Kerberos Single Sign-On does not work

[acudovs]

Kerberos Single Sign-On does not work

I've tried to setup Kerberos Single Sign-On to Graylog 2.1 on my Apache HTTP Server proxy.

My current Apache HTTP Server proxy configuration:

    <Location />
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

First of all I've created user admin@EXAMPLE.COM via Graylog WEB UI /system/authentication/users and configured SSO Plugin /system/authentication/config/sso to trust X-Remote-User HTTP header.

To test SSO plugin works as expected I've added static header to my configuration:

    <Location />
        SSLRequireSSL
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        RequestHeader set X-Remote-User "admin@EXAMPLE.COM"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

With the above configuration I always login as admin@EXAMPLE.COM without prompting for password.

So, the Kerberos part uses mod_auth_gssapi https://github.com/modauthgssapi/mod_auth_gssapi

    <Location />
        SSLRequireSSL

        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/httpd/conf/krb5.keytab
        GssapiUseSessions On
        Require valid-user

        RequestHeader set X-Graylog-Server-URL "https://graylog.example.com/api/"
        RequestHeader set X-Remote-User %{REMOTE_USER}s

        Session On
        SessionCookieName gssapi_session path=/;httponly;secure;

        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

With the above configuration Apache HTTP Server authenticates me as admin@EXAMPLE.COM but Graylog API session is not authorized

192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:19 +0300] "GET / HTTP/1.1" 200 500 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:19 +0300] "GET /config.js HTTP/1.1" 200 136 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:19 +0300] "GET /assets/polyfill.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:20 +0300] "GET /assets/plugin/org.graylog.plugins.pipelineprocessor.ProcessorPlugin/plugin.org.graylog.plugins.pipelineprocessor.PipelineProcessorPlugin.052c725323b2a784f7b0.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:20 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin/plugin.org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin.cac9c48526f92b69f0dc.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:21 +0300] "GET /assets/plugin/org.graylog.plugins.map.MapWidgetPlugin/plugin.org.graylog.plugins.map.MapWidgetPlugin.2d9b16670c4a97bedae2.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:22 +0300] "GET /api/system/cluster/node HTTP/1.1" 200 223 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - - [08/Sep/2016:14:05:22 +0300] "GET /api/system/sessions HTTP/1.1" 401 381 "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:22 +0300] "GET /assets/f9a25466e5ac752f14dfa013fad9730a.jpg HTTP/1.1" 304 - "https://graylog.example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.auth.sso.SsoAuthPlugin/plugin.org.graylog.plugins.auth.sso.SsoAuthPlugin.2b841b0e8c062b58a186.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:23 +0300] "GET /assets/2.LoginPage.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:23 +0300] "GET /assets/32.32.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:23 +0300] "GET /assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.2d7e15af839c3b19942b.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"
192.168.0.133 - admin@EXAMPLE.COM [08/Sep/2016:14:05:23 +0300] "GET /assets/app.6469f06d961e83d45607.js.map HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36"

Request headers:

GET /api/system/sessions HTTP/1.1
Host: graylog.example.com
Connection: keep-alive
Authorization: Basic dW5kZWZpbmVkOnNlc3Npb24=
Accept: application/json
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.92 Safari/537.36
Content-Type: application/json
Referer: https://graylog.example.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,ru;q=0.6
Cookie: gssapi_session=MagBearerToken=XXXYYY

Response headers:

HTTP/1.1 401 Unauthorized
Date: Thu, 08 Sep 2016 11:05:20 GMT
Server: Apache
Set-Cookie: gssapi_session=MagBearerToken=XXXYYY;path=/;httponly;secure;
WWW-Authenticate: Negotiate
Cache-Control: no-cache
Content-Length: 381
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Seems like request to /api/system/sessions breaks Kerberos auth (header WWW-Authenticate: Negotiate) by adding HTTP header "Authorization: Basic dW5kZWZpbmVkOnNlc3Npb24=".

Environment

• Apache HTTP Server Version: 2.4.6
• Graylog Version: 2.1.1
• Plugin Version: 1.0.3
• Elasticsearch Version: 2.4.0
• MongoDB Version: 2.6.12
• Operating System: CentOS Linux 7.2.1511 (64-bit)
• Browser version: Google Chrome 53.0.2785.101 (64-bit)

[hc4]

I had similar problem (but I'm using squid for kerberos auth)
And my solution was to not authorize with kerberos requests containing session auth (authorization header contains session id as login and "session" as password)

[hc4]

Also be sure that XHR requests generated for server name (not ip).
For this web_endpoint_uri should be set to relative (empty string) or http://servername

[acudovs]

Could you share your Squid configuration?

[hc4]

The key part is that:

acl with_session_or_token req_header Authorization ^Basic\s.+(OnNlc3Npb24=|p0b2tlbg==)$
acl authenticated proxy_auth REQUIRED

http_access allow with_session_or_token
http_access deny !authenticated
http_access allow all

[acudovs]

I'm not sure how to mimic this in the Apache configuration.

For Single Sign-On to works properly user session needs to be authenticated using X-Remote-User header. But if I disable Kerberos for some requests to /api/system/sessions the Apache doesn't add X-Remote-User header, authentication fails and Graylog shows standard login form.

[hc4]

graylog will work with session auth header only

[hc4]

check order of auth providers:

[acudovs]

It's true only if you already got the session somehow. I've spent hours trying different configurations. But maybe I just can't catch your point. Do you have spare Apache server to test the above configuration yourself? And don't forget to open a browser in incognito mode or you may share some previous session.

[hc4]

Actualy I don't want to run Apache :)
But my point is that you need to pass X-Remote-User header only until session will be created.
After that you will have session auth and you no longer need Kerberos auth.
Also it is important to have graylog WEB and graylog REST on same address.

[acudovs]

You are just right! I need to create initial session by passing the X-Remote-User header with correct Kerberos user principal in this header but I can't because only Kerberos knows the principal name and it needs to be disabled for the same request. The "chicken or the egg" :) Maybe I should try Squid if it works for you...

But the main problem is that Graylog breaks standard proxy authentication algorithm (including but not limited to Kerberos) by its own unexpected Authorization header.

[hc4]

Yep. Sure graylog auth header is a root problem.
But I still can't get a problem.
Send X-Remote-User header using Kerberos until graylog will generate auth header.
After that X-Remote-User is not needed anymore.

This is what I did with squid config.
It checks auth header with session and passes request if header found.
Otherwise it makes Kerberos auth and sends X-Remote-User

[hc4]

Myabe the problem is that you sending auth header as undefined:session?

[kroepke]

The undefined:session is from the Graylog frontend code, when it tries to find out whether it has a valid session or not.
I'm not sure what you mean by the auth header being the root problem, Graylog is using Basic auth, and has always done that. The SSO plugin only creates a Graylog session based on the externally set trusted headers and does not change anything else about the authentication mechanism.

From my limited Kerberos knowledge, the client needs to follow a few steps to get a valid Kerberos ticket, in which case the client is the Graylog web interface code running in the browser.
We assume Basic auth and this is unlikely to change, to be honest.

[acudovs]

Kerberos works as expected, there is no problem with tickets. But Graylog's Basic auth breaks Kerberos auth as both rely on Authorization header. So, technically SSO plugin can't be used for SSO with Apache + Kerberos. At least, until some workaround is found.

[kroepke]

Ah, then I misunderstood. So Kerberos is relying on being able to use the Authentication header for itself?