Setting up JIRA using windows authentication

After searching a bit more I came across another existing KB that explains this better and provides the next steps to follow: Using Integrated Security with MsSQL for Jira.  This article explains in even more detail how to make this work with your version of Jira and older versions of Jira as well.

Andy

Andy,

I installed Jira 7.4, so I shouldn't have to download the driver correct?

Andy,

Also I tried the below config with specific information to the string in "". I left whats not enclosed in "" as it reads below. Is that correct?

<url>jdbc:jtds:sqlserver://"serverName:port"/"databaseName";autoCommit=false;useNTLMv2=true;domain="domainName"</url>
<driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>

Adam,
That's right, in 7.4 the JTDS driver is already included with Jira.  With 7.4 you will want the dbconfig.xml file to have these kind of example entries:

    <url>jdbc:jtds:sqlserver://andysqlserver123:1433/jiradb;instance=MSSQLSERVER;autoCommit=false;integratedsecurity=true;domain=example.com</url>
    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
    <username>username</username>
    <password>password</password>

I wasn't sure about your example with quotes, so I just wanted to provide an example where the sql server name is andysqlserver123, the SQL instance is using the default port of 1433, the database name is jiradb, (the instance name is usually optional, it might be required if you have more than one SQL service running on that hostname/address), and in this case the domain name is example.com.


The older KB suggests using the useNTLMv2=true parameter.  However the newer KB instead suggests using the integratedsecurity=true value instead.   I would tend to lean towards the newer parameter as a means to connect Jira with this database in this case.

Please let me know the results.
Andy

<url>jdbc:jtds:sqlserver://OURSERVERNAME:1433/JIRA;autoCommit=false;integratedsecurity=true;domain=FQDN</url>
    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
    <username>username</username>
    <password>password</password>

So I reconfigured the dbconfig file with the above settings. I tried both NTLM and intergartedsecurity and got this error: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [ CLIENT: IP ]. I assume username and password string should be blank since it would be bad to have a pw in plain text, and the Atlassian JIRA service is running with the service account that has dbo permissions assigned to the DB I created.

Actually the username and password values in the dbconfig need to be accurate in 7.4.   You will likely need to use a DOMAIN\username format for the useraccount.

If you were using the newer Microsoft driver in Jira 7.5+ then those fields still have to exist in the dbconfig, but they don't necessarily need be the correct values in this version of Jira.

Andrew,

After making the username/pw change I'm still getting the same error in SQL.

Andrew, do you have a recommendation?

Andrew,

Can you also verify which services should be running for JIRA, and confirm it should be running with the domain service account I created that also has dbo set for the JIRA DB.

Hi Adam and Gary,

Sorry for the delay in response here.

The guide we have in https://confluence.atlassian.com/jirakb/using-integrated-security-with-mssql-for-jira-939494383.html has some slightly different configurations steps between 7.4 versions of Jira and later 7.5 and above.

In reviewing these I am noticing that the 7.4 and before versions do not explicitly mention using the windows/domain account to start the Jira Service.  However the 7.5 instructions, that use the newer MS driver do clearly indicate to do this in this kind of configuration.   So if we still are struggling to get 7.4 setup this way, perhaps you can try with a 7.5 or 7.6 version of Jira and follow the steps we have there.   It looks like this version requires the use of an additional dll in order to get Jira to be able to authenticate in that setup.

Also I wanted to check with you in regards to the OS that Jira is running on top of; is this a Windows Server?  Or is this perhaps a Linux/Unix based OS?   The reason I ask is that there have been documented instances of Linux/Unix operating systems that when trying to use Jira 7.5 or higher can still connect to the database, but are unable to use this kind of authentication.   I suspect it might relate back to the use of this dll in this version and that there might not be a corresponding library available to non-windows platforms that would be needed to authenticate correctly.

Forgive me for copy/pasting nearly that whole article, but if I understand your network restrictions you might not be able to view the KB on our documentation site.   As such

Microsoft Driver for SQL Server for JIRA 7.5+

Microsoft SQL Server driver will pick up domain credentials from the user that starts the Atlassian JIRA Windows service, credentials appear not to be needed in the dbconfig.xml -

• <username>
• <password>

However, tags needs to still be present in the dbconfig.xml file as JIRA still looks for it on startup.

Please convert the dbconfig.xml to the newer format from JTDS - Updating JDBC URL for Microsoft SQL Server

• Ensure that integratedsecurity=true is present
• You can remove domain=<mydomain> from the <url> string as it is not used by the Microsoft Driver
• Leave the <username> and <password> tags in as JIRA still checks for the presence of these 2 entities.

