Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,360,004
Community Members
 
Community Events
168
Community Groups

Confluence user management via JIRA failed to authenticate

Hello,

We have fresh self hosted installation of Jira Core 8.2.1 and Confluence 6.15.4 at two separate servers(LXC) with Ubuntu 18.04. Both applications were successfully installed, configured postgresql 9.6 database connection and apache2 http/https proxy. After license input there were configured internal user directories at both application with their own administrator accounts.

We have followed instruction from https://confluence.atlassian.com/doc/integrating-jira-and-confluence-2825.html and in part "Delegate user management to Jira" selected option with instruction https://confluence.atlassian.com/doc/connecting-to-crowd-or-jira-for-user-management-229838465.html.

After successfully created Application in "Jira User Server" with "application name"=confluence, secure password and IP of confluence server. We used those credentials in confluence "User Directories" -> added "Attlassian Jira" and tested settings. Problem is that we always get error:

"Connection test failed. Response from the server:
com.atlassian.crowd.exception.InvalidAuthenticationException: Application failed to authenticate"

We are getting same error if HTTPS proxy via apache2 is used.

Also run test with stopped JIRA service and got correct error from test that could not reach user management rest service: 

"Connection test failed. Response from the server:
The following URL does not specify a valid Crowd User Management REST service: http://jira.example.com/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user"

 

Logs from one of "test settings":

CONFLUENCE logs:
/var/atlassian/application-data/confluence/logs/atlassian-confluence.log:
2019-06-06 15:44:10,564 WARN [http-nio-8090-exec-6] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:
->[com.atlassian.confluence.user.crowd.ConfluenceCrowdDirectoryService.testConnection]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #994532257)
-- referer: http://confluence.example.com/plugins/servlet/embedded-crowd/configure/jira/ | url: /plugins/servlet/embedded-crowd/configure/jira/ | traceId: ef3f5f925d55be36 | userName: admin
2019-06-06 15:44:10,566 ERROR [http-nio-8090-exec-6] [crowd.embedded.admin.ConfigurationController] handleSubmit Configuration test failed for user directory: [ JIRA Server], type: [ CROWD ]
-- referer: http://confluence.example.com/plugins/servlet/embedded-crowd/configure/jira/ | url: /plugins/servlet/embedded-crowd/configure/jira/ | traceId: ef3f5f925d55be36 | userName: admin
com.atlassian.crowd.exception.runtime.OperationFailedException: com.atlassian.crowd.exception.InvalidAuthenticationException: Application failed to authenticate
...
Caused by: com.atlassian.crowd.exception.InvalidAuthenticationException: Application failed to authenticate
...

JIRA server apache logs:
/var/log/apache2/access.log
192.168.0.20 - - [06/Jun/2019:15:44:10 +0200] "POST /rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user HTTP/1.1" 401 574 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_202)"

/var/log/apache2/error.log
[Thu Jun 06 15:44:10.561030 2019] [proxy:trace2] [pid 3324:tid 139655055881984] mod_proxy.c(663): [client 192.168.0.20:41802] AH03461: attempting to match URI path '/rest/usermanagement/1/search' against prefix '/' for proxying
[Thu Jun 06 15:44:10.561063 2019] [proxy:trace1] [pid 3324:tid 139655055881984] mod_proxy.c(748): [client 192.168.0.20:41802] AH03464: URI path '/rest/usermanagement/1/search' matches proxy handler 'proxy:http://localhost:8080/rest/usermanagement/1/search'
[Thu Jun 06 15:44:10.561077 2019] [authz_core:debug] [pid 3324:tid 139655055881984] mod_authz_core.c(809): [client 192.168.0.20:41802] AH01626: authorization result of Require all granted: granted
[Thu Jun 06 15:44:10.561082 2019] [authz_core:debug] [pid 3324:tid 139655055881984] mod_authz_core.c(809): [client 192.168.0.20:41802] AH01626: authorization result of <RequireAny>: granted
[Thu Jun 06 15:44:10.561092 2019] [proxy_http:trace1] [pid 3324:tid 139655055881984] mod_proxy_http.c(60): [client 192.168.0.20:41802] HTTP: canonicalising URL //localhost:8080/rest/usermanagement/1/search
[Thu Jun 06 15:44:10.561111 2019] [proxy:trace2] [pid 3324:tid 139655055881984] proxy_util.c(1968): [client 192.168.0.20:41802] http: found worker http://localhost:8080/ for http://localhost:8080/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user
[Thu Jun 06 15:44:10.561119 2019] [proxy:debug] [pid 3324:tid 139655055881984] mod_proxy.c(1228): [client 192.168.0.20:41802] AH01143: Running scheme http handler (attempt 0)
[Thu Jun 06 15:44:10.561124 2019] [proxy_http:trace1] [pid 3324:tid 139655055881984] mod_proxy_http.c(1904): [client 192.168.0.20:41802] HTTP: serving URL http://localhost:8080/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user
[Thu Jun 06 15:44:10.561129 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2162): AH00942: HTTP: has acquired connection for (localhost)
[Thu Jun 06 15:44:10.561135 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2215): [client 192.168.0.20:41802] AH00944: connecting http://localhost:8080/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user to localhost:8080
[Thu Jun 06 15:44:10.561142 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2424): [client 192.168.0.20:41802] AH00947: connected /rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user to localhost:8080
[Thu Jun 06 15:44:10.561154 2019] [proxy:trace2] [pid 3324:tid 139655055881984] proxy_util.c(2707): HTTP: reusing backend connection [::1]:58496<>[::1]:8080
[Thu Jun 06 15:44:10.563631 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2177): AH00943: http: has released connection for (localhost)
[Thu Jun 06 15:44:10.563656 2019] [proxy_http:trace2] [pid 3324:tid 139655055881984] mod_proxy_http.c(1792): [client 192.168.0.20:41802] end body send

