Data Loss Prevention


Domain controller agent (DCA) cannot map IP to User


    Posted Dec 25, 2025 12:35 PM

    Hi all,

    I'm troubleshooting Symantec DLP Web Prevent user resolution using DCA (Domain Controller Agent).

    The DCA is installed on a separate server, connected to Active Directory/DCs. DCA is collecting logon events and I can verify the DCA successfully pulled IP → username mappings from the DCs:
    TRACE EnforceHttpsClient - POST EVENTS::: Read URL content: {"IpUserUpdatesReceived":[{"DC-ABCCOMPANY.COM":83}]} [EnforceHttpsClient.cpp(133)]
    INFO EnforceHttpsClient - POST EVENTS::: Completed Enforce request [EnforceHttpsClient.cpp(134)]
    TRACE EnforceHttpsClient - Parsed Enforce response: DC host: , DC-ABCCOMPANY.COM, query time: 0, number events: 83, error: [EnforceResponseParser.cpp(70)]
    INFO EnforceEventConsumer - Enforce received 83 events [EnforceEventConsumer.cpp(147)]

    On Enforce I can see the mapping is successfully updated to the database:
    INFO .com.vontu.enforce.domainlayer.userresolution.batch.BatchIpUserRecordsUpdater.insertUserRecords Inserting records for DC-ABCCOMPANY.COM. Number of records 20

    Issue:

    In Enforce, I see a Web incident where the incident contains IP A. In the DCA's log I can see the mapping of IP A to username B. However, in Enforce the incident does not resolve to username B. When I click Run Mapping Job in Enforce, no users get mapped for that incident / IP; the mapping starts and immediately finishes with the message "0 users mapped".

    Enforce Tomcat shows jobs running successfully (no errors), but mapping still doesn't happen:
    17:00:55.289 INFO ... IpResolutionPackage.runStoredProcedure JobID 1 returned with status: COMPLETED
    17:00:55.315 INFO ... IpUserMappingService.mapUserRecords ... Status COMPLETED
    17:00:55.694 INFO ... IpResolutionPackage.runStoredProcedure JobID 21 returned with status: COMPLETED
    17:00:55.714 INFO ... IpUserMappingService.purgeUserRecords ... Status COMPLETED

    Question:
    Even though the mapping job returns COMPLETED, what could cause Enforce not to resolve the incident IP to the username when DCA clearly has the mapping? Any recommended checks (proxy/NAT vs client IP, username format, time window/retention, DB tables to validate, etc.) would be appreciated.


