Thursday, March 27, 2014

Transparent Kerberos SSO with multiple GWs

Check Point Identity Awareness is a neat feature, especially with browser-based transparent SSO authentication. It is also a challenging one. There is a lot of configuration to do on the AD side, and that is not a strong domain for some FW administrators. For example, I specifically started working with Check Point to be as far away as possible from the turmoil of Windows administration.

Jokes aside, there is something that the Check Point documentation does not cover clearly enough.

With Kerberos, one has to configure a Kerberos Principal Name for a user account. The Identity Awareness Admin Guide covers this point fairly well, on pages 58-59 (R77 version of the document). There is a caveat though. The document is written under the assumption that there is only a single FW or cluster enforcing user identity with Kerberos. The ktpass command shown in the document for mapping the Kerberos parameters to the user account only works for a single portal URL.

What if one has more than one GW? Ktpass is of no use here. Instead, administrators have to edit servicePrincipalName with the Multi-valued String Editor and add multiple URLs there, so that IA works for the same user account through multiple Identity Awareness enabled gateways. To simplify the config, just refer to the screenshot below.
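The same change can be scripted instead of clicked through the Multi-valued String Editor. The following PowerShell is an added example written for this post, not code from Check Point or from the R77 guide. It assumes the ActiveDirectory module on a domain-joined admin host, a service account name (svc-ckp-ia) and the portal FQDNs of each gateway or cluster, all of which are placeholders to replace. It adds one HTTP/<portal FQDN> SPN per gateway to the shared account, refuses to add an SPN that is already registered elsewhere in the forest (a duplicate SPN is the usual reason Kerberos SSO silently falls back to the captive portal), and then lists what the account ends up with.

```powershell
# Added example (not from the post or Check Point): register one HTTP/<portal FQDN>
# SPN per Identity Awareness gateway on the shared Kerberos account, then verify.
# Assumed values, replace with your own: the account name and the portal FQDNs.
Import-Module ActiveDirectory

$KerberosAccount = 'svc-ckp-ia'                # assumed sAMAccountName of the IA account
$PortalFqdns = @(                              # assumed portal FQDNs, one per GW or cluster
    'gw1.example.corp',
    'gw2.example.corp',
    'cluster-a.example.corp'
)

$Account = Get-ADUser -Identity $KerberosAccount -Properties servicePrincipalName
$Current = @($Account.servicePrincipalName)

foreach ($Fqdn in $PortalFqdns) {
    $Spn = "HTTP/$Fqdn"

    if ($Current -contains $Spn) {
        Write-Host "$Spn already present on $KerberosAccount, skipping."
        continue
    }

    # An SPN must be unique in the forest: if another object already holds it,
    # adding it here would break Kerberos for both holders, so stop and report.
    $Owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
    if ($Owner -and $Owner.DistinguishedName -ne $Account.DistinguishedName) {
        Write-Warning "$Spn is already registered on $($Owner.DistinguishedName); not adding it."
        continue
    }

    # Same effect as adding the value in the Multi-valued String Editor.
    Set-ADUser -Identity $KerberosAccount -ServicePrincipalNames @{Add = $Spn}
    Write-Host "Added $Spn to $KerberosAccount."
}

# Verify: every portal FQDN should now appear on the account.
$Registered = @((Get-ADUser -Identity $KerberosAccount -Properties servicePrincipalName).servicePrincipalName)
foreach ($Fqdn in $PortalFqdns) {
    $Spn = "HTTP/$Fqdn"
    if ($Registered -contains $Spn) { Write-Host "$Spn : OK" } else { Write-Warning "$Spn : MISSING" }
}

# Cross-check with the native tool; -L lists the SPNs on the account.
setspn -L $KerberosAccount
```

The SPN value must match the host name the browser actually resolves for the portal URL (the name in the address bar, not a CNAME target), since that is the service name the client requests a ticket for. If a user still gets the captive portal on one gateway only, compare that gateway's portal FQDN against the setspn -L output before touching anything else.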


  1. Great post thanks.

    We just had one where we had to put a \2f escape character into the DN=, along with some really intricate AU config. Only the developers could figure it out. I'm trying to figure out whether this is a CP issue or an AD problem in general with all vendors.

    1. Honestly, I do not have a clue. I would assume though there is something about Kerberos parsing on the CP side.