
Multiple domain authentication when not part of the same forest

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Environment: Jenkins ver 1.595 on Windows Server 2012. AD plugin version 1.39

      I'm attempting to do AD authentication with the latest AD plugin. I need to authenticate against two domains (that trust each other but are NOT in the same forest; this works fine in other applications doing LDAP). Individually, configuring each of these domains works. But when I attempt to add two separated by commas as per the docs, only the first entry works. Can anyone recommend a solution?

      I get errors like "Credential exception trying to authenticate against myotherdomain.com domain and: org.acegisecurity.BadCredentialsException: Either no such user 'user@myotherdomain.com' or incorrect password; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1] --> my user definitely exists. Tested with other LDAP enabled apps. Also, I'm the admin for LDAP.

      I believe this is an issue with the binding credentials Jenkins is using, which is a show stopper because Jenkins won't allow me to configure two separate binding credentials - even with the LDAP plugin.


          Dan D added a comment -

          Appreciate it. I believe the documentation makes the assumption that the domains must be in the same forest (due to some other related bugs in the tracker) but the docs do not explicitly state that, so I question the validity of that statement.

          Dan D added a comment -

          I'll try again regarding no spaces - but I'm sure I took out any whitespace (in the logs when I first started troubleshooting, I did see a whitespace initially when Jenkins joined the single username to the attempted domain).

          It does seem to attempt to tack on both domains, but it seems it only asks one of the servers on the list. (I added two domain controllers for each domain separated by a comma as well)

          If the UNIX implementation is being called under the hood, a) can that implementation be configured to bind using 2 diff credentials and b) would I be able to hand edit the config file to configure it since the GUI wouldn't work?

          Dan D added a comment -

          Made sure there were no whitespaces in either the domain or the domain controller field. Same problem.

          Sagayaraj David added a comment - - edited

          We also face this problem. When two Active Directory domains are configured, the xml API call is not successful; however the same user is successfully able to login on the web interface. It looks like it is always trying to authenticate as Anonymous even though we pass the User and API token.

          We invoke the API as below:
          wget -d -O JobInfo.xml --http-user=MyUser --http-password=MyAPIToken --secure-protocol=TLSv1 http://jenkins.mydomain/job/TESTJOB/api/xml

          Error message:
          Authentication required<!--You are authenticated as: anonymousGroups that you are in:Permission you need to have (but didn't): hudson.model.Hudson.Read ... which is implied by: hudson.security.Permission.GenericRead ... which is implied by: hudson.model.HSkipping 337 bytes of body: [udson.Administer

          Our Jenkins ver. 1.596.2 on Windows 2008 R2

          Frédéric Meyrou added a comment - - edited

          Hi Mates,

          We have the same issue here in AGFA and it's a blocker.
          I tried to use LDAP plugin instead but it doesn't help and it's too slow.

          Thanks for your help,

          ./FM

          NB: Using Jenkins LTS 1.625 & Plugin 1.41

          James Nord added a comment -

          To really get this to work you would need to have the same bind user (with the same password) in both domains.

          You do not need to fully specify the domain for the bind user - it should default to the domain of the AD controller you are talking to.

          e.g. for domains foo.com and example.net you would need a user binduser on each domain (binduser@foo.com & binduser@example.net) and the user would need the same password.

          The domains should not need to be part of the same forest.

          If you use anonymous bind then things may not work as expected.

          Mark Grills added a comment - - edited

          teilo, are you saying that you managed to get this working?

          Using your examples doesn't appear to work for me. Can you post an image of your settings?

          Thanks in advance

          James Nord added a comment - grillba try https://support.cloudbees.com/hc/en-us/articles/223826668-Active-Directory-AD-Plugin-multiple-untrusted-domains

          Mark Grills added a comment -

          Thank you teilo!

          We finally managed to get this working across forests in our Jenkins environment (ver 2.19.1).

          FYI for everyone else: We couldn't get it working at first as we had a dot "." in our Bind DN which Jenkins didn't like when specifying multiple domains. Once removed it worked as documented.

          Great write up by the way.
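An added troubleshooting helper (not from the plugin or anyone in this thread) that decodes the "data 52e" sub-code from the exception quoted in the description and lints a multi-domain configuration for the mistakes discussed in James Nord's and Mark Grills' comments: whitespace in the domain list, a dot in the bind name, and a domain-qualified bind user. The sub-code table and the sample log line are constructed here; the lint rules are assumptions drawn from the comments, not the plugin's own checks.

```python
import re

# Meaning of the "data NNN" sub-code that AD attaches to an LDAP error 49
# (AcceptSecurityContext) bind failure. 52e is the one quoted in this issue.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (user exists; password or bind identity is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"LDAP: error code 49 - 80090308:.*?\bdata ([0-9a-fA-F]+)")

# Constructed sample: the exception text quoted in the issue description.
SAMPLE_LOG = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
              "LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]")

def explain_bind_error(log_line):
    """Return (sub-code, meaning) for an AD error-49 line, or None if the line is not one."""
    m = _DATA_RE.search(log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")

def lint_multidomain_config(domains, bind_name):
    """Flag the configuration mistakes reported in this thread (assumed rules):
    whitespace in the comma-separated domain list, a dotted or domain-qualified bind name."""
    problems = []
    for entry in domains.split(","):
        if entry != entry.strip():
            problems.append(f"whitespace around domain entry {entry!r}")
        elif not entry:
            problems.append("empty domain entry (stray comma)")
    if "." in bind_name:
        problems.append(f"bind name {bind_name!r} contains a dot; use the bare account name")
    if "@" in bind_name or "\\" in bind_name:
        problems.append("bind name is domain-qualified; leave it bare so it defaults "
                        "to the domain of each controller")
    return problems

def bind_principals(domains, bind_name):
    """The per-domain UPN a bare bind name resolves to; one password must be valid for all."""
    return [f"{bind_name}@{d.strip()}" for d in domains.split(",") if d.strip()]
```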

          Félix Belzunce Arcos added a comment -

          Version 2.0 provides good multidomain support from the UI.

            Assignee: Unassigned
            Reporter: Dan D (dan_cylon)
            Votes: 9
            Watchers: 10