Active Directory SSO "half" working

frenchviking
Posts: 8
Joined: Tue Jun 07, 2016 10:47 am

Active Directory SSO "half" working

Post by frenchviking »

Hello,

I have set up Active Directory integrated authentication for users. My Apache logs tell me that users get successfully authenticated against the domain, but when I browse to Nagios XI I desperately stay on the login page.

I have configured Internet Explorer settings to set my local domain as local intranet and told IE to use automatic connection for this zone (default setting).
My users have been configured using the LDAP/AD wizard. LDAP / Active Directory Integration Configuration is fine.

Where should I look?

Thank you.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Active Directory SSO "half" working

Post by rkennedy »

So after you log in, does the login page just refresh then or are you presented with an error message? Do you see the same thing occur if you try a different browser?

Any additional information will help, including screenshots if possible.
Former Nagios Employee
frenchviking
Posts: 8
Joined: Tue Jun 07, 2016 10:47 am

Re: Active Directory SSO "half" working

Post by frenchviking »

Hello,

I have the same behavior with Chrome or Edge. When I browse to http://myserver.mydomain.net Apache authenticates me:
xx.xx.xx.xx - - [08/Jun/2016:08:45:51 +0200] "GET /nagiosxi HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
xx.xx.xx.xx - [MY_AD_sAMAccountName]@[MYDOMAIN_FQDN] [08/Jun/2016:08:45:51 +0200] "GET /nagiosxi HTTP/1.1" 301 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
xx.xx.xx.xx - [MY_AD_sAMAccountName]@[MYDOMAIN_FQDN] [08/Jun/2016:08:45:51 +0200] "GET /nagiosxi/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
xx.xx.xx.xx - [MY_AD_sAMAccountName]@[MYDOMAIN_FQDN] [08/Jun/2016:08:45:52 +0200] "GET /nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1 HTTP/1.1" 200 20672 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
What is weird is that after the HTTP 401 I'm correctly authenticated, then redirected with a 301, then a 302, and Nagios redirects me to the page /nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1

On the browser side, I end up on the login page (here the credentials are filled in because I previously told Chrome to save them, but in Edge it's empty)

Image

Here are my Internet Options settings:

Set my domain to the Intranet zone
Image

Zone is configured to allow automatic use of current credentials
Image

Integrated Windows authentication activated
Image

Hope I have been clear enough :)

Thank you.
frenchviking
Posts: 8
Joined: Tue Jun 07, 2016 10:47 am

Re: Active Directory SSO "half" working

Post by frenchviking »

Hello,

When I browse to the Nagios page, I am correctly authenticated against Active Directory and the Apache log confirms it:
xx.xx.xx.xx - - [08/Jun/2016:11:35:07 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
xx.xx.xx.xx - - [08/Jun/2016:11:35:07 +0200] "GET /nagiosxi/login.php?redirect=/index.php%3f&noauth=1 HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
xx.xx.xx.xx - [sAMAccountName]@[DOMAIN_FQDN] [08/Jun/2016:11:35:07 +0200] "GET /nagiosxi/login.php?redirect=/index.php%3f&noauth=1 HTTP/1.1" 200 20066 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"
But then I land on the Nagios login page:

Image

If I give my Active Directory credentials I can log in, so the AD communication is OK. Strange thing: once logged in I can see the "Logout" option in the top right corner, but if I click it I receive an error page:
Error: You cannot logout when using HTTP Basic Authentication.
Then I can navigate anywhere; the logout option has disappeared! Another weird thing, on the admin page, "Monitoring Engine Status":

Image

And I cannot apply any new configuration.

Once I disable Kerberos authentication, everything works as expected and the Monitoring Engine Status page displays correctly.

I guess I have an issue with my Apache/Kerberos configuration. My Nagios is available at a URL like http://websiteurl.domainfqdn/nagiosxi

Here is my Apache conf:

<VirtualHost *:80>
  ServerName websiteurl.domainfqdn

  DirectoryIndex index.php
  DocumentRoot /usr/local/nagiosxi/html

  <Directory "/usr/local/nagiosxi/html">
    #SSLRequireSSL
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    #Order deny,allow
    #Deny from all
    #Allow from 127.0.0.1
    #AuthName "Nagios XI"
    #AuthType Basic
    #AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
    #Require valid-user
    Require all granted
  </Directory>

  <Location /nagiosxi>
    AuthName "Nagiox XI"
    KrbMethodNegotiate On
    KrbAuthoritative On
    KrbMethodK5Passwd Off
    KrbAuthRealms DOMAIN.FQDN
    AuthType Kerberos
    require valid-user
    KrbServiceName HTTP/[email protected]
    Krb5KeyTab /etc/httpd/conf.d/nagiosxi.ktab
    Alias /nagiosxi "/usr/local/nagiosxi/html"

    <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule nagiosxi/api/v1/(.*)$ /usr/local/nagiosxi/html/api/v1/index.php?request=$1 [QSA,NC,L]
    </IfModule>

    ErrorLog /var/log/httpd/nagiosxi.error_log
    CustomLog /var/log/httpd/nagiosxi.access_log combined

</VirtualHost>
</Location>

Thank you for the support!
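
The symptom in the two access-log excerpts above can be found mechanically: a request that Apache logged with an authenticated user name, yet answered with 200 for login.php. The following is an added example, not part of the original posts; the sample lines, client addresses and the account name jdoe@EXAMPLE.NET are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_sso_fallbacks(lines, login_suffix="/login.php"):
    """Return requests where Apache logged an authenticated user (set by the
    Kerberos auth module) but the application still served its login form."""
    challenged = set()  # clients that got a 401 challenge while anonymous
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        host, user, status = m["host"], m["user"], int(m["status"])
        url = urlsplit(m["target"])
        if user == "-":
            if status == 401:
                challenged.add(host)
            continue
        if status == 200 and url.path.endswith(login_suffix):
            findings.append({
                "host": host,
                "user": user,
                "time": m["time"],
                "after_401": host in challenged,
                # where the application wanted to send the user after login
                "redirect": parse_qs(url.query).get("redirect", [""])[0],
            })
    return findings

# Constructed sample modelled on the excerpts in this thread (addresses,
# account name and user agent are placeholders).
SAMPLE = [
    '192.0.2.10 - - [08/Jun/2016:08:45:51 +0200] "GET /nagiosxi HTTP/1.1" 401 381 "-" "UA"',
    '192.0.2.10 - jdoe@EXAMPLE.NET [08/Jun/2016:08:45:51 +0200] "GET /nagiosxi HTTP/1.1" 301 248 "-" "UA"',
    '192.0.2.10 - jdoe@EXAMPLE.NET [08/Jun/2016:08:45:51 +0200] "GET /nagiosxi/ HTTP/1.1" 302 - "-" "UA"',
    '192.0.2.10 - jdoe@EXAMPLE.NET [08/Jun/2016:08:45:52 +0200] "GET /nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1 HTTP/1.1" 200 20672 "-" "UA"',
    '192.0.2.11 - - [08/Jun/2016:08:46:00 +0200] "GET /nagiosxi/login.php HTTP/1.1" 200 20672 "-" "UA"',
]

if __name__ == "__main__":
    for finding in find_sso_fallbacks(SAMPLE):
        print(finding)
```

An anonymous visitor who simply opens the login page (the last sample line) is not reported; only requests carrying an authenticated user name are.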
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Active Directory SSO "half" working

Post by tmcdonald »

One thing that was pointed out by one of our developers is that your </VirtualHost> and </Location> tags should be swapped in your Apache config. Aside from that, nobody here can say for certain that XI was designed for SSO. We certainly don't have any documentation we could give, and it hasn't been tested in-house. From a support perspective if I had to make the call I would say it is not something we can assist with.

Turns out there were some Apache configs that have been commented out for *ages* in /etc/httpd/conf.d/nagiosxi.conf that can be uncommented:

Code: Select all

   AuthName "Nagios XI"
   AuthType Basic
   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
   Require valid-user

Uncomment those and restart Apache. You also need to change /usr/local/nagiosxi/html/config.inc.php like so:

Code: Select all

// HTTP BASIC AUTHENTICATION INFO -- USED BY SUBSYSTEM
$cfg['use_basic_authentication'] = true; // is HTTP Basic authentication being used? if so, set the two variables below...
$cfg['subsystem_basic_auth_username'] = 'nagiosxi'; // subsystem credentials
$cfg['subsystem_basic_auth_password'] = 'somepassword';

Then you should be able to use http://username:[email protected]/ ... /login.php to log in. Should help with your SSO troubles, but this is something we just kinda stumbled upon when one of the devs who has been around longer chimed in. I saw the same issues you did, with the "No output from backend" error message, so we'll probably have to do some updates to get it fully working. For example, we'll need to test and see what the password in the above config needs to be set to - my testing did not fix the errors and I tried a few different passes, so it'll be some time.

Let us know how this goes for you.
Former Nagios employee
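
The swapped </VirtualHost> and </Location> tags mentioned in the reply above are the kind of mistake a small nesting check catches before a restart. The following is an added example, not code from Nagios or from the posters; the embedded config is a constructed, trimmed-down copy that keeps only the tag order of the one posted.

```python
import re

OPEN_RE = re.compile(r'^<([A-Za-z]\w*)\b[^>]*>$')
CLOSE_RE = re.compile(r'^</([A-Za-z]\w*)\s*>$')

def check_nesting(conf_text):
    """Return (line_no, message) tuples for Apache section tags that are
    closed out of order, closed without being opened, or never closed."""
    stack, problems = [], []  # stack holds (lowercased name, name, line_no)
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        close, opened = CLOSE_RE.match(line), OPEN_RE.match(line)
        if opened:
            stack.append((opened[1].lower(), opened[1], no))
        elif close:
            name = close[1].lower()
            if stack and stack[-1][0] == name:
                stack.pop()
                continue
            idx = [i for i, s in enumerate(stack) if s[0] == name]
            if not idx:
                problems.append((no, f"</{close[1]}> has no open section"))
                continue
            top = stack[-1]
            problems.append(
                (no, f"</{close[1]}> seen while <{top[1]}> from line {top[2]} is still open"))
            del stack[idx[-1]]  # drop the matched opener and keep scanning
    problems += [(n, f"<{name}> is never closed") for _, name, n in stack]
    return problems

# Constructed, trimmed-down config with the same tag order as the one posted.
SWAPPED = """\
<VirtualHost *:80>
  <Directory "/usr/local/nagiosxi/html">
    Require all granted
  </Directory>
  <Location /nagiosxi>
    AuthType Kerberos
    require valid-user
    <IfModule mod_rewrite.c>
      RewriteEngine On
    </IfModule>
</VirtualHost>
</Location>
"""

if __name__ == "__main__":
    for no, msg in check_nesting(SWAPPED):
        print(f"line {no}: {msg}")
```

On the server itself, `apachectl configtest` performs the authoritative syntax check before Apache is restarted.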
frenchviking
Posts: 8
Joined: Tue Jun 07, 2016 10:47 am

Re: Active Directory SSO "half" working

Post by frenchviking »

Hello,

Thank you for the explanations. From what I understood, this will switch the authentication to Basic instead of Negotiate. If SSO integration is not officially supported I'll stick with a simple AD integration. If you need me to make further tests around SSO, let me know!

Thanks again for the support.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Active Directory SSO "half" working

Post by tmcdonald »

I'll definitely keep you in mind in the future if we decide to officially support SSO, but at the moment it's not something that I would have any further input on.
Former Nagios employee