-
Bug
-
Resolution: Not A Defect
-
Major
-
Windows Server 2016, running Jenkins WAR-File as Windows-Service with Service-Wrapper, Active-Directory-Plugin working, installed is latest Plugin-Version 105.vf0d0de2a_b_8a_5
When opening Jenkins, the standard-login-form appears and no SSO happens.
Login with correct AD-Credentials is successfull then.
Jenkins-Log shows that Plugin/Waffle is running. When calling the context root / Jenkins Starturl the log shows, that the authentication works fine. My User-ID is logged.
But then nothing happens. No Redirect on the first Jenkins-Page.
Before Upgrading to 2.479.1 the plugin works fine without any config changes.
c.g.f.j.n.NegotiateSSO#startFilter: Starting Security Filter
2024-11-08 10:06:13.058+0000 [id=561] INFO w.s.NegotiateSecurityFilter#setPrincipalFormat: principal format: BOTH
2024-11-08 10:06:13.058+0000 [id=561] INFO w.s.NegotiateSecurityFilter#setRoleFormat: role format: BOTH
2024-11-08 10:06:13.059+0000 [id=561] INFO w.s.s.SecurityFilterProviderCollection#<init>: loading 'waffle.servlet.spi.NegotiateSecurityFilterProvider'
2024-11-08 10:06:13.060+0000 [id=561] INFO w.s.s.SecurityFilterProviderCollection#<init>: loading 'waffle.servlet.spi.BasicSecurityFilterProvider'
2024-11-08 10:06:13.060+0000 [id=561] INFO w.s.NegotiateSecurityFilter#init: [waffle.servlet.NegotiateSecurityFilter] started
2024-11-08 10:06:13.060+0000 [id=561] INFO w.s.NegotiateSecurityFilter#init: [waffle.servlet.NegotiateSecurityFilter] started
...
2024-11-08 10:06:38.897+0000 [id=561] INFO w.s.NegotiateSecurityFilter#doFilter: successfully logged in user: <correkt-Domain removed>\<correct userid removed>
2024-11-08 10:06:54.874+0000 [id=541] INFO h.p.a.ActiveDirectoryAuthenticationProvider#<init>: Active Directory domain is DC=prod,DC=d001,DC=loc
[JENKINS-74827] Plugin not working since upgrade 2.462.x -> 2.479.1
Basil Crow
added a comment - installed is latest Plugin-Version 105.vf0d0de2a_b_8a_5
Users of the Windows Negotiate SSO plugin must upgrade it to version 136.vda_2b_6a_744b_d8 in lockstep with upgrading Jenkins core 2.475 or newer.
Basil Crow
added a comment - installed is latest Plugin-Version 105.vf0d0de2a_b_8a_5
Users of the Windows Negotiate SSO plugin must upgrade it to version 136.vda_2b_6a_744b_d8 in lockstep with upgrading Jenkins core 2.475 or newer. 
Bryson Gibbons
added a comment - Mark Waite is correct that you need to update negotiate-sso-plugin after the upgrade for it to work again. The changeover in dependencies makes it very hard to create a release that would work on both the older and newer releases.
You will not need any config changes to negotiate-sso-plugin; you just need to update it.
I'm not sure on if your config will allow it, but on my server I was able to log in With username and password and access the plugin management page. Another possible option is manually editing the settings to disable negotiate-sso-plugin, restarting the Jenkins service, and then logging in via username and password to update the plugin.
Bryson Gibbons
added a comment - Mark Waite is correct that you need to update negotiate-sso-plugin after the upgrade for it to work again. The changeover in dependencies makes it very hard to create a release that would work on both the older and newer releases.
You will not need any config changes to negotiate-sso-plugin; you just need to update it.
I'm not sure on if your config will allow it, but on my server I was able to log in With username and password and access the plugin management page. Another possible option is manually editing the settings to disable negotiate-sso-plugin, restarting the Jenkins service, and then logging in via username and password to update the plugin. 
Markus
added a comment - I updated the plugin to the latest version and now everything works fine! Many thanks for your help!
After reading the upgrade-guide before the update it was clear, that many Plugins have to be updated. But the Plugin-Manager doesn't offer a newer Version for this plugin and so I openend this Ticket.
The Problem was, that my company has done some strange things with our WebProxy (as part of RZ-transition in October) and so I had not the newest Plugin-Meta-Data available in Jenkins.
So please forgive me wasting your time ... 
Markus
added a comment - I updated the plugin to the latest version and now everything works fine! Many thanks for your help!
After reading the upgrade-guide before the update it was clear, that many Plugins have to be updated. But the Plugin-Manager doesn't offer a newer Version for this plugin and so I openend this Ticket.
The Problem was, that my company has done some strange things with our WebProxy (as part of RZ-transition in October) and so I had not the newest Plugin-Meta-Data available in Jenkins.
So please forgive me wasting your time ... 
The 136.vda_2b_6a_744b_d8 plugin release is required for Jenkins 2.475 and later. Those versions have upgraded from Spring Security 5 to Spring Security 6. It requires the same steps to install it as are required for the LDAP plugin, the CAS plugin, and the reverse proxy auth plugin. Those steps are described in the Jenkins 2.479.1 upgrade guide as: