
AD Authentication Does not Work for Jenkins Login

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • OS - Distributor ID: Ubuntu
      Description: Ubuntu 18.04.4 LTS
      Release: 18.04
      Codename: bionic

      Jenkins - 2.264
      AD Plugin - 2.19
      Java - Open JDK

      Hi, we have been using Jenkins authentication with the AD plugin and it was working fine as of last Friday; over the weekend we restarted our Jenkins server and since then we are not able to log in to Jenkins and get the error below.


      [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09026E, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580]

      javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09026E, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580]
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3252)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3207)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993)
      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2907)
      at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2799)
      at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2772)
      at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2697)
      at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:666)
      at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:544)
      at hudson.plugins.active_directory.ActiveDirectoryDomain$DescriptorImpl.doValidateTest(ActiveDirectoryDomain.java:336)


      All the AD certificates are stored in the keystore and it was working fine, but after the restart on the weekend we are not able to log in; the AD plugin configuration remains the same.


          Jim Witte added a comment -

          Same issue happened to our Jenkins instance, running on Ubuntu 18.04 LTS. Traced it to an openjdk update. I put a hold on the following packages and our AD authentication is unaffected.

          openjdk-8-jdk
          openjdk-8-jdk-headless
          openjdk-8-jre
          openjdk-8-jre-headless


          Alex Fung added a comment -

          Thank you Jim! Our Jenkins instance was also affected by this issue, and downgrading openjdk8 back to 8u77-b03-3ubuntu3 from 8u272-b10-0ubuntu1 (and restarting the Jenkins server) did the trick – AD authentication was restored.


          Félix Belzunce Arcos added a comment -

          I think the issue is well explained here https://support.tibco.com/s/article/LdapErr-DSID-0C090257-comment-The-server-requires-binds-to-turn-on-integrity-checking-if-SSL-TLS-are-not-already-active-on-the-connection

          > This issue is the result of a non-default domain policy set in active directory that enforces all LDAP authentication to be secured with SSL.

          > This policy on the domain controller is: "Domain controller: LDAP server signing requirements" and if set to "Require signing" the LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Socket Layer (TLS/SSL) is being used. This also sets the following registry key on all domain controllers:

          > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=2
          > If this policy is configured on one's domain controllers in a Windows Domain, non-secure LDAP authentication will fail.
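The error quoted in the report and the policy explanation in the comment above can be turned into a log check. The following is an added example, not code from the Jenkins project or the Active Directory plugin: it scans Jenkins log lines for JNDI LDAP bind failures, extracts the LDAP result code, the AD error code and the DSID, and flags the "server requires signing or TLS" case (result code 8 with AD code 00002028) separately from ordinary credential failures (result code 49). The log lines are constructed for the demo, and the remediation text is this example's own summary of the comment, not plugin documentation.

```python
"""Triage Jenkins logs for LDAP bind failures caused by a domain
controller whose "LDAP server signing requirements" policy is set to
"Require signing" (LDAPServerIntegrity=2).

Added example; not part of Jenkins or the Active Directory plugin.
All sample log lines below are constructed for this demo.
"""
import re
from collections import Counter

# Constructed sample: two signing/TLS bind failures of the kind quoted in
# the ticket, one unrelated credential failure, and one non-LDAP line.
SAMPLE_LOG = """\
2020-11-02 08:15:01.120+0000 [id=41] SEVERE hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl#bind: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09026E, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, v2580]
2020-11-02 08:15:03.004+0000 [id=42] INFO  hudson.model.Run#execute: Build #12 completed
2020-11-02 08:16:10.771+0000 [id=43] SEVERE hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl#bind: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v2580]
2020-11-02 08:17:55.300+0000 [id=44] SEVERE hudson.plugins.active_directory.ActiveDirectoryDomain$DescriptorImpl#doValidateTest: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09026E, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, v2580]
"""

# Matches the bracketed diagnostic that JNDI appends to LDAP exceptions:
# "[LDAP: error code N - XXXXXXXX: LdapErr: DSID-..., comment: ..., data D, vNNNN]"
LDAP_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<ad>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9a-fA-F]+), v(?P<ver>\d+)\]"
)

# Remediation hints are this example's own summary of the ticket discussion.
REMEDIATION = {
    "signing-or-tls-required": (
        "DC policy 'Domain controller: LDAP server signing requirements' is "
        "'Require signing' (LDAPServerIntegrity=2). Plain LDAP binds are "
        "rejected: bind over TLS/SSL (LDAPS or StartTLS) with the DC "
        "certificate chain trusted by the Jenkins JVM keystore, or negotiate "
        "LDAP signing. If this started after a JDK update, compare the "
        "installed openjdk package version against the last working one."
    ),
    "invalid-credentials": (
        "LDAP result code 49: the DC accepted the connection but rejected the "
        "credentials; not related to the signing policy."
    ),
    "other": "Unclassified LDAP failure; inspect the comment field.",
}


def classify(code: int, ad_code: str) -> str:
    """Map (LDAP result code, AD error code) to a triage category."""
    if code == 8 and ad_code.upper() == "00002028":
        return "signing-or-tls-required"   # strongAuthRequired + AD 00002028
    if code == 49:
        return "invalid-credentials"        # invalidCredentials
    return "other"


def parse_line(line: str):
    """Return a finding dict for a log line carrying an LDAP error, else None."""
    m = LDAP_ERR.search(line)
    if not m:
        return None
    code = int(m["code"])
    return {
        "code": code,
        "ad_code": m["ad"],
        "dsid": m["dsid"],
        "comment": m["comment"],
        "data": m["data"],
        "category": classify(code, m["ad"]),
    }


def triage(log_text: str):
    """Parse every line; return (findings in log order, count per category)."""
    findings = [f for f in (parse_line(l) for l in log_text.splitlines()) if f]
    counts = Counter(f["category"] for f in findings)
    return findings, counts


if __name__ == "__main__":
    found, by_category = triage(SAMPLE_LOG)
    for f in found:
        print(f"code={f['code']} ad={f['ad_code']} dsid={f['dsid']} -> {f['category']}")
    for category, n in by_category.items():
        print(f"\n{n} x {category}:\n  {REMEDIATION[category]}")
```

Run it against `/var/log/jenkins/jenkins.log` (or wherever the instance writes its log) instead of `SAMPLE_LOG` to confirm whether the failures after a restart are the signing-policy case or ordinary credential errors before touching the JDK or the plugin configuration.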

            Assignee: Félix Belzunce Arcos (fbelzunc)
            Reporter: Abhishek Bhardwaj (bhardwajme)