Trusted header authentication broken after Upgrade to 5

Hello Guys,

We have a strange behaviour on our Graylog cluster.
For a long time we have been running Graylog 4.0 configured with trusted header authentication, and it worked very well.
After the upgrade to 4.1 the disaster began. We are not able to authenticate against Graylog, or rather Graylog is not using the right header?
I upgraded to 5.1 in the hope that it would then work, but no.


2023-11-07T12:02:54.681+01:00 DEBUG [ModularRealmAuthenticator] Realm [org.graylog2.security.realm.SessionAuthenticator@7a824830] does not support token org.apache.shiro.authc.UsernamePasswordToken - TESTUSER, rememberMe=false (1.2.3.4). Skipping realm.
2023-11-07T12:02:54.681+01:00 DEBUG [ModularRealmAuthenticator] Realm [org.graylog2.security.realm.AccessTokenAuthenticator@3cf8cbc1] does not support token org.apache.shiro.authc.UsernamePasswordToken - TESTUSER, rememberMe=false (1.2.3.4). Skipping realm.
2023-11-07T12:02:54.681+01:00 DEBUG [ModularRealmAuthenticator] Realm [org.graylog2.security.realm.HTTPHeaderAuthenticationRealm@7edb798a] does not support token org.apache.shiro.authc.UsernamePasswordToken - TESTUSER, rememberMe=false (1.2.3.4). Skipping realm.
2023-11-07T12:02:54.782+01:00 WARN [MongoDBAuthServiceBackend] Failed to validate password for user


We use a NetScaler load balancer which adds a header “X-Remote-User” containing the AAA.USER, which is authenticated against TACACS.
Between the load balancer and Graylog there is a local Apache which is configured as a reverse proxy and forwards all needed information.


X-Remote-User: TESTUSER
X-Graylog-Server-URL: https://graylog.sub.domain.tld/
X-Forwarded-For: 1.2.3.9 ← IP from Balancer
X-Forwarded-Host: graylog.sub.domain.tld
X-Forwarded-Server: bogus_host_without_reverse_dns
Connection: Keep-Alive


The trusted header is configured in Graylog.
The user is added locally in Graylog with a different password.
The user TESTUSER was added AFTER the upgrade to 5.1.
If I set the password to the TACACS password, it works against the fallback auth.

  • OS Information:
    Ubuntu 22.04

  • Package Version:
    graylog-server 5.1.8-1

To try to resolve the issue I configured Graylog directly without Apache. Same behaviour.

We have a workaround for this.

Login, authenticated from NetScaler.
After this we see the login dialog from Graylog. You can enter some random data in user/password and press Enter to see the failed login message.

Now press SHIFT+F5 to reload the page and tadaaa, you are logged in.

Any idea?
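The DEBUG lines in the post show the Shiro realm chain rejecting a UsernamePasswordToken one realm at a time, ending with the MongoDB password check. The following script is an added diagnostic aid, not code from the original post or from the Graylog project: it parses log lines of that exact shape, lists which realms skipped the request, which token type they saw, and whether the password fallback then failed. It also checks the client address recorded in the line against a trusted-proxy list, since Graylog only honours the trusted header for requests arriving from an address in its trusted_proxies setting; the sample log, the proxy list and the header name below are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input, in the same shape as the lines quoted in the post.
SAMPLE_LOG = """\
2023-11-07T12:02:54.681+01:00 DEBUG [ModularRealmAuthenticator] Realm [org.graylog2.security.realm.SessionAuthenticator@7a824830] does not support token org.apache.shiro.authc.UsernamePasswordToken - TESTUSER, rememberMe=false (1.2.3.4). Skipping realm.
2023-11-07T12:02:54.681+01:00 DEBUG [ModularRealmAuthenticator] Realm [org.graylog2.security.realm.AccessTokenAuthenticator@3cf8cbc1] does not support token org.apache.shiro.authc.UsernamePasswordToken - TESTUSER, rememberMe=false (1.2.3.4). Skipping realm.
2023-11-07T12:02:54.681+01:00 DEBUG [ModularRealmAuthenticator] Realm [org.graylog2.security.realm.HTTPHeaderAuthenticationRealm@7edb798a] does not support token org.apache.shiro.authc.UsernamePasswordToken - TESTUSER, rememberMe=false (1.2.3.4). Skipping realm.
2023-11-07T12:02:54.782+01:00 WARN [MongoDBAuthServiceBackend] Failed to validate password for user
"""

# Assumed trusted_proxies value for the example; the real one lives in graylog.conf.
EXAMPLE_TRUSTED_PROXIES = ["127.0.0.1/32", "1.2.3.0/24"]

SKIP_RE = re.compile(
    r"^(?P<ts>\S+) DEBUG \[ModularRealmAuthenticator\] "
    r"Realm \[(?P<realm>[\w.]+)@[0-9a-f]+\] does not support token "
    r"(?P<token>[\w.]+) - (?P<user>[^,]+), rememberMe=(?P<remember>\w+) "
    r"\((?P<client>[^)]+)\)\. Skipping realm\.$"
)
PASSWORD_FAIL_RE = re.compile(
    r"^\S+ WARN \[MongoDBAuthServiceBackend\] Failed to validate password"
)


@dataclass
class RealmSkip:
    timestamp: str
    realm: str      # short class name, e.g. HTTPHeaderAuthenticationRealm
    token: str      # short token class name, e.g. UsernamePasswordToken
    user: str
    client: str     # remote address Graylog recorded for the request


def parse_realm_skips(log_text):
    """Extract every 'does not support token ... Skipping realm.' line."""
    skips = []
    for line in log_text.splitlines():
        m = SKIP_RE.match(line)
        if m:
            skips.append(RealmSkip(
                timestamp=m["ts"],
                realm=m["realm"].rsplit(".", 1)[-1],
                token=m["token"].rsplit(".", 1)[-1],
                user=m["user"],
                client=m["client"],
            ))
    return skips


def password_fallback_failed(log_text):
    """True if the MongoDB password backend logged a failed validation."""
    return any(PASSWORD_FAIL_RE.match(l) for l in log_text.splitlines())


def client_is_trusted_proxy(client, trusted_proxies):
    """Check whether the recorded client address falls inside a trusted proxy range."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted_proxies)


def diagnose(log_text, trusted_proxies=EXAMPLE_TRUSTED_PROXIES):
    """Summarise what the realm chain did with the logged authentication attempt."""
    skips = parse_realm_skips(log_text)
    header_skips = [s for s in skips if s.realm == "HTTPHeaderAuthenticationRealm"]
    return {
        "realms_skipped": [s.realm for s in skips],
        "token_types": sorted({s.token for s in skips}),
        # The header realm only ever saw a form-login token in this excerpt.
        "header_realm_saw_only_password_token": bool(header_skips)
        and all(s.token == "UsernamePasswordToken" for s in header_skips),
        "password_fallback_failed": password_fallback_failed(log_text),
        "clients_in_trusted_proxies": {
            s.client: client_is_trusted_proxy(s.client, trusted_proxies) for s in skips
        },
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Reading the result for the quoted excerpt: every realm, including HTTPHeaderAuthenticationRealm, skipped a UsernamePasswordToken, so these four lines describe the form login that fell through to the MongoDB password check, not a header-based login attempt; to see whether the header is being picked up at all, look for lines where the header realm handles a token of another type, and confirm that the address Graylog records for the request is one the trusted_proxies setting covers, because a header arriving from an address outside that list is ignored by design.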

Hey all

I will deploy a completely new machine to verify whether it is an error that occurred because I updated the cluster…

bye
