
UsernameNotFoundException when ActiveDirectory used for API and token authentication

      When a valid username and api-token are used from the Jenkins Python API, the Jenkins server (version 1.582) returns an exception (see stack trace below).

      Note: When active-directory is not used, the Jenkins API authentication works (tested on Jenkins 1.554.2).

      ----- exception stack trace
      javax.servlet.ServletException: org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for ci_dev_test
      at jenkins.security.BasicHeaderApiTokenAuthenticator.authenticate(BasicHeaderApiTokenAuthenticator.java:36)
      at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:72)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      at org.eclipse.jetty.server.Server.handle(Server.java:370)
      at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
      at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
      at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
      at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
      at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:745)
      Caused by: org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for ci_dev_test
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:273)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:196)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140)
      at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:30)
      at jenkins.security.ImpersonatingUserDetailsService.loadUserByUsername(ImpersonatingUserDetailsService.java:32)
      at hudson.model.User.impersonate(User.java:282)
      at jenkins.security.BasicHeaderApiTokenAuthenticator.authenticate(BasicHeaderApiTokenAuthenticator.java:31)
      ... 35 more

      Help us localize this page
      Page generated: 1-Oct-2014 5:11:08 PM REST API Jenkins ver. 1.582
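An added example, not part of the original report and not Jenkins code: a small Python triage of the stack trace above. It parses the exception chain and reports the affected user, the frame that threw the root cause, and whether the user lookup was reached from the API-token authenticator. The sample trace is a shortened, constructed copy of the one in the report, and the function names `parse_chain` and `triage` are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the trace in the report above.
SAMPLE_TRACE = """\
javax.servlet.ServletException: org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for ci_dev_test
    at jenkins.security.BasicHeaderApiTokenAuthenticator.authenticate(BasicHeaderApiTokenAuthenticator.java:36)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:72)
Caused by: org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for ci_dev_test
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:273)
    at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:30)
    at jenkins.security.ImpersonatingUserDetailsService.loadUserByUsername(ImpersonatingUserDetailsService.java:32)
    at hudson.model.User.impersonate(User.java:282)
    at jenkins.security.BasicHeaderApiTokenAuthenticator.authenticate(BasicHeaderApiTokenAuthenticator.java:31)
    ... 35 more
"""

FRAME = re.compile(r"^\s*at ([\w.$]+)\.([\w$<>]+)\(")
HEAD = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error)): (.*)$")
USER_MSG = re.compile(r"cannot locate the user information for (\S+)")
TOKEN_AUTH = "jenkins.security.BasicHeaderApiTokenAuthenticator."
AD_PLUGIN = "hudson.plugins.active_directory."

def parse_chain(trace):
    """Return [(exception_class, message, [frames])], outermost exception first."""
    chain = []
    for line in trace.splitlines():
        frame = FRAME.match(line)
        if frame and chain:
            chain[-1][2].append(f"{frame.group(1)}.{frame.group(2)}")
            continue
        head = HEAD.match(line.strip())
        if head:
            chain.append((head.group(1), head.group(2), []))
    return chain

def triage(trace):
    """Summarise the root cause (last entry of the chain) of a Jenkins auth trace."""
    chain = parse_chain(trace)
    if not chain:
        return None
    cls, message, frames = chain[-1]
    user = USER_MSG.search(message)
    return {
        "root_cause": cls.rsplit(".", 1)[-1],
        "user": user.group(1) if user else None,
        "thrown_by": frames[0] if frames else None,
        # The lookup was entered from the API-token authenticator via User.impersonate.
        "via_api_token": any(f.startswith(TOKEN_AUTH) for f in frames)
                         and "hudson.model.User.impersonate" in frames,
        "in_ad_plugin": bool(frames) and frames[0].startswith(AD_PLUGIN),
    }
```

For the trace in this report, the result separates "the request came in with an API token" from "the Active Directory plugin could not load the user record", which is the distinction the later comments try to establish by hand.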

          [JENKINS-24958] UsernameNotFoundException when ActiveDirectory used for API and token authentication

          Daniel Beck added a comment -

          Resolving as incomplete as requested additional information has not been provided in months.

          Keith Davis added a comment -

          I'm having this same problem. What info exactly do you need?

          Daniel Beck added a comment -

          See first comment.

          Keith Davis added a comment -

          I just realized that the submitter was using the Jenkins Python API. I'm using PHP and cURL. Seems like the same issue though. Basically the same setup as Felix.

          <?php
          	$curl = curl_init("http://jenkinserver/job/myjob/config.xml");
          
          	curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
          	curl_setopt($curl, CURLOPT_USERPWD, "username:apiToken");
          	curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
          
          	$sOutput = curl_exec($curl);
          
          	echo $sOutput ?: curl_error($curl);
          
          	curl_close($curl);
          ?>
          

          How is Active Directory configured?

          Not sure what you mean by this question. I thought there was no configuration for this machine, since it is joined to a domain.

          What version of the plugin are you using?

          1.39

          (Are both instances using the same plugin version? What happens when you configure the older Jenkins version to use Active Directory?)

          Both instances of what?

          In the affected instance, are you able to use the CLI (with authentication)?

          Don't know how to do this.

          The XML/JSON API (using e.g. curl)?

          Yes - Change the URL to http://jenkinserver/job/myjob/api/json, same effect.

          The Web UI?

          Not sure how to do this correctly, but tried with Chrome and got redirected to the Login page.

          What is shown on the /whoAmI web page?

          How do I do that for this process?

          Configure a log recorder with logger hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider on level FINE. What gets logged around the time the error occurs?

          Can you tell me how to do that?

          Daniel Beck added a comment -

          Not sure what you mean by this question. I thought there was no configuration for this machine, since it is joined to a domain.

          To clarify, Active Directory Plugin. It has options in the security preferences.

          Both instances of what?

          The report mentions two Jenkins instances (at least that's my guess from the report mentioning two vastly different Jenkins versions). Does not apply to you.

          How do I do that for this process?

          Not sure what you mean. Just go to http://whateveryourjenkinshostnameis/whoAmI when logged in.

          Can you tell me how to do that?

          https://wiki.jenkins-ci.org/display/JENKINS/Logging


          One question I forgot:

          Does the user account you want to use actually exist in Active Directory, or only in Jenkins?

          Keith Davis added a comment -

          To clarify, Active Directory Plugin. It has options in the security preferences.

          Default settings (Domain Name & Domain controller are blank, Remove irrelevant groups is unchecked)

          Not sure what you mean. Just go to http://whateveryourjenkinshostnameis/whoAmI when logged in.

          Do you want all of this data (it's a lot)? The information is correct.

          https://wiki.jenkins-ci.org/display/JENKINS/Logging

          I did that, ran the test, the log is not capturing anything.

          Keith Davis added a comment -

          Even changed the logging level to ALL, still nothing.

          Keith Davis added a comment -

          In fact, I just logged out and back in using the UI and that log still shows nothing. I also tried adding these 2 loggers, still nothing:

          hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider
          hudson.plugins.active_directory.ActiveDirectoryUserDetail

          Kenneth Younger added a comment -

          We seem to be hitting this same issue. We use AD for all user access into Jenkins, and only add AD Groups in the global security config.

          laurin1, did you end up figuring this out?

          Keith Davis added a comment -

          No. We switched to running a PHP script that uses the cURL extension.

            Unassigned Unassigned
            mbells Matthew Bells