Authentication Issue

kchongMITRE · ‎06-19-2020

All,

I am having some authentication issue. If I run Splunk command in the Command Prompt, I was able to logon as admin. However, when I tried to logon as admin through the web UI, it failed to authenticate. Also, I am not able to logon using my AD account neither. I tried resetting admin password and new password worked in Command Prompt, but not Web UI.

When I looked at the splunkd.log file, I noticed that it has always tried to forward the username (even admin) to LDAP server and then failed saying invalid username. I haven't changed LDAP settings or AD group name or reset the AD account used to bind LDAP (the account is not locked).

Any idea how to fix this issue?

alonsocaio · ‎06-19-2020

Hi,

Have you tried to force the use of Splunk's local authentication? You can do that using the "?loginType=splunk" after the "/login". Example: https://SPLUNK:8000/en-US/account/login?loginType=splunk

Maybe using this endpoint you will be able to login with your admin user.

kchongMITRE · ‎06-22-2020

I tried to force using local admin but it will just clear the username and password fields and nothing happened. If I enter the wrong password, then it said "invalid password". Any other clues? Could changing the NTFS permission on the Splunk caused this issue?

kchongMITRE · ‎06-22-2020

Sorry, I meant Splunk folder. There is a STIG setting that locks down the permission for Splunk folder.

Authentication Issue

troubleshooting

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control