DLP Enforce : Applications or scripts utilizing the Data Loss Prevention (DLP) REST API fail to authenticate, often resulting in a "401 Unauthorized" error.

Article ID: 435102

Products

- Data Loss Prevention Core Package
- Data Loss Prevention
- Data Loss Prevention Enforce
- Data Loss Prevention Enterprise Suite

Issue/Introduction

Applications or scripts utilizing the Symantec Data Loss Prevention (DLP) REST API fail to authenticate, often resulting in a **401 Unauthorized** error.

This occurs because the service account used for the integration has become locked within the Enforce console.

- API calls return HTTP status code 401.
- In the Enforce console, the service account status appears as "Locked."
- Entries in the `localhost` log or `SymantecDLPManager.log` may record failed login attempts or user lockout events.
- High-frequency API calls may conflict with system tasks like Active Directory (AD) user synchronization, leading to `OptimisticLockException` errors.

Environment

DLP 16.x and higher

Cause

  1. Failed Login Threshold: The account exceeded the maximum number of failed login attempts (default is 6).
  2. Lockout Timer: Once locked, the account remains unusable for a set duration (default is 60 minutes).
  3. Authentication Method Mismatch: The API primarily supports Forms-based authentication. Using an AD-integrated account that hasn't been properly initialized for the API can trigger authentication failures.
  4. Concurrency Issues: Frequent API calls (e.g., once per minute) can conflict with background database transactions, such as AD imports.

Resolution

1. Manually Unlock the Account

An administrator must log into the Enforce console to restore the account:

  1. Navigate to System > Administrators > Users.
  2. Locate the locked service account.
  3. Edit the user and clear the Locked checkbox (if manual unlocking is permitted) or wait for the lockout expiration.

2. Adjust Lockout Settings

To modify how long an account remains locked or the number of permitted failed attempts:

  1. On the Enforce Server, locate `passwordenforcement.properties` in the `Protect\config` directory.
  2. Modify the following parameters:
    • `com.vontu.manager.password.attempts=6` (number of failed attempts before lockout)
    • `com.vontu.manager.password.administrator.lockout.expiration=60` (duration of the lockout in minutes)
  3. Restart the SymantecDLPManager service to apply the changes.
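As an added example (not Symantec's code and not part of this article), the following Python client-side guard covers both the causes listed above and the two settings in step 2: it reads the lockout parameters from a constructed `passwordenforcement.properties`-style text, stops one failure short of the threshold so the integration can never lock its own service account, waits out the lockout period before touching the API again, and spaces polling calls so a misbehaving script does not collide with background jobs such as AD synchronization. The API path, the 15-minute polling interval, the clock and the stub transport are assumptions.

```python
"""Client-side lockout guard for a DLP Enforce REST API integration.

Added example, not Symantec's code. The API path and the transport are
stand-ins; the threshold (6 attempts) and lockout duration (60 minutes)
are the defaults the article names, read from properties-style text.
"""
from dataclasses import dataclass

ATTEMPTS_KEY = "com.vontu.manager.password.attempts"
LOCKOUT_KEY = "com.vontu.manager.password.administrator.lockout.expiration"
DEFAULT_ATTEMPTS = 6
DEFAULT_LOCKOUT_MINUTES = 60
API_PATH = "/<dlp-rest-api-path-placeholder>"   # placeholder, not a real endpoint


def load_lockout_settings(properties_text):
    """Read the two lockout parameters from Java-properties-style text.

    Lines starting with '#' or '!' are comments; unknown keys are ignored;
    missing keys fall back to the defaults named in the article.
    """
    values = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    attempts = int(values.get(ATTEMPTS_KEY, DEFAULT_ATTEMPTS))
    minutes = int(values.get(LOCKOUT_KEY, DEFAULT_LOCKOUT_MINUTES))
    return attempts, minutes


@dataclass
class LockoutGuard:
    """Stops the integration one attempt short of locking its own account
    and spaces calls out so they do not collide with background jobs."""
    max_attempts: int = DEFAULT_ATTEMPTS
    lockout_minutes: int = DEFAULT_LOCKOUT_MINUTES
    min_interval_s: float = 900.0   # assumption: poll at most every 15 minutes
    consecutive_401: int = 0
    blocked_until: float = 0.0
    last_call: float = 0.0

    def allow_call(self, now):
        """True if a request may be sent at time `now` (seconds)."""
        if now < self.blocked_until:
            return False                       # waiting out the lockout window
        if self.last_call and now - self.last_call < self.min_interval_s:
            return False                       # client-side rate limit
        return True

    def record(self, status, now):
        """Update state from an HTTP status; trips the breaker on repeated 401s."""
        self.last_call = now
        if status != 401:
            self.consecutive_401 = 0           # credential works: clear the counter
            return
        self.consecutive_401 += 1
        if self.consecutive_401 >= self.max_attempts - 1:
            # one more failure would lock the account: hold off for the
            # lockout period and leave the credential problem to an operator
            self.blocked_until = now + self.lockout_minutes * 60

    def needs_operator(self):
        """True once the breaker has tripped and someone must fix the credential."""
        return self.consecutive_401 >= self.max_attempts - 1


def poll(transport, guard, clock, rounds):
    """Run `rounds` polling iterations through the guard.

    `transport(path)` performs the request and returns the HTTP status
    (a stub here); `clock()` returns the current time in seconds.
    Returns the per-round outcome: a status code or "skipped".
    """
    outcomes = []
    for _ in range(rounds):
        now = clock()
        if not guard.allow_call(now):
            outcomes.append("skipped")
            continue
        status = transport(API_PATH)
        guard.record(status, now)
        outcomes.append(status)
    return outcomes


def make_clock(start, step):
    """Deterministic clock for offline runs: returns start, start+step, ..."""
    state = {"t": start - step}

    def clock():
        state["t"] += step
        return state["t"]
    return clock


# Constructed sample of passwordenforcement.properties with the article's defaults.
SAMPLE_PROPERTIES = """\
# constructed sample, not a file copied from an Enforce Server
com.vontu.manager.password.attempts=6
com.vontu.manager.password.administrator.lockout.expiration=60
"""

if __name__ == "__main__":
    attempts, minutes = load_lockout_settings(SAMPLE_PROPERTIES)
    guard = LockoutGuard(max_attempts=attempts, lockout_minutes=minutes)
    # stub transport: the credential is wrong, so every call answers 401
    print(poll(lambda path: 401, guard, make_clock(1000, 1200), 7))
    print("operator needed:", guard.needs_operator())
```

With a broken credential the guard sends five requests (one short of the default threshold of six), then skips every round until the 60-minute window has passed, which is the behaviour a retry loop without a breaker lacks and the reason such loops end up with a locked service account.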