Data Loss Prevention

  • 1.  Active Directory Authentication on DLP 10.5.2

    Posted Mar 15, 2011 09:51 AM

    Hey, I've been trying to get the DLP 10.5.2 Enforce to authenticate against the DC but I'm getting some issues:

    krb5.ini config (placed in $vontuHome and Windows/):

    [libdefaults]
    default_realm = ABC

    [realms]
           ABC = {
                        kdc = DC.ABC      
                        }

    Test:

    Z:\Vontu\jre\bin>kinit username

    Password for username@ABC

    Exception: krb_error 41 Message stream modified (41) Message stream modified
    KrbException: Message stream modified (41)
            at sun.security.krb5.KrbKdcRep.check(Unknown Source)
            at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
            at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
            at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
            at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)
            at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
            at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

    The error code seems to be related to some kind of encryption/decryption process being done on the DC side, but I'm not familiar with that.

    Thoughts?

    Thanks!

  • 2.  RE: Active Directory Authentication on DLP 10.5.2

    Posted Mar 15, 2011 02:20 PM

    Fernando,

    Some of the best ways to find a solution are to use the search option in the top right of the forums. You can search by category also. Here is a topic that may help you out.

    http://www.symantec.com/connect/forums/ad-auth



  • 3.  RE: Active Directory Authentication on DLP 10.5.2

    Posted Mar 15, 2011 03:18 PM

    You are correct, it is due to encryption/decryption. This is what I had to put at the front of my krb5.ini file for my Windows 2003 domain:

    [libdefaults]
    default_tkt_enctypes = RC4-HMAC
    default_tgs_enctypes = RC4-HMAC

    Let me know if this works....


  • 4.  RE: Active Directory Authentication on DLP 10.5.2

    Posted Mar 21, 2011 11:05 AM

    Thanks for the tip, tried all the encryption types:

        * des-cbc-md5
        * des-cbc-crc
        * des3-cbc-sha1
        * rc4-hmac
        * arcfour-hmac
        * arcfour-hmac-md5
        * aes128-cts-hmac-sha1-96
        * aes256-cts-hmac-sha1-96


    It seems I'm gonna try testing with the app itself, since the kinit app doesn't seem to work.

    Thoughts?
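
Added example, not part of the original thread and not Symantec's code: a small Python check for a krb5.ini like the ones posted above. It verifies that default_realm has a kdc entry under [realms] and that the configured enctype names are among those listed in post 4; the function names and the sample file (posts 1 and 3 merged) are constructed for illustration.

```python
import re
# Enctype names as listed in post 4 of this thread (compared case-insensitively).
KNOWN_ENCTYPES = set("des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac "
                     "arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96".split())

# Constructed sample: the config from post 1 with the two lines from post 3 merged in.
SAMPLE = """\
[libdefaults]
default_realm = ABC
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
[realms]
    ABC = {
        kdc = DC.ABC
    }
"""

def parse_krb5(text):
    """Parse krb5.ini text into nested dicts; a repeated key keeps its last value."""
    conf, stack = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                                  # [section]: repeated headers merge
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:        # end of a "NAME = {" block
            stack.pop()
        elif "=" in line and stack and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                        # start of a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_krb5(text):
    """Return a list of findings; an empty list means the checks passed."""
    conf, findings = parse_krb5(text), []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    realm_conf = conf.get("realms", {}).get(realm)  # realm names are case-sensitive
    if realm is None:
        findings.append("no default_realm in [libdefaults]")
    elif not isinstance(realm_conf, dict) or "kdc" not in realm_conf:
        findings.append(f"default_realm {realm} has no kdc entry in [realms]")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for name in re.split(r"[,\s]+", lib.get(key, "")):
            if name and name.lower() not in KNOWN_ENCTYPES:
                findings.append(f"{key}: unrecognised enctype {name}")
    return findings
```

Calling `check_krb5(SAMPLE)` returns an empty list; a misspelled enctype or a default_realm whose case differs from the [realms] entry each produce a finding.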