About partom24

partom24 · ‎02-17-2026

Thank you kindly for the response and tagging me! Sadly, I don't think this helps my specific situation as we are a single server instance. I am speaking to my team to see if it is worth standing up an additional server in the meantime.

partom24 · ‎02-06-2026

Same issue here. We only have a single server, behind several layers of fire walls and no outside connectivity. I've searched all the logs for anything referencing serverclasses or errors and am turning up empty handed.

partom24 · ‎09-12-2025

I did finally get this working, all the configs in the original post are still what we are using today. The only update I did was set a service principal name for the account used to do the LDAP lookup. Steps below: In an elevated cmd/powershell: setspn -S http/splunk.server.domain domain\ldapaccount In Active Directory: - View the properties for the LDAP Account and go to the Delegation Tab - Ensure its set to: Trust this user for delegation to any service (Kerberos only) {{This is the option we selected}} OR Trust this user for delegation to specified services only and then supply the services as required Restart the Splunk service(s) as necessary

partom24 · ‎09-12-2025

I am not using 8443, we changed it to 443 since its the only service on the server. I do have the other items in those conf sections, I just assumed they would already be there, so I only supplied the items specifically found that were need for CAC Based Auth to work. For reference this is what i have server.conf [sslConfig] serverCert = $SPLUNK_HOME\etc\auth\server.pem sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem sslPassword = <encrtypted password> sslVersions = tls1.2 # CAC Based Login sslVerifyServerCert = true sslVerifyServerName = true enableSplunkdSSL = true requireClientCert = false server.conf [general] serverName = splunkServer pass4SymmKey = <encrypted password> # CAC Based Login trustedIP = 127.0.0.1 web.conf: [settings] enableSplunkWebSSL = 1 httpport = 443 serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem privKeyPath = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_key.pem sslPassword = <encrypted password> sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem sslVersions = tls1.2 #CAC Based Login Stuff requireClientCert = true enableCertBasedUserAuth = true SSOMode = permissive trustedIP = 127.0.0.1 certBasedUserAuthMethod = PIV certBasedUserAuthPivOidList = Microsoft Universal Principal Name allowSsoWithoutChangingServerConf = 1

partom24 · ‎09-12-2025

Yes, the certs were created using the NPE portal and then later converted to PEM using the openSSL package contained in Splunk

partom24 · ‎09-12-2025

I did get this to work finally just a few weeks ago. The BLUF reason is the account used to do the LDAP queries did not have an SPN setup that allowed Kerberos delegation to happen. To accomplish this I did the following: In an elevated cmd/powershell prompt setspn -S http/splunkserver.domain domain\ldapaccountname In Active Directory: Open the account properties and go to the delegation tab, ensure it is either set to trust for any service (Kerberos only), or trust for specified services and configured appropriately. I selected to trust for any service. In web.conf under [Settings]: requireClientCert = true enableCertBasedUserAuth = true SSOMode = permissive trustedIP = 127.0.0.1 certBasedUserAuthMethod = PIV certBasedUserAuthPivOidList = Microsoft Universal Principal Name allowSsoWithoutChangingServerConf = 1 in server.conf under [sslConfig]: sslVerifyServerCert = true sslVerifyServerName = true enableSplunkdSSL = true requireClientCert = false in authentication.conf under the section named for your LDAP strategy: SSLEnabled = 1 anonymous_referrals = 0 bindDN = CN=Account,OU=OU,OU=OU,DC=DC,DC=DC,DC=DC bindDNpassword = <encrypted password> charset = utf8 emailAttribute = mail enableRangeRetrieval = 0 groupBaseDN = OU=Groups,DC=DC,DC=DC,DC=DC groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = server.domain nestedGroups = 0 network_timeout = 20 pagelimit = -1 port = 636 realNameAttribute = cn sizelimit = 1000 timelimit = 15 userBaseDN = OU=Accounts,DC=DC,DC=DC,DC=DC userNameAttribute = userprincipalname in authentication.conf under [authentication]: authSettings = [name of your LDAP strategy] authType=LDAP

