Active Directory Authentication not working in 5.1

jrichstein · May 25, 2023, 1:06pm

1. Describe your incident:
I’m running Graylog with Active Directory Authentication since at least version 4.2. A few days ago I upgraded to version 5.1 (from 5.0). After that I can not login anymore using a user from the AD. Users not associate with the AD can login.

Using the login form the error message is:
Error - the server returned: 503 - There was an error fetching a resource: Service Unavailable. Additional information: Authentication service unavailable

Using the “Test Server connection” in System/Authentication the message is:

There was an error fetching a resource: Bad Request. Additional information: Unable to map property email_attributes. Known properties include: servers, verify_certificates, user_search_base, transport_security, type, user_name_attribute, user_search_pattern, system_user_dn, system_user_password, user_full_name_attribute
false

The AD is available, I have no problems to login via AD from other services.

The connection is using TLS on port 636, the Certificate is not verified. I checked that System User DN and Password are correct.

2. Describe your environment:
Ubuntu 20.04, Graylog 5.1 Enterprise

Does anyone have advice for me?

patrickmann · May 26, 2023, 7:22am

Can you delete the definition of the AD authentication in GL and recreate it? Does the issue still persist?

jrichstein · May 30, 2023, 10:36am

No, I can not delete the AD authentication, the error message is “Authentication service backend <…> is still in use”. I think that is because some users are still bound to it.

However, I disabled the service and tried to create a new one. The connection still does not work, the message in Graylog is

An error occurred while attempting to connect to server hellabrunn2015.softdecc.com:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage=‘An error occurred while attempting to establish a connection to server …:636: SocketException(Connection reset), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28’))"

while in our AD the messages are

Additional Data
Error value:
2148074289 The client and server cannot communicate, because they do not possess a common algorithm.
Internal ID: c05086b

Additional Data
Error value:
3 The system cannot find the path specified.
Internal ID:
c0605fa

Some Ciphers are not allowed in our AD (RC*), some protocols are not allowed (SSL, TLS1.0), MD5 as Hash is not allowed and TLS1.3 is not available (Windows Server 2019). But that should not make a connection impossible - and it worked with GL before.

patrickmann · May 30, 2023, 11:56am

We did disable a couple of weak ciphers in 5.1: Filter out weak TLS ciphers · Issue #14428 · Graylog2/graylog2-server · GitHub

Ideally you’d trace the handshake messages and see what exactly the client is offering.

jrichstein · May 30, 2023, 2:11pm

I do not get it…the Client-Handshake sends

“ClientHello”: {
“client version” : “TLSv1.2”,
“random” : “…”,
“session id” : “…”,
“cipher suites” : “[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]”,

several of the cipher suites should match (1th and 2th, for example). Graylog does not receive an answer, instead it receives an

java.net.SocketException: Connection reset

cttjern · May 30, 2023, 9:59pm

Having the same problem. Using a local user, I was able to create a new Active Directory authentication that worked. Afterward I even tried to copy all the fields to the old one and the old one still didn’t work.

However, there is still a problem. The email attribute is not getting synced. Therefore the email filed is getting filled in with “unknown@unknown.invalid.” I suspect the original problem didn’t have to do with the ciphers. Afterall, the original error said: “Unable to map property email_attributes.”

Anyway to enable the email attribute to sync? Or someway to manually correct?

patrickmann · May 31, 2023, 6:35am

Regarding the email attribute: 5.1 made the LDAP email attribute configurable. Previously it was hardcoded. Looks like that introduced a regression with AD syncing.
I created a high pri issue - stay tuned.

github.com/Graylog2/graylog2-server

AD authentication backend cannot sync users in 5.1

opened 06:52AM - 31 May 23 UTC

patrickmann

bug severe

https://community.graylog.org/t/active-directory-authentication-not-working-in-5…-1/28929 > I’m running Graylog with Active Directory Authentication since at least version 4.2. A few days ago I upgraded to version 5.1 (from 5.0). After that I can not login anymore using a user from the AD. Users not associate with the AD can login. > > Using the login form the error message is: > Error - the server returned: 503 - There was an error fetching a resource: Service Unavailable. Additional information: Authentication service unavailable > > Using the “Test Server connection” in System/Authentication the message is: > > There was an error fetching a resource: Bad Request. Additional information: Unable to map property email_attributes. Known properties include: servers, verify_certificates, user_search_base, transport_security, type, user_name_attribute, user_search_pattern, system_user_dn, system_user_password, user_full_name_attribute > false ## Possible Solution 5.1 introduced configurable email attribute for LDAP. Since AD shares some of the code with LDAP, this included changes to AD authentication backend. Guessing the problem is this: https://github.com/Graylog2/graylog2-server/blob/e3b1f04db87ea81347b07fc7f1039038ced5130f/graylog2-server/src/main/java/org/graylog/security/authservice/backend/ADAuthServiceBackend.java#L153 ## Context Users can no longer log in after upgrading to 5.1 ## Your Environment * Graylog Version: 5.1

github.com/Graylog2/graylog2-server

Add support for configuring which attribute to look for the email under ldap

opened 09:30PM - 09 Aug 21 UTC

closed 02:44PM - 29 Dec 22 UTC

paladox

bug triaged

## Expected Behavior You should be able to configure the attribute to look for …the email under ldap. ## Current Behavior I presume it looks for a default email attribute or maybe doesn't even look for one? It's currently defaulting to unknown@unknown.invalid. ## Possible Solution ## Steps to Reproduce (for bugs) 1. Setup ldap 2. Setup ldap configuation 3. Login as a user in ldap 4. View /system/users and look at the email column. ## Context ## Your Environment * Graylog Version: 4.1.2+20cd592 * Java Version: openjdk 11.0.12 2021-07-20 * Elasticsearch Version: 7.13.4 * MongoDB Version: 4.4.7 * Operating System: debian 10 * Browser version: 92.0.4515.131

https://go2docs.graylog.org/5-1/changelogs/changelog.html#Graylog510

gsgmc · May 31, 2023, 12:17pm

Good day. I am also experiencing the same issue. Logs, for reference, below:

