Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

Download topic as PDF

Troubleshoot token authentication

If a token fails authentication for any reason, Splunk Enterprise writes a message to splunkd.log with additional information. As a Splunk administrator, you can read this log file to get information on why authentication with the token failed.

For additional information, you can enable debug logging. Splunk Enterprise writes information about token authentication using the JsonWebTokenHandler tag. See Enable debug logging for instructions. After you have enabled debug logging, look for this tag when you review logs for information on problems that occur with token authentication.

Common problems for token authentication

Following are a list of common problems that can occur with token authentication.

Splunk instance displays "Token authentication is disabled"

If you receive this error message, either in Splunk Web or through a REST command, it means that you have not enabled token authentication.

cURL command returns "call not properly authenticated"

This message means that authentication to the Splunk platform instance with the token you presented was not successful.

  • Confirm that the token is enabled. If it is not, and it has not yet expired, enable it if you have permission, or contact your administrator.
  • Confirm that the token is valid and has not expired. If it has expired, create a new one if you have permission, or contact your administrator. You cannot extend token validity.
  • Confirm that the "Not before" validity time for the token has passed. If it hasn't, either wait or create a new token if you have permission.
  • Confirm that the token has not been deleted. If it has, create a new one if you have permission.
  • Confirm that the account that is associated with the token exists. If it doesn't, create one, then create a new token and assign that user to the token, if you have permission.
  • Confirm that you use the full token as it was generated. If you don't have the full token, request or create a new one, if you have permission.
  • Confirm that you are using a token on the same Splunk platform instance where it was issued.
  • If your Splunk platform instance uses an LDAP server for authentication, confirm that the user exists and is not disabled on LDAP server.
  • If your Splunk instance uses an LDAP server for authentication, confirm that the instance can connect to the LDAP server.

Error received "KV store not ready"

This message means that app key value store (KV store) has not been enabled. Enable KV store if you have permission, or contact your administrator.

PREVIOUS
Use authentication tokens
  NEXT
Set up user authentication with LDAP

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters