Confluence user management via JIRA failed to authenticate

Admins June 6, 2019

Hello,

We have a fresh self-hosted installation of Jira Core 8.2.1 and Confluence 6.15.4 on two separate servers (LXC) with Ubuntu 18.04. Both applications were successfully installed and configured with a PostgreSQL 9.6 database connection and an apache2 http/https proxy. After the license input, internal user directories were configured in both applications with their own administrator accounts.

We followed the instructions at https://confluence.atlassian.com/doc/integrating-jira-and-confluence-2825.html and, in the part "Delegate user management to Jira", selected the option with the instructions at https://confluence.atlassian.com/doc/connecting-to-crowd-or-jira-for-user-management-229838465.html.

After successfully creating an application in "Jira User Server" with "application name"=confluence, a secure password and the IP of the Confluence server, we used those credentials in Confluence "User Directories" -> added "Atlassian Jira" and tested the settings. The problem is that we always get the error:

"Connection test failed. Response from the server:
com.atlassian.crowd.exception.InvalidAuthenticationException: Application failed to authenticate"

We get the same error if the HTTPS proxy via apache2 is used.

We also ran the test with the JIRA service stopped and got the correct error from the test, that it could not reach the user management REST service:

"Connection test failed. Response from the server:
The following URL does not specify a valid Crowd User Management REST service: http://jira.example.com/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user"

 

Logs from one of "test settings":

CONFLUENCE logs:
/var/atlassian/application-data/confluence/logs/atlassian-confluence.log:
2019-06-06 15:44:10,564 WARN [http-nio-8090-exec-6] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:
->[com.atlassian.confluence.user.crowd.ConfluenceCrowdDirectoryService.testConnection]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #994532257)
-- referer: http://confluence.example.com/plugins/servlet/embedded-crowd/configure/jira/ | url: /plugins/servlet/embedded-crowd/configure/jira/ | traceId: ef3f5f925d55be36 | userName: admin
2019-06-06 15:44:10,566 ERROR [http-nio-8090-exec-6] [crowd.embedded.admin.ConfigurationController] handleSubmit Configuration test failed for user directory: [ JIRA Server], type: [ CROWD ]
-- referer: http://confluence.example.com/plugins/servlet/embedded-crowd/configure/jira/ | url: /plugins/servlet/embedded-crowd/configure/jira/ | traceId: ef3f5f925d55be36 | userName: admin
com.atlassian.crowd.exception.runtime.OperationFailedException: com.atlassian.crowd.exception.InvalidAuthenticationException: Application failed to authenticate
...
Caused by: com.atlassian.crowd.exception.InvalidAuthenticationException: Application failed to authenticate
...

JIRA server apache logs:
/var/log/apache2/access.log
192.168.0.20 - - [06/Jun/2019:15:44:10 +0200] "POST /rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user HTTP/1.1" 401 574 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_202)"

/var/log/apache2/error.log
[Thu Jun 06 15:44:10.561030 2019] [proxy:trace2] [pid 3324:tid 139655055881984] mod_proxy.c(663): [client 192.168.0.20:41802] AH03461: attempting to match URI path '/rest/usermanagement/1/search' against prefix '/' for proxying
[Thu Jun 06 15:44:10.561063 2019] [proxy:trace1] [pid 3324:tid 139655055881984] mod_proxy.c(748): [client 192.168.0.20:41802] AH03464: URI path '/rest/usermanagement/1/search' matches proxy handler 'proxy:http://localhost:8080/rest/usermanagement/1/search'
[Thu Jun 06 15:44:10.561077 2019] [authz_core:debug] [pid 3324:tid 139655055881984] mod_authz_core.c(809): [client 192.168.0.20:41802] AH01626: authorization result of Require all granted: granted
[Thu Jun 06 15:44:10.561082 2019] [authz_core:debug] [pid 3324:tid 139655055881984] mod_authz_core.c(809): [client 192.168.0.20:41802] AH01626: authorization result of <RequireAny>: granted
[Thu Jun 06 15:44:10.561092 2019] [proxy_http:trace1] [pid 3324:tid 139655055881984] mod_proxy_http.c(60): [client 192.168.0.20:41802] HTTP: canonicalising URL //localhost:8080/rest/usermanagement/1/search
[Thu Jun 06 15:44:10.561111 2019] [proxy:trace2] [pid 3324:tid 139655055881984] proxy_util.c(1968): [client 192.168.0.20:41802] http: found worker http://localhost:8080/ for http://localhost:8080/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user
[Thu Jun 06 15:44:10.561119 2019] [proxy:debug] [pid 3324:tid 139655055881984] mod_proxy.c(1228): [client 192.168.0.20:41802] AH01143: Running scheme http handler (attempt 0)
[Thu Jun 06 15:44:10.561124 2019] [proxy_http:trace1] [pid 3324:tid 139655055881984] mod_proxy_http.c(1904): [client 192.168.0.20:41802] HTTP: serving URL http://localhost:8080/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user
[Thu Jun 06 15:44:10.561129 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2162): AH00942: HTTP: has acquired connection for (localhost)
[Thu Jun 06 15:44:10.561135 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2215): [client 192.168.0.20:41802] AH00944: connecting http://localhost:8080/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user to localhost:8080
[Thu Jun 06 15:44:10.561142 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2424): [client 192.168.0.20:41802] AH00947: connected /rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user to localhost:8080
[Thu Jun 06 15:44:10.561154 2019] [proxy:trace2] [pid 3324:tid 139655055881984] proxy_util.c(2707): HTTP: reusing backend connection [::1]:58496<>[::1]:8080
[Thu Jun 06 15:44:10.563631 2019] [proxy:debug] [pid 3324:tid 139655055881984] proxy_util.c(2177): AH00943: http: has released connection for (localhost)
[Thu Jun 06 15:44:10.563656 2019] [proxy_http:trace2] [pid 3324:tid 139655055881984] mod_proxy_http.c(1792): [client 192.168.0.20:41802] end body send

 

If you require more information or a higher level of apache trace logs, I can provide them.

 

With kind regards,

Jan Gardian

Admin

 

0 votes
Answer accepted
Admins June 12, 2019

So after a few tests of configuring User Directories in Confluence to use Atlassian Jira, the main problem was in the "Server URL" input.

If you have configured an https proxy via Apache2/Nginx, your base URL in Jira is e.g. "https://jira.example.com", but at the same time Jira runs without the proxy at "http://jira.example.com:8080".

So in the User Directory Server URL you should input "http://jira.example.com:8080" and not the Jira base URL. I also tested connecting via the Proxy Host "https://jira.example.com" but could not connect to the backend, which runs on localhost.

Dylan August 5, 2021

Hi all,

 

I know this topic is quite old, but the accepted answer is potentially a workaround of another bigger problem.

Since we faced the same issue, we were able to keep "https://jira.example.com" in the Server URL configuration. We solved it this way:

  1. In the Nginx configuration, make sure to not have the line: proxy_set_header Authorization ""; (Atlassian wiki source)
    1. If so, delete it and reload configuration (nginx -s reload)
  2. If running Nginx and Jira on the same machine like OP, make sure localhost and 127.0.0.1 are correctly set in /etc/hosts
  3. Add jira base URL in /etc/hosts associated to 127.0.0.1
    1. e.g. 127.0.0.1 localhost jira.example.com
  4. If using Jira user directories from Confluence as OP, make sure to correctly configure the application (e.g. Confluence) with:
    1. Application IP address (e.g. 192.168.1.24)
    2. Application hostname (e.g. confluence.example.com)
    3. Localhost (127.0.0.1)

Cheers,

Dylan
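
A check for the header stripping described in the reply above, as an added example that is not part of the original thread. It flags the nginx line named there and the Apache mod_headers line "RequestHeader unset Authorization" from the vhost posted in this thread, which removes the same header; the function name and the nginx sample are constructed for illustration.

```python
import re

# Confluence authenticates to Jira's /rest/usermanagement endpoint with the
# application name and password in the HTTP Authorization header. A proxy
# directive that drops or blanks that header makes Jira answer 401.
STRIP_PATTERNS = [
    ("apache", re.compile(r'^\s*RequestHeader\s+unset\s+"?Authorization\b', re.I)),
    ("nginx", re.compile(r'^\s*proxy_set_header\s+Authorization\s+(""|\'\')\s*;', re.I)),
]

# Vhost as posted in this thread (log directives omitted).
APACHE_VHOST = '''\
<VirtualHost _default_:80>
ServerName jira.example.com
ProxyRequests Off
<Proxy *>
Require all granted
</Proxy>
RequestHeader unset Authorization
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
'''

# Constructed nginx sample: one commented-out and one active directive.
NGINX_SAMPLE = '''\
server {
    server_name jira.example.com;
    location / {
        proxy_set_header Host $host;
        # proxy_set_header Authorization "";
        proxy_set_header Authorization "";
        proxy_pass http://localhost:8080;
    }
}
'''

def find_auth_stripping(config_text):
    """Return (line_no, server, directive) for every active directive that
    removes the Authorization header; commented-out lines are ignored."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        active = line.split("#", 1)[0]  # neither directive contains '#'
        for server, pattern in STRIP_PATTERNS:
            if pattern.search(active):
                findings.append((line_no, server, active.strip()))
    return findings
```

Pass the contents of the proxy's site configuration to find_auth_stripping(); an empty list means neither directive is active in that file.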

0 votes
JP _AC Bielefeld Leader_
June 6, 2019

Hi,

Why is the mod_authz_core module enabled? Did you whitelist the Confluence URL in Jira? Are there any entries in the Jira application log?

Best

JP

Admins June 7, 2019

Hello,

The mod_authz_core module is enabled by the default apache2 installation. The modules mod_authz_user and mod_authz_server depend on this module. It is also used by the "Require all granted" configuration that is advised in the instructions for the apache2 proxy for Jira at https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html.

Yes whitelist contains:

http\:\/\/confluence\.example\.com.*  Regular expression  Allow incoming true

https\:\/\/confluence\.example\.com.*  Regular expression Allow incoming true

http://confluence.example.com  Domain name Allow incoming true

https://confluence.example.com  Domain name Allow incoming true

 

Tested confluence url and all Outgoing and Incoming are ok.

 

My vhost configuration for apache2 (we also do not use any context path, as for one application we use one server):

<VirtualHost _default_:80>
ServerName jira.example.com

ProxyRequests Off

<Proxy *>
Require all granted
</Proxy>

RequestHeader unset Authorization
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

LogLevel trace6
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

 

Regarding the Jira application logs, I do not see any entries from the times when "Test Settings" was run from Confluence. Entries can only be seen in the apache logs.

 

With kind regards,

Jan Gardian

Admins June 12, 2019

I tested the same configuration with an http proxy via the nginx engine and got the same behavior as with apache2. In both cases I am still getting the response 401 "Application failed to authenticate".

Are there some other settings that I need in order to allow the application in Confluence or in Jira, other than the whitelist? For SSL I also added the internal CA into the Atlassian keystore. But with SSL or without, I am still getting 401.
