
Confluence user management via JIRA failed to authenticate

Hello,

We have a fresh self-hosted installation of Jira Core 8.2.1 and Confluence 6.15.4 on two separate servers (LXC) with Ubuntu 18.04. Both applications were successfully installed, with a postgresql 9.6 database connection and an apache2 http/https proxy configured. After license input, internal user directories were configured in both applications with their own administrator accounts.

We followed the instructions from https://confluence.atlassian.com/doc/integrating-jira-and-confluence-2825.html and, in the part "Delegate user management to Jira", selected the option with the instructions at https://confluence.atlassian.com/doc/connecting-to-crowd-or-jira-for-user-management-229838465.html.

After successfully creating an application in "Jira User Server" with "application name"=confluence, a secure password and the IP of the confluence server, we used those credentials in confluence "User Directories" -> added "Atlassian Jira" and tested the settings. The problem is that we always get the error:

"Connection test failed. Response from the server:
com.atlassian.crowd.exception.InvalidAuthenticationException: Application failed to authenticate"

We are getting the same error if the HTTPS proxy via apache2 is used.

We also ran the test with the JIRA service stopped and got the correct error from the test, that it could not reach the user management rest service:

"Connection test failed. Response from the server:
The following URL does not specify a valid Crowd User Management REST service: http://jira.example.com/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user"

 

Logs from one of "test settings":

CONFLUENCE logs:
/var/atlassian/application-data/confluence/logs/atlassian-confluence.log:
2019-06-06 15:44:10,564 WARN [http-nio-8090-exec-6] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:
->[com.atlassian.confluence.user.crowd.ConfluenceCrowdDirectoryService.testConnection]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #994532257)
-- referer: http://confluence.example.com/plugins/servlet/embedded-crowd/configure/jira/ | url: /plugins/servlet/embedded-crowd/configure/jira/ | traceId: ef3f5f925d55be36 | userName: admin
2019-06-06 15:44:10,566 ERROR [http-nio-8090-exec-6] [crowd.embedded.admin.ConfigurationController] handleSubmit Configuration test failed for user directory: [ JIRA Server], type: [ CROWD ]
-- referer: http://confluence.example.com/plugins/servlet/embedded-crowd/configure/jira/ | url: /plugins/servlet/embedded-crowd/configure/jira/ | traceId: ef3f5f925d55be36 | userName: admin
com.atlassian.crowd.exception.runtime.OperationFailedException: com.atlassian.crowd.exception.InvalidAuthenticationException: Application failed to authenticate
...
Caused by: com.atlassian.crowd.exception.InvalidAuthenticationException: Application failed to authenticate
...

JIRA server apache logs:
/var/log/apache2/access.log
192.168.0.20 - - [06/Jun/2019:15:44:10 +0200] "POST /rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user HTTP/1.1" 401 574 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_202)"

/var/log/apache2/error.log
[Thu Jun 06 15:44:10.561030 2019] [proxy:trace2] [pid 3324:tid 139655055881984] mod_proxy.c(663): [client 192.168.0.20:41802] AH03461: attempting to match URI path '/rest/usermanagement/1/search' against prefix '/' for proxying
[Thu Jun 06 15:44:10.561063 2019] [proxy:trace1] [pid 3324:tid 139655055881984] mod_proxy.c(748): [client 192.168.0.20:41802] AH03464: URI path '/rest/usermanagement/1/search' matches proxy handler 'proxy:http://localhost:8080/rest/usermanagement/1/search'
[Thu Jun 06 15:44:10.561077 2019] [authz_core:debug] [pid 3324:tid 139655055881984] mod_authz_core.c(809): [client 192.168.0.20:41802] AH01626: authorization result of Require all granted: granted
[Thu Jun 06 15:44:10.561082 2019] [authz_core:debug] [pid 3324:tid 139655055881984] mod_authz_core.c(809): [client 192.168.0.20:41802] AH01626: authorization result of <RequireAny>: granted
[Thu Jun 06 15:44:10.561092 2019] [proxy_http:trace1] [pid 3324:tid 139655055881984] mod_proxy_http.c(60): [client 192.168.0.20:41802] HTTP: canonicalising URL //localhost:8080/rest/usermanagement/1/search
[Thu Jun 06 15:44:10.561111 2019] [proxy:trace2] [pid 3324:tid 139655055881984] proxy_util.c(1968): [client 192.168.0.20:41802] http: found worker http://localhost:8080/ for http://localhost:8080/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user
[Thu Jun 06 15:44:10.561119 2019] [proxy:debug] [pid 3324:tid 139655055881984] mod_proxy.c(1228): [client 192.168.0.20:41802] AH01143: Running scheme http handler (attempt 0)
[Thu Jun 06 15:44:10.561124 2019] [proxy_http:trace1] [pid 3324:tid 139655055881984] mod_proxy_http.c(1904): [client 192.168.0.20:41802] HTTP: serving URL http://localhost:8080/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user
[Thu Jun 06 15:44:10.561129 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2162): AH00942: HTTP: has acquired connection for (localhost)
[Thu Jun 06 15:44:10.561135 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2215): [client 192.168.0.20:41802] AH00944: connecting http://localhost:8080/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user to localhost:8080
[Thu Jun 06 15:44:10.561142 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2424): [client 192.168.0.20:41802] AH00947: connected /rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user to localhost:8080
[Thu Jun 06 15:44:10.561154 2019] [proxy:trace2] [pid 3324:tid 139655055881984] proxy_util.c(2707): HTTP: reusing backend connection [::1]:58496<>[::1]:8080
[Thu Jun 06 15:44:10.563631 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2177): AH00943: http: has released connection for (localhost)
[Thu Jun 06 15:44:10.563656 2019] [proxy_http:trace2] [pid 3324:tid 139655055881984] mod_proxy_http.c(1792): [client 192.168.0.20:41802] end body send

 

If you require more information or a higher level of apache trace logs, I can provide them.

 

With kind regards,

Jan Gardian

Admin

 

2 answers

1 accepted

0 votes
Answer accepted

So after some testing with configuring User Directories in Confluence to use Atlassian Jira, the main problem was in the "Server URL" input.

If you have configured an https proxy via Apache2/Nginx, your base URL in jira is e.g. "https://jira.example.com", but at the same time jira runs without the proxy at "http://jira.example.com:8080".

So in the User Directory Server URL you should input "http://jira.example.com:8080" and not the base jira URL. I also tested connecting via the proxy host "https://jira.example.com" but could not connect to the backend, which runs on localhost.

0 votes

Hi,

Why is the mod_authz_core module enabled? Did you whitelist the Confluence URL in Jira? Are there any entries in the Jira application log?

Best

JP

Hello,

The mod_authz_core module is enabled by the default apache2 installation. The modules mod_authz_user and mod_authz_server depend on this module. It is also used by the "Require all granted" configuration that is advised in the instructions for the apache2 proxy for jira at https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html.

Yes, the whitelist contains:

http\:\/\/confluence\.example\.com.*  Regular expression  Allow incoming true

https\:\/\/confluence\.example\.com.*  Regular expression Allow incoming true

http://confluence.example.com  Domain name Allow incoming true

https://confluence.example.com  Domain name Allow incoming true

 

Tested the confluence url and all Outgoing and Incoming are ok.

 

My vhost configuration for apache2 (we also do not use any context path, as we use one server for one application):

<VirtualHost _default_:80>
ServerName jira.example.com

ProxyRequests Off

<Proxy *>
Require all granted
</Proxy>

RequestHeader unset Authorization
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

LogLevel trace6
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

 

Regarding the Jira application logs, I do not see any logs from the times when running "Test Settings" from confluence. The only logs can be seen in the apache logs.

 

With kind regards,

Jan Gardian
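
An added example, not part of the thread: the Crowd REST user-management API authenticates the calling application through the HTTP Authorization header (Basic credentials), and the vhost posted above contains "RequestHeader unset Authorization", which removes that header before the request is proxied to localhost:8080. The Python check below flags any vhost that both proxies requests and unsets Authorization, and pulls 401 responses on /rest/usermanagement/ out of an access log; the function names and the trimmed sample inputs are assumptions made for this illustration.

```python
import re

# Constructed input: the directives of the vhost posted above (logging lines omitted).
VHOST_AS_POSTED = """\
<VirtualHost _default_:80>
ServerName jira.example.com
ProxyRequests Off
RequestHeader unset Authorization
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
"""
# Constructed variant for comparison: the same vhost without the unset directive.
VHOST_WITHOUT_UNSET = VHOST_AS_POSTED.replace("RequestHeader unset Authorization\n", "")

# Access-log line quoted in the question: the Crowd REST call answered with 401.
ACCESS_LINE = ('192.168.0.20 - - [06/Jun/2019:15:44:10 +0200] "POST /rest/usermanagement/1/'
               'search?entity-type=user&start-index=0&max-results=1&expand=user HTTP/1.1" '
               '401 574 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_202)"')

UNSET_AUTH = re.compile(r'^RequestHeader\s+unset\s+"?Authorization"?(\s|$)', re.I)
PROXY_PASS = re.compile(r'^ProxyPass\s+(\S+)\s+(\S+)', re.I)  # not ProxyPassReverse
CROWD_401 = re.compile(r'"[A-Z]+ (/rest/usermanagement/\S*) HTTP/[\d.]+" 401 ')

def find_auth_stripping(conf_text):
    """Report each <VirtualHost> that proxies requests and also unsets Authorization."""
    findings, vhost = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if not line or line.startswith("#"):
            continue
        if low.startswith("<virtualhost"):
            vhost = {"server": None, "proxied": [], "unset_lines": []}
        elif vhost is None:
            continue  # directive outside any vhost: ignored by this check
        elif low.startswith("</virtualhost"):
            if vhost["proxied"] and vhost["unset_lines"]:
                findings.append(vhost)
            vhost = None
        elif low.startswith("servername") and len(line.split()) > 1:
            vhost["server"] = line.split()[1]
        elif UNSET_AUTH.match(line):
            vhost["unset_lines"].append(lineno)
        elif (m := PROXY_PASS.match(line)):
            vhost["proxied"].append(m.group(1))
    return findings

def crowd_rest_401s(access_log_lines):
    """Return the request paths of Crowd REST calls that were answered with 401."""
    return [m.group(1) for l in access_log_lines if (m := CROWD_401.search(l))]
```

A finding here means requests through that vhost reach Jira without application credentials, which is consistent with the 401 in the access log and with the direct :8080 URL in the accepted answer working.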

Tested the same configuration with an http proxy via the nginx engine and got the same behavior as with apache2. In both cases still getting response 401 "Application failed to authenticate".

Are there some other settings that I need to allow the application in confluence or in jira, other than the whitelist? For SSL I also added the internal CA into the atlassian keystore. But with SSL or without, still getting 401.
