Jenkins / JENKINS-52215

Jenkins authentication issue with Azure ADDS

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Done
    • Component/s: azure-ad-plugin
    • Labels:
      None
    • Environment:
      Production
      Description

      I'm facing an issue when trying to log in to Jenkins using the Azure AD plugin. After user/password authentication it throws the error below instead of showing the Jenkins dashboard.

      I tried authentication as Azure Active Directory and as OpenID; in both cases the error is the same.

      I'm using openjdk version "1.8.0_171" and Jenkins 2.121.

      ----------

      A problem occurred while processing the request. Please check our bug tracker to see if a similar problem has already been reported. If it is already reported, please vote and put a comment on it to let us gauge the impact of the problem. If you think this is a new issue, please file a new issue. When you file an issue, make sure to add the entire stack trace, along with the version of Jenkins and relevant plugins. The users list might be also useful in understanding what has happened.

      Stack trace

      java.lang.IllegalStateException: Invalid nonce in the response
          at com.microsoft.jenkins.azuread.AzureSecurityRealm.validateAndParseIdToken(AzureSecurityRealm.java:239)
          at com.microsoft.jenkins.azuread.AzureSecurityRealm.doFinishLogin(AzureSecurityRealm.java:202)
          at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
          at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
          at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      Caused: javax.servlet.ServletException
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:765)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
          at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:860)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at com.microsoft.jenkins.azuread.AzureSecurityRealm$CrumbExempt.process(AzureSecurityRealm.java:343)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:73)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.Server.handle(Server.java:530)
          at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347)
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256)
          at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
          at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
          at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382)
          at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at java.lang.Thread.run(Thread.java:748)

          Activity

          raphaelyu Raphael Yu added a comment -

          It means the Jenkins-generated nonce is different from the one Azure sent back.

          Could you please check the values of the two nonces?

          The generated one can be found in your browser request, like: https://login.microsoftonline.com/8b0be46a-d471-47ce-9d26-66bb1f4875b3/oauth2/authorize?nonce=tZGHszaEx1&response_mode=....

          And the second one can be found in the request to http://<your host>/securityRealm/finishLogin. The id_token field in the form data is a JWT string, which you can decode with https://jwt.io/

          jobzombi Jonathan Burbano added a comment - - edited

          I am trying to integrate Jenkins with AAD. I am getting this same error. When I look at the nonce in the URL, it is ZtwytiBakY. When I look at the payload, I get the same:

            "nonce": "ZtwytiBakY"

          What am I doing wrong? The server currently has a bad cert, so I get the:

          There is a problem with this website's security certificate.

          badalk Badal Kotecha added a comment -

          Facing the exact same issue. What could we be doing wrong? The nonce from the request matches the one returned in the ID token.

          badalk Badal Kotecha added a comment -

          I found why the issue actually occurs. For my Jenkins VM on Azure I used a DNS name, and I initially created a service principal with a Reply URL that had the DNS name (e.g. http://myjenkins.eastus.cloudapp.azure.com:8080/securityRealm/finishLogin). After configuration I was getting the error "The reply url specified in the request does not match the reply urls configured for the application". I realized that the Reply URL and the actual URL were not matching, as Azure AD was trying to send the response to a URL with the public IP of the Jenkins VM. I had to configure the Reply URL using the IP.

          Once I fixed that, I got the issue above when I was still trying to access the Jenkins instance (initial request) by DNS name (e.g. myjenkins.eastus.cloudapp.azure.com). I switched from DNS-based to IP-based requests in the browser and it started working without any problems (e.g. http://40.x.x.232:8080).

          I am wondering, though, what it would take to configure it based on the DNS name. Why doesn't it work?

          Regards

          Badal

          badalk Badal Kotecha added a comment - - edited

          Looks like the Jenkins redirection to the IdP is passing a redirect URI with the public IP and not honoring the DNS name. This is what is causing the issue when Azure AD posts the ID token back to Jenkins: the service principal is configured with the proper host name, but the redirect URI mentions the public IP, hence it does not match. How do we fix this on the Jenkins side?

          badalk Badal Kotecha added a comment -

          I got this resolved by changing jenkins.model.JenkinsLocationConfiguration.xml and adding my host name in jenkinsUrl (e.g. <jenkinsUrl>http://myjenkins.eastus.cloudapp.azure.com:8080/</jenkinsUrl>).

          Now in my Azure service principal application I have given the Reply URL as the complete host name / DNS name and it is working.

          Regards

          Badal

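The two checks this thread converges on, Raphael Yu's comparison of the /authorize nonce with the id_token's nonce claim and Badal Kotecha's alignment of jenkinsUrl with the Reply URL, as an added Python example that is not part of the issue or of the azure-ad-plugin. The token, tenant id, IP address and URLs are constructed samples, and the JWT payload is decoded without signature verification, for diagnosis only.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.
    Diagnostic only: Jenkins validates the signature itself before checking the nonce."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))


def diagnose_login(authorize_url: str, id_token: str, jenkins_url: str) -> dict:
    """Two checks from the thread: (1) the nonce in the /authorize redirect must equal
    the id_token's nonce claim; (2) the redirect_uri Jenkins sent must be rooted at the
    configured jenkinsUrl, which must also be the Reply URL registered in Azure AD."""
    query = parse_qs(urlparse(authorize_url).query)
    sent_nonce = query.get("nonce", [None])[0]
    redirect_uri = query.get("redirect_uri", [None])[0]
    claims = id_token_claims(id_token)
    expected_redirect = jenkins_url.rstrip("/") + "/securityRealm/finishLogin"
    return {
        "nonce_matches": sent_nonce is not None and sent_nonce == claims.get("nonce"),
        "redirect_uri_matches_jenkins_url": redirect_uri == expected_redirect,
        "sent_nonce": sent_nonce,
        "token_nonce": claims.get("nonce"),
        "redirect_uri": redirect_uri,
    }


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed test token (alg 'none', empty signature); real Azure AD tokens are signed."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample reproducing Badal's situation: the nonce round-trips correctly,
# but Jenkins advertised its public IP while the DNS name was configured and registered.
SAMPLE_TOKEN = make_unsigned_id_token({"nonce": "ZtwytiBakY", "aud": "app-id-placeholder"})
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/tenant-id-placeholder/oauth2/authorize"
    "?nonce=ZtwytiBakY&response_mode=form_post"
    "&redirect_uri=http://203.0.113.232:8080/securityRealm/finishLogin"
)
SAMPLE_JENKINS_URL = "http://myjenkins.eastus.cloudapp.azure.com:8080/"
```

Running diagnose_login on the samples reports the nonce as matching and the redirect_uri as not matching the configured jenkinsUrl, which is the mismatch Badal fixed by editing JenkinsLocationConfiguration.xml.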
          azure_devops Azure DevOps added a comment -

          We can update the doc at least.

          jieshe Jie Shen added a comment -

          Thanks for all your contributions, Badal Kotecha!

          jieshe Jie Shen added a comment -

          Badal Kotecha also writes an awesome blog on how to use the Azure AD plugin. You can get it from here. Thanks again for his great contribution!


            People

            • Assignee: Jie Shen
            • Reporter: Samim Mohammad
            • Votes: 0
            • Watchers: 5