Kibana 5.3.0 Active Directory authentication


We would like to setup AD authentication just for Kibana and not setup AD authentication for Elasticsearch or Logstash components. Is that possible?. Can anyone point me towards the direction of setting up AD based authentication just for Kibana?

hi @mk40us,

you could do this by defining two sets of users. One for the Kibana users (humans I assume), and another for the Elasticsearch/Logstash users (services&processes I'd guess).

The Kibana users you would authenticate using the AD-realm. Ensure each has at least the kibana_user-role mapped to the appropriate AD-group, as well as (read/write) access to the required data/indices (

For the ES/Logstash users, use the native realm. So you can create these users with the ES user-api (cf.

Let me know if this is what you're looking for,

1 Like

I am getting authc not allowed error. Can you provide an example config file ?

 log   [15:56:18.759] [fatal] ValidationError: child "xpack" fails because [child "security" fails because ["authc" is not allowed]]
    at Object.exports.process (/usr/share/kibana/node_modules/joi/lib/errors.js:140:17)
    at internals.Any._validateWithOptions (/usr/share/kibana/node_modules/joi/lib/any.js:649:25)
    at root.validate (/usr/share/kibana/node_modules/joi/lib/index.js:102:23)
    at Config._commit (/usr/share/kibana/src/server/config/config.js:134:38)
    at Config.set (/usr/share/kibana/src/server/config/config.js:104:12)
    at Config.extendSchema (/usr/share/kibana/src/server/config/config.js:74:12)
    at /usr/share/kibana/src/server/plugins/plugin_collection.js:21:10
    at (native)
    at step (/usr/share/kibana/src/server/plugins/plugin_collection.js:32:273)

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.