- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Splunk CAC Authentication not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk CAC Authentication not working
Hello,
I am attempting to configure splunk to allow users to authenticate via CAC card using LDAP. However when I attempt to log in I get forwarded to a page that simply says "Unauthorized". This suggested to me that splunk is successfully reading my card, but rejecting my credentials for some reason.
Checking splunkd.log shows that whenever I attempt to log in i get the message "Account John D Johnson does not exist".
Looking in active directory users and computers the account splunk is searching for from the card does seem to not exist, however I'm able to log in to my computer with it, so it must exist in some capacity.
My thoughts are that splunk is searching for the account with a field that does not match the field it is looking for in AD. Is there any way to tell splunk what value it should be trying to match on the CAC card in AD?
I tried changing the values of userNameAttribute in authorize.conf but it seems to have had no affect. My config files are below.
authentication.conf
[authentication]
authSettings = xx
authType = LDAP
[xx]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = xx
bindDNpassword =xx
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=IT,OU=Groups,OU=RM,DC=xx,DC=xx,DC=xx
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = xx
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayname
sizelimit = 30000
timelimit = 30
userBaseDN = DC=xx,DC=xx,DC=xx
userNameAttribute = userprincipalname
#userBaseDN = DC=xx,DC=xx,DC=xx
#userNameAttribute = samaccountname
[roleMap_xx]
admin = xx SPLUNK Admins
isso normal user = xx SPLUNK isso Normal Users
operations normal user = xx SPLUNK Operations Normal Users
user = xx SPLUNK Admins
web.conf
[settings]
httpport = 8000
enableSplunkWebSSL = 1
requireClientCert = 1
sslRootCAPath = C:\Program Files\Splunk\etc\auth\safezone\combined_pivfirst.pem
enableCertBasedUserAuth = 1
SSOMode = permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod = commonname
privKeyPath = etc\auth\splunkweb\xx.key
serverCert = etc\auth\splunkweb\xx.pem
loginBackgroundImageOption = custom
loginCustomBackgroundImage = search:logincustombg/Warning_for_Official_Use_Only!.jpg
tools.sessions.timeout = 5
Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!
Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
