Thought I'd put together a quick writeup on how I got SSO working on Windows using IIS & Windows authentication. Many thanks to BrianW @ Splunk for helping with this.
This configuration works with Windows 2008 R2 hosting both Splunk 4.1.2 & IIS on the same server. ISAPI Rewrite3 (full version not lite) was installed per the Admin guide.
ISAPI Rewrite's httpd.conf
RewriteCond %{REMOTE_USER} .*\\([^\\]+)
RewriteHeader Remote-User: .* %1
RewriteBase /
RewriteProxy ^(.*)$ http://yoursplunk.domain.com:8000/$1 [NC,P]
server.conf
[general]
trustedIP = 127.0.0.1
web.conf
[settings]
trustedIP = <SPLUNK_IP_ADDRESS>
remoteUser = Remote-User
In my opinion there is a line missing in your configuration where you set the REMOTE_USER. Something like:
RewriteHeader REMOTE_USER: ^$ admin
Hi everyone,
I found the following article very helpful in setting up Microsoft IIS as a reverse proxy for Splunk.
#
# IIRF.INI for IONICS v2.1 ISAPI filter on IIS7 / W2K8
#
StatusInquiry ON
# extract user name from "DOMAIN\user" pattern
RewriteCond %{REMOTE_USER} .*\\([^\\]+)
# force REMOTE_USER to use backreference match from previous condition (*1)
# web.conf must have remoteUser = Remote-User
# check http://proxy/debug/sso to validate header is OK
#
RewriteHeader REMOTE_USER: ^$ *1
# match http host to the desired server name
RewriteCond %{HTTP_HOST} ^servername$ [I]
# proxy to actual server
ProxyPass ^/(.*) http://splunkserver:8000/$1
This filter doesn't work on IIS 7.5 under WinSrv2k8R2, right? This filter seemed perfect for my needs, but it's quite disappointing it doesn't run on IIS 7.5. I wonder if anybody has the same configurations for ARR and URL Rewrite on IIS, to use only Microsoft-provided tools...
I actually use IIS with ARR on both Windows 2008R2 and Windows 2012R2 with no problems using the Helicon ISAPI Filter.
Make sure you have the following installed:
a. Helicon ISAPI Rewrite (ISAPI_Rewrite3_0104_Lite_x64.msi)
b. Microsoft Web Deployment 2.1 (WebDeploy_2_10_amd64_en-us.msi)
c. Microsoft Web Platform 3.10 (WebPlatformInstaller_3_10_amd64.en-US.msi)
d. Microsoft Web Farm 2.0 (WebFarm2_x64.msi)
e. Microsoft External Cache (ExternalDiskCache_amd64_en-us.exe)
f. Microsoft URL Rewrite (rewrite_2.0_rtw_x64.msi)
g. Microsoft Application Request Router (requestRouter_x64.msi)
h. Microsoft C++ Redistribution (vcredist_x64.exe)
i. Microsoft C++ Redistribution SP1 (vcredist_x64sp1.exe)
Okay,
What is not working? I have created a SOP that is specific to my environment, but I am happy to share it with you. There is a link I posted on how to set up an ARR reverse proxy through IIS. The key is to install the models in the sequence listed above. After that, point IIS to the Splunk\bin folder, then ensure ISAPI_Filters have entries to the Helicon ISAPI models, then configure URL Re-write to turn on the proxy component of ARR.
My helicon httpd.conf looks like the following:
#Helicon ISAPI_Rewrite configuration file HTTPD.CONF
# Version 3.1.0.104
#
RewriteEngine on
RewriteLogLevel 0
LogLevel info
RewriteCond %{REMOTE_USER} .*\\([^\\]+)
RewriteHeader Remote-User: .* %1
RewriteBase /
RewriteProxy ^(.*)$
Lastly there is some tweaking in the \etc\system\web.conf to enable SSO.
HTH
Yeah, I am using helicon in my existing setups here. I was thinking if there's a way to do it without it or using only the Microsoft-provided modules, but it seems not.
I'll have to do the same with a Linux server running Apache in a few days, and I have no idea even where to start.
# CheckHttpHost.ini
#
# rewrite based on the HTTP_HOST used in the request.
#
# remember to rename this file to IsapiRewrite4.ini ,
# or copy this content to a file named IsapiRewrite4.ini
# before using it!
#
# Mon, 25 Sep 2006 15:42
#
RewriteEngine ON
UrlDecoding OFF
ProxyTimeouts - - - 0
StatusUrl /iirfStatus
RewriteLog c:\temp\iirfLog.out
RewriteLogLevel 1
CondSubstringBackrefFlag *
RewriteCond %{REMOTE_USER} ^$
RewriteCond %{CERT_SUBJECT} ^DC.*\((.*)\)$ [NC]
RewriteHeader REMOTE_USER: ^$ *1
#
# Direct SSO to Indexers (Optional)
#
RewriteCond %{HTTP_HOST} ^logview-(indexer_.*)\.csintra\.net$ [I]
ProxyPass /(.*) http://*1.domain.net:8000/$1
#
# SSO to local Search-Head
ProxyPass /(.*) http://localhost:8000/$1
# Searcher
ProxyPassReverse / http://localhost/
# Indexer ET
ProxyPassReverse / http://indexer_dev.domain.net/
# Indexer IT
ProxyPassReverse / http://indexer_it1.domain.net/
ProxyPassReverse / http://indexer_it1.domain.net/
# Indexer UAT
ProxyPassReverse / http://indexer_uat1.domain.net/
ProxyPassReverse / http://indexer_uat2.domain.net/
# .....
Hi Jens,
Thanks for the post... I'm using IONICS v2.1 and had to adapt some of the directives to our environment.
After a LOT of struggle, I managed to get this working.
Below, I will post my own INI file.
I hope it helps the next one that reads this 😉
Hi,
We're using Ionics Isapi Rewrite Filter (http://iirf.codeplex.com/) on W2K3 and IIS 6.
Works fine and it's free.
If someone is interested ...
Hi JensT,
Can you please paste your IIRF.INI file here?
Ionics ISAPI Filter does not support the RewriteProxy directive.
I'm looking into the documentation but knowing that you already have it working, it would be great to be able to validate this 😉
Thanks
In my opinion there is a line missing in your configuration where you set the REMOTE_USER. Something like:
RewriteHeader REMOTE_USER: ^$ admin
As I understand it, your example should set REMOTE_USER to admin for all users but even that doesn't work. No headers are added to the response.
I've made some progress though. If I add the 'A' option to the RewriteProxy line then ISAPI Rewrite adds the X-Isrw-Proxy-Remote-User header which almost gets me to the finish line.
The problem is that the header contains "DOMAIN\user" and Splunk's LDAP functionality creates users without the "DOMAIN\" prefix.
Looks like I'll have to figure out how to get RewriteHeader part working after all. I'll post an update when I figure it out.
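Added example (not from any poster in this thread): what the RewriteCond pattern used above, .*\\([^\\]+), captures for different REMOTE_USER shapes, and when it captures nothing so the header rewrite is skipped. It assumes Python's re module behaves like the filter's regex engine for this simple pattern; the sample values are constructed.

```python
import re
from typing import Optional

# Same pattern as the RewriteCond lines in the thread: greedy prefix, one
# literal backslash, then the trailing run of non-backslash characters.
REMOTE_USER_RE = re.compile(r".*\\([^\\]+)")


def short_name(remote_user: str) -> Optional[str]:
    """Return what the %1 / *1 backreference would hold, or None when the
    condition does not match (the RewriteHeader rule is then not applied)."""
    m = REMOTE_USER_RE.search(remote_user)
    return m.group(1) if m else None


# Constructed REMOTE_USER values, not taken from a real server.
SAMPLES = [
    "CORP\\jdoe",         # down-level logon name, the case the thread targets
    "CORP\\SUB\\jdoe",    # more than one backslash: greedy .* keeps the last part
    "jdoe@corp.example",  # UPN form: no backslash, so no match
    "jdoe",               # bare name: no match
    "",                   # anonymous request: no match
    "CORP\\",             # nothing after the backslash: no match
]


def report(samples=SAMPLES) -> dict:
    """Map each raw value to the short name the proxy would forward."""
    return {raw: short_name(raw) for raw in samples}


if __name__ == "__main__":
    for raw, name in report().items():
        print(f"{raw!r:22} -> {name!r}")
```

For every input that maps to None, the Remote-User header is not rewritten by this rule, so check http://proxy/debug/sso (mentioned in the IIRF.INI comments above) to see what Splunk actually receives for such requests.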