3 login attempts to login x-pack security for active directory

Hello.

I would like to get help with configuration for active directory authentication for x-pack security.

I was able to log in to kibana via active directory authentication, however, it took 3 login attempts. I checked the elasticsearch log file and saw the errors below. I am not sure if this is the root cause of why it took three attempts, but I would like to start from here.

Since the log was too long, I have added only a portion of it.

Error log

[2017-04-22T17:19:13,179][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com]
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to resolve address 'ForestDnsZones.example.com':  
....
Caused by: java.net.UnknownHostException: ForestDnsZones.example.com: Name or service not known
...
[2017-04-22T17:19:38,369][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com]
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to resolve address 'DomainDnsZones.example.com':  
.....
Caused by: java.net.UnknownHostException: DomainDnsZones.example.com: Name or service not known
...
[2017-04-22T17:19:43,371][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://example.com/CN=Configuration,DC=example,DC=com]
...
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to establish a connection to server example.com/93.184.216.34:389 within the configured timeout of 5000 milliseconds.')
...
Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to establish a connection to server example.com/93.184.216.34:389 within the configured timeout of 5000 milliseconds.
        at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:235) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:161) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
        ... 9 more
[2017-04-22T17:19:51,854][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com]
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to resolve address 'ForestDnsZones.example.com':  
....
Caused by: java.net.UnknownHostException: ForestDnsZones.example.com: Name or service not known
...

[2017-04-22T17:20:16,878][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com]
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to resolve address 'DomainDnsZones.example.com':  
...
Caused by: java.net.UnknownHostException: DomainDnsZones.example.com: Name or service not known
...

[2017-04-22T17:20:21,880][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://example.com/CN=Configuration,DC=example,DC=com]
com.unboundid.ldap.sdk.LDAPException: 
...
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to establish a connection to server example.com/93.184.216.34:389 within the configured timeout of 5000 milliseconds.')
...  

Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to establish a connection to server example.com/93.184.216.34:389 within the configured timeout of 5000 milliseconds.
        at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:235) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:161) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860) ~[?:?]
        ... 9 more

My environment is

kibana 5.3.0
elasticsearch 5.3.0
x-pack 5.3.0

And authenticating against,
Windows server 2012 R2 Datacenter

Why is x-pack security accessing hosts that are not defined anywhere?

ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
ldap://example.com/CN=Configuration,DC=example,DC=com

It looks like if I enable the option below, the login process goes smoothly.

follow_referrals

Does this option need to be set to true in the first place?

I think you mean disable the option? Following referrals by default is done to ensure we can retrieve items located in more complex structures and the errors you see are common with active directory environments that have not registered those names in DNS. Active Directory is returning those referrals and we are simply following them to ensure we get all of the information.
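As an added example (not from the original post, and not Elastic's code), here is a small Python script that runs over log lines modeled on the WARN entries quoted above and answers the two questions a practitioner asks before touching follow_referrals: which names did the domain controller refer us to, and did each one fail because the node could not resolve the name (UnknownHostException) or because the connection timed out (resultCode=91). The sample log is constructed from the quoted lines, the referral URL format is assumed to be the standard ldap://host[:port]/baseDN form seen in the log, and hostnames come back lowercased by urllib.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample modeled on the WARN lines quoted in the post (not the poster's full log).
SAMPLE_LOG = """\
[2017-04-22T17:19:13,179][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com]
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to resolve address 'ForestDnsZones.example.com':
Caused by: java.net.UnknownHostException: ForestDnsZones.example.com: Name or service not known
[2017-04-22T17:19:38,369][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com]
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to resolve address 'DomainDnsZones.example.com':
Caused by: java.net.UnknownHostException: DomainDnsZones.example.com: Name or service not known
[2017-04-22T17:19:43,371][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://example.com/CN=Configuration,DC=example,DC=com]
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to establish a connection to server example.com/93.184.216.34:389 within the configured timeout of 5000 milliseconds.')
Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to establish a connection to server example.com/93.184.216.34:389 within the configured timeout of 5000 milliseconds.
[2017-04-22T17:19:51,854][WARN ][o.e.x.s.a.l.s.LdapUtils  ] caught exception while trying to follow referral [ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com]
Caused by: java.net.UnknownHostException: ForestDnsZones.example.com: Name or service not known
"""

REFERRAL_RE = re.compile(r"trying to follow referral \[(ldaps?://[^\]]+)\]")
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\]")
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def classify_cause(line):
    """Map a 'Caused by:' line to the failure mode it reports."""
    if "UnknownHostException" in line:
        return "dns"          # the referral target name does not resolve
    if "resultCode=91" in line or "connect error" in line:
        return "connect"      # name resolved, but no LDAP listener reachable in time
    return None


def summarize_referrals(log_text):
    """Return {(host, port, base_dn): {"dns": n, "connect": n, "other": n}} counted per referral."""
    entries = []  # [key, cause] in log order; cause is filled in by the following 'Caused by:' lines
    for line in log_text.splitlines():
        m = REFERRAL_RE.search(line)
        if m:
            u = urlsplit(m.group(1))
            key = (u.hostname, u.port or DEFAULT_PORTS.get(u.scheme, 389), u.path.lstrip("/"))
            entries.append([key, None])
        elif entries and line.startswith("Caused by:"):
            c = classify_cause(line)
            # UnknownHostException is the most specific cause; otherwise keep the first recognised one
            if c == "dns" or (c is not None and entries[-1][1] is None):
                entries[-1][1] = c
    summary = {}
    for key, cause in entries:
        counts = summary.setdefault(key, {"dns": 0, "connect": 0, "other": 0})
        counts[cause or "other"] += 1
    return summary


def unresolvable_hosts(summary):
    """Names AD referred us to that this node's resolver does not know (register them, or stop following)."""
    return sorted({host for (host, _, _), c in summary.items() if c["dns"]})


def unreachable_hosts(summary):
    """host:port pairs that resolved but did not accept an LDAP connection within the timeout."""
    return sorted({f"{host}:{port}" for (host, port, _), c in summary.items() if c["connect"]})


def referral_span_seconds(log_text):
    """Seconds between the first and last referral warning: a rough lower bound on the stall per login."""
    stamps = []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        if ts and REFERRAL_RE.search(line):
            stamps.append(datetime.strptime(ts.group(1), "%Y-%m-%dT%H:%M:%S,%f"))
    if len(stamps) < 2:
        return 0.0
    return (max(stamps) - min(stamps)).total_seconds()


if __name__ == "__main__":
    s = summarize_referrals(SAMPLE_LOG)
    for (host, port, base), counts in s.items():
        print(f"{host}:{port} {base} -> {counts}")
    print("unresolvable:", unresolvable_hosts(s))
    print("unreachable:", unreachable_hosts(s))
    print(f"referral chasing spanned {referral_span_seconds(SAMPLE_LOG):.1f}s")
```

On the sample above this reports two names that do not resolve (DomainDnsZones and ForestDnsZones, the application partitions a domain controller advertises) and one that resolves but is not listening on 389 (example.com, whose A record points at a host that is not a domain controller), with the referral chasing spanning about 38 seconds for a single login. Fixing DNS so those names resolve to a domain controller is the cleaner remedy. If you instead switch referral following off (in 5.x that is `xpack.security.authc.realms.<realm_name>.follow_referrals: false` in elasticsearch.yml), be aware that entries held in other naming contexts, for example groups in another domain of the forest, will no longer be found, which can silently change which roles a user is mapped to.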
