
Microsoft Updates KB4487026/KB4485447 stops IA and remote access via RADIUS from working??

Hello Check Mates, 

I have just received information from one of my customers.
After installing the patches KB4487026/KB4485447 on their domain controllers, Identity Awareness stopped working, with a yellow exclamation mark in SmartView Monitor.

And RAS via RADIUS stopped working also; users were no longer able to connect ... username or password wrong in the Microsoft NPS logs and on the Check Point Endpoint Connect VPN clients.

setup is: 
R80.10 + Take 154
Windows 2016 domain controllers 
Especially the patch KB4487026 is causing this issue ... 

Since I have so little information so far, it's not easy to give any clear answers.

But did somebody install these Microsoft patches already together with IA running with AD Query?
And remote access via RADIUS authentication?

best regards
Thomas Eichelburg

0 Kudos
7 Replies

Hi Thomas, 

I would strongly recommend raising a TAC case so that support can investigate the issue further. 




It is interesting you bring this up because I have observed that I am unable to manually run IPS updates from SmartConsole from two Win10 machines that have this same Servicing Stack Update applied to them. The IPS updates worked when I ran them from an old Server 2008 R2 machine I had. I wonder if the same issue could be affecting multiple Check Point functions?

0 Kudos

I created another thread that documented the other issues I've uncovered that seem to be related to these patches. I have an open TAC case and will update TAC with this information.

0 Kudos

Good Morning,

We've had the same issue with IA/RADIUS and KB4487026. I would suggest it relates to this line in the patch release notes:

Addresses an issue that fails to set the LmCompatibilityLevel value correctly. LmCompatibilityLevel specifies the authentication mode and session security. 

I've raised it with our Check Point support, but until then, the only fix I've found is to uninstall the patch from our domain controllers which is not ideal.
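
A way to compare the patched and unpatched servers discussed in this thread, as an added example that is not part of any post: for each server it reports which of the two updates is installed and what LmCompatibilityLevel is set in the registry. The host names are placeholders, and PowerShell remoting to the servers is assumed.

```powershell
# Added example (not from the thread). Host names are placeholders (assumption).
$servers = 'dc01.example.test', 'dc02.example.test', 'nps01.example.test'
$kbIds   = 'KB4487026', 'KB4485447'   # the two updates named in this thread

# Meaning of each LmCompatibilityLevel value (LAN Manager authentication level)
$levelText = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM and NTLM'
}

$report = foreach ($server in $servers) {
    try {
        # Run on the remote host: read the Lsa key and look for the two updates
        $r = Invoke-Command -ComputerName $server -ErrorAction Stop `
                -ArgumentList (,$kbIds) -ScriptBlock {
            param([string[]]$Ids)
            $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            $hit = @(Get-HotFix | Where-Object { $Ids -contains $_.HotFixID })
            [pscustomobject]@{
                KBs   = ($hit.HotFixID -join ', ')
                Level = $lsa.LmCompatibilityLevel   # $null when the value is not set
            }
        }
        if ($null -eq $r.Level) { $meaning = 'not set (OS default applies)' }
        else                    { $meaning = $levelText[[int]$r.Level] }
        [pscustomobject]@{
            Server = $server; InstalledKBs = $r.KBs
            LmCompatibilityLevel = $r.Level; Meaning = $meaning; Error = $null
        }
    } catch {
        # Unreachable host or remoting failure: keep the row so the gap is visible
        [pscustomobject]@{
            Server = $server; InstalledKBs = $null
            LmCompatibilityLevel = $null; Meaning = $null; Error = $_.Exception.Message
        }
    }
}

# Patched and unpatched hosts end up grouped, so differing levels stand out
$report | Sort-Object InstalledKBs, Server | Format-Table -AutoSize
```

Running it before and after the update on one server shows whether the configured level changed with the patch, which is the detail to attach to a support case.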


Hi all,

Last weekend these patches were installed on our NPS servers (W2012 R2) and the SmartConsole login failed afterwards. Also the wrong username/password entries in the NPS logs.

We have configured authentication via RADIUS v2 + MS-CHAP2.

I changed to PAP and it worked again.
Seems like the patch broke MS-CHAP2 ?

But if you guys are looking for a quick workaround, changing to PAP should do the trick.
Less secure though..

0 Kudos

Yes, I have the same issue using ADquery. One DC did not get patched and is still working, and I am getting a lot of pushback from TAC saying the patch did not cause the issue. If that is so, why is my unpatched DC working with ADquery?
0 Kudos


I have also raised a TAC ticket, but it still gets pushed back ...
It's not a Check Point issue; Check Point is acting according to the RFCs.
Anyway, we have a patch "KB4487026". After applying this patch, it affects RADIUS authentication. NTLMv2 doesn't work anymore. Only with PAP ...

So I will put on some more pressure ... to get a solution or at least a detailed technical explanation.

best regards

0 Kudos

