Security

SAML and logs flooded with warnings: AQR and authentication extensions not supported. Or authentication extensions is su

jmartens
Path Finder

We have enabled Microsoft SAML for Splunk and out splunkd.log seems to be flooded with warnings like this:

WARN UserManagerPro [7456 SchedulerThread] - AQR and authentication extensions not supported. Or authentication extensions is supported but is used for tokens only. user=nobody information not found in cache

Found a few threads on AQR:
https://community.splunk.com/t5/Monitoring-Splunk/What-is-quot-AQR-quot-and-why-is-it-throwing-warni...

https://community.splunk.com/t5/Security/How-do-you-resolve-splunk-log-error-messages-after-switchin...

Also the documentation on authentication.conf does not help me much. It seems the only way is to create a low level user (same as mentioned in the error) to suppress the error, which seems doable but I doubt this is the best way and unsure of side effects?

Does any of you know more? 

Labels (2)
Tags (1)
0 Karma

jmartens
Path Finder

@wwangsa_splunk Thanks very much for the update, but AFAICT the current release is already 9.3.0 Is it also incorporated in that branch?

0 Karma

wwangsa_splunk
Splunk Employee
Splunk Employee

Hi @jmartens , I just checked. Yes, for 9.3.x branch, the fix is in version 9.3.1. 

Hope it helps!

 

0 Karma

rbudini_splunk
Splunk Employee
Splunk Employee

Hi there, 

A  quick search of the Splunk Knowledge base find this article:

https://splunk.my.site.com/customer/s/article/AQR-errors-in-internals-logs

 

Workaround -
I. To find the orphaned Knowledge Objects -

1. Select Settings > All configurations.
2. Click Reassign Knowledge Objects.
3. Click Orphaned to filter out non-orphaned objects from the list.
4. After filtering out the Orphaned KO we have to reassign them to the active users.

II. Reassign knowledge objects to another owner -

1. For the knowledge object that you want to reassign, click Reassign in the Action column.
2. Click Select an owner and select the name of the person that you want to reassign the knowledge object to.
3. Click Save to save your changes.

0 Karma

jmartens
Path Finder

That is no relevant to my case since I have no orphaned knowledge base items. Just checked with the instruction from the knowledge base and even with all filters set to 'All' the list turns up empty.

0 Karma

cmezao
Engager

Hello,

Were you able to resolve this? I'm having the same issue.

Thanks.

0 Karma

jmartens
Path Finder

No, unfortunately not. It is bothering but can be worked around by using Splunk itself to analyze the logs and ignore that message at search time. 

This will show all messages w/o INFO and the before mentioned messages:

index="_internal" sourcetype=splunkd NOT INFO NOT "AQR and authentication extensions not supported. Or authentication extensions is supported but is used for tokens only"
0 Karma

jmartens
Path Finder

By now found out that creating the user `nobody` is not allowed by Splunk, it throws the following error when creating such a user:

Create user: The user="nobody" is reserved by the splunk system
0 Karma

wwangsa_splunk
Splunk Employee
Splunk Employee

Hi @jmartens ,

Very sorry for the inconvenience.

Engineering is aware of this (reference: SPL-258019). They have come up with a fix, which excludes the 2 internal users, 'nobody' and 'splunk-system', from the warning message.

The fix will most likely be added to the next 9.1.x version after 9.1.6 and the next 9.2.x version after 9.2.3, respectively. 

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...