Active Directory Authentication

Endpoint Security Active Directory Authentication

When an Endpoint Security client connects to the Endpoint Security Management Server (the Security Management Server that manages your Endpoint Security environment, including Endpoint Security policy management and databases; it communicates with endpoint clients to update their components, policies, and protection data), an authentication process identifies the endpoint client and the user currently working on that computer.

The Endpoint Security system can function in these authentication modes:

The authentication process:

  1. The Endpoint Security client (1) requests an authentication ticket from the Active Directory server (2).

  2. The Active Directory server sends the ticket (3) to the client (1).

  3. The client sends the ticket to the Endpoint Security Management Server (4).

  4. The Endpoint Security Management Server returns an acknowledgment of authentication to the Endpoint Security client (1).

The default behavior after Security Management Server installation is Unauthenticated mode. It is recommended that you use this mode when you are evaluating Endpoint Security, in a lab environment. Change to Strong Authentication mode just before moving to a production environment. It is not recommended to continue to work in Unauthenticated mode after moving to production in a live environment.

Important - If you use Active Directory Authentication, then Full Disk Encryption (FDE, a component on Endpoint Security Windows clients that combines Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users are given access to information stored on desktops and laptops) and Media Encryption & Port Protection (MEPP, a component on Endpoint Security Windows clients that protects data stored on the computers by encrypting removable media devices and allowing tight control over computers' ports such as USB and Bluetooth) are only supported on endpoint computers that are part of Active Directory.

Note - If you have endpoint computers in your environment that are not part of Active Directory, Full Disk Encryption and Media Encryption & Port Protection will not work on them.

Configuring Active Directory Authentication

Make sure you configure Strong Authentication for your production environment. Do not set up Strong Authentication before you are ready to move to production. When you are ready to move to production, follow this process.

Workflow for Configuring Strong Authentication:

UPN Suffixes and Domain Names

The User Principal Name (UPN) is the username in "email format" for use in Windows Active Directory (AD). The user's personal username is separated from a domain name by the "@" sign.

UPN suffixes are part of AD logon names. For example, if the logon name is administrator@ad.example.com, the part of the name to the right of the @ sign is known as the UPN suffix, in this case ad.example.com.

When you configure a new user account in AD, you are given the option to select a UPN suffix, which by default will be the DNS name for your AD domain. It can be useful to have a selection of UPN suffixes available. If your AD domain name is ad.example.com, it might be more convenient to assign users a UPN suffix of example.com. To make additional UPN suffixes available, you need to add them to AD.

Configuring Alternative Domain Names

When configuring Strong Authentication for Active Directory communication between the Endpoint Security client and the Endpoint Security Management Server, you can configure multiple UPN suffixes for the Active Directory domain name.
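The following added example (not Check Point code) shows how UPNs are split into user and suffix as described in the UPN section above, and how a list of user UPNs can be audited against the domain names configured in the Authentication Settings, so that any suffix still missing an entry is found before Strong Authentication is switched on. The configured domain set and the sample UPNs are constructed for the example.

```python
"""Added example (not Check Point code): parse User Principal Names and check
their suffixes against the domain names configured for Active Directory
Authentication. The configured domain set and the sample UPNs are constructed
for this example."""
from __future__ import annotations

# Constructed sample: the originally configured domain name plus an alternative
# domain name, as added through Manage > Endpoints Authentication Settings.
CONFIGURED_DOMAIN_NAMES = {"nac1.com", "ad.nac1.com"}


def split_upn(upn: str) -> tuple[str, str]:
    """Split 'user@suffix' into (user, suffix).

    A UPN contains exactly one '@'; everything to its right is the UPN suffix.
    Anything else is rejected rather than guessed at.
    """
    if upn.count("@") != 1:
        raise ValueError(f"not a UPN (expected exactly one '@'): {upn!r}")
    user, suffix = upn.split("@")
    if not user or not suffix:
        raise ValueError(f"empty user or suffix in UPN: {upn!r}")
    return user, suffix


def normalize_domain(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def upn_suffix_is_configured(upn: str, domains=CONFIGURED_DOMAIN_NAMES) -> bool:
    """True if the UPN suffix matches one of the configured domain names."""
    _, suffix = split_upn(upn)
    return normalize_domain(suffix) in {normalize_domain(d) for d in domains}


def unconfigured_suffixes(upns, domains=CONFIGURED_DOMAIN_NAMES) -> set[str]:
    """Suffixes seen in `upns` that have no matching configured domain name.

    Run this over the UPNs of the users who will log in through Strong
    Authentication: every suffix returned needs its own entry in the
    Authentication Settings before those users' tickets will be accepted.
    Malformed names are skipped; they are a data problem, not a suffix gap.
    """
    configured = {normalize_domain(d) for d in domains}
    missing: set[str] = set()
    for upn in upns:
        try:
            _, suffix = split_upn(upn)
        except ValueError:
            continue
        if normalize_domain(suffix) not in configured:
            missing.add(normalize_domain(suffix))
    return missing


if __name__ == "__main__":
    sample = ["alice@nac1.com", "bob@AD.NAC1.COM", "carol@corp.nac1.com", "not-a-upn"]
    print(unconfigured_suffixes(sample))  # {'corp.nac1.com'}
```

The comparison is case-insensitive and ignores a trailing dot because DNS names are; a ticket for bob@AD.NAC1.COM belongs to the same realm as one for bob@ad.nac1.com.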

To Configure Additional UPN Suffixes for Active Directory Authentication

  1. In SmartEndpoint open Manage > Endpoints Authentication Settings.

    The Authentication Settings Properties window opens.

  2. Click Add.

    The New Authentication Principal Properties window opens.

  3. In the Domain name field, enter the alternative Active Directory domain name. For example, if the previously configured domain name is nac1.com, add an alternative domain name such as ad.nac1.com.

  4. Configure the other fields with the same values as the previously configured authentication settings:

    • Principal Name

    • Version Key

    • Encryption Method

    • Password

  5. Click OK.

  6. Save the changes. Go to the Policy tab of SmartEndpoint, and in the Policy Toolbar, click Save.

Troubleshooting Authentication in Server Logs

To troubleshoot problems related to Active Directory Authentication, use the Authentication log on the Endpoint Security Management Server or Endpoint Policy Server (the Endpoint Policy Server improves performance in large environments by managing most communication with the Endpoint Security clients, which decreases the load on the Endpoint Security Management Server and reduces the bandwidth required between sites; it handles heartbeat and synchronization requests, Policy downloads, Anti-Malware updates, and Endpoint Security client logs). The log is the $UEPMDIR/logs/Authentication.log file.

To see full debugging information in the Authentication.log file on an Endpoint Security server:

  1. On the Endpoint Security server, run:

    export TDERROR_ALL_KERBEROS_SERVER=5

  2. Restart the Endpoint Security server. Run:

    uepm_stop ; uepm_start

Results in Authentication.log

  • If the Authentication.log file on the server shows:

    ERROR: Config file contains no principals

    The database was cleaned or the process to include authentication in the client package was faulty. To fix:

    1. Repeat the process to configure Active Directory authentication (See Configuring Active Directory Authentication).

    2. Make a new client package.

    3. Restart the Endpoint Security server:

      reboot

  • If the Authentication.log file on the server shows:

    Permission denied in replay cache code

    Restart the Endpoint Security server:

    reboot

  • If the Authentication.log file on the server shows:

    Clock skew too great

    • Make sure that the Endpoint Security Management Server and all clients are synchronized with the Active Directory server.

    • Make sure that in the Windows Date and Time Properties window, the Automatically adjust clock for daylight saving changes option has the same value (selected or cleared) for all computers in the system, including the Active Directory server.

    • The following workaround is not recommended, for security reasons, but is offered if you cannot fix the clock skew error with synchronization changes.

      To ensure that authentication occurs even if the clocks of the client, the Endpoint Security Management Server and the Active Directory server are out of sync, define an acceptable skew. By default, the authentication clock skew is 3600 seconds. You can change this in the Endpoint Security settings: in the $UEPMDIR/engine/conf/global.properties file, add this line:

      authentication.clockSkew.secs=<seconds>

      where you replace <seconds> with the clock skew in seconds that you want to allow.

  • If the Authentication.log file on the server shows:

    Key version number for principal in key table is incorrect

    Update the Key version number in the Active Directory SSO Configuration window.

    You might have changed the user that is mapped to the ktpass service (see Step 1 of 3: Configuring the Active Directory Server for Authentication).
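The clock-skew bullet above describes a setting (authentication.clockSkew.secs in $UEPMDIR/engine/conf/global.properties, default 3600 seconds) and a rejection condition ("Clock skew too great"). The following added example, which is illustrative code and not the product's own implementation, reads that setting from properties-file text the way a Java-style properties file is laid out, falls back to the documented default when the key is missing or malformed, and evaluates whether a given offset between a ticket timestamp and the server clock would be rejected. The properties text and the clock offsets are constructed for the example; how the real server parses the file is an assumption.

```python
"""Added example (not Check Point code): read the clock-skew tolerance as this
page describes it and decide whether a clock offset exceeds it.
The properties text and timestamps below are constructed."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Documented default when authentication.clockSkew.secs is not set.
DEFAULT_CLOCK_SKEW_SECS = 3600


def parse_properties(text: str) -> dict[str, str]:
    """Minimal parser for Java-style key=value properties text (assumed layout).

    Blank lines and lines starting with '#' or '!' are ignored; the first '='
    separates key from value. A later duplicate key overrides an earlier one.
    """
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def clock_skew_secs(props: dict[str, str]) -> int:
    """Effective skew tolerance: the configured value, or the 3600 s default.

    A non-numeric or negative value is treated as unset, so a typo in
    global.properties falls back to the default instead of either rejecting
    every ticket (skew 0) or accepting any timestamp.
    """
    raw = props.get("authentication.clockSkew.secs")
    if raw is None:
        return DEFAULT_CLOCK_SKEW_SECS
    try:
        value = int(raw)
    except ValueError:
        return DEFAULT_CLOCK_SKEW_SECS
    return value if value >= 0 else DEFAULT_CLOCK_SKEW_SECS


def offset_secs(ticket_time: datetime, server_time: datetime) -> float:
    """Signed difference (ticket minus server) in seconds."""
    return (ticket_time - server_time).total_seconds()


def skew_too_great(offset: float, skew_secs: int) -> bool:
    """True if the absolute offset exceeds the allowed skew.

    This is the condition behind the 'Clock skew too great' message: a
    timestamp too far from the server clock is rejected whether the client
    is ahead or behind. An offset exactly equal to the tolerance is allowed.
    """
    return abs(offset) > skew_secs


# Constructed sample of global.properties content.
SAMPLE_PROPERTIES = """\
# global.properties (constructed sample)
some.other.setting = true
authentication.clockSkew.secs=300
"""

if __name__ == "__main__":
    skew = clock_skew_secs(parse_properties(SAMPLE_PROPERTIES))
    server = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    client = server - timedelta(minutes=20)  # client clock 20 minutes behind
    off = offset_secs(client, server)
    print(skew, off, skew_too_great(off, skew))  # 300 -1200.0 True
```

Raising the tolerance hides the symptom rather than fixing it: a wider window means a replayed or stale ticket stays valid for longer, which is why the page recommends synchronizing clocks first and treats the setting as a last resort.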

To turn off full debugging information on the Endpoint Security server:

  1. On the Endpoint Security server, unset the debug variable:

    unset TDERROR_ALL_KERBEROS_SERVER

  2. Make sure that the output is empty:

    echo $TDERROR_ALL_KERBEROS_SERVER

  3. Restart the Endpoint Security server. Run:

    uepm_stop ; uepm_start

Troubleshooting Authentication in Client Logs

The Authentication.log file for each Endpoint Security client is on the client computer at %DADIR%/logs.

A normal log is:

[KERBEROS_CLIENT(KerberosLogger_Events)] : Credentials acquired for John@ACME-DOM.COM
[KERBEROS_MESSAGE(KerberosLogger_Events)] : Message is Empty.
[KERBEROS_CLIENT(KerberosLogger_Events)] : Security context is not yet established.continue needed.

If the Authentication.log file on the client shows:

No authority could be contacted for authentication.

The Endpoint Agent cannot find a Domain Controller to supply credentials.

To fix this:

  1. Make sure that the client is in the domain and has connectivity to your Domain Controller.

  2. To authenticate with user credentials, log off and then log in again.

    To authenticate with device credentials, restart the computer.

If the Authentication.log file on the client shows:

The specified target is unknown or unreachable

Check the service name. Make sure that there are no typing errors and that the format is correct.

If there was an error, correct it on the Check Point Endpoint Security Management Server.
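The server and client troubleshooting sections above each map a log message to a documented cause and fix. The following added example (illustrative code, not a Check Point tool) runs that mapping over Authentication.log lines: it counts how often each documented condition occurs, counts successful credential acquisitions, and keeps any ERROR line that matches none of the documented messages so that an undocumented failure is not silently dropped. The sample log lines are constructed; the message strings and the fixes are the ones listed on this page.

```python
"""Added example (not Check Point code): triage Authentication.log lines from
the Endpoint Security server and client against the conditions this page
documents. The sample log is constructed."""
from __future__ import annotations

# (substring of the log message, which side logs it, documented fix)
KNOWN_CONDITIONS = [
    ("Config file contains no principals", "server",
     "Reconfigure Active Directory authentication, make a new client package, "
     "then reboot the Endpoint Security server."),
    ("Permission denied in replay cache code", "server",
     "Reboot the Endpoint Security server."),
    ("Clock skew too great", "server",
     "Synchronize the Management Server and clients with the AD server; check the "
     "daylight-saving setting is the same on all computers."),
    ("Key version number for principal in key table is incorrect", "server",
     "Update the Key version number in the Active Directory SSO Configuration window."),
    ("No authority could be contacted for authentication", "client",
     "Confirm domain membership and Domain Controller connectivity; log off and on "
     "(user credentials) or restart (device credentials)."),
    ("The specified target is unknown or unreachable", "client",
     "Check the service name for typing errors and format on the Management Server."),
]


def classify_line(line: str):
    """Return (message, side, fix) for a documented condition, else None."""
    lowered = line.lower()
    for needle, side, fix in KNOWN_CONDITIONS:
        if needle.lower() in lowered:
            return needle, side, fix
    return None


def triage(lines) -> dict:
    """Summarize a log: per-condition counts with their fixes, the number of
    successful credential acquisitions, and ERROR lines nobody recognized."""
    counts: dict[str, int] = {}
    fixes: dict[str, str] = {}
    acquired = 0
    unmatched_errors: list[str] = []
    for line in lines:
        if "Credentials acquired for" in line:
            acquired += 1  # the healthy case shown in the normal client log
            continue
        hit = classify_line(line)
        if hit:
            needle, _side, fix = hit
            counts[needle] = counts.get(needle, 0) + 1
            fixes[needle] = fix
        elif "ERROR" in line.upper():
            unmatched_errors.append(line)
    return {
        "conditions": counts,
        "fixes": fixes,
        "credentials_acquired": acquired,
        "unmatched_errors": unmatched_errors,
    }


# Constructed sample mixing the page's client-log format with server messages.
SAMPLE_LOG = """\
[KERBEROS_CLIENT(KerberosLogger_Events)] : Credentials acquired for John@ACME-DOM.COM
[KERBEROS_MESSAGE(KerberosLogger_Events)] : Message is Empty.
ERROR: Config file contains no principals
Clock skew too great
Clock skew too great
[KERBEROS_CLIENT(KerberosLogger_Events)] : No authority could be contacted for authentication.
ERROR: constructed message that this page does not document
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for message, n in summary["conditions"].items():
        print(f"{n}x {message}: {summary['fixes'][message]}")
    print("credentials acquired:", summary["credentials_acquired"])
    print("unrecognized ERROR lines:", summary["unmatched_errors"])
```

Matching is on message substrings rather than whole lines because the server and client prefix their messages differently, as the normal client log above shows.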