Security

Splunk CAC Based Authentication

partom24
Observer

Hello All!

Trying to set up CAC Based Auth for SPLUNK 9.1.1 on Windows Server 2022 for the first time. I have successfully setup LDAP and am able to sign into Splunk using an AD username/password without any issues. When I add in the requiredClientCert, enableCertBasedAuth and certBasedUserAuthMethod stanzas, and attempt to access the Splunk GUI, all users are immediately greeted with an 'Unauthorized' message. I've been fighting this for about a week now, and Splunk support hasn't been able to help me pin this down yet. Any assistance would be greatly appreciated.

I've ensured TLS 1.2 registry keys exist in SCHANNEL to Enable TLS 1.2.

Corresponding logs from splunkd.log for the logon attempt are:

 

09-29-2023 09:02:43.191 -0400 INFO  AuthenticationProviderLDAP [12404 TcpChannelThread] - Could not find user=" \x84\x07\xd8\xb6\x05" with strategy="123_LDAP"
09-29-2023 09:02:43.192 -0400 ERROR HTTPAuthManager [12404 TcpChannelThread] - SSO failed - User does not exist:  \x84\x07\xd8\xb6\x05
09-29-2023 09:02:43.192 -0400 ERROR UiAuth [12404 TcpChannelThread] - user= \x84\x07\xd8\xb6\x05 action=login status=failure reason=sso-failed useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" clientip=<ip>
09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - SAN OtherName not found for configured OIDs in client certificate
09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - CertBasedUserAuth: error fetching username from client certificate

 

authentication.conf:

 

[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[authentication]
authSettings = 123_LDAP
authType = LDAP

[123_LDAP]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=<Account>,OU=Service Accounts,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL
bindDNpassword = <removed>
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=SPLUNK Groups,OU=Groups,DC=<command>,DC=NAVY,DC=MIL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = DC.<Command>.NAVY.MIL
nestedGroups = 1
network_timeout = 20
pagelimit = -1
port = 636
realNameAttribute = displayName
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL
userNameAttribute = userprincipalname

[roleMap_LDAP]
admin = SPLUNK AUDITOR
can_delete = SPLUNK AUDITOR
network = SPLUNK NETWORK
user = SPLUNK AUDITOR;SPLUNK USERS

 

web.conf

 

[settings]
enableSplunkWebSSL = true
privKeyPath = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_key.pem
serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem
sslPassword = <removed>
requireClientCert = true
sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem
enableCertBasedUserAuth=true
SSOMode=permissive
trustedIP = 127.0.0.1
certBasedUserAuthMethod=PIV

 

server.conf

 

[sslConfig]
enableSplunkdSSL = true
sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem
serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem
sslPassword = <removed>
cliVerifyServerName = true
sslVersions = tls1.2
sslVerifyServerCert = true

[general]
serverName = SPKVSPLUNK2
pass4SymmKey = <removed>
trustedIP = 127.0.0.1

 

 

 

 

 

 

Labels (3)
0 Karma

jencot01
Loves-to-Learn Lots

I'm not sure if anyone has found the exact problem in your situation, but looks like you may missing the attribute certBasedUserAuthPivOidList.  I do see errors for OID not found in client cert.  The default value is Microsoft Universal Principal Name, but you may need to change it.  Or try changing certBasedUserAuthMethod from PIV to EDIPI.    Hope this helps.

 

0 Karma

MattD
Observer

Did you get this figured out? We are currently fighting the same issue.

0 Karma

mdmorgan
New Member

Were you able to find any resolution to this?

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...