How to Configure AD User login Authentication in Enforce for Data Loss Prevention 15.x and above


Article ID: 171932


Updated On:


Data Loss Prevention Enforce


This article covers the process of integrating an LDAP Active Directory connection into Symantec Data Loss Prevention (DLP) 15.0 or above for the purpose of logging into Enforce with an AD account.
This is a different process for DLP 12.x and 14.x. See LDAP Active Directory Connection in Data Loss Prevention 14.x


DLP 15.0 and Above

The process for setting up AD User Authentication in DLP changed in version 15.0. The configuration now takes place both in the UI and manual configuration of the springSecurityContext file.

In order to configure an LDAP AD Connection for Symantec DLP 15.0 and above, complete the following steps:

  1. Copy the springSecurityContext-KERBEROS.xml template from SymantecDLP\Protect\tomcat\webapps\ProtectManager\security\template
  2. Paste the copied springSecurityContext-KERBEROS.xml file into the SymantecDLP\Protect\tomcat\webapps\ProtectManager\WEB-INF folder
  3. Rename the file to springSecurityContext.xml by removing the -KERBEROS from the file name, replacing the existing springSecurityContext.xml file.
  4. Since we are only configuring an Active Directory connection, we do not need to edit the contents of this file.
  5. Change to the SymantecDLP\Protect\config directory (SymantecDLP\Protect\config on Windows or /opt/SymantecDLP/Protect/config on Linux).
  6. Edit the krb5.ini file (krb5.conf on Linux), adding information about the Active Directory domain structure and server location(s). More than one location can be defined if needed, as seen in screen shot below. The [libdefaults] section identifies the default domain. (Kerberos realms correspond to Active Directory domains.) The [realms] section defines an Active Directory server for each domain. In the example below, the Active Directory server for ENG.COMPANY.COM is More than one server can be added, as needed.
  7. Restart Vontu Notifier Service, which will restart two additional Vontu services as well.
  8. Log in to DLP Dashboard in the browser
  9. Add an Active Directory Connection in the Symantec DLP dashboard under System > Settings > Directory Connections.
  10. Add User Roles (as needed) under System > Login Management > Roles
  11. Add a user inside the DLP Dashboard under System > Login Management > DLP Users (You must still define users in the Enforce Administration Dashboard, before an AD user can successfully login. The user names entered in the DLP Dashboard will be cross-checked with Active Directory usernames / passwords. You can switch to Active Directory authentication after you have already created user accounts in the system. Only those existing user names that match Active Directory user names remain valid after the switch.)


If you are running Symantec Data Loss Prevention on Linux, verify the Active Directory connection using the kinit utility. You must rename the krb5.ini file as krb5.conf. The kinit utility requires the file to be named krb5.conf on Linux. Symantec DLP assumes that you use kinit to verify the Active Directory connection, and directs you to rename the file as krb5.conf.