Wazuh Dashboard: bootstrap.js 401 Unauthorized


Michael

Oct 24, 2022, 3:24:57 AM10/24/22
to Wazuh mailing list

Hello everyone,

I installed a distributed Wazuh environment and everything is running as expected, except the dashboard.

I can log in with my Active Directory credentials, but the dashboard stays blank.

Looking at my browser's developer tools, I can see that bootstrap.js cannot be loaded because the request returns a 401.

When I am logged in as an internal user, the dashboard works as expected.

Accessing the URL <dashboard-server>/bootstrap.js directly even works when I am not logged in at all, but as an Active Directory user I get a 401.

As mentioned above, authentication and authorization work: I can log in but get a blank page, and `_plugins/_security/authinfo?pretty` for my AD user shows that the user is mapped to `all_access` through the Wazuh admins backend role (output redacted):

{
  "user" : "User [name=XXXXX, backend_roles=[XXXXX, user_wazuh-admins_gl], requestedTenant=null]",
  "user_name" : "XXXXXX",
  "user_requested_tenant" : null,
  "remote_address" : "X.X.X.X:58944",
  "backend_roles" : [
    "XXXXX",
    "user_wazuh-admins_gl"
  ],
  "custom_attribute_names" : [
    "attr.ldap.msTSExpireDate",
    "attr.ldap.logonCount",
    "attr.ldap.lastLogon",
    "attr.ldap.postalCode",
    "attr.ldap.badPwdCount",
    "attr.ldap.userAccountControl",
    "attr.ldap.whenCreated",
    "ldap.original.username",
    "attr.ldap.physicalDeliveryOfficeName",
    "attr.ldap.lastLogoff",
    "attr.ldap.mSMQDigests",
    "attr.ldap.l",
    "attr.ldap.sAMAccountName",
    "attr.ldap.userPrincipalName",
    "attr.ldap.facsimileTelephoneNumber",
    "attr.ldap.whenChanged",
    "attr.ldap.msRASSavedFramedIPAddress",
    "attr.ldap.employeeNumber",
    "attr.ldap.displayName",
    "attr.ldap.objectSid",
    "attr.ldap.codePage",
    "attr.ldap.adminCount",
    "attr.ldap.msRADIUSFramedIPAddress",
    "attr.ldap.mail",
    "attr.ldap.lastLogonTimestamp",
    "attr.ldap.primaryGroupID",
    "attr.ldap.objectGUID",
    "attr.ldap.msTSLicenseVersion3",
    "attr.ldap.msTSLicenseVersion2",
    "attr.ldap.countryCode",
    "attr.ldap.department",
    "attr.ldap.instanceType",
    "attr.ldap.telephoneNumber",
    "attr.ldap.msTSManagingLS",
    "attr.ldap.employeeID",
    "attr.ldap.objectClass",
    "attr.ldap.givenName",
    "ldap.dn",
    "attr.ldap.sAMAccountType",
    "attr.ldap.cn",
    "attr.ldap.accountExpires",
    "attr.ldap.dSCorePropagationData",
    "attr.ldap.initials",
    "attr.ldap.name",
    "attr.ldap.uSNCreated",
    "attr.ldap.otherMailbox",
    "attr.ldap.uSNChanged",
    "attr.ldap.msDS-SupportedEncryptionTypes",
    "attr.ldap.streetAddress",
    "attr.ldap.pwdLastSet",
    "attr.ldap.sn",
    "attr.ldap.mobile",
    "attr.ldap.msTSLicenseVersion",
    "attr.ldap.st"
  ],
  "roles" : [
    "own_index",
    "all_access"
  ],
  "tenants" : {
    "global_tenant" : true,
    "admin_tenant" : true,
    "XXXX" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

Here is the dashboards log when I log in as an AD user:

Oct 24 09:20:05 XXXX opensearch-dashboards[209338]: {"type":"log","@timestamp":"2022-10-24T07:20:05Z","tags":["info","branding"],"pid":209338,"message":"logo default config is not found or invalid."}
Oct 24 09:20:05 XXXX opensearch-dashboards[209338]: {"type":"log","@timestamp":"2022-10-24T07:20:05Z","tags":["info","branding"],"pid":209338,"message":"mark default config is not found or invalid."}
Oct 24 09:20:05 XXXX opensearch-dashboards[209338]: {"type":"log","@timestamp":"2022-10-24T07:20:05Z","tags":["info","branding"],"pid":209338,"message":"loadingLogo default config is not found or invalid."}
Oct 24 09:20:05 XXXX opensearch-dashboards[209338]: {"type":"log","@timestamp":"2022-10-24T07:20:05Z","tags":["info","branding"],"pid":209338,"message":"favicon config is not found or invalid."}
Oct 24 09:20:05 XXXX opensearch-dashboards[209338]: {"type":"response","@timestamp":"2022-10-24T07:20:05Z","tags":[],"pid":209338,"method":"get","statusCode":200,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"XXXX.","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"de-DE,de;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://XXXX./app/login?nextUrl=%2F","dnt":"1","connection":"keep-alive","upgrade-insecure-requests":"1","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-origin","sec-fetch-user":"?1","cache-control":"max-age=0"},"remoteAddress":"XXXXX","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0","referer":"https://XXXX./app/login?nextUrl=%2F"},"res":{"statusCode":200,"responseTime":24,"contentLength":9},"message":"GET /app/wazuh 200 24ms - 9.0B"}
Oct 24 09:20:05 XXXX opensearch-dashboards[209338]: {"type":"log","@timestamp":"2022-10-24T07:20:05Z","tags":["error","opensearch","data"],"pid":209338,"message":"[ResponseError]: Response Error"}
Oct 24 09:20:05 XXXX opensearch-dashboards[209338]: {"type":"response","@timestamp":"2022-10-24T07:20:05Z","tags":["api"],"pid":209338,"method":"get","statusCode":401,"req":{"url":"/bootstrap.js","method":"get","headers":{"host":"XXXX.","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0","accept":"*/*","accept-language":"de-DE,de;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://XXXX./app/wazuh","dnt":"1","connection":"keep-alive","sec-fetch-dest":"script","sec-fetch-mode":"no-cors","sec-fetch-site":"same-origin","cache-control":"max-age=0"},"remoteAddress":"XXXXX","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0","referer":"https://XXXX./app/wazuh"},"res":{"statusCode":401,"responseTime":16,"contentLength":9},"message":"GET /bootstrap.js 401 16ms - 9.0B"}

I hope you have more ideas than I do, because at the moment I have run out.

Thanks for any help.


Regards
Michael

Michael

Oct 24, 2022, 4:25:39 AM10/24/22
to Wazuh mailing list
I forgot to mention that wazuh-indexer, wazuh-manager and wazuh-dashboard were installed via apt; the version is 4.3.9.

Carlos Ezequiel Bordon

Dec 1, 2022, 9:50:05 AM12/1/22
to Wazuh mailing list
Hello Michael, it may be that the permissions and roles for users coming from Active Directory have not been applied yet. Here is our documentation on roles so you can configure them: https://documentation.wazuh.com/current/cloud-service/your-environment/manage-auth.html (Note that your authinfo output already lists `all_access`, so if the role mapping below is already in place, the 401 is more likely coming from the dashboard side than from missing indexer permissions.)

Here you have some tips to achieve what you need:

AD/LDAP Server Configuration

In this step you need to create users and groups, and obtain some information from your AD/LDAP server:
  • Create an OU for the Users (or use an already created). Get the DN of the OU, in our example: OU=USERS,OU=WAZUH,DC=wazuh,DC=local
  • Create an OU for the Group(s) (or use an already created). Get the DN of the OU, in our example: OU=WAZUH,DC=wazuh,DC=local
  • Create a dedicated service account for the bind. A read-only account that can search the user and group OUs is sufficient; do not reuse a privileged (e.g. Domain Admin) account, because its password will be stored in the indexer configuration. Get the DN of the user, in our example: CN=OpenDistro User,OU=USERS,OU=WAZUH,DC=wazuh,DC=local
  • Create a group where the users with access to Wazuh will be placed, in our example: Wazuh_Admins
Get the IP address of the Domain Controller, in our example: 10.10.10.140 (prefer its FQDN if you plan to enable TLS with hostname verification, since the name must match the DC certificate).

Wazuh indexer Configuration

In Wazuh indexer, edit the file /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml and place the information gathered above in the `authc` and `authz` sections:
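authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      # This domain (order 0) sends the WWW-Authenticate challenge.
      challenge: true
    authentication_backend:
      type: intern
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      # Leave false: the internal domain above already challenges the
      # client; this domain only consumes the credentials it forwards.
      challenge: false
    authentication_backend:
      type: ldap
      config:
        # Plain LDAP on 389 sends the bind password AND every user's
        # password in cleartext. Use LDAPS (636). If the DC has no LDAPS
        # certificate yet, keep 389 and set enable_start_tls: true instead.
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        # Keep true: without hostname verification any server presenting a
        # trusted certificate can impersonate the DC and harvest passwords.
        verify_hostnames: true
        # If the DC certificate comes from an internal CA, point the plugin
        # at that CA bundle, e.g.:
        # pemtrustedcas_filepath: /etc/wazuh-indexer/certs/ad-ca.pem
        hosts:
          - "10.10.10.140:636"
        # Read-only service account; it only needs to search the user and
        # group OUs.
        bind_dn: CN=OpenDistro User,OU=USERS,OU=WAZUH,DC=wazuh,DC=local
        # Same secret as in the authz block below. Keep this file out of
        # version control and readable only by the wazuh-indexer user.
        password: "<bind-password>"
        userbase: OU=USERS,OU=WAZUH,DC=wazuh,DC=local
        # {0} is replaced with the login name the user typed.
        usersearch: (sAMAccountName={0})
        username_attribute: cn
        # NOTE(review): the authinfo output earlier in this thread shows
        # ~50 attr.ldap.* custom attributes attached to the AD user. The
        # backend can restrict which directory attributes are pulled in,
        # e.g.
        # custom_attr_whitelist:
        #   - sAMAccountName
        #   - mail
        # Worth trying if only LDAP users see odd dashboard behaviour.
authz:
  ldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        # TLS settings must match the authc block above; the same
        # cleartext-credential concern applies here.
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "10.10.10.140:636"
        bind_dn: CN=OpenDistro User,OU=USERS,OU=WAZUH,DC=wazuh,DC=local
        password: "<bind-password>"
        # Subtree that is searched for groups.
        rolebase: OU=WAZUH,DC=wazuh,DC=local
        rolesearch_enabled: true
        # {0} is the authenticated user's DN; every group listing it as a
        # member becomes one of the user's backend roles.
        rolesearch: (member={0})
        userroleattribute: null
        userrolename: none
        # The group's cn is the backend_roles value you reference in
        # roles_mapping.yml (it must match exactly).
        rolename: cn
        # Also follow groups-of-groups. Fine for small trees; if logins
        # become slow on a large forest, consider disabling this.
        resolve_nested_roles: true
        userbase: OU=USERS,OU=WAZUH,DC=wazuh,DC=local
        usersearch: (sAMAccountName={0})
        # Internal/service accounts never hit the directory.
        skip_users:
          - kibanaserver
          - admin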

Then map the Wazuh indexer role to the AD/LDAP group you created (the group's cn arrives as a backend role), by editing the file /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml:
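# all_access is full cluster and security-plugin admin. Only map the AD
# group that genuinely needs that here; give day-to-day analysts a
# narrower role (e.g. a read-only mapping) instead.
all_access:
  reserved: false
  backend_roles:
    - "admin"
    # cn of the AD group, resolved by authz.ldap (rolename: cn). The value
    # must match the group name exactly.
    - "Wazuh_Admins"
  description: "Maps admin to all_access"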

Finally, to apply this configuration, run the indexer-security-init.sh script. It uploads the whole securityconfig directory, so make sure the other files in that directory (internal_users.yml, roles.yml, ...) also reflect your current state, or changes made only through the security API will be overwritten:
/usr/share/wazuh-indexer/bin/indexer-security-init.sh

You can find some extra information here https://opensearch.org/docs/1.2/security-plugin/configuration/ldap/ and a little guide on how to do this here https://github.com/wazuh/wazuh-documentation/issues/2983