Skip to end of metadata
Go to start of metadata

Name

NTLM Authentication

Version

0.5.2

Author(s)

JIRAEXT:Daniel Pavel

Download

latest stable version is JIRAEXT:0.5.2, latest beta is JIRAEXT:0.5.3

Source (Subversion)

http://svn.atlassian.com/svn/public/contrib/jira/ntlmauth4jira

License

BSD

JIRA Version(s)

3.6, 3.7

Issue Tracking

http://developer.atlassian.com/jira/browse/NTLM

JIRA bug#

http://jira.atlassian.com/browse/JRA-2398

Source Download

 

News

  • 2007-09-10 : beta 0.5.3 uploaded
    • fixed NTLM-1
    • attempts to fix some plain form login issues
  • 2007-02-07 : bugfix release JIRAEXT:0.5.2, Jira-only
    • support for Jira 3.6 & 3.7
    • allow uppercase in username
    • workaround for RPC support
    • detect basic authentication attempts
  • 2007-02-05 : new release 0.6.2-rc1 (broken, don't use it)
    • should work with Jira 3.6 & 3.7
    • new domain settings detection code

General Description

This package (ntlmauth for Jira) is a NTLM-aware authentication filter for Atlassian Jira. It adds support for SSO in a corporate intranet.

The idea is to support NTLM login for one or more Windows domains, while also allowing the standard (form) Jira login when NTLM is not available or not allowed to the user. NTLM login can be restricted to a certain group of users within Jira.

The filter does all the NTLM business through jCIFS (http://jcifs.samba.org), so the computer Jira runs on must be part of a Windows domain.

Because this authentication feature is most likely to be used inside Windows AD intranets, the filter can, optionally, auto-create successfully authenticated domain users that do not already exist in Jira. This should make the initial deployment of Jira inside such network configurations somewhat easier.

For AD domains, if a LDAP configuration is associated, some user data can be pulled from the LDAP server (full user name and email). Access to Jira through NTLM can be limited to a certain LDAP group. Also, user login is allowed only if the user, property authenticated through NTLM, is also present in the LDAP server.

Known Issues

jcifs.smb.SmbAuthException: Invalid access to memory location

Icon

Occurs when more than one Domain Controller might respond to an authentication request (e.g. you have a primary and a backup DC).
NTLM being a two-phase protocol, ntlmauth4jira might send the two requests to different DCs. In this case, the second DC will not recognize the primary request as originating from itself, and will deny access.
Workaround: specify a domainController in your ntlm_auth.properties file. A fix is in the works.

163 Comments

  1. Daniel, please add your source and the binaries in a "standard" zip-file under "Attachments" in Confluence. Not all users and companies have a bz2 uncompress tool installed.

  2. Does someone have experiences with using this plugin with JIRA 3.6? - In that case: Does it work with JIRA 3.6?

  3. It worked fine for us with version 3.6.2, but after recent upgrade to 3.6.4 it seems it stopped working...

    Daniel: have you checked it?

    BTW: great plugin (thumbs up) 

    1. Hmm, after a few restarts, NTLM with 3.6.4 also works fine.

  4. I'm using this plug-in with JIRA 3.6.5. It  works fine with Firefox but I've experienced the following problem with Internet Explorer.

    Since Windows domain names are case insensitive, if any names contains upper case characters Internet Explore will pass to JIRA as is.

    But JIRA accepts as valid names only lower case strings and so login will fail.

    I've solved with the simple attached path.

    - Paolo

    1. Paolo, I'm running JIRA on windows and it seems that I run into the same as you with ntlm authentication.

      How can I recreate the jar file on windows with your changes? Can you send me the jar file with your changes?

      - Christian 

  5. I'm new to jira. We have jira running on windows. How do I get the plugin into my installation?

    I copied jcifs-1.2.9.jar and ntlmauth-0.5.1.jar into atlassian-jira\WEB-INF\lib and restarted several times. But plugin does not appear in plugin list.

    What is my fault?

     - Christian

    1. I got it running but it seems that I have the same as Paolo one comment before. The ntlm says ok, but I will not login into jira.

      - Christian

    2. The extension is not a plugin per se - it does not register as a Jira plugin, and cannot be enabled/disabled from the plugins administration page.

  6. I followed the basic install instructions and configured my properties file for my domain, but the authentication isn't working. I get the NTLM popup, but it won't authenticate. I've tried in both Firefox and IE, and I've tried with and without the domain prefix. I'm running JIRA Version 3.6.5-#161 under Java 1.5.0_09.

    Any ideas?

    1. Hello,

      Could you send me a relevant log fragment (with NTLM initialization and a few requests), after setting log level to DEBUG for ro.softwin (in WEB-INF/classes/log4j.properties) ?

      Thanks,
      -Daniel

  7. Is this package (ntlmauth for Jira) work for Confluence 2.3?

    Eric 

    1. There is a NTLM authenticator for Confluence at http://svn.atlassian.com/fisheye/viewrep/public/contrib/confluence/ntlm-authenticator (not sure if it works with 2.3 though)

  8. Looks like there are several bugs in the NTLM Auth and 3.7.x.

    1)  Printable and XML views of individual issues appears broken.  Looks like it might have something to do with the redirect

    2)  Editing the name of a Component fails, gives a permissions error.

    1. Hi,

      I also discovered exactly the same problems with NTLM plugin with JIRA 3.7.3. I will try to investigate the problem as no NTLM for us is a showstopper to upgrade to 3.7.3.

      Wojtek 

  9. Hello,

    I've uploaded a newer version that should work with JIRA 3.6 and 3.7.
    The uppercase usernames issue should be fixed as well.

    This version is still a RC, if you have any issues with it please let me know.

    Cheers,
    -Daniel

    1. Daniel,

      Thanks a lot for your work. I checked your plugin and it more or less works with JIRA 3.7.3 in our corporate environment.
      I've written "more or less" as contrary to version 0.5.x now I have problems with accessing some of our DC-s (we have a few Active Directory domains and some of domain controllers cannot be reached), thus effective people for these domains have no NTLM.
      In log file I have (I specially changed our DC address to something dummy):

      Feb 5, 2007 4:02:51 PM ro.softwin.elearning.jiratools.SMBHelper findDCPort
      WARNING: SMB connection failed on InetAddress mydc.mycompany.com/100.101.102.103:139
      jcifs.smb.SmbException:
      jcifs.util.transport.TransportException: Connection timeout
      at jcifs.util.transport.Transport.connect(Transport.java:178)
      at jcifs.smb.SmbTransport.connect(SmbTransport.java:287)
      at jcifs.smb.SmbSession.getChallenge(SmbSession.java:146)
      at ro.softwin.elearning.jiratools.SMBHelper.findDCPort(SMBHelper.java:62)
      at ro.softwin.elearning.jiratools.DomainConfig.confirmDC(DomainConfig.java:228)
      at ro.softwin.elearning.jiratools.DomainConfig.readConfig(DomainConfig.java:115)
      at ro.softwin.elearning.jiratools.DomainConfig.<init>(DomainConfig.java:96)
      at ro.softwin.elearning.jiratools.NTLMConfig.readConfigurationS(NTLMConfig.java:94)
      at ro.softwin.elearning.jiratools.NTLMConfig.readConfiguration(NTLMConfig.java:61)
      at ro.softwin.elearning.jiratools.NTLMConfig.read(NTLMConfig.java:189)
      at ro.softwin.elearning.jiratools.AbstractNTLMLoginFilter.init(AbstractNTLMLoginFilter.java:90)
      at ro.softwin.elearning.jiratools.NTLMLoginFilter.init(NTLMLoginFilter.java:139)
      at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:223)
      ...
      Feb 5, 2007 4:53:40 PM ro.softwin.elearning.jiratools.NTLMConfig readConfigurationS
      WARNING: failed to properly init domain MYDOMAIN.MYCOMPANY.COM, disabled

      Any ideas? The previous version worked without any problem for many weeks...

      Another thing:
      Do I understand correctly that now in properties files "domain" property should include fully qualified domains? My previous settings included only the first part of domain name - however the new version of this plugin fails with it.

      When will you commit the sources to SVN to enable others debugging & analyzing the sources?

      Great work!

      Regards,
      Wojtek

      1. Hello,

        For the first problem: in previous versions, localhost was used as a fallback DC, when a DC wasn't specified for the domain. This version does its best to autodetect DC and no longer uses localhost. Not the best idea, apparently.

        Try using "MYDOMAIN.domainController = localhost" in your configuration file. There's one thing I don't understand though – if those other DCs are not available (no direct connection, or machine down?), how did it work before? Trust domains?

        Second thing: you can now specify either "mydomain.mycompany.com", or "MYDOMAIN" in the configuration file. Having just the NetBios name (MYDOMAIN) allows me to guess the DC for the domain. Having the whole DNS name allows me to guess the exact DC and LDAP server address for that domain (LDAP credentials still have to be specified, though). But NTLM by itself should work with either configuration.

        As far as svn goes, I'll have to talk first to the Atlassian guys to give me access (smile).

        Cheers,
        -Daniel

        1. Daniel,

          Thanks for your explanation.
          In fact I haven't set domainController. But when I set it to "localhost" then often I get famous "jcifs.smb.SmbAuthException: Invalid access to memory location" exception.
          Now I am trying with separate domainController setting for each domain (with concrete DC host names instead of generic ones dynamically resolved in round-robin manner). It seems to work then.

          How it worked before: no idea (smile)
          For previous version I had no domainController setting too, but plugin somehow knew what to connect. We have dozens of domain controllers controlling our several trusted domains. At times, some DC-s may be down - and it should not cause NTLM to stop working as the authentication requests should dynamically be routed to up-and-running servers.

          With jcifs 1.2.9 and your old plugin I could just list all domains (not fully qualified). With jcifs 1.2.13 and both old and new plugin I have to fully qualify all my domains in domains setting.

          To receive access to SVN just write e-mail to SVN developer support.

          Regards,
          Wojtek

          1. I think this may be similar.  I am using the latest version 0.5.2, i am running on a linux server so I am specifying as single 'domain' and a 'domainController'.  At startup I am getting the following exception:

            2007-02-25 23:28:52,165 main WARN [softwin.elearning.jiratools.SMBHelper] SMB connection failed on InetAddress 192.168.3.11/192.168.3.11
            jcifs.smb.SmbException:
            jcifs.util.transport.TransportException
            java.net.ConnectException: Connection refused

             This IP address is that of the localhost, not the address I specified for the domainController.  Is this that 'fallback' behavior ?  I've upper and lower-cased the domain name to no avail.

            1. Hello,

              When the configuration is read, ntlmauth4jira checks the localhost for a SMB connection, in case no DC is given. If you're running on Linux, and haven't configured SAMBA to act as a DC, then the WARN message is normal behaviour.

              If you get no such message about the DC you've configured, it means that DC has been contacted, so all should be ok.

              But I take it from your post that NTLM authentication does not work for you? Do you get any other WARNings or ERRORs ?

