Can’t set up Zabbix: Single Sign-On (SSO) Authentication in Active Directory? We can help you.

Here, at Bobcares, we assist our customers with several Zabbix queries, as part of our Server Management Services.

Today, let us focus on how to set up SSO Authentication in Active Directory for Zabbix.

 

Zabbix: Single Sign-On (SSO) Authentication in Active Directory

In this article, let’s see the step-by-step configuration of a transparent SSO (Single Sign-On) authentication for Zabbix in Active Directory using Kerberos.

The end result is that a user is automatically authenticated on the Zabbix frontpage without entering credentials.

To do it, a user must be logged in to Windows under the Active Directory domain account specified in Zabbix. In addition, the user must configure the browser.

To begin, our Support Engineers suggest having:

• Ubuntu Server 18.04 LTS
• Active Directory domain with functional level 2008 (or higher)
• Zabbix Server 4.0.11, Apache2 as a web server

 

Zabbix LDAP Authentication on Active Directory

First of all, we have to bind domain users to Zabbix. To do it, it is enough to create a user in Zabbix with the same login as they have in the AD domain.

For example, if the login (sAMAccountName attribute) is user_5, a user in Zabbix must have the same login.

Do it for each user.

Then create a separate user account in Active Directory to bind Zabbix to our domain.

In practice, we can use any domain account, but it is better to create a separate service account. In this case, it will be zabbix_admin.

To create a user in AD, we will use:

New-ADUser -Name “zabbix_admin” -GivenName “zabbix_admin” -Surname “zabbix_admin” -SamAccountName “zabbix_admin” -AccountPassword (Read-Host -AsSecureString “Password:”) -DisplayName “zabbix_admin” -Enabled $true

Run the command and set a user password. Our new user will be under the Users container in the root of the domain.

Let us configure LDAP authentication in Zabbix. In the Zabbix frontend, go to the LDAP settings tab in Administration -> Authentication.

Check Enable LDAP authentication and fill in the following fields:

• LDAP host: ldap://dc1.domain.local
• Port: 389
• Base DN: DC=domain, DC=local
• Search attribute: sAMAccountName
• Bind DN: CN=zabbix_admin,OU=Users,DC=domain,DC=local

Before completing the configuration, make sure that the settings are valid by doing a test login. Specify a user name and an AD password.

If the test has been successful, save the settings, and change the authentication type in Zabbix from Internal to LDAP:

Enable HTTP authentication (HTTP Settings -> Enable HTTP authentication):

LDAP authentication is configured. If the LDAP server is unavailable, we will not be able to access Zabbix.

To get back to the internal authentication, we open MySQL, and run the following command:

update zabbix.config set authentication_type=’0′ where configid=’1′;

 

Configure a Transparent (Single Sign-On) Authentication in Zabbix

Initially, specify the FQDN name of the server in /etc/hostname that must match the DNS record in the domain. In this case, it is zabbix.domain.local.

Also, write the FQDN of the server for the local IP address and the IP address of the server in /etc/hosts.

127.0.0.1 localhost zabbix.domain.local
10.1.1.10 zabbix.domain.local

In order for Kerberos authentication to work, synchronize time with the domain controller. Install the ntpdate package and bind it to the domain controller.

apt-get install ntp ntpdate
ntpdate dc.domain.local

Chrony is to synchronize time in CentOS 8. The ntp and ntpdate packages are not available in the official repositories.

Now we need to generate a keytab file on a domain controller. Keytab is a file that contains SPN and encrypted keys. Keytab is used for Kerberos-based authentication.

• Log in on the domain controller and run the command prompt as an administrator. Go to C:\.
• Then enter the following:

ktpass -princ HTTP/zabbix.domain.local@DOMAIN.LOCAL -mapuser zabbix_admin -pass STRONGPASS -crypto ALL -ptype KRB5_NT_PRINCIPAL -out zabbix.keytab -setupn –setpass

• Copy C:\zabbix.keytab file to /etc/apache2/ directory on Zabbix server.
• Install Kerberos packages and a module for apache2:

#apt install krb5-user libapache2-mod-auth-kerb

• Then, configure krb5-user. Edit /etc/krb5.cnf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_name = /etc/apache2/zabbix.keytab
dns_lookup_kdc = false
dns_lookup_realm = false
forwardable = true
ticket_lifetime = 24h
[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
default_domain = DOMAIN.LOCAL
admin_server = dc.domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

Specify the domain. In some places, the domain name is written in upper case, follow this rule.

