Splunk CAC Authentication not working
Hello,
I am attempting to configure Splunk to allow users to authenticate via CAC card using LDAP. However, when I attempt to log in I get forwarded to a page that simply says "Unauthorized". This suggested to me that Splunk is successfully reading my card, but rejecting my credentials for some reason.
Checking splunkd.log shows that whenever I attempt to log in I get the message "Account John D Johnson does not exist".
Looking in Active Directory Users and Computers, the account Splunk is searching for from the card does seem not to exist; however, I'm able to log in to my computer with it, so it must exist in some capacity.
My thoughts are that Splunk is searching for the account with a field that does not match the field it is looking for in AD. Is there any way to tell Splunk what value it should be trying to match on the CAC card in AD?
I tried changing the values of userNameAttribute in authorize.conf but it seems to have had no effect. My config files are below.
authentication.conf
[authentication]
authSettings = xx
authType = LDAP
[xx]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = xx
bindDNpassword = xx
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=IT,OU=Groups,OU=RM,DC=xx,DC=xx,DC=xx
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = xx
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayname
sizelimit = 30000
timelimit = 30
userBaseDN = DC=xx,DC=xx,DC=xx
userNameAttribute = userprincipalname
#userBaseDN = DC=xx,DC=xx,DC=xx
#userNameAttribute = samaccountname
[roleMap_xx]
admin = xx SPLUNK Admins
isso normal user = xx SPLUNK isso Normal Users
operations normal user = xx SPLUNK Operations Normal Users
user = xx SPLUNK Admins
web.conf
[settings]
httpport = 8000
enableSplunkWebSSL = 1
requireClientCert = 1
sslRootCAPath = C:\Program Files\Splunk\etc\auth\safezone\combined_pivfirst.pem
enableCertBasedUserAuth = 1
SSOMode = permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod = commonname
privKeyPath = etc\auth\splunkweb\xx.key
serverCert = etc\auth\splunkweb\xx.pem
loginBackgroundImageOption = custom
loginCustomBackgroundImage = search:logincustombg/Warning_for_Official_Use_Only!.jpg
tools.sessions.timeout = 5
So, there are two ways to do this CAC authentication: SAML or LDAP trusted methods. Before, I thought PKI was just one option, but SAML opens up another option.
I hope this helps: Configure single sign-on with SAML - Splunk Documentation
I just ran into the same issue. I upgraded to Splunk 9.2.1 and everything seemed to be working fine, and now I am unable to authenticate using a CAC card.
If you are Army you need to be on versions 9.0.10, 9.1.5, or 9.2.2. There was a bug that was fixed and pushed on 7/1/2024.
I am also having this issue. We are on Splunk 9.3.0. So for Army, is it not possible to use DoD CAC authentication with this version?
Anything above 9.2.2 will have the fix, so you should be fine with 9.3. What is the value you are using for userNameAttribute in authentication.conf?
userNameAttribute = samaccountname
The value for userNameAttribute needs to be userPrincipalName to match the value being extracted from the CAC.
OK, thanks, I will update that. What needs to be in the web.conf file to enable CAC login? I currently have:
[settings]
httpport = 8000
enableSplunkWebSSL = 1
tools.sessions.timeout = 15
requireClientCert = true
enableCertBasedUserAuth = true
SSOMode = permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod = commonname
allowSsoWithoutChangingServerConf = 1
privKeyPath = E:\SPLUNKent\etc\auth\mycerts\xx.key
serverCert = E:\SPLUNKent\etc\auth\mycerts\xx.pem
For web.conf, change the AuthMethod and add the PivOid list:
certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = 1.3.6.1.4.1.311.20.2.3, Microsoft Universal Principal Name
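The two settings the thread converges on (userNameAttribute = userPrincipalName in authentication.conf, certBasedUserAuthMethod = PIV with the UPN OID in web.conf) only work together because the UPN lives in the certificate's SubjectAltName otherName, not in the subject CN. The stdlib-only Python below is an added illustration, not Splunk's code or anything from this thread: it hand-builds such a SAN, extracts the UPN the way the PIV method does, and shows the OP's "account does not exist" outcome under commonname + samaccountname versus the working PIV + userprincipalname pairing. The SAN contents, the CN and the AD entry are constructed sample data; only the OID is from the thread.

```python
# Added illustration: identity a CAC cert yields under each Splunk certBasedUserAuthMethod
# and whether AD matches it on userNameAttribute. SAN blob, CN and AD entry are constructed.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft Universal Principal Name (quoted in the thread)

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder; short-form lengths only, enough for SAN-sized data."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)   # base-128 with continuation bits
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def der_walk(buf: bytes):
    """Yield (tag, body) for each TLV inside a constructed DER body."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length

# Constructed SubjectAltName: otherName(UPN) then rfc822Name, the shape a CAC carries.
SAN_DER = tlv(0x30, tlv(0xA0, encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, b"1234567890@mil")))
                  + tlv(0x81, b"john.d.johnson@example.mil"))
CERT_CN = "John D Johnson"  # subject CN, the value the OP saw in splunkd.log
AD_USERS = [{"samaccountname": "jjohnson", "userprincipalname": "1234567890@mil"}]  # constructed

def upn_from_san(san_der: bytes):
    """UPN from the SAN otherName, the value certBasedUserAuthMethod = PIV extracts."""
    _, general_names = next(der_walk(san_der))
    for tag, body in der_walk(general_names):
        if tag != 0xA0:                            # otherName is GeneralName [0]
            continue
        (_, oid_body), (_, explicit) = der_walk(body)
        if oid_body == encode_oid(UPN_OID)[2:]:    # compare OID contents, skipping tag+length
            return next(der_walk(explicit))[1].decode()   # [0] EXPLICIT wraps a UTF8String
    return None

def splunk_lookup(method: str, user_name_attribute: str, cn: str, san_der: bytes):
    """Identity taken from the cert, then matched against userNameAttribute in AD."""
    identity = cn if method == "commonname" else upn_from_san(san_der)
    attr = user_name_attribute.lower()  # LDAP attribute names are case-insensitive
    return next((u for u in AD_USERS if u.get(attr, "").lower() == (identity or "").lower()), None)
```

Running splunk_lookup("commonname", "samaccountname", ...) returns None, the OP's failure, while splunk_lookup("PIV", "userprincipalname", ...) returns the AD entry; the same check against a real card can be done by dumping its SAN with openssl and comparing the UPN to the directory attribute.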
I made those changes, and when I go to the webpage it prompts me for a PIN; then I get the following error after entering my CAC PIN:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>
There should be an error in splunkd when you get redirected to Unauthorized that states which user it was trying to log in as. Also, if you changed it from samaccountname to userprincipalname, you will have to modify it on the AD/ADFS side as well.
Since Splunk 6.x we have been using a proxy server (Apache) with Splunk to pass the user's CAC credentials to Splunk. Is it true that with 9.2.2, a proxy is no longer needed?
I'm also trying to implement CAC authentication following Configure Splunk Enterprise to use a common access card for authentication - Splunk Documentation and Configuring Splunk for Common Access Card (CAC) authentication - Splunk Lantern, but now getting the following error message: "This site can't be reached"
Currently the above fix is only for Microsoft ADFS, but it is possible using Okta and F5 using the SAML configuration with the prompt being on the IdP side. What is your IdP?
Adding this attribute to web.conf:
enableCertBasedUserAuth = true
generates the below proxy error:
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server
This error could be caused by a few things. Do you have an updated protocol? Do you have all the certs required? Are you actually routing through a proxy? Are there any more errors than that?