Authentication to realm active_directory failed

Hello there:

I'm trying to set up X-pack to talk to our LDAP, but ran into issues.
I have not set up SSL yet.

Here is the elasticsearch.yml:

xpack.monitoring.enabled: true
xpack.monitoring.collection.enabled: true
xpack.monitoring.collection.interval: 60s
xpack.monitoring.collection.cluster.stats.timeout: 60s
xpack.monitoring.history.duration: 90d
xpack.watcher.history.cleaner_service.enabled: true
xpack.http.proxy.host: 'hlsoprxe1a-01.mycompany.com'
xpack.http.proxy.port: 3128
xpack.watcher.enabled: true
xpack.security.enabled: true

#---------------------------------- X-Pack and LDAP-----------------------------------
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: mycompany.com
          url: ldaps://ad-01.mycompany.com:3128
          user_search:
            base_dn: "OU=SUDOers,DC=,DC=dxc,DC=com"
            attribute: cn
          bind_dn: myadmin@mycompany.com
          bind_password: mypassword

When I started elasticsearch, I saw the following in the elasticsearch.log:
............
[2018-09-27T06:43:26,910][INFO ][o.e.n.Node ] [node-1] started
[2018-09-27T06:43:28,114][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server hlsoadse1a-01.hls.dxc.com:3128: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server hlsoadse1a-01.hls.dxc.com/10.100.16.11:3128: ConnectException(message='Connection refused (Connection refused)', trace='socketConnect(PlainSocketImpl.java:native) / doConnect(AbstractPlainSocketImpl.java:350) / connectToAddress(AbstractPlainSocketImpl.java:206) / connect(AbstractPlainSocketImpl.java:188) / connect(SocksSocketImpl.java:392) / connect(Socket.java:589) / connect(SSLSocketImpl.java:673) / run(ConnectThread.java:146)', revision=24201)')'))
[2018-09-27T06:43:28,179][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server hlsoadse1a-01.hls.dxc.com:3128: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server hlsoadse1a-01.hls.dxc.com/10.100.16.11:3128: ConnectException(message='Connection refused (Connection refused)', trace='socketConnect(PlainSocketImpl.java:native) / doConnect(AbstractPlainSocketImpl.java:350) / connectToAddress(AbstractPlainSocketImpl.java:206) / connect(AbstractPlainSocketImpl.java:188) / connect(SocksSocketImpl.java:392) / connect(Socket.java:589) / connect(SSLSocketImpl.java:673) / run(ConnectThread.java:146)', revision=24201)')'))
.....

Please review and let us know what went wrong...

Thanks a lot

Li

Hi,

The error, as clearly seen in the logs, is:

errorMessage='An error occurred while attempting to establish a connection to server hlsoadse1a-01.hls.dxc.com/10.100.16.11:3128: ConnectException(message='Connection refused (Connection refused)'

It looks like an AD server is not running on hlsoadse1a-01.hls.dxc.com (10.100.16.11) or it is not listening on port 3128. Can you verify that this is the correct host and port for your environment?

Ioannis,

Thanks for the response...

I changed the configuration as below:

xpack.monitoring.enabled: true
xpack.monitoring.collection.enabled: true
xpack.monitoring.collection.interval: 60s
#cluster_alerts.management.enabled: true
xpack.monitoring.collection.cluster.stats.timeout: 60s
xpack.monitoring.history.duration: 90d
xpack.watcher.history.cleaner_service.enabled: true
xpack.http.proxy.host: 'proxyhost.xxx.yyy.com'
xpack.http.proxy.port: 3128
xpack.watcher.enabled: true
xpack.security.enabled: true

xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: xxx.yyy.com

=================

And got a different error:

[2018-09-27T14:40:38,202][INFO ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] publish_address {10.100.35.182:9200}, bound_addresses {elasitcIP:9200}
[2018-09-27T14:40:38,202][INFO ][o.e.n.Node ] [node-1] started
[2018-09-27T14:40:39,409][INFO ][o.e.l.LicenseService ] [node-1] license [ea071fcf-a30c-4bf3-bed6-de82629478ca] mode [trial] - valid
[2018-09-27T14:40:39,422][INFO ][o.e.g.GatewayService ] [node-1] recovered [30] indices into cluster_state
[2018-09-27T14:40:40,891][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:40,990][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:41,118][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:41,190][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:42,712][INFO ][o.e.c.r.a.AllocationService] [node-1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[metricbeat-6.3.2-2018.08.30][0], [metricbeat-6.3.2-2018.08.27][0], [.kibana][0]] ...]).
[2018-09-27T14:40:43,513][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:46,022][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:48,531][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:50,371][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:50,373][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:51,040][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
...

I did the authentication as below... it seems to be fine...

$ curl -k -u localuser 'http://10.100.35.182:9200/_xpack/security/_authenticate?pretty'
Enter host password for user 'CD021544':
[ec2-user@xxxoelke1b-03 ~]$ curl -k -u localuser 'http://:9200/_xpack/security/_authenticate?pretty'
Enter host password for user 'localuser':
{
  "username" : "localuser",
  "roles" : [ ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "ldap_dn" : "CN=localuser,CN=Users,DC=xxx,DC=yyy,DC=com",
    "ldap_groups" : [
      "CN=Administrators,CN=Builtin,DC=xxx,DC=yyy,DC=com",
      "CN=Users,CN=Builtin,DC=xxx,DC=yyy,DC=com",
      "CN=Remote Management Users,CN=Builtin,DC=xxx,DC=yyy,DC=com",
      "CN=Domain Admins,CN=Users,DC=xxx,DC=yyy,DC=com",
      "CN=Domain Users,CN=Users,DC=xxx,DC=yyy,DC=com",
      "CN=Cert Publishers,CN=Users,DC=xxx,DC=yyy,DC=com",
      "CN=Schema Admins,CN=Users,DC=xxx,DC=yyy,DC=com",
      "CN=Enterprise Admins,CN=Users,DC=xxx,DC=yyy,DC=com",
      "CN=Group Policy Creator Owners,CN=Users,DC=xxx,DC=yyy,DC=com",
      "CN=Denied RODC Password Replication Group,CN=Users,DC=xxx,DC=yyy,DC=com",
      "CN=DnsAdmins,CN=Users,DC=xxx,DC=yyy,DC=com"
    ]
  },
  "enabled" : true
}

Please help me find out what went wrong and how to fix it.

Thanks a lot in advance

Li

Please take the time to correctly format the logs in your message; this is very hard to read through.

Sorry, this is the error in the elasticsearch.log; the same exception happened many times.

=====================

[2018-09-27T14:40:51,040][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580', diagnosticMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))

....

My guess (seeing that there is a .metricbeat index in your log output) is that you have a Beat attempting to connect to Elasticsearch and to authenticate with a username/password for a user in the native realm. Since you have defined an AD realm, you need to explicitly configure the native realm if you want to use this too.

Since you haven't, and since you have configured your AD realm without a bind user, Elasticsearch attempts to bind to AD with the credentials of the Beat user and fails, producing these error messages.

When authenticating with your CD021544 user, this succeeds as this is a user in AD and its password is correct.

If the above assumption is not correct, please

  • Set the logging to DEBUG by setting
      logger.authc.name = org.elasticsearch.xpack.security.authc
      logger.authc.level = DEBUG
    in your log4j2.log in the Elasticsearch configuration dir.
  • Share a larger part of your Elasticsearch log that would give us some more insights.
  • Share additional information on your architecture, i.e. what other components of the Elastic stack you are using and relevant configuration.
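As an added example (not part of this thread), a small Python triage script for the two failure signatures Ioannis diagnoses above: resultCode=91 (nothing listening on the host:port taken from the realm url) and resultCode=49 with the AD sub-code "data 52e" (invalid credentials, which AD also returns for a user that does not exist there, such as a native-realm Beat user). The first two sample lines are shortened copies of lines from this thread; the third is a constructed variant with sub-code 775, and the sub-code table is the standard AD LDAP bind error data.

```python
import re
from collections import Counter

# Sample input: two lines shortened from the elasticsearch.log excerpts in this
# thread, plus one constructed line with AD sub-code 775 (account locked out).
SAMPLE_LOG = """\
[2018-09-27T06:43:28,114][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server hlsoadse1a-01.hls.dxc.com:3128: java.io.IOException: ...'))
[2018-09-27T14:40:40,891][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'))
[2018-09-27T14:40:41,118][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580'))
"""

# Standard Active Directory bind-failure sub-codes carried in "data NNN".
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password or unknown user; AD returns 52e for both)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\] \[(?P<node>[^\]]+)\] "
    r"Authentication to realm (?P<realm>\S+) failed.*?resultCode=(?P<code>\d+)"
)
SERVER_RE = re.compile(r"connect to server (?P<host>[^:\s]+):(?P<port>\d+)")
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9a-f]+)")


def parse_failure(line):
    """Describe one AuthenticationService failure line; None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "realm": m["realm"], "result_code": int(m["code"]),
           "data": None, "server": None}
    if rec["result_code"] == 91:  # LDAP connect error: TCP-level, before any bind
        s = SERVER_RE.search(line)
        rec["server"] = f"{s['host']}:{s['port']}" if s else None
        rec["diagnosis"] = (f"connect error: nothing accepting LDAP connections at "
                            f"{rec['server']}; check the realm url host and port")
    elif rec["result_code"] == 49:  # bind rejected by AD; sub-code says why
        d = DATA_RE.search(line)
        rec["data"] = d["data"] if d else None
        rec["diagnosis"] = "invalid credentials: " + AD_DATA_CODES.get(rec["data"], "unknown AD sub-code")
    else:
        rec["diagnosis"] = f"LDAP resultCode {rec['result_code']}"
    return rec


def triage(log_text):
    """Parse all failure lines and count them by (resultCode, AD sub-code),
    so a burst of identical warnings collapses into one finding."""
    records = [r for r in map(parse_failure, log_text.splitlines()) if r]
    counts = Counter((r["result_code"], r["data"]) for r in records)
    return records, counts
```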

Thanks, will try this
