Active Directory Authentication not working in 5.1

1. Describe your incident:
I’m running Graylog with Active Directory Authentication since at least version 4.2. A few days ago I upgraded to version 5.1 (from 5.0). After that I can not login anymore using a user from the AD. Users not associate with the AD can login.

Using the login form the error message is:
Error - the server returned: 503 - There was an error fetching a resource: Service Unavailable. Additional information: Authentication service unavailable

Using the “Test Server connection” in System/Authentication the message is:

  • There was an error fetching a resource: Bad Request. Additional information: Unable to map property email_attributes. Known properties include: servers, verify_certificates, user_search_base, transport_security, type, user_name_attribute, user_search_pattern, system_user_dn, system_user_password, user_full_name_attribute
  • false

The AD is available, I have no problems to login via AD from other services.

The connection is using TLS on port 636, the Certificate is not verified. I checked that System User DN and Password are correct.

2. Describe your environment:
Ubuntu 20.04, Graylog 5.1 Enterprise

Does anyone have advice for me?

Can you delete the definition of the AD authentication in GL and recreate it? Does the issue still persist?

No, I can not delete the AD authentication, the error message is “Authentication service backend <…> is still in use”. I think that is because some users are still bound to it.

However, I disabled the service and tried to create a new one. The connection still does not work, the message in Graylog is

  • An error occurred while attempting to connect to server hellabrunn2015.softdecc.com:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage=‘An error occurred while attempting to establish a connection to server …:636: SocketException(Connection reset), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28’))"

while in our AD the messages are

Additional Data
Error value:
2148074289 The client and server cannot communicate, because they do not possess a common algorithm.
Internal ID: c05086b

Additional Data
Error value:
3 The system cannot find the path specified.
Internal ID:
c0605fa

Some Ciphers are not allowed in our AD (RC*), some protocols are not allowed (SSL, TLS1.0), MD5 as Hash is not allowed and TLS1.3 is not available (Windows Server 2019). But that should not make a connection impossible - and it worked with GL before.

We did disable a couple of weak ciphers in 5.1: Filter out weak TLS ciphers · Issue #14428 · Graylog2/graylog2-server · GitHub

Ideally you’d trace the handshake messages and see what exactly the client is offering.

I do not get it…the Client-Handshake sends

“ClientHello”: {
“client version” : “TLSv1.2”,
“random” : “…”,
“session id” : “…”,
“cipher suites” : “[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]”,

several of the cipher suites should match (1th and 2th, for example). Graylog does not receive an answer, instead it receives an

java.net.SocketException: Connection reset

Having the same problem. Using a local user, I was able to create a new Active Directory authentication that worked. Afterward I even tried to copy all the fields to the old one and the old one still didn’t work.

However, there is still a problem. The email attribute is not getting synced. Therefore the email filed is getting filled in with “unknown@unknown.invalid.” I suspect the original problem didn’t have to do with the ciphers. Afterall, the original error said: “Unable to map property email_attributes.”

Anyway to enable the email attribute to sync? Or someway to manually correct?

Regarding the email attribute: 5.1 made the LDAP email attribute configurable. Previously it was hardcoded. Looks like that introduced a regression with AD syncing.
I created a high pri issue - stay tuned.

https://go2docs.graylog.org/5-1/changelogs/changelog.html#Graylog510

1 Like

Good day. I am also experiencing the same issue. Logs, for reference, below:

2023-05-31T12:03:36.563Z ERROR [LDAPAuthServiceBackend] LDAP error
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server servername.domainname.com:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server servername.domainname.com/10.10.10.10:636:  SSLHandshakeException(Received fatal alert: handshake_failure), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28'))
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:915) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:802) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:740) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:560) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:329) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:688) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:592) ~[graylog.jar:?]
        at org.graylog.security.authservice.ldap.UnboundLDAPConnector.connect(UnboundLDAPConnector.java:130) ~[graylog.jar:?]
        at org.graylog.security.authservice.backend.LDAPAuthServiceBackend.authenticateAndProvision(LDAPAuthServiceBackend.java:74) ~[graylog.jar:?]
        at org.graylog.security.authservice.AuthServiceAuthenticator.authenticate(AuthServiceAuthenticator.java:102) ~[graylog.jar:?]
        at org.graylog.security.authservice.AuthServiceAuthenticator.authenticate(AuthServiceAuthenticator.java:65) ~[graylog.jar:?]
        at org.graylog2.security.realm.UsernamePasswordRealm.doGetAuthenticationInfo(UsernamePasswordRealm.java:93) ~[graylog.jar:?]
        at org.graylog2.security.realm.UsernamePasswordRealm.doGetAuthenticationInfo(UsernamePasswordRealm.java:71) ~[graylog.jar:?]
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571) ~[graylog.jar:?]
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:225) ~[graylog.jar:?]
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:275) ~[graylog.jar:?]
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) ~[graylog.jar:?]
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) ~[graylog.jar:?]
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:275) ~[graylog.jar:?]
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) ~[graylog.jar:?]
        at org.graylog2.shared.security.SessionCreator.login(SessionCreator.java:87) ~[graylog.jar:?]
        at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:142) ~[graylog.jar:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:134) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:177) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:81) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684) [graylog.jar:?]
        at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
        at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
        at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server servername.domainname.com/10.10.10.10:636:  SSLHandshakeException(Received fatal alert: handshake_failure), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28')
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:204) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:904) ~[graylog.jar:?]
        ... 48 more
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server servername.domainname.com/10.10.10.10:636:  SSLHandshakeException(Received fatal alert: handshake_failure), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28
        at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:287) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:185) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:904) ~[graylog.jar:?]
        ... 48 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
        at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:358) ~[?:?]
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:204) ~[?:?]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
        at com.unboundid.util.ssl.SetEnabledProtocolsAndCipherSuitesSocket.startHandshake(SetEnabledProtocolsAndCipherSuitesSocket.java:926) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:173) ~[graylog.jar:?]
2023-05-31T12:03:36.566Z INFO  [SessionCreator] Session creation failed due to authentication service being unavailable. Actor: "urn:graylog:user:username"

An update: enabling TLS1.1 as an available protocol has allowed us to authenticate. That being said, we do not permit TLS1.1 in our environment, so this fix is temporary until Graylog determines a permanent resolution.

In case it helps anyone else, please try:

root@graylogserver:/etc/graylog/server# ack tls server.conf
enabled_tls_protocols = TLSv1.1,TLSv1.2,TLSv1.3

Thanks, thats works for us as well - creating a new new AD-Service. It does not make the older service work. In that case the “email_attributes” problem is still there.

Allowing TLSv1.1 didn’t work for me. Hopefully, this will get corrected in the next update.

@patrickmann: I don’t understand. If the ability to configure email was added in 5.1, why is there no where to configure it? And why isn’t Graylog picking up the email from Active Directory?

Thank you.

The configurable email attribute was introduced for LDAP, not AD. AD should not have been affected but there was an unintended side effect.

The TLS errors seem unrelated.

Got it. Thank you for the clarification.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

@jrichstein
can you run this in a Powershell on your win 2019 server?
(Get-TlsCipherSuite).Name