Symantec Data Loss Prevention (DLP) is setup with Active Directory (AD) authentication and is trying to login using the DLP created AD account and getting the standard error: “Invalid Username/Password or Disabled Account”.

"Invalid Username/Password or Disabled Account"

In the log file we can see the following:
Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.conf=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:58,976- Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.realm=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:59,508- Thread: 13 INFO [com.vontu.manager.security.IpCatcherValve] Unsuccessful login attempt for user (XXX) at IP address: ..

Additionally, AD reports Event ID 4768

Symantec Data Loss Prevention 

Customized AD environment with non-standard Kerberos settings

The default and common encryption settings that both Windows Kerberos and MIT Kerberos (Java implementation) supports are RC4-HMAC, DES-CBC-CRC and DES-CBC-MD5.
If the Windows Kerberos client (Enforce side) is needed to handle other than the default encryption type DES3-CBC-SHA1.

1. Ensure the AD admin provides the valid encryption settings that allow proper communication
2. Set the option "default_txx_enctype" in krb5.ini using a text editor
   • If modifying the KRB5.ini or KRB5.conf does not address the issue try checking the option "Do not require Kerberos preauthentication" on your Active Directory server
   • This file is case sensitive. The realms must all be in CAPS whereas kdc must be in lower case. If kdc is in upper case, kinit will fail
     • Example:

[libdefaults]
default_realm = MY.REALM.COM
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
[realms]
MY.REALM.COM = {
kdc = KDC1.MY.REALM.COM
kdc = KDC2.MY.REALM.COM
}