Elasticsearch Active-Directory Authentication Failure

Elasticsearch: 7.8
Below is my xpack conf:

xpack:
  security:
    authc:
      realms:
        active_directory:
          corp_ad:
            order: 0
            domain_name: <Domain-Name>
            follow_referrals: false
            url: ldaps://<AD-Hostname>:636
            bind_dn: <username>
            bind_password: <password>
            ssl:
              certificate_authorities: [ "/etc/elasticsearch/certs/ca-cert.pem" ]

But I am getting the below warning message and also an auth failure when I restart Elasticsearch:

[WARN ][o.e.x.s.a.AuthenticationService] [<elasticsearch-1-host>] Authentication to realm corp_ad failed - authenticate failed (Caused by LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52e, v4563', ldapSDKVersion=4.0.8, revision=28812))

Please suggest

From debugging the logs, I notice that Elasticsearch is searching for the Elastic built-in accounts in Active Directory, which obviously won't exist.

[2020-07-13T20:37:16,419][TRACE][o.e.x.s.a.AuthenticationService] [] Found existing authentication [Authentication[User[username=_system,roles=[_system],fullName=null,email=null,metadata={}],type=INTERNAL,by={Realm[__attach.__attach] on Node[elasticsearch-3.Host-Name]}]] in request [transport request action [internal:coordination/fault_detection/follower_check]]

[2020-07-13T20:37:16,563][TRACE][o.e.x.s.a.AuthenticationService] [] Found existing authentication [Authentication[User[username=logstash_admin_user,roles=[logstash_admin,logstash_reader,logstash_writer],fullName=Logstash XPack Mgmt ,email=logstash@,metadata={}],type=REALM,by={Realm[native.default_native] on Node[elasticsearch-3.Host-Name]}]] in request [transport request action [indices:data/read/mget[shard][s]]]

[2020-07-13T20:37:16,570][TRACE][o.e.x.s.a.AuthenticationService] [] Found authentication credentials [org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken] for principal [logstash_admin_user] in request [rest request uri [/]]

[2020-07-13T20:37:16,578][DEBUG][o.e.x.s.a.l.LdapRealm  ] [<Elasticsearch-Host>] Exception occurred during authenticate for active_directory/corp_ad
com.unboundid.ldap.sdk.LDAPBindException: 80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52e, v4563 
at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2273) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
at com.unboundid.ldap.sdk.LDAPConnectionPool.bindAndRevertAuthentication(LDAPConnectionPool.java:1619) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.lambda$doRun$0(LdapUtils.java:135) ~[x-pack-security-7.8.0.jar:7.8.0]
at java.security.AccessController.doPrivileged(AccessController.java:554) ~[?:?]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.privilegedConnect(LdapUtils.java:74) ~[x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.doRun(LdapUtils.java:135) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.maybeForkAndRun(LdapUtils.java:100) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.maybeForkThenBindAndRevert(LdapUtils.java:151) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory$ADAuthenticator.authenticate(ActiveDirectorySessionFactory.java:285) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.getSessionWithPool(ActiveDirectorySessionFactory.java:116) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:96) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$1(LdapRealm.java:131) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:314) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:695) [elasticsearch-7.8.0.jar:7.8.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.8.0.jar:7.8.0]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) [?:?]
at java.lang.Thread.run(Thread.java:832) [?:?]

[2020-07-13T20:37:16,578][DEBUG][o.e.x.s.a.AuthenticationService] [] Authentication of [logstash_admin_user] using realm [active_directory/corp_ad] with token [UsernamePasswordToken] was [AuthenticationResult{status=CONTINUE, user=null, message=authenticate failed, exception=LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52e, v4563 ', ldapSDKVersion=4.0.8, revision=28812)}]
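
Added example (not from the original post or from Elastic): a small Python triage script that pulls the principal, realm, result status and Active Directory sub-code (`data 52e` in the logs above) out of AuthenticationService debug lines and decodes the sub-code. The sub-code table is the commonly documented AD mapping; the third sample line and the user `jdoe` are constructed, and the other sample lines are shortened from the post.

```python
import re
from collections import Counter

# AD sub-codes that follow "data" in a resultCode=49 bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
AUTH_RE = re.compile(r"Authentication of \[([^\]]+)\] using realm \[([^\]]+)\].*?status=(\w+)")

# First two lines are shortened from the logs in the post; the third is constructed.
SAMPLE_LOG = [
    "[DEBUG][o.e.x.s.a.l.LdapRealm  ] Exception occurred during authenticate for active_directory/corp_ad",
    "[DEBUG][o.e.x.s.a.AuthenticationService] [] Authentication of [logstash_admin_user] using realm "
    "[active_directory/corp_ad] with token [UsernamePasswordToken] was [AuthenticationResult{status=CONTINUE, "
    "user=null, message=authenticate failed, exception=LDAPException(resultCode=49 (invalid credentials), "
    "diagnosticMessage='80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52e, v4563 ')}]",
    "[DEBUG][o.e.x.s.a.AuthenticationService] [] Authentication of [jdoe] using realm "
    "[active_directory/corp_ad] with token [UsernamePasswordToken] was [AuthenticationResult{status=CONTINUE, "
    "exception=LDAPException(resultCode=49, diagnosticMessage='80090308: LdapErr: DSID-0C090434, "
    "comment: AcceptSecurityContext error, data 775, v4563')}]",
]

def parse_line(line):
    """Return principal, realm, status and decoded AD sub-code, or None if the line has no sub-code."""
    sub = SUBCODE_RE.search(line)
    if not sub:
        return None
    code = sub.group(1).lower()
    auth = AUTH_RE.search(line)
    principal, realm, status = auth.groups() if auth else (None, None, None)
    return {"principal": principal, "realm": realm, "status": status,
            "subcode": code, "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-code")}

def summarize(lines):
    """Count failures per (realm, principal, sub-code); lines without a principal repeat the same event."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["principal"]:
            counts[(rec["realm"], rec["principal"], rec["subcode"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key, AD_BIND_SUBCODES.get(key[2], "unknown sub-code"))
```

Grouping by principal makes it visible when the failing binds belong to an account that lives in another realm (here `logstash_admin_user`, which the trace lines show authenticating via `native.default_native`) rather than to an AD user.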
