Configure AD User login Authentication in Enforce for Data Loss Prevention 15.x and higher


Article ID: 171932


Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

This article covers the process of integrating an LDAP Active Directory connection into Symantec Data Loss Prevention (DLP) 15.x and higher to log into Enforce with an AD account.

Resolution

DLP 15.x and higher

The process for setting up AD user authentication in DLP changed in version 15.x. Configuration is now split between the Enforce administration console and a manual edit of the springSecurityContext.xml file.

In order to configure an LDAP AD Connection for Symantec DLP 15.x and higher, complete the following steps:

  1. Copy the springSecurityContext-Kerberos.xml template from the "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\webapps\ProtectManager\security\template" folder.
  2. Paste the copied springSecurityContext-Kerberos.xml file into the "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\webapps\ProtectManager\WEB-INF" folder.
  3. Rename the copy to springSecurityContext.xml by removing -Kerberos from the file name, replacing the existing springSecurityContext.xml file (keep a backup of the original so you can revert to local authentication if the Kerberos configuration does not work).
  4. Open the new springSecurityContext.xml file and make sure the krbConfLocation property points to the actual location of your krb5.ini file (krb5.conf on Linux).
  5. Change to the Protect\config directory (C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\config on Windows, /opt/SymantecDLP/Protect/config on Linux).
  6. Edit the krb5.ini file (krb5.conf on Linux) to describe the Active Directory domain structure and the domain controller(s). The [libdefaults] section sets default_realm, the default domain (Kerberos realms correspond to Active Directory domains). The [realms] section defines the Active Directory server(s) for each domain; for example, for the realm DOMAIN.COM the Active Directory server is dc.domain.com, and further kdc entries can be added for additional domain controllers. The realm name must be uppercase, both in default_realm and as the section name under [realms].
  7. Restart the Enforce Server services.
  8. Log in to the Enforce administration console in a browser.
  9. Add an Active Directory connection under System > Settings > Directory Connections.
  10. Add user roles as needed under System > Login Management > Roles.
  11. Add users under System > Login Management > DLP Users. Users must still be defined in the Enforce administration console before an AD user can log in: the user names entered in Enforce are cross-checked against Active Directory user names, and the password is verified by Active Directory. You can switch to Active Directory authentication after user accounts already exist in the system, but only those existing user names that match Active Directory user names remain valid after the switch.

For additional information refer to: Configure Active Directory Authentication for DLP


Linux

If you are running Symantec Data Loss Prevention on Linux, verify the Active Directory connection with the kinit utility. On Linux the file must be named krb5.conf rather than krb5.ini, because kinit expects that name; Symantec DLP assumes you will use kinit to verify the connection and therefore directs you to rename the file.
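The krb5 configuration from step 6 and the kinit verification described for Linux, as an added example (a POSIX shell script written for this page, not from the article or from Symantec): it generates a krb5.conf for the article's DOMAIN.COM realm with dc.domain.com as the KDC, checks the constraints the article states (the realm name is uppercase in default_realm and under [realms], and the default realm has at least one kdc), and prints the kinit command to run. The [domain_realm] section, the second domain controller dc2.domain.com, the principal dlpuser@DOMAIN.COM and the temporary file path are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the DLP AD-authentication article; not Symantec's code.
# Generates and sanity-checks a krb5.conf (krb5.ini on Windows) before it is
# copied to Protect/config and referenced by krbConfLocation.

# Write a krb5.conf for one realm with one or more KDCs.
# $1: output path, $2: realm name (uppercase), $3...: domain controller hosts.
# The [domain_realm] mapping is a standard addition not mentioned in the article.
write_krb5_conf() {
    out="$1"; realm="$2"; shift 2
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    {
        printf '[libdefaults]\n    default_realm = %s\n\n[realms]\n    %s = {\n' "$realm" "$realm"
        for kdc in "$@"; do printf '        kdc = %s\n' "$kdc"; done
        printf '    }\n\n[domain_realm]\n    .%s = %s\n    %s = %s\n' "$domain" "$realm" "$domain" "$realm"
    } > "$out"
}

# Print the default_realm from [libdefaults]; prints nothing if it is missing.
default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if the realm name is entirely uppercase, as the article requires
# (Kerberos realm names are case-sensitive, so DOMAIN.COM and domain.com differ).
realm_is_uppercase() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Succeed only if [realms] contains a block for $2 with at least one kdc entry.
# $1: krb5.conf path, $2: realm name (must match the section name exactly).
realm_has_kdc() {
    awk -v realm="$2" '
        /^\[/ { section = $0 }
        section == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && /}/ { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" && $3 != "" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Run the checks the article implies; report each problem and return non-zero on any.
check_krb5_conf() {
    file="$1"; rc=0
    realm=$(default_realm "$file")
    if [ -z "$realm" ]; then
        echo "$file: no default_realm in [libdefaults]"; return 1
    fi
    if ! realm_is_uppercase "$realm"; then
        echo "$file: default_realm '$realm' must be uppercase"; rc=1
    fi
    if ! realm_has_kdc "$file" "$realm"; then
        echo "$file: [realms] defines no kdc for $realm (check case and spelling)"; rc=1
    fi
    return $rc
}

# Linux verification as the article describes: obtain a TGT with kinit using the
# file under test. $1: krb5.conf path, $2: principal such as dlpuser@DOMAIN.COM.
kinit_check() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed; skipping"; return 2; }
    KRB5_CONFIG="$1" kinit "$2" && KRB5_CONFIG="$1" klist
}

# Constructed demo: the article's example realm with two domain controllers
# (dc2.domain.com is assumed). Real deployments write Protect/config/krb5.conf.
demo=$(mktemp)
write_krb5_conf "$demo" DOMAIN.COM dc.domain.com dc2.domain.com
cat "$demo"
if check_krb5_conf "$demo"; then
    echo "OK: copy this file to Protect/config/krb5.conf (krb5.ini on Windows), then run:"
    echo "  KRB5_CONFIG=$demo kinit dlpuser@DOMAIN.COM   # dlpuser is a placeholder principal"
fi
```

Run it on the Linux Enforce host as the account that will own the file; a failing check_krb5_conf is the cheap test to do before restarting services, since a lowercase realm name or a kdc block whose name does not match default_realm fails kinit and, with it, every Enforce login.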