
[FW-1] Check Point NG and Windows 2000 LDAP password expired issue solved


  • To: [email protected]
  • Subject: [FW-1] Check Point NG and Windows 2000 LDAP password expired issue solved
  • From: "Palmer, Kevin" <[email protected]>
  • Date: Fri, 19 Oct 2001 13:40:18 -0400
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-topic: Check Point NG and Windows 2000 LDAP password expired issue solved

Everyone,

I don't know how many people are using NG's ability to connect to a
Windows 2000 LDAP server, but I thought I'd share a recent experience.

Two Secure Client users were being denied access when they authenticated
using their Windows 2000 domain username and password. The message
displayed to the users and displayed in the log viewer stated that their
username and password had expired. All of the firewall user groups and
templates were set to expire in 2004. The users were still able to log
into Windows 2000 without the operating system asking them to change
their passwords. The problem turned out to be that Check Point does not
read the Windows 2000 user account "Password Never Expires" setting.
This issue could lead to a situation where half of a group of
identically configured users are unable to authenticate to the firewall.
Newly created user accounts would be allowed access while accounts
created 42 days ago would be denied access.

Commas in display names are another annoying issue. In order for NG to
display a list of user accounts, I had to remove all of the commas in
the display names. Instead of "Palmer, Kevin", I now have to use "Palmer
Kevin".

I hope these tips can save someone a few hours troubleshooting NG & W2K
LDAP.

Kevin Palmer
Network Engineer - MCSE+I, CCSE, CCNA
Granite Solutions, Inc.
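
An added example, not part of the original post and not Check Point code: a Python audit of exported directory entries that flags accounts likely to hit the two issues described in the message above. It assumes the firewall derives expiry from `pwdLastSet` plus the 42-day age mentioned in the post; `userAccountControl`, `pwdLastSet`, `displayName` and `sAMAccountName` are standard Active Directory attributes, and the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl bit behind "Password never expires"
MAX_PWD_AGE = timedelta(days=42)  # 42-day age from the post; assumed to be the domain policy
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the constructed sample."""
    return int((moment - FILETIME_EPOCH).total_seconds()) * 10_000_000


def audit(entries, now):
    """Return {sAMAccountName: [findings]} for accounts likely to be affected."""
    report = {}
    for entry in entries:
        findings = []
        never_expires = int(entry["userAccountControl"]) & DONT_EXPIRE_PASSWD
        age = now - filetime_to_datetime(entry["pwdLastSet"])
        # Windows still accepts the logon, but a reader that ignores the flag
        # and looks only at password age would treat the account as expired.
        if never_expires and age > MAX_PWD_AGE:
            findings.append("password-age-ignored-flag")
        if "," in entry.get("displayName", ""):
            findings.append("comma-in-display-name")
        if findings:
            report[entry["sAMAccountName"]] = findings
    return report


NOW = datetime(2001, 10, 19, tzinfo=timezone.utc)
# Constructed sample: (account, display name, userAccountControl, password age in days)
ROWS = [("jdoe", "Doe, Jane", 66048, 60), ("asmith", "Smith Alan", 66048, 10),
        ("bjones", "Jones Bob", 512, 60), ("clee", "Lee, Chris", 512, 5)]
SAMPLE = [{"sAMAccountName": name, "displayName": display,
           "userAccountControl": str(uac),
           "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=days)))}
          for name, display, uac, days in ROWS]

if __name__ == "__main__":
    for account, findings in audit(SAMPLE, NOW).items():
        print(account, ", ".join(findings))
```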

   All contents © 2004 Network Presence, LLC. All rights reserved.