              Cheers,
              -Daniel

              1. Ah ok, understood.  Yes at the end of those exceptions I see: "Could not connect to localhost's Windows authentication source!" 

                Are there any kind of positive messages I should be seeing, indicating that it was able to contact the domain ?  I added the log4j mods per the instructions.

                Also, on another note.  We have an outlook plugin that talks to JIRA via the SOAP/RPC interface.  Was wondering if you had any idea about what it would take to write a new login() method for the RPC that used NTLM. 

  10. Ok, so the 0.6.2-rc1 version was a fluke, don't use it.

    I've uploaded 0.5.2, which is 0.5.1 with bug fixes. This version should fare better.

    Cheers,
    -Daniel

    1. Daniel,

      Yesterday I installed 0.5.2 in production environment. Till now (about 20 hours) I haven't had any problems with that: people from different AD domains can login, I have no exceptions, auto creation of the users works fine, problems reported by Jeff Kwan (http://confluence.atlassian.com/display/JIRAEXT/NTLM+Authentication?focusedCommentId=8585582#comment-8585582) are solved .

      Thanks,

      Wojtek

  11. Does anyone know the proper syntax to use when attempting a login via RPC using NTLM? I want to check out some of the other plugins/apps here (Jira tray, namely) that uses RPC to log in, but it seems to reject me. The log is giving various '500' and '401' errors. I've tried:

    DOMAIN\user

    DOMAIN
    user

    user

    All with and without a password. Is there some other syntax I should use, or is this just a known limitation of a RPC/NTLM combo? Thanks!

    -mattyj 

    1. Matthew,

      I could login via RPC only if NTLM filter was omitted for RPC calls. Some time ago Jeff Turner corrected installation notes (see INSTALL file)

      In web.xml you have to set the following filter configuration to effectively disable NTLM for RPC calls:

      <filter-mapping>
      <filter-name>login_jira</filter-name>
      <url-pattern>/rpc/*</url-pattern>
      </filter-mapping>
      <filter-mapping>
      <filter-name>login_ntlm</filter-name>
      <url-pattern>/*</url-pattern>
      </filter-mapping>

      It works for me.

      Regards,
      Wojtek

  12. Hello,  
    My organization is testing this plugin for possible inclusion with our JIRA 3.7.3 rollout and I've noticed one odd behavior.  If a user is logged into a Windows domain account with no corresponding JIRA account (and with autoCreate set to no) that user cannot log in to JIRA even with a local JIRA account.  This error is logged: 
    ERROR [softwin.elearning.jiratools.NTLMLoginFilter] username: NTLM went ok but could log in.  Disabling NTLM for this session. 
    Is this the intended behavior or did we make an error in configuring the plugin?  Thanks!

    1. Hello,

      Yes, this is the intended behaviour – or at least, this is the way I thought it should work.

      You can go straight to the standard JIRA login page at <jira-server-url>/login.jsp (and bypass NTLM authentication completely). This works for all JIRA users, with or without a Windows domain acoount.

      In the case you've described, however, I guess a more graceful solution would be to redirect to the login.jsp page directly.

      Cheers,
      -Daniel

      1. Hi Daniel, 
        Thanks for replying so quickly.  Even if the user goes straight to the login.jsp page and uses a local JIRA account they still cannot log in provided they don't have a pre-existing account in JIRA that matches their Windows account (or if autoCreate is set to no).  For each session the error I listed above is logged.  Once an account is created inside of JIRA it works properly.  Thank you again for your assistance!

  13. The filter is not working for me.  I'm running on a windows laptop that's not on the DOMAIN so I specifiy the domain controller.  Then hit JIRA from another box that is on the domain.  The init seems to be fine:

    2007-03-07 10:20:10,159 main INFO [softwin.elearning.jiratools.LDAPConfig] Loading configuration from ntlm_ldap.properties
    2007-03-07 10:20:10,209 JiraQuartzScheduler_Worker-2 WARN [service.services.export.ExportService] No directory specified for export - not exporting
    2007-03-07 10:20:10,330 main DEBUG [softwin.elearning.jiratools.SMBHelper] Probing /192.168.10.1:139 for a SMB connection...
    2007-03-07 10:20:13,504 main INFO [softwin.elearning.jiratools.SMBHelper] Localhost Controller available: LMVAD11035713/192.168.10.1:139
    2007-03-07 10:20:13,504 main DEBUG [softwin.elearning.jiratools.SMBHelper] Probing 0.0.0.0<00>/192.168.3.21:139 for a SMB connection...
    2007-03-07 10:20:18,381 main INFO [softwin.elearning.jiratools.SMBHelper] Using Domain Controller IDC-SERVER-2<00>/192.168.3.21:139
    2007-03-07 10:20:18,381 main INFO [softwin.elearning.jiratools.LDAPConfig] domain IDC-S2 using ldap://192.168.3.21 : dc=IDC-S2,dc=local

    But every request seems to fail the "already filtered" test.  Is the NTLM filter supposed to be 'in front' of the standard JIRA login filter.

    2007-03-07 10:23:41,904 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] [null] GET http://192.168.3.148:8080/eonjira/ -1 bytes (Ref:null) (UA:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322))
    2007-03-07 10:23:41,904 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is IE renegociating?
    2007-03-07 10:23:41,904 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: do we have an user already?
    2007-03-07 10:23:41,904 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: wants form login?
    2007-03-07 10:23:41,904 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is authentication actually required?
    2007-03-07 10:23:41,914 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: verdict = yes
    2007-03-07 10:23:41,914 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: did the NTLM previously fail?
    2007-03-07 10:23:41,914 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: already filtered?
    2007-03-07 10:23:41,914 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] request already filtered (/eonjira/)
    2007-03-07 10:23:41,914 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] NTLM not allowed for http://192.168.3.148:8080/eonjira/
    2007-03-07 10:23:42,144 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] [null] GET http://192.168.3.148:8080/eonjira/secure/Dashboard.jspa -1 bytes (Ref:null) (UA:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322))
    2007-03-07 10:23:42,144 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is IE renegociating?
    2007-03-07 10:23:42,144 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: do we have an user already?
    2007-03-07 10:23:42,174 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: wants form login?
    2007-03-07 10:23:42,174 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is authentication actually required?
    2007-03-07 10:23:42,174 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: verdict = yes
    2007-03-07 10:23:42,174 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: did the NTLM previously fail?
    2007-03-07 10:23:42,174 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: already filtered?
    2007-03-07 10:23:42,174 http-8080-Processor25 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] request already filtered (/eonjira/secure/Dashboard.jspa)

    1. Hello,

      No, the NTLM filter is supposed to be instead of the standard JIRA login filter – replace it altogether.

      You should edit WEB-INF/web.xml as follows:

      • find the filter "login" (search for "<filter-name>login</filter-name>")
      • replace this section:

      <filter>
      <filter-name>login</filter-name>
      <filter-class>com.atlassian.seraph.filter.LoginFilter</filter-class>
      </filter>

      • with this:

      <filter>
      <filter-name>login_jira</filter-name>
      <filter-class>com.atlassian.seraph.filter.LoginFilter</filter-class>
      </filter>
      <filter>
      <filter-name>login_ntlm</filter-name>
      <filter-class>ro.softwin.elearning.jiratools.NTLMLoginFilter</filter-class>
      <init-param>
      <param-name>configuration</param-name>
      <param-value>ntlm_ldap.properties</param-value>
      </init-param>
      </filter>

      • now scroll down in the file, and replace this section:

      <filter-mapping>
      <filter-name>login</filter-name>
      <url-pattern>/*</url-pattern>
      </filter-mapping>

      • with this:

      <filter-mapping>
      <filter-name>login_jira</filter-name>
      <url-pattern>/rpc/*</url-pattern>
      </filter-mapping>
      <filter-mapping>
      <filter-name>login_ntlm</filter-name>
      <url-pattern>/*</url-pattern>
      </filter-mapping>

      Cheers,
      -Daniel

  14. Um, ok Duh (smile)  Thanks (smile)

     But on that note actually.  I am interested in creating a new login() method for the RPC stuff that would use the NTLM credentials, to grab a token based on the SSO stuff.  Since I guess the default JIRA filter just ignores the /rpc/* urls, do you think a specialized filter there might help with this  ?

    1. I am still having problems.  Getting a login/basic auth dialog from IE, but then takes me to the login.jsp with a invalid username password.  Do I need to update the seraph-config to use the BypassDefaultAuthenticator ?

      1. got it working thanks for the help

  15. Having a slight problem, every time i access JIRA i am challenged with basic auth form dialog.  putting in the windows credentials allows me to login and bypass the JIRA login, but I am not getting the 'single sign on' behavior, I should not be challenged at all, right ?

    1. Hello,

      Depends on you browser settings. It's usually unwise to just offer the user's authentication data to any server that asks, without the user's explicit permission, so browsers try not to.

      If you're using Mozilla (or any of the derivatives), check out the 'network.automatic-ntlm-auth.trusted-uris' option (in about:config). You can set it to a list of servers where the browser may offer your NTLM credentials automatically (e.g. 'http://first.server/jira,http://second.server/jira', etc).

      Internet Explorer, afaik, does offer your credentials to any server that asks, but only for intranet servers, where intranet is defined as any address that does not contain a dot (smile). But you can add your jira server to the 'Trusted Servers' list (it's somewhere in Internet Explorer Settings, I don't have it at hand right now), and automatic NTLM should happen.

      Cheers,
      -Daniel

  16. Hi Daniel,

    I'm not sure if it has to do with Jira 3.8, but I got NTLM install with our Jira new installation. Everything works correctly on Firefox. However on IE, if you you login failed (wrong password or username) you can't login to jira via the fall back form. I would need to close out of my IE and reopen the browser. I'm talking about on a computer that's not part of the domain. Do you have any idea why?  

     Thanks,
    Li

  17. Hi,

    We need to implement SSO using windows Kerberos support.  I've checked and looks like JCIFS has some support already. So before I start hacking (wink) was wondering, if any work is already being done in this area

  18. Hello,
        We're having a problem getting the ntlm plugin to failover on non-domain client computers. I've been banging my head on this for a couple days now. Here go the details:

    the jira server is a windows 2k3 on the domain we would like to authenticate against.

    We have users that  have AD accounts as well as users that have jira only/Local accounts

     When I connect from a workstation that is part of the AD Domain through IE, SSO works perfectly. There is no prompt for login. when i connect from the same machine using firefox, I am prompted for my login and password. I enter my AD login and password and get in without issue. If I enter a jira/local user account information, I get a failed login attempt and am brought to the login page where I can successfully login with the local user account.  This looks like its working fine.

    The issue is from a computer that is NOT part of the AD Domain. Using Firefox, I'm prompted for a login and password. If I enter my AD account info like this DOMAIN\Account, I get in with no problems. If I enter the local account info, the login fails and I'm brought to the local login page where I can login successfully. When I use IE I can login when prompted with DOMAIN\Account and get in. When I use IE and enter the local account info in the login box, the login fails and brings me to the jira local login page. If I try to login from this page using the local account, I CAN NOT login. The login repeatedly fails.

