Transparent Kerberos SSO Authentication

Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. can recognize Microsoft group membership data in the Kerberos An authentication server for Microsoft Windows Active Directory Federation Services (ADFS). tickets that are granted by any domain controller configured in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. This solution is available for:

• Identity Agent Check Point dedicated client agent installed on Windows-based user endpoint computers. This Identity Agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. The administrator configures the Identity Agents (not the end users). There are two types of Identity Agents - Full and Light. You can download the Full and Light Identity Agent package from the Captive Portal - 'https://<Gateway_IP_Address>/connect' or from sk134312. for a User Endpoint Computer

• Identity Agent for a Terminal Server

The Transparent Kerberos SSO Authentication feature is disabled by default.

Note - On VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0., run the commands in the context of the Virtual System with enabled Identity Awareness Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..

1. Connect to the command line on the Identity Awareness Gateway.

2. On a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateway, go to the context of the Virtual System with the enabled Identity Awareness Software Blade.

   See the VSX Administration Guide for your version.

3. Configure the Transparent Kerberos SSO Authentication.

   Configure the Transparent Kerberos SSO Authentication

   • To see if the feature is enabled or disabled, run:

     pdp auth fetch_by_sid status

   • To enable the feature, run:

     pdp auth fetch_by_sid enable

   • To disable the feature, run:

     pdp auth fetch_by_sid disable

   Configure the Identity Client to support domains that are not configured in SmartConsole

   • To see if the feature is enabled or disabled, run:

     pdp auth kerberos_any_domain status

   • To enable the feature, run:

     pdp auth kerberos_any_domain enable

   • To disable the feature, run:

     pdp auth kerberos_any_domain disable

   Configure the Identity Client to send updated Kerberos tickets upon policy installation

   By default, the Identity Client fetches and sends a Kerberos ticket to the Identity Awareness Gateway only during a re-authentication (based on the Identity Client settings).

   You can force the Identity Client to send an updated Kerberos ticket when you install Access Control Policy on the Identity Awareness Gateway.

   • To see if the feature is enabled or disabled on the Identity Awareness Gateway, run:

     pdp auth reauth_agents_after_policy status

   • To enable the feature, run:

     pdp auth reauth_agents_after_policy enable

   • To disable the feature, run:

     pdp auth reauth_agents_after_policy disable

4. Install the Access Control Policy on this Identity Awareness Gateway (Virtual System).