JENKINS-69556

Active Directory failover problems


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major

      Hi,

      We have an issue: when the first Active Directory server listed in the AD plugin configuration is unavailable, it does not fail over to any of the others configured. This means users are locked out of Jenkins.

      We have 2 AD servers configured in this instance:

      1. ADSERVER8.ad.company.com
      2. ADSERVER7.ad.company.com

      If #1 is offline, #2 is not used.

      The Active Directory Health Status checker just hangs when submit is clicked. It draws a red progress bar and stops before it reaches the end. Normally it would check all the configured AD servers.

      Here is a snippet from the log (ADSERVER8.ad.company.com is down):

      2022-09-08 08:57:12.300+0000 [id=43]    WARNING    h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: Failed to bind to ADSERVER8.ad.company.com:3268
      java.net.ConnectException: Connection refused (Connection refused)
          at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
          at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
          at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
          at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
          at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
          at java.base/java.net.Socket.connect(Socket.java:609)
          at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:335)
          at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:231)
      Caused: javax.naming.CommunicationException: ADSERVER8.ad.company.com:3268 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
          at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:252)
          at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
          at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1616)
          at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2847)
          at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
          at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:262)
          at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226)
          at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:183)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:670)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:601)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:566)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.lambda$retrieveUser$0(ActiveDirectoryUnixAuthenticationProvider.java:354)
          at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2413)
          at java.base/java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1908)
          at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2411)
          at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2394)
          at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108)
          at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:62)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:454)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:297)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:223)
          at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:899)
          at hudson.plugins.active_directory.ActiveDirectoryStatus$ServerHealth.computeLoginExecutionTime(ActiveDirectoryStatus.java:208)
          at hudson.plugins.active_directory.ActiveDirectoryStatus$ServerHealth.<init>(ActiveDirectoryStatus.java:182)
          at hudson.plugins.active_directory.ActiveDirectoryStatus$1.compute(ActiveDirectoryStatus.java:120)
          at jenkins.util.ProgressiveRendering$1.run(ProgressiveRendering.java:122)
          at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:67)
          at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
          at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
          at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
          at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
          at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
          at java.base/java.lang.Thread.run(Thread.java:829)
      2022-09-08 08:57:12.301+0000 [id=43]    WARNING    h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: All attempts to login failed for user CN=username,OU=Business,OU=Users,OU=ORG,OU=EMEA,DC=ad,DC=company,DC=com
      2022-09-08 08:57:12.301+0000 [id=43]    WARNING    j.util.ProgressiveRendering$1#run: failed to compute /ad-health/
      java.net.ConnectException: Connection refused (Connection refused)
          at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
          at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
          at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
          at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
          at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
          at java.base/java.net.Socket.connect(Socket.java:609)
          at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:335)
          at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:231)
      Caused: javax.naming.CommunicationException: ADSERVER8.ad.company.com:3268 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
          at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:252)
          at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
          at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1616)
          at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2847)
          at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
          at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:262)
          at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226)
          at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:183)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:670)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:601)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:566)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.lambda$retrieveUser$0(ActiveDirectoryUnixAuthenticationProvider.java:354)
      Caused: org.acegisecurity.AuthenticationServiceException: Failed to bind to LDAP server with the bind name/password; nested exception is javax.naming.CommunicationException: ADSERVER8.ad.company.com:3268 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.lambda$retrieveUser$0(ActiveDirectoryUnixAuthenticationProvider.java:360)
          at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2413)
          at java.base/java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1908)
          at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2411)
          at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2394)
          at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108)
          at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:62)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:454)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:297)
          at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:223)
          at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
          at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:899)
          at hudson.plugins.active_directory.ActiveDirectoryStatus$ServerHealth.computeLoginExecutionTime(ActiveDirectoryStatus.java:208)
          at hudson.plugins.active_directory.ActiveDirectoryStatus$ServerHealth.<init>(ActiveDirectoryStatus.java:182)
          at hudson.plugins.active_directory.ActiveDirectoryStatus$1.compute(ActiveDirectoryStatus.java:120)
          at jenkins.util.ProgressiveRendering$1.run(ProgressiveRendering.java:122)
          at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:67)
          at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
          at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
          at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
          at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
          at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
          at java.base/java.lang.Thread.run(Thread.java:829)

      Thanks,

      Bill.
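
An added example, not part of the original report and not code from the Active Directory plugin: a log check that groups the plugin's bind warnings by thread id and, for each "All attempts to login failed" line, reports which configured servers never appear in a preceding "Failed to bind to" line. The sample lines are trimmed from the log in the report; the function name and the `CONFIGURED` list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Servers in the order given in the report (assumed to match the plugin config).
CONFIGURED = ["ADSERVER8.ad.company.com", "ADSERVER7.ad.company.com"]

# Header lines trimmed from the log in the report; most stack frames omitted.
SAMPLE_LOG = """\
2022-09-08 08:57:12.300+0000 [id=43]    WARNING    h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: Failed to bind to ADSERVER8.ad.company.com:3268
java.net.ConnectException: Connection refused (Connection refused)
    at java.base/java.net.Socket.connect(Socket.java:609)
2022-09-08 08:57:12.301+0000 [id=43]    WARNING    h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: All attempts to login failed for user CN=username,OU=Business,OU=Users,OU=ORG,OU=EMEA,DC=ad,DC=company,DC=com
"""

# timestamp, thread id, level, logger, message
HEADER = re.compile(r"^(\S+ \S+) \[id=(\d+)\]\s+(\w+)\s+(\S+): (.*)$")
BIND_FAIL = re.compile(r"^Failed to bind to (\S+):(\d+)$")
ALL_FAILED = re.compile(r"^All attempts to login failed for user (.+)$")


def find_skipped_failover(log_text, configured):
    """Return one finding per failed login, listing servers tried and skipped."""
    pending = defaultdict(list)  # thread id -> hosts with a logged bind failure
    findings = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # stack frame or exception line, not a log header
        ts, tid, _level, _logger, msg = m.groups()
        bind = BIND_FAIL.match(msg)
        if bind:
            pending[tid].append(bind.group(1).lower())
            continue
        failed = ALL_FAILED.match(msg)
        if failed:
            tried = pending.pop(tid, [])
            skipped = [h for h in configured if h.lower() not in tried]
            findings.append({"time": ts, "user": failed.group(1),
                             "tried": tried, "skipped": skipped})
    return findings


if __name__ == "__main__":
    for f in find_skipped_failover(SAMPLE_LOG, CONFIGURED):
        print(f["time"], "tried:", f["tried"], "never attempted:", f["skipped"])
```

A server listed under "never attempted" only means no bind failure was logged for it on that thread before the login was declared failed; run it over the full Jenkins log to see whether any login attempt ever reached the second server.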

            fbelzunc Félix Belzunce Arcos
            bcorr Bill Corr