Having trouble setting kerberos on Kibana

There seems to be no proper documentation on setting up Kerberos on Kibana.
On Elasticsearch, Kerberos works fine with --negotiate user.
But on Kibana, once we add xpack.security.authc.providers: [kerberos]
and try to load the Kibana UI, we get an error on authentication:

[2020-04-26T16:24:52,241][DEBUG][r.suppressed ] [master] path: /_security/_authenticate, params: {}
org.elasticsearch.ElasticsearchSecurityException: missing authentication credentials for REST request [/_security/_authenticate]
    at org.elasticsearch.xpack.core.security.support.Exceptions.authenticationError(Exceptions.java:18) ~[x-pack-core-7.5.2.jar:7.5.2]
    at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.createAuthenticationError(DefaultAuthenticationFailureHandler.java:154) ~[x-pack-core-7.5.2.jar:7.5.2]
    at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.missingToken(DefaultAuthenticationFailureHandler.java:104) ~[x-pack-core-7.5.2.jar:7.5.2]

Can anyone suggest how to --negotiate with an AD user without providing credentials to the browser?

@elasticsearch cc / @Oleg / @Larry_Gregory

Hi @lnitin12, welcome to the discussion boards.

Can you provide your elasticsearch.yml and kibana.yml configurations, redacting any sensitive information?

Can you also turn on debug logging for kibana by setting logging.verbose: true in your kibana.yml, and see if Kibana is reporting anything relevant in its log file when you try to authenticate?

Hi @Larry_Gregory
I'll send you the configurations for Kerberos in a few mins. Attached is the image from the logs in Kibana after adding the above setting.

Added configuration for kerberos
elasticsearch.yml
xpack.security.authc.realms.kerberos.kerb1.order: "3"
xpack.security.authc.realms.kerberos.kerb1.keytab.path: /etc/elasticsearch/es.keytab
xpack.security.authc.realms.kerberos.kerb1.remove_realm_name: 'true'
xpack.security.authc.realms.kerberos.kerb1.krb.debug: 'true'

jvm.options
-Djava.security.krb5.conf=/etc/krb5.conf
-Dsun.security.krb5.debug=true
-Dsun.security.krb5.spnego.debug=true
-Dsun.security.krb5.rcache=none

kibana.yml
xpack.security.authc.providers: [kerberos, basic]

Thanks for the update -- the full log file and full configuration files would be more helpful. It looks like there are other realms configured, so getting the full picture will help us help you.

When you try to authenticate against Elasticsearch directly, is that the same machine that you're accessing Kibana from?

What browser are you using to attempt authentication?

I see you have basic auth enabled as well. Can you make sure that Kibana allows you to login using a username/password? This will help us rule out other issues.

OK, let me send out the log and config files. Yes, there is LDAP configured with Kerberos.
I tried to access the Kibana UI on Chrome, Firefox and Internet Explorer, and all of them get the same error as below.
With basic auth I'm able to log in as an LDAP user and also as a native user.

[2020-04-26T16:24:52,241][DEBUG][r.suppressed ] [master] path: /_security/_authenticate, params: {}
org.elasticsearch.ElasticsearchSecurityException: missing authentication credentials for REST request [/_security/_authenticate]
    at org.elasticsearch.xpack.core.security.support.Exceptions.authenticationError(Exceptions.java:18) ~[x-pack-core-7.5.1.jar:7.5.1]
    at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.createAuthenticationError(DefaultAuthenticationFailureHandler.java:154) ~[x-pack-core-7.5.1.jar:7.5.1]
    at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.missingToken(DefaultAuthenticationFailureHandler.java:104) ~[x-pack-core-7.5.1.jar:7.5.1]
