Username or password is incorrect. Please try again. / HTTP/1.1 401 Unauthorized

Hello World!

I'm trying to follow "Install Kibana with Docker | Kibana Guide [7.17] | Elastic", and even though it looks like Kibana started fine:

% docker compose logs --tail 1
kibana  | {"type":"log","@timestamp":"2022-07-07T20:12:15+00:00","tags":["info","status"],"pid":7,"message":"Kibana is now available (was degraded)"}
%

I'm unable to log in to Kibana, with the following banner:

Username or password is incorrect. Please try again.

I have checked the connectivity from within the container to my Elasticsearch cluster (using ca, cert and key): everything works without any issues, yet I'm getting 401 in the logs when I try to log in via Kibana using valid credentials:

% docker compose logs --tail 2
kibana  | {"type":"log","@timestamp":"2022-07-07T19:03:07+00:00","tags":["info","plugins","security","routes"],"pid":7,"message":"Logging in with provider \"basic\" (basic)"}
kibana  | {"type":"response","@timestamp":"2022-07-07T19:03:07+00:00","tags":[],"pid":7,"method":"post","statusCode":401,"req":{"url":"/internal/security/login","method":"post","headers":{"host":"X.X.X:5601","connection":"keep-alive","content-length":"175","sec-ch-ua":"\"Chromium\";v=\"104\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"104\"","dnt":"1","content-type":"application/json","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36","kbn-version":"7.17.4","sec-ch-ua-platform":"\"macOS\"","accept":"*/*","origin":"https://X.X.X:5601","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://X.X.X:5601/login?next=%2F","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"192.168.128.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36","referer":"https://X.X.X:5601/login?next=%2F"},"res":{"statusCode":401,"responseTime":544,"contentLength":124},"message":"POST /internal/security/login 401 544ms - 124.0B"}

Same (or similar) request as above, however using curl instead:

kibana@67b3beeb0eec:~$ curl --cacert /usr/share/elasticsearch/config/certificates/ca/ca.crt --cert /usr/share/elasticsearch/config/certificates/elastic7/elastic7.crt --key /usr/share/elasticsearch/config/certificates/elastic7/elastic7.key --user "$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" https://X.X.X:5601/internal/security/login -I
HTTP/1.1 401 Unauthorized
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
kbn-name: 7-k111
kbn-license-sig: bbac8ed5bf5514a791ee0acce3c70f1b237713fbd26cae45589ec69398171dfe
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, must-revalidate
content-length: 66
Date: Thu, 07 Jul 2022 19:53:40 GMT
Connection: keep-alive
Keep-Alive: timeout=120

kibana@67b3beeb0eec:~$

Now using the same credentials, however connecting to the Elasticsearch cluster directly (without Kibana):

kibana@519e28384ee2:~$ curl --cacert /usr/share/elasticsearch/config/certificates/ca/ca.crt --cert /usr/share/elasticsearch/config/certificates/elastic7/elastic7.crt --key /usr/share/elasticsearch/config/certificates/elastic7/elastic7.key --user "$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" https://X.X.X:9200 -I
HTTP/2 200 
x-elastic-product: Elasticsearch
content-type: application/json; charset=UTF-8
content-length: 544
x-envoy-upstream-service-time: 9
strict-transport-security: max-age=31536000; includeSubDomains
date: Thu, 07 Jul 2022 19:40:34 GMT
server: istio-envoy

kibana@519e28384ee2:~$ 

My kibana.yml:

% cat ./config/kibana.yml | cut -d\: -f1
elasticsearch
  hosts
  - https
  password
  ssl
    certificateAuthorities
    verificationMode
  username
monitoring
  ui
    container
      elasticsearch
        enabled
server
  host
  name
xpack
  encryptedSavedObjects
    encryptionKey
  license_management
    ui
      enabled
  reporting
    encryptionKey
  security
    authc
      providers
        basic
          basic1
            order
        oidc
          Google
            order
            realm
    encryptionKey
%

Please advise.

I wasn't expecting the --key in the request. To avoid any certificate wonkiness, what happens if you use this:

curl --insecure --user "$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" https://X.X.X:5601/internal/security/login

@xeraa - thank you so much for looking into my topic, I appreciate your time!

Per your request, the command output:

kibana@e2dd07f3bc22:~$ curl --insecure --user "$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD" https://X.X.X:5601/internal/security/login --head
HTTP/1.1 401 Unauthorized
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
kbn-name: kibana
kbn-license-sig: bbac8ed5bf5514a791ee0acce3c70f1b237713fbd26cae45589ec69398171dfe
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, must-revalidate
content-length: 66
Date: Fri, 08 Jul 2022 04:27:11 GMT
Connection: keep-alive
Keep-Alive: timeout=120

kibana@e2dd07f3bc22:~$

And it turned out to be related to mutual TLS authentication between Kibana and Elasticsearch.
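
An added illustration, not part of the original thread: the kibana.yml key outline posted above lists `certificateAuthorities` and `verificationMode` under `elasticsearch.ssl` but no client certificate or key, while the direct curl to port 9200 passed `--cert` and `--key`. Assuming the fix was to have Kibana present that same client certificate (the thread does not show the final config), the `elasticsearch.ssl` block would look like this; the `verificationMode` value and the reuse of the curl `--cacert` path are assumptions.

```yaml
# kibana.yml fragment (added example): only elasticsearch.ssl is shown,
# every other key in the file stays as it is.
elasticsearch:
  ssl:
    # Already present in the posted outline: trust anchor used to verify
    # the certificate served on the Elasticsearch side.
    # Assumption: same CA file that was passed to curl --cacert.
    certificateAuthorities:
      - /usr/share/elasticsearch/config/certificates/ca/ca.crt
    verificationMode: full   # constructed sample value; keep the existing one

    # Absent from the posted outline: the client certificate and private key
    # Kibana presents when the Elasticsearch side requests one (mutual TLS).
    # Paths are the ones passed to curl --cert / --key in the thread; both
    # files must be readable by the kibana user inside the container.
    certificate: /usr/share/elasticsearch/config/certificates/elastic7/elastic7.crt
    key: /usr/share/elasticsearch/config/certificates/elastic7/elastic7.key
```

To confirm that a client certificate is what makes the difference, repeat the direct request to port 9200 from the thread without `--cert` and `--key`. If that request fails while the one with them returns 200, the Elasticsearch side requires a client certificate and Kibana needs the two settings above.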
