Hi,
I am trying to set up Active Directory user authentication with Elasticsearch 6.0 installed on Windows Server 2016. Any ideas how to solve this issue?
The configuration in elasticsearch.yml file is
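# Active Directory realm for Elasticsearch 6.0 (x-pack security) on Windows
# Server 2016. REST users are authenticated by binding to AD over LDAPS on the
# global-catalog port 3269.
#
# Diagnosis of the failure in the log: the realm's TLS handshake dies with
# "PKIX path building failed ... unable to find valid certification path to
# requested target". That means the trust store the realm uses does not
# contain the CA that issued the certificate the domain controller presents
# on port 3269. The stack trace runs through x-pack's own SSLService trust
# manager, i.e. the trust store is built from the `ssl.*` settings below —
# importing the certificate into the JVM's `cacerts` is not expected to help.
# The REST client only sees a generic 401 ("unable to authenticate user"),
# so the DEBUG log is the only place this root cause is visible.
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: corp.company.com
          url: "ldaps://corp.company.com:3269"
          follow_referrals: false
          # Bind credentials. The bind password is a secret and should not be
          # kept in elasticsearch.yml (a plaintext file that gets copied and
          # committed). Move it to the keystore
          # (`elasticsearch-keystore add
          #   xpack.security.authc.realms.active_directory.secure_bind_password`)
          # on a 6.x release that supports `secure_bind_password`, and remove
          # `bind_password` here; otherwise at least restrict the file's ACL.
          bind_dn: "binduser@company.com"
          bind_password: "PASSWORD"
          ssl:
            # Must contain the complete issuing chain (root + any intermediate)
            # of the certificate the DC serves on 3269 — the PKIX error says it
            # currently does not. Check with
            # `openssl s_client -connect corp.company.com:3269 -showcerts`.
            certificate_authorities: certs/new/CA.pem
            # Client certificate/key are only used if the DC requires mutual
            # TLS; they play no part in validating the server's certificate.
            certificate: certs/new/certificate.pem
            key: certs/new/secret.key
            # `certificate` validates the chain but skips hostname matching.
            # Prefer `full` once the DC certificate's SAN covers
            # corp.company.com, so a different host with a cert from the same
            # CA cannot impersonate the DC.
            verification_mode: certificate
          user_search:
            base_dn: "OU=UserAccounts,DC=subdomain,DC=corp,DC=company,DC=com"
          group_search:
            base_dn: "DC=subdomain,DC=corp,DC=company,DC=com"
          files:
            role_mapping: "C:/elasticsearch/config/x-pack/role_mapping.yml"
          # AD groups without an explicit role mapping grant no roles
          # (the safe default — keep it false).
          unmapped_groups_as_roles: false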
I have also enabled x-pack SSL for the Elasticsearch node itself: when I browse https://elasticnode:9200 as the elastic user I get the normal Elasticsearch default response and the browser shows the padlock.
But AD authentication fails for a domain user when the request is sent from Postman; the response is type: "security_exception", status: 401, reason: "unable to authenticate user [domain/aduser] for REST request [/]". (That 401 is generic; the actual cause only appears in the DEBUG log below.)
LDP.exe can successfully bind to the domain controller and shows:
Authenticated as dn: 'binduser'.
(Note this is a bind as the bind account, not the domain user, and ldp.exe presumably validates the server certificate against the Windows certificate store rather than the CA file configured for the realm.)
The domain controller's SSL certificate has also been imported into the JVM's `cacerts` keystore on the Elasticsearch server. (Since the realm is configured with its own `ssl.certificate_authorities`, that import is likely not the trust store the realm consults.)
The exception detail from the Elasticsearch log file (DEBUG level for the LDAP realm) is:
2018-02-10T02:54:46,908][DEBUG][o.e.x.s.a.l.LdapRealm ] [ES-node1-dev] Exception occurred during authenticate for active_directory/active_directory
com.unboundid.ldap.sdk.LDAPBindException: An error occurred while attempting to send the LDAP message to server corp.company.com:3269: SSLHandshakeException(message='sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target', trace='getSSLException(Alerts.java:192) / fatal(SSLSocketImpl.java:1959) / fatalSE(Handshaker.java:328) / fatalSE(Handshaker.java:322) / serverCertificate(ClientHandshaker.java:1614) / processMessage(ClientHandshaker.java:216) / processLoop(Handshaker.java:1052) / process_record(Handshaker.java:987) / readRecord(SSLSocketImpl.java:1072) / performInitialHandshake(SSLSocketImpl.java:1385) / writeRecord(SSLSocketImpl.java:757) / write(AppOutputStream.java:123) / flushBuffer(BufferedOutputStream.java:82) / flush(BufferedOutputStream.java:140) / sendMessage(LDAPConnectionInternals.java:543) / sendMessage(LDAPConnection.java:4249) / process(SimpleBindRequest.java:551) / bind(LDAPConnection.java:2143) / createConnection(LDAPConnectionPool.java:1268) / createConnection(LDAPConnectionPool.java:1178) / getConnection(LDAPConnectionPool.java:1706) / bindAndRevertAuthentication(LDAPConnectionPool.java:1531) / lambda$doRun$0(LdapUtils.java:135) / doPrivileged(AccessController.java:native) / privilegedConnect(LdapUtils.java:86) / doRun(LdapUtils.java:135) / run(AbstractRunnable.java:37) / maybeForkThenBind(LdapUtils.java:160) / authenticate(ActiveDirectorySessionFactory.java:318) / getSessionWithPool(ActiveDirectorySessionFactory.java:136) / session(PoolingSessionFactory.java:104) / lambda$doAuthenticate$1(LdapRealm.java:164) / doRun(LdapRealm.java:320) / doRun(ThreadContext.java:638) / run(AbstractRunnable.java:37) / runWorker(ThreadPoolExecutor.java:1149) / run(ThreadPoolExecutor.java:624) / run(Thread.java:748)', cause=ValidatorException(message='PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target', trace='doBuild(PKIXValidator.java:397) / engineValidate(PKIXValidator.java:302) / validate(Validator.java:260) / validate(X509TrustManagerImpl.java:324) / checkTrusted(X509TrustManagerImpl.java:229) / checkServerTrusted(X509TrustManagerImpl.java:124) / checkServerTrusted(SSLService.java:568) / serverCertificate(ClientHandshaker.java:1596) / processMessage(ClientHandshaker.java:216) / processLoop(Handshaker.java:1052) / process_record(Handshaker.java:987) / readRecord(SSLSocketImpl.java:1072) / performInitialHandshake(SSLSocketImpl.java:1385) / writeRecord(SSLSocketImpl.java:757) / write(AppOutputStream.java:123) / flushBuffer(BufferedOutputStream.java:82) / flush(BufferedOutputStream.java:140) / sendMessage(LDAPConnectionInternals.java:543) / sendMessage(LDAPConnection.java:4249) / process(SimpleBindRequest.java:551) / bind(LDAPConnection.java:2143) / createConnection(LDAPConnectionPool.java:1268) / createConnection(LDAPConnectionPool.java:1178) / getConnection(LDAPConnectionPool.java:1706) / bindAndRevertAuthentication(LDAPConnectionPool.java:1531) / lambda$doRun$0(LdapUtils.java:135) / doPrivileged(AccessController.java:native) / privilegedConnect(LdapUtils.java:86) / doRun(LdapUtils.java:135) / run(AbstractRunnable.java:37) / maybeForkThenBind(LdapUtils.java:160) / authenticate(ActiveDirectorySessionFactory.java:318) / getSessionWithPool(ActiveDirectorySessionFactory.java:136) / session(PoolingSessionFactory.java:104) / lambda$doAuthenticate$1(LdapRealm.java:164) / doRun(LdapRealm.java:320) / doRun(ThreadContext.java:638) / run(AbstractRunnable.java:37) / runWorker(ThreadPoolExecutor.java:1149) / run(ThreadPoolExecutor.java:624) / run(Thread.java:748)', cause=SunCertPathBuilderException(message='unable to find valid certification path to requested target', trace='build(SunCertPathBuilder.java:141) / engineBuild(SunCertPathBuilder.java:126) / 
build(CertPathBuilder.java:280) / doBuild(PKIXValidator.java:392) / engineValidate(PKIXValidator.java:302) / validate(Validator.java:260) / validate(X509TrustManagerImpl.java:324) /
...
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1289) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1178) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionPool.getConnection(LDAPConnectionPool.java:1706) ~[?:?]
at com.unboundid.ldap.sdk.LDAPConnectionPool.bindAndRevertAuthentication(LDAPConnectionPool.java:1531) ~[?:?]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.lambda$doRun$0(LdapUtils.java:135) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
at
...