
AD user authentication with DLP Reporting and Updating API

Created: 30 Nov 2012 | 7 comments
hxchristi wrote:

Hello,


I am currently working on implementing a web service client against the DLP Reporting and Updating API version 11.6 and it looks like it doesn't work with AD authentication and that it only accepts single DLP user accounts.  Since our implementation uses AD authentication, we are required to be able to contact the web service using an AD account.

Any help or advice on how to properly pass an AD account credential (username, password and domain) to the webservice or any workarounds available, would be greatly appreciated.


Thanks!

7 Comments

kishorilal1986 wrote:

hi HX,

As DLP has a very strong and secure authentication mechanism, you need to configure and verify the facts below. You can directly create a user account in DLP apps/AD Auth/SPC; these are some options. After successful integration with AD you must add them in DLP and enable them.

AD Authentication and an LDAP query are two different things. To perform AD authentication you need to configure the krb5.ini file (Windows) or the krb5.conf file (Linux), then run a command. See the admin guide for DLP 10.5 and search for krb5; it will take you to the page for AD Authentication.

Domain user names entered for login must match the user names defined in DLP.

When setting up Active Directory authentication you need to make sure that domain user names match what has been created in the Users section of the DLP UI. Also remember that DLP user names are case-sensitive even if Active Directory is not.

For example, in DLP you can define two apparently identical user names; Jsmith and jsmith. The difference is only in the case of the first letter, but DLP considers them to be unique since the user names are case-sensitive. Both names, if entered, would authenticate against a domain user name jsmith. However, if the DLP user is created as JSMITH and you attempt a login as jsmith you will get a login failure message.

Users must be part of a role in DLP to be able to log in.

It is not sufficient to create a user in Vontu that matches an existing domain user. The user must also be assigned to a role within Vontu, otherwise you will be unable to log in.

Also refer to the link below for detailed refe

Artem wrote:

Hello,

I have the same issue. AD user authentication works correctly. But AD authentication doesn't work from my own application, which connects with the Reporting API. I can connect only with the Administrator account. How can I use a username from AD for the Reporting API?

jgt10 wrote:

For both of you having problems, double check that the role and/or users are enabled to use the API.

JGT

--
John G. Thompson
JOAT(MON)

Artem wrote:

The role isn't the reason for this issue.

I contacted the Symantec Support team and got a link to Article ID 53354 of the Data Loss Prevention Knowledgebase.


From the Knowledgebase:

Make sure the following syntax is used to provide AD user details in the Reporting API client:

<Username>:<Active_Directory_Domain_In_Upper_Case>

OR

<Role>\<Username>:<Active_Directory_Domain_In_Upper_Case>

For example:

jdoe:ACME.COM
superuser\jdoe:ACME.COM


The information from that article is a direct answer to the question.
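An added example (not from the thread or from Symantec) that composes and checks the login string in the two forms the knowledgebase article describes. It upper-cases the domain as the article requires but leaves the username untouched, since DLP user names are case-sensitive (as noted earlier in the thread); the function and variable names are my own.

```python
import re
from typing import Optional

# The two accepted forms from Article ID 53354:
#   <Username>:<DOMAIN>        or        <Role>\<Username>:<DOMAIN>
# Role and username may not contain the ':' and '\' separators.
_LOGIN_RE = re.compile(r"^(?:(?P<role>[^\\:]+)\\)?(?P<user>[^\\:]+):(?P<domain>[^\\:]+)$")


def build_api_login(username: str, domain: str, role: Optional[str] = None) -> str:
    """Compose the login name an AD user supplies to the Reporting API client.

    The domain is forced to upper case because the article requires it.
    The username is passed through unchanged: DLP treats 'jsmith' and
    'JSMITH' as different accounts, so normalising its case would break login.
    """
    if not username or not domain:
        raise ValueError("username and domain are required")
    for field in (username, domain, role or ""):
        if ":" in field or "\\" in field:
            raise ValueError("':' and '\\' are separators and may not appear in a field")
    login = f"{username}:{domain.upper()}"
    return f"{role}\\{login}" if role else login


def check_api_login(login: str) -> dict:
    """Parse an existing login string and list why the API would reject it.

    Returns the parsed parts ('role', 'user', 'domain') together with
    'ok' and a 'problems' list, which is empty when the string is well-formed.
    """
    match = _LOGIN_RE.match(login)
    if not match:
        return {"ok": False,
                "problems": ["expected <Username>:<DOMAIN> or <Role>\\<Username>:<DOMAIN>"]}
    parts = match.groupdict()
    problems = []
    if parts["domain"] != parts["domain"].upper():
        problems.append("Active Directory domain must be in upper case")
    parts["problems"] = problems
    parts["ok"] = not problems
    return parts
```

Running `check_api_login` on the value your client currently sends (for example a bare "Administrator" or a lowercase "jdoe:acme.com") shows which of the article's rules it breaks before you spend time on role or Kerberos settings.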

kishorilal1986 wrote:

Hi HX, is your query resolved or do you need a further solution? Please let us know.