| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| I have Integrity Server installed on SPLAT, set up to use my AD as an LDAP entity. I want it to assign policies to users based on their AD group membership. The problem is that when a client connects to the server it shows the username as being 'anonymous@MACHINENAME:MACADDRESS'. This results in the user being assigned the Default Policy as the server does not see the correct username. Can anyone provide any advice on setting up an LDAP entity with AD or know what I'm doing wrong?!?!?! |
| |||
| Integrity server 6.6 is not production ready is the answer I get all the time. HFA1 for it should be available soon (I believe it's in a closed EA now). Sorry for the not-so-helpful info, but I don't want you banging your head against the wall for nothing. |
| |||
| Oh okay.. we're going to do the integration with the Microsoft AD too. We have proxy enabled now for the time being, and it was a one-time-only login screen, so the users weren't too bothered by it so much. Regards |
| |||
| Hello, I have the same problem. We're using 6.5. When the client does not enter his username he stays anonymous. How can I get this thing to work so I can deploy the right policy to the right user? Can I use the Windows credentials some way? We're using ADAM for the LDAP database. It stands beside the customer AD. |
| |||
| Setting up AD LDAP can be tricky. The best way is to install an LDAP browser on the IAS server and verify that you can communicate to AD. Usually the configuration needed to get this working is identical to setting up an LDAP catalog in IAS 6.5. Once it is correctly configured you are able to import users and groups. The tricky part is setting up the base DN, usually just DC=Domain,DC=com. The admin credential is domain\administrator; everything else is default. In the primary host put the full DNS name, ad.domain.com; for the secondary host I put the IP address of the AD as a precaution. Once set up it will work seamlessly. hth |
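The connectivity check described in the post above can also be done from a command line instead of an LDAP browser. This is an added example, not part of the thread and not Check Point's procedure; it assumes the OpenLDAP client tool `ldapsearch` is available on a host that can reach the domain controller, and the function names, host, domain and account are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Host, domain and account are placeholders.

# domain.com -> DC=domain,DC=com (the base DN form described in the post)
base_dn_from_domain() {
    printf '%s\n' "$1" | sed -e 's/^/DC=/' -e 's/\./,DC=/g'
}

# Map common LDAP result codes (RFC 4511) to the setting most likely at fault.
# Assumption: ldapsearch exits with the LDAP result code, as OpenLDAP's client does.
explain_ldap_rc() {
    case "$1" in
        0)  echo "ok: bind and base DN both work" ;;
        8)  echo "strongAuthRequired: AD refuses simple bind without TLS" ;;
        32) echo "noSuchObject: base DN is wrong" ;;
        49) echo "invalidCredentials: admin credential is wrong" ;;
        *)  echo "other failure (code $1): see ldapsearch stderr" ;;
    esac
}

# Usage: check_ad_bind ad.domain.com domain.com 'DOMAIN\administrator'
check_ad_bind() {
    host="$1"; base_dn=$(base_dn_from_domain "$2"); bind_user="$3"; rc=0
    # -x simple bind; -W prompts for the password so it stays out of history
    # and the process list; -s base reads only the base DN entry itself.
    # ldaps:// keeps the admin password off the wire in cleartext.
    ldapsearch -x -LLL -H "ldaps://$host" -D "$bind_user" -W \
        -b "$base_dn" -s base '(objectClass=*)' dn || rc=$?
    explain_ldap_rc "$rc"
    return "$rc"
}

# Run only when called with host, domain and bind user.
if [ "$#" -eq 3 ]; then
    check_ad_bind "$@"
fi
```

`ldaps://` requires the domain controller to present a certificate that the host running the check trusts.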
| |||
| We had the same problem; below is the response we got from our technical support company, hope it helps somebody. (Moving to an NT Domain entity looks the best answer.) " I have been looking into the problem with your clients/users reporting as anonymous@computername#### and have found the following article from Check Point. It suggests again that we either move to the NT Domain option (I remember you are not using WINS) or check the “Proxy Login Server” option in the current LDAP configuration. If you check the proxy login server option then please note that your end users may be prompted for their login credentials by Integrity. I would advise testing both options. Symptoms • Imported Active Directory via the LDAP option, but user-based Policy assignment does not work. Solution: Remove the user directory from Integrity, and import it again using the NT Domain option. This way users will be added with "ntdomain://" to the beginning of their user names, which is required to match the Windows login information the Integrity client reports to the Server. If for some reason this is not possible, check the Proxy Login Server box when importing the user directory, to prompt users for their credentials. The LDAP option will add "ldap://" to the beginning of user names, which only works with a true LDAP client login, such as logging into NDS. " |
| |||
| Whatever method is used, you must specify either ldap or ntdomain in the client package that is downloaded and installed by the endpoint. Changing methods will require a re-installation of the client(s). |