
DLP Enforce Console user account is frequently disabled when the Enforce Console is set up for Kerberos authentication


Article ID: 187555


Updated On:


Data Loss Prevention Enforce


In the Enforce console, when a user tries to log in, the attempt takes a long time and ends with a login error: invalid username and password. On the second login attempt, the user's account is found to be disabled; however, the account does not show as locked out in Active Directory.


Collect a netmon trace from the KDC (the Active Directory server configured in the KRB5 file in Enforce) while attempting to log in from the Enforce Console. The netmon trace shows many timed-out events for KRB requests. This happens when Active Directory fails to respond to the Kerberos authentication request and the request is retried, for any reason. DLP Enforce treats each attempt as a failed login attempt and, as configured in Enforce user management for consecutive failed logins, disables the user's account in Enforce, even though the account is not locked out in Active Directory.


DLP 15.x


Reconfigure the KRB5.ini file with a working Active Directory server as the KDC. Best practice is to list multiple KDCs in the KRB5.ini file to avoid this situation.
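
One way to check a KRB5.ini file for the single-KDC condition described above is the following script. It is an added example, not part of the original article or the product. It assumes the standard krb5 `[realms]` layout with `kdc = host[:port]` entries; the realm and host names in the sample are constructed placeholders.

```python
import re
import socket

# Constructed sample krb5.ini contents (realm and host names are placeholders).
SAMPLE_KRB5 = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
        kdc = dc02.example.com:88
    }
    LAB.EXAMPLE.COM = {
        kdc = labdc.example.com
    }
"""

def parse_kdcs(text):
    """Return {realm: [(host, port), ...]} from the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section == "realms":
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m:
                realm = m.group(1)
                realms[realm] = []
            elif line == "}":
                realm = None
            elif realm and re.match(r"^kdc\s*=", line):
                # host[:port]; bare IPv6 literals are not handled here
                host, _, port = line.split("=", 1)[1].strip().partition(":")
                realms[realm].append((host, int(port or 88)))
    return realms

def single_kdc_realms(realms):
    """Realms with fewer than two KDCs: one unresponsive DC means timeouts."""
    return sorted(r for r, kdcs in realms.items() if len(kdcs) < 2)

def kdc_reachable(host, port=88, timeout=3.0):
    """TCP connect test to the Kerberos port; False on timeout or refusal."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `parse_kdcs` on the contents of the Enforce server's KRB5.ini, then call `kdc_reachable` for each listed host from the Enforce server itself to confirm that every configured KDC answers on port 88.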