rogergh
Explorer

LDAP Account Unit authentication request missing integrity support

Hi.

Our domain controllers require integrity checks for RPC calls, and it does not seem like Check Point Management\Security Gateway honors the requirement, and then fails to connect. This error is logged on our domain controllers:

The server-side authentication level policy does not allow the user REDACTEDUSER from address REDACTEDIP to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

Where REDACTEDUSER is the user account specified in domain controller authentication in the LDAP Account Unit, and REDACTEDIP is the management and security gateway addresses.

Here is a link to Microsoft information regarding the different RPC authentication levels:

[MS-RPCE]: Authentication Levels | Microsoft Docs


Is there a way to enable this, or is it just not supported?

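As an added example (not from this thread or from Check Point), a defender-side script that pulls the denied user and client address out of the DistributedCOM event text quoted above and compares RPC authentication levels using the numeric ordering from the linked [MS-RPCE] table; the sample events, host names and addresses are constructed, and the tuple layout of the event records is an assumption.

```python
import re
from collections import defaultdict

# Authentication levels from [MS-RPCE]; a higher value is a stronger level.
AUTHN_LEVELS = {
    "RPC_C_AUTHN_LEVEL_NONE": 1,
    "RPC_C_AUTHN_LEVEL_CONNECT": 2,
    "RPC_C_AUTHN_LEVEL_CALL": 3,
    "RPC_C_AUTHN_LEVEL_PKT": 4,
    "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY": 5,
    "RPC_C_AUTHN_LEVEL_PKT_PRIVACY": 6,
}

# Matches the server-side DCOM denial text quoted in the post (Event ID 10036);
# the optional SID group covers the form some Windows builds log.
DENIAL_RE = re.compile(
    r"does not allow the user (?P<user>\S+) (?:SID \(\S+\) )?from address "
    r"(?P<addr>\S+) to activate DCOM server\. .*at least to "
    r"(?P<required>RPC_C_AUTHN_LEVEL_\w+)"
)

MSG = ("The server-side authentication level policy does not allow the user {user} "
       "from address {addr} to activate DCOM server. Please raise the activation "
       "authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.")

# Constructed sample events as (dc_name, event_id, message); assumed record layout.
SAMPLE_EVENTS = [
    ("DC01", 10036, MSG.format(user=r"CORP\svc-cp-ldap", addr="192.0.2.10")),
    ("DC01", 10036, MSG.format(user=r"CORP\svc-cp-ldap", addr="192.0.2.11")),
    ("DC02", 10036, MSG.format(user=r"CORP\svc-cp-ldap", addr="192.0.2.10")),
    ("DC02", 4624, "An account was successfully logged on."),
]


def level_satisfies(client_level, required="RPC_C_AUTHN_LEVEL_PKT_INTEGRITY"):
    """True if a client negotiating client_level meets the server's minimum."""
    return AUTHN_LEVELS[client_level] >= AUTHN_LEVELS[required]


def parse_denials(events):
    """Group DCOM activation denials by client address.

    Returns {client_addr: {"users": set, "dcs": set, "required": set}} so an
    admin can see which hosts (e.g. gateways using AD Query) still need to
    move to an integrity-capable mechanism.
    """
    denials = defaultdict(lambda: {"users": set(), "dcs": set(), "required": set()})
    for dc, event_id, message in events:
        m = DENIAL_RE.search(message) if event_id == 10036 else None
        if m:
            entry = denials[m["addr"]]
            entry["users"].add(m["user"])
            entry["dcs"].add(dc)
            entry["required"].add(m["required"])
    return dict(denials)
```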
5 Replies
PhoneBoy
Admin

The only place I think we made actual RPC calls is when ADQuery is used (versus Identity Collector).
Otherwise, we're just making LDAP calls.
Are you using ADQuery?

rogergh
Explorer

Yes, we have Active Directory Query activated, but we also have a Collector up and running. Does the Collector replace all functionality of AD Query? If yes, then I guess we could just disable it and not worry about this.

Running "adlog a dc" also gives the following error from the same DCs that give RPC warnings for Check Point: "connection had internal error [ntstatus = 0x80010111"

PhoneBoy
Admin

They both do the same thing, albeit using entirely different mechanisms.
Identity Collector is a LOT more scalable and doesn't cause as much load on the Active Directory servers.

Rich_Lichtenfel
Explorer

Is there a way to fix this with AD Query?

gyterpena
Explorer

We use Identity Collector, but we have this error when we try to update the rule base (Access Role), and this needs to pull the list of users from "LDAP Account Units" (with "Active Directory Query" disabled).
