You want to configure Active Directory authentication for Symantec Data Loss Prevention (DLP), and troubleshoot problems.
Verify the following when setting up Active Directory authentication for DLP:
When configuring your domains for AD authentication in DLP it's very important that all domain names be capitalized. This applies to domain (realm) names entered on the System Settings page in the DLP UI and also for domains listed in the KRB5.INI file.
It is necessary to include the name of the file when specifying its location in the System Settings page of the DLP UI. Failure to do so may result in login issues with all users, including the DLP Administrator account.
When setting up Active Directory authentication you need to make sure that domain user names match what has been created in the Users section of the DLP UI. Also, remember that DLP user names are case-sensitive even if Active Directory is not.
For example, in DLP, you can define two apparently identical user names; Jsmith and jsmith. The difference is only in the case of the first letter, but DLP considers them to be unique since the user names are case-sensitive. Both names, if entered, would authenticate against a domain user name jsmith. However, if the DLP user is created as JSMITH and you attempt a login as jsmith you will get a login failure message.
It is not sufficient to create a user in DLP that matches an existing domain user. The user must also be assigned to a role within DLP otherwise, you will be unable to login.
On Linux, this is done with the command "
service VontuManager restart". On Windows, restart the service from Task Manager.
When the Enforce server is Linux, the machine may try to use the file
/etc/krb5.conf instead of the krb5.ini file in the
/opt/Vontu/Protect/config directory. Try editing that file and specifying it (full path + filename) in the Enforce interface. (You may also wish to rename the krb5 file in the config directory so it cannot accidentally be used.).
For the same reason, if the Enforce server is Windows, a previous copy of krb5.ini exist in C:\Windows. Try editing that file and specifying it (full path + filename) in the Enforce interface.
See the DLP Administrator's Guide section titled: 'Verifying the Active Directory connection', for more information on using the "kinit" utility to test, as well as how to configure the system for Active Directory integration. This utility will help diagnose whether authorization is successful or not. Unless kinit shows a successful authentication, you are not likely to be able to log in from the Enforce interface.
If in a single-tier configuration, the Symantec DLP services may come online before all the Oracle database services, AD logins might not work until the Symantec DLP services are manually restarted. In this case, it is recommended to set the Symantec DLP Manager service (formerly “Vontu Manager”) to be dependent on the “Oracleservice[username]” service (usually OracleserviceProtect).
For the authentication process to succeed, UDP port 88 must be open between the Enforce server and the KDC (domain controller). Note that testing with kinit will not reveal this problem, because kinit is able to function over TCP port 88, whereas the Enforce server must use UDP port 88.
Ensure that the time on the Enforce server is accurately synchronized with the domain controller of the domain you are attempting to authenticate against. Discrepancies in time will cause Kerberos authentication failures.