    So the problem is with trying to login from a computer that is not part of the AD Domain with a local jira account using IE.

    This occurs when the client machine (Not part of the AD) is on the same network as the server as well as when it's remote across the internet.

    I know the quick solution would be tell everyone to use firefox, but unfortunately some of our clients' computer are locked down pretty tight so they are stuck with IE. 

    I've tried to directly access http://jiraserver/login.jsp but I am still prompted for login and password before I get to the page.

     I'm thinking it may be an issue with IE but I'm not sure where to start. I've already tried changing the User Authentication options in security settings but that didn't help.

    Anybody have any ideas?

    Thanks in advance!

     -Dom

    1. Update:

        So everything functions properly on IE when you go to http://jiraserver/secure/Dashboard.jspa. You're prompted for a login and password. When you enter a local jira login and password, It fails and brings you to the login page. From here you can login to jira with a local account. 

      Is there anyway to get this functionality to work with http://jiraserver/login.jsp or even better http://jiraserver\\

      Thanks!

      -Dom.

  19. I keep getting the following error when trying to log in.  Does anyone have any ideas as to what the cause might be?

    2007-05-22 13:35:18,953 http-999-Processor25 ERROR [softwin.elearning.jiratools.NTLMWebHelper] logon failed
    jcifs.smb.SmbException: A duplicate name exists on the network.

  20. Hello... I have a major problem. We are using both AD accounts and local jira accounts. The local jira accounts authenticate fine but when we go to add comments using a local account we get a system error: com.atlassian.jira.exception.IssueNotFoundException: Issue with id 'null' or key 'null' could not be found in the system

    this is repeatable with all issues across all projects, not just one in particular. This only happens using IE 6. Firefox works fine.

    I've done some research and it seems to be a session timeout or not logged in error, but I know I'm logged in and there is no way the session timed out that quickly.

    we're running jira 3.7.4 standalone enterprise on windows 2k3 using java 1.5.0_08 

    Please help.

    Thanks!

    -Dom 

    1. I assume you are using the ntlmauth4j plugin? Have you tried increasing the JIRA log level (Admin -> Logging & Profiling) to see what's going on? The code contains log.error() and log.debug() calls that should show up.

      1. Jeff,

         I set com.atlassian.jira.web.filters.AccessLogFilter, com.atlassian.seraph, and com.opensymphony to Debug.

        Here an excerpt  from the atlassian-jira.log file. This is when I click "add" when I'm trying to add a comment.

        I don't see anything in there, but hopefully someone else can. 

        Thanks!

         -Dom

        --------------------------------- 

        2007-06-01 10:57:52,329 http-443-Processor24 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,329 http-443-Processor24 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,329 http-443-Processor24 DEBUG [atlassian.seraph.filter.SecurityFilter] requiredRoles = []
        2007-06-01 10:57:52,329 http-443-Processor24 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,439 http-443-Processor24 INFO [jira.web.filters.AccessLogFilter] - https://jiradev/secure/AddComment.jspa 94010-1197 110
        2007-06-01 10:57:52,439 http-443-Processor24 INFO [jira.web.filters.AccessLogFilter] - https://jiradev/secure/AddComment.jspa 94010-1197 110
        2007-06-01 10:57:52,501 http-443-Processor24 ERROR [[Catalina].[localhost].[/].[jsp]] Servlet.service() for servlet jsp threw exception
        com.atlassian.jira.exception.IssueNotFoundException: Issue with id 'null' or key 'null' could not be found in the system
            at com.atlassian.jira.web.action.issue.AbstractIssueSelectAction.getIssue(AbstractIssueSelectAction.java:89)
            at com.atlassian.jira.web.action.issue.AbstractIssueSelectAction.getIssueObject(AbstractIssueSelectAction.java:347)
            at com.atlassian.jira.web.action.issue.AbstractIssueSelectAction.getSummaryIssue(AbstractIssueSelectAction.java:367)
            at org.apache.jsp.decorators.issuesummary_jsp._jspService(issuesummary_jsp.java:184)
            at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:334)
            at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
            at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
            at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:574)
            at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:499)
            at com.opensymphony.module.sitemesh.filter.PageFilter.writeDecorator(PageFilter.java:173)
            at com.opensymphony.module.sitemesh.filter.PageFilter.applyDecorator(PageFilter.java:158)
            at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:62)
            at com.atlassian.jira.web.filters.SitemeshExcludePathFilter.doFilter(SitemeshExcludePathFilter.java:38)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:182)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at ro.softwin.elearning.jiratools.NTLMLoginFilter.doFilter(NTLMLoginFilter.java:136)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:132)
            at com.atlassian.jira.web.filters.JIRAProfilingFilter.doFilter(JIRAProfilingFilter.java:16)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:41)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.web.filters.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:49)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.johnson.filters.JohnsonFilter.doFilter(JohnsonFilter.java:91)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.web.filters.gzip.GzipFilter.doFilter(GzipFilter.java:72)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.appconsistency.db.DatabaseCompatibilityEnforcerFilter.doFilter(DatabaseCompatibilityEnforcerFilter.java:39)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
            at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
            at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
            at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
            at java.lang.Thread.run(Thread.java:595)
        2007-06-01 10:57:52,501 http-443-Processor24 ERROR [[Catalina].[localhost].[/].[action]] Servlet.service() for servlet action threw exception
        com.atlassian.jira.exception.IssueNotFoundException: Issue with id 'null' or key 'null' could not be found in the system
            at com.atlassian.jira.web.action.issue.AbstractIssueSelectAction.getIssue(AbstractIssueSelectAction.java:89)
            at com.atlassian.jira.web.action.issue.AbstractIssueSelectAction.getIssueObject(AbstractIssueSelectAction.java:347)
            at com.atlassian.jira.web.action.issue.AbstractIssueSelectAction.getSummaryIssue(AbstractIssueSelectAction.java:367)
            at org.apache.jsp.decorators.issuesummary_jsp._jspService(issuesummary_jsp.java:184)
            at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:334)
            at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
            at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
            at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:574)
            at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:499)
            at com.opensymphony.module.sitemesh.filter.PageFilter.writeDecorator(PageFilter.java:173)
            at com.opensymphony.module.sitemesh.filter.PageFilter.applyDecorator(PageFilter.java:158)
            at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:62)
            at com.atlassian.jira.web.filters.SitemeshExcludePathFilter.doFilter(SitemeshExcludePathFilter.java:38)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:182)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at ro.softwin.elearning.jiratools.NTLMLoginFilter.doFilter(NTLMLoginFilter.java:136)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:132)
            at com.atlassian.jira.web.filters.JIRAProfilingFilter.doFilter(JIRAProfilingFilter.java:16)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:41)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.web.filters.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:49)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.johnson.filters.JohnsonFilter.doFilter(JohnsonFilter.java:91)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.web.filters.gzip.GzipFilter.doFilter(GzipFilter.java:72)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.appconsistency.db.DatabaseCompatibilityEnforcerFilter.doFilter(DatabaseCompatibilityEnforcerFilter.java:39)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
            at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
            at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
            at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
            at java.lang.Thread.run(Thread.java:595)
        2007-06-01 10:57:52,564 http-443-Processor24 ERROR [500ErrorPage] Exception caught in 500 page Issue with id 'null' or key 'null' could not be found in the system
        com.atlassian.jira.exception.IssueNotFoundException: Issue with id 'null' or key 'null' could not be found in the system
            at com.atlassian.jira.web.action.issue.AbstractIssueSelectAction.getIssue(AbstractIssueSelectAction.java:89)
            at com.atlassian.jira.web.action.issue.AbstractIssueSelectAction.getIssueObject(AbstractIssueSelectAction.java:347)
            at com.atlassian.jira.web.action.issue.AbstractIssueSelectAction.getSummaryIssue(AbstractIssueSelectAction.java:367)
            at org.apache.jsp.decorators.issuesummary_jsp._jspService(issuesummary_jsp.java:184)
            at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:334)
            at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
            at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
            at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:574)
            at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:499)
            at com.opensymphony.module.sitemesh.filter.PageFilter.writeDecorator(PageFilter.java:173)
            at com.opensymphony.module.sitemesh.filter.PageFilter.applyDecorator(PageFilter.java:158)
            at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:62)
            at com.atlassian.jira.web.filters.SitemeshExcludePathFilter.doFilter(SitemeshExcludePathFilter.java:38)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:182)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at ro.softwin.elearning.jiratools.NTLMLoginFilter.doFilter(NTLMLoginFilter.java:136)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:132)
            at com.atlassian.jira.web.filters.JIRAProfilingFilter.doFilter(JIRAProfilingFilter.java:16)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:41)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.web.filters.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:49)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.johnson.filters.JohnsonFilter.doFilter(JohnsonFilter.java:91)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.web.filters.gzip.GzipFilter.doFilter(GzipFilter.java:72)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at com.atlassian.jira.appconsistency.db.DatabaseCompatibilityEnforcerFilter.doFilter(DatabaseCompatibilityEnforcerFilter.java:39)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
            at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
            at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
            at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
            at java.lang.Thread.run(Thread.java:595)
        2007-06-01 10:57:52,782 http-443-Processor23 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,782 http-443-Processor23 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,782 http-443-Processor23 DEBUG [atlassian.seraph.filter.SecurityFilter] requiredRoles = []
        2007-06-01 10:57:52,782 http-443-Processor23 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,798 http-443-Processor23 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,798 http-443-Processor23 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,798 http-443-Processor23 DEBUG [atlassian.seraph.filter.SecurityFilter] requiredRoles = []
        2007-06-01 10:57:52,798 http-443-Processor23 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,814 http-443-Processor23 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,814 http-443-Processor23 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in
        2007-06-01 10:57:52,814 http-443-Processor23 DEBUG [atlassian.seraph.filter.SecurityFilter] requiredRoles = []
        2007-06-01 10:57:52,814 http-443-Processor23 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Session found; user already logged in

        1. Hello,

          It appears to be the IE POST issue – it first POSTs an empty request under NTLM, then when NTLM is re-negociated, POSTs the real request.

          However, this was supposed to be fixed long ago. What version of ntlmauth4jira are you using?

          Cheers,
          -Daniel

          1. Daniel,

              We're running ntlmauth4jira 0.5.2 on Jira 3.7.4 enterprise standalone. Do I have something configured wrong?

            Thanks!

            -Dom

            1. Hey Guys.... Any word on this?

              Thanks!

              -Dom 

            2. Anybody have any suggestions on how to fix this... we're still having this problem.

              Thanks!
              -DOm

  21. Hi all, I thought I'd just share my findings. I first used the confluence NTLM code which was based on this code, I had problems in my Ubuntu Linux environment with SMBHelper, just removing the static block at the start of the class solved the problem, If I understand it, the code tries to use localhost as the SMB authenticator, which only works if JIRA is deployed on a windows platform...