 

If you require more information or higher level of apache trace logs I can provide them.

 

With kind regards,

Jan Gardian

Admin

 

2 answers

1 accepted

0 votes
Answer accepted

So after few testing with configuring User Directories in Confluence to use Atlassian Jira main problem was in "Server URL" input.

If you have configured https proxy via Apache2/Nginx your base URL in jira is e.g. "https://jira.example.com" but at the same time jira runs without proxy at "http://jira.example.com:8080".

So in User Directory Server URL you should input "http://jira.example.com:8080" and not base jira URL. I also tested connecting via Proxy Host "https://jira.example.com" but could not connect to backend which runs on localhost.

Hi all,

 

I know this topic is quite old, but the accepted answer is potentially a workaround of another bigger problem.

Since we faced the same issue, we were able to keep "https://jira.example.com" in the Server URL configuration. We solved it this way:

  1. In the Nginx configuration, make sure to not have the line: proxy_set_header Authorization ""; (Atlassian wiki source)
    1. If so, delete it and reload configuration (nginx -s reload)
  2. If running Nginx and Jira on the same machine like OP, make sure localhost and 127.0.0.1 are correctly set in /etc/hosts
  3. Add jira base URL in /etc/hosts associated to 127.0.0.1
    1. e.g. 127.0.0.1 localhost jira.example.com
  4. If using Jira user directories from Confluence as OP, make sure to correctly configure the application (e.g. Confluence) with:
    1. Application IP address (e.g. 192.168.1.24)
    2. Application hostname (e.g. confluence.example.com)
    3. Localhost (127.0.0.1)

Cheers,

Dylan

Hi,

why is the mod_authz_core module enabled? Did you whitelist the Confluence URL in Jira. Are there any entries in the Jira application log?

Best

JP

Hello,

Mod_authz_core module is enabled by default apache2 installation. On this module depend modules mod_auhtz_user, mod_authz_server. Also it is used by "Require all granted" configuration that is advised in instruction for apache2 proxy for jira at https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html.

Yes whitelist contains:

http\:\/\/confluence\.example\.com.*  Regular expression  Allow incoming true

https\:\/\/confluence\.example\.com.*  Regular expression Allow incoming true

http://confluence.example.com  Domain name Allow incoming true

https://confluence.example.com  Domain name Allow incoming true

 

Tested confluence url and all Outgoing and Incoming are ok.

 

My vhost configuration for apache2(we also do not use any context path as for one application we use one server):

<VirtualHost _default_:80>
ServerName jira.example.com

ProxyRequests Off

<Proxy *>
Require all granted
</Proxy>

RequestHeader unset Authorization
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

LogLevel trace6
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

 

Regarding Jira application logs I do not see any logs from times when running "Test Settings" from confluence. Only logs can be seen in apache logs.

 

With kind regards,

Jan Gardian

Tested same configuration with http proxy via nginx engine and got same behavior as with apache2. In both cases still getting response 401 "Application failed to authenticate".

Is there some other settings that I need to allow application in confluence or in jira other than whitelist? For SSL I also added internal CA into atlassian keystore. But with SSL or without still getting 401.

Like Dmitrii likes this

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Jira

Online AMA this week: Your project management questions answered by Jira Design Lead James Rotanson

We know that great teams require amazing project management chops. It's no surprise that great teams who use Jira have strong project managers, effective workflows, and secrets that bring planning ...

179 views 1 6
Read article

Atlassian Community Events