topic Re: Splunk CAC Authentication not working in Security

Splunk CAC Authentication not working

xwill13 — Thu, 13 Apr 2023 17:08:00 GMT

Hello,

I am attempting to configure splunk to allow users to authenticate via CAC card using LDAP. However when I attempt to log in I get forwarded to a page that simply says "Unauthorized". This suggested to me that splunk is successfully reading my card, but rejecting my credentials for some reason.

Checking splunkd.log shows that whenever I attempt to log in i get the message "Account John D Johnson does not exist".

Looking in active directory users and computers the account splunk is searching for from the card does seem to not exist, however I'm able to log in to my computer with it, so it must exist in some capacity.

My thoughts are that splunk is searching for the account with a field that does not match the field it is looking for in AD. Is there any way to tell splunk what value it should be trying to match on the CAC card in AD?

I tried changing the values of userNameAttribute in authorize.conf but it seems to have had no affect. My config files are below.

authentication.conf

[authentication] authSettings = xx authType = LDAP [xx] SSLEnabled = 1 anonymous_referrals = 1 bindDN = xx bindDNpassword =xx charset = utf8 emailAttribute = mail enableRangeRetrieval = 0 groupBaseDN = OU=IT,OU=Groups,OU=RM,DC=xx,DC=xx,DC=xx groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = xx nestedGroups = 0 network_timeout = 20 pagelimit = -1 port = 636 realNameAttribute = displayname sizelimit = 30000 timelimit = 30 userBaseDN = DC=xx,DC=xx,DC=xx userNameAttribute = userprincipalname #userBaseDN = DC=xx,DC=xx,DC=xx #userNameAttribute = samaccountname [roleMap_xx] admin = xx SPLUNK Admins isso normal user = xx SPLUNK isso Normal Users operations normal user = xx SPLUNK Operations Normal Users user = xx SPLUNK Admins

web.conf

[settings] httpport = 8000 enableSplunkWebSSL = 1 requireClientCert = 1 sslRootCAPath = C:\Program Files\Splunk\etc\auth\safezone\combined_pivfirst.pem enableCertBasedUserAuth = 1 SSOMode = permissive trustedIP = 127.0.0.1 certBasedUserAuthMethod = commonname privKeyPath = etc\auth\splunkweb\xx.key serverCert = etc\auth\splunkweb\xx.pem loginBackgroundImageOption = custom loginCustomBackgroundImage = search:logincustombg/Warning_for_Official_Use_Only!.jpg tools.sessions.timeout = 5

Re: Splunk CAC Authentication not working

youngsuh — Wed, 11 Sep 2024 22:36:03 GMT

So, there is two ways to do this CAC authentication. SAML or LDAP trusted methods. Before, I thought PKI was just one option but, SAML open up another option.

I hope this helps: Configure single sign-on with SAML - Splunk Documentation

Re: Splunk CAC Authentication not working

mlousch — Wed, 26 Jun 2024 14:48:10 GMT

I just ran into the same issue. I upgraded to splunk 9.2.1 and everything seemed to be working fine, and now I am unable to authenticate using cac card

Re: Splunk CAC Authentication not working

cmcgee_splunk — Tue, 20 Aug 2024 22:12:27 GMT

If you are Army you need to be on versions

9.0.10, 9.1.5, or 9.2.2

There was a bug that was fixed and pushed on 7/1/2024

Re: Splunk CAC Authentication not working

Ty_Rob — Wed, 11 Sep 2024 19:07:28 GMT

I am also having this issue. We are on Splunk 9.3.0 So for Army it is not possible to use DoD CAC authentication with this version?

Re: Splunk CAC Authentication not working

cmcgee_splunk — Wed, 11 Sep 2024 19:11:48 GMT

Anything above 9.2.2 will have the fix, so you should be fine with 9.3. What is the value you are using for userNameAttribute in authentication.conf?

