Splunk CAC Authentication not working

xwill13 · ‎04-13-2023

Hello,

I am attempting to configure splunk to allow users to authenticate via CAC card using LDAP. However when I attempt to log in I get forwarded to a page that simply says "Unauthorized". This suggested to me that splunk is successfully reading my card, but rejecting my credentials for some reason.

Checking splunkd.log shows that whenever I attempt to log in i get the message "Account John D Johnson does not exist".

Looking in active directory users and computers the account splunk is searching for from the card does seem to not exist, however I'm able to log in to my computer with it, so it must exist in some capacity.

My thoughts are that splunk is searching for the account with a field that does not match the field it is looking for in AD. Is there any way to tell splunk what value it should be trying to match on the CAC card in AD?

I tried changing the values of userNameAttribute in authorize.conf but it seems to have had no affect. My config files are below.

authentication.conf

[authentication]
authSettings = xx
authType = LDAP

[xx]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = xx
bindDNpassword =xx
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=IT,OU=Groups,OU=RM,DC=xx,DC=xx,DC=xx
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = xx
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayname
sizelimit = 30000
timelimit = 30
userBaseDN = DC=xx,DC=xx,DC=xx
userNameAttribute = userprincipalname
#userBaseDN = DC=xx,DC=xx,DC=xx
#userNameAttribute = samaccountname

[roleMap_xx]
admin = xx SPLUNK Admins
isso normal user = xx SPLUNK isso Normal Users
operations normal user = xx SPLUNK Operations Normal Users
user = xx SPLUNK Admins

web.conf

[settings]
httpport = 8000
enableSplunkWebSSL = 1
requireClientCert = 1
sslRootCAPath = C:\Program Files\Splunk\etc\auth\safezone\combined_pivfirst.pem
enableCertBasedUserAuth = 1
SSOMode = permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod = commonname
privKeyPath = etc\auth\splunkweb\xx.key
serverCert = etc\auth\splunkweb\xx.pem
loginBackgroundImageOption = custom
loginCustomBackgroundImage = search:logincustombg/Warning_for_Official_Use_Only!.jpg
tools.sessions.timeout = 5

youngsuh · ‎06-14-2024

So, there is two ways to do this CAC authentication. SAML or LDAP trusted methods. Before, I thought PKI was just one option but, SAML open up another option.

I hope this helps: Configure single sign-on with SAML - Splunk Documentation

mlousch · ‎06-26-2024

I just ran into the same issue. I upgraded to splunk 9.2.1 and everything seemed to be working fine, and now I am unable to authenticate using cac card

cmcgee_splunk

If you are Army you need to be on versions

9.0.10, 9.1.5, or 9.2.2

There was a bug that was fixed and pushed on 7/1/2024

Ty_Rob

I am also having this issue. We are on Splunk 9.3.0 So for Army it is not possible to use DoD CAC authentication with this version?

cmcgee_splunk

Anything above 9.2.2 will have the fix, so you should be fine with 9.3. What is the value you are using for userNameAttribute in authentication.conf?

Ty_Rob

userNameAttribute = samaccountname

cmcgee_splunk

The value for userNameAttribute needs to be userPrincipalName to match the value being extracted from the CAC

Ty_Rob

Ok thanks I will update that. What needs to be in the web.conf file to enable CAC login I currently have

[settings]
httpport = 8000
enableSplunkWebSSL = 1
tools.sessions.timeout = 15
requireClientCert = true

enableCertBasedUserAuth = true

SSOMode = permissive

trustedIP = 127.0.0.1

certBasedUserAuthMethod = commonname

allowSsoWithoutChangingServerConf = 1

privKeyPath = E:\SPLUNKent\etc\auth\mycerts\xx.key
serverCert = E:\SPLUNKent\etc\auth\mycerts\xx.pem

cmcgee_splunk

For web.conf
Change the AuthMethod, and add the PivOid list

certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = 1.3.6.1.4.1.311.20.2.3, Microsoft Universal Principal Name

Ty_Rob

I made those changes and when I go to the webpage it prompts me for a pin then I get the following error after entering my cac pin:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>

computermathguy

Since Splunk 6.x we have been using a proxy server (Apache) with Splunk to pass the user's CAC credentials to Splunk. Is it true that with 9.2.2, a proxy is no longer needed?

I'm also trying to implement CAC authentication following Configure Splunk Enterprise to use a common access card for authentication - Splunk Documentation and Configuring Splunk for Common Access Card (CAC) authentication - Splunk Lantern, but now getting the following error message: "This site can't be reached"

cmcgee_splunk

Currently the above fix is only for Microsoft ADFS, but it is possible using Okta and F5 using the SAML configuration with the prompt being on the IdP side. What is your IdP?

computermathguy

Adding this attribute
enableCertBasedUserAuth = true \

to web.conf, generates the below proxy error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server

Splunk CAC Authentication not working

access control

LDAP

SAML

SSO

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

Splunk Smartness with Brandon Sternfield | Episode 3