Active Directory Authentication has stopped working for new users



We are currently running 4.1.4, using Active Directory authentication, and we're running into an issue where new users are unable to log in after being granted access to the appropriate Active Directory group for their role, which is tied to groups in Splunk.

I believe this issue may have originated after our install of 4.1.4 --- we did a fresh install and copied over the splunk.secret and authentication.conf file, but I removed the splunk.secret file to resolve a different issue and allowed the system to create a new one.

Could removing the splunk.secret and allow it to recreate have knocked the authentication.conf file out of synch? Users who had access to splunk before the fresh install (ie in 3.4.12) are still able to log in, so it seems the communication to the domain controller is working, but new authentications are not. NOTE: New users are showing up in the users list, they are just not able to log in.

Unfortunately, I am not privy to the account on the domain controllers used to pull in the authentication information, so I cannot enter it in without having to ping other users in the enterprise.

Thanks in advance.

Splunk Employee
Splunk Employee

Yes, changing splunk.secret will cause LDAP/AD auth configuration to stop working, as the hashed password for the bind DN is hashed using the splunk.secret. I actually have no idea how you are able to view lists of users or groups at all, unless your AD allows anonymous bind. (I have never seen an AD domain where this happens, though it's theoretically possible.)

Pretty much, you will have to re-enter the AD bind DN password.