    Platform is Ubuntu6.10(dapper)/Jboss405/Java5

    The authentication seemed to work fine on a test system that had already been restored, but when setup with a blank system to verify users get created with jira-users group, the login didn't appear to work.  Failing with the curious 'A duplicate name exists on the network' repeated in posts above.  This is pivotal to me using the NTLM authenticator so Ill investigate and post findings.

    1. Ive now updated the Confluence NTLM plugin to auto create authenticated users and auto-register them to confluence-users. This was a major administration saver for me migrating a few hundred users from AD managed groups to confluence-managed groups. The confluence code also uses the 'osuser.xml' file as its source of LDAP stuff, simplifying deployment (for me).

  22. Ive just found that the NTLM authenticator didnt work when acessed through Apache/mod-jk forwarder, but works find when accessed direct.

    My Jira system has an Apache VirtualServer that includes the necessary mod-jk directives, this was working before the upgrade.  All it would to is pickup references to htpp://server/jira and redirect to https://server/jira.

    When I updated 3.9.2 with the NTLM code which works fine when connecting to http://devserver:8080/jira, but unfortunately didn't function in a similar way when going through an apache mod-jk path.

    I'm wondering if this is  common to NTLM.  Ive got the NTLM stuff working fine for confluence - but I haven't done this test yet.

    Has anyone used this apache/mod-jk/jboss configuration withNTLM?

    1. New day, new server, it does work, honest - must be weird config.

  23. I had this running nicely until IE7 users came on board.   I couldn't getting this to work reliably with IE7.  It seem to work at times or for some users.  NTLM-IE7 problems are described on the net but I couldn't find a fix so I had to revert to Jira's LDAP passwords.

    Does anyone else have a fix to this problem?

  24. Ironically my experience is the opposite.  IE7 seems to work fine for me but IE6 doesn't work reliably when going through apache/mod-jk (I have two servers, only test works, live is borked, giving IE6 users nothing but a blank page).

  25. The situation:
    I have an existing JIRA server with users.
    The users were setup with the same username as they have the in AD.

    What I wanted to do is to install the plugin so that existing JIRA users can continue logging in, now using their AD passwords and for new JIRA users to be auto created by the plugin.

    I have 2 issues.

    1) Corrupted login: at first I thought it worked, however although an existing JIRA user (me) seemed to be logged via NTLM closer inspection revealed that they were only half logged in, in the top right it still says log-in although when you click change password you can see all the user properties on the left pane.. weird! Also admins seemed to lose all their settings panels although they still appeared to be part of admins group. There were no error logs.

     
    2) Failed to create: the next thing I tried was with an AD user that didnt have an existing JIRA entry, this failed completely with the logs showing the error (also attached):

    http://localhost:8080/jira/
    2007-07-31 10:44:39,774 http-8080-2 DEBUG [softwin.elearning.jiratools.JIRAUserUtils] user autocreation denied for SRP_COMPANYWIDE, will not create tldeloford

    Any help much appreciated.

    Regards,
    Tom Deloford

    -----------------

     2007-07-31 10:44:20,599 Thread-1 INFO [softwin.elearning.jiratools.LDAPConfig] Loading configuration from ntlm_ldap.properties
    2007-07-31 10:44:20,614 JiraQuartzScheduler_Worker-3 WARN [service.services.export.ExportService] Backup directory E:\jira3-9\backups does not exist
    2007-07-31 10:44:20,864 Thread-1 DEBUG [softwin.elearning.jiratools.SMBHelper] Probing /10.171.9.44:139 for a SMB connection...
    2007-07-31 10:44:21,036 Thread-1 INFO [softwin.elearning.jiratools.SMBHelper] Localhost Controller available: Z-ISV06M0677.detica.com/10.171.9.44:139
    2007-07-31 10:44:21,036 Thread-1 WARN [softwin.elearning.jiratools.LDAPConfig] no 'java.naming.provider.url' for domain SRP_COMPANYWIDE; user data will not be available
    2007-07-31 10:44:21,036 Thread-1 INFO [softwin.elearning.jiratools.LDAPConfig] domain SRP_COMPANYWIDE using null : null
    [Filter: profiling] Using parameter [jira_profile]
    [Filter: profiling] defaulting to off [autostart=false]
    [Filter: profiling] Turning filter off [jira_profile=off]
    2007-07-31 10:44:21,568 Thread-1 [webwork.dispatcher.ServletDispatcher] Unable to find 'webwork.multipart.saveDir' property setting. Defaulting to javax.servlet.context.tempdir
    2007-07-31 10:44:22,771 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] [null] GET http://localhost:8080/jira/ -1 bytes (Ref:null) (UA:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1)
    2007-07-31 10:44:22,771 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is IE renegociating?
    2007-07-31 10:44:22,771 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: do we have an user already?
    2007-07-31 10:44:22,771 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: wants form login?
    2007-07-31 10:44:22,771 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is authentication actually required?
    2007-07-31 10:44:22,771 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: verdict = yes
    2007-07-31 10:44:22,771 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: did the NTLM previously fail?
    2007-07-31 10:44:22,771 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: already filtered?
    2007-07-31 10:44:22,771 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: verdict = yes
    2007-07-31 10:44:39,242 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] [null] GET http://localhost:8080/jira/ -1 bytes (Ref:null) (UA:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1)
    2007-07-31 10:44:39,242 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is IE renegociating?
    2007-07-31 10:44:39,242 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: do we have an user already?
    2007-07-31 10:44:39,242 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: wants form login?
    2007-07-31 10:44:39,242 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is authentication actually required?
    2007-07-31 10:44:39,242 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: verdict = yes
    2007-07-31 10:44:39,242 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: did the NTLM previously fail?
    2007-07-31 10:44:39,242 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: already filtered?
    2007-07-31 10:44:39,242 http-8080-1 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: verdict = yes
    2007-07-31 10:44:39,258 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] [null] GET http://localhost:8080/jira/ -1 bytes (Ref:null) (UA:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1)
    2007-07-31 10:44:39,258 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is IE renegociating?
    2007-07-31 10:44:39,258 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: do we have an user already?
    2007-07-31 10:44:39,258 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: wants form login?
    2007-07-31 10:44:39,258 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is authentication actually required?
    2007-07-31 10:44:39,258 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: verdict = yes
    2007-07-31 10:44:39,258 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: did the NTLM previously fail?
    2007-07-31 10:44:39,258 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: already filtered?
    2007-07-31 10:44:39,258 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: verdict = yes
    2007-07-31 10:44:39,274 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMWebHelper] tentative NTLM: [\TLDeloford]
    2007-07-31 10:44:39,774 http-8080-2 INFO [softwin.elearning.jiratools.NTLMLoginFilter] NTLM ok as [SRP_COMPANYWIDE\TLDeloford] at http://localhost:8080/jira/
    2007-07-31 10:44:39,774 http-8080-2 DEBUG [softwin.elearning.jiratools.JIRAUserUtils] user autocreation denied for SRP_COMPANYWIDE, will not create tldeloford
    2007-07-31 10:44:39,774 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] User TLDeloford not found in JIRA
    2007-07-31 10:44:39,774 http-8080-2 ERROR [softwin.elearning.jiratools.NTLMLoginFilter] TLDeloford: NTLM went ok but could log in.  Disabling NTLM for this session.
    2007-07-31 10:44:40,133 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] [null] GET http://localhost:8080/jira/secure/Dashboard.jspa -1 bytes (Ref:null) (UA:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1)
    2007-07-31 10:44:40,133 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is IE renegociating?
    2007-07-31 10:44:40,133 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: do we have an user already?
    2007-07-31 10:44:40,133 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: wants form login?
    2007-07-31 10:44:40,133 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is authentication actually required?
    2007-07-31 10:44:40,133 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: verdict = yes
    2007-07-31 10:44:40,133 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: did the NTLM previously fail?
    2007-07-31 10:44:40,133 http-8080-2 INFO [softwin.elearning.jiratools.NTLMLoginFilter] /jira/secure/Dashboard.jspa session has previously tried NTLM, and failed
    2007-07-31 10:44:40,133 http-8080-2 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] NTLM not allowed for http://localhost:8080/jira/secure/Dashboard.jspa

    ............ 

  26. We're using the NTLM auth plugin and it's working fine in general, so firstly thanks very much for making this available!

    One problem we're experiencing is to do with notification emails. If a user reads a notification email after starting Outlook, images and styles are not properly displayed/applied in the email and Outlook will pop up a username/password dialog. Once the user enters their details and Outlook has successfully authenticated against JIRA, then everything works fine from then on and emails can be viewed correctly with no further authentication prompts. Switching on debug logging in JIRA when this happens shows that automatic NTLM auth is failing for that initial request (no more details given though).

    We were hoping to avoid users having to authenticate to see the emails correctly, given that they're already logged in.

    Can anyone offer any advice ? One suggestion is that we change something in web.xml to put the stylesheets and image files outside of authentication but I'm not quite sure what to change there.

     Thanks in advance for any tips.

    1. Hi Simon,

      I know your problem - the same happens to us. I bet you don't use routinely Internet Explorer on your computers.

      AFAIK JIRA and the plugin is innocent. The problem rather lies on Outlook side. I read once in some Microsoft documentation (now I cannot completely recall URL and I failed to google for it) that Outlook does not by itself fetch user windows logon data from the system to perform transparent NTLM authentication - it can only reuse already existing NTLM data which reside in the system after you authenticated using e.g. Internet Explorer or just ask you for username and password to proceed. So if you normally (or just before using Outlook) don't use IE to access JIRA, you will have to manually log in from Outlook - but only once. If you use IE to access JIRA (or any other NTLM protected web resource in your intranet) then Outook should not ask you for the password.

      You may take a look also at: http://jira.atlassian.com/browse/JRA-10023.

      Is this your case?

      Wojtek  

      1. Hello Wojtek,

        That is pretty much the case. Once you open a mail or reply to it it prompts you to login - this is itself confusing to people because they're not sure what exactly they are logging in to or which password to use, or why just replying to a mail is asking them to login. Also, when using the preview pane as most people do it does not ask you to log in, the mails just look rubbish.

        I have found that adding this to the web.xml seems to let it work, but I'm not sure why or if there are any other negatives from doing this:

        <filter-mapping>
        <filter-name>login_jira</filter-name>
        <url-pattern>/images/*</url-pattern>
        </filter-mapping>
        
        <filter-mapping>
        <filter-name>login_jira</filter-name>
        <url-pattern>/styles/*</url-pattern>
        </filter-mapping>
        

        > If you use IE to access JIRA (or any other NTLM protected web resource in your intranet) then Outook should not ask you for the password

        Hrm, we do, but it still seems to ask for the password. I don't believe outlook automatically sends the NTLM information when requested as IE does. 

