Kerberos SSO Compliance
The Identity Awareness Single Sign-On (SSO) solution for Identity Clients lets you transparently authenticate users that are logged in to the domain. After a user authenticates to the domain once, the user has access to all authorized network resources without additional authentication. This solution is available for:
- Identity Agent for a Terminal Server
These are some major benefits of Identity Clients SSO:
- User and computer identity.
- Minimal user intervention - The administrators do all the necessary configuration steps, and no input from a user is necessary.
- Seamless connectivity - There is transparent authentication when users are logged in to the domain. If you do not configure SSO, users enter their credentials manually. You can let users save their credentials.
- Connectivity through roaming - Users stay automatically identified when they move between networks, while the client detects the movement and reconnects.
- Added security - You can use packet tagging to prevent IP Spoofing. In addition, Identity Clients give you strong (Kerberos based) user and computer authentication.
You get SSO in Windows domains with the Kerberos authentication protocol. Kerberos is the default authentication protocol for Windows 2000 and above.
The Kerberos protocol uses tickets. Tickets are encrypted data packets issued by a trusted authority, in this case the Active Directory (AD). When a user logs in, the user authenticates to a domain controller that provides an initial ticket granting ticket (TGT). This ticket proves the user's identity. When the user authenticates against the Identity Awareness Gateway, the Identity Client presents this ticket to the domain controller and requests a service ticket (SR) for a specific Security Gateway. The Identity Client then presents this service ticket to the Security Gateway, which grants access.
How SSO Works
This is the workflow for SSO:
- The user logs in to the computer and authenticates to the AD server.
- The AD sends an initial ticket (TGT) to the computer.
- The Identity Client connects to the Identity Awareness Gateway, which then requests the identity.
- The Identity Client requests an SR (service ticket) for the Identity Awareness Gateway and presents the TGT to the AD server.
- The AD server sends the SR to the computer. The user name is encrypted with the shared secret between the Identity Awareness Gateway and the AD server.
- The Identity Client sends the SR to the Identity Awareness Gateway.
- The Identity Awareness Gateway uses the shared secret to decrypt the ticket and confirms the user identity.
- The user gets access to resources behind the Identity Awareness Gateway.
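The ticket flow above, as an added Python simulation that is not Check Point's code: AD seals the user name under the key of the account that owns the SPN ckp_pdp/<domain>, and the gateway decrypts it with its own shared secret. It also shows the failure the Important note under SSO Configuration warns about: when the SPN is still registered to a different account, the SR is sealed under that account's key and the gateway cannot decrypt it. The account names, keys and the domain example.local are constructed, the seal/unseal functions are a toy stand-in for Kerberos ticket encryption, and the TGT is reduced to a sealed user name.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed long-term keys; in AD they derive from each account's password.
ACCOUNT_KEYS: Dict[str, bytes] = {
    "krbtgt": b"kdc-master-key",
    "svc_ckp_pdp": b"current-gateway-account-key",  # account the gateway uses
    "svc_ckp_old": b"stale-gateway-account-key",    # earlier account, same SPN
}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption standing in for Kerberos ticket encryption."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        return None  # wrong key or tampered ticket: reject
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def kdc_as_exchange(user: str) -> bytes:
    """User logs in; AD issues a TGT sealed under the KDC's own key."""
    return seal(ACCOUNT_KEYS["krbtgt"], user.encode())

def kdc_tgs_exchange(tgt: bytes, spn: str, spn_owner: Dict[str, str]) -> Optional[bytes]:
    """Client presents the TGT and asks for an SR for ckp_pdp/<domain>; AD seals
    the user name under the key of whichever account currently owns that SPN."""
    user = unseal(ACCOUNT_KEYS["krbtgt"], tgt)
    if user is None or spn not in spn_owner:
        return None
    return seal(ACCOUNT_KEYS[spn_owner[spn]], user)

def gateway_verify(sr: bytes, gateway_account: str) -> Optional[str]:
    """Identity Awareness Gateway decrypts the SR with its own shared secret."""
    user = unseal(ACCOUNT_KEYS[gateway_account], sr)
    return user.decode() if user is not None else None

def sso_login(user: str, spn: str, spn_owner: Dict[str, str], gateway_account: str) -> Optional[str]:
    """Whole flow; returns the identity the gateway accepts, or None when SSO fails."""
    sr = kdc_tgs_exchange(kdc_as_exchange(user), spn, spn_owner)
    return gateway_verify(sr, gateway_account) if sr is not None else None
```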
SSO Configuration
SSO configuration includes these steps:
- Configuration in Active Directory
  In this step, you create a user account and map it to a Kerberos principal name.
  To use Kerberos with Active Directory, make a Kerberos principal name for the Check Point Security Gateway service. Map this new account to the domain name. Use the setspn.exe utility. Make sure you have the correct version (see the Identity Awareness Administration Guide for your version > Section "Mapping the User Account to a Kerberos Principal Name").
  Important: If you used the setspn utility before, with the same principal name, but with a different account, you must delete the different account, or remove the association to the principal name. To remove the association, run:
  setspn -D ckp_pdp/<domain_full_dns_name> <old_account_name>
  If you do not do this, authentication fails.
  To configure Active Directory for Kerberos:
  - Make a new user account (see the Identity Awareness Administration Guide for your version > section "Creating a New User Account").
  - Open Windows Command Prompt (Start > Run > cmd).
  - Run:
    setspn -A ckp_pdp/<domain_full_dns_name> <username>
    To see users associated with the principal name, run:
    setspn -Q ckp_pdp*/*
- Configuration in SmartConsole
  In this step, you configure an LDAP Account Unit object to work with SSO.
  To use this account, configure an Account Unit in SmartConsole (see the Identity Awareness Administration Guide for your version > Section "Configuring an Account Unit").