[ZBXNEXT-1856] Web Scenario and HTTP agent with Kerberos Authentication Delegation Created: 2013 Aug 09  Updated: 2020 Apr 03  Resolved: 2019 Jun 20

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Proxy (P), Server (S)
Affects Version/s: None
Fix Version/s: 4.4.0alpha1, 4.4 (plan)

Type: New Feature Request Priority: Trivial
Reporter: SR Assignee: Andrejs Kozlovs
Resolution: Fixed Votes: 6
Labels: authentication, kerberos, webmonitoring
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified
Environment:

Windows Server 2008 R2; IIS 7.5 with Auth Delegation configured to pass credentials to third server; Active Directory


Issue Links:
Duplicate
Sub-task
part of ZBXNEXT-4647 Digest Authentication for HTTP Agent Closed
part of ZBXNEXT-1778 Digest Authentication for Web Monitoring Open
Sub-Tasks:
Key | Summary | Type | Status | Assignee
ZBXNEXT-5223 | Frontend change for Web Scenario and ... | Change Request (Sub-task) | Closed | Vasily Goncharenko
Team: Team A
Sprint: Sprint 52 (May 2019), Sprint 53 (Jun 2019)
Story Points: 1

Description

Hello
When creating a Web Scenario for a website with Windows Authentication and Impersonation configured, I get a 500 error code, which means the network negotiation did not use the Kerberos delegation mechanism.
I get the same error when network.negotiate-auth.delegation-uris=mydomain and network.negotiate-auth.trusted-uris=mydomain are not configured in Firefox.
Is it a known issue?
Regards



Comments
Comment by richlv [ 2013 Aug 09 ]

Zabbix web monitoring only supports basic HTTP and NTLM authentication.

Comment by Oleksii Zagorskyi [ 2013 Aug 10 ]

The auth which SR asks for is a bit of a different thing.
I know the Firefox parameters mentioned above.

NTLM auth (we consider the browser side) for a web site also can be:
basic (need to type login/pass in a pop-up window)
or negotiate (transparent - the user does not type anything and is authenticated as the user currently logged in to the Windows domain).

The main idea is to not force the user (logged in to the domain) to type anything to authenticate on a particular web site.
But the Zabbix server will never be "logged in to the domain", so it looks like there is not much sense in thinking about negotiate auth type support.

The Kerberos auth can be (as I remember) only of the negotiate type.
As I remember every GET request (or TCP connection?) requires a 2-4 auth message exchange between browser and web server before actual data will be returned to the browser. No passwords are passed there as clear text, only "hashes" are used.

Current browsers which support the negotiate (NTLM, Kerberos) auth are IE, Firefox, Chrome (only in the last 2-3 years).
Opera never tried to implement it.

It also can be used for transparent user auth on an HTTP proxy server (I used it).

I hope the info above will be useful to someone.

Comment by SR [ 2013 Aug 10 ]

Indeed Oleksiy, that's exactly the mechanism I was referring to.
We use it for SSO in fact.

I agree that as the Zabbix server is not logged in to the domain, you could argue there is no sense.

But as the aim of monitoring a web application is to reproduce real activity, to watch at regular intervals that everything works fine, I could argue that it would be valuable to handle such a mechanism with Zabbix.

As under Linux with the kerberos package you can init forwardable tickets with kinit and after that maybe transfer the hash within the HTTP auth handshake, for example.

Comment by Oleksii Zagorskyi [ 2013 Aug 10 ]

Yeah, the world calls it SSO.

The last sentence sounds funny.
It could be considered (theoretically) only if libcurl (used by the Zabbix server for web checks) supports something related to Kerberos/NTLM + digest auth.

Comment by SR [ 2013 Aug 10 ]

At first sight it seems it supports it:
http://stackoverflow.com/questions/17535295/kerberos-authentication-with-sspi
but under which context, that is the question.
I must make some tests...

Comment by Gergely Czuczy [ 2014 Apr 04 ]

Actually it would be nice if a different keytab could be specified for each web scenario. That is, we could use different kerberos credentials to monitor different web sites. In a corporate environment services are usually kerberized, including web services as well, and monitoring these is also required. At least, in an enterprise environment.

Comment by Tobias Botens [ 2018 Jan 30 ]

We also need this feature for our company!

Here are some hints for the Zabbix developers:

In the Zabbix source code (3.4.6)
FILE: zabbix_server/httppoller/httptest.c

Inside the switch structure (httptest->httptest.authentication) you need to set

curlauth = CURLAUTH_NEGOTIATE;

for Kerberos authentication.

Therefore you need a properly configured Kerberos:

  • Kerberos package for your distribution (e.g. Ubuntu: krb5-user)
  • a valid /etc/krb5.conf
  • you can validate your configuration via kinit <username>
  • test your Kerberos config against the Kerberos-enabled URL: curl --negotiate -u : https://your.url
  • then you should see a valid Kerberos token, using klist
  • The kinit should run periodically (e.g. once per 10 minutes), for example from a cron job. It will produce a cache file for the Unix user in /tmp/

I hope this will help to find a solution for Kerberos web checks! Of course, inside the dropdown of the web GUI a corresponding field needs to be added, setting the value HTTPTEST_AUTH_KERBEROS.

I guess the source code of the zabbix-proxy should be:

case HTTPTEST_AUTH_KERBEROS:
	curlauth = CURLAUTH_NEGOTIATE;
	break;

Relevant part of the curl documentation: https://curl.haxx.se/libcurl/c/CURLOPT_HTTPAUTH.html

Important! You need to build libcurl with a suitable GSS-API library or SSPI on Windows for this to work.

Comment by Monitoring Team [ 2019 Mar 26 ]

We would like to also see Kerberos authentication added to the web and newer "HTTP agent" related checks in Zabbix.

We are looking to query Elasticsearch from Zabbix using the item-level HTTP request. The Elastic cluster in question only allows Kerberos authentication.

An example curl request currently looks like:

kinit userid@OX.AC.UK

curl -u : --negotiate https://domain.ox.ac.uk/elasticsearch/


Comment by Vladislavs Sokurenko [ 2019 May 09 ]

The following patch should be enough for the server side:

diff --git a/include/common.h b/include/common.h
index a8b79b613b..7cab444832 100644
--- a/include/common.h
+++ b/include/common.h
@@ -899,7 +899,8 @@ typedef enum
 {
        HTTPTEST_AUTH_NONE = 0,
        HTTPTEST_AUTH_BASIC,
-       HTTPTEST_AUTH_NTLM
+       HTTPTEST_AUTH_NTLM,
+       HTTPTEST_AUTH_NEGOTIATE
 }
 zbx_httptest_auth_t;
 
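Review bot: HTTPTEST_AUTH_NEGOTIATE is appended after HTTPTEST_AUTH_NTLM and so takes the value 3, and that number is what gets persisted in httptest.authentication (the field the switch in httptest.c selects on) and what the frontend, which still has to be changed per the note below, will have to send back. Please add a short comment on the enum saying the values are stored and must not be reordered, and make sure the frontend constant and the API validation for the authentication field accept exactly this value 3 for web scenarios and HTTP agent items, otherwise the server hits THIS_SHOULD_NEVER_HAPPEN in zbx_http_prepare_auth for a value the frontend does not know.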
diff --git a/src/libs/zbxhttp/http.c b/src/libs/zbxhttp/http.c
index ca7c20c4ac..bdf39f1856 100644
--- a/src/libs/zbxhttp/http.c
+++ b/src/libs/zbxhttp/http.c
@@ -149,6 +149,9 @@ int zbx_http_prepare_auth(CURL *easyhandle, unsigned char authtype, const char *
                        case HTTPTEST_AUTH_NTLM:
                                curlauth = CURLAUTH_NTLM;
                                break;
+                       case HTTPTEST_AUTH_NEGOTIATE:
+                               curlauth = CURLAUTH_NEGOTIATE;
+                               break;
                        default:
                                THIS_SHOULD_NEVER_HAPPEN;
                                break;
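Review bot: CURLAUTH_NEGOTIATE only exists in libcurl 7.38.0 and later (Glebs Ivanovskis raises the same point below), so the new case needs a version guard or the build breaks on older libcurl; something like `#if LIBCURL_VERSION_NUM >= 0x072600` around the case, with an `#else` branch that reports "Negotiate authentication requires libcurl 7.38.0 or newer" as the item error instead of silently falling through to THIS_SHOULD_NEVER_HAPPEN. Two related things are not visible in this hunk and are worth checking: every curl example in this issue passes `-u :`, so confirm that zbx_http_prepare_auth still sets CURLOPT_USERPWD/CURLOPT_USERNAME for the Negotiate case rather than skipping the credential setup when the user name is empty; and a runtime check of curl_version_info()->features for CURL_VERSION_SPNEGO would turn a libcurl built without GSS-API (the caveat in Tobias Botens' comment) into a clear item error instead of an unexplained 401.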
diff --git a/src/zabbix_server/trapper/trapper.c b/src/zabbix_server/trapper/trapper.c

But the same changes need to be implemented in the frontend.

Comment by Monitoring Team [ 2019 May 15 ]

Sounds promising Vladislavs. What would need to be patched for the frontend?

Any plans to roll into the main product?

Comment by Vladislavs Sokurenko [ 2019 May 15 ]

We are currently looking into this and will let you know soon, bdlss-infra.

Comment by Malcolm [ 2019 May 16 ]

Could these other two issues, referencing digest authentication, be grouped into this change as well?

https://support.zabbix.com/browse/ZBXNEXT-1778

https://support.zabbix.com/browse/ZBXNEXT-4647

Comment by Glebs Ivanovskis [ 2019 May 16 ]

Note that CURLAUTH_NEGOTIATE has only been supported since 7.38.0, so a LIBCURL_VERSION_NUM check is also needed.

Comment by Andrejs Kozlovs [ 2019 May 20 ]

(1) [D] Steps to configure Kerberos with Zabbix server to perform web monitoring of www.example.com with user 'zabbix':

1. Install the Kerberos package:
for Ubuntu/Debian:

apt install krb5-user

for RHEL/CentOS:

yum install krb5-workstation

2. Configure the Kerberos configuration file
(see the MIT documentation for details)

cat /etc/krb5.conf 
[libdefaults]
	default_realm = EXAMPLE.COM

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

[realms]
	# No kdc/admin_server entries: the KDCs are located via DNS SRV records
	EXAMPLE.COM = {
	}

[domain_realm]
	.example.com=EXAMPLE.COM
	example.com=EXAMPLE.COM

3. Create a Kerberos ticket for user 'zabbix'

kinit zabbix

4. Create a web scenario or HTTP agent item with the Kerberos authentication type

Optionally this can be tested with the following curl command:

curl -v --negotiate -u : http://example.com

During long-running web monitoring it is necessary to take care of Kerberos ticket renewal. The default ticket expiration time is 10h.

martins-v Also added to the general documentation. RESOLVED
ak CLOSED
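The ticket-renewal step above, and the periodic-kinit cron hint in Tobias Botens' comment, leave the unattended part to the reader. The script below is an added example written for this page; it is not part of the Zabbix project or of either comment. It assumes things the issue does not state: a keytab for the 'zabbix' principal at /etc/zabbix/zabbix.keytab (so no password is stored anywhere), the principal zabbix@EXAMPLE.COM, MIT Kerberos klist output in the C locale, and a fixed credential cache at /tmp/krb5cc_zabbix that both the cron job and zabbix_server use via KRB5CCNAME. The klist sample inside it is constructed for illustration.

```shell
#!/bin/sh
# zabbix-krb5-renew.sh: keep a Kerberos TGT available for the Zabbix server.
# Added example, not Zabbix project code. Assumed (not from the issue):
# keytab path, principal, credential cache path, MIT klist in the C locale.
# Intended for the zabbix user's crontab, e.g. every 10 minutes:
#   */10 * * * * KRB5CCNAME=FILE:/tmp/krb5cc_zabbix /usr/local/bin/zabbix-krb5-renew.sh
# The same KRB5CCNAME must be set in the zabbix_server environment so the
# httppoller / HTTP agent pollers (libcurl, CURLAUTH_NEGOTIATE) find the ticket.

KEYTAB=${KEYTAB:-/etc/zabbix/zabbix.keytab}          # assumed location
PRINCIPAL=${PRINCIPAL:-zabbix@EXAMPLE.COM}           # assumed principal
KRB5CCNAME=${KRB5CCNAME:-FILE:/tmp/krb5cc_zabbix}    # shared with zabbix_server
export KRB5CCNAME
MIN_LEFT=${MIN_LEFT:-1800}   # renew when fewer than 30 minutes remain

# Constructed sample of MIT 'klist' output (C locale), used for offline checks.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_zabbix
Default principal: zabbix@EXAMPLE.COM

Valid starting       Expires              Service principal
05/20/2019 10:00:00  05/20/2019 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 05/27/2019 10:00:00'

# ticket_seconds_left KLIST_OUTPUT NOW
#   Finds the krbtgt line in MIT klist output and prints the seconds between
#   NOW and the ticket expiry (negative if expired, -1 if no TGT is listed).
#   Timestamps are 'MM/DD/YYYY HH:MM:SS'; 2-digit years are accepted because
#   klist's date format is locale dependent. Local time is treated as if it
#   were UTC on both sides, so the difference is exact without 'date -d'.
ticket_seconds_left() {
    printf '%s\n' "$1" | awk -v now="$2" '
        # days since 1970-01-01 for a civil date (Howard Hinnant algorithm)
        function days(y, m, d,   era, yoe, doy, doe) {
            if (y < 100) y += 2000
            y -= (m <= 2)
            era = int((y >= 0 ? y : y - 399) / 400)
            yoe = y - era * 400
            doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return era * 146097 + doe - 719468
        }
        function epoch(dt, tm,   d, t) {
            split(dt, d, "/"); split(tm, t, ":")
            return days(d[3] + 0, d[1] + 0, d[2] + 0) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        }
        BEGIN { split(now, n, " "); now_e = epoch(n[1], n[2]); found = 0 }
        # columns: valid-from date, time, expiry date, time, service principal
        $5 ~ /^krbtgt\// { print epoch($3, $4) - now_e; found = 1; exit }
        END { if (!found) print -1 }
    '
}

# renew_if_needed: fetch a fresh TGT from the keytab when no ticket is cached,
# when it has expired, or when fewer than MIN_LEFT seconds remain.
renew_if_needed() {
    left=$(ticket_seconds_left "$(LC_ALL=C klist 2>/dev/null)" "$(date '+%m/%d/%Y %H:%M:%S')")
    if [ "$left" -lt "$MIN_LEFT" ]; then
        # -k -t: non-interactive, key taken from the keytab (keep it mode 0600)
        kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
        echo "renewed TGT for $PRINCIPAL (had ${left}s left)"
    fi
}

# check_url URL: perform the same SPNEGO exchange Zabbix will perform and print
# the HTTP status. '-u :' makes curl use Negotiate with the cached ticket; curl
# must be built with GSS-API/SPNEGO support, as for libcurl in zabbix_server.
check_url() {
    curl -sS -o /dev/null -w '%{http_code}\n' --negotiate -u : "$1"
}

# Runs only when executed under its own name, so the functions can be sourced.
if [ "${0##*/}" = "zabbix-krb5-renew.sh" ]; then
    renew_if_needed
    [ -n "$1" ] && check_url "$1"
fi
```

Run the cron job as the zabbix user (or set KRB5CCNAME in the service unit's environment), otherwise kinit writes its cache to a different /tmp/krb5cc_<uid> than the one zabbix_server reads and every check still gets a 401. Heimdal klist prints dates in a different layout, so the parser would need adjusting there.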

Comment by Monitoring Team [ 2019 May 22 ]

Please could you confirm if the HTTP Agent function (eg. HTTP Request within the Item checks) will also include the negotiate option?

We now mostly use HTTP Agent / HTTP request item checks rather than the web scenarios.

Comment by Vladislavs Sokurenko [ 2019 May 23 ]

Yes, bdlss-infra, the HTTP agent will also include the negotiate option.

Comment by Andrejs Kozlovs [ 2019 Jun 10 ]

Fixed in:

  • 4.4.0alpha1 (trunk) 33e64165889
Comment by Alexander Vladishev [ 2019 Jun 20 ]

Updated documentation:

Generated at Fri Mar 29 04:05:32 EET 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.