CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all,

I have set up the following:

AD win2003 with Ent root CA
SSL cert on DC
NGX Account unit object
Account unit host
LDAP group
AD template

I have created the account unit and I can see all of the users in the users container in AD when I open the LDAP server under the users tab from the NGX dashboard. I am using SSL and this has been verified in the AU settings in the NGX dashboard, as I can get the fingerprint from AD and I can also download the branches from AD.

I have set up a rule with user access (ldap_group@any) to http as the service and have set up "client auth" as fully automatic. When I start IE to trigger the rule, I get a login dialog box, but when I enter the username and password it informs me I have the wrong user name or password! (I am using administrator and P@ssw0rd; this is a test environment.)

I have tried tweaking just about everything with no good results, and so I believe I am doing something fundamentally wrong. It's strange that the NGX dashboard can see the AD objects but I can't authenticate to them. I have also removed all of the digitally signed traffic settings in AD's group policies; this has not helped...

Anybody have a clue where I can turn next?

Thanks
Brent
| |||
It seems I will be answering my own post...

I have tested and tweaked and tested and tweaked settings regarding this, always with the same result (wrong user or password). Then I decided to try non-SSL LDAP transfer while tracking with Wireshark at the AD DC. Well... did I get a shock. The administrator's password was set to P@ssw0rd on the AD DC, and when I saw the cleartext password appear in the packet trace from Wireshark (as NGX was passing the LDAP auth to AD), it looked like this: ssw0rd

Obviously I now understand that the @ symbol, when passed by Checkpoint authentication, means something special (like "forget everything before this" :) ). Once I discovered this and changed the AD password so that it contained no @ symbols, the AD (LDAP) authentication works great.

I hope this helps someone, as I would never have guessed this myself!

Brent

(So much for complex passwords in AD, when it comes to Checkpoint.)
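The symptom Brent saw (P@ssw0rd arriving at the DC as ssw0rd) is what you get when a credential front-end treats '@' as a user@realm separator and applies that parsing to the password as well as the login name. The following is an added illustration, not code from the thread or from Check Point, and the split-on-'@' mechanism is an assumption used to reproduce the symptom; the page does not say what the gateway does internally. It contrasts a flawed handler with one that never interprets the password, and includes a small harness a defender can run over constructed sample passwords before relaxing a directory's complexity policy.

```python
# Added example (not from the thread): credential truncation on '@' and a
# handler that forwards the password untouched. The naive split is an
# assumed mechanism chosen to reproduce "P@ssw0rd" -> "ssw0rd".
from typing import Callable, List, Tuple

Handler = Callable[[str, str], Tuple[str, str]]


def parse_credentials_naive(login: str, password: str) -> Tuple[str, str]:
    """Hypothetical flawed handler: treats both fields as user@realm, so the
    password keeps only the text after its last '@'."""
    user = login.split("@")[0]
    pw = password.split("@")[-1]   # 'P@ssw0rd' -> 'ssw0rd'
    return user, pw


def parse_credentials_safe(login: str, password: str) -> Tuple[str, str]:
    """Only the login name is interpreted (user@realm form); the password is
    opaque and is handed to the LDAP bind exactly as typed."""
    user, _sep, _realm = login.partition("@")
    return user, password


# Constructed sample passwords used to exercise a handler before blaming
# the directory or weakening its password policy.
SAMPLE_PASSWORDS: List[str] = [
    "P@ssw0rd",      # the case from the thread
    "Pa$$w0rd",      # other specials, no '@'
    "plain",
    "a@b@c",         # several '@'
    "ends-with@",    # '@' as the last character
]


def passwords_not_preserved(handler: Handler, passwords: List[str]) -> List[str]:
    """Return the passwords that `handler` would alter before the LDAP bind;
    an empty list means the handler passes every sample through intact."""
    return [pw for pw in passwords if handler("administrator", pw)[1] != pw]


if __name__ == "__main__":
    print("naive handler mangles:",
          passwords_not_preserved(parse_credentials_naive, SAMPLE_PASSWORDS))
    print("safe handler mangles:",
          passwords_not_preserved(parse_credentials_safe, SAMPLE_PASSWORDS))
```

Checking the parsing layer this way finds the same defect Brent found with a packet capture, without having to switch the gateway to plaintext LDAP and put a real credential on the wire to see it.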