On the other hand look at the line with keytab file path “default_keytab_name = /etc/apache2/zabbix.keytab”. Then make sure that the file is available there.

Grant read permissions on www-data and run:

chown www-data:www-data /etc/apache2/zabbix.keytab

Make sure that Kerberos authentication is working in Linux:

kinit -kV -p HTTP/zabbix.domain.local –t /etc/apache2/zabbix.keytab

We may see this error:

kinit: Client ‘HTTP/zabbix.domain.local@DOMAIN.LOCAL’ not found in Kerberos database while getting initial credentials

In this case, try to authenticate using the credentials of another user:

kinit -pV LOGIN

If the authentication is successful, the problem is with the keytab file. Check if the command to create a keytab file is correct.

Then we make sure that an SPN record for the Zabbix service account exists in AD.

Enter the following command on the domain controller:

setspn -l zabbix_admin

We will see a message like this. It must be in HTTP/zabbix.domain.local format. If there is no record, add it.

setspn -a HTTP/zabbix.domain.local zabbix_admin

Make sure that the user login name changed to HTTP/zabbix.domain.local.

If it has not, change it manually.

Then edit the apache2 configuration file – /etc/apache2/sites-available/000-default.conf.

Later, add the following under the ServerName zabbix.domain.local line:

AuthType Kerberos
AuthName “Kerberos authenticated”
KrbAuthRealms DOMAIN.LOCAL
#KrbServiceName HTTP/zabbix.domain.local
KrbServiceName Any
Krb5Keytab /etc/apache2/zabbix.keytab
KrbMethodNegotiate On
KrbSaveCredentials on
KrbLocalUserMapping on
Require valid-user

If KrbServiceName does not match the name specified in the keytab file, an error occurs. So we can set Any value while testing. After making sure that the system is working, specify the valid service name.

We can check it using:

klist -le /etc/apache2/zabbix.keytab

[Set up SSO Authentication quick! We are here for you!]

 

How to Configure Browsers for Kerberos Authentication?

For Internet Explorer to use Kerberos authentication on Zabbix, we will have to add its URL to Local Intranet sites.

Google Chrome uses Internet Explorer settings, so we do not need to configure it separately.

Open Options -> Security in the IE.

Click Sites in the Local intranet, check the options shown in the screenshot below, and click Advanced:

Later, enter the Zabbix server URL.

Then, go to the Advanced tab and check Enable Integrated Windows Authentication.

Also, we can also put Zabbix URL to the Local Intranet zone using the Group Policies (Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List. Use zone code 1 for intranet sites).

Add the URL of the Zabbix server to the following parameters of about:config for Mozilla Firefox:

network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris

The configuration is over. If we try to access the Zabbix server URL, we will be authenticated automatically and will not be prompted to enter the password.

[Couldn’t configure browser? Contact us now]

 

Kerberos Authentication Debugging & Troubleshooting in Apache

If we have any issues, enable debug mode in apache2:

Enter the following before the closing tag in /etc/apache2/sites-available/000-defaults.conf:

LogLevel trace8

Then we restart apache and check the Kerberos module error in the error.log file.

To make it more convenient, we use the command to filter the entries by the IP address:

tail -f /var/log/apache2/error.log | grep ‘Our IP address’

Similarly, to work with and diagnose Kerberos, we can use kinit and klist commands.

kinit is a tool to get and cache Kerberos tickets, for example:

kinit –V -k -t /etc/apache2/zabbix.keytab –p HTTP/zabbix.domain.local@DOMAIN.LOCAL

If we have generated our keytab file correctly, the command will run. As a result, we will get a message that the authentication has been successful.

Using klist, we can view cached Kerberos tickets:

klist -a

[Find it hard to set? We’d be happy to assist]

 

Conclusion

To conclude, setting Zabbix: Single Sign-On (SSO) Authentication in Active Directory helps users authenticate the Zabbix frontpage without entering credentials. Today, we saw the steps our Support Engineers employ in this regard.