DLP Enforce Console user account frequently disabled, when Enforce Console set up for Kerberos authentication



Article ID: 187555


Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

When a user tries to log in to the Enforce Console, the attempt takes a long time and then fails with the error "login error, invalid username and password". On a second login attempt the user's account is found to be disabled in Enforce; however, the account is not shown as locked out in Active Directory.

Environment

DLP 15.x

Cause

Collect a Netmon trace from the KDC (the Active Directory server configured as KDC in the KRB5 file on Enforce) while attempting a login from the Enforce Console. The trace shows many timed-out events for the Kerberos (KRB) request. This happens when Active Directory fails to respond to the Kerberos authentication request and its retries for any reason. DLP Enforce treats each attempt as a failed login, and, as configured in Enforce user management (passwordenforcement.properties), consecutive failed logins cause Enforce to disable the account, even though the account is not locked out in Active Directory.

Resolution

Reconfigure the KRB5.ini file with a working Active Directory server as the KDC. Best practice is to list multiple KDCs in the KRB5.ini file so that login does not depend on a single domain controller responding.
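As an added check, not code from the article or from the DLP product, the following Python reads the `[realms]` section of a krb5.ini/krb5.conf and flags realms that list only a single KDC; the two sample fragments, the realm name and the KDC hostnames are constructed placeholders.

```python
import re

# Constructed sample krb5.ini fragments; realm and KDC hostnames are
# placeholders, not values from the article.
SINGLE_KDC_INI = """
[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
        admin_server = dc1.example.local
    }
"""

MULTI_KDC_INI = """
[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
        kdc = dc2.example.local
        admin_server = dc1.example.local
    }
"""

def parse_realm_kdcs(ini_text: str) -> dict[str, list[str]]:
    """Return {realm: [kdc, ...]} from the [realms] section of krb5.ini/krb5.conf.
    Hand-rolled because configparser cannot handle the nested `REALM = { ... }`
    blocks or the repeated `kdc =` keys of the Kerberos config format."""
    realms: dict[str, list[str]] = {}
    in_realms, current = False, None
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):                  # section header
            in_realms, current = line.lower() == "[realms]", None
            continue
        if not in_realms:
            continue
        block = re.match(r"^(\S+)\s*=\s*\{$", line)
        if block:                                 # "REALM = {"
            current = block.group(1)
            realms.setdefault(current, [])
        elif line == "}":
            current = None
        elif current is not None:
            key, _, value = line.partition("=")
            if key.strip().lower() == "kdc" and value.strip():
                realms[current].append(value.strip())
    return realms

def realms_without_failover(ini_text: str, minimum: int = 2) -> list[str]:
    """Realms listing fewer than `minimum` KDCs: one unresponsive DC then turns every login into a timeout."""
    return [r for r, kdcs in parse_realm_kdcs(ini_text).items() if len(kdcs) < minimum]
```

Running `realms_without_failover` over the Enforce server's krb5.ini returns the realms that still have a single KDC and therefore the exposure described in this article.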