Splunk Cloud Platform

Securing Splunk Cloud Platform

Troubleshoot token authentication

If a token fails authentication for any reason, the Splunk platform writes a message to splunkd.log with additional information. As a Splunk administrator, you can read this log file to get information on why authentication with the token failed.

For additional information, you can enable debug logging on Splunk Enterprise instances only. Splunk Enterprise writes information about token authentication using the JsonWebTokenHandler tag. See Enable debug logging for instructions. After you have enabled debug logging, look for this tag when you review logs for information on problems that occur with token authentication.

Common problems for token authentication

Following are a list of common problems that can occur with token authentication.

Splunk platform instance displays "Token authentication is disabled"

If you receive this error message, either in Splunk Web or through a REST command, it means that you have not enabled token authentication.

cURL command returns "call not properly authenticated"

This message means that authentication to the Splunk platform instance with the token you presented was not successful.

  • Confirm that the token is enabled. If it is not, and it has not yet expired, enable it if you have permission, or contact your administrator.
  • Confirm that the token is valid and has not expired. If it has expired, create a new one if you have permission, or contact your administrator. You cannot extend token validity.
  • Confirm that the "Not before" validity time for the token has passed. If it hasn't, either wait or create a new token if you have permission.
  • Confirm that the token has not been deleted. If it has, create a new one if you have permission.
  • Confirm that the account that is associated with the token exists. If it doesn't, create one, then create a new token and assign that user to the token, if you have permission.
  • Confirm that you use the full token as it was generated. If you don't have the full token, request or create a new one, if you have permission.
  • Confirm that you are using a token on the same Splunk platform instance where it was issued.
  • If your Splunk platform instance uses an LDAP server for authentication, confirm that the user exists and is not disabled on LDAP server.
  • If your Splunk instance uses an LDAP server for authentication, confirm that the instance can connect to the LDAP server.

Error received "KV store not ready"

This message means that app key value store (KV store) has not been enabled. Enable KV store if you have permission, or contact your administrator.

Last modified on 22 October, 2021
Use authentication tokens   SPL safeguards for risky commands

This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2203, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters