I am having trouble setting up the negotiate-sso-plugin.

      Jenkins is running as SYSTEM on ci01.example.local at port 8080
      Active Directory Login is working

      If I try to access jenkins from another domain machine (Allow Localhost is active) it redirects many times to http://ci01.example.local:8080/login?from=%2Flogin%3Ffrom%3D%252Flogin%253Ffrom%253D%25252Flogin%25253F[...] - Decoded: {{http://ci01.example.local:8080/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=
      /login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/login?from=/}}

      Here is the log from waffle and com.github.farmgeek4life.jenkins.negotiatesso.NegotiateSSO:

      http://pastebin.com/6rGpVAWA

          [JENKINS-32365] Repeating URL Redirection

          Bryson Gibbons added a comment -

          Are you going to "http://ci01.example.local:8080/" or to "http://ci01.example.local:8080/login"? There is a potential issue with accessing "/login", and I haven't seen your issue previously.

          Also, there is one further step needed in order for the plugin to work - is there an HTTP/ci01.example.local SPN set on the computer object in Active Directory? If not, Active Directory will not allow a Negotiate/Kerberos automatic login through the host system.

          Florian Huber added a comment -

          Hi,

          it happens on both urls.

          The SPNs for the computer object are the following:

              setspn -L ci01
              Registered ServicePrincipalNames for CN=CI01,OU=Member Server,DC=example,DC=local:
              HTTP/ci01
              HTTP/ci01.example.local
              TERMSRV/CI01
              TERMSRV/ci01.example.local
              RestrictedKrbHost/CI01
              HOST/CI01
              RestrictedKrbHost/ci01.example.local
              HOST/ci01.example.local

          Kerberos Delegation is unset:


          Bryson Gibbons added a comment -

          I would like you to check some of these troubleshooting steps for Waffle, which is the backend system being used for Negotiate SSO. https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md

          I will be able to look into my working configuration a little more in a couple of days.

          Florian Huber added a comment -

          Hi!

          I found out the problem! In the user directory settings (Active Directory) the Bind DN wasn't set.
          Login worked for localhost authentication - but with Kerberos it ran into the reload/redirect loop.

          I found out that Windows logged successful Kerberos logins, so I tried to get more information from Jenkins and cranked up the ROOT logger!

          Maybe there should be a remark in the documentation that the BindDN must be set to work!

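A diagnostic for the symptom reported in this issue, as an added example that is not part of the original thread or of the plugin's code: it unwraps the nested `from` parameter of a login URL one encoding level at a time and counts how often `/login` redirected to itself. The sample URL is constructed to match the pattern quoted in the report; the function names and the threshold of 3 are assumptions.

```python
from urllib.parse import parse_qs, quote, urlsplit


def unwrap_from_chain(url, max_depth=100):
    """Return the path of each nested `from` target, outermost first."""
    chain = []
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        chain.append(parts.path)
        values = parse_qs(parts.query).get("from")
        if not values:
            break
        # parse_qs removes exactly one level of percent-encoding, which
        # exposes the next redirect target and its own `from` parameter.
        current = values[0]
    return chain


def login_loop_depth(url, login_path="/login"):
    """Count consecutive leading `login_path` entries in the chain."""
    depth = 0
    for path in unwrap_from_chain(url):
        if path != login_path:
            break
        depth += 1
    return depth


def is_login_loop(url, threshold=3):
    """Flag a URL whose login page redirected to itself `threshold`+ times."""
    return login_loop_depth(url) >= threshold


def build_looping_url(base, depth, final="/"):
    """Construct a sample URL the way repeated redirects would build it."""
    target = final
    for _ in range(depth):
        target = "/login?from=" + quote(target, safe="")
    return base + target


if __name__ == "__main__":
    # Constructed sample: five self-redirects of /login on the host from the report.
    sample = build_looping_url("http://ci01.example.local:8080", 5)
    print(sample)
    print(unwrap_from_chain(sample), login_loop_depth(sample), is_login_loop(sample))
```

A single `/login?from=...` hop is the normal redirect for an unauthenticated request, so only deeper nesting is flagged.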

            farmgeek4life Bryson Gibbons
            itshorty Florian Huber