Active Directory authentication fails, while kinit testing is successful

Article ID: 160180

Products

Data Loss Prevention Enforce

Issue/Introduction

You have configured Active Directory authentication for Enforce according to the Administration Guide, and the credentials test successfully with kinit, but authentication fails when the same credentials are entered at the Enforce login prompt.

Resolution

Ensure that UDP port 88 is open between the Enforce server and the Active Directory domain controller (the "KDC" specified in the user interface or in the krb5.ini/krb5.conf file). Port 88 is the port Kerberos uses, on both UDP and TCP; the Enforce login path needs UDP 88, so check that transport specifically rather than relying on a TCP connect test alone.

In some cases kinit succeeds where the Enforce authentication fails, because kinit can fall back to TCP port 88, whereas the Enforce UI requires UDP. Enforce runs on Java, and the Java Kerberos client tries UDP first by default; if UDP 88 cannot be opened on the firewall, setting udp_preference_limit = 1 in the [libdefaults] section of krb5.conf (or krb5.ini) makes the Java Kerberos client use TCP only. That setting is a general Java Kerberos option rather than an Enforce-specific one; opening UDP 88 remains the documented fix.

You should also make sure that the krb5.conf (or krb5.ini) file is readable by the 'protect' user account, or whichever user runs the Vontu Manager service. This is especially important on a Linux installation, where the file may be readable only by root if root created it. A quick check is to read the file as that user, for example sudo -u protect cat /path/to/krb5.conf; a "Permission denied" error confirms the problem. To correct it on Linux, run the following commands on the Enforce server (log in as root, and adjust the user, group and path to match your system):

cd [path to krb5.conf file]

chown protect:protect krb5.conf

chmod 644 krb5.conf

Mode 644 is sufficient: krb5.conf contains no secrets, so world-readable is normal, but it is a data file and needs no execute bit.
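The two checks above can be run together. The script below is an added diagnostic written for this article; it is not part of the KB article or the Enforce product. It builds one minimal Kerberos AS-REQ (no pre-authentication, so any KDC answers with a KRB-ERROR such as PREAUTH_REQUIRED or C_PRINCIPAL_UNKNOWN, which is enough to prove the path) and sends it to every KDC listed in a krb5.conf, once over UDP and once over TCP, reporting which transport gets a reply. Run it as the service account (for example sudo -u protect python3 kdcprobe.py /etc/krb5.conf) so that opening the file is itself the readability test. The file name kdcprobe.py, the principal 'probe', the fallback realm EXAMPLE.COM and the host names in the test data are assumptions, not values from the article.

```python
"""kdcprobe.py: send one minimal Kerberos AS-REQ to every KDC in a krb5.conf
over UDP and over TCP and report which transport answers.

Added diagnostic, not part of the KB article or the Enforce product.
Assumptions: principal 'probe', fallback realm EXAMPLE.COM, port 88."""
import re
import socket
import sys
import time

KDC_PORT = 88

# ---- minimal DER encoder, only the types an AS-REQ needs ----
def der_len(n):
    """DER length: short form below 128, else 0x80|len(bytes) then the bytes."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n, body):                 # [n] EXPLICIT context tag, constructed
    return tlv(0xA0 | n, body)

def integer(i):                   # non-negative INTEGER, minimal two's complement
    return tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, 'big'))

def gstring(s):                   # KerberosString and Realm are GeneralString
    return tlv(0x1B, s.encode('ascii'))

def seq(*items):
    return tlv(0x30, b''.join(items))

def principal(name_type, *parts):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*map(gstring, parts))))

def build_as_req(user, realm, nonce=0x12345678):
    """AS-REQ = [APPLICATION 10] KDC-REQ (RFC 4120 5.4.1), no padata."""
    till = time.strftime('%Y%m%d%H%M%SZ', time.gmtime(time.time() + 36000))
    body = seq(
        ctx(0, tlv(0x03, b'\x00' + b'\x00\x00\x00\x10')),  # kdc-options: renewable-ok
        ctx(1, principal(1, user)),                        # cname, NT-PRINCIPAL
        ctx(2, gstring(realm)),
        ctx(3, principal(2, 'krbtgt', realm)),             # sname, NT-SRV-INST
        ctx(5, tlv(0x18, till.encode('ascii'))),           # till, KerberosTime
        ctx(7, integer(nonce)),
        ctx(8, seq(integer(18), integer(17), integer(23))),  # etype: AES256, AES128, RC4
    )
    return tlv(0x6A, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))

def reply_kind(data):
    """Classify a KDC reply by its outer APPLICATION tag."""
    return {0x6B: 'AS-REP', 0x7E: 'KRB-ERROR'}.get(data[0] if data else None, 'unknown')

def probe_udp(host, port, req, timeout=3.0):
    """UDP has no handshake: a reply proves the path, silence means a drop."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(req, (host, port))
        return reply_kind(s.recvfrom(65535)[0])
    except OSError:               # timeout, ICMP unreachable, name resolution
        return None
    finally:
        s.close()

def probe_tcp(host, port, req, timeout=3.0):
    """Kerberos over TCP prefixes each message with a 4-byte big-endian length."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(len(req).to_bytes(4, 'big') + req)
            hdr = s.recv(4)
            if len(hdr) < 4:
                return None
            want, data = int.from_bytes(hdr, 'big'), b''
            while len(data) < want:
                chunk = s.recv(want - len(data))
                if not chunk:
                    break
                data += chunk
            return reply_kind(data)
    except OSError:
        return None

def kdcs_from_conf(text):
    """All 'kdc = host[:port]' entries in the file, regardless of realm block."""
    return [(h, int(p) if p else KDC_PORT)
            for h, p in re.findall(r'^\s*kdc\s*=\s*([^\s:]+)(?::(\d+))?', text, re.M)]

if __name__ == '__main__':
    path = sys.argv[1] if len(sys.argv) > 1 else '/etc/krb5.conf'
    conf = open(path).read()      # raises PermissionError if this user cannot read it
    m = re.search(r'^\s*default_realm\s*=\s*(\S+)', conf, re.M)
    req = build_as_req('probe', m.group(1) if m else 'EXAMPLE.COM')
    for host, port in kdcs_from_conf(conf):
        print(f'{host}:{port} udp={probe_udp(host, port, req)} tcp={probe_tcp(host, port, req)}')
```

A line such as dc01.example.com:88 udp=None tcp=KRB-ERROR reproduces the symptom in the article: the KDC is reachable over TCP (kinit works) while UDP 88 is dropped (the Enforce login fails). udp=KRB-ERROR tcp=KRB-ERROR means the network path is fine on both transports and the file permissions or the configuration itself should be examined next.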

See TECH220609 Tips on setting up Active Directory Authentication for more general information on configuring Active Directory authentication.