Trouble installing the Domain Controller Agent

Article ID: 163871

Products

Data Loss Prevention Enforce

Issue/Introduction

I am having trouble installing the Domain Controller Agent (DC Agent).

[0x00001b70] WARN  DCAgentConfig - Unable to get int configuration property: Enforce.HTTP_SESSION_TIMEOUT  Set default: 0 [DCAgentConfig.cpp(122)]
[0x00001b70] WARN  DCAgentConfig - Unable to get int configuration property: Enforce.HTTP_CONNECT_TIMEOUT  Set default: 300 [DCAgentConfig.cpp(122)]
[0x00001e54] ERROR EnforceResponseParser - Enforce returns empty JSON [EnforceResponseParser.cpp(59)]
[0x00001cc8] ERROR EnforceHttpsClient - GET QUERY TIME:::  Failed to complete Enforce HTTPS request. CURL code: 7. Error: Couldn't connect to server [EnforceHttpsClient.cpp(241)]
[0x0000105c] WARN  DCAgentConfig - Unable to get string configuration property: DomainController.EVENT_CONSUMER  Set default: Enforce [DCAgentConfig.cpp(105)]

Resolution

Troubleshooting Tips for Domain Controller Agent (DC Agent) installation

  1. The DC Agent must be installed on a Windows Server 2008 server or higher. It is recommended that the server be dedicated to this function.

  2. DLP 14.0.x is able to connect to only one domain controller.

  3. DLP 14.5.x is able to connect to multiple domain controllers.

  4. The DC Agent server must be a member of the domain and able to communicate with the Domain Controller host server(s) and the Enforce host server.

  5. The user account for the DC Agent should be an AD member (if your DLP system is utilizing AD authentication). This account should be able to authenticate to the Domain Controller host server(s) and the Enforce server.

  6. There should be a separate, dedicated, Enforce role and user account for the DC Agent.

  7. If using an SSL certificate to authenticate with Enforce, provide the path to the Enforce SSL certificate and the CA root of that certificate during the installation. It is possible to export a copy of the certificate and CA root certificate and save them to a location on the DC Agent server.

  8. During the setup, the authentication for the Enforce server should be entered as username:realm (as entered in the krb5.ini or krb5.conf file). This is the AD username and the realm, separated by a colon (:).

Environments with Multiple Domain Controllers:

  1. To add a unique username and password for each domain controller, add generic credentials to the Windows Credential Manager.

    • Log on to the DC Agent server, using the DC Agent service username/password (username/password used during the install for the domain controller)

      1. Open Control Panel

      2. Select User Accounts

      3. Select Credential Manager

      4. On the Credential Manager page, you will see the name of the Enforce server in the Generic Credentials section. If you do not, then you are likely not logged in with the correct service username.

      5. Select Add a generic credential

      6. For the internet or network address, enter the same FQDN you configured in the DCAgentConfig.properties file, then enter username:realm (as mentioned in Step 8 above) and the password.

      7. Repeat step 5 for each domain controller configured.

        Note: The domain controller credentials entered during installation are not in the Generic Credentials section. These credentials are not included in the Credential Manager because the service username and password are used if Generic Credentials are not configured for the domain controller. This means that if you add multiple domain controllers but do not add any credentials, the service username and password will be used for all configured domain controllers.

  2. During installation of the DC Agent, only one domain controller can be entered. After installation, edit the DCAgentConfig.properties file to add the remaining domain controllers. An example is shown below:

    # Hostname or IP of the Domain Controller(s) to work with.
    # Multiple hostname needs to be separated by a ;.
    # Example:
    # DC_HOSTNAME=MACHINE1;MACHINE2;MACHINE3
    DC_HOSTNAME=lm-r2-ad;lm-r2-ad-2;lm-r2-ad-3

     

  3. It is possible to adjust the login timeout for each domain controller individually by editing the DCAgentConfig.properties file. The example below shows different login timeouts for each domain controller/user.

    # Login timeouts are matched to the DC_HOSTNAME property list by order. Any Domain Controllers
    # with unspecified login timeouts will be assigned the default value of 90 minutes.
    # Example:
    #  DC_LOGIN_TIMEOUT=110;105;100

    DC_LOGIN_TIMEOUT=90;60;110
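
Because timeouts are matched to hostnames only by position, a miscounted list silently gives a domain controller the wrong timeout. The following PowerShell check is an added example, not vendor code: it pairs the two properties by order and reports which hosts fall back to the 90-minute default. The function name `Resolve-DcLoginTimeout` and the sample lines are constructed for illustration, and treating an empty slot as "unspecified" is an assumption.

```powershell
# Added example, not vendor code. Resolve-DcLoginTimeout is a hypothetical helper name.
function Resolve-DcLoginTimeout {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Lines,
        [int]$DefaultMinutes = 90   # default stated in the DC_LOGIN_TIMEOUT comment
    )
    # Collect KEY=VALUE pairs, skipping blank lines and # comments.
    $props = @{}
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        $eq = $text.IndexOf('=')
        if ($eq -lt 1) { continue }
        $props[$text.Substring(0, $eq).Trim()] = $text.Substring($eq + 1).Trim()
    }
    if (-not $props.ContainsKey('DC_HOSTNAME')) { throw 'DC_HOSTNAME is not set.' }

    $dcNames  = @($props['DC_HOSTNAME'] -split ';' | ForEach-Object { $_.Trim() })
    $timeouts = @()
    if ($props.ContainsKey('DC_LOGIN_TIMEOUT')) {
        $timeouts = @($props['DC_LOGIN_TIMEOUT'] -split ';' | ForEach-Object { $_.Trim() })
    }
    if ($timeouts.Count -gt $dcNames.Count) {
        Write-Warning "$($timeouts.Count) timeouts listed for $($dcNames.Count) domain controllers."
    }
    for ($i = 0; $i -lt $dcNames.Count; $i++) {
        if ($dcNames[$i] -eq '') { Write-Warning "Empty hostname at position $($i + 1)."; continue }
        $minutes = $DefaultMinutes
        $source  = 'default'
        # Assumption: an empty slot (e.g. 90;;110) counts as unspecified.
        if ($i -lt $timeouts.Count -and $timeouts[$i] -ne '') {
            $parsed = 0
            if ([int]::TryParse($timeouts[$i], [ref]$parsed)) {
                $minutes = $parsed; $source = 'configured'
            } else {
                Write-Warning "Timeout '$($timeouts[$i])' for $($dcNames[$i]) is not an integer."
                $minutes = $null; $source = 'invalid'
            }
        }
        New-Object PSObject -Property @{
            Position = $i + 1; DomainController = $dcNames[$i]; TimeoutMinutes = $minutes; Source = $source
        }
    }
}
# Constructed sample: three domain controllers, only two timeouts.
$sample = @(
    'DC_HOSTNAME=lm-r2-ad;lm-r2-ad-2;lm-r2-ad-3',
    'DC_LOGIN_TIMEOUT=90;60'
)
Resolve-DcLoginTimeout -Lines $sample | Format-Table Position, DomainController, TimeoutMinutes, Source -AutoSize
```

To check a real configuration, pass the output of `Get-Content` on your DCAgentConfig.properties file as `-Lines` instead of the sample.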