Multi-Realm Authentication Support

One of the ways DLP authenticates users is by querying the Active Directory servers configured in SmartConsole. If a legitimate user has multiple accounts on different AD servers, each account associated with a different password, the user may fail to authenticate. DLP validates the user according to the credentials supplied by the first AD server to respond. To help prevent this error, and decrease the load created by constantly querying all AD servers, you can define which AD servers DLP queries when:

A user enters credentials for the DLPportal or UserCheck agent
DLP looks up an email address extracted from SMTP traffic to identify a user

To define AD servers Using GuiDBedit:

Open GuiDBedit.
On the Tables tab, open Other > authentication_objects.
In the Object Name column, select DLPSenderRealm.
In the Field Name column, double-click the ldap_au container.
The Add/Edit Element window opens.
In the Object list, select only those servers DLP must query for authentication purposes.
On a network that contains ten AD servers, perhaps only two of them must be queried. Edit the list to include only the required AD servers.

Note - These AD servers must first be defined in SmartConsole.
Click OK.
Save the database and close GuiDBedit.
Install the updated policy on the DLP enabled gateway.

Troubleshooting DLP Related Authentication Issues

The Check Point database tool, GuiDBedit, has a number of properties that set default authentication values. These properties can be used in troubleshooting DLP related authentication issues. These objects are found under: GuiDBedit > Tables > Other > authentication_objects:

Object	Description
`DLPSenderRealm`	Controls authentication for the DLP portal and the UserCheck agent. This object contains: `Fetch_options > do_internal_fetch` True by default, meaning DLP does the email look up against user accounts in SmartConsole. `Fetch_options > do_ldap_fetch` True by default, meaning if DLP fails to identify the user through a user account in SmartConsole, it then queries the AD servers defined in the `ldap_au` container object. The `ldap_au` container holds objects that represent AD servers. Use `DLPSenderRealm` to solve authentication problems.
`dlp_ldap_auth_settings`	This object controls how DLP identifies users by querying the email address attribute in the Active Directory. Use this object to troubleshoot problems involving email look up in the Active directory. The `CustomLoginAttr` string lets you enter a custom LDAP query with a specified email address. The default query is: `\|(mail=<<>>)(proxyAddresses=smtp:<<>>)` By default, it searches for the user with the specified email address. To refine the query, you can add other AD attributes to the query or change existing ones. WARNING: Changing this default query might affect DLP rules that enforce a policy according to users or user groups defined by access roles. Known users may become Unknown and the data they send is allowed to leave the organization.
`dlp_internal_auth_settings`	This object controls how DLP identifies users by querying the email address attribute in the database of internal users defined in SmartConsole.

Object

Description

DLPSenderRealm

Controls authentication for the DLP portal and the UserCheck agent. This object contains:

Fetch_options > do_internal_fetch
True by default, meaning DLP does the email look up against user accounts in SmartConsole.
Fetch_options > do_ldap_fetch
True by default, meaning if DLP fails to identify the user through a user account in SmartConsole, it then queries the AD servers defined in the ldap_au container object.
The ldap_au container holds objects that represent AD servers.

Use DLPSenderRealm to solve authentication problems.

dlp_ldap_auth_settings

This object controls how DLP identifies users by querying the email address attribute in the Active Directory. Use this object to troubleshoot problems involving email look up in the Active directory.

The CustomLoginAttr string lets you enter a custom LDAP query with a specified email address. The default query is:

|(mail=<<>>)(proxyAddresses=smtp:<<>>)

By default, it searches for the user with the specified email address.

To refine the query, you can add other AD attributes to the query or change existing ones.

WARNING: Changing this default query might affect DLP rules that enforce a policy according to users or user groups defined by access roles. Known users may become Unknown and the data they send is allowed to leave the organization.

dlp_internal_auth_settings

This object controls how DLP identifies users by querying the email address attribute in the database of internal users defined in SmartConsole.