partom24 · ‎09-29-2023

Hello All! Trying to set up CAC Based Auth for SPLUNK 9.1.1 on Windows Server 2022 for the first time. I have successfully setup LDAP and am able to sign into Splunk using an AD username/password without any issues. When I add in the requiredClientCert, enableCertBasedAuth and certBasedUserAuthMethod stanzas, and attempt to access the Splunk GUI, all users are immediately greeted with an 'Unauthorized' message. I've been fighting this for about a week now, and Splunk support hasn't been able to help me pin this down yet. Any assistance would be greatly appreciated. I've ensured TLS 1.2 registry keys exist in SCHANNEL to Enable TLS 1.2. Corresponding logs from splunkd.log for the logon attempt are: 09-29-2023 09:02:43.191 -0400 INFO AuthenticationProviderLDAP [12404 TcpChannelThread] - Could not find user=" \x84\x07\xd8\xb6\x05" with strategy="123_LDAP" 09-29-2023 09:02:43.192 -0400 ERROR HTTPAuthManager [12404 TcpChannelThread] - SSO failed - User does not exist: \x84\x07\xd8\xb6\x05 09-29-2023 09:02:43.192 -0400 ERROR UiAuth [12404 TcpChannelThread] - user= \x84\x07\xd8\xb6\x05 action=login status=failure reason=sso-failed useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" clientip=<ip> 09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - SAN OtherName not found for configured OIDs in client certificate 09-29-2023 09:03:10.247 -0400 ERROR UiAuth [12404 TcpChannelThread] - CertBasedUserAuth: error fetching username from client certificate authentication.conf: [splunk_auth] minPasswordLength = 8 minPasswordUppercase = 0 minPasswordLowercase = 0 minPasswordSpecial = 0 minPasswordDigit = 0 [authentication] authSettings = 123_LDAP authType = LDAP [123_LDAP] SSLEnabled = 1 anonymous_referrals = 0 bindDN = CN=<Account>,OU=Service Accounts,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL bindDNpassword = <removed> charset = utf8 emailAttribute = mail enableRangeRetrieval = 0 groupBaseDN = OU=SPLUNK Groups,OU=Groups,DC=<command>,DC=NAVY,DC=MIL groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = DC.<Command>.NAVY.MIL nestedGroups = 1 network_timeout = 20 pagelimit = -1 port = 636 realNameAttribute = displayName sizelimit = 1000 timelimit = 15 userBaseDN = OU=Users,OU=<Command Accounts>,DC=<Command>,DC=NAVY,DC=MIL userNameAttribute = userprincipalname [roleMap_LDAP] admin = SPLUNK AUDITOR can_delete = SPLUNK AUDITOR network = SPLUNK NETWORK user = SPLUNK AUDITOR;SPLUNK USERS web.conf [settings] enableSplunkWebSSL = true privKeyPath = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_key.pem serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem sslPassword = <removed> requireClientCert = true sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem enableCertBasedUserAuth=true SSOMode=permissive trustedIP = 127.0.0.1 certBasedUserAuthMethod=PIV server.conf [sslConfig] enableSplunkdSSL = true sslRootCAPath = $SPLUNK_HOME\etc\auth\dodCerts\DoDRootCA3.pem serverCert = $SPLUNK_HOME\etc\auth\dodCerts\splunk2_server.pem sslPassword = <removed> cliVerifyServerName = true sslVersions = tls1.2 sslVerifyServerCert = true [general] serverName = SPKVSPLUNK2 pass4SymmKey = <removed> trustedIP = 127.0.0.1

Posts	8
Solutions	0
Karma Given	1
Karma Received	2
Member Since	‎09-29-2023

Online Status	Offline
Date Last Visited	‎02-17-2026 05:06 AM

Splunk CAC Based Authentication

Re: After upgrade 10.0 to 10.2.0, Forwarder Manage...

Re: After upgrade 10.0 to 10.2.0, Forwarder Manage...

Re: Splunk CAC Based Authentication

Re: Splunk CAC Based Authentication

Re: Splunk CAC Based Authentication

Re: Splunk CAC Based Authentication

Splunk CAC Based Authentication

Join the Conversation