Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-26603

Active Directory trying to connect to AD server every 15 seconds with a user ID

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      When activating the Active directory plugin i am able to connect to the domain via the test button. I see the user groups are available as the red boxes beside them go away once active. However in the log file i see the following error every 15 seconds and I am currently unable to log into jenkins via my AD credentials.

      Jan 26, 2015 7:00:24 AM WARNING hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl bind
      Failed to authenticate while binding to server.domain.com:3268
      javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2580)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2567)
      	at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2563)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:514)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:430)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:273)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:219)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:163)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at jenkins.security.BasicHeaderRealPasswordAuthenticator.authenticate(BasicHeaderRealPasswordAuthenticator.java:55)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:79)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:701)
      
      Jan 26, 2015 7:00:24 AM WARNING hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider retrieveUser
      Credential exception trying to authenticate against domain.com domain
      org.acegisecurity.BadCredentialsException: Either no such user 'user@domain.com' or incorrect password; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:445)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:273)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:219)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:163)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at jenkins.security.BasicHeaderRealPasswordAuthenticator.authenticate(BasicHeaderRealPasswordAuthenticator.java:55)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:79)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:701)
      Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2580)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2567)
      	at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2563)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:514)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:430)
      	... 44 more
      

        Attachments

          Activity

          Hide
          danielbeck Daniel Beck added a comment -

          Are you sure 'user@domain.com' is valid syntax for this? Have you tried 'domain\user' or 'user'?

          Show
          danielbeck Daniel Beck added a comment - Are you sure 'user@domain.com' is valid syntax for this? Have you tried 'domain\user' or 'user'?
          Hide
          crtut Chris Tuttle added a comment -

          Yes. i removed company logins and domain names and put generic names in the log. sorry i had not identified that in the original post.

          Show
          crtut Chris Tuttle added a comment - Yes. i removed company logins and domain names and put generic names in the log. sorry i had not identified that in the original post.
          Hide
          crtut Chris Tuttle added a comment -

          the problem is that the particular user in question isnt physically attempting to log into the system at the time.

          the error starts immediatly when i turn on the plugin.

          Show
          crtut Chris Tuttle added a comment - the problem is that the particular user in question isnt physically attempting to log into the system at the time. the error starts immediatly when i turn on the plugin.
          Hide
          teilo James Nord added a comment -

          something is hitting jenkins with some username. I would suggest sniffing the tcp traffic and looking at the requests to identify the source.

          Show
          teilo James Nord added a comment - something is hitting jenkins with some username. I would suggest sniffing the tcp traffic and looking at the requests to identify the source.
          Hide
          teilo James Nord added a comment -

          One source of this is the Hudson Tray Application - if that user recently changed their password then you may need to reconfigure this app - there are possibly other integrations as well (such as scripts calling the API etc)

          Show
          teilo James Nord added a comment - One source of this is the Hudson Tray Application - if that user recently changed their password then you may need to reconfigure this app - there are possibly other integrations as well (such as scripts calling the API etc)
          Hide
          teilo James Nord added a comment -

          Jenkins doesn't randomly try to authenticate users out of thin air - so I am closing this as not a bug.

          If you are looking for some help to diagnose what is causing jenkins to attempt to authenticate I would suggest you ask on the jenkins Freenode IRC channel or on the jenkins users mailing list.

          Show
          teilo James Nord added a comment - Jenkins doesn't randomly try to authenticate users out of thin air - so I am closing this as not a bug. If you are looking for some help to diagnose what is causing jenkins to attempt to authenticate I would suggest you ask on the jenkins Freenode IRC channel or on the jenkins users mailing list.
          Hide
          mcmoe Moe Kobeissi added a comment -

          Chris Tuttle, did you manage to figure out what was causing the burst of authentication requests?

          Show
          mcmoe Moe Kobeissi added a comment - Chris Tuttle , did you manage to figure out what was causing the burst of authentication requests?
          Hide
          jorgziegler Jörg Ziegler added a comment -

          James Nord/Moe Kobeissi: I just stumbled over a similar (the same?) issue. For me the auth burst came from swarm slaves attempting to authenticate themselves.
          I also faced the issue that neither the slaves nor me as a user could authenticate against AD.

          To make the problem go away I manually had to change the authentication strategy in config.xml to hudson.security.AuthorizationStrategy$Unsecured
          Then, after re-entering the password on the security configuration page authentication against AD worked again.

          This happened after an attempted LTS upgrade from jenkins 1.651.2 to 2.7.1 using plugin version 1.47.
          Note that before the upgrade the authentication worked fine and so did it once I had re-entered the password.

          Show
          jorgziegler Jörg Ziegler added a comment - James Nord / Moe Kobeissi : I just stumbled over a similar (the same?) issue. For me the auth burst came from swarm slaves attempting to authenticate themselves. I also faced the issue that neither the slaves nor me as a user could authenticate against AD. To make the problem go away I manually had to change the authentication strategy in config.xml to hudson.security.AuthorizationStrategy$Unsecured Then, after re-entering the password on the security configuration page authentication against AD worked again. This happened after an attempted LTS upgrade from jenkins 1.651.2 to 2.7.1 using plugin version 1.47. Note that before the upgrade the authentication worked fine and so did it once I had re-entered the password.

            People

            • Assignee:
              Unassigned
              Reporter:
              crtut Chris Tuttle
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: