I am having some authentication issue. If I run Splunk command in the Command Prompt, I was able to logon as admin. However, when I tried to logon as admin through the web UI, it failed to authenticate. Also, I am not able to logon using my AD account neither. I tried resetting admin password and new password worked in Command Prompt, but not Web UI.
When I looked at the splunkd.log file, I noticed that it has always tried to forward the username (even admin) to LDAP server and then failed saying invalid username. I haven't changed LDAP settings or AD group name or reset the AD account used to bind LDAP (the account is not locked).
Any idea how to fix this issue?
Have you tried to force the use of Splunk's local authentication? You can do that using the "?loginType=splunk" after the "/login". Example: https://SPLUNK:8000/en-US/account/login?loginType=splunk
Maybe using this endpoint you will be able to login with your admin user.
I tried to force using local admin but it will just clear the username and password fields and nothing happened. If I enter the wrong password, then it said "invalid password". Any other clues? Could changing the NTFS permission on the Splunk caused this issue?
Sorry, I meant Splunk folder. There is a STIG setting that locks down the permission for Splunk folder.