Configuring Kerberos Based Authentication

Article ID: 384313

Updated On: 01-27-2025

Products
     - Data Loss Prevention
     - Data Loss Prevention Core Package
     - Data Loss Prevention Enterprise Suite
     - Data Loss Prevention Plus Suite
     - Data Loss Prevention Enforce

Issue/Introduction

The purpose of this guide is to provide a basic implementation of Kerberos-based authentication for the Enforce console.
This is often loosely referred to as "LDAP authentication", "AD authentication", or "Active Directory authentication". Strictly, it is Kerberos: the Enforce Server authenticates users against the Active Directory domain controllers (the KDCs) listed in krb5.ini using the Kerberos protocol, rather than performing an LDAP bind.

Resolution

Authentication templates location: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\tomcat\webapps\ProtectManager\WEB-INF\security\template
(The copy step below shows the template directory directly under ProtectManager rather than under WEB-INF; use whichever "security\template" directory exists on your Enforce Server. "<DLP Version>" is the release directory, for example 15.5 or 16.1.00000.)
Template files:
     - SpringSecurityContext-Certificate.xml
     - SpringSecurityContext-Form.xml
     - SpringSecurityContext-Kerberos.xml
     - SpringSecurityContext-SAML.xml

 

Copy the "SpringSecurityContext-Kerberos.xml" template (substitute your own release directory for "15.5"):

From:
"C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\security\template\SpringSecurityContext-Kerberos.xml"

To:
"C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\WEB-INF\SpringSecurityContext-Kerberos.xml"

Rename:
From: "SpringSecurityContext-Kerberos.xml"
To: "SpringSecurityContext.xml"

- If WEB-INF already contains a SpringSecurityContext.xml (the configuration currently in use), back it up before overwriting it. Restoring that backup and restarting the service is how you get back into the console if the Kerberos configuration fails.
- On Linux, file names are case-sensitive, so match the casing of the existing file exactly.
- Update the path to the KRB5.ini in the new "SpringSecurityContext.xml". It must point to the krb5.ini (krb5.conf on Linux) that you edit in the next step with the correct domain information.

 

Modify the KRB5.ini with your domain information. The file ships in the Protect config directory of the release you are running, for example:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.1.00000\Protect\config\krb5.ini
     - on Linux the file is named "krb5.conf" (rename it if necessary)

Update the default values to reflect your environment. The shipped defaults are:

[libdefaults]
    default_realm = TEST.LAB

[realms]
    ENG.COMPANY.COM = {
        kdc = engAD.eng.company.com
    }
    MARK.COMPANY.COM = {
        kdc = markAD.eng.company.com
    }
    QA.COMPANY.COM = {
        kdc = qaAD.eng.company.com
    }

     

Replace the default_realm value "TEST.LAB" with your Kerberos realm, which for Active Directory is the DNS name of the domain in UPPER CASE (realm names are case-sensitive).

      For example:
      Default: default_realm = TEST.LAB
      Change to: default_realm = <YOURDOMAIN.COM>

Replace the sample realm names (such as "ENG.COMPANY.COM") with your actual domain names, again in UPPER CASE. The default_realm must also appear as one of the [realms] entries; in the shipped template it does not (TEST.LAB is not defined under [realms]), so both places have to be edited.

      For example:
      Default: ENG.COMPANY.COM
      Change to: <YOURDOMAIN.COMPANY.COM>

Replace the sample kdc values with the hostnames (or IP addresses) of your Active Directory domain controllers. Do not reformat the line; replace only the value. The Enforce Server must be able to resolve each hostname and reach the KDC on port 88. More than one "kdc =" line may be listed in a realm block for redundancy.

      For example:
      Default: kdc = engAD.eng.company.com
      Change to: kdc = <ADserver.eng.company.com>

Remove any unused realm entries, so that only the realms you actually authenticate against remain.

      For example, if you use only the first realm block, delete these two blocks entirely:
      MARK.COMPANY.COM = {
            kdc = markAD.eng.company.com
      }
      QA.COMPANY.COM = {
            kdc = qaAD.eng.company.com
      }

Save the file.
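The editing rules above (upper-case realm names, a default_realm that has its own [realms] entry, no sample values or angle-bracket placeholders left behind, no unused realm blocks) are easy to get wrong by hand, and a mistake only shows up as a failed console login after the service restart. The following Python script is an added example, not part of the original article or of the DLP product: it lints a krb5.ini/krb5.conf against those rules. The "default" sample reproduces the shipped template shown above; the "edited" sample uses a hypothetical realm CORP.EXAMPLE.COM with two hypothetical domain controllers. Run it with the path to your krb5.ini as its only argument.

```python
"""Lint a krb5.ini / krb5.conf against the editing rules in the procedure above.

Added example: not part of the original article or the DLP product.
"""
import re
import sys

# Constructed input: the shipped default, before editing.
DEFAULT_KRB5_INI = """\
[libdefaults]
  default_realm = TEST.LAB
[realms]
      ENG.COMPANY.COM = {
          kdc = engAD.eng.company.com
      }
      MARK.COMPANY.COM = {
          kdc = markAD.eng.company.com
      }
"""

# Constructed input: the same file after editing for a hypothetical
# CORP.EXAMPLE.COM domain with two (hypothetical) domain controllers.
EDITED_KRB5_INI = """\
[libdefaults]
  default_realm = CORP.EXAMPLE.COM
[realms]
      CORP.EXAMPLE.COM = {
          kdc = dc01.corp.example.com
          kdc = dc02.corp.example.com
      }
"""

# Values from the shipped template that must not survive editing.
SAMPLE_VALUES = ("TEST.LAB", "ENG.COMPANY.COM", "MARK.COMPANY.COM", "QA.COMPANY.COM")


def parse_krb5(text):
    """Return (default_realm, {REALM: [kdc, ...]}).

    Only [libdefaults]/default_realm and the kdc lines inside each
    [realms] block are extracted; every other setting is ignored.
    """
    default_realm = None
    realms = {}
    section = None
    current = None
    for raw in text.splitlines():
        # Strip '#' and ';' comments, then surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            current = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms":
            if value == "{":            # "REALM = {" opens a realm block
                current = key
                realms.setdefault(current, [])
            elif line == "}":           # closes the current realm block
                current = None
            elif current is not None and key == "kdc":
                realms[current].append(value)
    return default_realm, realms


def lint_krb5(text):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    default_realm, realms = parse_krb5(text)
    if default_realm is None:
        problems.append("no default_realm in [libdefaults]")
    else:
        if default_realm != default_realm.upper():
            problems.append(f"default_realm {default_realm!r} is not upper case")
        if default_realm not in realms:
            problems.append(f"default_realm {default_realm!r} has no [realms] entry")
    for realm, kdcs in realms.items():
        if realm != realm.upper():
            problems.append(f"realm {realm!r} is not upper case")
        if not kdcs:
            problems.append(f"realm {realm!r} has no kdc line")
        for kdc in kdcs:
            if re.search(r"[<>]", kdc):
                problems.append(f"kdc {kdc!r} in {realm} still has a placeholder")
    for sample in SAMPLE_VALUES:
        if sample in realms or sample == default_realm:
            problems.append(f"sample value {sample} left in file")
    return problems


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else EDITED_KRB5_INI
    found = lint_krb5(text)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

A non-zero exit status means the file should not be put into service yet. The check is deliberately limited to what this procedure asks for; it does not confirm that the KDCs are reachable or that the clock is in sync, which only a real login (or a test with the domain's own Kerberos tools) will tell you.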

- Restart the SymantecDLPManager service on the Enforce Server.
- Enforce Console > System > Settings > General > Configure
- Add the domains listed in krb5.ini to the DLP Authentication area.
- Kerberos rejects authentication when the Enforce Server's clock differs from the KDC's by more than the permitted skew (5 minutes by default), so confirm the server keeps time with the domain before testing a login.