API users are frequently locked out on enforce server.

Article ID: 275349

Updated On:

Products

Data Loss Prevention Enterprise Suite, Data Loss Prevention Enforce

Issue/Introduction

The API user is frequently locked out on the Enforce server.

Environment

Release: 15.8, 16.0, 16.0.1

Cause

The API user attempts form-based authentication first, and this fails because the user is an AD user; ideally, Kerberos authentication should be performed.

When the form-based attempt fails, it locks the protectUser table, and the Kerberos authentication running in another thread can be locked out.

Resolution

The following workaround can be used. Note: This will disable form-based authentication for web services.

  1. Back up and then edit the springSecurityContext.xml file:
    Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
  2. Locate the following lines:

    <!-- Web service authentication manager -->
    <security:authentication-manager id="basicAuthManager">
        <!-- Enable user name and password authentication through Enforce DB -->
        <security:authentication-provider ref="formAuthenticationProvider" />

        <!-- Enable AD/Kerberos authentication -->
        <security:authentication-provider ref="kerberosAuthenticationProvider" />
    </security:authentication-manager>

  3. Comment out the line that has formAuthenticationProvider on it. The new configuration will look like this (the only changed line is the one that references formAuthenticationProvider):

    <!-- Web service authentication manager -->
    <security:authentication-manager id="basicAuthManager">
        <!-- Enable user name and password authentication through Enforce DB -->
        <!-- security:authentication-provider ref="formAuthenticationProvider" / -->

        <!-- Enable AD/Kerberos authentication -->
        <security:authentication-provider ref="kerberosAuthenticationProvider" />
    </security:authentication-manager>

  4. Restart the manager service.
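
To confirm the edit took effect, the following added example (not part of the original article or the product) parses the file and lists the providers still active in basicAuthManager. It assumes the `security:` prefix is bound to the standard Spring Security schema namespace; the function names and the wrapper around the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: "security:" is bound to the standard Spring Security namespace.
SEC = "{http://www.springframework.org/schema/security}"

def active_providers(xml_data, manager_id="basicAuthManager"):
    """Return the provider refs still active in the named authentication manager.

    The parser discards XML comments, so a commented-out provider
    does not appear in the result.
    """
    root = ET.fromstring(xml_data)
    for mgr in root.iter(SEC + "authentication-manager"):
        if mgr.get("id") == manager_id:
            return [p.get("ref") for p in mgr.findall(SEC + "authentication-provider")]
    raise LookupError(f"authentication-manager {manager_id!r} not found")

def workaround_applied(xml_data):
    """True when basicAuthManager is left with only the Kerberos provider."""
    return active_providers(xml_data) == ["kerberosAuthenticationProvider"]

# Constructed sample: the article's fragment inside a minimal root element that
# declares the namespace (the real file contains more than this).
WRAPPER = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
<!-- Web service authentication manager -->
<security:authentication-manager id="basicAuthManager">
  {form}
  <security:authentication-provider ref="kerberosAuthenticationProvider" />
</security:authentication-manager>
</beans>"""
BEFORE = WRAPPER.format(
    form='<security:authentication-provider ref="formAuthenticationProvider" />')
AFTER = WRAPPER.format(
    form='<!-- security:authentication-provider ref="formAuthenticationProvider" / -->')

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to springSecurityContext.xml
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print(active_providers(data))
        sys.exit(0 if workaround_applied(data) else 1)
    print("before:", active_providers(BEFORE))
    print("after: ", active_providers(AFTER))
```

Run with the path to springSecurityContext.xml as the only argument; the exit status is 0 when only kerberosAuthenticationProvider remains in basicAuthManager.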