Data Protection (DLP) - Additional ICAP Authentication support for the Data Protection (DLP) ICAP Agent

Document ID : KB000021852
Last Modified Date : 14/02/2018


The CA DLP ICAP Agent parses an ICAP header to retrieve a user id that the Policy Engine (PE) can use to determine which policy to apply. In the General Availability (GA) release of CA DLP r12.5, the ICAP Agent is unable to determine policy for any user id format other than LDAP.



IMPORTANT: This article contains information about modifying the registry.

Before you modify the registry, make sure to back up the registry and ensure that you understand how to restore it if a problem occurs.

For more information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on


FIX: RO36933 adds support for additional ICAP authentication methods, which can be configured as necessary using the following registry key.


Key: HKEY_LOCAL_MACHINE\Software\ComputerAssociates\CA DLP\CurrentVersion\ICAP


Value: AuthenticatedUserType


This registry value specifies what type of user information is included in the AuthenticatedUserHeader x-header. Policy engines use this user type information to determine the user policy to use when processing the data. Supported values are "auto" (default), "DN", "user", and "SMTP".


Type: REG_SZ



With auto, the ICAP agent tries to detect the format automatically and extract the user information. The agent can detect distinguished names, domain\user names and SMTP email addresses.


The agent detects user information prefixed with any of the following Blue Coat ProxySG prefixes: LDAP, WinNT, and unknown.


For example:

LDAP:// Rimmel,CN=Users,DC=rimmel,DC=com




The agent also detects user information without the prefixes listed above. 

For example: Rimmel,CN=Users,DC=rimmel,DC=com
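
The format detection described above can be approximated offline to check which user formats a proxy actually sends before choosing an AuthenticatedUserType. This is an added example, not CA's code or the agent's real logic: the function names, the regular expressions, the "://" separator for WinNT and every sample value marked as constructed are assumptions.

```python
import re

# Prefixes the article lists for Blue Coat ProxySG. The "://" separator is taken
# from the article's LDAP:// and unknown:// examples; using it for WinNT is an assumption.
PREFIX_RE = re.compile(r"^(LDAP|WinNT|unknown)://", re.IGNORECASE)
# Heuristic patterns written for this example; escaped commas in DNs are not handled.
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,\s*[A-Za-z]+=[^,]+)+$")
DOMAIN_USER_RE = re.compile(r"^[^\\/@\s]+\\[^\\/@\s]+$")
SMTP_RE = re.compile(r"^[^@\s\\]+@[^@\s\\]+\.[^@\s\\]+$")


def classify_user_header(value):
    """Return (user_type, identity); user_type is "DN", "user", "SMTP" or None."""
    identity = PREFIX_RE.sub("", value.strip()).strip()
    for user_type, pattern in (("DN", DN_RE), ("user", DOMAIN_USER_RE), ("SMTP", SMTP_RE)):
        if pattern.match(identity):
            return user_type, identity
    return None, identity


def suggest_setting(values):
    """Return (suggested AuthenticatedUserType, values that matched no known format)."""
    results = [(classify_user_header(v)[0], v) for v in values]
    unmatched = [v for kind, v in results if kind is None]
    kinds = {kind for kind, _ in results if kind is not None}
    # One consistent format: use it. Otherwise stay on "auto", the documented default.
    setting = kinds.pop() if len(kinds) == 1 and not unmatched else "auto"
    return setting, unmatched


# Sample header values. The two DNs come from the article; the rest are constructed.
SAMPLES = [
    "unknown://CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com",
    "CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com",
    "WinNT://RIMMEL\\srimmel",        # constructed
    "srimmel@rimmel.example",         # constructed
    "anonymous",                      # constructed, matches no format
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_user_header(sample))
    print(suggest_setting(SAMPLES))
```

Values returned in the unmatched list are the ones to investigate, since a user id the agent cannot resolve cannot be mapped to the intended policy.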




DN is for Blue Coat ProxySG servers that use LDAP authentication. DN indicates that AuthenticatedUserHeader is populated with the user's DN entry in the LDAP directory.


For example:

LDAP:// Rimmel,CN=Users,DC=rimmel,DC=com Rimmel,CN=Users,DC=rimmel,DC=com

unknown://CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com

CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com



user is for Blue Coat ProxySG servers that populate the AuthenticatedUserHeader with prefixed 'domain\user' user credentials. The Blue Coat IWA and Windows SSO authentication methods generate these credentials.


For example:







SMTP is for Blue Coat ProxySG servers that populate the AuthenticatedUserHeader with prefixed SMTP email addresses. The Blue Coat Policy Substitution authentication method generates these addresses.


For example:



FIX: RO36933 is available to download from the CA Support Portal (