Multi-Realm Authentication Support
One of the ways DLP authenticates users is by querying the Active Directory servers configured in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on). If a legitimate user has accounts on several AD servers, each with a different password, authentication can fail: DLP validates the supplied credentials against the first AD server to respond, which is not necessarily the server that holds the account the user is logging in with. To prevent this failure, and to reduce the load created by querying every AD server on each request, you can define which AD servers DLP queries when:
- A user enters credentials for the DLP portal or the UserCheck agent
- DLP looks up an email address extracted from SMTP traffic to identify a user
To define the AD servers using Database Tool (GuiDBEdit Tool):
- Open Database Tool (GuiDBEdit Tool).
- On the Tables tab, open Other > authentication_objects.
- In the Object Name column, select DLPSenderRealm.
- In the Field Name column, double-click the ldap_au container. The Add/Edit Element window opens.
- In the Object list, select only those servers that DLP must query for authentication. On a network that contains ten AD servers, perhaps only two of them need to be queried; edit the list so that it contains only the required AD servers.
Note - These AD servers must first be defined in SmartConsole. Only servers that appear in the Object list can be selected.
- Click OK.
- Save the database and close Database Tool (GuiDBEdit Tool).
- Install the updated policy on the DLP-enabled gateway.
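The same edit can be scripted with dbedit, the command-line counterpart of GuiDBEdit, which is useful when the realm has to be set identically on more than one management server or re-applied after a restore. The command file below is an added example and is not taken from the Check Point documentation: the AD server names AD-Corp-01, AD-Corp-02 and AD-Branch-03 are assumed, and the servers:<name> form used for elements of the ldap_au container is an assumption that must be confirmed against the output of the print command before the addelement and rmelement lines are run.

```text
# Added example, not Check Point's documentation. Run on the Management Server with:
#   dbedit -local -f dlp_sender_realm.txt
# Step 1: dump the current DLPSenderRealm object, including the ldap_au container,
#         and check the exact syntax of the existing element references.
print authentication_objects DLPSenderRealm
# Step 2: drop the AD server that DLP must not query, then add only the required ones.
#         (Server names and the "servers:" reference prefix are assumptions.)
rmelement authentication_objects DLPSenderRealm ldap_au servers:AD-Branch-03
addelement authentication_objects DLPSenderRealm ldap_au servers:AD-Corp-01
addelement authentication_objects DLPSenderRealm ldap_au servers:AD-Corp-02
# Step 3: commit the modified object and save the database; install policy afterwards.
update authentication_objects DLPSenderRealm
savedb
quit
```

Run print a second time after savedb to confirm that the container now lists exactly the servers DLP should query, then install policy on the DLP gateway from SmartConsole as in the GUI procedure. The lines beginning with # explain the steps to the reader; strip them before passing the file to dbedit -f, since dbedit's treatment of comment lines is not relied on here.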