Issue 1: When trying to login to the Enforce Console, the user login fails.

Issue 2: Unable to get to the login screen to login to the Enforce Console. This is typically seen as a 404 error where the page constantly refreshes.

Any

There are many potential causes for both of these issues, here we will provide you with the steps to identify exactly what the issue is, and a few of the common causes.

Issue 1: When trying to login to the Enforce Console, the user login fails.

- Attempt to login to the console
- When it fails, note the Date/Time and the user that you were attempting to login as.
- Now pull up the "localhost.<date>.log" for that day.
Path to "localhost.<date>.log": C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\logs\tomcat
Filename: localhost.2022-02-02.log

In this example I used the user account "jane.doe", and attempted to login at 19:15 Server Time.

02 Feb 2022 19:15:45,399- Thread: 117 SEVERE [com.symantec.dlp.login.spring.EnforceAuthenticationServiceBase] Authentication failed, could not find a user with the name: jane.doe
02 Feb 2022 19:15:45,399- Thread: 117 WARNING [com.symantec.dlp.login.spring.SymantecKerberosAuthenticationProvider] Kerberos authentication failed: user=jane.doe:ACME.INTERNAL
02 Feb 2022 19:15:45,427- Thread: 117 INFO [com.symantec.dlp.login.spring.SymantecLoginAuditLogger] Unsuccessful login attempt for user jane.doe at IP address: fe80:0:0:0:5d0f:83a1:857e:ef7f%2

If you search the logs for the username, and verify the timestamp, this should take you straight to the problem login.
Here we can see "Authentication failed", followed with the reason it failed "could not find user with the name: jane.doe"

There are many reasons that this might fail, the most common would be a bad password, or an account is locked out etc... in any case this should always provide you with additional data about what went wrong with the login attempt.

Another possible reason for the failed authentication is related to the IP addresses in the krb5.ini (or krb5.conf) file.  If the domain controllers (DCs) have been decommissioned and new DCs with new IP addresses replaced them, it is possible the information has not been changed in the krb5.ini file.  This will cause authentication to fail.

23 Oct 2023 08:52:35,390- Thread: 115 WARNING [com.symantec.dlp.login.spring.SymantecKerberosAuthenticationProvider] Kerberos authentication failed: user='[email protected]':Kerberos authentication failed
23 Oct 2023 08:52:35,436- Thread: 115 WARNING [com.symantec.dlp.login.spring.SymantecKerberosAuthenticationProvider] Kerberos authentication failed: user=jane.doe:DOMAIN.COM
23 Oct 2023 08:52:35,484- Thread: 115 INFO [com.symantec.dlp.login.spring.SymantecLoginAuditLogger] Unsuccessful login attempt for user jane.doe at IP address: (IP address of old Domain Controller)

Issue 2: Unable to get to the login screen to login to the Enforce Console where the page constantly refreshes.

This is typically seen as a 404 Error: "https://localhost/ProtectManager/GlobalDialog?type=NOT_FOUND" 

- Stop all of the DLP Services
- Start the Notifier Service
- Start the Manager Service
- These are the only two services that are required in order to login to the console, for now leave the IncidentPersister and the DetectionServerController Server services off. They aren't necessary and it will prevent them from cluttering up the logs.
- Now pull up the "localhost.<date>.log" for that day.
Path to "localhost.<date>.log": C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\logs\tomcat
Filename: localhost.2022-02-02.log
- Scroll all the way to the bottom of the log to get to the most recent messages.
- Slowly scroll back up until you find the last error that was seen. Continue scrolling up to the top of that error message (note that error text is indented in, so it should be easy to spot).

In my example I show the following error message...

02 Feb 2022 19:52:47,675- Thread: 17 WARNING [com.vontu.util.jdbc.JDBCTestConnection] Cannot connect to database
Cause:
java.sql.SQLRecoverableException: Listener refused the connection with the following error:
ORA-12514, TNS:listener does not currently know of service requested in connect descriptor
 java.sql.SQLRecoverableException: Listener refused the connection with the following error:
ORA-12514, TNS:listener does not currently know of service requested in connect descriptor

In this case, we can see that I cannot connect to my database, continuing down the error message, we see that the listener can't identify the connect descriptor. In this case I had modified my jdbc.properties file to change the connection string and I changed the connect descriptor from "protect" to "protect2" which doesn't exist. So when DLP attempts to reach out to the database, it can't identify the correct database to connect to and the connection is refused.

The most common issue for not being able to login is a failure to connect to the database. In any case the error message here would point you to the correct location. 

Common causes:
- Tablespace is full (https://knowledge.broadcom.com/external/article?legacyId=tech255126)
- jdbc.properties connection string is invalid (https://knowledge.broadcom.com/external/article?articleId=192817)
- TNS Listener is not running or does not exist on the Database (https://knowledge.broadcom.com/external/article/205005)

If you are unable to identify the root cause with either of these issues, please create a case with support and provide them with your full set of Enforce logs and the error message you identified so they can help review the information. Including the username and/or the approximate date/time of the issues is very useful for helping us narrow down what is going on in the logs.