Unable to authenticate using Active Directory (AD)

book

Article ID: 160208

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Inability to authenticate using Active Directory.

Resolution

To determine whether authentication is possible:

1. Test the connectivity with the kinit command to make sure the credentials are correct.

To determine whether authentication is possible using kinit:

    • If you have Vontu installed, the tool is available in c:\Vontu\jre\bin
    • If you dont have Vontu installed:
      -- Download java 6.
      -- In the java\jdk1.6.0\bin directory, find a tool called "kinit"

Kinit is a simple command line tool. The input is username and password. It will respond back with success (some message about a new ticket) or failure and an exception. The password appears in cleartext on the screen. Customers need to be aware of this. 

When set up for the first time, it may complain about a missing krb5.ini file. Modify the krb5.ini file provided in protect\config appropriately and put it at the location asked for.

2. Ensure that the user has an assigned role. Without a role, the user cannot log in to the system.

To assign a role:

  • Log into the Enforce UI
  • Go to Administration -> Users -> Users
  • Select the User in question
  • Check the box for the appropriate role for that user and save changes

If no roles are set up, you will need to set one up under Administration -> Users -> Roles. Click the Add a Role tab. Then name and define your role.  Save changes when you are finished.

NOTE:  If Vontu services come online before all the Oracle database services, AD logins might not work until the Vontu services are restarted.  In this case, it is recommended to set the “Vontu Manager” service to have a dependency on the “Oracleservice[username]” service.

See also: 

TECH220609:  Tips on setting up Active Directory Authentication