First-time AD authentication using https://elasticsearchurl/_xpack/security/_authenticate takes around 3 mins to return a successful result. I am using x-pack 6.0 and below are the realm settings in the elasticsearch.yml file:

```yaml
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: "active_directory"
          bind_dn: user@company.com
          bind_password: mypassword
          order: 0
          domain_name: corp.company.com
          follow_referrals: true
          timeout.tcp_read: 25s
          timeout.tcp_connect: 25s
          timeout.ldap_search: 25s
          url: "ldaps://corp.company.com:3211"
          ssl:
            certificate_authorities: ["/etc/elasticsearch/certs/ca.pem"]
            verification_mode: none
          user_search:
            base_dn: "OU=UserAccounts,DC=domain,DC=corp,DC=company,DC=com"
          group_search:
            base_dn: "DC=domain,DC=corp,DC=company,DC=com"
          files:
            role_mapping: "/etc/elasticsearch/role_mapping.yml"
          unmapped_groups_as_roles: false
```
Below is the log file (detailed error log removed for brevity):

```
[2018-03-13T21:43:40,524][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://ForestDnsZones.corp.company.com/DC=ForestDnsZones,DC=corp,DC=company,DC=com]
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to send the LDAP message to server ForestDnsZones.corp.company.com:636: SocketTimeoutException(message='Read timed out', trace='socketRead0(SocketInputStream.java:native) / socketRead(SocketInputStream.java:116) / read(SocketInputStream.java:171) / read(SocketInputStream.java:141) / readFully(InputRecord.java:465) / read(InputRecord.java:503) / readRecord(SSLSocketImpl.java:983) / performInitialHandshake(SSLSocketImpl.java:1385) / writeRecord(SSLSocketImpl.java:757) / write(AppOutputStream.java:123) / flushBuffer(BufferedOutputStream.java:82) / flush(BufferedOutputStream.java:140) / sendMessage(LDAPConnectionInternals.java:543) / sendMessage(LDAPConnection.java:4249) / process(SimpleBindRequest.java:551) / bind(LDAPConnection.java:2143) / getReferralConnection(LDAPConnection.java:4573) / lambda$followReferral$11(LdapUtils.java:601) / doPrivileged(AccessController.java:native) / privilegedConnect(LdapUtils.java:87) / followReferral(LdapUtils.java:601) / access$300(LdapUtils.java:66) / searchResultReceived(LdapUtils.java:533) / responseReceived(AsyncSearchHelper.java:240) / run(LDAPConnectionReader.java:569)', revision=24201)
Caused by: java.net.SocketTimeoutException: Read timed out
... 12 more
[2018-03-13T21:44:26,725][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://DomainDnsZones.corp.company.com/DC=DomainDnsZones,DC=corp,DC=company,DC=com]
... 12 more
[2018-03-13T21:45:57,211][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://DomainDnsZones.redmond.corp.company.com/DC=DomainDnsZones,DC=redmond,DC=corp,DC=company,DC=com]
... 12 more
[2018-03-13T21:46:27,448][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region1.corp.company.com/DC=region1,DC=corp,DC=company,DC=com]
... 12 more
[2018-03-13T21:47:00,697][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region2.corp.company.com/DC=region2,DC=corp,DC=company,DC=com]
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to send the LDAP message to server region2.corp.company.com:636: SocketTimeoutException(message='Read timed out', trace='socketRead0(SocketInputStream.java:native) / socketRead(SocketInputStream.java:116) / read(SocketInputStream.java:171) / read(SocketInputStream.java:141) / readFully(InputRecord.java:465) / read(InputRecord.java:503) / readRecord(SSLSocketImpl.java:983) / performInitialHandshake(SSLSocketImpl.java:1385) / writeRecord(SSLSocketImpl.java:757) / write(AppOutputStream.java:123) / flushBuffer(BufferedOutputStream.java:82) / flush(BufferedOutputStream.java:140) / sendMessage(LDAPConnectionInternals.java:543) / sendMessage(LDAPConnection.java:4249) / process(SimpleBindRequest.java:551) / bind(LDAPConnection.java:2143) / getReferralConnection(LDAPConnection.java:4573) / lambda$followReferral$11(LdapUtils.java:601) / doPrivileged(AccessController.java:native) / privilegedConnect(LdapUtils.java:87) / followReferral(LdapUtils.java:601) / access$300(LdapUtils.java:66) / searchResultReceived(LdapUtils.java:533) / responseReceived(AsyncSearchHelper.java:240) / run(LDAPConnectionReader.java:569)', revision=24201)
... 12 more
[2018-03-13T21:48:16,366][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region3.corp.company.com/DC=region3,DC=corp,DC=company,DC=com]
... 12 more
[2018-03-13T21:48:33,306][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region4.corp.company.com/DC=region4,DC=corp,DC=company,DC=com]
[2018-03-13T21:48:53,398][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region5.corp.company.com/DC=region5,DC=corp,DC=company,DC=com]
... 11 more
[2018-03-13T21:49:08,527][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region6.corp.company.com/DC=region6,DC=corp,DC=company,DC=com]
[2018-03-13T21:49:08,659][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region7.corp.company.com/DC=region7,DC=corp,DC=company,DC=com]
[2018-03-13T21:49:23,835][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region8.corp.company.com/DC=region8,DC=corp,DC=company,DC=com]
```

If I set follow_referrals: false then the authentication fails. The LDP.exe authentication response is instant. How can I reduce the latency of x-pack AD authentication?
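As an added example (not part of the post above), this Python script parses the referral warnings quoted in the log and attributes the gap between consecutive warnings to each referral attempt, which shows how sequential timeouts against the forest's DNS-zone and regional partitions (all on port 636, not the configured port 3211) add up to the minutes observed. It assumes the log line format shown above and the realm's 25s timeout.tcp_read; the embedded log is a constructed sample built from the post's warning lines.

```python
import re
from datetime import datetime

# Constructed sample: the referral warnings from the post above, stack traces left out.
SAMPLE_LOG = """\
[2018-03-13T21:43:40,524][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://ForestDnsZones.corp.company.com/DC=ForestDnsZones,DC=corp,DC=company,DC=com]
[2018-03-13T21:44:26,725][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://DomainDnsZones.corp.company.com/DC=DomainDnsZones,DC=corp,DC=company,DC=com]
[2018-03-13T21:45:57,211][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://DomainDnsZones.redmond.corp.company.com/DC=DomainDnsZones,DC=redmond,DC=corp,DC=company,DC=com]
[2018-03-13T21:46:27,448][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region1.corp.company.com/DC=region1,DC=corp,DC=company,DC=com]
[2018-03-13T21:47:00,697][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region2.corp.company.com/DC=region2,DC=corp,DC=company,DC=com]
[2018-03-13T21:48:16,366][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region3.corp.company.com/DC=region3,DC=corp,DC=company,DC=com]
[2018-03-13T21:48:33,306][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region4.corp.company.com/DC=region4,DC=corp,DC=company,DC=com]
[2018-03-13T21:48:53,398][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region5.corp.company.com/DC=region5,DC=corp,DC=company,DC=com]
[2018-03-13T21:49:08,527][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region6.corp.company.com/DC=region6,DC=corp,DC=company,DC=com]
[2018-03-13T21:49:08,659][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region7.corp.company.com/DC=region7,DC=corp,DC=company,DC=com]
[2018-03-13T21:49:23,835][WARN ][o.e.x.s.a.l.s.LdapUtils ] caught exception while trying to follow referral [ldaps://region8.corp.company.com/DC=region8,DC=corp,DC=company,DC=com]
"""

WARN_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\]\[WARN \]"
    r".*?follow referral \[ldaps?://(?P<host>[^/\]]+)"
)

def parse_referral_warnings(log_text):
    """Return [(timestamp, referral host), ...] in log order."""
    events = []
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S,%f")
            events.append((ts, m.group("host")))
    return events

def referral_costs(events):
    # The WARN line is logged only after an attempt gives up, so the gap since the
    # previous warning approximates how long that referral blocked authentication.
    # The first referral has no earlier marker, so its cost is None.
    return [(host, None if i == 0 else (ts - events[i - 1][0]).total_seconds())
            for i, (ts, host) in enumerate(events)]

def summarize(log_text, tcp_read_timeout_s=25.0):
    events = parse_referral_warnings(log_text)
    costs = referral_costs(events)
    total = (events[-1][0] - events[0][0]).total_seconds() if len(events) > 1 else 0.0
    # Referrals slower than one tcp_read timeout show that more than one timeout
    # (connect, read, search) or a DNS lookup was paid before that target was abandoned.
    slow = [h for h, s in costs if s is not None and s > tcp_read_timeout_s]
    return {"referrals": len(events), "total_seconds": round(total, 3),
            "costs": costs, "slower_than_timeout": slow}
```

Run summarize(SAMPLE_LOG) to see that the eleven unreachable referral targets alone account for 343 seconds of the bind, which is why disabling referrals makes the request fast but breaks authentication for objects that live in those partitions.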