
DLP Enforce Console user account frequently getting disabled when the Enforce Console is set up for Kerberos authentication


Article ID: 187555


Products

Data Loss Prevention Enforce

Issue/Introduction

When a user tries to log in to the Enforce Console, the login takes a long time and then fails with an invalid username or password error. On the second login attempt it is found that the user's Enforce account has been disabled, although the account is not shown as locked out in Active Directory.

Cause

Collect a Netmon (Microsoft Network Monitor) trace on the KDC (the Active Directory domain controller configured in the krb5.ini file on the Enforce server) while attempting to log in from the Enforce Console. The trace shows many timed-out Kerberos (KRB) requests. When Active Directory fails to respond to a Kerberos authentication request for any reason and the request is retried, DLP Enforce treats each retried attempt as a failed login. The consecutive-failure limit configured in Enforce user management (set in passwordenforcement.properties) is then reached, and Enforce disables the account even though it is not locked out in Active Directory.

Environment

DLP 15.x

Resolution

Reconfigure the krb5.ini file with a working Active Directory domain controller as the KDC. Best practice is to list multiple KDCs in krb5.ini so that a single unresponsive domain controller does not cause this situation.
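The following krb5.ini is an added illustration and is not taken from this article or from the DLP product documentation; the realm name CORP.EXAMPLE.COM and the domain controller host names dc01, dc02 and dc03 are placeholders to be replaced with your own values. It shows the multiple-KDC layout the resolution recommends: each kdc line in the realm block names one domain controller, and the Kerberos client tries them in order, so an unresponsive controller is skipped instead of producing the repeated timeouts that Enforce counts as failed logins.

```ini
; krb5.ini on the Enforce server (added example; host names and realm are placeholders)

[libdefaults]
    ; Realm used when a principal name is given without one
    default_realm = CORP.EXAMPLE.COM

[realms]
    CORP.EXAMPLE.COM = {
        ; List several domain controllers: the first reachable KDC answers
        ; the request, so one timed-out controller does not fail the login.
        kdc = dc01.corp.example.com
        kdc = dc02.corp.example.com
        kdc = dc03.corp.example.com
        admin_server = dc01.corp.example.com
    }

[domain_realm]
    ; Map DNS names of the domain to the Kerberos realm
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
```

Before relying on an entry, confirm from the Enforce server that each listed domain controller is reachable on the Kerberos port (TCP and UDP 88); a KDC that is listed but unreachable only adds another timeout to the login path.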