    <url>jdbc:jtds:sqlserver://[servername\[InstanceName:][portNumber];databaseName=[database];integratedsecurity=true;</url>
    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
    <username>[dummyuser]</username>
    <password>[dummypassword]</password>

The Atlassian JIRA Windows service will need to start as the SQL Domain User that needs to connect to the SQL Server.

• If the Windows Service is still running as the "Local System Account" then JIRA will try to access the SQL Server as that account and you may see an error that Login failed for user "Local System Account"

2017-10-15 02:34:35,809 JIRA-Bootstrap ERROR      [c.a.config.bootstrap.DefaultAtlassianBootstrapManager] Could not successfully test your database: 
com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'MYDOMAIN\WIN-1236CNIQFHD$'. ClientConnectionId:cd2010e0-ae0b-41df-ac97-3e47c76cf2ef

• You will need to change the Atlassian JIRA Windows service owner to the SQL Domain User
• Make sure that the SQL Domain User has write access to (especially if service was previously starting as Local System account) -

  • $JIRA_Home 

  • $JIRA_Install/work

  • $JIRA_Instal/temp

  • $JIRA_Install/logs

Further configuration required with Microsoft SQL Server driver -

There will need to be some configuration done based on Microsoft's documentation and would require sqljdbc_auth.dll.

Add the following into the JVM argument and restart JIRA in order for it to use sqljdbc_auth.dll -

-Djava.library.path=C:\Microsoft JDBC Driver 6.0 for SQL Server\sqljdbc_<version>\enu\auth\x64

Please check our documentation on Setting properties and options on startup on how to set the JVM argument.

I am interested to see if perhaps trying these steps with a Jira 7.5+ might yield some better results.

Please let me know

Andy

Andy,

I downloaded 7.6 and installed it, also configured the domain service account and created the JIRA DB with dbo permissions for the account. Attempting to configure the dbconfig.xml, but the file is nowhere to be found under the Atlassian directory. Tried to configure the connection through the web interface and received the following error as well.

Error connecting to database

Login failed for user 'N025-JIRA-SVC'.

Hi Adam,

The dbconfig.xml will need to exist in the $JIRAHOME/ root directory.   This home directory will have other subdirectories in it with names such as 'data', 'import', 'export', 'plugins', etc.  However there typically are not very many other files in this same folder itself.

This home directory might not exist on the first startup of Jira.   But you can go into the $JIRAINSTALL/bin/ directory and run the config.bat file.  This utility allows you to setup the home directory as well as try to configure the database, and what port the webserver is hosting on. (If you get an error that this utility can't find the correct version of Java, then I would recommend installing your own Oracle Java JRE or Java JDK that is an x64 version, and then setting up the JAVA_HOME variable, and restarting the OS.   These steps might be necessary before you can use the Jira config tool I recommend here.   Steps on how to do this are in the Installing Java document on our site.)

I tend to suggest this as a method to use over the setup wizard gui because it will let you set certain parameters before Jira starts up.  Also it will create this dbconfig.xml file and the other directories needed when you save in this utility.   If we can get the SQL authentication setup correctly this way before starting Jira, the setup wizard will still launch, but it will just prompt you for the basic information it needs to create a new Jira database, and not information like SQL credentials.   In this case, with this kind of setup, we are not expecting the dbconfig.xml to actually have the correct username and password.  But those username and password tags have to exist in this file.   If we're doing this correctly, and starting Jira via a service, that service should be configured to start as this Windows/Domain user.

Since you're seeing this login failure, I think there is a specific section of the previously mentioned KB that explains there is the need for an additional dll file to be included so that this account and authenticate with SQL in this way:

Further configuration required with Microsoft SQL Server driver -

There will need to be some configuration done based on Microsoft's documentation and would require sqljdbc_auth.dll.

Add the following into the JVM argument and restart JIRA in order for it to use sqljdbc_auth.dll -

-Djava.library.path=C:\Microsoft JDBC Driver 6.0 for SQL Server\sqljdbc_<version>\enu\auth\x64

Please check our documentation on Setting properties and options on startup on how to set the JVM argument.

 

If you are running a 32-bit Java Virtual Machine (JVM), use the sqljdbc_auth.dll file in the x86 folder, even if the operating system is the x64 version. If you are running a 64-bit JVM on a x64 processor, use the sqljdbc_auth.dll file in the x64 folder.