Re: Splunk CAC Authentication not working

Ty_Rob — Wed, 11 Sep 2024 19:20:10 GMT

userNameAttribute = samaccountname

Re: Splunk CAC Authentication not working

cmcgee_splunk — Wed, 11 Sep 2024 19:34:36 GMT

The value for userNameAttribute needs to be userPrincipalName to match the value being extracted from the CAC

Re: Splunk CAC Authentication not working

Ty_Rob — Wed, 11 Sep 2024 23:32:34 GMT

Ok thanks I will update that. What needs to be in the web.conf file to enable CAC login I currently have

[settings] httpport = 8000 enableSplunkWebSSL = 1 tools.sessions.timeout = 15 requireClientCert = true enableCertBasedUserAuth = true SSOMode = permissive trustedIP = 127.0.0.1 certBasedUserAuthMethod = commonname allowSsoWithoutChangingServerConf = 1 privKeyPath = E:\SPLUNKent\etc\auth\mycerts\xx.key serverCert = E:\SPLUNKent\etc\auth\mycerts\xx.pem

Re: Splunk CAC Authentication not working

cmcgee_splunk — Wed, 11 Sep 2024 20:57:23 GMT

For web.conf
Change the AuthMethod, and add the PivOid list

certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = 1.3.6.1.4.1.311.20.2.3, Microsoft Universal Principal Name

Re: Splunk CAC Authentication not working

computermathguy — Thu, 12 Sep 2024 14:12:04 GMT

Since Splunk 6.x we have been using a proxy server (Apache) with Splunk to pass the user's CAC credentials to Splunk. Is it true that with 9.2.2, a proxy is no longer needed?

I'm also trying to implement CAC authentication following Configure Splunk Enterprise to use a common access card for authentication - Splunk Documentation and Configuring Splunk for Common Access Card (CAC) authentication - Splunk Lantern, but now getting the following error message: "This site can't be reached"

Re: Splunk CAC Authentication not working

cmcgee_splunk — Thu, 12 Sep 2024 14:17:28 GMT

Currently the above fix is only for Microsoft ADFS, but it is possible using Okta and F5 using the SAML configuration with the prompt being on the IdP side. What is your IdP?

Re: Splunk CAC Authentication not working

Ty_Rob — Thu, 12 Sep 2024 15:57:06 GMT

I made those changes and when I go to the webpage it prompts me for a pin then I get the following error after entering my cac pin:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>

Re: Splunk CAC Authentication not working

computermathguy — Thu, 12 Sep 2024 20:48:07 GMT

Adding this attribute
enableCertBasedUserAuth = true \

to web.conf, generates the below proxy error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server

Re: Splunk CAC Authentication not working

cmcgee_splunk — Mon, 23 Sep 2024 23:04:28 GMT

There should be an error in splunkd when you get redirected to unauthorized that states what user it was trying to log in as. Also if you changed it from samaccountname to userprincipalname you will have to modify it on the AD/ADFS side as well.

Re: Splunk CAC Authentication not working

cmcgee_splunk — Mon, 23 Sep 2024 23:07:34 GMT

This error could be caused by a few things, do you have updated protocol? Do you have all the certs required? Are you actually routing through a proxy? Are there any more errors than that?

Re: Splunk CAC Authentication not working

jnoose — Thu, 24 Apr 2025 19:50:08 GMT

♪♫♬ And they say that a hero could saaaaaaave us

I'm not gonna stand here and waaaaaaaait ♪♫♬

Re: Splunk CAC Authentication not working

computermathguy — Thu, 24 Apr 2025 20:29:36 GMT

Sorry for the late response. We opted to stay with using Apache as an SSL proxy to pass the user's credentials to Splunk.

Re: Splunk CAC Authentication not working

youngsuh — Wed, 24 Sep 2025 15:44:24 GMT

Just documenting a mental note for myself and others navigating CAC enablement:

After working through the options, things are much clearer now. There are multiple paths to integrate CAC authentication, each with trade-offs:

SAML via CAC – This is the most straightforward and scalable option. It requires F5 configuration as a SAML Service Provider and integrates cleanly with enterprise IdPs like Microsoft Entra ID. It simplifies certificate validation and user mapping.
LDAP/AD via CAC – Also requires F5, but involves deeper complexity: LDAP schema alignment, altsecid mapping, and certificate parsing. It’s more effort-intensive and better suited for legacy environments.
Header-Based SSO via F5 + LDAP – F5 handles CAC auth and injects headers based on LDAP attributes. Useful for apps that don’t support SAML or OAuth directly.
Direct Smart Card Logon to Windows Domain – Enables CAC-based workstation or domain logon. Requires registry tweaks and trusted CA enforcement. Best for tightly controlled on-prem environments.
Hybrid Models – Some environments combine SAML for web apps and LDAP for legacy systems, using F5 to bridge both. This adds flexibility but increases configuration overhead.

If you're starting fresh or aiming for simplicity, SAML via CAC is the cleanest and most future-proof path, especially in environments already using F5 and federated identity.

Hope this helps others exploring CAC integration—especially in Zero Trust-aligned architectures.