
Active Directory plugin 2.29 some users cannot login or be displayed

      Since updating to Active Directory plugin 2.29 (see https://plugins.jenkins.io/active-directory/#releases), some users cannot login anymore and also cannot be displayed anymore in the user view.

      For the user that is broken in the user view, we get a response:
      Status Code: 500
      2022_12_13-broken-user-respone.html

      When trying to login with this user we get:
      https://our-jenkins/j_spring_security_check
      Status Code: 500
      2022_12_13-broken-user-login-respone.html

      Some other users can login and be viewed via the user list, while some other ones can be viewed via the list but cannot login.

      Rolling back to v2.28 fixed the issue.

      While investigating that issue I also noticed that v2.29 was only tagged but never released on github: https://github.com/jenkinsci/active-directory-plugin/releases vs. https://github.com/jenkinsci/active-directory-plugin/tags
      but the v2.29 still appears on jenkins plugins site: https://plugins.jenkins.io/active-directory/#releases

      Also, it seems that the test pipeline for the tagged v2.29 version never actually ran:
      https://github.com/jenkinsci/active-directory-plugin/commits
      https://github.com/jenkinsci/active-directory-plugin/runs/9848751383
      https://ci.jenkins.io/job/Plugins/job/active-directory-plugin/job/master/108/

          [JENKINS-70270] Active Directory plugin 2.29 some users cannot login or be displayed

          Sebastian Racs created issue -

          Félix Belzunce Arcos added a comment -

          sebracs In the $JENKINS_HOME/config.xml in the active directory configuration section, what do you have for the groupLookupStrategy field?

          I am wondering if the problem is this PR I did https://github.com/jenkinsci/active-directory-plugin/pull/146

          James Nord added a comment -

          sebracs please provide Jenkins logs for the corresponding error and jenkins versions and any other plugins and versions please.

          This to me looks like the security listener code (jenkins core and other plugins) is misbehaving.

          James Nord added a comment -

          https://github.com/jenkinsci/active-directory-plugin/pull/128 introduced the code to notify security listeners.


          Sebastian Racs added a comment -

          fbelzunc $JENKINS_HOME/config.xml:
          <groupLookupStrategy>AUTO</groupLookupStrategy>

          So this might have to do with https://github.com/jenkinsci/active-directory-plugin/pull/146 ?

          teilo I don't have too many more logs other than the ones I attached, since we then rolled back to the working version v2.28.
          Jenkins versions 2.332.4 and 2.361.4 were both affected for us.

          Sebastian Racs added a comment -

          One thing that might be relevant is that we have set
          hudson.plugins.active_directory.referral.ignore=true
          in order not to have it query all the AD referral trees too, which is very slow.
          We then have it print in the log every time somebody logs in:

          JENKINS-42687 Might be more members for user CN=*REMOVED*
          javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '*REMOVED*'
                  at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3022)
                  at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
                  at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.getNextBatch(AbstractLdapNamingEnumeration.java:148)
                  at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:217)
                  at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.parseMembers(ActiveDirectoryUnixAuthenticationProvider.java:794)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.resolveGroups(ActiveDirectoryUnixAuthenticationProvider.java:660)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.lambda$retrieveUser$0(ActiveDirectoryUnixAuthenticationProvider.java:422)
                  at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2406)
                  at java.base/java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1908)
                  at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2404)
                  at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2387)
                  at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108)
                  at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:62)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:454)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:297)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:223)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.authenticate(ActiveDirectorySecurityRealm.java:905)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.authenticate2(AbstractPasswordBasedSecurityRealm.java:74)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.doAuthenticate(AbstractPasswordBasedSecurityRealm.java:97)
                  at hudson.security.AbstractPasswordBasedSecurityRealm$Authenticator.retrieveUser(AbstractPasswordBasedSecurityRealm.java:183)
                  at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:133)
                  at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
                  at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:85)
                  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
                  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
                  at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
                  at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
                  at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
                  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112)
                  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82)
                  at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
                  at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
                  at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
                  at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
                  at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
                  at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
                  at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
                  at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
                  at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:549)
                  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
                  at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
                  at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
                  at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
                  at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1378)
                  at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
                  at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
                  at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
                  at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
                  at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1300)
                  at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
                  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
                  at org.eclipse.jetty.server.Server.handle(Server.java:562)
                  at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
                  at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
                  at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
                  at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
                  at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
                  at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
                  at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
                  at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
                  at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
                  at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
                  at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
                  at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
                  at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
                  at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
                  at java.base/java.lang.Thread.run(Thread.java:829)


          James Nord added a comment - - edited

          one thing that might be relevant is that we have set
          hudson.plugins.active_directory.referral.ignore=true
          in order not to have it query all the AD referral trees too, which is very slow.

          You may find that you are better off not doing that and instead use the global catalog port for AD - it knows everything about everyone and you will not get any referrals.

          https://learn.microsoft.com/en-us/windows/win32/ad/global-catalog
          https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc978012(v=technet.10)?redirectedfrom=MSDN

          GC port is 3268 or 3269 for SSL protected.

          user names and their security groups should always be available in the GC. Their email will usually be available (if not, you could ask your admin to mark it for replication; in most modern setups it will be available IIRC)

          to do this just add the port to the end of the domain controller
          e.g. where you have `dc1.example.com` -> `dc1.example.com:3268` or `dc1.example.com:636` -> `dc1.example.com:3269`

          please try using the global catalog and report back.


          James Nord added a comment -

          fbelzunc irrespective we probably should make this a warning only (with a better message) when `referral.ignore=true`. When the user opts in to not following referrals they have opted into partial results. May be interesting if anyone is using groups for filtering - so maybe run by the security team too.

          Marian Degel added a comment -

          We experience the same issue on Jenkins 2.346.3 after updating to Active Directory plugin 2.29.

          The error seems to be somewhat redundant, especially regarding the "security listener code" that teilo mentioned (the stack trace is shortened, as it goes on for 1k lines with the same error):

          2023-01-23 12:25:00.470+0000 [id=1553718]       WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 0d93d340-ba48-4f62-bcc8-19d15da03ca9
          java.lang.StackOverflowError
                  at java.base/java.security.AccessController.doPrivileged(Native Method)
                  at java.naming/com.sun.naming.internal.VersionHelper.getJndiProperties(VersionHelper.java:166)
                  at java.naming/com.sun.naming.internal.ResourceManager.getInitialEnvironment(ResourceManager.java:165)
                  at java.naming/javax.naming.InitialContext.init(InitialContext.java:232)
                  at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
                  at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.createDNSLookupContext(ActiveDirectorySecurityRealm.java:739)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.obtainLDAPServer(ActiveDirectorySecurityRealm.java:748)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.obtainLDAPServers(ActiveDirectoryUnixAuthenticationProvider.java:314)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:302)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:224)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
                  at hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)
                  at hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)
                  [...]
                  at hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)
                  at org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)
                  at jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)
                  at jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)
                  at jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)
                  at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)
                  at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)
                  at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)
                  at hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)
                  at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
                  at org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)
          

          For the groupLookupStrategy we use RECURSIVE, which shouldn't cause the issue IMHO.

          Strangely enough the error does not seem to appear on our similarly set up test server which is running Jenkins 2.361.4 with Active Directory plugin 2.29.
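
To see which call sequence recurses in a trace like the one above, the following added example (not part of the original comment or of any Jenkins plugin) finds the shortest repeating block of frames and lists the packages it passes through in call order. The sample input reuses frames from this page, cut down to a few repetitions; the function names are this example's own.

```python
import re

# "at [module/]package.Class.method(File.java:NN)"; class may contain '$', method may be <init>.
FRAME_RE = re.compile(r"^\s*at\s+(?:[\w.]+/)?([\w.$]+)\.([\w$<>]+)\(([^)]*)\)\s*$")

# Frames copied from the trace on this page. PREFIX is the non-repeating top of the stack.
PREFIX = [
    "hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.obtainLDAPServers(ActiveDirectoryUnixAuthenticationProvider.java:314)",
    "hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:302)",
    "hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:224)",
]
CYCLE = [
    "hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:47)",
    "hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:900)",
    "hudson.security.AbstractPasswordBasedSecurityRealm.loadUserByUsername2(AbstractPasswordBasedSecurityRealm.java:118)",
    "jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)",
    "org.acegisecurity.userdetails.UserDetailsService.lambda$fromSpring$0(UserDetailsService.java:42)",
    "hudson.plugins.active_directory.ActiveDirectoryMailAddressResolverImpl.findMailAddressFor(ActiveDirectoryMailAddressResolverImpl.java:55)",
    "hudson.tasks.MailAddressResolver.resolve(MailAddressResolver.java:122)",
    "hudson.tasks.Mailer$UserProperty.getAddress(Mailer.java:748)",
    "org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.logUserAuthentication(AuthenticatedUsersAuditor.java:85)",
    "org.jenkinsci.plugins.useractivity.AuthenticatedUsersAuditor.authenticated(AuthenticatedUsersAuditor.java:47)",
    "jenkins.security.SecurityListener.authenticated2(SecurityListener.java:55)",
    "jenkins.security.SecurityListener.fireAuthenticated2(SecurityListener.java:117)",
    "jenkins.security.SecurityListener.fireAuthenticated(SecurityListener.java:127)",
    "hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:225)",
]
# Constructed sample: three repetitions instead of ~1k lines, with the "[...]" elision
# marker at the same position as in the comment and a trace that ends mid-cycle.
_body = PREFIX + CYCLE + CYCLE[:7] + ["[...]"] + CYCLE[7:] + CYCLE + CYCLE[:5]
SAMPLE_TRACE = "java.lang.StackOverflowError\n" + "\n".join(
    line if line == "[...]" else "\tat " + line for line in _body
)


def parse_frames(trace_text):
    """Return (class, method, location) per 'at ...' line; header and '[...]' lines are skipped."""
    frames = []
    for line in trace_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.groups())
    return frames


def find_cycle(frames, min_repeats=2):
    """Find the earliest start and shortest period such that frames[start:] repeats
    with that period to the end of the trace (a partial last repetition is allowed).
    Frames compare by class, method and line, so two call sites in one method differ."""
    n = len(frames)
    for start in range(n):
        for period in range(1, (n - start) // min_repeats + 1):
            if all(frames[i] == frames[i + period] for i in range(start, n - period)):
                return start, period
    return None


def package_chain(cycle):
    """Packages of the cycle in call order (caller first), consecutive duplicates collapsed."""
    chain = []
    for cls, _method, _location in reversed(cycle):  # traces list the deepest frame first
        pkg = cls.rsplit(".", 1)[0]
        if not chain or chain[-1] != pkg:
            chain.append(pkg)
    return chain


def analyze(trace_text):
    """Summarise the recursion in a stack trace, or return None if nothing repeats."""
    frames = parse_frames(trace_text)
    found = find_cycle(frames)
    if found is None:
        return None
    start, period = found
    cycle = frames[start:start + period]
    return {"prefix_frames": start, "period": period,
            "cycle": cycle, "packages": package_chain(cycle)}


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE)
    print(f"{result['prefix_frames']} non-repeating frames, then a {result['period']}-frame cycle")
    print(" -> ".join(result["packages"]))
    for cls, method, location in reversed(result["cycle"]):
        print(f"  {cls}.{method} ({location})")
```

The cycle's last frame in trace order is the call site that re-enters the chain, and the package list shows which components a reproduction needs to have installed together.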


            fbelzunc Félix Belzunce Arcos
            sebracs Sebastian Racs