Setting up SSO on Windows

erga00
Path Finder

Thought I'd put together a quick writeup on how I got SSO working on Windows using IIS & Windows Authentication. Many thanks to BrianW @ Splunk for helping with this.

This configuration works with Windows 2008 R2 hosting both Splunk 4.1.2 & IIS on the same server. ISAPI Rewrite3 (full version not lite) was installed per the Admin guide.

  1. Set up integrated authentication
    • Install Windows Authentication role service for IIS
    • Enable Windows Authentication in IIS Manager
      • Settings are within Authentication either at server, site or folder level
  2. Set up ISAPI Rewrite (see config file below)
  3. Enable Splunk SSO (see server.conf & web.conf below)
  4. Restart Splunk

ISAPI Rewrite's httpd.conf

RewriteCond %{REMOTE_USER} .*\\([^\\]+)
RewriteHeader Remote-User: .* %1
RewriteBase /
RewriteProxy ^(.*)$ http://yoursplunk.domain.com:8000/$1 [NC,P]

server.conf

[general]
trustedIP = 127.0.0.1

web.conf

[settings]
trustedIP = <SPLUNK_IP_ADDRESS>
remoteUser = Remote-User

andrewbeeber
Explorer

Hi everyone,

I found the following article very helpful in setting up Microsoft IIS as a reverse proxy for Splunk.

http://blogs.msdn.com/b/chiranth/archive/2014/08/03/application-request-routing-part-2-reverse-proxy...

ruiaires
Path Finder

#
# IIRF.INI for IONICS v2.1 ISAPI filter on IIS7 / W2K8
#

StatusInquiry ON

# extract user name from "DOMAIN\user" pattern
RewriteCond %{REMOTE_USER} .*\\([^\\]+)

# force REMOTE_USER to use backreference match from previous condition (*1)
# web.conf must have remoteUser = Remote-User
# check http://proxy/debug/sso to validate header is OK
#
RewriteHeader REMOTE_USER: ^$ *1

# match http host to the desired server name
RewriteCond %{HTTP_HOST} ^servername$  [I]

# proxy to actual server
ProxyPass ^/(.*) http://splunkserver:8000/$1

GeoffExxon
New Member

This filter doesn't work on IIS 7.5 under WinSrv2k8R2, right? This filter seemed perfect for my needs, but it's quite disappointing it doesn't run on IIS 7.5. I wonder if anybody has the same configurations for ARR and URL Rewrite on IIS, to use only Microsoft-provided tools...

0 Karma

andrewbeeber
Explorer

I actually use IIS with ARR on both Windows 2008R2 and Windows 2012R2 with no problems using the Helicon ISAPI Filter.

Make sure you have the following installed:
a. Helicon ISAPI Rewrite (ISAPI_Rewrite3_0104_Lite_x64.msi)
b. Microsoft Web Deployment 2.1 (WebDeploy_2_10_amd64_en-us.msi)
c. Microsoft Web Platform 3.10 (WebPlatformInstaller_3_10_amd64.en-US.msi)
d. Microsoft Web Farm 2.0 (WebFarm2_x64.msi)
e. Microsoft External Cache (ExternalDiskCache_amd64_en-us.exe)
f. Microsoft URL Rewrite (rewrite_2.0_rtw_x64.msi)
g. Microsoft Application Request Router (requestRouter_x64.msi)
h. Microsoft C++ Redistribution (vcredist_x64.exe)
i. Microsoft C++ Redistribution SP1 (vcredist_x64sp1.exe)

0 Karma

andrewbeeber
Explorer

Okay,
What is not working? I have created a SOP that is specific to my environment, but I am happy to share it with you. There is a link I posted on how to set up an ARR reverse proxy through IIS. The key is to install the modules in the sequence listed above. After that point IIS to the Splunk\bin folder, then ensure ISAPI_Filters have entries to the Helicon ISAPI modules, then configure URL Re-write to turn on the proxy component of ARR.

My helicon httpd.conf looks like the following:
# Helicon ISAPI_Rewrite configuration file HTTPD.CONF
# Version 3.1.0.104
#
RewriteEngine on
RewriteLogLevel 0
LogLevel info
RewriteCond %{REMOTE_USER} .*\\([^\\]+)
RewriteHeader Remote-User: .* %1
RewriteBase /
RewriteProxy ^(.*)$ [NC,P]

Lastly there is some tweaking in the \etc\system\web.conf to enable SSO.

HTH

0 Karma

GeoffExxon
New Member

Yeah, I am using helicon in my existing setups here. I was thinking if there's a way to do it without it or using only the Microsoft-provided modules, but it seems not.

I'll have to do the same with a Linux server running Apache in a few days, and I have no idea even where to start.

0 Karma

JensT
Communicator

# CheckHttpHost.ini
#
# rewrite based on the HTTP_HOST used in the request.
#
# remember to rename this file to IsapiRewrite4.ini ,
# or copy this content to a file named IsapiRewrite4.ini
# before using it!
#
# Mon, 25 Sep 2006  15:42
#

RewriteEngine ON
UrlDecoding OFF
ProxyTimeouts - - - 0

StatusUrl /iirfStatus

RewriteLog  c:\temp\iirfLog.out
RewriteLogLevel 1
CondSubstringBackrefFlag *

RewriteCond %{REMOTE_USER} ^$
RewriteCond %{CERT_SUBJECT} ^DC.*\((.*)\)$ [NC]
RewriteHeader REMOTE_USER: ^$ *1

#
# Direct SSO to Indexers (Optional)
#
RewriteCond %{HTTP_HOST}   ^logview-(indexer_.*)\.csintra\.net$  [I]
ProxyPass /(.*) http://*1.domain.net:8000/$1

#
# SSO to local Search-Head
ProxyPass /(.*) http://localhost:8000/$1

# Searcher
ProxyPassReverse / http://localhost/

# Indexer ET
ProxyPassReverse / http://indexer_dev.domain.net/

# Indexer IT
ProxyPassReverse / http://indexer_it1.domain.net/
ProxyPassReverse / http://indexer_it1.domain.net/

# Indexer UAT
ProxyPassReverse / http://indexer_uat1.domain.net/
ProxyPassReverse / http://indexer_uat2.domain.net/

# .....

ruiaires
Path Finder

Hi Jens,

Thanks for the post... I'm using IONICS v2.1 and had to adapt some of the directives to our environment.

After a LOT of struggle, I managed to get this working.
Below, I will post my own INI file.

I hope it helps the next one that reads this 😉

0 Karma

JensT
Communicator

Hi,

We're using Ionics Isapi Rewrite Filter (http://iirf.codeplex.com/) on W2K3 and IIS 6.
Works fine and it's free.

If someone is interested ...

- Jens

ruiaires
Path Finder

Hi JensT,

Can you please paste your IIRF.INI file here?

Ionics ISAPI Filter does not support the RewriteProxy directive.

I'm looking into the documentation but knowing that you already have it working, it would be great to be able to validate this 😉

Thanks

0 Karma

graber_cs
Engager

In my opinion there is a line missing in your configuration where you set the REMOTE_USER. Something like:

RewriteHeader REMOTE_USER: ^$ admin
0 Karma

erga00
Path Finder

As I understand it, your example should set REMOTE_USER to admin for all users but even that doesn't work. No headers are added to the response.

I've made some progress though. If I add the 'A' option to the RewriteProxy line then ISAPI Rewrite adds the X-Isrw-Proxy-Remote-User header which almost gets me to the finish line.

The problem is that the header contains "DOMAIN\user" and Splunk's LDAP functionality creates users without the "DOMAIN\" prefix.

Looks like I'll have to figure out how to get RewriteHeader part working after all. I'll post an update when I figure it out.

0 Karma
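
An added example (not part of any post in this thread, and not Splunk or Helicon code): a Python check that applies the first post's RewriteCond pattern to sample REMOTE_USER values, showing the "DOMAIN\" prefix from the last post being stripped, and validates the trustedIP and remoteUser settings from the posted server.conf and web.conf. The function names, the sample values and treating each trustedIP as a single literal IP address are assumptions made here.

```python
import configparser
import ipaddress
import re

# RewriteCond pattern from the first post's httpd.conf; group 1 is what %1 expands to.
REMOTE_USER_RE = re.compile(r".*\\([^\\]+)")

def forwarded_user(remote_user):
    """Name the rule writes into Remote-User, or None when the RewriteCond
    does not match, the rule is skipped and the proxy sets no header."""
    m = REMOTE_USER_RE.match(remote_user)
    return m.group(1) if m else None

def _read(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case as written
    cp.read_string(text)
    return cp

def check_sso(server_conf, web_conf, header="Remote-User"):
    """Findings for the two stanzas the thread edits (empty list = consistent)."""
    findings = []
    for name, text, stanza in (("server.conf", server_conf, "general"),
                               ("web.conf", web_conf, "settings")):
        value = _read(text).get(stanza, "trustedIP", fallback="").strip()
        try:
            ipaddress.ip_address(value)       # assumption: one literal address
        except ValueError:
            findings.append(f"{name}: trustedIP {value!r} is not a literal IP address")
    remote = _read(web_conf).get("settings", "remoteUser", fallback="").strip()
    if remote.lower() != header.lower():      # HTTP header names ignore case
        findings.append(f"web.conf: remoteUser {remote!r} != proxy header {header!r}")
    return findings

# Constructed samples: the configs as posted, placeholder left unfilled.
SERVER_CONF = "[general]\ntrustedIP = 127.0.0.1\n"
WEB_CONF = "[settings]\ntrustedIP = <SPLUNK_IP_ADDRESS>\nremoteUser = Remote-User\n"

if __name__ == "__main__":
    for raw in (r"DOMAIN\user", "user@corp.example", ""):   # constructed REMOTE_USER values
        print(repr(raw), "->", forwarded_user(raw))
    print(check_sso(SERVER_CONF, WEB_CONF))
```

A None result means the pattern did not match (a UPN-style name or an empty REMOTE_USER), so the proxy would not be setting the header for that request.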