        Thanks a lot for your answer.

        jamie

        1. Jamie,

          Your solution maybe works but it's rather a hack. If I understand it correctly you may end up with standard JIRA login mechanism whenever web resources are referred from any HTML e-mail sent to JIRA users.

          Are you sure that it works even if there is no JIRA "auth token" valid (i.e. unexpired - it can be created by NTLM plugin transparently) in the system? I mean: e.g. Outook used just after a clean system reboot and before any NTLM capable browser is opened?

          I am quite confused by the last part of your post: in our environment if you at least once visited JIRA site with IE (btw: JIRA does not ask then for your password at all) then Outlook does not ask you for any password - it just shows all the graphics in HTML mail. Do you want to say that NTLM from IE does not work for you with JIRA with this plugin?

          Regards,

          Wojtek 

          1. Hi Wojtek,

            I don't mind using a hack so long as it works (wink)

            I am sure that it works if you don't have NTLM capable browser running. I have been testing this using a simple cmd line http client such as perl's "get". By default, if I run:

            GET http://localhost:8490/styles/combined.css
            User-Agent: lwp-request/2.07
            ... other headers ...
            Client-Warning: Unsupported authentication scheme 'ntlm'

            but when I add the above lines to web.xml and run that GET, i get the stylesheet. And so it works in outlook as well, even without any browsers running.

            > I am quite confused by the last part of your post: in our environment if you at least once visited JIRA site with IE (btw: JIRA does not ask then for your password at all) then Outlook does not ask you for any password - it just shows all the graphics in HTML mail. Do you want to say that NTLM from IE does not work for you with JIRA with this plugin?

            NTLM from IE is definitely working (jira never asks for a password). But it is not working from outlook. Perhaps our environments are different in that outlook is configured not to send the token to just any site that asks for it?

            I had a quick look at NTLMLoginFilter.java and it seems to say that authentication is not required if the request is for "/styles/global_printable.css" or "/styles/global.css". However the emails don't actually reference those stylesheets. Also no mention is made of icons. Do you know what the intention is behind that code?

            thanks a lot, jamie

            1. Regarding your last question - I have no idea. Maybe Daniel Pavel could help us here?

              Regarding Outlook you may take a look at: http://support.microsoft.com/kb/820281 (the last section).

              Regards,

              Wojtek 

  27. (question) Has anyone have success with this code using IE6?  I have IE7 working nicely, IE6 gives me a blank page?  I'm working with some forked code (from here) used for Confluence NTLM.  Not sure if this is (a) bug in IE6, (b) bug in forked code (c) general problem.

    If this code has been proved with IE6 the Confluence code I'll need to merge a more recent copy.  Comments appreciated.

    1. Hello,

      We have been using this plugin with Enterprise JIRA (e.g. 3.6.x and 3.7.x) for many months (currently last stable version 0.5.2 which can be downloaded from this page) with IE6 (6.0.2900 - on Win XP SP2 and Win 2003 Server) and FF2 without problems against several federated AD domains.

      Could you switch on debug info and check messages there.

      Regards,

      Wojtek 

      1. OK thanks for the confirmation.  I wonder, what do you think about extending this plugin to also provide SSO for confluence?  This plugin's configuration is pretty comprehensive! it would be great to leverage that for Confluence also, thoughts? or fork again?

        1. While this plugin is great for JIRA, Confluence has built-in AD integration.

          1. True, in various combinations of auth only, auth+groups, via osuser, via atlassian-user.  However It does *not support NTLM out of the box*, this is why someone forked the code from this plugin into the confluence NTLM plugin.  I'm doing some development on that that makes use of existing osuser and atlassian user  xml files for LDAP cum DC identification, though is not as advanced or as versaitle as this plugins config is.  Hence suggestion to add what little code there must be for a Confluence NTLM authenticator _here_

            1. It may not technically be NTLM under the covers; but when I go to Confluence, I get auto logged in via LDAP (using atlassian-user). And that's as NTLM as I will ever need, much better than out-of-the-box JIRA...

  28. I have a weird problem. 99% of the time this plugin works for people. But it seems like every time I restart JIRA someone (a different person each time) can't login.  Restart JIRA and it's fine for that person but might break for someone else... Once it breaks, it's broken until JIRA is restarted.  We've tried with both FF and IE6, and they seem to be able to log in to other NTLM sites but not JIRA. Also, I checked their user account and it isn't locked/password expired/etc.

    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] [null] GET http://jira//styles/combined.css -1 bytes (Ref:null) (UA:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727))
    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is IE renegociating?
    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: do we have an user already?
    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: wants form login?
    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is authentication actually required?
    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: verdict = yes
    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: did the NTLM previously fail?
    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: already filtered?
    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: verdict = yes
    2007-08-22 15:55:49,860 http-80-Processor20 DEBUG [softwin.elearning.jiratools.NTLMWebHelper] tentative NTLM: [ccl\djarvis]
    2007-08-22 15:55:49,860 http-80-Processor20 ERROR [softwin.elearning.jiratools.NTLMWebHelper] logon failed
    jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
     at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:503)
     at jcifs.smb.SmbTransport.send(SmbTransport.java:614)
     at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:277)
     at jcifs.smb.SmbSession.send(SmbSession.java:233)
     at jcifs.smb.SmbTree.treeConnect(SmbTree.java:154)
     at jcifs.smb.SmbSession.logon(SmbSession.java:169)
     at ro.softwin.elearning.jiratools.SMBHelper.doDCLogon(SMBHelper.java:163)
     at ro.softwin.elearning.jiratools.NTLMWebHelper.doNTLM(NTLMWebHelper.java:114)
     at ro.softwin.elearning.jiratools.NTLMLoginFilter.doNTLM(NTLMLoginFilter.java:194)
     at ro.softwin.elearning.jiratools.NTLMLoginFilter.doFilter(NTLMLoginFilter.java:151)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:43)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at com.atlassian.jira.web.filters.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:49)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at com.atlassian.jira.appconsistency.db.DatabaseCompatibilityEnforcerFilter.doFilter(DatabaseCompatibilityEnforcerFilter.java:39)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
     at java.lang.Thread.run(Unknown Source)
    2007-08-22 15:55:49,876 http-80-Processor20 INFO [softwin.elearning.jiratools.NTLMLoginFilter] NTLM login failed, falling back to standard authentication
    

    I'm stuck trying to figure this out - any ideas?

    1. We're running into this exact same issue.  We were doing fine during our initial testing with a few users, but once we got all of our developmentdept on (~80 users) we're now seeing this issue all over the place.  Its like the plugin cant handle all of the requests or something.

      We are really hoping to take advantage of this plug-in for seamless SSO of JIRA.  Does anyone have any ideas how to whats causing this this?

       Thanks!

      1. Do you happen to have multiple DC's with a loadbalancer?  I have someone using basically the same code for confluence, and this configuration causes similar problems.  im looking at in but as I cant test its tricky to progress...

        1. Nope.  Just one DC.

           Any other thoughts?

          1. Are you using the Confluence NTLM code or the JIRA NTLM Jar? Agreed its tricky. Im gearing up to be able to build and test this plugin - see below!

            For the record!

            Icon

            As far as I can tell, Daniel hasn't been active on this project since February, I think it's in a working state, and there has certainly been some great work done to date.

            I havent looked here in great detail and have spent most effort in the confluence forked code to which I added LDAP zero-ish conf support.  I was put off looking at the this project as it was a maven1 build, however, I've just noticed that I can use confluence dependencies (for which maven2 builds exist).  The result is that Im going to take a walk through the JIRA code, and get a better handle on Jcifs. This will allow me help people with problems. Currently, Im no NTLM expert but hopefully can learn enough to answer such questions, and contribute to the project

            I can test JIRA and CONFLUENCE ntlm in my companies (Active Directory) environment and would dearly love to get it working to solve *my* headaches of automatic user registration.  Feel free to come along for the ride!

    2. We have a very similar problem. I've found that sometimes it works if they use the FQDN of the machine instead of the "jira" alias that we have. That normally solves it, but if not sometimes the short name, and occasionally the IP address. Whilst this is not a satisfactory solution we are getting by with it for the moment.

      There is some anecdotal evidence that there can be problems when the users are authenticated against either a win2k or win2k3 server (sorry not sure which one is causing the problem). One of the user that has a problem uses both a win2k and XP machine.

      cheers, jamie

      1. Jamie,

        Using the full FQDN worked for us - http://jira.xxx.com/ instead of just http://jira/

        Thanks for the great suggestion,

         David

  29. Does anyone know if this plugin is supposed to work in 3.74 and later versions? Our production server is 3.74 and development is at 3.10 right now, and we're running into some issues with local JIRA users being able to log in from non-domain laptops...

    1. The authentication stuff hasnt changed (to the best of my knowledge) I have had NTLM working (for IE7) for JIRA 3.9.2 .

      If your non-domain laptops run windows my belief is that the given local domain/user will not be able to log in (despite the form based login fallback).  My suggestion is for those users to use non-IE browsers which will at least allow them to login, albeit through a basic auth prompt.

  30. Is there any reason why this plugin could not be made to work with the SOAP interface? At the moment the instructions specify that you should disable the ntlm login filter for "/rpc/*". However, this is where it would be most useful, as currently it's necessary to hard-code a password in the soap client scripts. As this is an AD password that's obviously very undesirable.

    Also, has anyone had any experience using Vintela SSO for Java? We seem to be piloting it here and I was hoping to use it to replace this plugin... users that have problems logging in to jira don't seem to have problems using my example servlet that is authenticated via VSJ.

    cheers, jamie

    1. Re: rpc, please raise a bug in the issue system.  I haven't seen VSJ, intere$ting.

    2. Hello, 

      I am not sure if NTLM for RPC is the best idea. Or at least it will not solve all our problems.

      NTLM is handled in transparent way (full SSO) by Sun JVM (more precisely by HTTP connection implementation) only on Windows machines (in native way AFAIK). Many popular projects - e.g. Axis, which uses by default their own HTTP client implementation and Eclipse Mylyn (using Apache commons-http) have serious difficulties (complicated configuration) in supporting NTLM and virtually fail when it comes to transparent SSO (you have to configure/set your username/password explicitly - which is quite obvious as these purely Java libraries have no acces to native Windows logon data).

      Regarding passwords sent in client scripts, I have two solutions:

      1. use HTTPS and your passwords are not sent anymore in clear text
      2. create in JIRA special SOAP user (with password managed by JIRA - you can do it and then switch JIRA back to external user/password management) - then your scripts will not need to use AD account anymore

      I hope it helps.

      Regards,

      Wojtek 

      P.S. We use Vintela for Java. It works fine for us to achieve SSO for web services (SOAP for instance), but we use Kerberos and not NTLM as a authentication mechanism. 

      1. Hi,

        I know this subject is getting old, but I am also interested in NTLM for RPC. We have developped a small application that connects to JIRA through SOAP for our own use only. Basically the authentication is forwarded to JIRA. Using NTLM and automatic user creation is reducing the amount of times a user has to be created, not to say the number of passwords to synchronize, so basically I can't see why the NTLM should not be extended to RPC/SOAP.

