Deployment Architecture

Problem: contract employees can't use our domain where Splunk is. Proposed solution: New search head in secondary domain connected to current Splunk instance. Thoughts?

New Member

We are only allowed to use AD accounts when accessing Splunk, but in our PCI DSS environment some users are not allowed to have accounts by policy due to either being contractors or due to age restrictions.

Is it at all possible to have another search head in another domain, but connected to same Splunk instance we already have? This way the search head will be in the domain where our users are etc.

I am just thinking how we can grant access to Splunk if the users cannot have AD accounts in the same domain as Splunk and we cannot use trusts etc.

0 Karma

Splunk Employee

Hey @geoppspl7, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma

Splunk Employee

Yes, there is no problem configuring a second search head that uses a different authentication provider and a different set of authorization policies to use against your existing indexing tier. All authentication/authorization enforcement happens on the search head.


@geoppspl7 - Please make sure you understand the reasoning behind the policy before you attempt to circumvent it in this way. While it is technically feasible, there's a disconnect in the policy itself.

As you describe it, and assuming there is no reason to prevent your contractors from accessing Splunk, when everyone else in the AD group can access it, then the AD group appears to be being used for some other access authority as well as Splunk. (This is not best practice. Access should be segregated by usage, and access should always be granted granularly based on need and assigned organizational authority.)

If so, then that duplicate authority attached to a single AD group is the root of the issue you are running up against. Has your organization somehow opened Splunk up to everybody in a particular domain, regardless of whether the employee has a business need?

If so, it seems you are trying to create a workaround for a security plug, when the plug itself is obscuring a larger security hole.

Investigate the underlying philosophy, and act accordingly (but politely). Nobody wants to be the next Equifax.

0 Karma
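
A sketch of what the second search head described in the answer above could carry, as an added example that is not part of the original thread or of Splunk's documentation. Every host name, DN, group, role and index name is a constructed placeholder; the setting names are those of Splunk's authentication.conf, authorize.conf and distsearch.conf.

```ini
# --- authentication.conf on the NEW search head (secondary domain) ---
[authentication]
authType = LDAP
authSettings = contractor_domain

# LDAP strategy pointing at the secondary domain's directory (placeholder values)
[contractor_domain]
host = dc01.contractors.example.net
port = 636
SSLEnabled = 1
bindDN = CN=svc-splunk-bind,OU=Service,DC=contractors,DC=example,DC=net
# bindDNpassword is also required; left out of this example
userBaseDN = OU=Users,DC=contractors,DC=example,DC=net
userNameAttribute = sAMAccountName
realNameAttribute = displayName
groupBaseDN = OU=Groups,DC=contractors,DC=example,DC=net
groupNameAttribute = cn
groupMemberAttribute = member

# Only members of this one directory group receive a role on this search head
[roleMap_contractor_domain]
contractor_readonly = Splunk-Contractors

# --- authorize.conf on the NEW search head ---
# No importRoles, so nothing is inherited from the built-in roles.
# Enforcement happens on the search head, so this role definition is the
# access boundary: the indexers answer whatever this search head asks for.
[role_contractor_readonly]
search = enabled
srchIndexesAllowed = contractor_app
srchIndexesDefault = contractor_app

# --- distsearch.conf on the NEW search head ---
# Peers are normally added through Splunk Web or `splunk add search-server`,
# which also establishes trust with each indexer; shown here for reference.
[distributedSearch]
servers = https://idx01.corp.example.com:8089,https://idx02.corp.example.com:8089
```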