Shield AD authentication error: peer not authenticated

First, the error:

[2016-09-07 13:38:32,362][WARN ][shield.authc.activedirectory] [node_test01] authentication failed for user [KibanaTest]: failed to connect to any active directory servers
cause: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server mydomain.com:389: java.io.IOException: Unable to verify an attempt to to establish a secure connection to 'mydomain.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

This is what the config looks like in elasticsearch.yml:

shield.authc.realms:
  active_directory:
    type: active_directory
    domain_name: mydomain.com
    url: ldaps://mydomain.com:389
    unmapped_groups_as_roles: true

Set the keystore path:

shield.ssl.keystore.path: E:\Apps\Elasticsearch\config\shield\node_test01.jks
shield.ssl.keystore.password: mypassword

It's running on a Windows Server 2012 R2 machine. In order to create the keystore, I exported the Root CA from the cert manager on the server and copied it into a .pem file to import. I did not include anything else because the Intermediate CA cert was identical. Our infrastructure admins confirmed that the URL and port are correct, and the Kibana credentials I entered in its config file are also correct. What else could I check? Did I miss something?

Thanks in advance for any advice.

Try using port 636. Port 389 is usually plaintext.

That helped somewhat. It got me to a new error:

[2016-09-07 14:58:52,726][WARN ][shield.authc.activedirectory] [node_test01] authentication failed for user [KibanaTest]: failed to connect to any active directory servers
cause: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server mydomain.com:636: java.io.IOException: Hostname verification failed because the expected hostname 'mydomain.com' was not found in peer certificate 'subject='CN=domaincontroller.mydomain.com' dNSName='domaincontroller.mydomain.com''.

Our domain is load-balanced between three DCs, and the DC that was indicated in the error message was one of them. Is this indicative of me needing to add load-balancing settings to the configuration, more information in the keystore, both, or something else? I read through the information in another question posted here (link). I tried hostname_verification: false, but that produced read timeout errors on the socket. Any ideas?
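The second error is a hostname-verification failure, not a trust failure: the chain validated against the imported Root CA, but the name the client asked for (the load-balanced mydomain.com) is not among the names the DC's certificate carries (only domaincontroller.mydomain.com). The following is an added example, not code from this thread or from Shield, that reproduces that check offline with constructed certificate names and adds a live probe helper that reads a server's SAN list so you can see what names a certificate would satisfy before deciding whether to list each DC by its own FQDN or request a certificate that includes the load-balanced name. The matching rule (SAN dNSName entries first, CN only as a fallback, single left-most wildcard label) is the usual RFC 6125 rule and is an assumption about the exact behaviour of the LDAP SDK.

```python
import socket
import ssl


def hostname_matches(expected: str, dns_name: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a '*' is only honoured
    as the entire left-most label, matching exactly one label."""
    expected = expected.lower().rstrip(".")
    dns_name = dns_name.lower().rstrip(".")
    if "*" not in dns_name:
        return expected == dns_name
    first, _, rest = dns_name.partition(".")
    if first != "*" or not rest:
        return False  # partial-label or non-leading wildcards are rejected
    e_first, _, e_rest = expected.partition(".")
    return bool(e_first) and e_rest == rest


def verify_peer_names(expected: str, san_dns_names, subject_cn=None):
    """Return (ok, reason). SAN dNSName entries are authoritative; the subject
    CN is only consulted when the certificate has no SAN dNSName at all
    (assumption about the SDK; this is the common rule)."""
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        candidates = [subject_cn] if subject_cn else []
    for name in candidates:
        if hostname_matches(expected, name):
            return True, f"'{expected}' matched certificate name '{name}'"
    return False, (f"expected hostname '{expected}' was not found in peer "
                   f"certificate names {candidates}")


def fetch_peer_dns_names(host, port=636, cafile=None, timeout=5.0):
    """Live probe (not exercised offline): connect over TLS, still validating
    the chain against cafile, but skip the hostname check for this probe only
    so the SAN list can be read and reported instead of raising."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified (CERT_REQUIRED)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ())
            if kind == "DNS"]


if __name__ == "__main__":
    # Constructed data mirroring the error above: the DC's certificate names
    # only the DC itself, while the realm URL uses the load-balanced name.
    dc_cert_names = ["domaincontroller.mydomain.com"]
    print(verify_peer_names("mydomain.com", dc_cert_names))
    print(verify_peer_names("domaincontroller.mydomain.com", dc_cert_names))
    # A certificate whose SAN also carries the load-balanced name would pass:
    print(verify_peer_names("mydomain.com", dc_cert_names + ["mydomain.com"]))
```

Running the script shows the first check failing with the same wording as the log line and the other two passing; pointing fetch_peer_dns_names at each DC (with the exported Root CA as cafile) shows which names each one actually presents.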

I think disabling hostname verification is the easiest solution if you would like to use the load balanced url. Otherwise maintaining a list of servers could get out of sync. Can you share the socket exception and stacktrace?

That error might have been transient; not sure at this point. This morning when I set it to "false" again, I am no longer seeing that error. It's a little stranger, though: it appears to be accepting my credentials, but Kibana just refreshes back to the login screen (with no messages) when I hit "Log In". I came to that conclusion because if I enter the wrong password, it gives me the invalid password message.

I will keep digging but if you have any suggestions, I would appreciate them.

It could be a role mapping issue. Can you execute the following:

curl -u username 'http://localhost:9200/_shield/authenticate'

This should return the information about the user you authenticated as.

I'm working on getting curl set up, but in the meantime, I started troubleshooting Kibana from the command line, and I'm seeing this exception on startup:

[error][status][plugin:elasticsearch] Status changed from yellow to red - [security_exception] action [cluster:monitor/nodes/info] is unauthorized for user [KibanaTest]

edit: This is what I have in the role_mapping.yml file and in the kibana.yml file:

role_mapping.yml -
kibana4_server:
  - "cn=KibanaTest,dc=mydomain,dc=com"

kibana.yml -
elasticsearch.username: "KibanaTest"
elasticsearch.password: "password"

I think this is a role mapping issue. There should usually be more between the cn and dc entries in the dn, like an ou. If you set shield.authc: TRACE in the logger section of the config/logging.yml file, then you should be able to see the DN of the user and groups retrieved.

I enabled the trace and was able to pull out of that the full string for the Kibana domain user, which I swapped into the role mapping in place of what I had earlier. That seems to have mostly fixed it. I'm not getting the unauthorized error anymore, and the trace logs show a lot of "authenticated user [KibanaTest], with roles [[Log Modify Access, MyApp App Accounts, Domain Users, Users, kibana4_server]]" entries, no errors/warnings/etc.

However, I'm still experiencing the problem with the Kibana login screen refreshing as soon as I log in. This is what I have in the role mapping file:

admin:
  - "CN=My Admins,OU=My DMZ,DC=mydomain,DC=com"

This is what is shown in the trace logs:

[2016-09-09 10:47:52,072][DEBUG][shield.authc.activedirectory] [node_test01] user not found in cache, proceeding with normal authentication
[2016-09-09 10:47:52,197][DEBUG][shield.authc.activedirectory] [node_test01] group SID to DN search filter: [Lots of SIDs in here]
[2016-09-09 10:47:52,322][DEBUG][shield.authc.activedirectory] [node_test01] found these groups [[Lots of groups in here]] for userDN [CN=My Name,OU=IT Users,DC=mydomain,DC=com]
[2016-09-09 10:47:52,322][DEBUG][shield.authc.support ] [node_test01] the roles [[Lots of roles here]], are mapped from these [active_directory] groups [[Same groups as above]] for realm [active_directory/active_directory]
[2016-09-09 10:47:52,322][DEBUG][shield.authc.support ] [node_test01] the roles [[]], are mapped from the user [active_directory] for realm [CN=My Name,OU=IT Users,DC=mydomain,DC=com/active_directory]
[2016-09-09 10:47:52,338][DEBUG][shield.authc.activedirectory] [node_test01] authenticated user [my_user], with roles [[Same roles as above]]

The AD group that I chose to put into the role mapping file shows up in the list of groups returned for my account, and the name of the group also shows up in the AD roles list as well. Why, then, does it return empty braces for the roles mapped from that? I am starting to suspect that those empty braces are why I'm not getting an "incorrect login" screen but also being kept out of the app.

Hmm. What user are you logging into Kibana as? What roles are they given?

I think the log line is a bit misleading. Roles can be mapped from group DNs and the User DN. The empty brackets are the role mapping based off the user DN, while the one with many roles is the mapping based on the group DNs. Both sets of roles are combined when creating the user.
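To make the two trace lines concrete, here is an added example (not Shield's own code) that walks a role_mapping.yml-style mapping the way the log describes: one pass matching the user DN, one pass matching the group DNs, and the union of both as the user's roles. It also covers the earlier point about the shortened "cn=...,dc=..." entry, which never matches a real AD DN that has an OU in it, and the unmapped_groups_as_roles: true setting from the realm config, which turns group names like "Domain Users" into roles. DN comparison here is a simplified normalisation (lowercased, whitespace-trimmed RDNs, escaped commas respected); that is an assumption about how Shield compares DNs, good enough to reproduce the mismatch discussed in this thread.

```python
# Constructed mapping mirroring the role_mapping.yml shown in this thread.
ROLE_MAPPING = {
    "kibana4_server": ["cn=KibanaTest,dc=mydomain,dc=com"],
    "admin": ["CN=My Admins,OU=My DMZ,DC=mydomain,DC=com"],
}


def split_rdns(dn: str):
    """Split a DN on unescaped commas (handles 'CN=Smith\\, John,...')."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def normalize_dn(dn: str) -> str:
    """Case-insensitive, whitespace-insensitive form for equality checks
    (assumption: an approximation of the server's DN matching rules)."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def rdn_value(dn: str) -> str:
    """Value of the first RDN in its original case, e.g. 'Domain Users'."""
    return split_rdns(dn)[0].partition("=")[2].strip()


def map_roles(role_mapping, user_dn, group_dns, unmapped_groups_as_roles=False):
    """Return the roles from the user DN, from the group DNs, and their union,
    mirroring the three 'mapped from' / 'authenticated user' trace lines."""
    user_n = normalize_dn(user_dn)
    groups_n = {normalize_dn(g): g for g in group_dns}
    from_user, from_groups, matched_groups = set(), set(), set()
    for role, dns in role_mapping.items():
        for dn in dns:
            n = normalize_dn(dn)
            if n == user_n:
                from_user.add(role)
            if n in groups_n:
                from_groups.add(role)
                matched_groups.add(n)
    roles = from_user | from_groups
    if unmapped_groups_as_roles:
        # Groups no mapping mentioned contribute their own name as a role.
        roles |= {rdn_value(orig) for n, orig in groups_n.items()
                  if n not in matched_groups}
    return {
        "from_user": sorted(from_user),
        "from_groups": sorted(from_groups),
        "roles": sorted(roles),
    }


if __name__ == "__main__":
    # Shortened DN from the original mapping vs. the real service-account DN
    # (constructed with an OU, as the reply above says AD DNs usually have).
    print(map_roles(ROLE_MAPPING, "CN=KibanaTest,OU=Service Accounts,DC=mydomain,DC=com", []))
    # An interactive user whose groups include the mapped admin group.
    print(map_roles(
        ROLE_MAPPING,
        "CN=My Name,OU=IT Users,DC=mydomain,DC=com",
        ["CN=My Admins,OU=My DMZ,DC=mydomain,DC=com",
         "CN=Domain Users,CN=Users,DC=mydomain,DC=com"],
        unmapped_groups_as_roles=True,
    ))
```

The first call returns no roles at all, which is what the unauthorized error looked like before the full DN was copied out of the trace; the second returns from_user empty and from_groups ['admin'], the same shape as the two DEBUG lines, with "Domain Users" appearing only because of unmapped_groups_as_roles.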

I'm logging in with my Active Directory account, which is included in the group that I mapped under the "admin" role shown in my previous post. The logs do show that, when it authenticates my account against AD, it returns that group as one of the groups assigned to my account. Ergo, it's inexplicable as to why it's not letting me in.

This is the step-by-step:

  1. Update role-mapping file
  2. Restart ES.
  3. Start Kibana.
  4. Go to localhost:5601.
  5. Type in username and password.
  6. Hit "Log In".
  7. Page briefly flashes the Kibana startup screen ("Loading lots of code") and then displays the login screen again.

Right now I don't have SSL set up on Kibana (i.e. using http:// instead of https://); working with one of our infrastructure guys to get the CSR signed so I can install it and start using https. Is it possible that this is somehow complicit in the problem here?

That would have been my next question. Yes, I believe it is the culprit here. The cookie that Kibana uses has the secure flag set, which browsers will only send via an HTTPS connection.
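The symptom described above (correct password accepted, then straight back to the login page with no error) is exactly what a Secure session cookie produces over plain http: the login response sets the cookie, but the browser refuses to send it on the next http request, so the app sees no session and shows the login screen again. This added example, not from the thread or from Kibana, reproduces that behaviour offline with Python's standard http.cookiejar, whose DefaultCookiePolicy applies the same rule as a browser. The host name, port and cookie value are constructed for the demonstration.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_session_cookie(domain, name="sid", value="constructed-session-token",
                        secure=True):
    """Build the cookie a login response would set (Netscape-style, version 0)."""
    return Cookie(version=0, name=name, value=value, port=None,
                  port_specified=False, domain=domain, domain_specified=False,
                  domain_initial_dot=False, path="/", path_specified=True,
                  secure=secure, expires=None, discard=True, comment=None,
                  comment_url=None, rest={}, rfc2109=False)


def cookie_header_for(jar: CookieJar, url: str):
    """Ask the jar what Cookie header it would attach to a request for url;
    None means the policy withheld every cookie."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate_login(scheme, host="kibana.example.com", port=5601,
                   secure_flag=True):
    """Login succeeds and the server sets the session cookie; return the
    Cookie header the client would send on the very next page load."""
    jar = CookieJar()
    jar.set_cookie(make_session_cookie(host, secure=secure_flag))
    return cookie_header_for(jar, f"{scheme}://{host}:{port}/app/kibana")


if __name__ == "__main__":
    print("http  + Secure cookie :", simulate_login("http"))    # None
    print("https + Secure cookie :", simulate_login("https"))   # sid=...
    print("http, cookie not Secure:", simulate_login("http", secure_flag=False))
```

The third line is there only to show that the flag, not the scheme alone, is what withholds the cookie; the fix in the thread is the right one (serve Kibana over HTTPS), not clearing the Secure flag, since a session cookie sent over http is readable by anyone on the path.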

Okay. That makes sense. I'll post a new topic if I still have trouble after that's installed and configured; the main question here has been answered. Thanks for your help!