Bobcares

WeSupport

Call Us! 1-800-383-5193
Call Us! 1-800-383-5193
Call Us! 1-800-383-5193

Need Help?

Emergency Response Time custom

Our experts have had an average response time of 12.45 minutes in December 2020 to fix urgent issues.

We will keep your servers stable, secure and fast at all times for one fixed price.

Zabbix: Single Sign-On (SSO) Authentication in Active Directory

by | Jan 11, 2021

Can’t set up Zabbix: Single Sign-On (SSO) Authentication in Active Directory? We can help you.

Here, at Bobcares, we assist our customers with several Zabbix queries, as part of our Server Management Services.

Today, let us focus on how to set up SSO Authentication in Active Directory for Zabbix.

 

Zabbix: Single Sign-On (SSO) Authentication in Active Directory

In this article, let’s see the step-by-step configuration of a transparent SSO (Single Sign-On) authentication for Zabbix in Active Directory using Kerberos.

The end result is that a user is automatically authenticated on the Zabbix frontpage without entering credentials.

To do it, a user must be logged in to Windows under the Active Directory domain account specified in Zabbix. In addition, the user must configure the browser.

To begin, our Support Engineers suggest having:

  • Ubuntu Server 18.04 LTS
  • Active Directory domain with functional level 2008 (or higher)
  • Zabbix Server 4.0.11, Apache2 as a web server

 

Zabbix LDAP Authentication on Active Directory

First of all, we have to bind domain users to Zabbix. To do it, it is enough to create a user in Zabbix with the same login as they have in the AD domain.

For example, if the login (sAMAccountName attribute) is user_5, a user in Zabbix must have the same login.

Zabbix: Single Sign-On (SSO) Authentication in Active Directory

Do it for each user.

Then create a separate user account in Active Directory to bind Zabbix to our domain.

In practice, we can use any domain account, but it is better to create a separate service account. In this case, it will be zabbix_admin.

To create a user in AD, we will use:

New-ADUser -Name “zabbix_admin” -GivenName “zabbix_admin” -Surname “zabbix_admin” -SamAccountName “zabbix_admin” -AccountPassword (Read-Host -AsSecureString “Password:”) -DisplayName “zabbix_admin” -Enabled $true

Run the command and set a user password. Our new user will be under the Users container in the root of the domain.

Let us configure LDAP authentication in Zabbix. In the Zabbix frontend, go to the LDAP settings tab in Administration -> Authentication.

Check Enable LDAP authentication and fill in the following fields:

  • LDAP host: ldap://dc1.domain.local
  • Port: 389
  • Base DN: DC=domain, DC=local
  • Search attribute: sAMAccountName
  • Bind DN: CN=zabbix_admin,OU=Users,DC=domain,DC=local

Before completing the configuration, make sure that the settings are valid by doing a test login. Specify a user name and an AD password.

Zabbix: Single Sign-On (SSO) Authentication in Active Directory

If the test has been successful, save the settings, and change the authentication type in Zabbix from Internal to LDAP:

Zabbix

Enable HTTP authentication (HTTP Settings -> Enable HTTP authentication):

Zabbix

LDAP authentication is configured. If the LDAP server is unavailable, we will not be able to access Zabbix.

To get back to the internal authentication, we open MySQL, and run the following command:

update zabbix.config set authentication_type=’0′ where configid=’1′;

 

Configure a Transparent (Single Sign-On) Authentication in Zabbix

Initially, specify the FQDN name of the server in /etc/hostname that must match the DNS record in the domain. In this case, it is zabbix.domain.local.

Also, write the FQDN of the server for the local IP address and the IP address of the server in /etc/hosts.

127.0.0.1 localhost zabbix.domain.local
10.1.1.10 zabbix.domain.local

In order for Kerberos authentication to work, synchronize time with the domain controller. Install the ntpdate package and bind it to the domain controller.

apt-get install ntp ntpdate
ntpdate dc.domain.local

Chrony is to synchronize time in CentOS 8. The ntp and ntpdate packages are not available in the official repositories.

Now we need to generate a keytab file on a domain controller. Keytab is a file that contains SPN and encrypted keys. Keytab is used for Kerberos-based authentication.

