Entra mfa/sso configuration

20 views
Skip to first unread message

dwight c

unread,
Feb 20, 2026, 1:13:18 AM (4 days ago) Feb 20
to Wazuh | Mailing List
I feel like i'm really close on fixing it. but i keep getting :
{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}
on the final step need help troubleshooting 

systemctl status wazuh-manager
systemctl status wazuh-indexer
systemctl status wazuh-dashboard
systemctl status filebeat
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: disabled)
     Active: active (running) since Thu 2026-02-19 23:03:58 UTC; 7min ago
    Process: 720847 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 358 (limit: 410999)
     Memory: 6.7G (peak: 6.8G)
        CPU: 53.759s
     CGroup: /system.slice/wazuh-manager.service
             ├─721004 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─721005 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─721006 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─721009 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─721012 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─721058 /var/ossec/bin/wazuh-authd
             ├─721071 /var/ossec/bin/wazuh-db
             ├─721118 /var/ossec/bin/wazuh-execd
             ├─721130 /var/ossec/bin/wazuh-analysisd
             ├─721140 /var/ossec/bin/wazuh-syscheckd
             ├─721154 /var/ossec/bin/wazuh-remoted
             ├─721354 /var/ossec/bin/wazuh-logcollector
             ├─721371 /var/ossec/bin/wazuh-monitord
             └─721381 /var/ossec/bin/wazuh-modulesd

Feb 19 23:03:55 #### env[720847]: Started wazuh-syscheckd...
Feb 19 23:03:56 #### env[720847]: Started wazuh-remoted...
Feb 19 23:03:56 #### env[720847]: Started wazuh-logcollector...
Feb 19 23:03:56 #### env[720847]: Started wazuh-monitord...
Feb 19 23:03:56 #### env[721379]: 2026/02/19 23:03:56 wazuh-modulesd:router: INFO: Loaded router module.
Feb 19 23:03:56 #### env[721379]: 2026/02/19 23:03:56 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Feb 19 23:03:56 #### env[721379]: 2026/02/19 23:03:56 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
Feb 19 23:03:56 #### env[720847]: Started wazuh-modulesd...
Feb 19 23:03:58 #### env[720847]: Completed.
Feb 19 23:03:58 #### systemd[1]: Started Wazuh manager.
● wazuh-indexer.service - wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
     Active: active (running) since Thu 2026-02-19 23:04:02 UTC; 7min ago
       Docs: https://documentation.wazuh.com
   Main PID: 720660 (java)
      Tasks: 166 (limit: 410999)
     Memory: 1.7G (peak: 1.8G)
        CPU: 1min 38.552s
     CGroup: /system.slice/wazuh-indexer.service
             └─720660 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.en>

Feb 19 23:03:52 #### systemd-entrypoint[720660]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.3.jar)
Feb 19 23:03:52 #### systemd-entrypoint[720660]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Feb 19 23:03:52 #### systemd-entrypoint[720660]: WARNING: System::setSecurityManager will be removed in a future release
Feb 19 23:03:52 #### systemd-entrypoint[720660]: Feb 19, 2026 11:03:52 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
Feb 19 23:03:52 #### systemd-entrypoint[720660]: WARNING: COMPAT locale provider will be removed in a future release
Feb 19 23:03:53 #### systemd-entrypoint[720660]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 19 23:03:53 #### systemd-entrypoint[720660]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.3.jar)
Feb 19 23:03:53 #### systemd-entrypoint[720660]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 19 23:03:53 #### systemd-entrypoint[720660]: WARNING: System::setSecurityManager will be removed in a future release
Feb 19 23:04:02 #### systemd[1]: Started wazuh-indexer.

● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; preset: disabled)
     Active: active (running) since Thu 2026-02-19 23:03:50 UTC; 8min ago
   Main PID: 720661 (node)
      Tasks: 11 (limit: 410999)
     Memory: 190.8M (peak: 236.4M)
        CPU: 8.075s
     CGroup: /system.slice/wazuh-dashboard.service
             └─720661 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Feb 19 23:11:59 #### opensearch-dashboards[720661]: {"type":"ops","@timestamp":"2026-02-19T23:11:59Z","tags":[],"pid":720661,"os":{"load":[0.03,0.34,0.28],"mem":{"total":67418681344,"free":59232260096},"uptime":>
Feb 19 23:11:59 #### opensearch-dashboards[720661]: {"type":"log","@timestamp":"2026-02-19T23:11:59Z","tags":["debug","metrics"],"pid":720661,"message":"Refreshing metrics"}
Feb 19 23:12:04 #### opensearch-dashboards[720661]: {"type":"ops","@timestamp":"2026-02-19T23:12:04Z","tags":[],"pid":720661,"os":{"load":[0.03,0.33,0.28],"mem":{"total":67418681344,"free":59235434496},"uptime":>
Feb 19 23:12:04 #### opensearch-dashboards[720661]: {"type":"log","@timestamp":"2026-02-19T23:12:04Z","tags":["debug","metrics"],"pid":720661,"message":"Refreshing metrics"}
Feb 19 23:12:09 #### opensearch-dashboards[720661]: {"type":"ops","@timestamp":"2026-02-19T23:12:09Z","tags":[],"pid":720661,"os":{"load":[0.02,0.32,0.28],"mem":{"total":67418681344,"free":59239899136},"uptime":>
Feb 19 23:12:09 #### opensearch-dashboards[720661]: {"type":"log","@timestamp":"2026-02-19T23:12:09Z","tags":["debug","metrics"],"pid":720661,"message":"Refreshing metrics"}
Feb 19 23:12:14 #### opensearch-dashboards[720661]: {"type":"ops","@timestamp":"2026-02-19T23:12:14Z","tags":[],"pid":720661,"os":{"load":[0.02,0.32,0.28],"mem":{"total":67418681344,"free":59244326912},"uptime":>
Feb 19 23:12:14 #### opensearch-dashboards[720661]: {"type":"log","@timestamp":"2026-02-19T23:12:14Z","tags":["debug","metrics"],"pid":720661,"message":"Refreshing metrics"}
Feb 19 23:12:19 #### opensearch-dashboards[720661]: {"type":"ops","@timestamp":"2026-02-19T23:12:19Z","tags":[],"pid":720661,"os":{"load":[0.02,0.31,0.28],"mem":{"total":67418681344,"free":59247038464},"uptime":>
Feb 19 23:12:19 #### opensearch-dashboards[720661]: {"type":"log","@timestamp":"2026-02-19T23:12:19Z","tags":["debug","metrics"],"pid":720661,"message":"Refreshing metrics"}

● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: disabled)
     Active: active (running) since Wed 2025-11-26 16:32:45 UTC; 2 months 24 days ago
       Docs: https://www.elastic.co/products/beats/filebeat
   Main PID: 86749 (filebeat)
      Tasks: 23 (limit: 410999)
     Memory: 39.6M (peak: 41.7M)
        CPU: 11min 30.016s
     CGroup: /system.slice/filebeat.service
             └─86749 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

Nikhil Gurjar

unread,
Feb 20, 2026, 6:06:02 AM (4 days ago) Feb 20
to Wazuh | Mailing List
Hi  dwight c,

Just to confirm—are you seeing the status 500, Internal Server Error after the Microsoft Entra ID login page?

If yes, this typically indicates that the Redirect URL is not configured correctly in Entra ID. Additionally, please check your config.yml file to ensure the Kibana URL path is correctly configured.

To help us investigate further, could you please share the relevant logs from your environment using the commands below: (Reference documentation: https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/microsoft-entra-id.html)

journalctl -u wazuh-dashboard | grep -iE 'err|warn|fail'
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE 'err|warn|fail'

Looking forward to your update.

Best regards,
Nikhil

dwight c

unread,
Feb 20, 2026, 8:49:18 AM (4 days ago) Feb 20
to Wazuh | Mailing List
I got it to work. The issue was in the Config file, I was missing  authentication_backend: type: noop under the saml_auth_domain section 

Nikhil Gurjar

unread,
Feb 22, 2026, 11:33:47 PM (2 days ago) Feb 22
to Wazuh | Mailing List
Hi  dwight c,

Glad to hear that it is working as expected. Please don't hesitate to contact us if you've encountered any other issues.

Best regards,
Nikhil
Reply all
Reply to author
Forward
0 new messages