Active Directory authentication fails, while kinit testing is successful


Article ID: 160180



Data Loss Prevention Enforce


You have configured Active Directory authentication for Enforce according to the Administration Guide, and you are able to test the credentials using kinit, but the authentication fails when tested from the Enforce login prompt.


Ensure that UDP port 88 is open between the Enforce server and the Active Directory domain controller (the "KDC" specified in the user interface or the krb5.ini/krb5.conf file). Port 88 is the required port for Kerberos.



In some cases, kinit succeeds where the Enforce authentication fails, because kinit is able to function using TCP port 88, whereas the Enforce UI requires UDP.

You should also make sure that the krb5.conf (or krb5.ini) file is readable by the 'protect' user account, or whatever user runs the Vontu Manager service. This is especially important on a Linux installation, where the file may only be readable by root if that user created it originally. To correct this on Linux, run the following commands on the Enforce server (log in as root, and correct the user, group and file names to match your system):

cd [path to krb5.conf file]

chown protect:protect krb5.conf

chmod 744 krb5.conf
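
The readability check described above, as an added example that is not part of the original article: it reports what stops a given account from reading krb5.conf, and goes one step beyond the article by also checking that every parent directory is searchable by that account. The function names are hypothetical, and it assumes GNU stat and readlink on Linux.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat/readlink on
# Linux and judges by owner/group/mode bits only (ACLs and SELinux are ignored).

# perm_digit UID "GID ..." PATH: print the octal digit (owner, group or other
# class) that applies to that identity on PATH.
perm_digit() {
    pd_stat=$(stat -c '%u %g %a' "$3") || return 2
    pd_owner=${pd_stat%% *}
    pd_rest=${pd_stat#* }
    pd_group=${pd_rest%% *}
    pd_mode=$(printf '%04d' "${pd_rest#* }")  # pad: 744 -> 0744, 1777 stays
    pd_mode=${pd_mode#?}                       # drop setuid/setgid/sticky digit
    if [ "$1" = "$pd_owner" ]; then
        pd_mode=${pd_mode%??}
    else
        case " $2 " in
            *" $pd_group "*) pd_mode=${pd_mode#?}; pd_mode=${pd_mode%?} ;;
            *) pd_mode=${pd_mode#??} ;;
        esac
    fi
    printf '%s\n' "$pd_mode"
}

# krb5_read_blockers UID "GID ..." FILE: print every path component that stops
# that identity from reading FILE (nothing printed means readable).
krb5_read_blockers() {
    if [ "$1" -eq 0 ]; then return 0; fi       # root bypasses mode bits
    kb_path=$(readlink -f "$3") || return 2
    kb_bit=4                                   # the file itself needs read (r)
    while :; do
        kb_d=$(perm_digit "$1" "$2" "$kb_path") || return 2
        if [ $(( $kb_d & $kb_bit )) -eq 0 ]; then printf '%s\n' "$kb_path"; fi
        if [ "$kb_path" = / ]; then break; fi
        kb_path=$(dirname "$kb_path")
        kb_bit=1                               # each parent needs search (x)
    done
}

# check_krb5_conf USER FILE: exit status 0 if USER can read FILE, 1 if not.
check_krb5_conf() {
    cu_uid=$(id -u "$1") || return 2
    cu_out=$(krb5_read_blockers "$cu_uid" "$(id -G "$1")" "$2") || return 2
    if [ -n "$cu_out" ]; then
        printf 'not accessible to %s:\n%s\n' "$1" "$cu_out" >&2
        return 1
    fi
}
# e.g. check_krb5_conf protect /path/to/krb5.conf   (run as root)
```

A file that passes this check can still be blocked by ACLs or SELinux policy, which the script does not inspect.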