Symantec Data Loss Prevention (DLP) is set up with Active Directory (AD) authentication, and logging in with the DLP-created AD account fails with the standard error: "Invalid Username/Password or Disabled Account".
In the log file we can see the following:
Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.conf=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:58,976- Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.realm=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:59,508- Thread: 13 INFO [com.vontu.manager.security.IpCatcherValve] Unsuccessful login attempt for user (XXX) at IP address: ..
Additionally, AD logs Event ID 4768 (a Kerberos authentication ticket (TGT) was requested).
Product: Symantec Data Loss Prevention
Cause: Customized AD environment with non-standard Kerberos settings
The default and common encryption types that both Windows Kerberos and MIT Kerberos (the Java implementation) support are RC4-HMAC, DES-CBC-CRC and DES-CBC-MD5.
If the Kerberos client on the Enforce side needs to handle an encryption type other than these defaults, for example DES3-CBC-SHA1, add it to the enctype lists in krb5.conf:
[libdefaults]
    default_realm = MY.REALM.COM
    default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
    default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5

[realms]
    MY.REALM.COM = {
        kdc = KDC1.MY.REALM.COM
        kdc = KDC2.MY.REALM.COM
    }
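A quick way to confirm the mismatch before editing the file is to compare the "Ticket Encryption Type" code that Event 4768 reports against the enctype lists in krb5.conf. The script below is an added example, not Symantec's code; it assumes the event's enctype code has been read from the Windows event (0x10 is DES3-CBC-SHA1) and uses a constructed krb5.conf sample.

```python
import re

# Enctype numbers from RFC 3961 / RFC 4757, as shown (in hex) in the
# "Ticket Encryption Type" field of AD Event ID 4768, mapped to the
# names used in krb5.conf enctype lists.
ENCTYPE_BY_CODE = {
    0x01: "des-cbc-crc",
    0x03: "des-cbc-md5",
    0x10: "des3-cbc-sha1",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac",
}

def parse_libdefaults(conf_text):
    """Return the key = value pairs of the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        header = re.match(r"\[(\w+)\]$", line)        # e.g. [realms]
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key] = val
    return values

def enctype_list(value):
    """Split 'RC4-HMAC, DES-CBC-CRC,DES3-CBC-SHA1' into lowercase enctype names."""
    return [t.lower() for t in re.split(r"[,\s]+", value) if t]

def missing_enctype(conf_text, event_enctype_code):
    """Return the krb5.conf enctype keys that omit the enctype Event 4768 reported."""
    name = ENCTYPE_BY_CODE.get(event_enctype_code)
    if name is None:
        raise ValueError(f"unknown enctype code 0x{event_enctype_code:x}")
    libdefaults = parse_libdefaults(conf_text)
    return [key for key in ("default_tkt_enctypes", "default_tgs_enctypes")
            if name not in enctype_list(libdefaults.get(key, ""))]

# Constructed sample: a krb5.conf that still lacks the DES3-CBC-SHA1 entry.
SAMPLE_CONF = """[libdefaults]
default_realm = MY.REALM.COM
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES-CBC-MD5
[realms]
MY.REALM.COM = { kdc = KDC1.MY.REALM.COM }
"""
```

Running `missing_enctype(SAMPLE_CONF, 0x10)` names both enctype keys, which is exactly the case the fix above addresses; an empty list means the config already covers the enctype the KDC issued.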