        BTW what is "groupMemberAttribute = memberOf" in ntlmauth-ldap.properties used for? I would very much have liked it to match the LDAP groups to JIRA groups at user creation so the new user does not get all JIRA groups as default...

        Regards,

        Ian Pottier

  31. Will 0.5.3 fix the IE post issues we've been having?

    Thanks!

    -DOm

  32. So after some testing, 0.5.3 doesn't seem to fix the IE POST re-negotiation issues.  I've tested this on jira 3.11 using 0.5.3 on a windows server. From a computer not on the domain. Firefox works as expected.  Any idea when this will be resolved?

    Thanks!

    -DOm

  33. I get the following error:

    07.11.2007 14:41:23 ro.softwin.elearning.jiratools.NTLMWebHelper doNTLM
    SCHWERWIEGEND: logon failed
    jcifs.smb.SmbException: Logon failure: the user has not been granted the requested logon type at this computer.
     at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:514)

    I use Jira 3.11 and Tomcat 5.5. Where can I see the DEBUG messages? Does anyone know what the problem is? Jira is installed locally on my machine!

  34. Sorry - I seem to have posted this to the wrong page.

    Afternoon -

    I'm trying to use the forked version as it appears to do what I want, namely NTLM authentication plus add the user to the confluence-users group. Also, production box is Solaris, so this appears to give me the ability to specify a DC. I am testing on Windows, as things involving AD and NTLM seem to work better there, when all works I will move it to solaris.

    Part of my problem is there seem to be several versions of this plugin, but I have downloaded and built from the source in subversion: http://svn.atlassian.com/svn/public/contrib/confluence/libraries/ntlmauth/trunk, rev 12716.

    When using the standard ntlmauth.properties from subversion, I get a number parse error... so I worked out I had to add:

    Now when someone logs in they get the error:

    If they are already in the confluence-users group, and they refresh this page, it works. If not they continue to receive this error.
    When clicking logout:

    I'm still working on other problems with this, but if anyone has any ideas I'd be grateful. Also is anyone from Atlassian saying when/if they're going to incorporate NTLM authentication?
    thanks, jamie

  35. The NTLM Sign on works but get the following error when I click on logout link in Confluence.  

    Cause:

    org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getText' in class com.atlassian.confluence.user.actions.LogoutAction threw exception class org.springframework.transaction.UnexpectedRollbackException : Transaction has been rolled back because it has been marked as rollback-only
     at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:309)
    caused by: org.springframework.transaction.UnexpectedRollbackException: Transaction has been rolled back because it has been marked as rollback-only
     at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:469)

    Stack Trace: [hide] org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getText' in  class com.atlassian.confluence.user.actions.LogoutAction threw exception class org.springframework.transaction.UnexpectedRollbackException : Transaction has been rolled back because it has been marked as rollback-only

            at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:309)

            at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:207)

            at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:250)

            at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:271)

            at org.apache.velocity.Template.merge(Template.java:296)

            at com.opensymphony.webwork.dispatcher.VelocityResult.doExecute(VelocityResult.java:91)

            at com.atlassian.xwork.results.ProfiledVelocityResult.doExecute(ProfiledVelocityResult.java:21)

            at com.opensymphony.webwork.dispatcher.WebWorkResultSupport.execute(WebWorkResultSupport.java:116)

            at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.util.LoggingContextInterceptor.intercept(LoggingContextInterceptor.java:48)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.security.actions.PermissionCheckInterceptor.intercept(PermissionCheckInterceptor.java:47)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.pages.actions.PageAwareInterceptor.intercept(PageAwareInterceptor.java:114)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.spaces.actions.SpaceAwareInterceptor.intercept(SpaceAwareInterceptor.java:67)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:39)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:25)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:98)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)

            at com.opensymphony.webwork.dispatcher.ServletDispatcher.serviceAction(ServletDispatcher.java:229)

            at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)

            at com.atlassian.confluence.util.profiling.ProfilingPageFilter.parsePage(ProfilingPageFilter.java:137)

            at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:54)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.core.filters.ServletContextThreadLocalFilter.doFilter(ServletContextThreadLocalFilter.java:21)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.confluence.util.LoggingContextFilter.doFilter(LoggingContextFilter.java:46)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.confluence.util.UserThreadLocalFilter.doFilter(UserThreadLocalFilter.java:44)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:182)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.seraph.filter.LoginFilter.doFilter(LoginFilter.java:161)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.jnj.confluence.NTLMFilter.doFilter(NTLMFilter.java:161)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.confluence.util.ClusterHeaderFilter.doFilter(ClusterHeaderFilter.java:35)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.johnson.filters.JohnsonFilter.doFilter(JohnsonFilter.java:96)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at org.springframework.orm.hibernate.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:174)

            at com.atlassian.spring.filter.FlushingSpringSessionInViewFilter.doFilterInternal(FlushingSpringSessionInViewFilter.java:29)

            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:140)

            at com.atlassian.core.filters.ProfilingAndErrorFilter.doFilter(ProfilingAndErrorFilter.java:27)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.confluence.util.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:25)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.core.filters.gzip.GzipFilter.doFilter(GzipFilter.java:61)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)

            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)

            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)

            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)

            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)

            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)

            at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)

            at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)

            at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)

            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)

            at java.lang.Thread.run(Thread.java:595)

    caused by:

    org.springframework.transaction.UnexpectedRollbackException: Transaction has been rolled back because it has been marked as rollback-only

            at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:469)

            at org.springframework.transaction.interceptor.TransactionAspectSupport.doCommitTransactionAfterReturning(TransactionAspectSupport.java:266)

            at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)

            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)

            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176)

            at $Proxy19.getUser(Unknown Source)

            at com.jnj.confluence.ConfluenceUserHelper.checkForGroups(ConfluenceUserHelper.java:237)

            at com.jnj.confluence.ConfluenceUserHelper.processUser(ConfluenceUserHelper.java:116)

            at com.jnj.confluence.NTLMAwareAuthenticator.getUser(NTLMAwareAuthenticator.java:99)

            at com.atlassian.seraph.auth.AbstractAuthenticator.getUser(AbstractAuthenticator.java:44)

            at com.atlassian.seraph.filter.LoginFilter$SecurityHttpRequestWrapper.getUserPrincipal(LoginFilter.java:243)

            at com.atlassian.seraph.filter.LoginFilter$SecurityHttpRequestWrapper.getRemoteUser(LoginFilter.java:237)

            at com.atlassian.confluence.core.ConfluenceActionSupport.getRemoteUser(ConfluenceActionSupport.java:235)

            at com.atlassian.confluence.core.ConfluenceActionSupport.getLocale(ConfluenceActionSupport.java:549)

            at com.atlassian.confluence.core.ConfluenceActionSupport.getI18n(ConfluenceActionSupport.java:603)

            at com.atlassian.confluence.core.ConfluenceActionSupport.getText(ConfluenceActionSupport.java:136)

            at sun.reflect.GeneratedMethodAccessor118.invoke(Unknown Source)

            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

            at java.lang.reflect.Method.invoke(Method.java:585)

            at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:260)

            at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:207)

            at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:250)

            at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:271)

            at org.apache.velocity.Template.merge(Template.java:296)

            at com.opensymphony.webwork.dispatcher.VelocityResult.doExecute(VelocityResult.java:91)

            at com.atlassian.xwork.results.ProfiledVelocityResult.doExecute(ProfiledVelocityResult.java:21)

            at com.opensymphony.webwork.dispatcher.WebWorkResultSupport.execute(WebWorkResultSupport.java:116)

            at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.util.LoggingContextInterceptor.intercept(LoggingContextInterceptor.java:48)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.security.actions.PermissionCheckInterceptor.intercept(PermissionCheckInterceptor.java:47)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.pages.actions.PageAwareInterceptor.intercept(PageAwareInterceptor.java:114)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.spaces.actions.SpaceAwareInterceptor.intercept(SpaceAwareInterceptor.java:67)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:39)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:25)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:98)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)

            at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)

            at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)

            at com.opensymphony.webwork.dispatcher.ServletDispatcher.serviceAction(ServletDispatcher.java:229)

            at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)

            at com.atlassian.confluence.util.profiling.ProfilingPageFilter.parsePage(ProfilingPageFilter.java:137)

            at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:54)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.core.filters.ServletContextThreadLocalFilter.doFilter(ServletContextThreadLocalFilter.java:21)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.confluence.util.LoggingContextFilter.doFilter(LoggingContextFilter.java:46)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.confluence.util.UserThreadLocalFilter.doFilter(UserThreadLocalFilter.java:44)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:182)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.seraph.filter.LoginFilter.doFilter(LoginFilter.java:161)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.jnj.confluence.NTLMFilter.doFilter(NTLMFilter.java:161)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.confluence.util.ClusterHeaderFilter.doFilter(ClusterHeaderFilter.java:35)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.johnson.filters.JohnsonFilter.doFilter(JohnsonFilter.java:96)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at org.springframework.orm.hibernate.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:174)

            at com.atlassian.spring.filter.FlushingSpringSessionInViewFilter.doFilterInternal(FlushingSpringSessionInViewFilter.java:29)

            at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:140)

            at com.atlassian.core.filters.ProfilingAndErrorFilter.doFilter(ProfilingAndErrorFilter.java:27)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.confluence.util.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:25)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.core.filters.gzip.GzipFilter.doFilter(GzipFilter.java:61)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)

            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)

            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)

            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)

            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)

            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)

            at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)

            at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)

            at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)

            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)

            at java.lang.Thread.run(Thread.java:595)

  36. Hi,

    does anyone use the jiraissues macro in confluence with active ntlm authentication in jira?

    This combination is not working in my installation (confluence receives a zero length file from jira, absolutley no logging information.....).

    When deactivating the ntlm authentication in web.xml the jiraissues macro is working again.

     
    Cheers

     
    Thomas

    1. We have the same problem, environment is JIRA 3.12.2 & Confluence 2.8.3, Confluence is configured as a trusted app in JIRA.  This error is logged in Confluence each time we try and use a jiraissues macro:

      [confluence.extra.jira.JiraIssuesMacro] getChannelElement Error while trying to assemble the RSS result: Error on line -1: Premature end of file.

       Nothing is logged on the JIRA side.  Deactivating NTLM auth in web.xml resolves the problem.  Turning off NTLM auth for our production JIRA install isn't a valid option and ideally we'd like this to work without purchasing a SSO application.  Any assistance would be greatly apprecaited.

  37. Got 0.5.3 working in 30 mins right out of the box - Now I just need to get the LDAP server properties setup so it will correctly pull the user full name and email on autocreate.  Thanks so much for this!

    Our environment:  IE 6, Windows 2003 native domain, with JIRA 3.11

  38. Has anyone gotten the displayname and mail values to pull from LDAP when a new user is automatically created?
    I believe I have the correct values in ntlm_ldap.properties, since I got them from the "add_user_via_LDAP-adminfa15-0[1].9.jar" JIRA plugin that we have working - It is able to correctly pull all the attributes.

