Data Loss Prevention

  • 1.  AD Authentication

    Posted Aug 21, 2018 01:57 PM

    Hi All, I just upgraded our environment from Symantec DLP 14.6 to 15.1. After running the migrator utility everything is working fine, including AD authentication, but I have a question.

     

    1. I removed/renamed krb5.ini from all expected locations, even from my temp folder where I stored it as a backup file.

    2. Commented the springSecurityContext.xml file located at ("Install Drive:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat\webapps\ProtectManager\WEB-INF\springSecurityContext.xml")

       Note: after migration the path for krblocation was the default "C:\SymantecDLP\Protect\config\krb5.ini", which is odd, and I am still getting the AD authentication prompt.

    3. Restarted services and also rebooted the server after every change.

    Still I am being prompted for AD authentication and I am not sure where these settings are. Any clue, please?

     

    Thank you 

     



  • 2.  RE: AD Authentication

    Posted Aug 22, 2018 07:13 AM

    Hi Waqar

     

    Have you checked C:\SymantecDLP\Protect\config\krb5.ini to see if the KRB is in there?

    When you say you are being prompted for AD authentication do you mean when you log into the Enforce Console?

    Does the original Administrator account still exist in your Enforce user list?

    Where did you remove the KRB file from? You should only need to remove it from the location in the SpringSecurityContext.xml file, which if you followed the documentation should be in c:\windows.

     

    If you have done all of this then it may be worth renaming the SpringSecurityContext.xml to SpringSecurityContext.old and then dropping in the file that I have attached; it is the original .xml file.

     

    Please let me know if this fixes the issue or if I can help any more.

     

    Thanks

     

     




  • 3.  RE: AD Authentication

    Posted Aug 22, 2018 01:12 PM

    Hi Alan.Waggott, appreciate your response.

    We were using DLP version 14.6 and AD authentication was working, and now we have upgraded to 15.1 and AD authentication is still working, but the problem is that if I remove or rename our krb5.ini file, AD authentication should break as no krb5.ini file exists. Here I am experiencing that the krb5.ini file which holds the AD information is not present, but I am still able to use my AD credentials.

    Replies to your questions are in italics.

    Have you checked C:\SymantecDLP\Protect\config\krb5.ini to see if the KRB is in there? 

    No (deleted, as I am testing where I am getting authenticated from)

    When you say you are being prompted for AD authentication do you mean when you log into the Enforce Console?

    Yes (AD authentication is in place, but I am trying to break it for my test)

    Does the original Administrator account still exist in your Enforce user list?

    Yes 

    Where did you remove the KRB file from? You should only need to remove it from the location in the SpringSecurityContext.xml file, which if you followed the documentation should be in c:\windows.

    I removed the krb5.ini file from the location where it was placed and also removed the file location entry in SpringSecurityContext.xml (still, when I open the Console it accepts AD accounts with AD passwords).

    If you have done all of this then it may be worth renaming the SpringSecurityContext.xml to SpringSecurityContext.old and then dropping in the file that I have attached; it is the original .xml file.

    When I drop in your file it breaks the authentication, but this is the original file and I believe it's the same as the template file springSecurityContext-Form.xml, but I need to use "springSecurityContext-Kerberos.xml" and rename this file to "SpringSecurityContext.xml", where I can provide my krb5.ini location.

    Can you point out whether I am mistaking something here in the template files?

    Thank you.

     



  • 4.  RE: AD Authentication

    Posted Aug 23, 2018 04:29 AM

    Hi Waqar,

    I'll have a look in my lab. Have you got LDAP links in your deployment (Directory Connections, etc.)?

    You are right in the fact that if you remove/rename the KRB the domain should disappear from the Enforce login screen. One thing to be conscious of is that if you have set users up in Enforce that are linked to Active Directory you will be able to log in using those credentials even though the domain does not appear on the Enforce login screen. This is because you have set the user up and told it to use AD for its password.

    I'm not 100% sure but I think once you log in DLP keeps a record of that password. I will test this when I have a few minutes.

     

    Thanks



  • 5.  RE: AD Authentication

    Posted Aug 23, 2018 05:59 AM

    Hi Waqar,

    I have just tested this in my lab. I made no changes to the SpringSecurityContext file and I just removed the KRB file from the Windows location, and this removed the domain from my Enforce page and I was unable to log in using AD credentials.

    As this is an upgrade it might be worth checking out the SpringSecurityContext in the original install and removing the KRB from the location specified in that file, as it could be getting mixed up somewhere.

    If that doesn't work could you please upload your SpringSecurityContext files and I'll take a look for you.

    Thanks
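
Added example (not part of the thread and not Symantec code): a PowerShell check for the situation discussed above, listing every krb5 file path that an uncommented line in any springSecurityContext*.xml still references, and any krb5* file (renamed backups included) left under the install roots or the Windows directory. The search roots are assumptions; the second default is a guess at the 15.1 location and should be replaced with the real install directory.

```powershell
# Added example: find every Kerberos config a springSecurityContext*.xml
# still points at, plus any krb5* file left on disk (renamed copies included).
param(
    # Assumed search roots: the old path from the thread and a guessed
    # 15.1 location; pass -Roots with your real install directories.
    [string[]]$Roots = @('C:\SymantecDLP',
                         "$env:ProgramFiles\Symantec\Data Loss Prevention")
)

# A Windows path (either slash style) ending in krb5.ini or krb5.conf.
$pathPattern = '[A-Za-z]:[\\/][^"<>|?*\r\n]*?krb5\.(?:ini|conf)'

$contexts = foreach ($root in $Roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File `
            -Filter 'springSecurityContext*.xml' -ErrorAction SilentlyContinue
    }
}

$references = foreach ($file in $contexts) {
    $text = Get-Content -LiteralPath $file.FullName -Raw
    if (-not $text) { continue }
    # Drop XML comments so commented-out entries are not reported as live.
    $active = [regex]::Replace($text, '(?s)<!--.*?-->', '')
    foreach ($m in [regex]::Matches($active, $pathPattern, 'IgnoreCase')) {
        [pscustomobject]@{
            ContextFile = $file.FullName
            KrbPath     = $m.Value
            Exists      = Test-Path -LiteralPath $m.Value
        }
    }
}

# krb5* also catches renamed backups such as krb5.ini.old; the Windows
# directory is checked at top level only.
$leftovers = foreach ($dir in @($Roots) + $env:windir) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -File -Filter 'krb5*' `
            -Recurse:($dir -ne $env:windir) -ErrorAction SilentlyContinue
    }
}

$references | Format-Table -AutoSize
$leftovers  | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

A row with Exists = True in the first table, or any file in the second, is a Kerberos configuration that is still present on disk after the upgrade.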



  • 6.  RE: AD Authentication

    Posted Aug 23, 2018 06:21 PM
    Hi Alan, I have removed the krb5.ini files from my system and also removed the krblocation line from the springSecurityContext.xml file, and I am still getting the domain. I opened a case with Symantec and troubleshot, but they have no clue; the case has been sent to backline and all recommendations from backline are not working. I will update if I get something working. If you have anything please share. I will send you the file later as it’s not available at this time. Thank you

