azure-ad-plugin
Azure AD Authorization is currently not working on Jenkins because it can't find the users, e.g. it is loading forever and does not return any user
We are using the latest Jenkins application version, i.e. 2.361.1.

- Jenkins application version: Jenkins 2.361.1
- Helm version: 4.2.0
- Azure AD Plugin version: 267.v5b_dfb_514d9fd
- Operating system: Linux/Windows
- Helm chart version link: https://artifacthub.io/packages/helm/jenkinsci/jenkins/4.2.0
- Web browser: Any
- Cluster: GKE cluster
- GKE cluster version: v1.21.14-gke.700

Azure AD Authorization is currently not working on Jenkins because it can't find the users, e.g. it loads forever and does not return any user, even though we have already made the App registration and provided all permissions.
You can perhaps work around the problem by checking the "Disable graph integration" box in the Jenkins security settings. That way, Jenkins won't attempt to query all users and groups from Azure AD, and you have to paste the names and IDs as text instead. I do this to minimize the information leaks in case the Jenkins controller is somehow compromised.
Stumbled upon a workaround here, I haven't taken the time to dig into the code to figure out why it works, but if you follow these steps I think you'll have a working graph integration:

1. Enable Azure AD authentication, make sure you can use the test functionality to look up your UPN and set access control to `Logged in users can do anything`. Click `Save`.
2. Change authorization to `Azure AD` and click the `Administrator` checkbox next to `Authenticated users`. Also, click `Disable graph integration` and click Save.
3. Go add some random entry under the matrix, I used my UPN and clicked the `Administrator` checkbox. Click save.
4. Finally, go back and uncheck `Disable graph integration` and click save.
At this point the group/user lookup works. I've done this on two distinct jenkins boxes and had the same result. You'll probably want to remove admin from authenticated users and add at least one entry for yourself. I think the bug had something to do with the list of authorized entities being empty, but that's just a guess. I've checked and the fix persists after restart.
Good luck!
@hawknewton I have tried your workaround but it did not work in my case.
In your case, is the UPN your email or AAD object ID? According to Jenkins' user profile page, my UPN should be the email, but I can only use the object ID as a valid UPN while testing connection for authentication or putting into the AAD authorization matrix.
EDIT: somehow it worked, but it definitely did not work when I was logged in as `admin`. It worked when I logged in as an Azure AD user though. So the flow that worked for me is:

1. Sign in as `admin` user, set up the AAD authentication. Save it.
2. In the `Authorization` section, select `AAD Matrix-based security`, and give `Administer` permission to `Authenticated Users`. Save it.
3. Log out of `admin` user and log in as an AAD user. Now you should be able to look up users/groups. Add yourself/your group there, give yourself `Administer` permission and remove `Administer` permission from `Authenticated Users` for safety.
@hawknewton @tgquan67 Hi guys, I tried both scenarios but it is still not working. In both cases I found the same ACCESS DENIED issue.
@Raviyadav409 when you tried what I posted, were you able to search for users/groups? Notice that you have to enable graph integration to be able to search, otherwise you will have to enter the user manually in a very specific and precise way, or else the user will not be granted anything. Basically in my case there are 2 requirements:

- You have to be signed in as an AAD user to search.
- You have to grant `Administer` permission to `Authenticated Users` first before logging out of admin, or else you will be locked out, as the `admin` user will not be available once you enable AAD authentication.
Hi @tgquan67, I have signed in as AAD. For your reference I have attached the screenshot below.
And one thing I would like to mention is that I'm not able to search for users/groups. We have already made the App registration and provided all permissions. You can see all permissions here as well!!
On my side the permissions are different
I think you will at least need Directory.Read.All to search for users/groups (refer to https://github.com/jenkinsci/azure-ad-plugin/issues/89).

> I think you will at least need Directory.Read.All

You shouldn't need that. Are there any errors in the browser console or Jenkins logs?

> Stumbled upon a workaround here, I haven't taken the time to dig into the code to figure out why it works, but if you follow these steps I think you'll have a working graph integration:
>
> 1. Enable Azure AD authentication, make sure you can use the test functionality to look up your UPN and set access control to `Logged in users can do anything`. Click `Save`.
> 2. Change authorization to `Azure AD` and click the `Administrator` checkbox next to `Authenticated users`. Also, click `Disable graph integration` and click Save.
> 3. Go add some random entry under the matrix, I used my UPN and clicked the `Administrator` checkbox. Click save.
> 4. Finally, go back and uncheck `Disable graph integration` and click save.
>
> At this point the group/user lookup works. I've done this on two distinct jenkins boxes and had the same result. You'll probably want to remove admin from authenticated users and add at least one entry for yourself. I think the bug had something to do with the list of authorized entities being empty, but that's just a guess. I've checked and the fix persists after restart.
>
> Good luck!
This fixed it for me, thanks a lot. The logs were totally silent with no clues as to what the underlying root cause might be.
Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, Azure AD matrix-based security is working now, but when we are giving Overall Read permission to Authenticated Users, Manage Jenkins is not visible on the Jenkins home page. And also when we are giving the Administer permission to our user, even when I give Administer to myself, I am still not able to find Manage Jenkins on the Jenkins page.
Here is the attached screenshot.
In the above image you can see I have checked the Administer box for myself (Yadav Ravi) and for other users as well.
In the above image you can clearly see Manage Jenkins is missing for the user having Administer access.
Apart from that I'm facing another issue regarding Jenkins login. Once I set up Azure AD matrix-based security, after that I'm not able to log in to Jenkins as admin, even though I'm using the correct username and password for Jenkins. Here is the screenshot for that.
@Raviyadav409 I'm not sure about your first question, but for your second question, once you have set up a different authentication scheme, you will not be able to use the `admin` user from the built-in database (refer to https://issues.jenkins.io/browse/JENKINS-15063 for more detail).
Has anyone tried the update 2.361.2 to see if that resolves this issue?
Hi @cap-mevans, sorry to inform you that we haven't got this application update at the container level yet.
You can check that ArtifactHub is using Jenkins version 2.361.1: https://artifacthub.io/packages/helm/jenkinsci/jenkins
artifact hub is now updated FWIW
Hi All,
I tested the Azure AD matrix-based security in the latest Jenkins version, i.e. 2.361.2. In this version I'm also getting the same issue that I raised earlier. You can find that issue below.

> Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, Azure AD matrix-based security is working now, but when we are giving Overall Read permission to Authenticated Users, Manage Jenkins is not visible on the Jenkins home page. And also when we are giving the Administer permission to our user, even when I give Administer to myself, I am still not able to find Manage Jenkins on the Jenkins page. Here is the attached screenshot.
> In the above image you can see I have checked the Administer box for myself (Yadav Ravi) and for other users as well.
> In the above image you can clearly see Manage Jenkins is missing for the user having Administer access.
> Apart from that I'm facing another issue regarding Jenkins login. Once I set up Azure AD matrix-based security, after that I'm not able to log in to Jenkins as admin, even though I'm using the correct username and password for Jenkins. Here is the screenshot for that.

Did you add those users by selecting from the search box (with graph integration enabled), or did you just forcefully add them there while graph integration was disabled? Because even if the name there is a bit incorrect, the permission will not take effect. In my case, the names there are displayed in `[email protected] (user-object-id-in-AD)` or `groupname (group-object-id-in-AD)` format.
In the past I also tried to manually add my name there with graph integration disabled, but it's quite hard to figure out the correct format without seeing the correct one in your particular case at least once.
@tgquan67 FYI, for me the search box is not appearing in Azure AD matrix-based security, so I just disabled graph integration and then added users manually.
One way to know if the name you added is correct is to enable graph integration again. I think when you enable it, any invalid entry you added will be crossed out.
@tgquan67 FYI, in my case every entry which I added manually is a correct one, and those entries are not getting crossed out. It means all my entries are correct and authorized. But still, when I give admin access to such an entry, it is not working as expected. It means that user or entry is not getting any admin permission.
Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, I too have a similar issue. I tested the Azure AD matrix-based security in the latest Jenkins version, i.e. 2.372. While I configure global security, user names cannot be found.
Below is the permission/admin consent on Azure.
Any suggestion to fix this Jenkins Azure integration?
@madhulikap0903 the only thing I realized in my case is that you have to give all permissions to `Authenticated Users`, and then log out of the admin account and relogin as an AD user. Only then could I search for AD users/groups.
Remember that once you log out of admin user, you won't be able to relogin as admin.
You may not need to log out, saving the config and refreshing the page should be enough.
I face the same issue within the `/manage/configureSecurity/` global configuration page, BUT it works within a job's configuration page.

Empty results list in global config (screenshot)

Working results list in job config* (screenshot)

Jenkins 2.361.3, Azure AD Plugin 267.v5b_dfb_514d9fd

(*) the first "Enable project-based security" config section appears to be for the Project-based matrix, the second for the Azure-based matrix.
I had this issue when setting the plugin up. All the previous steps were tried, or attempted, as I had to roll back the config to the point before I configured the Azure plugin a few times after getting locked out.
- Configure the Security Realm for Azure Active Directory
- Test if it finds an account
- hit save
- check the Authorization to Active directory matrix based box
- do not hit save
- as a precaution, since I've been locked out a few times, add Anonymous and Authenticated Users to Administer overall
- save, log out.
- Since anon has admin access (don't forget to disable afterward) continue to configure the settings
- go back into the add azure user/group
- test lookup for user/group
- if it works, then add the correct user/group from azure ad, and pop that champagne to celebrate
- if It's still not working, continue to the next steps
- disable graph integration
- hit save
- go back to add the user/group
- add the user's UPN or group's Object ID, set to admin for now
- hit save
- go back and uncheck Disable graph integration
- hit save
- go back and check if it's working now (it did for me, ymmv)

Hope it helps!
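An audit check for the temporary "Administer for Anonymous and Authenticated Users" grants that these steps rely on, as an added example that is not part of the azure-ad-plugin or of the poster's procedure: it reads a Jenkins `config.xml` and flags any wide-open Administer entry still present. The `<permission>` text layout, the strategy class name and the sample config are assumptions constructed for the example.

```python
"""Audit a Jenkins config.xml for Overall/Administer granted to the anonymous or
authenticated sids. Added example, not part of the azure-ad-plugin; the
<permission> text layout is assumed from matrix-auth's config.xml."""
import xml.etree.ElementTree as ET

# Constructed sample config.xml: the "open everything" state the thread uses
# to avoid lock-out (Administer for Anonymous and Authenticated Users). The
# strategy class name and the USER:/GROUP: prefixes are assumptions.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="com.microsoft.jenkins.azuread.AzureAdMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:anonymous</permission>
    <permission>GROUP:hudson.model.Hudson.Administer:authenticated</permission>
    <permission>USER:hudson.model.Hudson.Administer:alice@example.com (00000000-0000-0000-0000-000000000000)</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
</hudson>
"""

ADMINISTER = "hudson.model.Hudson.Administer"
# Matrix sids that mean "everyone"; Administer on them is only a setup step.
WIDE_OPEN_SIDS = {"anonymous", "authenticated"}

def parse_permission(entry):
    """Split one <permission> value into (permission id, sid).
    Handles the legacy 'perm:sid' form and the prefixed 'USER:perm:sid' /
    'GROUP:perm:sid' form; the sid may itself contain ':' so only the
    leading separators are split."""
    if entry.startswith(("USER:", "GROUP:")):
        entry = entry.split(":", 1)[1]
    perm, _, sid = entry.partition(":")
    return perm, sid

def find_open_admin_grants(config_xml):
    """Return the wide-open sids that hold Overall/Administer, in file order."""
    root = ET.fromstring(config_xml)
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        return []
    flagged = []
    for node in strategy.findall("permission"):
        perm, sid = parse_permission((node.text or "").strip())
        if perm == ADMINISTER and sid in WIDE_OPEN_SIDS:
            flagged.append(sid)
    return flagged

if __name__ == "__main__":
    for sid in find_open_admin_grants(SAMPLE_CONFIG):
        print(f"WARNING: Overall/Administer is granted to '{sid}'; remove it once setup is done")
```

Run it against `$JENKINS_HOME/config.xml` after the final "hit save" to confirm the Anonymous and Authenticated Users grants were actually taken away again.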
Have the same issue on Jenkins 2.346.3 and Azure AD Plugin version 306.va_7083923fd50; it started working after re-enabling the option "Disable graph integration".
I'm having the same issue on Jenkins 2.426.1 with the latest Azure AD plugin on multiple servers. Disabling and re-enabling graph integration resolves it, but it cannot be done without disruption to group-based security permissions. It should be considered a priority 1 issue for this plugin.