goto11.net

Zabbix: Single Sign-On (SSO) Authentication in Active Directory

December 29, 2020 by tuio

This article describes step by step how to implement transparent Single Sign-On (SSO) authentication for Zabbix 4.0 (or later) in Active Directory using Kerberos.

With this in place, the user is authenticated automatically on the Zabbix home page without entering any credentials. For this to work, the user must be logged into Windows under the Active Directory domain account that is specified in Zabbix. The user's browser must also be configured (Kerberos support must be enabled, and in IE the Zabbix site must be added to the Local intranet zone).

Environment:

  • Ubuntu Server 18.04 LTS
  • Active Directory domain with functional level 2008 (or higher)
  • Zabbix Server 4.0.11 with Apache2 as the web server (see the Zabbix installation guide)

Note. To implement SSO, this article uses Apache2 with the libapache2-mod-auth-kerb module. Nginx is not covered here; there is an spnego-http-auth-nginx module for it, but it must be compiled into Nginx separately.

Zabbix LDAP authentication in Active Directory

First of all, you need to link the domain users to Zabbix. Simply create a user in Zabbix with the same login as in the AD domain. For example, if the AD login (the sAMAccountName attribute) is user_5, the user must have the login user_5 in Zabbix as well.

Create a new zabbix user for the AD domain

Do this for every user who will use Zabbix.

Then create a separate user account in Active Directory to link Zabbix to your domain. In practice, you can use any domain account, but it is preferable to create a separate service account. In my case it will be zabbix_admin. To create the user in AD, I use the PowerShell command New-ADUser :

New-ADUser -Name zabbix_admin -GivenName zabbix_admin -SamAccountName zabbix_admin -AccountPassword (Read-Host -AsSecureString Password:) -DisplayName zabbix_admin -Enabled $true

Execute the above command in the PowerShell console and set the user's password. The new user is created in the Users container in the root of your domain.

Configure LDAP authentication in Zabbix. In the Zabbix frontend, go to the LDAP settings tab under Administration -> Authentication. Select the Enable LDAP authentication check box and complete the following fields:

  • LDAP host: ldap://dc1.domain.local
  • Port: 389
  • Base DN: DC=domain,DC=local
  • Search attribute: sAMAccountName
  • Bind DN: CN=zabbix_admin,OU=user,DC=domain,DC=local

You can read the description of each parameter in the LDAP authentication section of the Zabbix documentation: https://www.zabbix.com/documentation/current/manual/web_interface/frontend_sections/administration/authentication.

Before completing the configuration, make sure that your settings are valid by performing a test login (Test button). Enter the username of the account we created earlier and its AD password.
Successful LDAP connection

If the test was successful, save the settings and change the authentication type in Zabbix from Internal to LDAP.

zabbix uses LDAP authentication

Enable HTTP authentication (HTTP settings -> Enable HTTP authentication).

Enabling HTTP authentication on Zabbix

LDAP authentication is configured.

Tip. If your LDAP server is unavailable, you will not be able to log in to Zabbix. To switch back to internal authentication, open MySQL and execute the following statement:

update zabbix.config set authentication_type='0' where configid='1';

Configuring transparent authentication (single sign-on) in Zabbix (Apache2, krb5-user)

First enter the FQDN of your server in /etc/hostname, which must match the DNS record of your domain. In my case, it’s zabbix.domain.local.

Also add your server's FQDN to /etc/hosts, both for the loopback address and for the server's own IP address:

127.0.0.1 localhost zabbix.domain.local
10.1.1.10 zabbix.domain.local

For Kerberos authentication to work properly, the server's time must be synchronized with the domain controller. Install the ntpdate package and synchronize with the domain controller:

apt-get install ntp ntpdate
ntpdate dc.domain.local

On CentOS 8, chrony is used for time synchronization; the ntp and ntpdate packages are not available in the official repositories.

You must now create a keytab file on the domain controller. A keytab is a file that contains the SPN and the encrypted keys; it is used for Kerberos authentication.

  • Log in to the domain controller and open a command prompt as administrator. Go to C:\.
  • Enter the following command:
    ktpass -princ HTTP/zabbix.domain.local@DOMAIN.LOCAL -mapuser zabbix_admin -pass STRONGPASS -crypto ALL -ptype KRB5_NT_PRINCIPAL -out zabbix.keytab -setupn -setpass
  • Copy the file C:\zabbix.keytab to the /etc/apache2/ directory on your Zabbix server.

Install the Kerberos packages and the module for apache2 :

apt install krb5-user libapache2-mod-auth-kerb

Configure krb5-user. Edit the /etc/krb5.conf file:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_name = /etc/apache2/zabbix.keytab
dns_lookup_kdc = false
dns_lookup_realm = false
forwardable = true
ticket_lifetime = 24h
[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
default_domain = DOMAIN.LOCAL
admin_server = dc.domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

Substitute your own domain. Note that in some places the realm name is written in capital letters; keep this in mind.

Note. Look at the line with the path to the keytab file, default_keytab_name = /etc/apache2/zabbix.keytab, and make sure the file is actually there. Give the www-data user read access to it by running: chown www-data:www-data /etc/apache2/zabbix.keytab

Make sure the Kerberos authentication works on Linux :

kinit -kV -p HTTP/zabbix.domain.local -t /etc/apache2/zabbix.keytab

kinit authentication check

You may see this error:

kinit: Client 'HTTP/zabbix.domain.local@DOMAIN.LOCAL' not found in Kerberos database while getting initial credentials

In this case, try to authenticate with another user's credentials:

kinit -pV LOGIN

If that authentication succeeds, the problem is in the keytab file. Make sure you generated it correctly and that you entered the ktpass command correctly.

Make sure that the SPN record for your Zabbix service account exists in AD. Enter the following command on the domain controller:

setspn -L zabbix_admin

The output should contain an SPN in the form HTTP/zabbix.domain.local. If there is no such entry, add it:

setspn -a HTTP/zabbix.domain.local zabbix_admin

setpn HTTP for zabbix

Also make sure that the account's user logon name has been changed to HTTP/zabbix.domain.local.

HTTP/zabbix.domain.local

If not, change it manually.

Then edit the apache2 configuration file – /etc/apache2/sites-available/000-default.conf.

Set ServerName to zabbix.domain.local and add the following directives:

AuthType Kerberos
AuthName "Kerberos authenticated"
KrbAuthRealms DOMAIN.LOCAL
#KrbServiceName HTTP/zabbix.domain.local
KrbServiceName Any
Krb5Keytab /etc/apache2/zabbix.keytab
KrbMethodNegotiate On
KrbSaveCredentials On
KrbLocalUserMapping On
Require valid-user

If KrbServiceName does not match the principal name stored in the keytab, authentication fails, so during testing you can leave it set to Any. Once you have made sure that everything works, enter the exact service name. You can list the principals in the keytab with:

klist -kt /etc/apache2/zabbix.keytab
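The checks described in this section (hosts entry, keytab ownership and permissions, HTTP principal in the keytab, kinit with the keytab) collected into one preflight script. This is an added example and not part of the article; it assumes the article's values (FQDN zabbix.domain.local, realm DOMAIN.LOCAL, keytab /etc/apache2/zabbix.keytab, Apache user www-data), and the function names are my own.

```shell
#!/bin/sh
# Preflight checks for Zabbix SSO with mod_auth_kerb (added example, not from the article).
# Assumed values from the article; override them via the environment if yours differ.
FQDN="${FQDN:-zabbix.domain.local}"
REALM="${REALM:-DOMAIN.LOCAL}"
KEYTAB="${KEYTAB:-/etc/apache2/zabbix.keytab}"
WEBUSER="${WEBUSER:-www-data}"

# Escape dots so a hostname can be used as a literal inside an extended regex.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# hosts_has_fqdn FILE FQDN: succeed if a non-comment line in FILE maps FQDN as a whole word.
hosts_has_fqdn() {
    grep -Eq "^[^#]*[[:space:]]$(re_escape "$2")([[:space:]]|\$)" "$1"
}

# keytab_perms_ok FILE OWNER: the keytab must exist, belong to OWNER (name or uid) and
# not be world-readable, since anyone who can read it holds the HTTP service key.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    want=$(id -u "$2" 2>/dev/null || echo "$2")
    [ "$(stat -c '%u' "$1")" = "$want" ] || return 1
    case "$(stat -c '%a' "$1")" in
        *[0-3]) return 0 ;;   # "others" digit has no read bit (4)
        *) return 1 ;;
    esac
}

# keytab_has_http_spn FQDN REALM: read 'klist -kt' output on stdin and succeed if the
# HTTP/<fqdn>@<REALM> principal is present; this is the name mod_auth_kerb must find.
keytab_has_http_spn() {
    grep -Eq "[[:space:]]HTTP/$(re_escape "$1")@$2[[:space:]]*\$"
}

# run_all_checks: run the live checks on this host (used when invoked with --run).
run_all_checks() {
    rc=0
    [ "$(hostname -f)" = "$FQDN" ] || { echo "hostname -f is not $FQDN"; rc=1; }
    hosts_has_fqdn /etc/hosts "$FQDN" || { echo "$FQDN missing from /etc/hosts"; rc=1; }
    keytab_perms_ok "$KEYTAB" "$WEBUSER" \
        || { echo "$KEYTAB missing, wrong owner or world-readable"; rc=1; }
    klist -kt "$KEYTAB" | keytab_has_http_spn "$FQDN" "$REALM" \
        || { echo "HTTP/$FQDN@$REALM not in $KEYTAB"; rc=1; }
    # The same test the article runs by hand: get a ticket for the service principal from the keytab.
    kinit -k -t "$KEYTAB" "HTTP/$FQDN@$REALM" || { echo "kinit with keytab failed"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--run" ]; then run_all_checks; fi
```

Run it as ./sso_preflight.sh --run on the Zabbix server after copying the keytab; each failed check prints one line, and a world-readable keytab is reported as a failure even though kinit would still succeed.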

How do I configure my browsers for Kerberos authentication?

For Internet Explorer to use Kerberos authentication on Zabbix, you need to add its URL to the local intranet pages. Google Chrome uses the settings of Internet Explorer, so you don’t have to configure it separately.

Note. The URL of your Zabbix site must not be in the Trusted sites list, otherwise Kerberos will not work. The site must be listed in the Local intranet zone only.

Open Internet Options -> Security in IE.

Local Intranet pages in IE

Select Local intranet, click Sites, enable the options shown in the following screenshot and click Advanced.

Local Intranet Zone Settings

Enter the URL of your Zabbix server.

Then open the Advanced tab and select the Enable Integrated Windows Authentication checkbox.

Activate the Windows authentication built into Internet Explorer

You can also place the Zabbix URL in the Local intranet zone via Group Policy (Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List; use zone value 1 for the Local intranet zone).

Site to Zone Assignment List

Add the URL of your Zabbix server to the following about:config settings for your Mozilla Firefox :

network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris

Firefox trusted URIs in about:config

The configuration is now complete. When you try to access the URL of your Zabbix server, you are automatically authenticated and no password is required.

Troubleshooting Kerberos Authentication in Apache

If you have problems, enable debug logging in apache2. To do this, add the following directive to /etc/apache2/sites-available/000-default.conf:

LogLevel trace8

Apache LogLevel trace8

Restart Apache and check the error.log file for errors from the Kerberos module.

For your convenience, you can use this command to filter the data by IP address :

tail -f /var/log/apache2/error.log | grep 'Your IP address'

You can use the kinit and klist commands to diagnose Kerberos.

kinit obtains and caches Kerberos tickets, for example:

kinit -V -k -t /etc/apache2/zabbix.keytab -p HTTP/zabbix.domain.local@DOMAIN.LOCAL

If you created the keytab file correctly, the command succeeds and reports that authentication was successful.

You can use klist to display the Kerberos tickets in the cache:

klist -a

Copyright © 2023 · GoTo11.net