Re: CAC & AD authentication failures
Posted: Wed Oct 30, 2024 11:16 am
by jmichaelson
Can you use Wireshark to watch the connections between your log server and AD server? Or telnet to port 636 on the AD server from your log server?
Re: CAC & AD authentication failures
Posted: Wed Oct 30, 2024 12:34 pm
by netgroupnrlssc
Attached is the error from the Domain Controller. I don't see anything in the settings to create or choose a client certificate.
Re: CAC & AD authentication failures
Posted: Thu Oct 31, 2024 9:04 am
by DoubleDoubleA
Is the SSL cert on your Log Server instances self-signed?
Re: CAC & AD authentication failures
Posted: Thu Oct 31, 2024 9:18 am
by netgroupnrlssc
I have not enabled https on the log server. Is that cert automatically used for this?
Re: CAC & AD authentication failures
Posted: Thu Oct 31, 2024 10:13 am
by DoubleDoubleA
Well, I might have that backwards. "Certificate is not trusted" is usually what the client will say when it connects to, for example, a web server, that uses a self-signed cert.
But in this case, I would expect Log Server is the client attempting to connect to the LDAP server, and that is what the error message seems to say.
This article seems to suggest there is something about client signing with LDAP, though it is not as plainly descriptive as I might like.
https://learn.microsoft.com/en-us/previ ... quirements
https://learn.microsoft.com/en-us/troub ... ows-server
But how do you set a Linux host up with that? Here's a Red Hat article
https://docs.redhat.com/en/documentatio ... entication
I DON'T use arch, btw:
https://wiki.archlinux.org/title/LDAP_authentication
Re: CAC & AD authentication failures
Posted: Thu Nov 07, 2024 3:04 pm
by netgroupnrlssc
I'm enabling https to ensure there is a valid cert and remove this as a problem. I'm following the instructions at https://assets.nagios.com/downloads/nag ... S-2024.pdf . The main page at https://<servername>/nagioslogserver loads, but not fully. The CSS and images do not load. For example, https://<servername>/nagioslogserver/media/favicon.ico returns 404, not found; but the http version of that URL does work.
# tail /var/log/httpd/access_log
128.160.42.50 - - [07/Nov/2024:13:50:53 -0600] "GET /nagioslogserver/media/favicon.ico HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
128.160.42.50 128.160.115.33 128.160.42.50 HTTP/1.1 - GET 304 [07/Nov/2024:13:50:53 -0600] - /nagioslogserver/media/favicon.ico "-"
# tail /var/log/httpd/ssl_access_log
128.160.42.50 - - [07/Nov/2024:13:49:08 -0600] "GET /nagioslogserver/www/media/favicon.ico HTTP/1.1" 404 1130
# cat /etc/httpd/conf.d/ssl.conf | grep -v \#
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLCryptoDevice builtin
<VirtualHost _default_:443>
Options FollowSymLinks
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /usr/local/nagioslogserver/var/certs/nagioslogserver.crt
SSLCertificateKeyFile /usr/local/nagioslogserver/var/certs/nagioslogserver.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond $1 !^(index\.php|scripts|-media|app|js|css|img|font|vendor|config.js)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagioslogserver/(.*)$ /var/www/html/nagioslogserver/www/index.php/$1 [L,QSA]
</IfModule>
<Directory "/var/www/html/nagioslogserver/www/">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
# cat /etc/httpd/conf.d/nagioslogserver.conf | grep -v \#
Alias /nagioslogserver "/var/www/html/nagioslogserver/www/"
KeepAlive On
MaxKeepAliveRequests 100
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule session_module modules/mod_session.so
<Directory "/var/www/html/nagioslogserver/www/">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond $1 !^(index\.php|scripts|media|app|js|css|img|font|vendor|config.js)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagioslogserver/(.*)$ /var/www/html/nagioslogserver/www/index.php/$1 [L,QSA]
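The two configurations posted above differ in one alternative of the first RewriteCond (`-media` in ssl.conf, `media` in nagioslogserver.conf). As an added example that is not part of the original post, this Python script compares the two lines and evaluates only that first condition for a few request paths; the `!-f`/`!-d` conditions and the rest of Apache's processing are not modelled, and the `css/site.css` and `dashboard` paths are constructed.

```python
import re

# First RewriteCond of each config, copied from the post above.
SSL_CONF = r'RewriteCond $1 !^(index\.php|scripts|-media|app|js|css|img|font|vendor|config.js)'
HTTP_CONF = r'RewriteCond $1 !^(index\.php|scripts|media|app|js|css|img|font|vendor|config.js)'

# RewriteRule pattern shared by both configs; group 1 is what Apache calls $1.
RULE = re.compile(r'nagioslogserver/(.*)$')


def exclusion_pattern(cond_line):
    """Return the compiled regex of a negated 'RewriteCond $1 !<regex>' line."""
    m = re.match(r'\s*RewriteCond\s+\$1\s+!(\S+)', cond_line)
    if not m:
        raise ValueError("not a negated RewriteCond on $1: %r" % cond_line)
    return re.compile(m.group(1))


def alternatives(cond_line):
    """Split a '^(a|b|c)' exclusion into its set of path prefixes."""
    inner = re.fullmatch(r'\^\((.*)\)', exclusion_pattern(cond_line).pattern)
    return set(inner.group(1).split('|')) if inner else set()


def drift(cond_a, cond_b):
    """Prefixes present in one exclusion list but not the other."""
    return sorted(alternatives(cond_a) ^ alternatives(cond_b))


def goes_to_index_php(cond_line, url_path):
    """True if the $1 condition lets this request fall through to index.php.
    Assumption: only the first RewriteCond is evaluated here."""
    m = RULE.search(url_path)
    if not m:
        return False  # RewriteRule pattern does not match at all
    return exclusion_pattern(cond_line).search(m.group(1)) is None


if __name__ == "__main__":
    print("prefixes that differ:", drift(SSL_CONF, HTTP_CONF))
    paths = [
        "/nagioslogserver/media/favicon.ico",  # path from the post
        "/nagioslogserver/css/site.css",       # constructed sample
        "/nagioslogserver/dashboard",          # constructed sample
    ]
    for p in paths:
        print(p,
              "| ssl.conf -> index.php:", goes_to_index_php(SSL_CONF, p),
              "| nagioslogserver.conf -> index.php:", goes_to_index_php(HTTP_CONF, p))
```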
Re: CAC & AD authentication failures
Posted: Thu Nov 14, 2024 10:49 am
by netgroupnrlssc
If my problems have exceeded this forum, how do I open a support ticket?
Re: CAC & AD authentication failures
Posted: Thu Nov 14, 2024 3:40 pm
by jmichaelson
Go here:
https://support.nagios.com/; register for access to the customer support portal if you have not already done so, and log in to get in touch with support.