After upgrading to a new release, or after updating the OpenJRE version on the Enforce server as described in About updating JRE to the latest version, Kerberos Active Directory authentication as configured in SpringSecurityContext no longer functions. Even with valid credentials, the user cannot access the Enforce console using Active Directory authentication; Forms authentication is not affected.
In the Apache Tomcat localhost log, the following entry is written, where "EnforceUser" is the user who attempted to log in with Active Directory (Kerberos) authentication:
File: Enforce/logs/tomcat/localhost.<datestamp>.log
Date: 1/30/2024 9:49:51 AM
Thread: 162
Level: WARNING
Source: com.symantec.dlp.login.spring.SymantecKerberosAuthenticationProvider
Message: Kerberos authentication failed: user='EnforceUser':Kerberos authentication failed
At a higher logging level you may observe the following:
13 Jul 2025 20:05:06,019- Thread: 127 WARNING [com.symantec.dlp.login.spring.SymantecKerberosAuthenticationProvider] Kerberos authentication failed: user='<AD user>'
Cause:
org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
<java stack redacted for readability>
Caused by: javax.security.auth.login.LoginException: no supported default etypes for default_tkt_enctypes
Data Loss Prevention uses JRE 8. Starting with 8u351, the 3DES and RC4 Kerberos encryption types are disabled by default (the JRE only honours them when allow_weak_crypto = true is set in the krb5 configuration). When default_tkt_enctypes or default_tgs_enctypes lists only those types, the JRE is left with no usable encryption type, which produces the "no supported default etypes" LoginException shown above.
In any environment whose krb5.ini (Windows) or krb5.conf (Linux) still relies on the weak, now-disabled 3DES and RC4 ciphers, a new configuration file must be obtained from the Active Directory team that controls authentication to the domain.
Once a new krb5.conf or krb5.ini has been obtained, it replaces the file Data Loss Prevention currently uses. The location of that file is recorded in springSecurityContext.xml, found in the Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\webapps\ProtectManager\WEB-INF folder: the value of krbConfLocation is the path of the krb5.conf or krb5.ini file to replace.
Once the updated krb5.ini or krb5.conf file is in place, restart the DLP Manager Server service and attempt the Active Directory login again.
Java 8u351 release notes
The following settings in the krb5.ini / krb5.conf file were tested with DLP 16.1 and users were able to log in. The AES entries are what allow login to succeed on JRE 8u351 and later; the arcfour and DES entries are skipped by the JRE unless allow_weak_crypto = true is set, and can be removed once the domain no longer issues tickets with those types. krb5 accepts either commas or whitespace between entries, so the mixed separators below are harmless.
default_tgs_enctypes = aes256-cts, aes128-cts arcfour-hmac-md5, des-cbc-md5, des-cbc-crc
default_tkt_enctypes = aes256-cts, aes128-cts arcfour-hmac-md5, des-cbc-md5, des-cbc-crc
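The following script is an added example, not part of this article or of the DLP product, for checking a krb5.ini / krb5.conf before restarting the service. It parses the [libdefaults] section, applies the same filtering a JRE 8u351+ applies to default_tkt_enctypes and default_tgs_enctypes (AES kept; RC4, 3DES and single DES kept only with allow_weak_crypto = true; unknown spellings skipped), and reports whether the "no supported default etypes" failure is to be expected. It also pulls krbConfLocation out of a springSecurityContext.xml bean. The sample configurations, the realm EXAMPLE.COM, the Windows path and the bean layout are all constructed for the example; the enctype spellings are the ones commonly used in krb5 configs.

```python
import re

# Enctype spellings as written in krb5.ini / krb5.conf. AES-SHA1 types are accepted by every
# JRE 8 update; RC4 and 3DES were disabled by default in 8u351; single DES has needed
# allow_weak_crypto = true for much longer.
AES_ENCTYPES = {
    "aes256-cts", "aes256-cts-hmac-sha1-96", "aes256-sha1",
    "aes128-cts", "aes128-cts-hmac-sha1-96", "aes128-sha1",
}
DISABLED_IN_8U351 = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                     "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"}
WEAK_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
CHECKED_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")


def parse_libdefaults(text):
    """Minimal krb5 config parser: returns {key: value} for the [libdefaults] section only."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop krb5 comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def usable_enctypes(settings, key):
    """Enctypes listed under `key` that a JRE 8u351+ keeps. Mirrors the filtering the JRE
    performs before raising 'no supported default etypes for <key>'."""
    allow_weak = settings.get("allow_weak_crypto", "false").lower() == "true"
    kept = []
    for name in re.split(r"[\s,]+", settings.get(key, "").strip()):  # commas or whitespace
        if not name:
            continue
        name = name.lower()
        if name in AES_ENCTYPES:
            kept.append(name)
        elif name in DISABLED_IN_8U351 or name in WEAK_DES:
            if allow_weak:  # honoured only when allow_weak_crypto = true
                kept.append(name)
        # any other spelling is not recognised by the JRE and is skipped
    return kept


def diagnose(conf_text):
    """Map each checked key to its usable enctypes, or None when the key is absent
    (an absent key falls back to the JRE's built-in defaults, which include AES)."""
    settings = parse_libdefaults(conf_text)
    return {key: (usable_enctypes(settings, key) if key in settings else None)
            for key in CHECKED_KEYS}


def login_will_fail(conf_text):
    """True when a listed key keeps no usable enctype: the LoginException case."""
    return any(kept == [] for kept in diagnose(conf_text).values())


def krb_conf_location(spring_xml):
    """Extract krbConfLocation from springSecurityContext.xml. Both Spring property
    spellings are tried; the bean layout is assumed, not taken from the article."""
    for pattern in (r'name="krbConfLocation"\s+value="([^"]+)"',
                    r'name="krbConfLocation"\s*>\s*<value>([^<]+)</value>'):
        match = re.search(pattern, spring_xml)
        if match:
            return match.group(1)
    return None


# Constructed sample inputs (not captured from a real Enforce server).
LEGACY_CONF = """[libdefaults]
 default_realm = EXAMPLE.COM
 default_tkt_enctypes = rc4-hmac des3-cbc-sha1
 default_tgs_enctypes = rc4-hmac des3-cbc-sha1
"""
TESTED_CONF = """[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = aes256-cts, aes128-cts arcfour-hmac-md5, des-cbc-md5, des-cbc-crc
 default_tkt_enctypes = aes256-cts, aes128-cts arcfour-hmac-md5, des-cbc-md5, des-cbc-crc
"""
SAMPLE_SPRING_XML = r"""<bean id="exampleProvider">
  <property name="krbConfLocation" value="C:\SymantecDLP\Protect\config\krb5.ini"/>
</bean>"""

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("tested", TESTED_CONF)):
        print(label, diagnose(conf), "-> login fails:", login_will_fail(conf))
    print("krb5 config in use:", krb_conf_location(SAMPLE_SPRING_XML))
```

Run it against the file named by krbConfLocation before restarting the DLP Manager Server service: a config that reports an empty list for either key will reproduce the LoginException, while the tested settings above reduce to the two AES types.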