Active Directory Realm Authentication Issue


(Navnith) #1

Environment:
ELK Version: 6.1.3
Setup : Docker containers created with official images from elastic

Hi All,
I am trying to configure the active directory realm to work with the Global Catalog of our company's Active Directory. Following is the configuration I am using.

    xpack.security.authc.realms:
      realm0:
        type: active_directory
        order: 0
        domain_name: company.com
        url: ldap://ldap.in.company.com:3268
        bind_dn: username@company.com
        bind_password: password
        user_search.filter: (sAMAccountName={0})

I am getting following exception message during login

[2018-02-14T17:49:51,950][DEBUG][o.e.x.s.a.l.LdapRealm    ] [otMZgVg] Exception occurred during authenticate for active_directory/realm0
com.unboundid.ldap.sdk.LDAPBindException: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
        at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2171) ~[?:?]
        at com.unboundid.ldap.sdk.LDAPConnectionPool.bindAndRevertAuthentication(LDAPConnectionPool.java:1535) ~[?:?]
        at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.lambda$doRun$0(LdapUtils.java:135) ~[?:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
        at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.privilegedConnect(LdapUtils.java:86) ~[?:?]
        at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.doRun(LdapUtils.java:135) ~[?:?]
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-6.1.3.jar:6.1.3]
        at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.maybeForkThenBind(LdapUtils.java:160) ~[x-pack-6.1.3.jar:6.1.3]
        at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory$ADAuthenticator.authenticate(ActiveDirectorySessionFactory.java:315) ~[x-pack-6.1.3.jar:6.1.3]
        at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.getSessionWithPool(ActiveDirectorySessionFactory.java:135) ~[x-pack-6.1.3.jar:6.1.3]
        at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:104) ~[x-pack-6.1.3.jar:6.1.3]
        at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$1(LdapRealm.java:164) ~[x-pack-6.1.3.jar:6.1.3]
        at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:320) [x-pack-6.1.3.jar:6.1.3]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:637) [elasticsearch-6.1.3.jar:6.1.3]
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.1.3.jar:6.1.3]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
[2018-02-14T17:49:51,954][WARN ][o.e.x.s.a.AuthenticationService] [otMZgVg] Authentication to realm realm0 failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))

I tried to connect with ldapsearch using the same credentials and it worked perfectly OK.
Can anyone please help me with getting the AD configuration working?
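A triage helper for the failure line above, added here as an example (it is not from the thread and not Elastic's own code): it parses the AuthenticationService WARN line and decodes the AD "data" sub-code, so that a 52e (invalid credentials) can be told apart from a lockout or a disabled account when reviewing these logs. The sub-code table is Microsoft's documented AcceptSecurityContext list; the second sample line (sub-code 775) is constructed and does not appear in the thread.

```python
import re
from collections import Counter

# Microsoft's AcceptSecurityContext sub-codes, reported in the "data" field of an
# AD bind failure; LDAP resultCode 49 (invalid credentials) covers all of them.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind identity was not accepted)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# Shape of the Elasticsearch AuthenticationService WARN line shown in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?Authentication to realm (?P<realm>\S+) failed.*?"
    r"resultCode=(?P<code>\d+) \((?P<reason>[^)]+)\).*?"
    r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)"
)

def decode_ad_failure(line):
    """Return the parsed failure, or None if the line is not an AD bind failure."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "timestamp": m.group("ts"),
        "realm": m.group("realm"),
        "ldap_result_code": int(m.group("code")),
        "ad_data": data,
        "ad_meaning": AD_DATA_CODES.get(data, "unknown sub-code " + data),
    }

def summarize_failures(lines):
    """Count AD bind failures per sub-code meaning, so lockouts stand out from bad passwords."""
    return Counter(r["ad_meaning"] for r in map(decode_ad_failure, lines) if r)

# Constructed sample: the WARN line from the thread, plus a copy altered to carry
# sub-code 775 (lockout), which the thread itself does not contain.
WARN_LINE = (
    "[2018-02-14T17:49:51,954][WARN ][o.e.x.s.a.AuthenticationService] [otMZgVg] "
    "Authentication to realm realm0 failed - authenticate failed (Caused by LDAPException("
    "resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, "
    "comment: AcceptSecurityContext error, data 52e, v2580'))"
)
SAMPLE_LOG = [WARN_LINE, WARN_LINE.replace("data 52e", "data 775")]
```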


(Tim Vernum) #2

Which credentials do you mean? The bind_dn, or the user logging in to Elasticsearch?
It is the latter that is failing.

What form of login are you using?

  • account name: e.g. navnith
  • user principal name: e.g. navnith@company.com
  • NetBIOS (down level) name: e.g. Company\navnith

Do you know if you are using AD DS or LDS?

