
Splunk CAC Authentication not working

xwill13
Engager

Hello,

I am attempting to configure Splunk to allow users to authenticate via CAC card using LDAP. However, when I attempt to log in I get forwarded to a page that simply says "Unauthorized". This suggested to me that Splunk is successfully reading my card, but rejecting my credentials for some reason.

Checking splunkd.log shows that whenever I attempt to log in I get the message "Account John D Johnson does not exist".

Looking in Active Directory Users and Computers, the account Splunk is searching for from the card does seem not to exist; however, I'm able to log in to my computer with it, so it must exist in some capacity.

My thoughts are that Splunk is searching for the account with a field that does not match the field it is looking for in AD. Is there any way to tell Splunk what value it should be trying to match on the CAC card in AD?

I tried changing the values of userNameAttribute in authorize.conf but it seems to have had no effect. My config files are below.

authentication.conf

[authentication]
authSettings = xx
authType = LDAP

[xx]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = xx
bindDNpassword = xx
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=IT,OU=Groups,OU=RM,DC=xx,DC=xx,DC=xx
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = xx
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayname
sizelimit = 30000
timelimit = 30
userBaseDN = DC=xx,DC=xx,DC=xx
# attribute that the name extracted from the certificate is matched against
userNameAttribute = userprincipalname
# previously tried:
#userBaseDN = DC=xx,DC=xx,DC=xx
#userNameAttribute = samaccountname

[roleMap_xx]
admin = xx SPLUNK Admins
isso normal user = xx SPLUNK isso Normal Users
operations normal user = xx SPLUNK Operations Normal Users
user = xx SPLUNK Admins


web.conf

[settings]
httpport = 8000
enableSplunkWebSSL = 1
requireClientCert = 1
sslRootCAPath = C:\Program Files\Splunk\etc\auth\safezone\combined_pivfirst.pem
enableCertBasedUserAuth = 1
SSOMode = permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod = commonname
privKeyPath = etc\auth\splunkweb\xx.key
serverCert = etc\auth\splunkweb\xx.pem
loginBackgroundImageOption = custom
loginCustomBackgroundImage = search:logincustombg/Warning_for_Official_Use_Only!.jpg
tools.sessions.timeout = 5

youngsuh
Contributor

So, there are two ways to do this CAC authentication: SAML or LDAP trusted methods. Before, I thought PKI was just one option, but SAML opens up another option.

I hope this helps: Configure single sign-on with SAML - Splunk Documentation

mlousch
Loves-to-Learn Lots

I just ran into the same issue. I upgraded to Splunk 9.2.1 and everything seemed to be working fine, and now I am unable to authenticate using my CAC card.

cmcgee_splunk
Splunk Employee

If you are Army you need to be on versions 9.0.10, 9.1.5, or 9.2.2.

There was a bug that was fixed and pushed on 7/1/2024.

Ty_Rob
Loves-to-Learn Lots

I am also having this issue. We are on Splunk 9.3.0. So for Army it is not possible to use DoD CAC authentication with this version?

cmcgee_splunk
Splunk Employee

Anything above 9.2.2 will have the fix, so you should be fine with 9.3. What is the value you are using for userNameAttribute in authentication.conf?


Ty_Rob
Loves-to-Learn Lots

userNameAttribute = samaccountname


cmcgee_splunk
Splunk Employee

The value for userNameAttribute needs to be userPrincipalName to match the value being extracted from the CAC.

Ty_Rob
Loves-to-Learn Lots

OK, thanks, I will update that. What needs to be in the web.conf file to enable CAC login? I currently have:

[settings]
httpport = 8000
enableSplunkWebSSL = 1
tools.sessions.timeout = 15
requireClientCert = true
enableCertBasedUserAuth = true
SSOMode = permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod = commonname
allowSsoWithoutChangingServerConf = 1
privKeyPath = E:\SPLUNKent\etc\auth\mycerts\xx.key
serverCert = E:\SPLUNKent\etc\auth\mycerts\xx.pem

cmcgee_splunk
Splunk Employee

For web.conf
Change the AuthMethod, and add the PivOid list:

certBasedUserAuthMethod = PIV
# 1.3.6.1.4.1.311.20.2.3 is the Microsoft Universal Principal Name OID
certBasedUserAuthPivOidList = 1.3.6.1.4.1.311.20.2.3

Ty_Rob
Loves-to-Learn Lots

I made those changes and when I go to the webpage it prompts me for a PIN, then I get the following error after entering my CAC PIN:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>


cmcgee_splunk
Splunk Employee

There should be an error in splunkd when you get redirected to unauthorized that states what user it was trying to log in as. Also if you changed it from samaccountname to userprincipalname you will have to modify it on the AD/ADFS side as well.

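To make the mismatch described in the replies above concrete (userNameAttribute must be userPrincipalName, and the PIV method with the UPN OID must be used rather than commonname, or splunkd.log reports "Account ... does not exist"), here is an added example written for this page; it is not code from the thread, from Splunk, or from any poster. It assumes, as the replies state, that certBasedUserAuthMethod = commonname takes the certificate's Subject CN as the user name, that PIV walks certBasedUserAuthPivOidList and takes the matching otherName from the Subject Alternative Name extension, and that the resulting string is then searched in AD under userNameAttribute. The certificate fields (a CAC-style CN with the EDIPI appended, a UPN of EDIPI@domain), the example.mil domain, the AD entry, the "Mapped ..." success message and the splunkd.log-style failure message are all constructed sample data; the small DER encoder/decoder exists only so the SAN can be built and parsed offline without a real certificate.

```python
from typing import Optional

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name otherName OID

# ---- minimal DER helpers (short-form lengths only; enough for a SAN this size) ----
def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form DER length only"
    return bytes([tag, len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:                 # base-128 with the high bit set on all but the last byte
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_tlvs(buf: bytes):
    """Yield (tag, body) for each top-level TLV in buf."""
    off = 0
    while off < len(buf):
        tag, length = buf[off], buf[off + 1]
        yield tag, buf[off + 2: off + 2 + length]
        off += 2 + length

def build_san(upn: str, email: str) -> bytes:
    """Constructed SAN value: otherName{UPN OID, [0] UTF8String} plus an rfc822Name."""
    other_name = tlv(0xA0, encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode())))
    return tlv(0x30, other_name + tlv(0x81, email.encode("ascii")))

def san_other_names(san_der: bytes) -> dict:
    """Map otherName OID -> string value for every otherName in a SAN extension."""
    found = {}
    for tag, body in parse_tlvs(next(parse_tlvs(san_der))[1]):
        if tag == 0xA0:                 # GeneralName [0] is otherName; rfc822Name etc. are skipped
            (_, oid_body), (_, explicit) = list(parse_tlvs(body))[:2]
            found[decode_oid(oid_body)] = next(parse_tlvs(explicit))[1].decode("utf-8")
    return found

# ---- assumed behaviour of the two certBasedUserAuthMethod settings ----
def cert_username(cert: dict, web_conf: dict) -> Optional[str]:
    method = web_conf["certBasedUserAuthMethod"].lower()
    if method == "commonname":          # take the Subject CN as-is
        return cert["subject_cn"]
    if method == "piv":                 # first listed OID that has an otherName in the SAN
        names = san_other_names(cert["san_der"])
        for oid in web_conf["certBasedUserAuthPivOidList"].split(","):
            if oid.strip() in names:
                return names[oid.strip()]
        return None
    raise ValueError(f"unknown certBasedUserAuthMethod {method!r}")

# ---- constructed AD entry and a stand-in for Splunk's LDAP user search ----
AD_USERS = [{"sAMAccountName": "jdjohnson", "cn": "John D Johnson",
             "userPrincipalName": "1234567890@example.mil"}]

def ldap_lookup(username: str, user_name_attribute: str) -> Optional[dict]:
    for entry in AD_USERS:              # attribute names and AD values compare case-insensitively
        lowered = {k.lower(): v.lower() for k, v in entry.items()}
        if lowered.get(user_name_attribute.lower()) == username.lower():
            return entry
    return None

def resolve(cert: dict, web_conf: dict, auth_conf: dict) -> tuple:
    """Return (matched AD entry or None, a message in the style of the splunkd.log line)."""
    name = cert_username(cert, web_conf)
    if name is None:
        return None, "No otherName in the certificate matched certBasedUserAuthPivOidList"
    entry = ldap_lookup(name, auth_conf["userNameAttribute"])
    if entry is None:
        return None, f"Account {name} does not exist"
    return entry, f"Mapped {name} to {entry['sAMAccountName']} via {auth_conf['userNameAttribute']}"

# Constructed CAC-style certificate: the CN carries the EDIPI, the SAN UPN is EDIPI@domain
CAC_CERT = {"subject_cn": "JOHNSON.JOHN.D.1234567890",
            "san_der": build_san("1234567890@example.mil", "john.d.johnson@example.mil")}
SCENARIOS = {
    # original poster: CN extracted, searched under userPrincipalName
    "commonname+upn": ({"certBasedUserAuthMethod": "commonname"}, {"userNameAttribute": "userprincipalname"}),
    # Ty_Rob: CN extracted, searched under sAMAccountName
    "commonname+sam": ({"certBasedUserAuthMethod": "commonname"}, {"userNameAttribute": "samaccountname"}),
    # recommended: UPN taken from the SAN, searched under userPrincipalName
    "piv+upn": ({"certBasedUserAuthMethod": "PIV", "certBasedUserAuthPivOidList": UPN_OID},
                {"userNameAttribute": "userPrincipalName"}),
}

if __name__ == "__main__":
    for label, (web, auth) in SCENARIOS.items():
        print(f"{label}: {resolve(CAC_CERT, web, auth)[1]}")
```

Run as a script, the first two scenarios print "Account JOHNSON.JOHN.D.1234567890 does not exist" (the CN is never an AD login attribute, whichever userNameAttribute is tried), and only the PIV plus userPrincipalName combination resolves to the AD entry. To see the same two names on a real card, `openssl x509 -in cert.pem -noout -subject -ext subjectAltName` (OpenSSL 1.1.1 or later) prints the Subject CN and the SAN; the UPN appears as an othername entry, and it is that value, not the CN, that must exist as userPrincipalName in AD.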

computermathguy
Path Finder

Since Splunk 6.x we have been using a proxy server (Apache) with Splunk to pass the user's CAC credentials to Splunk. Is it true that with 9.2.2 a proxy is no longer needed?

I'm also trying to implement CAC authentication following Configure Splunk Enterprise to use a common access card for authentication - Splunk Documentation and Configuring Splunk for Common Access Card (CAC) authentication - Splunk Lantern, but am now getting the following error message: "This site can't be reached"

cmcgee_splunk
Splunk Employee

Currently the above fix is only for Microsoft ADFS, but it is possible using Okta and F5 using the SAML configuration with the prompt being on the IdP side. What is your IdP?


computermathguy
Path Finder

Adding this attribute

enableCertBasedUserAuth = true

to web.conf generates the below proxy error:

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server

cmcgee_splunk
Splunk Employee

This error could be caused by a few things, do you have updated protocol? Do you have all the certs required? Are you actually routing through a proxy? Are there any more errors than that?
