How to Troubleshoot Identity Awareness s

18 September 2011
2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?id=12625
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
  Date                Description
  18 September 2011   First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on How to Troubleshoot Identity Awareness s).
Contents

Important Information
How to Troubleshoot Identity Awareness s
  Objective
  Impact on the Environment and Warnings
  Supported OS
  Supported Appliances
  Before You Start
    Related Documentation
    Assumed Knowledge
Troubleshooting General AD Integration
  User Groups and Access Roles are Not Enforced or Logged
  Users Fail to Authenticate
Troubleshooting AD Query
  Users are Not Detected
  AD Query Fails to Connect to Domain Controllers
  Not All Users are Detected
  Small Number of Users are Detected
  A Service User is Connected to an IP Address
  Multiple Users are Connected to Same IP Address
  SmartView Tracker User Name and Group Membership Error Messages
Troubleshooting Identity Awareness Configuration Wizard
  SmartDashboard Fails to Connect
  WMI (DCE-RPC) Test Failed
  LDAP Connectivity Failed
  Using the Wizard Again to Create Other Domains
  Login DN and AD Forest Errors
Troubleshooting Access Roles
  Domain Users or Groups Do Not Appear in the List
  Slow AD Tree
Troubleshooting Captive Portal
  Server Not Found or a Clear Screen
  Endless Redirect Loop
  Portal Enters a Loop when Agent is Connected
  Client IP Address Identified Incorrectly
  Cannot Authenticate With Correct Credentials
  Changes in Portal Settings are Not Seen
  Identity Agent is Installed But Get the Captive Portal
  Captive Portal Bad Appearance
Troubleshooting Identity Agent
  Agent Fails to Connect to Server
  Kerberos Does Not Work
  Kerberos Does Not Work for All Users
  Kerberos Does Not Work for One User
Troubleshooting Distributed Environments
  User Access Based on Identity Agent Works But Not AD Query
  Identities are Not Propagated to the Identity Server
How to Troubleshoot Identity Awareness s

Objective
This document explains how to troubleshoot Identity Awareness issues. Identity Awareness lets you easily configure network access and auditing in SmartDashboard based on network location and:
- The identity of a user
- The identity of a machine
When Identity Awareness identifies a source or destination, it shows the IP address of the user or machine with a name.

Impact on the Environment and Warnings
Check Point R75 and higher

Supported OS
- SecurePlatform
- IPSO

Supported Appliances
UTM-270 and higher

Before You Start

Related Documentation
- R75 Identity Awareness Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=11662)
- R75.20 Identity Awareness Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=12268)

Assumed Knowledge
- Use of Identity Awareness
- Use of Active Directory
Troubleshooting General AD Integration

User Groups and Access Roles are Not Enforced or Logged
Users are identified successfully, but their user groups and Access Roles are not enforced or logged correctly.
1. Make sure that there is one LDAP Account Unit for each AD domain. If you must configure domain controllers for each gateway (for AD Query, for example), see the Advanced AD Query section in the R75.20 Identity Awareness Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=12268).
2. If the configured user group is the primary group for the user account, there is no solution. Workaround: Change the AD account to be a member of the group.

Users Fail to Authenticate
Users fail to authenticate in Captive Portal or Identity Agent, although the user name and password are correct.
1. Make sure that the user's account is not locked or expired.
2. If there are multiple accounts with the same user name, the AD user must authenticate with domain\user. For example, CORP.ACME.COM\jdoe. This can occur in organizations with multiple AD domains, or with an AD domain and an internal user database.

Troubleshooting AD Query

Users are Not Detected
AD Query is connected successfully to all domain controllers, but users are not detected. Furthermore, there are some events in SmartView Monitor.
Make sure that the necessary auditing logs are generated in the Security Event log of the domain controllers. On 2003 domain controllers the events are 672, 673, and 674. On 2008 domain controllers the events are 4624, 4768, 4769, and 4770.
AD Query Fails to Connect to Domain Controllers
AD Query fails to connect to the domain controllers. You can see this in SmartView Tracker or SmartView Monitor, or you can run adlog a dc in expert mode.
See sk58881 (http://supportcontent.checkpoint.com/solutions?id=sk58881).

Not All Users are Detected
Not all users are detected.
AD Query must be configured to communicate with the actual domain controller that the user is connected to. This is necessary because security event logs are not replicated between domain controllers. Make sure that the domain controller that the user is connected to belongs to the AD Query account unit. To see which domain controller a user is connected to, run echo %LOGONSERVER% on the user's computer.
If AD Query was configured through the wizard and the SmartDashboard computer is not a member of the domain, then only one domain controller is entered into the LDAP Account Unit.

Small Number of Users are Detected
AD Query is successfully connected to the domain controllers and receives events, but the number of users detected is relatively low. The numbers detected can be seen in SmartView Monitor or with adlog a query all.
1. Make sure that users / IP addresses are not ignored. You can configure this in SmartDashboard.
2. Make sure that users do not go through NAT (with Check Point NAT) to the firewall. If the events in the security event log are generated with a NAT IP address, they are ignored automatically. NAT is not supported by AD Query.

A Service User is Connected to an IP Address
AD Query shows that a different user is connected to a user's IP address. This can be a service user (for example, an anti-virus company name) that is connected in addition to the actual user. AD Query does not know the difference between an actual user that logged in and a service account that logged in from the same computer. You can filter service accounts in SmartDashboard.
To learn more about filtering service accounts, see the R75.20 Identity Awareness Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=12268).
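The AD Query cases above (required audit event IDs, the logon domain controller missing from the account unit, NAT'd logons and service accounts) all come down to one mechanism: AD Query only knows what the queried domain controllers' Security logs record, and it drops or aggregates some of that. The Python below is an added example written for this page, not Check Point's adlog code or its actual algorithm, that models that mechanism on constructed events. It reports which expected event IDs a DC's log lacks, checks whether a client's %LOGONSERVER% value is one of the queried DCs, and builds the IP-to-user table that results once NAT addresses and filtered service accounts are dropped and sessions are kept until timeout (or replaced, when only one user per machine is assumed, as the next section describes). The event IDs are the ones named in the guide; SAMPLE_EVENTS, CONFIG, the NAT pool and the timeout value are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Event IDs the guide names as the ones AD Query needs in the DC Security log.
LOGON_EVENT_IDS = {
    "2003": {672, 673, 674},
    "2008": {4624, 4768, 4769, 4770},
}
ALL_LOGON_EVENT_IDS = LOGON_EVENT_IDS["2003"] | LOGON_EVENT_IDS["2008"]


@dataclass
class SecurityEvent:
    dc: str         # domain controller that wrote the event (Security logs are not replicated)
    event_id: int
    user: str       # DOMAIN\user as recorded in the event
    client_ip: str  # source address recorded in the event
    time: int       # seconds on a constructed timeline


@dataclass
class AdQueryConfig:
    account_unit_dcs: set[str]   # DCs listed in the LDAP Account Unit
    nat_pools: list              # Check Point NAT addresses; events with them are ignored
    ignored_users: set[str]      # service accounts filtered in SmartDashboard
    session_timeout: int         # seconds before an aggregated session is revoked
    assume_one_user_per_machine: bool = False


# Constructed sample data: one queried DC (DC1), one DC left out of the account unit
# (DC2), a service account, a client behind NAT and a stale logon.
SAMPLE_EVENTS = [
    SecurityEvent("DC1", 4624, "CORP\\jdoe", "10.1.1.5", 0),
    SecurityEvent("DC1", 4769, "CORP\\old", "10.1.1.9", 0),
    SecurityEvent("DC1", 4768, "CORP\\avscanner", "10.1.1.5", 5),
    SecurityEvent("DC2", 4624, "CORP\\bjones", "10.1.2.7", 50),
    SecurityEvent("DC1", 4624, "CORP\\cwu", "192.0.2.10", 60),
    SecurityEvent("DC1", 4624, "CORP\\asmith", "10.1.1.5", 100),
]
CONFIG = AdQueryConfig(
    account_unit_dcs={"DC1"},
    nat_pools=[ip_network("192.0.2.0/24")],
    ignored_users={"avscanner"},
    session_timeout=600,
)
ONE_USER_CONFIG = replace(CONFIG, assume_one_user_per_machine=True)


def missing_audit_events(events, dc, os_family):
    """Event IDs expected for this DC's Windows version that never appear in its log."""
    seen = {e.event_id for e in events if e.dc == dc}
    return sorted(LOGON_EVENT_IDS[os_family] - seen)


def logon_server_covered(logonserver, cfg):
    """echo %LOGONSERVER% on the client prints \\\\DCNAME; True if that DC is queried."""
    name = logonserver.strip().lstrip("\\").upper()
    return name in {d.upper() for d in cfg.account_unit_dcs}


def build_identity_table(events, cfg, now):
    """Replay events in time order and return {ip: {user: last_logon_time}}."""
    table = {}
    for e in sorted(events, key=lambda ev: ev.time):
        if e.dc not in cfg.account_unit_dcs:
            continue  # DC is never queried, so its events are never seen
        if e.event_id not in ALL_LOGON_EVENT_IDS:
            continue  # not a logon or ticket event
        if any(ip_address(e.client_ip) in pool for pool in cfg.nat_pools):
            continue  # NAT address in the event: ignored automatically
        if e.user.split("\\")[-1].lower() in cfg.ignored_users:
            continue  # filtered service account (checked before it could displace anyone)
        sessions = table.setdefault(e.client_ip, {})
        if cfg.assume_one_user_per_machine:
            sessions.clear()  # newest logon replaces the previous user
        sessions[e.user] = e.time
    # Aggregated sessions survive until their timeout expires.
    for ip in list(table):
        table[ip] = {u: t for u, t in table[ip].items() if now - t < cfg.session_timeout}
        if not table[ip]:
            del table[ip]
    return table


if __name__ == "__main__":
    print("DC1 missing event IDs (2008):", missing_audit_events(SAMPLE_EVENTS, "DC1", "2008"))
    print("LOGONSERVER \\\\DC2 covered:", logon_server_covered("\\\\DC2", CONFIG))
    print("aggregated:", build_identity_table(SAMPLE_EVENTS, CONFIG, now=200))
    print("one user per machine:", build_identity_table(SAMPLE_EVENTS, ONE_USER_CONFIG, now=200))
    print("after timeout:", build_identity_table(SAMPLE_EVENTS, CONFIG, now=650))
```

Run as written, the model shows each symptom from the sections above: CORP\bjones never appears because DC2 is not queried, CORP\cwu is dropped because the event carries a NAT address, the service account never displaces the real user only because it is filtered before the one-user-per-machine replacement runs, and with aggregation both CORP\jdoe and CORP\asmith stay on 10.1.1.5 until the first session times out.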
Multiple Users are Connected to Same IP Address
After a user logs off and a different user logs on, AD Query still thinks that both users are connected.
AD Query aggregates users and permissions. Only after the first user's session times out is that user's session revoked. To change this behavior, you can configure the Assume only one user per machine option in SmartDashboard. This option requires that you also ignore the service account.
To learn more about assuming only one user for a machine, see the R75.20 Identity Awareness Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=12268).

SmartView Tracker User Name and Group Membership Error Messages
SmartView Tracker error messages show that the gateway could not fetch group membership for users, and the user names contain non-English characters.
In GuiDBedit, enable the EnableUnicode attribute on the LDAP account unit. See the R75.20 Identity Awareness Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=12268).

Troubleshooting Identity Awareness Configuration Wizard

SmartDashboard Fails to Connect
The Identity Awareness Configuration Wizard fails to open. A message states that "SmartDashboard failed to connect to...". The error message starts with SmartDashboard and not gateway.
See sk60417 (http://supportcontent.checkpoint.com/solutions?id=sk60417).

WMI (DCE-RPC) Test Failed
The Identity Awareness Configuration Wizard fails. An error message states WMI(DCE-RPC) test failed or shows an equivalent message. AD Query is configured, but users are not identified in logs and cannot get access based on their identity. In SmartView Monitor, or with the adlog a dc command line in Expert mode, you see domain controllers that the Security Gateway fails to connect to.
See sk58881 (http://supportcontent.checkpoint.com/solutions?id=sk58881).

LDAP Connectivity Failed
There are two parts to this issue:
1. The Identity Awareness Configuration Wizard fails, stating that LDAP connectivity failed. This also occurs when the administrator has selected a working account unit in it.
2. The LDAP connectivity test fails without an obvious cause, and only LDAP over SSL is supported on the domain controllers.
The Identity Awareness Configuration Wizard works only with LDAP (not LDAPS). It disregards the use ssl option on the account unit. If LDAP (as opposed to LDAPS) is disabled, the wizard fails and the administrator needs to configure the account unit manually.

Using the Wizard Again to Create Other Domains
An administrator wants to use the wizard again to create other domains.
Clear the Enable Identity Awareness checkbox in SmartDashboard and then select it again. This reruns the wizard.

Login DN and AD Forest Errors
The Identity Awareness Configuration Wizard fails, possibly stating that it:
- Could not fill in the Login DN parameter in the LDAP Account Unit
- The customer Active Directory forest contains more than one Active Directory Domain
To learn more about configuring Identity Awareness for forests with more than one domain (usually subdomains), see the R75.20 Identity Awareness Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=12268).
Troubleshooting Access Roles

Domain Users or Groups Do Not Appear in the List
There is a red X on the domain name and no domain users or groups are available in the list.
Make sure that SmartDashboard has a working connection to the domain controller.

Slow AD Tree
The AD tree is slow to show results. This occurs when there are many sibling folders in the AD tree. There is no solution for this issue.

Troubleshooting Captive Portal

Server Not Found or a Clear Screen
Browsing to http://www.myiaserver.com/connect shows Server Not Found or a clear screen.
Make sure you configured Identity Awareness correctly:
- Did you enable Identity Awareness?
- Did you connect to the correct URL?
- Did you configure DNS?
- Did you define a rule and install policy?
- Did you connect to the correct interface?
- Is the portal up? Make sure with:
    [admin@cpmodule ~]$ mpclient status nac
    Portal is not running

Endless Redirect Loop
There is an endless redirect loop when this environment is deployed.
1. Prevent this type of environment when possible.
2. Add the Captive Portal as an exception in the browser proxy settings.
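The redirect loop above and the Client IP Address Identified Incorrectly case below both arise when a web proxy sits between the client and the gateway: the gateway's TCP peer is the proxy, so every client looks like the proxy's address unless the x-forwarded-for header is sent and read. The Python below is an added example written for this page, not Check Point's APPI code, of what a component that consumes that header has to do to attribute a request to the right client. It believes the header only when the TCP peer is one of the organization's own proxies (TRUSTED_PROXIES, a constructed value), and it walks the chain from the proxy end, so a hop inserted by the client cannot change the result; a missing header yields the proxy address, which is exactly the symptom the guide describes. SAMPLE_REQUEST and all addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed: address range of the organization's own forward proxies.
TRUSTED_PROXIES = [ip_network("10.10.0.0/24")]


def parse_headers(raw_request):
    """Parse the header block of an HTTP/1.x request into a lowercase-keyed dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_trusted(addr, trusted):
    """True when addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def client_ip(peer_ip, xff, trusted=TRUSTED_PROXIES):
    """Return the address to attribute the session to.

    The header is only believed when the TCP peer is a trusted proxy; otherwise a
    directly connected client could forge it. The chain is walked from the right
    (the hop nearest to us), skipping trusted proxies; the first other address is
    the client. With no usable header the proxy address itself is returned.
    """
    peer = ip_address(peer_ip)
    if not is_trusted(peer, trusted):
        return peer_ip  # header not from our proxy: ignore it
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return peer_ip  # malformed hop: fall back to the proxy address
        if not is_trusted(addr, trusted):
            return str(addr)
    return peer_ip  # header missing or lists only proxies


def attribute_request(peer_ip, raw_request, trusted=TRUSTED_PROXIES):
    """Attribute a raw request received from peer_ip to a client address."""
    headers = parse_headers(raw_request)
    return client_ip(peer_ip, headers.get("x-forwarded-for"), trusted)


# Constructed sample request as the gateway would receive it from proxy 10.10.0.3,
# after the client 172.16.5.20 passed through a second proxy 10.10.0.7.
SAMPLE_REQUEST = (
    "GET /connect HTTP/1.1\r\n"
    "Host: www.myiaserver.com\r\n"
    "X-Forwarded-For: 172.16.5.20, 10.10.0.7\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("via proxy, header present:", attribute_request("10.10.0.3", SAMPLE_REQUEST))
    print("via proxy, header missing:", client_ip("10.10.0.3", None))
    print("direct client with forged header:", client_ip("172.16.5.20", "10.10.0.7"))
```

The first two printed lines correspond to the two checks in the guide: when the proxy sends the header the client address comes out, and when it does not, every session collapses onto the proxy address. The third line shows why the header must only be honoured from a known proxy.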
Portal Enters a Loop when Agent is Connected
If a user is revoked from the system, the client machine can enter an endless loop when trying to browse to a web site. The loop occurs because the gateway redirects to the Captive Portal, and the Captive Portal assumes that the agent is connected and directs the web browser to the original URL.
You should know about this problem. Don't revoke an IP in this situation.

Client IP Address Identified Incorrectly
The client IP address is identified incorrectly. All clients that go through the proxy are reported with the proxy IP address and not their own IP address.
Work with x-forwarded-for to:
- Make sure that the proxy is configured to send x-forwarded-for in its header.
- Make sure that APPI (Application Control) is running. APPI is the component that reads this header.

Cannot Authenticate With Correct Credentials
You cannot authenticate with correct credentials.
1. Are your credentials in English only? If not, make sure you enabled the SupportUnicode field in the LDAP account unit server object with GuiDBedit. Use the GuiDBedit command:
    modify servers <ldap_au_name> SupportUnicode 'true'
   To learn more, see sk32030 (http://supportcontent.checkpoint.com/solutions?id=sk32030).
2. Make sure that pdpd is running.
3. Use domain\user when you have more than one account with the same name.

Changes in Portal Settings are Not Seen
After you customize portal images or make other customization changes, you do not see the changes in the portal or the web browser.
1. Close and reopen ALL open browser windows (to make sure the browsing session no longer exists). Browsing sessions that were open while changes were being made continue to work with the previous settings.
2. Clear the browser cache.

Identity Agent is Installed But Get the Captive Portal
The Identity Agent has been installed on my computer, but I keep getting the Captive Portal.
Make sure the Identity Agent is:
- Working
- Connected
- Authenticated
If you use an Internet Explorer browser, when you are connected and authenticated you are redirected to your initial destination. Other browsers do not work like this.

Captive Portal Bad Appearance
The Captive Portal looks bad.
1. Make sure you are using a supported browser:
   - Internet Explorer 6, 7, 8
   - Safari 5
   - Firefox 3
   - Chrome 8
2. Reload the portal page in your browser.

Troubleshooting Identity Agent

Agent Fails to Connect to Server
The umbrella icon on a user's computer is closed and the agent fails to connect to the server. Do these steps until one works.
1. Try to configure the gateway manually.
2. Make sure the gateway's discovery configuration is correct.
3. If the problem is only for one computer, make sure the DNS settings and network configuration are correct.
4. Reset Agent settings:
   a) Double-click the umbrella icon.
   b) Go to Advanced > Reset to defaults and try to connect.
5. Restart the service:
   a) Open a command line with computer administrator credentials.
   b) Enter sc stop madservice and then sc start madservice.
6. If no users can connect with the Identity Agent, make sure the gateway uses an internal interface to communicate with the client. If not, change this setting from Identity Awareness gateway properties > Identity Agent Settings.

Kerberos Does Not Work
Kerberos does not work on this network.
1. Read the Kerberos section in the R75.20 Identity Awareness Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=12268) and do the steps carefully.
2. Make sure that you enter the KTPass command manually and not with copy and paste.
3. Make sure you have the same output.
4. If you did all of the steps and it never worked, delete the user and follow the steps in the R75.20 Identity Awareness Administration Guide (http://supportcontent.checkpoint.com/documentation_download?id=12268).

Kerberos Does Not Work for All Users
Kerberos does not work for all users.
1. Make sure the date and time on the server are correct, including daylight saving time.
2. Make sure the gateway Kerberos user is not locked out.
3. Reset the user password on the domain controller.
4. Make sure the account is not disabled.

Kerberos Does Not Work for One User
Kerberos does not work for one user.
1. Make sure the user's time and date are synchronized with the Kerberos server and the Identity Server (including daylight saving time).
2. Make sure the user is not locked out.
3. Make sure the user has a Kerberos ticket.
4. If you recently changed the gateway Kerberos user password, log out and then log in again.
Troubleshooting Distributed Environments

User Access Based on Identity Agent Works But Not AD Query
A user is authenticated based on Identity Agent but not with AD Query.
1. Make sure that AD Query is configured correctly (adlog utility).
2. Make sure the user is in the AD Query database, using the adlog utility.
3. Make sure communication has been established between the Identity Server and Identity Gateway (use the pdp and pep commands).
4. If the user is in the AD Query database but is not in the Identity Gateway database (use pep show user all):
   a) Run a sync between the Identity Server and Identity Gateway (use pdp control sync).
   b) Make sure the user is now in the Identity Gateway (use pep show user all).

Identities are Not Propagated to the Identity Server
The Identity Server that is set to share identities is not getting identities.
1. Make sure that the daemons pepd and pdpd are up and running.
2. Make sure that the Identity Server is configured to connect to the Identity Gateway (run pdp c p on the Identity Server).
3. Make sure that communication is possible to the main IP address of the remote gateway in both directions. Do this with a ping from one gateway to the other gateway's main IP. If you are testing connectivity from the Identity Server, then the remote gateway is the Identity Gateway, and vice versa.
4. If communication is not possible through the main IP address, use sk60701 (http://supportcontent.checkpoint.com/solutions?id=sk60701). This instructs you how to change the IP address used for the communication channel.