djkormo / adcs-issuer

BSD 3-Clause "New" or "Revised" License

unable to get the adcs issuer to successfully authenticate to adcs #97

Open evangraudins opened 1 week ago

evangraudins commented 1 week ago

Is there anything special I need to do on ADCS or IIS Manager to allow this login to work? I have tested the account credentials through a web browser and the login is successful. I have tried formatting the credentials as account@domain and domain\account. Is it possible to fall back to basic authentication rather than NTLM?

Windows security log1 account@domain:

An account failed to log on.
Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: account@domain
  Account Domain:
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xC000006D
  Sub Status: 0xC0000064
Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
Network Information:
  Workstation Name: -
  Source Network Address: 1.2.3.4
  Source Port: 29590
Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

Windows security log2 domain\account:

An account failed to log on.
Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: username
  Account Domain: domain
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xC000006D
  Sub Status: 0xC0000064
Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
Network Information:
  Workstation Name: -
  Source Network Address: 1.2.3.4
  Source Port: 63290
Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

apiVersion: adcs.certmanager.csf.nokia.com/v1
kind: ClusterAdcsIssuer
metadata:
  name: adcs-cluster-issuer
spec:
  caBundle: redacted
  credentialsRef:
    name: adcs-issuer-credentials
  statusCheckInterval: 5m
  retryInterval: 5m
  url: https://hostname/certsrv # external host
  templateName: adcstemplate # external template

apiVersion: v1
kind: Secret
metadata:
  name: adcs-issuer-credentials
  namespace: adcs-issuer
type: Opaque
data:
  password: REDACTED
  username: REDACTED

Main error: <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>\r\n <h3>You do not have permission to view this directory or page using the credentials that you

Error from pod logs:

ts=2024-06-27T16:00:49.781062623Z level=info logger=controllers.ClusterAdcsIssuer msg="Registered cluster issuer" clusteradcsissuer="{adcs-cluster-issuer }"
ts=2024-06-27T16:00:49.781088024Z level=error msg="Reconciler error" controller=adcsrequest controllerGroup=adcs.certmanager.csf.nokia.com controllerKind=AdcsRequest AdcsRequest="{adcs-sim-certificate-z2l9f adcs-issuer}" namespace=adcs-issuer name=adcs-sim-certificate-z2l9f reconcileID=59e0091d-605b-49e9-aadd-d66c0452d557 error="ClusterAdcsIssuer.adcs.certmanager.csf.nokia.com \"adcs-sim-adcsclusterissuer\" not found" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"
ts=2024-06-27T16:00:49.781280383Z level=info msg="Processing request" controller=adcsrequest controllerGroup=adcs.certmanager.csf.nokia.com controllerKind=AdcsRequest AdcsRequest="{keycloak-tls-certificate-6klkq auth}" namespace=auth name=keycloak-tls-certificate-6klkq reconcileID=09da7549-0f3b-4805-9e19-34f520828461 adcsrequest="{keycloak-tls-certificate-6klkq auth}"
ts=2024-06-27T16:00:50.482836767Z level=info logger=RequestCertificate msg="Starting certificate request" template=adcstemplate url=https://<redacted>/certsrv/certfnsh.asp
ts=2024-06-27T16:00:51.098339949Z level=info logger=RequestCertificate msg=Body template=adcstemplate body=<redacted>
ts=2024-06-27T16:00:51.098418181Z level=error logger=RequestCertificate msg="Couldn't obtain new certificate ID" template=adcstemplate body="<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\"/>\r\n<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>\r\n<style type=\"text/css\">\r\n<!--\r\nbody{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\r\nfieldset{padding:0 15px 10px 15px;} \r\nh1{font-size:2.4em;margin:0;color:#FFF;}\r\nh2{font-size:1.7em;margin:0;color:#CC0000;} \r\nh3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} \r\n#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:\"trebuchet MS\", Verdana, sans-serif;color:#FFF;\r\nbackground-color:#555555;}\r\n#content{margin:0 0 0 2%;position:relative;}\r\n.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}\r\n-->\r\n</style>\r\n</head>\r\n<body>\r\n<div id=\"header\"><h1>Server Error</h1></div>\r\n<div id=\"content\">\r\n <div class=\"content-container\"><fieldset>\r\n <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>\r\n <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>\r\n </fieldset></div>\r\n</div>\r\n</body>\r\n</html>\r\n" error="Unknown error occured" stacktrace="github.com/nokia/adcs-issuer/adcs.(*NtlmCertsrv).RequestCertificate\n\t/workspace/adcs/ntlm_certsrv.go:312\ngithub.com/nokia/adcs-issuer/issuers.(*Issuer).Issue\n\t/workspace/issuers/issuer.go:57\ngithub.com/nokia/adcs-issuer/controllers.(*AdcsRequestReconciler).Reconcile\n\t/workspace/controllers/adcsrequest_controller.go:83\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"
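To make the two 4625 events in this report easier to triage, here is a small parser, added as an example and not part of the issue or of adcs-issuer, that pulls out the identity the domain controller actually saw and decodes the Status/Sub Status pair. The two sample events are the ones quoted above (line breaks lost as pasted), and the Sub Status meanings are taken from Microsoft's documentation of event 4625.

```python
import re

# Two Windows 4625 events copied from the issue text above, line breaks lost
# exactly as pasted; LOG2 differs only in the identity and source port.
LOG1 = ("An account failed to log on. Subject: Security ID: NULL SID Account Name: - "
        "Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: "
        "Security ID: NULL SID Account Name: account@domain Account Domain: "
        "Failure Information: Failure Reason: Unknown user name or bad password. "
        "Status: 0xC000006D Sub Status: 0xC0000064 Process Information: "
        "Caller Process ID: 0x0 Caller Process Name: - Network Information: "
        "Workstation Name: - Source Network Address: 1.2.3.4 Source Port: 29590 "
        "Detailed Authentication Information: Logon Process: NtLmSsp "
        "Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - "
        "Key Length: 0")
LOG2 = LOG1.replace("Account Name: account@domain Account Domain: ",
                    "Account Name: username Account Domain: domain ").replace("29590", "63290")

# 4625 Sub Status meanings from Microsoft's event documentation (subset).
SUB_STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name correct but password wrong",
    0xC0000234: "account locked out",
}

def parse_4625(text: str) -> dict:
    """Extract the failing identity, result codes and auth package from a
    4625 event whose line breaks were lost."""
    # The event names two identities: the Subject that requested the logon
    # and the account the logon was attempted for; we want the second.
    failed = text.partition("Account For Which Logon Failed:")[2]
    ident = re.search(r"Account Name:\s*(?P<user>\S*)\s*Account Domain:\s*"
                      r"(?P<domain>.*?)\s*Failure Information:", failed)
    codes = re.search(r"Status:\s*(0x[0-9A-Fa-f]+)\s*Sub Status:\s*(0x[0-9A-Fa-f]+)", text)
    pkg = re.search(r"Authentication Package:\s*(\S+)", text)
    if not (ident and codes and pkg):
        raise ValueError("not a recognisable 4625 event")
    sub = int(codes.group(2), 16)
    return {"user": ident["user"], "domain": ident["domain"],
            "status": int(codes.group(1), 16), "sub_status": sub,
            "package": pkg.group(1),
            "reason": SUB_STATUS.get(sub, "unlisted sub status")}

def explain(event: dict) -> str:
    """One-line triage summary: the identity the DC saw and why it was refused."""
    who = f"{event['domain']}\\{event['user']}" if event["domain"] else event["user"]
    note = " (UPN passed as bare user name, domain field empty)" \
        if "@" in event["user"] and not event["domain"] else ""
    return f"{event['package']} logon for {who!r}{note}: {event['reason']}"
```

Running `explain(parse_4625(LOG1))` and `explain(parse_4625(LOG2))` shows both attempts reached the DC over NTLM and were refused as an unknown user name rather than a bad password, and that in the UPN attempt the domain field arrived empty.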

djkormo commented 2 days ago

Would you like to add, via the ClusterAdcsIssuer or AdcsIssuer configuration, an option to log in to ADCS without using NTLM?