I'll have to try the ldap service account issue a little later, but I have a hard time believing that's my issue since I'm using the same service account for both old and new servers... but maybe. Question though, in your server certificate chain, and your private key file, does your private key stay: -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PRIVATE KEY----- I did confirm that if I bring my exported pfx file over to my old splunk 9.x server's bin folder, and run the openssl commands there to pull out the private key, I'm left with an RSA version of the private key. If I use that same pfx file into my splunk 10 server's bin folder and run the same commands, I'm left with a non-RSA version of the private key. I tried injecting both versions into my chain and private.pem files but neither way made any difference.  Still "cannot decrypt token" error. ... View more

ok, if you are on 9, I may just do that uninstall/reinstall.  I really don't want to but, it will rule that out as a factor at least. I don't think it's my middleware because from this same workstation, I and open a second tab in my browser and connect to our old splunk and it authenticates just fine.  I already emailed my Splunk support rep to ask if they have any known issues with CAC Auth on version 10, but my rep hasn't responded yet. My only other thought is something odd I noticed with the private key.  And maybe it's the version of openssl that's bundled with Splunk 10 causing this. When I do the process of pulling the private key, the last open ssl command creates a pem version that's non-password protected. On all of our old systems (including desktops with the forwarder installed and their private key is used there too), the start is: -----BEGIN RSA PRIVATE KEY----- But, when running the commands in this new Splunk 10 openssl, the resulting file just says: -----BEGIN PRIVATE KEY----- It doesn't specify "RSA".  I kind of doubt this is the problem but I'm going to pull my key over to the previous server to generate the private key there to see if the result is the same. ... View more

Same way I've created all of our servers.  I think I remember one of your posts earlier on saying that we didn't need the "Smart Card Logon" key usage.  We do have that on all of our certs because from day 1, 4 years ago,  I wasn't sure if it was needed or not, so I threw it on there.  I don't think it's hurting anything because both our production server and this new server have the usage ability.  I just removed the OID number from that OidList field and left only Microsoft Universal Principal Name, but it still doesn't work.   Question - is your software V 10? or still 9.x?  Since these new ones are virtual, I'm debating about taking a snapshot so I don't lose my progress, but then uninstalling 10 and going back to 9.x to see if it's a problem with the latest version. Also, is your installation on NIPR or, let's just say "Other"? The fact that my error message says "Cannot decrypt token" leads me to believe it's something wrong with my certs.  But they seem fine as far as I can tell.  They are issued by a different intermediate CA than our production system was, but I do have the proper updated chain in the CA cert pem file. ... View more

Did you ever get this to work?  I'm having a similar problem but mine is even more perplexing.  I have 2 Splunk servers that are already configured for MFA with smart card.  They are on the latest 9.x version.  I'm in the process of building new Splunk 10 servers, and I can't get those to auth with our smart card tokens. I've mimicked exactly all of our conf files the way they are on the existing working splunk servers.  I'm getting ready to pull my hair out.  As far as I can tell, AD Auth through LDAPS is working, because when I turn token based login off via web.conf file, I am able to authenticate in using active directory username/password. When I turn it back on and try again, here my errors: splunkd.log: SAN OtherName not found for configured OIDs in client certificate CertBasedUserAuth: error fetching username from client certificate audit.log: user=n/a, action=read_session_token, info=denied, reason="cannot decrypt token" My web.conf and server.conf files are exactly the same as my existing production system that works. web.conf is a little different than listed here though because I have: certBasedUserAuthMethod = PIV certBasedUserAuthPivOidList = 1.3.6.1.4.1.311.20.2.3, Microsoft Universal Principal Name I don't know why my audit.log says it can't decrypt my token.  All of my certs for the system are brand new and procedures for creating their public/private .pem files have been followed. I haven't even installed any AV software on this new build yet because I didn't want anything interfering with the troubleshooting. If anyone has any suggestions on where else to look, that would be great!  I need to take these old servers offline but I can't until the new one is configured and working. ... View more

I do not believe this is an applicable "answer". The question looks like it's in reference to NIST control number UA-6(8) which requires auditing of COMMANDS (as in typed commands in command prompt or power shell). The link this answer provides is the general auditing of EVENTS that can be turned on/off via group policy. What we are looking for the the ability to audit actual command line actions being entered. I heard rumor of this being a registry setting that can be changed to add commands to windows auditing. But haven't been able to find specifics ... View more