Also I would expect in this kind of setup that the username is going to need to have a format of either DOMAIN\username or HOSTCOMPUTER\username in order to use Windows Authentication in this manner.   The fact that you only see this username as a login failure tends to indicate to me that we might not be specifying where that user account is coming from.    It might also help to check with the MS SQL server itself under the security/accounts section to make sure that the SQL user in question also is following that same naming convention there.

Andy,

I installed Java so I could run the config.bat file, then when through the configuration to create the xml below. (I removed the server name, username and password in this copy)

<?xml version="1.0" encoding="UTF-8"?>

<jira-database-config>
  <name>defaultDS</name>
  <delegator-name>default</delegator-name>
  <database-type>mssql</database-type>
  <schema-name>dbo</schema-name>
  <jdbc-datasource>
    <url>jdbc:sqlserver://SERVERNAME:1433;databaseName=JIRA;integratedSecurity=true</url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
    <username>DOMAIN\USERNAME</username>
    <password>PASSWORD</password>
    <pool-min-size>20</pool-min-size>
    <pool-max-size>20</pool-max-size>
    <pool-max-wait>30000</pool-max-wait>
    <validation-query>select 1</validation-query>
    <min-evictable-idle-time-millis>60000</min-evictable-idle-time-millis>
    <time-between-eviction-runs-millis>300000</time-between-eviction-runs-millis>
    <pool-max-idle>20</pool-max-idle>
    <pool-remove-abandoned>true</pool-remove-abandoned>
    <pool-remove-abandoned-timeout>300</pool-remove-abandoned-timeout>
    <pool-test-on-borrow>false</pool-test-on-borrow>
    <pool-test-while-idle>true</pool-test-while-idle>
  </jdbc-datasource>
</jira-database-config>

I read through There will need to be some configuration done based on Microsoft's documentation and would require sqljdbc_auth.dll., but I was unable to locate that dll. Should that have been installed on the server when JIRA was installed.

New error in SQL - Login failed for user "" Attempting to use an NT account name with SQL Server Authentication.

Hi Adam,

In this case, I don't believe that Jira is including this sqljdbc_auth.dll.  Sorry that part wasn't clear.

Instead this is something that you can download from Microsoft's site: https://www.microsoft.com/en-us/download/details.aspx?id=11774

That link offers you either an exe or a tar.gz download package.  I tested the tar.gz and I found that it did have the path to that specific dll in the /enu/auth/x64/ directory.

Do I just copy that tar.gz to a directory? Or do I have to do something else with it?

That is an archive file.  You need to extract that archive in order to locate the sqljdbc_auth.dll file within it.   This archive type is not something Windows default compression can extract if I recall.  You might need to use a program like 7zip to open this archive.

Once you have extracted this file, you need to place it in a directory such as

C:\Microsoft JDBC Driver 6.0 for SQL Server\sqljdbc_<version>\enu\auth\x64

Once you do this, then you need to edit the startup options in Jira to tell Jira where how to load this jar.  You can add this in with a JVM startup parameter of:

-Djava.library.path=C:\Microsoft JDBC Driver 6.0 for SQL Server\sqljdbc_<version>\enu\auth\x64

 but you will need to follow the steps in Setting properties and options on startup to do this.   The steps on how to do this are different depending if you're starting Jira as a service as I think you would be here.

Andrew,

So I extracted sqljdbc_6.0.8112.100_enu.tar to C:\Microsoft JDBC Driver 6.0 for SQL Server\sqljdbc_6.0\enu\auth\x64 dir. Looking at the catalina log I'm getting the below error.

03-Jan-2018 08:07:27.400 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Microsoft JDBC Driver 6.0 for SQL Server\sqljdbc_6.0\enu\auth\x64

I also followed the "Setting properties for Windows services via command line" from https://confluence.atlassian.com/adminjiraserver/setting-properties-and-options-on-startup-938847831.html

That's an INFO message.  It is not indicative that there is actually any error or problem here.  I think we can actually safely ignore that particular message here. 

Are you seeing a problem with Jira actually starting up? 

Went I extracted the file using 7ZIP, it is a .tar file. Is that what it suppose to be, because you mentioned a dll and their wasn't one in the zip.

