Active Directory user authentication

Hi, we need to use Elasticsearch authentication for our users in DC (Active Directory).
Following the instructions in the link below:
https://www.elastic.co/guide/en/elasticsearch/reference/7.11/active-directory-realm.html
I added the AD realm to elasticsearch.yml:

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: develop.local
            url: ldap://192.168.3.89:389
            user_search:
              base_dn: "cn=users,dc=develop,dc=local"
            group_search:
              base_dn: "cn=users,dc=develop,dc=local"
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"

and this line to role_mapping.yaml

superuser:
  - "cn=elasticsearch-superuser,cn=users,dc=develop,dc=local"

But we cannot log in to Elasticsearch, neither with local users nor with users of the domain controller,
and we get this in the Elasticsearch log:

[2021-02-22T05:15:21,458][WARN ][o.e.x.s.a.AuthenticationService] [APK-Elastic-Node] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))
[2021-02-22T05:15:21,913][WARN ][o.e.x.s.a.AuthenticationService] [APK-Elastic-Node] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))
[2021-02-22T05:15:24,406][WARN ][o.e.x.s.a.AuthenticationService] [APK-Elastic-Node] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))
[2021-02-22T05:15:24,456][WARN ][o.e.x.s.a.AuthenticationService] [APK-Elastic-Node] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))
[2021-02-22T05:15:26,905][WARN ][o.e.x.s.a.AuthenticationService] [APK-Elastic-Node] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))
[2021-02-22T05:15:27,463][WARN ][o.e.x.s.a.AuthenticationService] [APK-Elastic-Node] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))
[2021-02-22T05:15:29,406][WARN ][o.e.x.s.a.AuthenticationService] [APK-Elastic-Node] Authentication to realm my_ad failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))

I have a group named elasticsearch-superuser in AD and two users (members of elasticsearch-superuser)
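
For triaging log lines like the ones in this post: the hex value after `data` in the AD diagnostic message is a Win32 error code that narrows down why the bind was rejected. The following is an added example, not part of the original post or of Elasticsearch, that parses such lines and decodes the sub-code; the function names and the sample lines built from the post's log format are assumptions.

```python
import re
from collections import Counter

# Win32 error codes that AD reports in hex after "data" in a failed LDAP bind.
AD_SUBCODES = {
    "525": "ERROR_NO_SUCH_USER",
    "52e": "ERROR_LOGON_FAILURE (user name or password is incorrect)",
    "530": "ERROR_INVALID_LOGON_HOURS",
    "531": "ERROR_INVALID_WORKSTATION",
    "532": "ERROR_PASSWORD_EXPIRED",
    "533": "ERROR_ACCOUNT_DISABLED",
    "701": "ERROR_ACCOUNT_EXPIRED",
    "773": "ERROR_PASSWORD_MUST_CHANGE",
    "775": "ERROR_ACCOUNT_LOCKED_OUT",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[[^\]]+\]\s+\[(?P<node>[^\]]+)\]\s+"
    r"Authentication to realm (?P<realm>\S+) failed.*?"
    r"resultCode=(?P<rc>\d+) \((?P<rc_text>[^)]*)\).*?"
    r"data (?P<sub>[0-9a-fA-F]+),"
)

def parse_line(line):
    """Return a dict for an AD realm bind failure, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rc"] = int(rec["rc"])
    rec["sub"] = rec["sub"].lower()
    rec["meaning"] = AD_SUBCODES.get(rec["sub"], "unknown sub-code")
    return rec

def summarize(lines):
    """Count failures per (realm, sub-code) so a repeated cause stands out."""
    return Counter((r["realm"], r["sub"]) for r in map(parse_line, lines) if r)

# Sample input: 52e lines follow the post's log format; the 775 and INFO lines are constructed.
_FMT = ("[{ts}][WARN ][o.e.x.s.a.AuthenticationService] [APK-Elastic-Node] "
        "Authentication to realm my_ad failed - authenticate failed (Caused by "
        "LDAPException(resultCode=49 (invalid credentials), diagnosticMessage="
        "'80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext "
        "error, data {sub}, v4563', ldapSDKVersion=4.0.8, revision=28812))")
SAMPLE = [
    _FMT.format(ts="2021-02-22T05:15:21,458", sub="52e"),
    _FMT.format(ts="2021-02-22T05:15:21,913", sub="52e"),
    _FMT.format(ts="2021-02-22T05:16:02,100", sub="775"),
    "[2021-02-22T05:16:03,000][INFO ][o.e.n.Node] [APK-Elastic-Node] started",
]
```

Calling `summarize(SAMPLE)` groups the failures by realm and sub-code, and `parse_line(...)["meaning"]` gives the decoded name for a single line.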

What type of license are you using? According to the docs AD integration requires a commercial license (Gold or above).

We have Platinum.
The AD users problem was solved by setting the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrity

value from 2 to 1,
but we do not have the built-in users yet. Is it normal that all the auth requests go to the AD realm or not?

Then please also do raise a request with the Support team :slight_smile:
