Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk CAC Authentication not working

xwill13
Engager
‎04-13-2023 10:08 AM

Hello,

 

I am attempting to configure splunk to allow users to authenticate via CAC card using LDAP. However when I attempt to log in I get forwarded to a page that simply says "Unauthorized". This suggested to me that splunk is successfully reading my card, but rejecting my credentials for some reason. 

Checking splunkd.log shows that whenever I attempt to log in i get the message "Account John D Johnson does not exist". 

 

Looking in active directory users and computers the account splunk is searching for from the card does seem to not exist, however I'm able to log in to my computer with it, so it must exist in some capacity.

 

My thoughts are that splunk is searching for the account with a field that does not match the field it is looking for in AD. Is there any way to tell splunk what value it should be trying to match on the CAC card in AD?

 

I tried changing the values of userNameAttribute in authorize.conf but it seems to have had no affect. My config files are below.

authentication.conf

[authentication]
authSettings = xx
authType = LDAP

[xx]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = xx
bindDNpassword =xx
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=IT,OU=Groups,OU=RM,DC=xx,DC=xx,DC=xx
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = xx
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayname
sizelimit = 30000
timelimit = 30
userBaseDN = DC=xx,DC=xx,DC=xx
userNameAttribute = userprincipalname
#userBaseDN = DC=xx,DC=xx,DC=xx
#userNameAttribute = samaccountname

[roleMap_xx]
admin = xx SPLUNK Admins
isso normal user = xx SPLUNK isso Normal Users
operations normal user = xx SPLUNK Operations Normal Users
user = xx SPLUNK Admins

 

web.conf

[settings]
httpport = 8000
enableSplunkWebSSL = 1
requireClientCert = 1
sslRootCAPath = C:\Program Files\Splunk\etc\auth\safezone\combined_pivfirst.pem
enableCertBasedUserAuth = 1
SSOMode = permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod = commonname
privKeyPath = etc\auth\splunkweb\xx.key
serverCert = etc\auth\splunkweb\xx.pem
loginBackgroundImageOption = custom
loginCustomBackgroundImage = search:logincustombg/Warning_for_Official_Use_Only!.jpg
tools.sessions.timeout = 5
Labels (4)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...