That can be confusing.  TAR is one compression format, and GZ is another.   Some compression programs just understand this is a single archive, while others are far more strict in regards to the file extensions and in turn treat them as two separate archives.  If you opened this file with something like 7zip and still only see the tar, then you will likely need to extract that tar file as well, after you have extracted that from the gz archive.   When I extract this file, I do have a path of

/sqljdbc_6.0/enu/auth/x64/sqljdbc_auth.dll

For that dll file.   Since you seemed to have the corresponding path, I was hopeful that you also saw the dll file in there as well, but if you are not seeing this file when you extract the archive, then perhaps we should try to download the exe option from that Microsoft link instead: https://www.microsoft.com/en-us/download/details.aspx?id=11774 and in turn try to run that as a means to make sure that your system has this dll installed somewhere.  Once you can find this specific dll on the system, then you can update the startup option to refer to that specific path so that this dll can be used by Jira when it starts up.

Andrew,

I was able to extract the .tar and the dll showed up in the folder I created C:\Microsoft JDBC Driver 6.0 for SQL Server\sqljdbc_6.0\enu\auth\x64. I also verified -Djava.library.path=C:\Microsoft JDBC Driver 6.0 for SQL Server\sqljdbc_6.0\enu\auth\x64 was added to the Java Options.

Can you verify the dbconfig.xml below is correct? I took out the server name and password in this example, but all the rest is configured as is.

<?xml version="1.0" encoding="UTF-8"?>

<jira-database-config>
  <name>defaultDS</name>
  <delegator-name>default</delegator-name>
  <database-type>mssql</database-type>
  <schema-name>dbo</schema-name>
  <jdbc-datasource>
    <url>jdbc:jtds:sqlserver://SERVERNAME:1433;databaseName=JIRA;integratedsecurity=true;</url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
    <username>SOF\N025-JIRA-SVC</username>
    <password>PASSWORD</password>
    <pool-min-size>20</pool-min-size>
    <pool-max-size>20</pool-max-size>
    <pool-max-wait>30000</pool-max-wait>
    <validation-query>select 1</validation-query>
    <min-evictable-idle-time-millis>60000</min-evictable-idle-time-millis>
    <time-between-eviction-runs-millis>300000</time-between-eviction-runs-millis>
    <pool-max-idle>20</pool-max-idle>
    <pool-remove-abandoned>true</pool-remove-abandoned>
    <pool-remove-abandoned-timeout>300</pool-remove-abandoned-timeout>
    <pool-test-on-borrow>false</pool-test-on-borrow>
    <pool-test-while-idle>true</pool-test-while-idle>
  </jdbc-datasource>
</jira-database-config>

Hi Adam,

Thanks for posting back. I took a look at this dbconfig.xml, but I think I found a problem. I believe your URL tag needs to look like this instead:

<url>jdbc:sqlserver://SERVERNAME:1433;databaseName=JIRA;integratedsecurity=true;</url>

The one you posted still had the format for the 'jdbc:jtds:sqlserver....'  but we need to remove that old reference to the jtds in Jira 7.5.x and higher.  Everything else in your dbconfig.xml looked ok to me.

I also found that our KB on this was not updated to reflect this change, so I have also gone through to update that as well.  Sorry about that.

Once you have that set, I believe the next step is to make sure that the Windows Service that starts Jira is configured to be started by a user account that is a Windows user on your Domain.  

Let us know how it goes.

Andy

Andrew,

Looks like that worked, but is it normal to see 18 instances of the server account to be connected the SQL in the Activity Monitor? Also do you know if this application supports connection to a SQL cluster with multiple nodes?

By default Jira has a connection pool value of 20, so that would seem to fit in with the 18 separate connections you are seeing.  You can try to Tune the connection pool settings, but just be aware that incorrectly adjusting this can negatively effect performance in Jira very easily.

As for the clustered SQL support, that's a great question.  So far I have not been able to find any official documentation that states Atlassian supports that particular database configuration.  There is an older feature request that I believe we need to have updated now in https://jira.atlassian.com/browse/JRASERVER-43873

The limitation there was the older jdbc database driver did not support that kind of connection.  But since you are now using the official Microsoft database driver, I believe this could work.   Since the Supported Platforms does not currently include this setup (nor does the Connecting Jira to MS SQL 2014 guide), I do not believe that Atlassian's standard support offerings would technically support that data setup just yet.

Due to our network I cant get to that link you suggested. Also the service account is a domain account and has DB Owner permissions to the SQL DB. Also have the service account running the Atlassian JIRA Service (tomcat8.exe)on the application server. I tried the other JIRA service and just get an OOPS page.

As far as I know Jiira does not support domain accounts for sql server. You need to make a database user and setup a trusted SQL connection. 

You can also use a workaround but there is a disclaimer about using it.  Hopefully you have access to this page:

https://confluence.atlassian.com/jirakb/setup-windows-based-active-directory-authentication-with-sql-server-720407218.html

The "unsupported" workaround resulted in an error.