    So right now, I get a new user automatically created, but JIRA's full name and email fields are not correctly filled in. 

    I've put the log4j.properties LDAPConfigurer to "debug", but don't see any additional stuff being written to stdout or stderr logs.

    Any suggestions?  Could someone post their ntlm_ldap.properties file if you have this working??

    Thanks!

    1. Here's my current properties file - Can anyone spot a problem?
      ---------------------

  39. HEy folks,

    i got the following error while integrating the plugin,

    The configuration for ladap ist gotten from the jira ldap auth ones,so it should be right i guess. 

    1. given the exception I'd guess you don't have ntlm.jar in your WEB-INF/lib folder. Have a look in your deployed war.

      1. No it works, but when a user opens the jira page, he will be promtped for credentials two time, one from the browser (IE7) and then by the jira login page (there is a message with "Wrong Login").

        Why this happens?

        Which preferences have to set in JIra to get this plugin to work?

        Installed - OK

        Log - OK

        Login - ERROR

  40. Just a followup to my previous posts about not getting the email and username filled in when a user is auto created.  That was my brain fart, since I was testing with an account that didn't have meaningful values in those fields. 

    So just following the instructions provided here, we are authenticating against LDAP (Windows AD) with SSO (no login prompt), and user accounts are automatically if they don't already exists. 

     Very Nice!  

  41. Hi all,We are using the Open Source NTLM SSO plugin with Standalone 2.7 with SQL & Active Directory. We find that occasionally the plugin will not load and present the user with the Login Page and the user gets stuck!!
    Is it possible for us to also add the LDAP connecotor in seraph-config.xml so we can basically have LDAP as a failover to the NTLM SSO. I know the open source SSO is not supported but if you can provide some work around help that would be good. Or if you know of possible other issues that might be causing this issue.

    We noticed that the IE Security Setting have a big part to play. Has anyone else had similar issues.

    1. We are having a similar problem with IE6, Server 2003, Jira 3.10.2
      I just upgraded to the 0.5.3 beta from 0.5.2, but this didn't help.
      When the NTLM auth fails I see this in the log file:

      2008-03-07 12:22:28,518 http-8080-Processor22 ERROR softwin.elearning.jiratools.NTLMWebHelper logon failed
      jcifs.smb.SmbAuthException: Access is denied.
      at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:503)
      at jcifs.smb.SmbTransport.send(SmbTransport.java:614)
      at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:277)
      at jcifs.smb.SmbSession.send(SmbSession.java:233)
      at jcifs.smb.SmbTree.treeConnect(SmbTree.java:154)
      at jcifs.smb.SmbSession.logon(SmbSession.java:169)
      at ro.softwin.elearning.jiratools.SMBHelper.doDCLogon(Unknown Source)
      ...

      We have two domain controllers and unless I specify a DC in the ntlm_ldap.properties file I get the "Invalid access to memory location" error. After specifying the DC we are seeing random failures like the one above. Usually I tell people to wait for 10 minutes and try again and it works. Any ideas how to solve this problem?

      1. Same problem here, but with IE 7. So far there hasn't been a problem observed with Firefox. Usually, the users have to wait for about 5-10 minutes, restart IE and it suddenly works.

        2009-10-20 08:33:02,309 http-80-4 ERROR [softwin.elearning.jiratools.NTLMWebHelper] logon failed
        jcifs.smb.SmbAuthException: Access is denied.
            at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:503)
            at jcifs.smb.SmbTransport.send(SmbTransport.java:614)
            at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:277)
            at jcifs.smb.SmbSession.send(SmbSession.java:233)
            at jcifs.smb.SmbTree.treeConnect(SmbTree.java:154)
            at jcifs.smb.SmbSession.logon(SmbSession.java:169)
            at ro.softwin.elearning.jiratools.SMBHelper.doDCLogon(SMBHelper.java:173)
            at ro.softwin.elearning.jiratools.NTLMWebHelper.doNTLM(NTLMWebHelper.java:152)
            at ro.softwin.elearning.jiratools.NTLMLoginFilter.doNTLM(NTLMLoginFilter.java:219)
            at ro.softwin.elearning.jiratools.NTLMLoginFilter.doFilter(NTLMLoginFilter.java:173)

  42. Hi all!

    I see there has been a discussion about the RPC previously, but I can't understand the outcome of it. I have enabled the NTLM plugin and it works fine from the IE/FireFox, but I can't access Jira via the Eclipse MyLyn plugin.If looking in the web.xml the rpc is set to use login_jira, and MyLyn works with local Jira-accounts, but not the NTML-accounts.  

    Does the problem belong to this plugin, or the MyLyn-plugin? 

    Has anybody succesfully used the NTLM-plugin together with  MyLyn for an NTLM-account? If so, did you do any special configurations?

    Will enabling  the shipped LDAP-configuration solve the problem, or will I only get a conflict the NTLM-login?

    1. Mylyn has limited support for NTLM authentication. Please refer to this FAQ entry for more details: 

      http://wiki.eclipse.org/index.php/Mylyn_FAQ#NTLM_authentication

  43. Hello,

    I would like to ask you for help.

    I am using:
    - Jira EE 3.12.1, which is instaled on PC in domain A
    - domain B
    - pc PC_A, which is in domain A
    - pc PC_B, which is in domain B
    - user X, has account in domain A,B and Jira
    - user Y, has account in domain A and Jira

    I have instaled ntlm authentication plugin 0.5.2 according to the manual, which was in the files readme and instal, both are in the plugin instalation file

    On both computers (PC_A and PC_B):
    - I have changed Firefox about:config by adding Jira URL into network.automatic-ntlm-auth.trusted-uris variable.
    - In Internet Explorer I have added Jira URL into internet options / security / local intranet / sites

    When I log in to PC_A as user X or Y, I am able to visit Jira site without need to log in to Jira both from Internet Explorer and Firefox.
    When I log in to PC_B as user X and use Firefox, I am able to visit Jira without need to log in
    When I log in to PC_B as user Y and use Firefox, I am able to log in to Jira when I add /login.jsp after Jira url (user Y is not in domain B so he must log in)

    Only problem is when I log in to PC_B as user X or Y and use Internet Explorer 7 :
    - I am not able to visit Jira site as user X, becouse Jira responds that user does not exist
    - I am not able to log in to Jira even when I add /login.jsp after Jira url (not working for user X and Y)

    Is for anyone working loging to Jira from different domain when using Internet Exporer 7 ?

    Thanks for help and tips.

    ivo

  44. Hi,

    I am looking for help building the plugin from source.

    I downloaded the source from the trunk and tried to build it using maven 2, but I get the following problem:

    [INFO] [compiler:compile]
    [INFO] No sources to compile

    does one need to make changes in pom.xml or project.xml in order to generate class files?

    1. Eeeerrrrr..... OK I figured it out on my own...

       So I have added some "features" to the plugin:

      # If set, user will get this password in JIRA. Else the password is auto-generated

      autoCreatePwd =Tomtegubba

      # If set, user will be added to/removed from (JIRA) groups that begin with this pattern
         userJIRAGroupPattern = jira-,confluence-

      Basically autoCreatePwd helps you to assigned the same password to all auto-created users in JIRA so you can use the password for RPC/SOAP access for example.

      userJIRAGroupPattern (is not really a pattern match but this could be done) will watch groups that a LDAP user is member of but also not a member of in the LDAP server and if equivalent groups are found in JIRA, the user will be added/removed from these groups. This should help administering user memberships on the LDAP only (NOTE: Groups are not auto-created nor deleted).

      If some of you have interest for this code (based on trunk revision 9844) let me know.

  45. Will there be a final 0.5.3 Version? Got Jira 3.13 working with 0.5.3 beta (smile) !

  46. Hi Daniel, I wonder if there is any provision to handle the case of duplicated name from different domains. Usually this can be taken care of by prefixing the user name with domain when creating user profile but not in in this case based on my test.

  47. Has anyone had luck installing JIRA on Windows 2008 64 bit using NTLM Authentication?  I got JIRA up and running and LDAP works as well, however I LOVE this plug-in and spoiled my programming department using it.  I had it working on a Windows 2003 32 bit server just fine but we are moving forward with 2008 in my department and I suppose on the bleeding edge.

    When I install 5.2 it doesn't seem to do anything, I can still log in but with 5.3 tomcat becomes unresponsive.  I also tried using a few versions of the jCIFS (and beta) but just couldn't get it to work.  Any ideas?

  48. I have been running the 0.5.3 beta in JIRA 3.11 successfully, however testing shows that the AUTOCREATE user function is broken in JIRA 3.13.  Domain authentication works fine though, so if you don't need the autocreate feature, then you are OK. 

    Anyone gotten the autocreate working in 3.13?  We really need it before we can upgrade to 3.13!!!

    1. I got it working after replacing follow line in ro.softwin.elearning.jiratools.JIRAUserUtils

      user = JiraUserUtils.createJiraUser(_username,RandomGenerator.randomString(PASSWORD_LENGTH),"",null);

      withuser = com.atlassian.core.user.UserUtils.createUser(username, RandomGenerator._randomString(PASSWORD_LENGTH), "", null);The reason is com.atlassian.jira.util.JiraUserUtils is no longer supported in 3.13.

      1. Thanks Fred, but where do I find "ro.softwin.elearning.jiratools.JIRAUserUtils"...

        I found it - Thanks.

        1. Fred, we are not java programmers and are struggling to get this recompiled and packaged - Can you provide your updated jar with the fix for all of going to 3.13? (attach to this page)  That would be a very big help!!!   Thanks.

          1. I've attached the fix based on stable release 0.5.2 to this page. Go to Tools > Attachments and you should find it.
            I haven't tested this jar file though. What I'm using is a proprietary customized package. But it contains the same one-liner fix.

  49. Did anyone ever get the LDAP group functionality working?  I am using 0.5.3 and tried many syntax variations but could never get success (sad)

    Here the section in the ntlm_ldap.properties I'm referencing....

    -----------------

    #  If set, LDAP users must be members of this LDAP group (specified either by full DN or just CN) to be allowed NTLM login.
    #requiredLDAPGroup =

  50. Hi Fred,

    I have the same issue as Tyler. I read in the install doc for the plugin that "If you want to build the classes yourself, there is a build.sh script that should work on most unices." However I cannot find the script? Could you please attach either the script of as Tyler requested updated jar? I would be of great help as our IT dept are getting pressure from management for this feature.

    Thanks

  51. Hi Fred,

    Many thanks for the uploaded JAR (smile) Auto creation now working, and management are off my back! It's turning into a great Friday!

