2017-01-11 02:38 PM
We've just configured AD authentication within NetWitness. It works great from the web client; however, when we try to log in with NW Investigator, we get an invalid username/password error.
Is AD authentication supported with the thick client?
2017-01-11 03:22 PM
Yes, but it is set up separately from the NetWitness UI (SA) web client. I have attached the document we use for configuring AD authentication on the CORE devices (the thick client bypasses the web server authentication). Note that all users for thick client authentication will need to have accounts on the Broker itself (on the Broker Security page), be set to use External authentication, and be assigned the proper group (role) on the core device.
2017-01-11 04:26 PM
Thanks for the help! I encountered an issue, though. I ran through the document and it looks like I was missing pam_krb5. I got the error "Authentication module /lib64/security/pam_krb5.so is missing. Authentication process might not work correctly." during the install. I installed it afterwards using yum, but kinit keeps coming up as an unknown command.
2017-01-11 04:35 PM
For Kerberos authentication you need:
pam-krb5
krb5-libs
krb5-workstation
They should all be in the yum repo.
2017-01-11 05:06 PM
That fixed that. I can verify that I can authenticate using kinit.
Adding the user to the external group: I'm assuming you mean External Group Mapping? We have that all set up already, for the web authentication. It still isn't working, though; the error logs show that it's failing for an unknown user.
I'm using the format 'username @ domain' for the login field in Investigator, which is the same format I use when verifying it with kinit.
2017-01-11 05:17 PM
Did you modify the "netwitness" file on the broker?
Did you add the user to the Security page of the broker? (Note: users in the UI will not work for external authentication via the thick client.)
Since the domain is already configured in the Kerberos realm, you shouldn't need to put user@domain.
2017-01-11 05:27 PM
I modified the netwitness file in /etc/pam.d/
[root@nwd2rsamgmt pam.d]# vi netwitness
##
## This configuration file configures NetWitness to use PAM login modules
## for authentication when setting the External Auth Type option for Netwitness User Accounts.
## For more information see the Linux-PAM System Administrators Guide
## http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
##
## Sample of standard UNIX authentication
##
##auth required pam_unix.so
##account required pam_deny.so
##password required pam_deny.so
##session required pam_deny.so
auth required pam_krb5.so no_user_check
I've added my account in the Users tab under Security on the broker. I've checked the External box. My account is a member of an AD group that I have added in the External Group Mapping for Administrators.
I've tried without the 'user @ domain' format as well.
Thanks!
2017-01-11 06:49 PM
When you create the user on the Broker Security tab, you have to manually add it to a group; the mapped groups do not work at the core level. That is only for the web UI trusted authentication model.
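A preflight script for the Broker-side part of this procedure, added here as an example (mine, not from the thread or from RSA). It checks the three rpms named above, the pam_krb5.so module path from the install-time error, an active auth line in /etc/pam.d/netwitness, the default_realm in /etc/krb5.conf, and optionally runs kinit into a throwaway credential cache for a given login so no ticket is left on the Broker. The paths, the rpm names and the sample config text in the tests are assumptions taken from the thread. It cannot check the Broker Security page itself; that part (user exists, External checked, group assigned directly) is done in the UI.

```python
#!/usr/bin/env python3
"""Preflight checks for pam_krb5 external authentication on a NetWitness core device.

Added example, not the thread's or RSA's own code. Paths and rpm names below are
assumptions taken from the thread (module path from the install-time error, rpm
names from the reply, which spells the first one pam-krb5).
"""
import os
import re
import shutil
import subprocess
import sys
import tempfile

PAM_FILE = "/etc/pam.d/netwitness"            # service file edited in the thread (assumed path)
PAM_MODULE = "/lib64/security/pam_krb5.so"    # path named in the install-time error
KRB5_CONF = "/etc/krb5.conf"
REQUIRED_PKGS = ("pam_krb5", "krb5-libs", "krb5-workstation")

_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Active (uncommented) entries of a PAM service file as (type, control, module, [args]).
    The '##auth ...' sample lines in the shipped file are comments and are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _PAM_LINE.match(line) if line else None
        if m:
            entries.append((m.group(1).lower(), m.group(2), m.group(3), m.group(4).split()))
    return entries


def pam_problems(text):
    """Problems that would make thick-client logins fail for every user. Empty list = looks right."""
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    krb = [e for e in auth if os.path.basename(e[2]) == "pam_krb5.so"]
    problems = []
    if not krb:
        return ["no active 'auth ... pam_krb5.so' line"]
    if not any("no_user_check" in e[3] for e in krb):
        problems.append("pam_krb5.so lacks no_user_check (the documented line uses it; "
                        "without it pam_krb5 looks the user up in the local passwd database)")
    # General PAM rule: every 'required'/'requisite' module in the stack must succeed, so a
    # leftover 'auth required pam_unix.so' from the sample would demand a local Unix
    # password for each NetWitness user on top of the Kerberos one.
    others = [e for e in auth if e not in krb and e[1] in ("required", "requisite")]
    if others:
        problems.append("other required auth modules are stacked: " + ", ".join(e[2] for e in others))
    return problems


def default_realm(krb5_text):
    """default_realm from the [libdefaults] section of krb5.conf, or None if absent."""
    section = None
    for raw in krb5_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "default_realm":
                return val
    return None


def principal_for(login, realm):
    """Principal to hand to kinit. As the thread notes, the realm comes from krb5.conf,
    so a bare login is enough; an explicit user@REALM is kept as typed."""
    if "@" in login:
        return login
    if not realm:
        raise ValueError("no default_realm in krb5.conf and no realm in the login name")
    return f"{login}@{realm}"


def missing_packages(installed=None):
    """Required rpms that are not installed. installed(pkg) -> bool is injectable for tests;
    the default asks rpm -q."""
    if installed is None:
        def installed(pkg):
            return shutil.which("rpm") is not None and subprocess.run(
                ["rpm", "-q", pkg], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
            ).returncode == 0
    return [p for p in REQUIRED_PKGS if not installed(p)]


def kinit_check(principal):
    """Interactive kinit (prompts for the password) into a throwaway cache, then kdestroy,
    so the check leaves no ticket behind. True if the KDC accepted the credentials."""
    if shutil.which("kinit") is None:
        return False
    fd, path = tempfile.mkstemp(prefix="nwkrb5-")
    os.close(fd)
    cache = f"FILE:{path}"
    try:
        return subprocess.run(["kinit", "-c", cache, principal]).returncode == 0
    finally:
        subprocess.run(["kdestroy", "-c", cache], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if os.path.exists(path):
            os.unlink(path)


def main(argv):
    """Run the live checks; pass a login name to also exercise kinit. Exit 1 on any problem."""
    rc = 0
    miss = missing_packages()
    if miss:
        print(f"missing packages: {' '.join(miss)}  (yum install {' '.join(miss)})")
        rc = 1
    if not os.path.exists(PAM_MODULE):
        print(f"missing PAM module: {PAM_MODULE}")
        rc = 1
    try:
        with open(PAM_FILE) as f:
            for p in pam_problems(f.read()):
                print(f"{PAM_FILE}: {p}")
                rc = 1
        with open(KRB5_CONF) as f:
            realm = default_realm(f.read())
    except OSError as e:
        print(f"cannot read config: {e}")
        return 1
    if not realm:
        print(f"{KRB5_CONF}: no default_realm in [libdefaults]")
        rc = 1
    if len(argv) > 1 and rc == 0:
        principal = principal_for(argv[1], realm)
        ok = kinit_check(principal)
        print(f"kinit {'OK' if ok else 'FAILED'} for {principal}")
        rc = 0 if ok else 1
    print("Broker side: the user must also exist on the Security page, be marked External, and be "
          "put in a group there directly; UI group mappings are not applied on the core device.")
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the Broker as root, for example `python3 nw_krb5_preflight.py jdoe`; it prompts for the password only when the static checks pass. The no_user_check and stacked-module warnings are general PAM behaviour rather than something the thread discusses: a `required` module that fails fails the whole auth stack, so anything left active next to pam_krb5.so has to succeed too.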
2018-02-22 02:07 PM
Thanks, everyone. We recently had to rebuild our Broker and had this exact issue. This procedure solved our problem. Please add this to the official documentation.