Failing to connect X-pack to AD LDS (ldap)

Hi,
We're trying to connect ES to an LDAP server, using AD LDS installed on Windows Server 2016.
We use ES 5.6.3 with X-Pack for the same version.
We have tried the following configurations in our elasticsearch.yml:

 xpack.security.authc:
  anonymous:
   username: _es_anonymous_user
   roles: superuser
   authz_exception: true
  realms:
   active_directory:
    type: active_directory
    order: 0
    url: "ldap://ldap-url:port"
    bind_dn: "DOMAIN\\user"
    domain_name: DOMAIN.com
    bind_password: "<Password>"
    group_search:
     base_dn: "dc=newadfs,dc=com"
    files:
     role_mapping: "<path>role_mapping.yml"

However, when we try to log in from Kibana (which is sending the proper username\password to ES) we get the following error in the ES output, and have no idea what is going wrong (we get error 49, which indicates a wrong user\password, but we can connect to the LDAP server using ldapsearch with the same credentials):

[2017-11-29T17:08:45,130][DEBUG][o.e.x.s.a.l.LdapRealm    ] [elastic] user [user1] not found in cache for realm [active_directory], proceeding with normal authentication
[2017-11-29T17:08:45,133][DEBUG][o.e.x.s.a.l.LdapRealm    ] [elastic] Exception occurred during authenticate for active_directory/active_directory
com.unboundid.ldap.sdk.LDAPBindException: 8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839
        at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1289) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at com.unboundid.ldap.sdk.LDAPConnectionPool.bindAndRevertAuthentication(LDAPConnectionPool.java:1531) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
        at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory$ADAuthenticator.authenticate(ActiveDirectorySessionFactory.java:312) ~[x-pack-5.6.3.jar:5.6.3]
        at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.getSessionWithPool(ActiveDirectorySessionFactory.java:131) ~[x-pack-5.6.3.jar:5.6.3]
        at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:101) ~[x-pack-5.6.3.jar:5.6.3]
        at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$0(LdapRealm.java:161) ~[x-pack-5.6.3.jar:5.6.3]
        at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:317) [x-pack-5.6.3.jar:5.6.3]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:638) [elasticsearch-5.6.3.jar:5.6.3]
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.6.3.jar:5.6.3]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_111]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_111]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]
[2017-11-29T17:08:45,134][WARN ][o.e.x.s.a.AuthenticationService] [elastic] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839', diagnosticMessage='8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839'))

Any ideas what we can do next to try and solve this issue?

Hi,

It looks like authentication fails for your bind user, not for user1, which you try to authenticate in Kibana.

Seeing that you have set

bind_dn: "DOMAIN\user"

in your configuration, it means that Elasticsearch will attempt to perform certain operations as that user.
Can you verify that the credentials of the bind user that you have set in the realm configuration are correct?

Thanks for responding.
Yes, it is the bind user failing (I've replaced the actual username with User1).
The credentials work fine when using ldapsearch from the command line, but I'm not sure how that maps to what X-Pack is doing to formulate the queries.

I think Ioannis has misinterpreted the error. It certainly looks like the problem is with user1.

What format are you using for that username?
The AD realm supports various forms with NetBIOS names, User Principal Names, etc., but they all work slightly differently (ah, the joy of AD).
In particular, if you are using a raw username (such as "user1") without any sort of domain name attached to it, then the domain_name setting in your config file must be correct and match the user principal.

Hi Tim,
Thanks for responding.
I'm not sure I understand your answer.

I tried to remove variables and try the minimal configuration that should work, so I have this:

 realms:
   active_directory:
    type: active_directory
    order: 0
    url: "ldap://my-server:51245"
    domain_name: myServer.com

(note - no bind_dn, which seems to be fine from the documentation)
myServer.com is defined in /etc/hosts, and I can ping there.

Trying to login with user1 results in:

[2017-12-06T17:17:21,151][DEBUG][o.e.x.s.a.l.LdapRealm    ] [vm-qa-elastic] user [User1] not found in cache for realm [active_directory], proceeding with normal authentication
[2017-12-06T17:17:21,154][DEBUG][o.e.x.s.a.l.LdapRealm    ] [vm-qa-elastic] Exception occurred during authenticate for active_directory/active_directory
     com.unboundid.ldap.sdk.LDAPBindException: 8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839
             at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2171) ~[unboundid-ldapsdk-3.2.0.jar:3.2.0]
             at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory$ADAuthenticator.authenticate(ActiveDirectorySessionFactory.java:277) ~[x-pack-5.6.3.jar:5.6.3]
             at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.lambda$getSessionWithoutPool$4(ActiveDirectorySessionFactory.java:141) ~[x-pack-5.6.3.jar:5.6.3]
             at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.getSessionWithoutPool(ActiveDirectorySessionFactory.java:150) ~[x-pack-5.6.3.jar:5.6.3]
             at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:103) ~[x-pack-5.6.3.jar:5.6.3]
             at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$0(LdapRealm.java:161) ~[x-pack-5.6.3.jar:5.6.3]
             at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:317) [x-pack-5.6.3.jar:5.6.3]
             at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:638) [elasticsearch-5.6.3.jar:5.6.3]
             at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.6.3.jar:5.6.3]
             at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_111]
             at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_111]
             at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]
     [2017-12-06T17:17:21,155][WARN ][o.e.x.s.a.AuthenticationService] [vm-qa-elastic] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839', diagnosticMessage='8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839'))

When I run ldapsearch I get the following result:

ldapsearch -x -h "vm-adfs-win16" -D "myServer\Administrator" -W -b "cn=User1, cn=users, dc=myServer, dc=com"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=User1, cn=users, dc=myServer, dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# User1, Users, myServer.com
dn: CN=User1,CN=Users,DC=myServer,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: User1
givenName: User1
distinguishedName: CN=User1,CN=Users,DC=myServer,DC=com
instanceType: 4
whenCreated: 20170831144812.0Z
whenChanged: 20171122161733.0Z
displayName: User1
uSNCreated: 31048
memberOf: CN=elkPoc,CN=Users,DC=myServer,DC=com
uSNChanged: 46786
name: User1
objectGUID:: o/NbXeiclEWdFwQHdwr9QQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131486647771588002
pwdLastSet: 131558410531272256
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA33X/gY5rls2wtjH+UAQAAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: User1
sAMAccountType: 805306368
userPrincipalName: User1@myServer.com
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=myServer,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131486647771588002

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Based on the specific error you're getting, I think this might actually be an AD configuration problem rather than an Elasticsearch one.

Can you verify that you can connect to your AD server as "User1" using the ldp.exe tool.
My guess is that this will fail with a similar error.
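A small triage helper, added by the editor and not part of this thread or of X-Pack: it pulls the realm, LDAP result code and the AD `data` field out of the AuthenticationService WARN lines shown above and decodes that field as the Win32 error it is (hex). The thread's `data 2030` is Win32 8240, ERROR_DS_NO_SUCH_OBJECT, which is not a wrong-password code and fits the suspicion of an AD-side configuration problem; the sample log lines below are constructed from the format on this page, and the 52e line is invented for contrast.

```python
import re

# Constructed sample, modelled on the WARN line format in the thread (not a captured production log).
SAMPLE_LOG = """\
[2017-11-29T17:08:45,134][WARN ][o.e.x.s.a.AuthenticationService] [elastic] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='8009030C: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 2030, v3839', diagnosticMessage='...'))
[2017-11-29T17:09:02,010][WARN ][o.e.x.s.a.AuthenticationService] [elastic] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v3839', diagnosticMessage='...'))
"""

# The "data NNN" field behind an LDAP result 49 is a Win32 error code in hex.
# Common codes AD / AD LDS return for a failed bind (only 52e means a bad password).
AD_BIND_DATA_CODES = {
    0x525: ("ERROR_NO_SUCH_USER", "user not found"),
    0x52E: ("ERROR_LOGON_FAILURE", "bad user name or password"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "not permitted to log on at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "not permitted to log on from this workstation"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "user must reset password"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
    0x2030: ("ERROR_DS_NO_SUCH_OBJECT", "directory object not found (domain or user the server tried to resolve)"),
}

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\[WARN \]\[o\.e\.x\.s\.a\.AuthenticationService\] \[(?P<node>[^\]]+)\] "
    r"Authentication to realm (?P<realm>\S+) failed .*?resultCode=(?P<rc>\d+) "
    r"\([^)]*\).*?comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)"
)

def decode_bind_failures(log_text):
    """Return one dict per X-Pack AD realm auth failure, with the AD data code decoded."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        code = int(m.group("data"), 16)
        name, meaning = AD_BIND_DATA_CODES.get(code, ("UNKNOWN", "see Win32 error code %d" % code))
        findings.append({
            "timestamp": m.group("ts"), "node": m.group("node"), "realm": m.group("realm"),
            "result_code": int(m.group("rc")), "data_hex": m.group("data").lower(),
            "win32_error": name, "meaning": meaning,
            "credential_problem": code == 0x52E,  # result 49 alone does not prove a bad password
        })
    return findings

if __name__ == "__main__":
    for f in decode_bind_failures(SAMPLE_LOG):
        print(f["timestamp"], f["realm"], f["data_hex"], f["win32_error"], "-", f["meaning"])
```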

Thanks for the reply.
I think I am able to connect using ldp.exe.

I'm not familiar with the tool, so here is what I did:

  1. connection -> bind (without "connect" first)
  2. put the credentials for user1 (User=User1, Domain=MYSERVER)
  3. got response:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='User1'; Pwd=; domain = 'MYSERVER'}
Authenticated as: 'MYSERVER\User1'.

I then tried to fiddle a bit with the X-Pack configuration to see if I can make it any more similar (so I changed the "domain_name" to be "MYSERVER" instead of "myServer.com") - still, I get the same exception.