2023-05-31T12:03:36.563Z ERROR [LDAPAuthServiceBackend] LDAP error
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server servername.domainname.com:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server servername.domainname.com/10.10.10.10:636:  SSLHandshakeException(Received fatal alert: handshake_failure), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28'))
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:915) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:802) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:740) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:560) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:329) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:688) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:592) ~[graylog.jar:?]
        at org.graylog.security.authservice.ldap.UnboundLDAPConnector.connect(UnboundLDAPConnector.java:130) ~[graylog.jar:?]
        at org.graylog.security.authservice.backend.LDAPAuthServiceBackend.authenticateAndProvision(LDAPAuthServiceBackend.java:74) ~[graylog.jar:?]
        at org.graylog.security.authservice.AuthServiceAuthenticator.authenticate(AuthServiceAuthenticator.java:102) ~[graylog.jar:?]
        at org.graylog.security.authservice.AuthServiceAuthenticator.authenticate(AuthServiceAuthenticator.java:65) ~[graylog.jar:?]
        at org.graylog2.security.realm.UsernamePasswordRealm.doGetAuthenticationInfo(UsernamePasswordRealm.java:93) ~[graylog.jar:?]
        at org.graylog2.security.realm.UsernamePasswordRealm.doGetAuthenticationInfo(UsernamePasswordRealm.java:71) ~[graylog.jar:?]
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571) ~[graylog.jar:?]
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:225) ~[graylog.jar:?]
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:275) ~[graylog.jar:?]
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) ~[graylog.jar:?]
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) ~[graylog.jar:?]
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:275) ~[graylog.jar:?]
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) ~[graylog.jar:?]
        at org.graylog2.shared.security.SessionCreator.login(SessionCreator.java:87) ~[graylog.jar:?]
        at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:142) ~[graylog.jar:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:134) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:177) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:81) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684) [graylog.jar:?]
        at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
        at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
        at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server servername.domainname.com/10.10.10.10:636:  SSLHandshakeException(Received fatal alert: handshake_failure), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28')
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:204) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:904) ~[graylog.jar:?]
        ... 48 more
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server servername.domainname.com/10.10.10.10:636:  SSLHandshakeException(Received fatal alert: handshake_failure), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28
        at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:287) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:185) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:904) ~[graylog.jar:?]
        ... 48 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
        at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:358) ~[?:?]
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:204) ~[?:?]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
        at com.unboundid.util.ssl.SetEnabledProtocolsAndCipherSuitesSocket.startHandshake(SetEnabledProtocolsAndCipherSuitesSocket.java:926) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:173) ~[graylog.jar:?]
2023-05-31T12:03:36.566Z INFO  [SessionCreator] Session creation failed due to authentication service being unavailable. Actor: "urn:graylog:user:username"

gsgmc · May 31, 2023, 1:32pm

An update: enabling TLS1.1 as an available protocol has allowed us to authenticate. That being said, we do not permit TLS1.1 in our environment, so this fix is temporary until Graylog determines a permanent resolution.

In case it helps anyone else, please try:

root@graylogserver:/etc/graylog/server# ack tls server.conf
enabled_tls_protocols = TLSv1.1,TLSv1.2,TLSv1.3

jrichstein · May 31, 2023, 1:52pm

Thanks, thats works for us as well - creating a new new AD-Service. It does not make the older service work. In that case the “email_attributes” problem is still there.

cttjern · May 31, 2023, 8:31pm

Allowing TLSv1.1 didn’t work for me. Hopefully, this will get corrected in the next update.

@patrickmann: I don’t understand. If the ability to configure email was added in 5.1, why is there no where to configure it? And why isn’t Graylog picking up the email from Active Directory?

Thank you.

patrickmann · May 31, 2023, 8:45pm

The configurable email attribute was introduced for LDAP, not AD. AD should not have been affected but there was an unintended side effect.

The TLS errors seem unrelated.

cttjern · May 31, 2023, 8:58pm

Got it. Thank you for the clarification.

system · June 14, 2023, 8:58pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

mpfz0r · July 31, 2023, 1:37pm

@jrichstein
can you run this in a Powershell on your win 2019 server?
(Get-TlsCipherSuite).Name

Topic		Replies	Views
Authentication Service TLS (Windows Active Directory) Graylog Central (peer support)	5	681	January 25, 2024
ldap/Active Diirectory authentication start failing after a few days Graylog Central (peer support)	1	366	July 22, 2019
New Install - AD Failing Graylog Central (peer support)	14	2035	October 6, 2021
Cannot connect graylog to LDAPS Graylog Central (peer support)	2	245	April 26, 2024
Unable to connect to Active Directory Graylog Central (peer support)	4	751	November 5, 2021

Active Directory Authentication not working in 5.1

Related topics