API login works with built-in Administrator account but not ANY AD accounts

Article ID: 373691

Products

Data Loss Prevention Core Package

Issue/Introduction

You are trying to set up an AD user account for the API, but it is failing to authenticate.

In the logs you see:

[com.symantec.dlp.incidentwebapi.incidentApiRestErrorHandler]  User does not have any of these privilege(s), having at least one is required: admin_user

Environment

DLP 16.0

Cause

The API only supports forms-based logins.

Resolution

To resolve this, switch to forms-based authentication, create the user, and make sure the username and password are both set, along with the appropriate roles/permissions.

After validating that the user works correctly under forms-based authentication, you can switch back to your original authentication method. Because the user has now been defined properly as a forms-based user, you can use that account for the API.

Instructions to Switch Authentication Types:
- Back up the current springSecurityContext.xml:
  - Linux: /opt/Symantec/DataLossPrevention/EnforceServer/[VERSION]/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
  - Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\[VERSION]\Protect\tomcat\webapps\ProtectManager\WEB-INF\springSecurityContext.xml

- Replace the current springSecurityContext.xml with the Form-specific springSecurityContext.xml. Note that the template file springSecurityContext-Form.xml must be renamed to springSecurityContext.xml:
  - Linux: /opt/Symantec/DataLossPrevention/EnforceServer/[VERSION]/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Form.xml
  - Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\[VERSION]\Protect\tomcat\webapps\ProtectManager\security\template\springSecurityContext-Form.xml

- Restart the SymantecDLPManagerService on Enforce.

- Log in to Enforce and create the required user.

- Test and make sure the user is able to authenticate.

- Reverse the change by replacing the springSecurityContext.xml file with the one you backed up.

- Restart the SymantecDLPManagerService on Enforce.

 

You should now be back to your original authentication method, with a working API service account.
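The backup, swap and restore steps above can be scripted for a Linux Enforce server so that the original file cannot be overwritten by a repeated run and the restore is checked byte for byte. This is an added example, not Broadcom's own script: the function names and the `.pre-form.bak` suffix are hypothetical, and the argument is the ProtectManager directory from the Linux paths above.

```shell
#!/usr/bin/env bash
# Added example (not vendor code). Argument to both functions: the ProtectManager
# webapp directory, i.e. .../EnforceServer/[VERSION]/Protect/tomcat/webapps/ProtectManager
# Service restarts are left to the operator, as in the article.

BACKUP_SUFFIX=".pre-form.bak"   # hypothetical name for the saved original

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Back up the live config, then install the Form template under the live name.
switch_to_form() {
    local app="$1"
    local live="$app/WEB-INF/springSecurityContext.xml"
    local tmpl="$app/security/template/springSecurityContext-Form.xml"
    local bak="$live$BACKUP_SUFFIX"
    [ -f "$live" ] && [ -f "$tmpl" ] || { echo "missing $live or $tmpl" >&2; return 1; }
    # A second run would save the Form file over the real original: refuse.
    if [ -e "$bak" ]; then
        echo "backup already exists: $bak" >&2
        return 2
    fi
    cp -p "$live" "$bak" || return 1
    [ "$(sha "$live")" = "$(sha "$bak")" ] || { echo "backup mismatch" >&2; return 1; }
    # Writing into the existing file keeps its owner and mode unchanged.
    cat "$tmpl" > "$live" || return 1
    echo "Form config installed; restart SymantecDLPManagerService, then create and test the user."
}

# Put the original back and confirm the live file matches the backup exactly.
restore_original() {
    local app="$1"
    local live="$app/WEB-INF/springSecurityContext.xml"
    local bak="$live$BACKUP_SUFFIX"
    [ -f "$bak" ] || { echo "no backup at $bak" >&2; return 1; }
    cat "$bak" > "$live" || return 1
    [ "$(sha "$live")" = "$(sha "$bak")" ] || { echo "restore mismatch" >&2; return 1; }
    # Rename the backup so a later switch_to_form is not blocked by it.
    mv "$bak" "$bak.restored.$(date +%Y%m%d%H%M%S)"
    echo "Original config restored; restart SymantecDLPManagerService."
}
```

Run `switch_to_form` before creating the user and `restore_original` after testing it, restarting the service after each as the steps describe.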