Symantec Data Loss Prevention (DLP) is set up with Active Directory (AD) authentication. Logging in to the Enforce console with the AD account created for DLP fails with the standard error: “Invalid Username/Password or Disabled Account”.
Symantec Data Loss Prevention (DLP) v11
Customized AD environment with non-standard Kerberos settings
"Invalid Username/Password or Disabled Account"
In the log file we can see the following:
Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.conf=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:58,976- Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.realm=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:59,508- Thread: 13 INFO [com.vontu.manager.security.IpCatcherValve] Unsuccessful login attempt for user (XXX) at IP address: ..
Additionally, AD logs Event ID 4768 ("A Kerberos authentication ticket (TGT) was requested") for the attempt. Check the Result Code field of that event: 0xE (KDC_ERR_ETYPE_NOTSUPP, "KDC has no support for encryption type") points to an encryption type mismatch rather than a wrong password, which is what the generic error message on the Enforce side hides.
The default encryption types that both Windows Kerberos and the MIT-style Kerberos implementation in Java support are RC4-HMAC, DES-CBC-CRC and DES-CBC-MD5. If the AD environment has been customized to use an encryption type outside this default set (for example DES3-CBC-SHA1), the Kerberos client on the Enforce side (the Java implementation, configured through /opt/Vontu/Protect/config/krb5.conf) must be configured to handle that type. Otherwise the KDC has no encryption type in common with the client, cannot issue a ticket, and Enforce reports the generic invalid username/password error.
Ask the AD administrator for the encryption types actually enabled for the DLP account (on the account's msDS-SupportedEncryptionTypes attribute or in the domain Kerberos policy), and list those types in the [libdefaults] section of the Enforce krb5.conf (default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes) so that both sides share at least one encryption type. Restart the Enforce server services afterwards so the new krb5.conf is loaded.
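The following check is an added example for this article, not Symantec code or part of the DLP product. It parses the enctype lines of a krb5.conf [libdefaults] section, decodes an AD account's msDS-SupportedEncryptionTypes bitmask, and reports whether the two sides share any encryption type for the TGT request (the exchange AD logs as event 4768). The krb5.conf text, the realm EXAMPLE.COM, the KDC name dc1.example.com and the account bitmask are constructed; the sample account is AES-only, a different non-default type than the DES3 case above but the same kind of mismatch. The bit values and krb5.conf key names are the ones documented by Microsoft and MIT Kerberos.

```python
"""Compare the enctypes a krb5.conf lets the Kerberos client offer with the
enctypes an AD account accepts (msDS-SupportedEncryptionTypes).

Added example for this KB entry; it is not Symantec DLP code. The sample
krb5.conf text, the bitmask value and the "defaults" set are constructed.
"""
import re

# Documented bit values of the AD attribute msDS-SupportedEncryptionTypes,
# mapped to the MIT krb5 enctype names used in krb5.conf.
AD_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Alternative spellings MIT krb5 accepts in krb5.conf, normalised to one name.
ENCTYPE_ALIASES = {
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
}

# [libdefaults] keys that control which enctypes the client offers/accepts.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# The default set this article names for both Windows and the Java client.
KB_DEFAULT_ENCTYPES = frozenset({"rc4-hmac", "des-cbc-crc", "des-cbc-md5"})


def ad_enctypes(bitmask):
    """Decode an msDS-SupportedEncryptionTypes value into enctype names."""
    return {name for bit, name in AD_ENCTYPE_BITS.items() if bitmask & bit}


def krb5_conf_enctypes(text):
    """Return {key: set_of_enctypes} for the enctype keys found in [libdefaults].

    Absent keys are left out: the client then uses its compiled-in defaults.
    """
    found = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in ENCTYPE_KEYS:
            tokens = value.lower().replace(",", " ").split()
            found[key] = {ENCTYPE_ALIASES.get(t, t) for t in tokens}
    return found


def common_tgt_enctypes(conf_text, account_bitmask, client_defaults=KB_DEFAULT_ENCTYPES):
    """Enctypes usable for the TGT request (the AS exchange behind AD event 4768).

    The client offers default_tkt_enctypes when krb5.conf sets it, otherwise
    its compiled-in defaults; the KDC needs one of those to be enabled on the
    account, or it answers KDC_ERR_ETYPE_NOTSUPP and the login fails.
    """
    offered = krb5_conf_enctypes(conf_text).get("default_tkt_enctypes", set(client_defaults))
    return offered & ad_enctypes(account_bitmask)


# Constructed sample: an Enforce krb5.conf restricted to the article's default set.
DEFAULT_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

# The same file with the account's non-default enctypes added (the fix).
FIXED_KRB5_CONF = DEFAULT_KRB5_CONF.replace(
    "rc4-hmac des-cbc-crc des-cbc-md5",
    "aes256-cts aes128-cts rc4-hmac des-cbc-crc des-cbc-md5",
)

# Constructed sample: an account customised to allow AES only (0x08 | 0x10).
AES_ONLY_ACCOUNT = 0x18

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        shared = common_tgt_enctypes(conf, AES_ONLY_ACCOUNT)
        print(f"{label} krb5.conf: shared enctypes = {sorted(shared) or 'NONE (login fails)'}")
```

With the default krb5.conf the intersection is empty, which is the situation this article describes; after adding the account's types to the enctype keys the client and the KDC agree on AES. The same comparison applies to default_tgs_enctypes for the service-ticket step that follows a successful TGT request.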