Configure Active Directory Authentication for DLP

Article ID: 160207

Products

Data Loss Prevention Enforce

Issue/Introduction

You want to configure Active Directory authentication for Symantec Data Loss Prevention (DLP), and troubleshoot problems.

Resolution

Verify the following when setting up Active Directory authentication for DLP:

Realm names must always be capitalized

When configuring domains for AD authentication in DLP, it is very important that all domain (realm) names are entered in upper case. This applies to the realm names entered on the System Settings page in the DLP UI and to the realms listed in the KRB5.INI file.

Include the file name when specifying the path to the KRB5.INI or KRB5.CONF file

It is necessary to include the name of the file when specifying its location in the System Settings page of the DLP UI. Failure to do so may result in login issues with all users, including the DLP Administrator account.

Domain user names entered for login must match the user names defined in DLP

When setting up Active Directory authentication you need to make sure that domain user names match what has been created in the Users section of the DLP UI. Also, remember that DLP user names are case-sensitive even if Active Directory is not.

For example, in DLP you can define two apparently identical user names: Jsmith and jsmith. The only difference is the case of the first letter, but DLP treats them as distinct users because user names are case-sensitive. Either name, if entered at login, would authenticate against the domain user jsmith. However, if the DLP user is created as JSMITH and you attempt to log in as jsmith, you will get a login failure message.

Users must be part of a role in DLP to be able to log in

It is not sufficient to create a user in DLP that matches an existing domain user. The user must also be assigned to a role within DLP; otherwise, the user will be unable to log in.

After configuring DLP for Active Directory authentication, restart the Symantec DLP Manager (formerly Vontu Manager) Service

On Linux, this is done with the command "service VontuManager restart". On Windows, restart the service from Task Manager.

Try /etc/krb5.conf if Enforce is a Linux machine; check C:\Windows\krb5.ini if it is a Windows machine

When the Enforce server is Linux, the machine may use the file /etc/krb5.conf instead of the krb5.ini file in the /opt/Vontu/Protect/config directory. Try editing /etc/krb5.conf and specifying it (full path + file name) in the Enforce interface. (You may also wish to rename the krb5 file in the config directory so it cannot accidentally be used.)

For the same reason, if the Enforce server is Windows, a previous copy of krb5.ini may exist in C:\Windows. Try editing that file and specifying it (full path + file name) in the Enforce interface.

Use the "kinit" utility to test

See the DLP Administrator's Guide section titled 'Verifying the Active Directory connection' for more information on using the "kinit" utility to test, as well as how to configure the system for Active Directory integration. This utility helps diagnose whether Kerberos authentication against the domain succeeds. Unless kinit shows a successful authentication, you are not likely to be able to log in from the Enforce interface.

In Windows, configure Symantec DLP (formerly Vontu) services to depend on Oracle services

In a single-tier configuration, the Symantec DLP services may come online before all of the Oracle database services; when that happens, AD logins do not work until the Symantec DLP services are manually restarted. In this case, it is recommended to make the Symantec DLP Manager service (formerly "Vontu Manager") dependent on the "Oracleservice[username]" service (usually OracleserviceProtect).

Check port connectivity

For the authentication process to succeed, UDP port 88 must be open between the Enforce server and the KDC (domain controller). Note that testing with kinit will not reveal this problem, because kinit is able to function over TCP port 88, whereas the Enforce server must use UDP port 88.

Check Time Synchronization

Ensure that the time on the Enforce server is accurately synchronized with the domain controller of the domain you are attempting to authenticate against. Discrepancies in time will cause Kerberos authentication failures.