How to Configure AD User login Authentication in Enforce for Data Loss Prevention 14.x

Article ID: 171934

Products

Data Loss Prevention Enforce

Issue/Introduction

This article walks through the process of setting up user authentication with Active Directory (AD) in Symantec Data Loss Prevention (DLP) 14.x. If you need to complete this task in Symantec DLP 15.x, see How to Configure AD User login Authentication in Enforce for Data Loss Prevention 15.x and above.

Resolution

DLP 14.x

  1. Verify that the Enforce Server host is time-synchronized with the Active Directory server.
  2. (Linux only) Make sure that the following Red Hat RPMs are installed on the Enforce Server host:
     - krb5-workstation
     - krb5-libs
     - pam_krb5
  3. Edit the krb5.ini (or krb5.conf for Linux) configuration file located in SymantecDLP\Protect\config. (This file gives the Enforce Server information about your Active Directory domain structure and Active Directory server addresses. The [libdefaults] section identifies the default domain. The [realms] section defines an Active Directory server for each domain.)
  4. Add the Active Directory domain information and server information.
  5. Save and close the krb5.ini (krb5.conf on Linux).
  6. Remove any unused kdc entries from the configuration file.
  7. Open the DLP Dashboard and navigate to System > Settings > Directory Connections.
  8. Add the Directory Connection according to the settings in the krb5 file.

Verifying the Active Directory connection

kinit is a command-line tool you can use to confirm that the Active Directory server responds to requests. It also verifies that the Enforce Server has access to the Active Directory server.

For Microsoft Windows installations, the utility is installed by the Symantec Data Loss Prevention installer in the SymantecDLP\jre\bin directory.

For Linux installations, the utility is part of the Red Hat Enterprise Linux distribution, and is in the following location: /usr/kerberos/bin/kinit. You can also download Java SE 6 and locate the kinit tool in \java_home\jdk1.6.0\bin

If you run the Enforce Server on Linux, use the kinit utility to test access from the Enforce Server to the Active Directory server. Be sure you have renamed the krb5.ini file as krb5.conf. The kinit utility requires the file to be named krb5.conf on Linux.

To test the connection to the Active Directory server

  1. On the Enforce Server host, go to the terminal/cmd and navigate to the directory where kinit is located.
  2. Issue a kinit command using a known user name and password as parameters. (Note that the password is visible in clear text when you type it on the command line.) For example, issue the following:

    kinit kchatterjee mypwd10#

    The first time you contact Active Directory you may receive an error that it cannot find the krb5.ini or krb5.conf file in the expected location. On Windows, the error looks similar to the following: krb_error 0 Could not load configuration file c:\winnt\krb5.ini (The system cannot find the file specified) No error. In this case, copy the krb5.ini or krb5.conf file to the expected location and then rerun the kinit command shown above.

Configuring the Enforce Server for Active Directory authentication

Perform the procedure in this section when you first set up Active Directory authentication, and any time you want to modify existing Active Directory settings. Make sure that you have completed the prerequisite steps before you enable Active Directory authentication.

To configure the Enforce Server to use Active Directory for authentication:

  1. Make sure all users other than the Administrator are logged out of the system.
  2. In the Enforce Server administration console, go to System > Settings > General and click Configure (at top left).
  3. At the Edit General Settings screen that appears, locate the Active Directory Authentication section near the bottom and select (check) Perform Active Directory Authentication. The system then displays several fields to fill out.
  4. In the Default Active Directory Domain field, enter the name of the default domain on your Active Directory system. This field is required. All Windows domain names must be uppercase (for example, TEST.LAB). If your setup includes a krb5.ini or krb5.conf file, the default Active Directory domain is the same as the value for default_realm in the krb5.ini or krb5.conf file.
  5. In the Default Active Directory KDC field, type the IP address (or the hostname) of the Active Directory server. The KDC (Key Distribution Center) is an Active Directory service that runs on port 88 by default. If the KDC is running on a different port, specify the port using the following format: ipaddress_or_hostname:port_number. For example, if AD is running on the host Adserver.company.com and the KDC listens on port 53, type Adserver.company.com:53.
  6. If you created a krb5.ini or krb5.conf file, enter the absolute path to the file in the krb5.ini File Path field. This file is required if your environment includes more than one domain, and recommended even if it does not. For example, type C:\winnt\krb5.ini (on Windows) or /opt/Vontu/Protect/config/krb5.conf (on Linux).
  7. If your environment has more than one Active Directory domain, enter the domain names (separated by commas) in the Active Directory Domain List field. The system displays them in a drop-down list on the user logon page. Users then select the appropriate domain at logon. Do not list the default domain, as it already appears in the drop-down list by default.
  8. Click Save.
  9. Go to the operating system services tool and restart the Symantec Data Loss Prevention Manager service.
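The values entered in steps 4 through 7 must agree with the krb5.ini described in step 3 of the DLP 14.x procedure above. The following added example (not Symantec code; the file contents, realm names and host names are constructed for illustration) parses such a file and derives the form values, rejecting a file whose realm names are not uppercase or whose default_realm has no matching [realms] block.

```python
import re

# Constructed sample krb5.ini for this walkthrough (not from any real deployment):
# a default realm plus one extra domain that will appear in the logon drop-down.
SAMPLE_KRB5_INI = """
[libdefaults]
default_realm = CORP.EXAMPLE
[realms]
CORP.EXAMPLE = {
    kdc = dc01.corp.example
}
EMEA.EXAMPLE = {
    kdc = dc-emea.emea.example:88
}
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}); other stanzas and keys are ignored."""
    default_realm, realms, section, realm = "", {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "libdefaults" and line.split("=")[0].strip() == "default_realm":
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms":
            m = re.match(r"^(\S+)\s*=\s*\{$", line)      # start of a "REALM = {" block
            if m:
                realms.setdefault(realm := m.group(1), [])
            elif line == "}":
                realm = None
            elif realm and line.split("=")[0].strip() == "kdc":
                realms[realm].append(line.split("=", 1)[1].strip())
    return default_realm, realms

def enforce_settings(default_realm, realms):
    """Derive the Edit General Settings values, or raise if the file breaks the rules above."""
    problems = [f"{r} is not uppercase" for r in {default_realm, *realms} if r != r.upper()]
    if default_realm not in realms:
        problems.append(f"default_realm {default_realm!r} has no [realms] block")
    problems += [f"{r} has no kdc line" for r, kdcs in realms.items() if not kdcs]
    if problems:
        raise ValueError("; ".join(problems))
    host, _, port = realms[default_realm][0].partition(":")
    return {
        "Default Active Directory Domain": default_realm,
        # port 88 is the KDC default, so only a non-default port is spelled out
        "Default Active Directory KDC": host if port in ("", "88") else f"{host}:{port}",
        "Active Directory Domain List": ",".join(r for r in realms if r != default_realm),
    }
```

The default domain is deliberately left out of the Domain List value, since the logon drop-down already shows it.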