Hi Phoneboy,

No, it is for the AD server itself. For other non-AD-servers I see log entries like shown below.

Id: 0a6000f1-b607-a64b-6064-724300000001
Marker: @A@@B@1617193489@C@911804
Log Server Origin: x.x.x.x
Time: 2021-03-31T12:59:47Z
Id Generated By Indexer:false
First: true
Sequencenum: 87
Domain Name: example.com
Source: y.y.y.y
Endpoint IP: y.y.y.y
Authentication Status: Successful Login
Identity Source: Identity Collector (Active Directory)
Session ID: 66d6b3c5
Source Machine Name: servername
Source Machine Group: All Machines; ad_group_my_servers;
Authentication Method: Machine Identity Propagation
Identity Type: machine
Authentication Trial: this is a reauthentication for session xxxxxx
Roles: My_Servers
Action: Update
Type: Log
Blade: Identity Awareness
Origin: FW-A
Product Family: Network
Logid: 131073
Description: Successful Login 

Updates like these are not being received for the AD servers themself. 

But you're using an actual AD account to log in, correct?
Maybe @Adi_Babai or @Royi_Priov know here.

Well as far as I know, it is the AD server itself. I think the 'Machine Identity Propagation' update is send when a system itself is domain joined en authenticates itself to the AD server or domain. Maybe the AD represents the domain itself, and therefore doesn't join the domain like non-ADS servers do. That could be the reason that I don't see updates on the Security Gateway.  

Your explanation seems reasonable to me, at least.

Hi Niels,

summary: it appears only the AD Servers , selected as an identity source that appear to be affected.

long:

We have the same behaviour in our environment. (1st time posting on checkpoint.... hooray.)
> other domain controllers,   NOT in the Identity Collector as sources are registering just fine here.

It's only those  that are enlisted as "Identity Collector Sources"  that are not registering as "machine identity". Exactly what you described.

Was this fixed for you somehow recently? or still an open question? Wondering if we should open a case @ CP for this or not.
Honestly we don't know if it has always been like this - but considering the Ruleset we stumbled upon a couple issues - and narrowed it down to the fact those specific Domain Controllers are not having their machine identity updated towards our Security Gateway.

No, I'm still seeing all these messages.

Failed to get users groups for the domain.
Verify that this domain name is configured in your LDAP Account Unit.
Domain: somegroup.local

the answer maybe to add these domains to the IDC, there's a few differentusers who log in.

After adding the new domain to IDC and adding an account unit for the new domain, I'm still seeing these in R81.20

Machine Identity propagation Failed Login  Failed to get users groups for the domain.
Verify that this domain name is configured in your LDAP Account Unit.  (Yes, it is so ?)

Getting the same error here, actually a lot of them... ? Propagation deactivation option would be helpful

Any other leads ?

We also see this in our environment. Is there a solution for this. 

Hi. Checked the SR history I had and we fixed it with:

Ah Great.... ( and fast answer ) 

I will look a solution for a terminal server.