This article describes step by step how to implement transparent Single Sign-On (SSO) authentication for Zabbix 4.0 (or later) in Active Directory using Kerberos.
This lets a user open the Zabbix frontend and be authenticated automatically, without entering any credentials. For this to work, the user must be logged on to Windows with the Active Directory domain account that is mapped to the Zabbix user, and the browser must be configured for Kerberos (Negotiate) authentication: in Internet Explorer the Zabbix URL has to be in the Local intranet zone.
Test environment:
- Ubuntu Server 18.04 LTS;
- Active Directory domain at functional level Windows Server 2008 or higher;
- Zabbix Server 4.0.11 with Apache2 as the web server (see the Zabbix installation guide).
Note. This article implements SSO with Apache2 and the libapache2-mod-auth-kerb module. Nginx is not covered here; for it there is the spnego-http-auth-nginx-module, which has to be compiled into Nginx separately.
Zabbix LDAP authentication in Active Directory
First, the domain users have to be matched to Zabbix users. Create a user in Zabbix with the same login as in the AD domain: if the AD login (the sAMAccountName attribute) is, for example, user_5, the Zabbix user must have the login user_5 as well.
Do this for every user who will use Zabbix.
Then create a separate account in Active Directory that Zabbix will use to bind to the domain. In practice any domain account works, but a dedicated service account is preferable. In my case it is zabbix_admin. I create it with the PowerShell cmdlet New-ADUser:
New-ADUser -Name zabbix_admin -GivenName zabbix_admin -SamAccountName zabbix_admin -AccountPassword (Read-Host -AsSecureString Password:) -DisplayName zabbix_admin -Enabled $true
Run the command in a PowerShell console and enter the password for the new user. The account is created in the Users container at the root of your domain.
Now configure LDAP authentication in Zabbix. In the Zabbix frontend go to Administration -> Authentication, open the LDAP settings tab, tick Enable LDAP authentication and fill in the fields:
- LDAP host: ldap://dc1.domain.local
- Port: 389
- Base DN: DC=domain,DC=local
- Search attribute: sAMAccountName
- Bind DN: CN=zabbix_admin,OU=user,DC=domain,DC=local (use the DN of the account as it exists in your AD; an account left in the default Users container has the DN CN=zabbix_admin,CN=Users,DC=domain,DC=local)
- Bind password: the password of the zabbix_admin account
You can read the description of each parameter in the LDAP authentication section of the Zabbix documentation: https://www.zabbix.com/documentation/current/manual/web_interface/frontend_sections/administration/authentication.
Before saving, verify the settings with the Test button. The Login field holds your current Zabbix user name; that user must also exist in AD under the same login. Enter its AD password and run the test.
If the test succeeds, save the settings and switch Default authentication in Zabbix from Internal to LDAP.
Then enable HTTP authentication (HTTP settings tab -> Enable HTTP authentication). With this enabled the frontend trusts the user name that the web server passes to it (REMOTE_USER), so the Kerberos requirement configured in Apache below must cover the whole Zabbix frontend.
LDAP authentication is configured.
Tip. If the LDAP server is unavailable you will be locked out of Zabbix. To fall back to internal authentication (authentication_type 0), open MySQL and run:
update zabbix.config set authentication_type='0' where configid='1';
Configuring transparent authentication (single sign-on) in Zabbix (Apache2, krb5-user)
First put the FQDN of the server into /etc/hostname; it must match the DNS record for the server in your domain. In my case it is zabbix.domain.local.
Also map the server's FQDN to the loopback address and to the server's own IP address in /etc/hosts:
127.0.0.1 localhost zabbix.domain.local
10.1.1.10 zabbix.domain.local
The name must be spelt identically everywhere (hostname, DNS, /etc/hosts, SPN, browser URL): the browser builds the service principal name from the host name in the URL, and Apache can only decrypt tickets issued for a principal that is in its keytab.
Kerberos only works when the clock is in sync with the domain controller (the default tolerance is five minutes). Install ntp and ntpdate and synchronise against the domain controller:
apt-get install ntp ntpdate
ntpdate dc.domain.local
ntpdate is a one-off adjustment; keep the ntp service running so the clock stays in sync. On CentOS 8, chrony is used for time synchronisation; the ntp and ntpdate packages are not in the official repositories.
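As an added example (this is not part of the original article), the following shell script derives the service principal a browser will request from the Zabbix URL and checks the local name setup against it; the live checks only run on the Zabbix server when started with --live. The names zabbix.domain.local, DOMAIN.LOCAL and dc.domain.local are the article's example values and are assumptions for your environment.

```shell
#!/bin/sh
# Added example, not from the article: derive the Kerberos names a browser
# will ask for from the Zabbix URL and check the local host setup against them.
# Host names below (zabbix.domain.local, dc.domain.local) are the article's
# example values and are assumptions for your environment.

# SPN the browser derives from a URL: scheme, port and path stripped, host
# lowercased. Fails for an IP address or a short name, because for those the
# browser finds no matching service principal and falls back to NTLM/Basic.
spn_for_url() {
    host=$(printf '%s' "$1" \
        | sed -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' -e 's|[/?#].*$||' -e 's|:[0-9]*$||' \
        | tr 'A-Z' 'a-z')
    case "$host" in
        '')         echo "no host in URL: $1" >&2; return 1 ;;
        *[!0-9.]*)  ;;   # contains a letter: a host name
        *)          echo "host is an IP address ($host): Kerberos is not used" >&2; return 1 ;;
    esac
    case "$host" in
        *.*) ;;
        *)   echo "host is not fully qualified ($host): SPN would not match the keytab" >&2; return 1 ;;
    esac
    printf 'HTTP/%s\n' "$host"
}

# Realm for an FQDN: everything after the first label, upper-cased
# (zabbix.domain.local -> DOMAIN.LOCAL). Assumes the AD DNS domain name is
# also the Kerberos realm, as in the article.
realm_for_fqdn() {
    printf '%s\n' "${1#*.}" | tr 'a-z' 'A-Z'
}

# Full principal as it must appear in ktpass -princ, setspn and the keytab.
principal_for_url() {
    spn=$(spn_for_url "$1") || return 1
    printf '%s@%s\n' "$spn" "$(realm_for_fqdn "${spn#HTTP/}")"
}

# Does the hosts file ($1) map IP $2 to exactly the name $3? Catches the
# zabbix.local.domain / zabbix.domain.local kind of typo.
hosts_maps() {
    awk -v ip="$2" -v fqdn="$3" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Checks that only make sense on the Zabbix server itself; run with --live.
live_checks() {
    url=${1:-http://zabbix.domain.local/zabbix}
    dc=${2:-dc.domain.local}
    principal=$(principal_for_url "$url") || return 1
    fqdn=${principal#HTTP/}; fqdn=${fqdn%@*}
    echo "service principal the browser will request: $principal"
    [ "$(hostname -f)" = "$fqdn" ] || echo "WARNING: hostname -f gives $(hostname -f), not $fqdn"
    hosts_maps /etc/hosts "$(hostname -I | cut -d' ' -f1)" "$fqdn" \
        || echo "WARNING: /etc/hosts does not map this host's IP to $fqdn"
    getent hosts "$fqdn" >/dev/null || echo "WARNING: $fqdn does not resolve"
    # Kerberos tolerates 5 minutes of clock skew by default; -q only queries the offset.
    ntpdate -q "$dc" | tail -n 1
}

if [ "${1:-}" = "--live" ]; then live_checks "$2" "$3"; fi
```

Usage on the server: sh check-names.sh --live http://zabbix.domain.local/zabbix dc.domain.local. A URL with an IP address or a short host name is rejected outright, which is exactly the case where users end up with a password prompt instead of SSO.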
Now create a keytab file on the domain controller. A keytab is a file that holds the SPN together with the encryption keys derived from the account password; Apache uses it to decrypt the service tickets that browsers present.
- Log in to the domain controller and open a command prompt as administrator. Change to C:\.
- Run:
ktpass -princ HTTP/zabbix.domain.local@DOMAIN.LOCAL -mapuser zabbix_admin -pass STRONGPASS -crypto ALL -ptype KRB5_NT_PRINCIPAL -out zabbix.keytab -setupn -setpass
- Copy C:\zabbix.keytab to the /etc/apache2/ directory on the Zabbix server.
Note. -setpass resets the password of zabbix_admin to STRONGPASS, and every key in the keytab is derived from that password, so treat the file like a password: transfer it over a secure channel (scp) and delete the copy left on the domain controller. -crypto ALL also writes an RC4 (arcfour-hmac) key; -crypto AES256-SHA1 limits the keytab to AES, in which case check that the account allows AES ("This account supports Kerberos AES 256 bit encryption" in the account properties), otherwise the KDC issues tickets the keytab cannot decrypt.
Install the Kerberos client packages and the Apache module:
apt install krb5-user libapache2-mod-auth-kerb
Configure krb5-user. Edit /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_name = /etc/apache2/zabbix.keytab
dns_lookup_kdc = false
dns_lookup_realm = false
forwardable = true
ticket_lifetime = 24h
[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
default_domain = DOMAIN.LOCAL
admin_server = dc.domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
Substitute your own domain. Note that the Kerberos realm (DOMAIN.LOCAL) is written in upper case wherever it appears.
Note. The line default_keytab_name = /etc/apache2/zabbix.keytab points at the keytab; make sure the file is there and that Apache (www-data) can read it, and nobody else needs to:
chown www-data:www-data /etc/apache2/zabbix.keytab
chmod 640 /etc/apache2/zabbix.keytab
Check that Kerberos works from the Linux side by obtaining a ticket with the keytab (Ubuntu ships MIT Kerberos, where the principal is the last argument; there is no -p option for it):
kinit -V -k -t /etc/apache2/zabbix.keytab HTTP/zabbix.domain.local
You may see this error:
kinit: Client 'HTTP/zabbix.domain.local@DOMAIN.LOCAL' not found in Kerberos database while getting initial credentials
In that case try to authenticate as an ordinary domain user with a password:
kinit -V LOGIN
If that works, the problem is with the keytab or the SPN: check that you ran ktpass with the right principal and that the SPN is registered on the service account (next step).
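The keytab and kinit checks above, as an added example that is not part of the original article: the script parses a klist -kte listing for the service principal, flags an RC4 key left by ktpass -crypto ALL, and, with --live, lists the real keytab and obtains a ticket with it. keytab_sample is a constructed stand-in for klist -kte output and contains no key material; /etc/apache2/zabbix.keytab and HTTP/zabbix.domain.local@DOMAIN.LOCAL are the article's values.

```shell
#!/bin/sh
# Added example, not from the article: check that the keytab carries the
# service principal Apache will need, and that the KDC still accepts it.
# keytab_sample is a constructed stand-in for `klist -kte` output so the
# parsing functions can be exercised without a real keytab; it holds no keys.

keytab_sample() {
    cat <<'EOF'
Keytab name: FILE:/etc/apache2/zabbix.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/08/2019 10:00:00 HTTP/zabbix.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 08/08/2019 10:00:00 HTTP/zabbix.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)
   3 08/08/2019 10:00:00 HTTP/zabbix.domain.local@DOMAIN.LOCAL (arcfour-hmac)
EOF
}

# Print "kvno enctype" for every keytab entry of principal $1 (listing on stdin).
keytab_entries() {
    awk -v p="$1" '$NF ~ /^\(.*\)$/ && $(NF-1) == p {
        e = $NF; gsub(/[()]/, "", e); print $1, e }'
}

# True when the listing contains at least one key for principal $1. A miss
# means ktpass -princ, the server FQDN and KrbServiceName do not agree.
keytab_has_principal() {
    n=$(keytab_entries "$1" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# True when principal $1 has no RC4 (arcfour-hmac) key. ktpass -crypto ALL
# writes one; a keytab created with -crypto AES256-SHA1 does not have it.
keytab_rc4_free() {
    ! keytab_entries "$1" | grep -q ' arcfour-hmac$'
}

# Live check on the Zabbix server: list the real keytab and get a TGT with it.
live_keytab_check() {
    keytab=${1:-/etc/apache2/zabbix.keytab}
    principal=${2:-HTTP/zabbix.domain.local@DOMAIN.LOCAL}
    listing=$(klist -kte "$keytab") || return 1
    printf '%s\n' "$listing" | keytab_has_principal "$principal" || {
        echo "$principal is not in $keytab: check ktpass -princ and setspn -L" >&2; return 1; }
    printf '%s\n' "$listing" | keytab_rc4_free "$principal" \
        || echo "NOTE: $keytab contains an RC4 key; consider ktpass -crypto AES256-SHA1" >&2
    # Succeeds only if key and kvno match what the KDC holds for the account.
    # "Preauthentication failed" here means the account password was changed
    # (for example ktpass -setpass run again) after this keytab was written.
    kinit -V -k -t "$keytab" "$principal" && kdestroy
}

if [ "${1:-}" = "--live" ]; then live_keytab_check "$2" "$3"; fi
```

Usage on the server: sh check-keytab.sh --live /etc/apache2/zabbix.keytab HTTP/zabbix.domain.local@DOMAIN.LOCAL. A successful kinit from the keytab is the strongest single check: it proves the principal exists in AD, the SPN maps to the account, and the key in the file is the one the KDC expects.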
Check that the SPN for the Zabbix service account exists in AD. On the domain controller run:
setspn -L zabbix_admin
The output lists the SPNs registered on the account; one of them must be HTTP/zabbix.domain.local. If it is missing, add it (-S first checks that no other account already holds the SPN; a duplicate SPN breaks Kerberos for both accounts):
setspn -S HTTP/zabbix.domain.local zabbix_admin
ktpass -mapuser normally also sets the account's user logon name (userPrincipalName) to HTTP/zabbix.domain.local; check it in the account properties.
If it was not changed, set it manually.
Then edit the Apache site configuration /etc/apache2/sites-available/000-default.conf.
Set ServerName zabbix.domain.local and, after that line, add the following block to the virtual host, scoped to the Zabbix frontend (for example inside a <Location /zabbix> section):
AuthType Kerberos
AuthName "Kerberos authenticated"
KrbAuthRealms DOMAIN.LOCAL
#KrbServiceName HTTP/zabbix.domain.local
KrbServiceName Any
Krb5Keytab /etc/apache2/zabbix.keytab
KrbMethodNegotiate On
KrbSaveCredentials On
KrbLocalUserMapping On
Require valid-user
If KrbServiceName does not match the principal stored in the keytab, authentication fails, so KrbServiceName Any is convenient while testing. Once everything works, put the real service name (HTTP/zabbix.domain.local) back so that Apache only accepts tickets issued for that principal. The principals in the keytab can be listed with:
klist -k -t /etc/apache2/zabbix.keytab
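A hardened version of the Apache block above, as an added example that is not from the article: the script renders the mod_auth_kerb configuration from the FQDN, realm and keytab path, pins the service name instead of Any, disables the Basic-auth fallback that mod_auth_kerb enables by default, and installs the result as a separate conf snippet. zabbix.domain.local, DOMAIN.LOCAL, /etc/apache2/zabbix.keytab and the /zabbix frontend path are the article's values and are assumptions for your site.

```shell
#!/bin/sh
# Added example, not from the article: render a hardened mod_auth_kerb block
# for the Zabbix frontend from the server FQDN, realm and keytab path, and
# install it as a separate Apache conf snippet. The defaults below
# (zabbix.domain.local, DOMAIN.LOCAL, /etc/apache2/zabbix.keytab, the
# /zabbix frontend path) are the article's values and are assumptions.

render_zabbix_kerb_conf() {
    fqdn=$1; realm=$2; keytab=$3
    cat <<EOF
<Location /zabbix>
    AuthType Kerberos
    AuthName "Kerberos authenticated"
    KrbAuthRealms $realm
    # Pin the service principal instead of "Any" once klist -k $keytab shows it:
    # Apache then only accepts tickets issued for this name.
    KrbServiceName HTTP/$fqdn
    Krb5Keytab $keytab
    KrbMethodNegotiate On
    # No Basic-auth fallback (mod_auth_kerb enables it by default): with it a
    # browser that cannot do SPNEGO prompts for the AD password and sends it
    # to Apache as Basic auth, cleartext over plain HTTP.
    KrbMethodK5Passwd Off
    # Zabbix does not need delegated credentials, so do not write them to disk.
    KrbSaveCredentials Off
    # Pass "user_5" rather than "user_5@$realm" to Zabbix, matching the
    # Zabbix login created from sAMAccountName.
    KrbLocalUserMapping On
    Require valid-user
</Location>
EOF
}

# Write the snippet, lock down the keytab, enable module and snippet, reload.
install_zabbix_kerb_conf() {
    fqdn=${1:-zabbix.domain.local}
    realm=${2:-DOMAIN.LOCAL}
    keytab=${3:-/etc/apache2/zabbix.keytab}
    conf=/etc/apache2/conf-available/zabbix-kerberos.conf
    render_zabbix_kerb_conf "$fqdn" "$realm" "$keytab" > "$conf"
    # The keytab is the service's long-term key: readable by Apache, nobody else.
    chown root:www-data "$keytab" && chmod 0640 "$keytab"
    a2enmod auth_kerb
    a2enconf zabbix-kerberos
    apachectl configtest && systemctl reload apache2
}

if [ "${1:-}" = "--install" ]; then install_zabbix_kerb_conf "$2" "$3" "$4"; fi
```

Usage: sh zabbix-kerb.sh --install zabbix.domain.local DOMAIN.LOCAL /etc/apache2/zabbix.keytab. Keeping the block in conf-available instead of 000-default.conf means a package upgrade of the default site cannot silently drop the authentication requirement.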
How do I configure my browsers for Kerberos authentication?
For Internet Explorer to use Kerberos on Zabbix, its URL must be added to the Local intranet zone. Google Chrome on Windows uses the Internet Explorer zone settings, so it needs no separate configuration.
Note. The Zabbix URL must not be placed in the Trusted sites zone: with the default settings IE only logs on automatically with the current credentials in the Local intranet zone, so from Trusted sites Kerberos will not be used.
In IE open Internet Options -> Security.
Select Local intranet, click Sites, then Advanced.
Enter the URL of your Zabbix server and add it.
On the Advanced tab of Internet Options, make sure Enable Integrated Windows Authentication is ticked.
You can also assign the Zabbix URL to the Local intranet zone through Group Policy (Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List; zone value 1 means Local intranet).
For Mozilla Firefox, add the Zabbix URL (or the whole domain, e.g. .domain.local) to the following setting in about:config:
network.negotiate-auth.trusted-uris
That is the only setting Kerberos needs. network.automatic-ntlm-auth.trusted-uris enables NTLM rather than Kerberos, and network.negotiate-auth.delegation-uris lets the site obtain a forwardable copy of the user's credentials, which Zabbix does not need; leave both unset.
The configuration is now complete. When you try to access the URL of your Zabbix server, you are automatically authenticated and no password is required.
Troubleshooting Kerberos Authentication in Apache
If something does not work, enable debug logging in Apache2: add the following line to /etc/apache2/sites-available/000-default.conf:
LogLevel trace8
Restart Apache and look for the Kerberos module's messages in error.log. Set the log level back afterwards; trace8 records request details for every request.
To filter the messages for one client, use:
tail -f /var/log/apache2/error.log | grep 'your IP address'
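The error.log filtering above, as an added example that is not part of the original article: the script pulls the mod_auth_kerb lines for one client address out of the log and maps the two most common failure messages to their usual cause. The lines in sample_log are constructed (timestamps, pids and addresses are made up); the message texts are the ones mod_auth_kerb writes.

```shell
#!/bin/sh
# Added example, not from the article: pull the mod_auth_kerb messages for one
# client out of Apache's error.log and map the usual failures to their cause.
# The log lines in sample_log are constructed (timestamps, pids, addresses are
# made up); the message texts are the ones mod_auth_kerb writes.

sample_log() {
    cat <<'EOF'
[Thu Aug 08 10:00:01.000000 2019] [auth_kerb:debug] [pid 1234] [client 10.1.1.50:52001] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Aug 08 10:00:01.000000 2019] [auth_kerb:error] [pid 1234] [client 10.1.1.50:52001] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, )
[Thu Aug 08 10:00:05.000000 2019] [auth_kerb:error] [pid 1235] [client 10.1.1.51:52002] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
EOF
}

# error.log lines written by mod_auth_kerb about client IP $1 (log on stdin).
kerb_lines_for_client() {
    grep -F "[client $1:" | grep -F '[auth_kerb:'
}

# One diagnosis line per error for client IP $1 (log on stdin); no output
# means mod_auth_kerb logged no error for that client.
kerb_diagnose_client() {
    kerb_lines_for_client "$1" | awk '
        /received token seems to be NTLM/ {
            print "NTLM token: the browser did not use Kerberos (site not in the Local intranet zone, or the URL uses an IP address or short name)"; next }
        /gss_accept_sec_context\(\) failed/ {
            print "GSS-API rejected the ticket: SPN/keytab mismatch, wrong KrbServiceName, stale keytab (kvno) or clock skew"; next }
        /\[auth_kerb:error\]/ { print "other mod_auth_kerb error: " $0 }'
}

# Follow the live log for one client: the article's tail | grep, with line
# buffering so matches show up immediately.
follow_client() {
    tail -f /var/log/apache2/error.log | grep --line-buffered -F "[client $1:"
}

if [ "${1:-}" = "--follow" ]; then follow_client "$2"; fi
```

Usage: sh kerb-log.sh --follow 10.1.1.50 on the server, or kerb_diagnose_client 10.1.1.50 < /var/log/apache2/error.log for a saved log. The NTLM warning is the one to look for first: it means the client never sent a Kerberos ticket at all, so the problem is on the browser side, not in the keytab.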
kinit and klist can be used to exercise and diagnose Kerberos.
kinit obtains and caches Kerberos tickets, for example with the keytab:
kinit -V -k -t /etc/apache2/zabbix.keytab HTTP/zabbix.domain.local@DOMAIN.LOCAL
If the keytab was created correctly the command succeeds and reports that authentication succeeded.
klist shows the tickets in the cache:
klist -a