2014-04-10 04:14 AM
I have an issue with external authentication against Active Directory (10.3 SP2). I mapped an AD user group to the ADMIN role. The group name is in Russian, but I see the entitlement correctly in the UI. I tried using an English group name; that did not solve the issue. After this the user can log in to the UI but does not have access to any appliance (Device 10.10.0.x host LogCollector is unreachable), and when trying to access the Investigation tab receives the message "Failed to retrieve meta keys". Does anybody else have this issue?
2014-04-16 10:51 AM
Just to share my config:
SA UI: AD authentication
Device:
1. External, which is PAM
2. Modify the /etc/pam.d/netwitness file as: auth sufficient pam_krb5.so no_user_check
not the /etc/pam.d/securityanalytics file
3. Create krb5.ini as below:
[root@SA103SP1 etc]# ls krb5.conf
krb5.conf
[root@SA103SP1 etc]# cat krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXCHANGE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXCHANGE.LOCAL = {
    kdc = srv6.exchange.local
}
[domain_realm]
.exchange.local = EXCHANGE.LOCAL
exchange.local = EXCHANGE.LOCAL
4. Testing krb5.ini:
[root@SA103SP1 etc]# kinit administrator@EXCHANGE.LOCAL
Password for administrator@EXCHANGE.LOCAL:
No output means ok.
Can you try again?
2014-04-11 11:12 AM
Did you create the device user?
The SA UI needs to map to a device user.
2014-04-11 12:37 PM
Do I need to create (replicate) each domain user on each appliance? I did this for one user (mapped to the administrator group on the appliance) and then tried to log on, but nothing changed. I don't think this is the official way to use domain authentication. If the appliance connects to the Analytics Server without SSL, domain users' passwords will not be secure.
2014-04-11 01:15 PM
You have the option to enable SSL for all the appliances.
For the device user, are you using external? If yes, you need to enable PAM.
2014-04-12 04:53 AM
SSL does not work on all devices by default. I do not have an SSL connection to the (Log) Decoder/Concentrator. What should I do to use SSL on all devices?
Do I need to enable PAM? I use external authentication with Active Directory...
2014-04-12 07:48 AM
For the device users, if you use netwitness, then you should be able to connect; I don't have any issue.
What I mean is, if you need it, you can enable it for all the devices.
Device users can also use AD authentication, but via PAM.
Thank you.
2014-04-12 10:31 AM
I used this guide: https://sadocs.emc.com/0_en-us/095_10.3_User_Guide/20_System_Security_and_User_Management/00_Security_Config_Checklist/C…
1. Create user d.smith and choose external authentication, group administrators.
2. Configure the PAM module (Kerberos) on my Log Concentrator (all 4 steps).
3. Try to connect as user d.smith via the UI and receive the message:
You are not authorized for this device.
2014-04-16 01:45 AM
For the device users, can you use netwitness auth first to see whether you can connect or not? I don't have this issue. Also, can you check the log? Does it say wrong password?
2014-04-16 01:50 AM
If I use netwitness authentication on the device, everything works fine. But that is not a solution for me. I need to use external authentication from Active Directory. Which logs do I need to look at when I use external authentication?
2014-04-16 07:25 AM
Good Morning Hubba900,
For external auth to work, it is correct that each machine needs PAM installed and configured correctly. Do you have a krb5.conf in your /etc?
If so, make sure that all your domains are set up correctly in the file.
Mine looks like this.
[seandko@avsesa-rsasa-log-p01 etc]$ cat krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_realm = STAFF.xxxx.COM
[realms]
STAFF.xxxx.COM = {
    kdc = 10.x.x.x
    admin_server = 10.x.x.x
}
[domain_realm]
staff.xxxx.com = STAFF.xxxx.COM
.staff.xxxx.com = STAFF.xxxx.COM