Data Loss Prevention


Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

  • 1.  Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

    Posted Sep 22, 2020 05:49 AM
    Edited by kpyap79 Sep 22, 2020 09:39 PM
    Hi All,

    We encountered a validation check error when creating a user after enabling AD authentication. Existing users have no issue logging into the Enforce console via AD authentication. It is just that creating a new user for AD authentication is hitting a validation check error. We have verified all values are provided correctly. In order to get around this, we have to disable AD authentication, add the user and then enable it back. Has anyone encountered the same issue before? Any hints will be greatly appreciated.


  • 2.  RE: Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

    Posted Sep 23, 2020 10:16 AM
    Symantec authentication is case sensitive, AD is not, check your names. Review your Manager logs: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\logs\debug\SymantecDLPManager.log (Windows) or /var/log/Symantec/DataLossPrevention/EnforceServer/15.7/debug/SymantecDLPManager.log (Linux). And you can use the kinit command to test user validity:

    kinit username

    If using secure LDAP communications, don't forget to import the LDAP server certificate into the Enforce server Java Truststore. If you need further troubleshooting assistance, I suggest uploading a Wireshark trace from when you are attempting to communicate with AD.

    Good luck,
    A.C




  • 3.  RE: Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

    Broadcom Employee
    Posted Sep 24, 2020 12:34 PM
    You might also look at https://knowledge.broadcom.com/external/article?articleId=174793 which suggests time mismatch between AD and Enforce can affect new user logins.

    ------------------------------
    Global Support Lead, DLP
    Broadcom, Symantec Enterprise Division
    ------------------------------



  • 4.  RE: Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

    Posted Sep 24, 2020 12:44 PM
    Very good point Stephen, I have seen that happening in the past; mismatch time was more than five minutes.
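
The time-mismatch check suggested in the two replies above, as an added example that is not part of the original thread or of Symantec DLP: it measures the clock offset between the Enforce host and a domain controller over SNTP and compares it with the Kerberos default tolerance of five minutes. It assumes the domain controller answers NTP on UDP/123; all function names and the sample reply are constructed for illustration.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 300        # Kerberos default clock-skew tolerance (five minutes)


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (two 32-bit halves) to Unix time."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def clock_offset(reply, t_sent, t_received):
    """Standard NTP offset ((T2 - T1) + (T3 - T4)) / 2 in seconds.

    Positive means the server (domain controller) is ahead of this host.
    """
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4:  # low three bits are the mode; 4 = server
        raise ValueError("not a server reply")
    # Bytes 32-39 hold the receive timestamp, bytes 40-47 the transmit timestamp.
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2, t3 = ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)
    return ((t2 - t_sent) + (t3 - t_received)) / 2


def skew_ok(offset, limit=MAX_SKEW_SECONDS):
    """True when the offset is within the Kerberos tolerance."""
    return abs(offset) <= limit


def query_offset(server, timeout=3.0):
    """Send one SNTP client request (version 3, mode 3) and return the offset."""
    request = b"\x1b" + 47 * b"\x00"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)


def build_sample_reply(server_time):
    """Constructed reply for offline testing: both timestamps set to server_time."""
    secs = int(server_time) + NTP_EPOCH_DELTA
    return b"\x1c" + 31 * b"\x00" + struct.pack("!4I", secs, 0, secs, 0)
```

On the Enforce server, `skew_ok(query_offset("dc.example.com"))` runs the live check, with the hostname being a placeholder for your own domain controller.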


  • 5.  RE: Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

    Posted Sep 25, 2020 12:59 AM
    Edited by kpyap79 Sep 28, 2020 01:20 AM
    Hi All,

    Thanks all for suggestions but there is no issue with existing users doing AD authentication to login to the Enforce DLP. It is just that we are unable to create new users after we enabled AD authentication in Enforce. Getting validation errors. We have verified all fields are populated correctly.

    thanks,
    Andrew




  • 6.  RE: Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

    Posted Sep 25, 2020 09:32 AM
    I misunderstood you, sorry about that. If you are using the default Administrator account (DLP maintenance account) to log into the Enforce Console, and having that issue, then there might be a bug. Collect logs and open a case with Broadcom and make sure to give them all the environmental conditions under which it can be reproduced. I have never seen this behavior and I have been installing a few DLP 15.7 MP1 ones with AD authentication this year.

    Good luck,
    A.C


  • 7.  RE: Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

    Posted Sep 27, 2020 09:37 PM
    Edited by kpyap79 Sep 28, 2020 01:21 AM
    Thanks A.C. We already got a case with Broadcom Support two months ago, provided all sorts of logs and escalated to the internal team and the Management. So far, they are still clueless.




  • 8.  RE: Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

    Posted Sep 28, 2020 12:03 PM
    Most of these GUI errors are related to DB issues. Make sure DB health is good, and enable JDBC logging to capture the query in failure. Follow this document: https://knowledge.broadcom.com/external/article/159781/enable-sql-query-jdbc-logging-in-dlp.html

    Good luck,
    A.C.


  • 9.  RE: Symantec DLP 15.5MP2: Validation check error when creating user after enabling AD authentication

    Posted Sep 28, 2020 10:14 PM
    Hi A.C,

    Thanks for the suggestion. We will try it out.

    thanks,
    Andrew