
Active Directory trying to connect to AD server every 15 seconds with a user ID

      When activating the Active Directory plugin I am able to connect to the domain via the test button. I see the user groups are available, as the red boxes beside them go away once active. However, in the log file I see the following error every 15 seconds, and I am currently unable to log into Jenkins via my AD credentials.

      Jan 26, 2015 7:00:24 AM WARNING hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl bind
      Failed to authenticate while binding to server.domain.com:3268
      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2580)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2567)
      	at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2563)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:514)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:430)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:273)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:219)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:163)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at jenkins.security.BasicHeaderRealPasswordAuthenticator.authenticate(BasicHeaderRealPasswordAuthenticator.java:55)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:79)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:701)
      
      Jan 26, 2015 7:00:24 AM WARNING hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser
      Credential exception trying to authenticate against domain.com domain
      org.acegisecurity.BadCredentialsException: Either no such user 'user@domain.com' or incorrect password; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:445)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:273)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:219)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:163)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at jenkins.security.BasicHeaderRealPasswordAuthenticator.authenticate(BasicHeaderRealPasswordAuthenticator.java:55)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:79)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:701)
      Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2580)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2567)
      	at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2563)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:514)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:430)
      	... 44 more
      

          [JENKINS-26603] Active Directory trying to connect to AD server every 15 seconds with a user ID

          Daniel Beck added a comment -

          Are you sure 'user@domain.com' is valid syntax for this? Have you tried 'domain\user' or 'user'?


          Chris Tuttle added a comment -

          Yes. I removed company logins and domain names and put generic names in the log. Sorry, I had not identified that in the original post.


          Chris Tuttle added a comment -

          The problem is that the particular user in question isn't physically attempting to log into the system at the time.

          The error starts immediately when I turn on the plugin.


          James Nord added a comment -

          Something is hitting Jenkins with some username. I would suggest sniffing the TCP traffic and looking at the requests to identify the source.


          James Nord added a comment -

          One source of this is the Hudson Tray Application - if that user recently changed their password then you may need to reconfigure this app - there are possibly other integrations as well (such as scripts calling the API etc)
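          The log in this issue records each rejected bind with a timestamp, the user name and the AD sub-code (`data 52e`), which is enough to tell a one-off mistyped password from a client retrying stored credentials on a timer. The following is an added example, not part of the original thread or the plugin's code: it parses records in the layout shown in the report and flags users whose failures arrive at a fixed interval. The sample records, `alice@domain.com`, and the jitter and event-count thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Commonly documented AD sub-codes found in the "data" field of LDAP error 49.
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials",
               "530": "logon not permitted at this time", "532": "password expired",
               "533": "account disabled", "701": "account expired",
               "773": "user must reset password", "775": "account locked out"}
STAMP = re.compile(r"^\s*(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) WARNING ")
FAIL = re.compile(r"BadCredentialsException: .*?user '([^']+)'.*?error code 49 .*?data ([0-9a-f]+),")

def failed_binds(log_text):
    """Yield (timestamp, user, subcode) for each BadCredentialsException record."""
    stamp = None
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
        elif stamp and (m := FAIL.search(line)):
            yield stamp, m.group(1), m.group(2)

def summarize(log_text, max_jitter_s=2.0, min_events=4):
    """Per user: count, last sub-code meaning, median gap, and a fixed-cadence flag
    (a steady interval points at a client retrying stored credentials)."""
    events = defaultdict(list)
    for stamp, user, code in failed_binds(log_text):
        events[user].append((stamp, code))
    report = {}
    for user, rows in events.items():
        times = sorted(t for t, _ in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[user] = {
            "count": len(rows),
            "reason": AD_SUBCODES.get(rows[-1][1], "unknown sub-code"),
            "median_gap_s": median(gaps) if gaps else None,
            "periodic": len(rows) >= min_events and pstdev(gaps) <= max_jitter_s,
        }
    return report

def _record(clock, user, code="52e"):  # constructed sample record in the page's log layout
    return (f"Jan 26, 2015 {clock} AM WARNING hudson.plugins.active_directory."
            "ActiveDirectoryUnixAuthenticationProvider retrieveUser\n"
            f"org.acegisecurity.BadCredentialsException: Either no such user '{user}' or incorrect "
            "password; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49"
            f" - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data {code}, v1db1]\n")

SAMPLE = "".join(_record(c, "user@domain.com") for c in ("7:00:24", "7:00:39", "7:00:54", "7:01:09"))
SAMPLE += _record("7:03:02", "alice@domain.com", "775")
```

          Calling `summarize(SAMPLE)` returns one entry per user. The Jenkins log carries no client address, so the HTTP access log or a packet capture is still needed to locate the machine sending the requests.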


          James Nord added a comment -

          Jenkins doesn't randomly try to authenticate users out of thin air - so I am closing this as not a bug.

          If you are looking for some help to diagnose what is causing Jenkins to attempt to authenticate, I would suggest you ask on the Jenkins Freenode IRC channel or on the Jenkins users mailing list.


          Morgan Kobeissi added a comment -

          crtut, did you manage to figure out what was causing the burst of authentication requests?

          Jörg Ziegler added a comment -

          teilo/mcmoe: I just stumbled over a similar (the same?) issue. For me the auth burst came from swarm slaves attempting to authenticate themselves.
          I also faced the issue that neither the slaves nor me as a user could authenticate against AD.

          To make the problem go away I manually had to change the authentication strategy in config.xml to hudson.security.AuthorizationStrategy$Unsecured
          Then, after re-entering the password on the security configuration page authentication against AD worked again.

          This happened after an attempted LTS upgrade from Jenkins 1.651.2 to 2.7.1 using plugin version 1.47.
          Note that before the upgrade the authentication worked fine and so did it once I had re-entered the password.


            Unassigned Unassigned
            crtut Chris Tuttle