Skip to main content
Skip table of contents

Configure Windows Authentication for the SOAP API

  1. Create a domain service account.

    The IIS application pool for the LogRhythm SOAP API must be granted permissions in the LogRhythm databases to validate the Windows user’s permissions. The preferred method is to create a domain account for this purpose in Active Directory. Alternatively, you can use the default IIS ApplicationPoolIdentity and grant the web server services (<domain>\<hostname>$) permission in the databases, but this is not as secure.

  2. Enable Kerberos delegation in Active Directory.
    1. Using the Active Directory Users and Computers snap-in, find the web server’s computer account.
    2. Open the properties for the Computer and click the Delegation tab.
    3. Select Trust this computer for delegation to any service (Kerberos only).
    4. If you want to use constrained delegation (the “specified services only” option), first complete this setup and verify Kerberos authentication is working correctly from a client application. Then reconfigure Delegation with a restricted set of services.
  3. Configure the IIS Application Pool to use the new domain service account.
    1. On the LogRhythm SOAP API server, open the Internet Information Services (IIS) Manager.
    2. Select Application Pools.
    3. Open the Advanced Settings for the LogRhythmAppPool.
    4. Open the Identity dialog. Select Custom Account and enter the account name and password for the service account.
  4. Verify Windows Authentication is enabled in IIS.
    1. On the LogRhythm SOAP API server, open the Internet Information Services (IIS) Manager.
    2. Select the LogRhythm Web Site.
    3. In the Features view, open Authentication.Anonymous Authentication, Basic Authentication, and Windows Authentication should be enabled. Other methods should be disabled.
    4. Select Windows Authentication, and then select Providers. Negotiate should be at the top of the list.
    5. Select Windows Authentication and then select Advanced Settings. Enable Kernel-mode authentication should be selected.
  5. Configure SQL Server for Kerberos authentication.
    1. On each LogRhythm XM, PM or DPX, run SQL Server Configuration Manager.
    2. Select SQL Server Services.
    3. For the SQL Server service, note the service account listed under Log On As.
    4. Do one of the following:
      • If the SQL Server service account is NT AUTHORITY\LOCALSERVICE, configure it to use NT AUTHORITY\NETWORKSERVICE.

        A database restart is required. Shut down all LogRhythm services before you restart the database.

      • If the SQL Server service account is LocalSystem or NT AUTHORITY\NETWORKSERVICE (preferred), then the Kerberos Service Principal Names (SPN) should be registered automatically when SQL Server starts.
      • If the SQL Server service account is a domain account, then the Service Principal Names must be registered manually. As a domain administrator, execute the following commands for each XM, PM, or DPX.

        The SPN values need to be registered for each LogRhythm appliance your application may be querying. Alternatively, you can also run the SQL Server Service on each LogRhythm appliance with the SPN <sql service account>.
        setspn -S MSSQLSvc/<fully qualified domain name>:1433 <domain>\<sql service account>
        setspn -S MSSQLSvc /<host name>:1433 <domain>\<sql service account>

  6. Grant the web server service account permissions in the LogRhythmEMDB.
    1. On the LogRhythm XM or PM, run SQL Server Management Studio.
    2. Open server / Security / Logins and create a New Login.
    3. Enter or select the web server service account created in Step 1.
    4. On the User Mapping page, select the LogRhythmEMDB and select the LogRhythmRestrictedAnalyst role.
  7. Configure the client.
    1. The Windows Communication Foundation (WCF) client application must be configured to enable delegation of credentials.
    2. In the client’s web.config, define an endpoint behavior for all the service references that use Windows Authentication and add the following behavior for delegation.
      <behaviors>
      <endpointBehaviors>
      <behavior name ="DelegateBehavior">
      <clientCredentials>
      <windows allowedImpersonationLevel ="Delegation"/>
      </clientCredentials>
      </behavior>
      </endpointBehaviors>
      </behaviors>

      <client>
      <endpoint
      address="https://webserver/LogRhythm.API/Services/LogQueryServiceWindowsAuth.svc"
      binding="basicHttpBinding"
      bindingConfiguration="LogQueryServiceWindowsAuth_LogQueryService"
      contract="LogQueryService.LogQueryService"
      name="LogQueryServiceWindowsAuth_LogQueryService"
      behaviorConfiguration="DelegateBehavior"/>
      </client>
    3. You can also specify the delegation in your .NET client code, following the instantiation of the LogRhythm service you are using:
      <LogRhythmClient>.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;

If you did not already complete the following two steps when you installed the SOAP API, you must do so now.

Configure the IIS Application Pool to Use the Service Account

Initialize Users in the Web Configuration

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close