  • Log in on the domain controller and run the command prompt as an administrator. Go to C:\.
  • Then enter the following:
ktpass -princ HTTP/zabbix.domain.local@DOMAIN.LOCAL -mapuser zabbix_admin -pass STRONGPASS -crypto ALL -ptype KRB5_NT_PRINCIPAL -out zabbix.keytab -setupn –setpass
  • Copy C:\zabbix.keytab file to /etc/apache2/ directory on Zabbix server.
  • Install Kerberos packages and a module for apache2:
#apt install krb5-user libapache2-mod-auth-kerb
  • Then, configure krb5-user. Edit /etc/krb5.cnf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_name = /etc/apache2/zabbix.keytab
dns_lookup_kdc = false
dns_lookup_realm = false
forwardable = true
ticket_lifetime = 24h
[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
default_domain = DOMAIN.LOCAL
admin_server = dc.domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

Specify the domain. In some places, the domain name is written in upper case, follow this rule.

On the other hand look at the line with keytab file path “default_keytab_name = /etc/apache2/zabbix.keytab”. Then make sure that the file is available there.

Grant read permissions on www-data and run:

chown www-data:www-data /etc/apache2/zabbix.keytab

Make sure that Kerberos authentication is working in Linux:

kinit -kV -p HTTP/zabbix.domain.local –t /etc/apache2/zabbix.keytab
We may see this error:
kinit: Client ‘HTTP/zabbix.domain.local@DOMAIN.LOCAL’ not found in Kerberos database while getting initial credentials

In this case, try to authenticate using the credentials of another user:

kinit -pV LOGIN

If the authentication is successful, the problem is with the keytab file. Check if the command to create a keytab file is correct.

Then we make sure that an SPN record for the Zabbix service account exists in AD.

Enter the following command on the domain controller:

setspn -l zabbix_admin

We will see a message like this. It must be in HTTP/zabbix.domain.local format. If there is no record, add it.

setspn -a HTTP/zabbix.domain.local zabbix_admin

Make sure that the user login name changed to HTTP/zabbix.domain.local.

If it has not, change it manually.

Then edit the apache2 configuration file – /etc/apache2/sites-available/000-default.conf.

Later, add the following under the ServerName zabbix.domain.local line:

<Location />
AuthType Kerberos
AuthName “Kerberos authenticated”
KrbAuthRealms DOMAIN.LOCAL
#KrbServiceName HTTP/zabbix.domain.local
KrbServiceName Any
Krb5Keytab /etc/apache2/zabbix.keytab
KrbMethodNegotiate On
KrbSaveCredentials on
KrbLocalUserMapping on
Require valid-user
</Location>

If KrbServiceName does not match the name specified in the keytab file, an error occurs. So we can set Any value while testing. After making sure that the system is working, specify the valid service name.

We can check it using:

klist -le /etc/apache2/zabbix.keytab

[Set up SSO Authentication quick! We are here for you!]

 

How to Configure Browsers for Kerberos Authentication?

For Internet Explorer to use Kerberos authentication on Zabbix, we will have to add its URL to Local Intranet sites.

Google Chrome uses Internet Explorer settings, so we do not need to configure it separately.

Open Options -> Security in the IE.

Click Sites in the Local intranet, check the options shown in the screenshot below, and click Advanced:

Single Sign-On (SSO) Authentication in Active Directory

Later, enter the Zabbix server URL.

Then, go to the Advanced tab and check Enable Integrated Windows Authentication.

Also, we can also put Zabbix URL to the Local Intranet zone using the Group Policies (Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List. Use zone code 1 for intranet sites).

Add the URL of the Zabbix server to the following parameters of about:config for Mozilla Firefox:

network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris

The configuration is over. If we try to access the Zabbix server URL, we will be authenticated automatically and will not be prompted to enter the password.

[Couldn’t configure browser? Contact us now]

 

Kerberos Authentication Debugging & Troubleshooting in Apache

If we have any issues, enable debug mode in apache2:

Enter the following before the closing </VirtualHost> tag in /etc/apache2/sites-available/000-defaults.conf:

LogLevel trace8

Then we restart apache and check the Kerberos module error in the error.log file.

To make it more convenient, we use the command to filter the entries by the IP address:

tail -f /var/log/apache2/error.log | grep ‘Our IP address’

Similarly, to work with and diagnose Kerberos, we can use kinit and klist commands.

kinit is a tool to get and cache Kerberos tickets, for example:

kinit –V -k -t /etc/apache2/zabbix.keytab –p HTTP/zabbix.domain.local@DOMAIN.LOCAL

If we have generated our keytab file correctly, the command will run. As a result, we will get a message that the authentication has been successful.

Using klist, we can view cached Kerberos tickets:

klist -a

[Find it hard to set? We’d be happy to assist]

 

Conclusion

To conclude, setting Zabbix: Single Sign-On (SSO) Authentication in Active Directory helps users authenticate the Zabbix frontpage without entering credentials. Today, we saw the steps our Support Engineers employ in this regard.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF