[ZBXNEXT-1856] Web Scenario and HTTP agent with Kerberos Authentication Delegation
Created: 2013 Aug 09    Updated: 2020 Apr 03    Resolved: 2019 Jun 20

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Proxy (P), Server (S)
Affects Version/s: None
Fix Version/s: 4.4.0alpha1, 4.4 (plan)
Type: New Feature Request
Priority: Trivial
Reporter: SR
Assignee: Andrejs Kozlovs
Resolution: Fixed
Votes: 6
Labels: authentication, kerberos, webmonitoring
Σ Remaining Estimate: Not Specified    Remaining Estimate: Not Specified
Σ Time Spent: Not Specified    Time Spent: Not Specified
Σ Original Estimate: Not Specified    Original Estimate: Not Specified
Environment: Windows Server 2008 R2; IIS 7.5 with Auth Delegation configured to pass credentials to third server; Active Directory
Issue Links:
Sub-Tasks:
Team: Team A
Sprint: Sprint 52 (May 2019), Sprint 53 (Jun 2019)
Story Points: 1
Description
Hello

Comments
Comment by richlv [ 2013 Aug 09 ]
Zabbix web monitoring only supports basic HTTP and NTLM authentication.
Comment by Oleksii Zagorskyi [ 2013 Aug 10 ]
The auth which SR asks for is a bit of a different thing. NTLM auth (we consider the browser side) for a web site also can be: The main idea is not to force a user (logged in to the domain) to type anything to authenticate on a particular web site. The Kerberos auth can be (as I remember) only of the negotiate type. Current browsers which support the negotiate (NTLM, Kerberos) auth are IE, Firefox, Chrome (only the last 2-3 years). It also can be used for transparent user auth on an HTTP proxy server (I used it). I hope the info above will be useful to someone.
Comment by SR [ 2013 Aug 10 ]
Indeed Oleksiy, that's exactly the mechanism I was referring to. I agree that as the Zabbix server is not logged into the domain, you could argue there is no sense. But as the aim of monitoring a web application is to reproduce real activity, to check at regular intervals that everything works fine, I could argue that it would be valuable to handle such a mechanism with Zabbix. As under Linux with the kerberos package, you can init forwardable tickets with kinit and afterwards maybe transfer the hash within the HTTP auth handshake, for example.
Comment by Oleksii Zagorskyi [ 2013 Aug 10 ]
Yeah, the world calls it SSO. The last sentence sounds funny.
Comment by SR [ 2013 Aug 10 ]
At first sight it seems it supports:
Comment by Gergely Czuczy [ 2014 Apr 04 ]
Actually it would be nice if a different keytab could be specified for each web scenario. That is, we could use different Kerberos credentials to monitor different web sites. In a corporate environment services are usually kerberized, including web services as well, and monitoring these is also required. At least, in an enterprise environment.
Comment by Tobias Botens [ 2018 Jan 30 ]
We also need this feature for our company! Here are some hints for the Zabbix developers: in the Zabbix source code (3.4.6), inside the switch structure (httptest->httptest.authentication), you need to set curlauth = CURLAUTH_NEGOTIATE; for Kerberos authentication. Therefore you need a properly configured Kerberos:
I hope this will help to find a solution for Kerberos web checks! Of course, inside the dropdown of the web GUI a corresponding field needs to be added, setting the value HTTPTEST_AUTH_KERBEROS. I guess the source code of the zabbix-proxy should be: case HTTPTEST_AUTH_KERBEROS: Relevant part of the CURL documentation: https://curl.haxx.se/libcurl/c/CURLOPT_HTTPAUTH.html Important! You need to build libcurl with a suitable GSS-API library or SSPI on Windows for this to work.
Comment by Monitoring Team [ 2019 Mar 26 ]
We would like to also see Kerberos authentication added to the web and newer "http agent" related checks in Zabbix.
We are looking to query elasticsearch from Zabbix using the item level http request. The elastic cluster in question only allows kerberos authentication. Example of a curl request currently looks like:
    kinit userid@OX.AC.UK
    curl -u : --negotiate https://domain.ox.ac.uk/elasticsearch/
Comment by Vladislavs Sokurenko [ 2019 May 09 ]
Following patch should be enough for server side: diff --git a/include/common.h b/include/common.h index a8b79b613b..7cab444832 100644 --- a/include/common.h +++ b/include/common.h @@ -899,7 +899,8 @@ typedef enum { HTTPTEST_AUTH_NONE = 0, HTTPTEST_AUTH_BASIC, - HTTPTEST_AUTH_NTLM + HTTPTEST_AUTH_NTLM, + HTTPTEST_AUTH_NEGOTIATE } zbx_httptest_auth_t; diff --git a/src/libs/zbxhttp/http.c b/src/libs/zbxhttp/http.c index ca7c20c4ac..bdf39f1856 100644 --- a/src/libs/zbxhttp/http.c +++ b/src/libs/zbxhttp/http.c @@ -149,6 +149,9 @@ int zbx_http_prepare_auth(CURL *easyhandle, unsigned char authtype, const char * case HTTPTEST_AUTH_NTLM: curlauth = CURLAUTH_NTLM; break; + case HTTPTEST_AUTH_NEGOTIATE: + curlauth = CURLAUTH_NEGOTIATE; + break; default: THIS_SHOULD_NEVER_HAPPEN; break; diff --git a/src/zabbix_server/trapper/trapper.c b/src/zabbix_server/trapper/trapper.c But same changes need to be implemented in frontend. |
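Review bot: in the include/common.h hunk, HTTPTEST_AUTH_NEGOTIATE is appended after HTTPTEST_AUTH_NTLM, so it takes the next implicit enum value and the authentication values already stored for existing scenarios keep their meaning; the frontend constant and whatever validates the allowed range of the authentication field must be updated to that same numeric value, otherwise the server accepts a value the frontend can never set (the comment already notes the frontend work, but the value coupling is worth stating in the patch).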
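Review bot: in the src/libs/zbxhttp/http.c hunk, `curlauth = CURLAUTH_NEGOTIATE;` is compiled unconditionally although the symbol only exists from libcurl 7.38.0 (see Glebs's comment below), so the new case should be wrapped in `#if LIBCURL_VERSION_NUM >= 0x072600` with an explicit error for older builds instead of a compile failure; the call that later applies curlauth through CURLOPT_HTTPAUTH (outside this hunk) should also treat CURLE_NOT_BUILT_IN as a configuration error, because a libcurl built without GSS-API/SSPI rejects the Negotiate bit at runtime rather than at build time.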
Comment by Monitoring Team [ 2019 May 15 ]
Sounds promising Vladislavs. What would need to be patched for the frontend? Any plans to roll into the main product?
Comment by Vladislavs Sokurenko [ 2019 May 15 ]
We are currently looking into this and will let you know soon bdlss-infra
Comment by Malcolm [ 2019 May 16 ]
Could these other two issues, referencing digest authentication, be grouped into this change as well?
Comment by Glebs Ivanovskis [ 2019 May 16 ]
Note that CURLAUTH_NEGOTIATE is supported since 7.38.0, so a LIBCURL_VERSION_NUM check is also needed.
Comment by Andrejs Kozlovs [ 2019 May 20 ]
(1) [D] Steps to configure Kerberos with Zabbix server to perform web monitoring of www.example.com with user 'zabbix':
1. Install the Kerberos package: apt install krb5-user (for RHEL/CentOS: yum install krb5-workstation)
2. Configure the Kerberos configuration file, cat /etc/krb5.conf:
    [libdefaults]
        default_realm = EXAMPLE.COM
        # The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
    [realms]
        EXAMPLE.COM = {
        }
    [domain_realm]
        .example.com=EXAMPLE.COM
        example.com=EXAMPLE.COM
3. Create a Kerberos ticket for user 'zabbix': kinit zabbix
4. Create a web scenario or HTTP agent item with the Kerberos authentication type.
Optionally it can be tested with the following curl command:
    curl -v --negotiate -u : http://example.com
During long-running web monitoring it is necessary to take care of Kerberos ticket renewal. The default ticket lifetime is 10h.
martins-v Also added to general documentation. RESOLVED
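Ticket maintenance for the renewal caveat in the steps above, as an added example that is neither Zabbix code nor part of this issue: it parses MIT `klist` output, decides whether the monitoring user's TGT is within an hour of expiring, and renews it from a keytab. The principal and keytab path are caller-supplied assumptions and the klist listing is constructed.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of MIT Kerberos `klist` output (not captured from a real host);
# the date format matches recent MIT klist, older builds print two-digit years.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_zabbix
Default principal: zabbix@EXAMPLE.COM

Valid starting       Expires              Service principal
05/20/2019 10:00:00  05/20/2019 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/27/2019 10:00:00
"""

# The TGT line: start time, expiry time, then a krbtgt/<REALM>@<REALM> principal.
TGT_LINE = re.compile(
    r"^(?P<start>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<expires>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+krbtgt/"
)


def tgt_expiry(klist_output):
    """Return the expiry time of the krbtgt ticket in a klist listing, or None if absent."""
    for line in klist_output.splitlines():
        m = TGT_LINE.match(line.strip())
        if m:
            return datetime.strptime(m.group("expires"), "%m/%d/%Y %H:%M:%S")
    return None


def needs_renewal(klist_output, now, margin=timedelta(hours=1)):
    """True when there is no TGT or it expires within `margin` of `now`."""
    expires = tgt_expiry(klist_output)
    return expires is None or expires - now < margin


def ensure_ticket(principal, keytab, margin=timedelta(hours=1)):
    """Renew the monitoring user's TGT from a keytab when it is about to expire.

    `principal` and `keytab` are assumed values supplied by the caller, e.g.
    'zabbix@EXAMPLE.COM' and '/etc/zabbix/zabbix.keytab'. Returns True if kinit ran.
    """
    try:
        listing = subprocess.run(["klist"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        listing = ""  # krb5 client tools missing: treat as "no ticket"
    if not needs_renewal(listing, datetime.now(), margin):
        return False
    subprocess.run(["kinit", "-k", "-t", keytab, principal], check=True)
    return True
```

Run `ensure_ticket()` from cron as the account the Zabbix server process runs under, so the credential cache it renews is the one libcurl reads.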
Comment by Monitoring Team [ 2019 May 22 ]
Please could you confirm if the HTTP Agent function (eg. HTTP Request within the Item checks) will also include the negotiate option? We now mostly use HTTP Agent / HTTP request item checks rather than the web scenarios.
Comment by Vladislavs Sokurenko [ 2019 May 23 ]
Yes bdlss-infra HTTP agent will also include negotiate option.
Comment by Andrejs Kozlovs [ 2019 Jun 10 ]
Fixed in:
Comment by Alexander Vladishev [ 2019 Jun 20 ]
Updated documentation: