Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-37934

NTLM Authentication No Matter What

    Details

    • Type: Bug
    • Status: Fixed but Unreleased (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: git-client-plugin
    • Labels:
    • Environment:
      Windows 2012 R2, Jenkins 5.1, TFS-Plugin (latest), Git-Plugin (latest)
    • Similar Issues:

      Description

      1. Follow instructions on TFS-Plugin site for TFS-GIT
      2. Test-Connection fails
      3. Tasks fail with credentials
      4. Change service account to run under domain user with TFS access
      5. Test-Connection passes with credentials
      6. Change credentials to none
      7. Test-Connection still passes
      8. Leave credentials on Task
      9. Task builds successfully
      10. Set credentials on Task to None
      11. Task still builds successfully.
      12. Change the service account back to the SYSTEM
      13. it will not work no matter what credentials I use.

        Attachments

          Activity

          Hide
          oli_at_jsi Olivier Dagenais added a comment -

          It looks like on Windows, when attempting to connect to a Git repository hosted on TFS, NTLM authentication will be attempted using the identity the Jenkins process is running under and, consequently, the configured credentials are ignored.

          Show
          oli_at_jsi Olivier Dagenais added a comment - It looks like on Windows, when attempting to connect to a Git repository hosted on TFS, NTLM authentication will be attempted using the identity the Jenkins process is running under and, consequently, the configured credentials are ignored.
          Hide
          oli_at_jsi Olivier Dagenais added a comment -

          As far as I can tell, this happens when using JGit on Windows, because the JRE will automatically try NTLM and, if that doesn't work (either there's no user or the user has no access to TFS), there's no fallback to NTLM using the supplied credentials. There is a possibility of a fallback to using Kerberos, but that's less common.

          The next thing to try would be configuring JGit to use the Apache HTTP Client instead of the JRE's.

          Show
          oli_at_jsi Olivier Dagenais added a comment - As far as I can tell, this happens when using JGit on Windows, because the JRE will automatically try NTLM and, if that doesn't work (either there's no user or the user has no access to TFS), there's no fallback to NTLM using the supplied credentials. There is a possibility of a fallback to using Kerberos, but that's less common. The next thing to try would be configuring JGit to use the Apache HTTP Client instead of the JRE's.
          Hide
          markewaite Mark Waite added a comment -

          If the problem is JGit specific, then you might also consider trying to use the command line git implementation inside the TFS plugin (if the TFS plugin exposes a user interface to select the git implementation).

          Show
          markewaite Mark Waite added a comment - If the problem is JGit specific, then you might also consider trying to use the command line git implementation inside the TFS plugin (if the TFS plugin exposes a user interface to select the git implementation).
          Hide
          oli_at_jsi Olivier Dagenais added a comment -

          Mark Waite: The TFS plugin doesn't do too much with the git-client-plugin; there's a dependency on git-plugin to be able to subclass RevisionParameterAction to be able to ask for a specific commit to be built, as well as pass around some extra data and be able to more loosely match repository URLs.

          I am hoping you will see, via my testing in pull request #216, that you can take tfs-plugin out of the equation.

          Joshua Barton: The above pull request might be relevant to your interests...

          Show
          oli_at_jsi Olivier Dagenais added a comment - Mark Waite : The TFS plugin doesn't do too much with the git-client-plugin; there's a dependency on git-plugin to be able to subclass RevisionParameterAction to be able to ask for a specific commit to be built, as well as pass around some extra data and be able to more loosely match repository URLs. I am hoping you will see, via my testing in pull request #216 , that you can take tfs-plugin out of the equation. Joshua Barton : The above pull request might be relevant to your interests...
          Hide
          markewaite Mark Waite added a comment -

          Since pull request 216 was included in git client plugin 2.1.0 in Nov 2016, I assume you should be able to test with the jgit-apache implementation that was included.

          Show
          markewaite Mark Waite added a comment - Since pull request 216 was included in git client plugin 2.1.0 in Nov 2016, I assume you should be able to test with the jgit-apache implementation that was included.
          Hide
          markewaite Mark Waite added a comment -

          A fix was also included in JGit to allow NTLM authentication to be used more reliably on Windows. The JGit version with the fix is included in git client plugin 3.0.0-beta5.

          Show
          markewaite Mark Waite added a comment - A fix was also included in JGit to allow NTLM authentication to be used more reliably on Windows. The JGit version with the fix is included in git client plugin 3.0.0-beta5.

            People

            • Assignee:
              dastahel David Staheli
              Reporter:
              foobartn Joshua Barton
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: