Background:
Check Point users faced an issue when they wanted to change their expired passwords when logging into to the VPN via the SecureClient. Although they had been prompted to change password their attempts were not successful.
I did some investigation into this and discovered that SSL needs to be allowed for LDAP communication for credentials changes.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk40735
Symptoms
- SecureClient user unable to change password when it expires while authenticating through LDAP server.
- Error seen in Log Viewer: “reason: Client Encryption: Failed to modify password, LDAP Error.”
- Error seen on SecureClient: “Negotiation with gateway <gateway_name> at site <site_name> has failed. Failed to modify password, LDAP error.”
Cause
Windows AD is denying changing passwords over unencrypted channel.
Solution
1. Enable SSL Encryption in the LDAP Account unit. Select ‘Manage –> Servers and OPSEC Applications –> LDAP Account Unit‘.
2. Under the Servers tab, after completing General tab, select Encryption tab.
3. Select “Use Encryption (SSL)“.
4. Port will be 636.
5. Fetch the server’s fingerprint.
6. Click “ok“, to save “ok” to exit LDAP Account Unit Properties
7. Click “close” on Servers and OPSE Applications