    Many thanks

  52. I'm using Jira 3.13 and the uploaded jar. I'm not as fortuante as Jamie Blanking. I cant get it to work.

    This is from the log:

    2008-10-27 17:48:25,905 http-8088-Processor23 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] [null] POST http://yapp.tooling.sandvik.com:8088/login.jsp 0 bytes (Ref:http://yapp.tooling.sandvik.com:8088/secure/Dashboard.jspa) (UA:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322))
    2008-10-27 17:48:25,905 http-8088-Processor23 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is IE renegociating?
    2008-10-27 17:48:25,905 http-8088-Processor23 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: do we have an user already?
    2008-10-27 17:48:25,905 http-8088-Processor23 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: wants form login?
    2008-10-27 17:48:25,905 http-8088-Processor23 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: is authentication actually required?
    2008-10-27 17:48:25,905 http-8088-Processor23 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] needsNTLM: verdict = yes
    2008-10-27 17:48:25,905 http-8088-Processor23 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] allowsNTLM: did the NTLM previously fail?
    2008-10-27 17:48:25,905 http-8088-Processor23 INFO [softwin.elearning.jiratools.NTLMLoginFilter] /login.jsp session has previously tried NTLM, and failed
    2008-10-27 17:48:25,905 http-8088-Processor23 DEBUG [softwin.elearning.jiratools.NTLMLoginFilter] NTLM not allowed for http://yapp.tooling.sandvik.com:8088/login.jsp

  53. I still cannot get Fred's modified 0.5.2 jar working 100% - If the user is already in JIRA, then NTLM authentication is working fine and single-sign-on (SSO) also works great - But when a new user hits the JIRA instance, this is what I get in output...

     2008-10-30 11:26:41,333 http-8081-Processor23 WARN [softwin.elearning.jiratools.JIRAUserUtils] will create JIRA user t99511 from (NNG\t99511)
    2008-10-30 11:26:41,521 http-8081-Processor23 ERROR [softwin.elearning.jiratools.NTLMLoginFilter] NTLM went ok but could not login to JIRA.
    2008-10-30 11:26:41,521 http-8081-Processor23 ERROR [softwin.elearning.jiratools.NTLMLoginFilter] This could be either a bad login, or you might have configured a custom Authenticator for JIRA.
    2008-10-30 11:26:41,521 http-8081-Processor23 ERROR [softwin.elearning.jiratools.NTLMLoginFilter] Check the README.
    2008-10-30 11:26:41,521 http-8081-Processor23 ERROR [softwin.elearning.jiratools.NTLMLoginFilter] T99511: NTLM went ok but could log in.  Disabling NTLM for this session.

    The wierd thing is that the account IS created correctly in JIRA, but it is not added automatically to the jira-users group and even if I manually add the new account to the group, the user still can't login.  

    1. Correction - If I close and relaunch IE, then the new user can get logged in with SSO after they've been added to the jira-users group. 

      So my only outstanding issue is that new users aren't been automatically added to the default user group using this plugin with JIRA 3.13. 

      Anyone have an idea?

      Jamie, are your new users being added to the group correctly? 

      1. Got it fixed - Hope this helps others...

        With the 0.5.2 NTLM plugin and JIRA 3.11, the ntlm_ldap.properties file requiredJIRAGroup property was not required.  New users that were automatically created would be added to the jira-users group at the same time.

        With the "Fred-patched" 0.5.2 NTLM plugin and JIRA 3.13, the ntlm_ldap.properties file requiredJIRAGroup property IS required. So to fix, all I had to do is set the following...

        #  If set, JIRA users must be members of this JIRA group to be allowed NTLM login.
        #  If autoCreate is also set, newly created users are made members of this group.
        requiredJIRAGroup = jira-users

  54. Hi

    I'm a new in JIRA and i have a question: for SSO authentication the NTLM plugin is all what i need? Is Crowd required?

    Thanks for answear

  55. Hi

    I think that i configured corectly ntlm_uuth.properties, becouse when my application serwer is running up there is a log:

    When i typy url to jira i have an error:

    Have You any suggestions about this error?
    Thanks for help

    1. This looks like a problem with the JCifs library, we had the same thing with the 5. NTLM Authenticator for Confluence, Comments 07-08 an unexpected 0byte challege response seems to get generated (8byte expected), if you are using > 1.2.24 (eg 1.3.0) try downgrading to 1.24 and see if the IndexOutOfBoundsException goes away...

      1. Thanks a lot Andy. You are the best (smile)

  56. Hi Daniel!

    First let me say thanks for the work you do on that plugin - great job!

    We use the JIRA NTLM plugin to authenticate our users from a linux based JIRA installation against MS Active Directory 2003 and I had to change a few things in source code.
    Maybe the things I did are helpful for anybody else or further development, so I add the two diff files for the files I changed:

    1.) Removed the dependency on JiraUserUtils

    JIRAUserUtils.diff

    2.) We use a dedicated domain controller within our netwerk. Thus we have to configure the "jcifs.http.domainController" to make sure, the jcifs library uses the correct domain controller. To make sure, the
    "jcifs.*" properties are used, I add the following to LDAPConfig.java:

    LDAPConfig.java.diff

    Maybe this is useful!

    Cheers!

    Thomas

  57. Hello again!

    Found a problem with trusted applications trying to login to Jira. This for example happens when one uses the "jira-portlet" macro in Confluence. Add another class to do the certificate checks and User name retrieving (appended class to this comment), had to change NTLMLoginFilter.java also:

    NTLMLoginFilter.java

    and here's the new class:

    CertificateUserUtils.java

    Hope this is useful!

    Cheers!

    Thomas

    1. Hi Thomas,

      What version of Jira (or other libraries) did you compile the NTLM Trusted app fix against?  Trying to get it to work with 3.13.1 & the codebase seems to have moved on quite a lot & it won't compile.

      Thanks,

      Matthew

    2. Hello again!

      I've got this code compiling with Jira 3.13.1 and by adding the atlassian-trusted-apps-core 1.0 jar in the project.xml file but it doesn't appear to work.

      Looks like the incoming request from Confluence is missing the Seraph HTTP headers (e.g. X-Seraph-Trusted-App-Cert,X-Seraph-Trusted-App-ID etc)more info

      Is there any part of the Atlassian code that would strip headers from a request?  When we edit the web.xml to point back to the Jira login filter it all works fine.  When we use the NTLMLogin Filter is all goes bady wrong.

      I'm guessing that this code worked with a previous version of Jira but I don't know which & what has changed in the codebase.

      Matthew

  58. Hi,

    I'm using JIRA 3.13 + CROWD 1.4.4 (Build:#304) + SSL + NTLM (NTLM Authentification version 0.5.3)

    An exception is thrown while updating AD user:


    ntlm_ldap.properties:

    Without NTLM Authentication module works fine.
    Any ideas?

    Thanks.

  59. Is there a way to configure JIRA to be able to use SSO NTLM login as well as "normal" password based login? The reason why we need this is because we have user based logins (SSO) and group logins like "development-team-xy" ("normal" login). Hopefully I explained it correctly (smile). Thank you!

    1. Michael,

      YES - It will do SSO login, but will throw up the login screen if user is not recognized - At that point you can put in a JIRA username and password.  Also, you can bypass SSO by going right to the login.jspa (I don't remember the actual URL)

      1. I put a link to /login.jsp into the Introduction (Admin>General Config) which shows on the default dashboard

  60. Hi Everone!!!

    I have a question: is it possible that NTLM_plugin dosen't receive users e-mail from AD? When an example user has e-mail user@abc.com and it is in JIRA. In domain this user has e-mail user@domain.com. When user is logged into JIRA his own e-mail (user@abc.com) is rewrited by domain e-mail (user@domain.com). I want to use non-domain e-mail for JIRA users. Is it possible?

    Thanks for answear

  61. Hi,

    I am having problems with this plug-in (version 0.5.2) on JIRA 3.12.

    When the user is logged into a Windows computer with a username that does not exist in JIRA, they are unable to log in manually to JIRA (with JIRA credentials), even if they go to the login.jsp page.

    However, when they are logged into Windows with a username does exist in JIRA, then everything works fine. They can log in with SSO, or they can choose to log in with JIRA credentials at the login.jsp page.

    We are not trying to create a new user in JIRA using LDAP. We are just trying to log in.

    From reading the logs, it looks as if the process tries to failover to the default login page, but then it is being prevented from executing.

    Am I reading the logs correctly? Can anyone assist?

    thanks,

    P

  62. NTLM & Trusted Application

    We're finding we can't establish a working trust application link to Jira with the NTLM plugin.   This is quite a major issue for us and we'll need to take the plugin out quite soon if we can't find a fix.

    Did you managed to test the code submitted by Thomas Haselwanter?

    It seems to be a known issue with the code.

  63. Finally got this working perfectly with jira 3.13.4!

    Turned out you need a specific version of the jcifs jar (that being jcifs-1.2.25.jar*)* ive attached it. That in combination with the modi-fed 0.5.2 version of the plugin thanks to fred!

    Other than that just make sure you get all your settings right! I found it handy to set up the built in LDAP service in jira first to make sure everything was right with my LDAP settings.

  64. Hi,

    I've a problem to use this nice plugin on linux with jira 3.13.2.

    I've configured activedirecory as ldap (this works) but with ntlm i've got always an 401 error page.

    In the catalina.out:
    org.apache.jk.server.JkCoyoteHandler - Response already commited

    I'm using jcifs-1.2.25.jar and freds modified version 0.5.2.

    Could someone help me, please.

    Thanks alot.

    Sascha

  65. Hi guys,

    I managed to make this plug-in working with JIRA v4.0#466 except the Dashboard where I have this errors:

    Any help on fixing this issue will be aprecieted!

    Thanks!

    1. Radu,

      I've seen this error and I have fixed it by modifying WEB-INF/web.xml with 2 filter mappings (not sure now if they both are needed)

      However now, I have stucked with the following info:

      I'm not sure, but it seems as if the behaviour of the default Authenticator between 3.x and 4.0 has changed, and the plugin is no longer compatible with it(sad)

      Here is what the README says

      To fool Jira in letting the user login without proper (as far as Jira is
      concerned) credentials, the default Authenticator implementation is replaced
      with a custom one that will accept as password, for any user, a (long) runtime
      generated random key. However, this trick only works when the default
      Jira authenticator is used; that is, when the seraph-config.xml file has not
      been altered (much)

      Please let me know if you encounter this problem.
      Cheers,
      Lukasz
      PS. My environ: Jira4.0, ntlmauth4jira-0.5.3, jcifs-1.2.25

      1. Hi!

        I've finally manage to run this plugin with Jira 4.0! The problem was that Jira 4.0 uses JiraOsUserAuthenticator instead of DefaultAuthenticator. There are 2 solutions:

        1. switching athentication back to DefaultAuthenticator
          seraph-config.xml
          81c81
          <     <authenticator class="com.atlassian.jira.security.login.JiraOsUserAuthenticator"/>
          ---
          >     <authenticator class="com.atlassian.seraph.auth.DefaultAuthenticator"/>
        2. making ro.softwin.elearning.jiratools.BypassDefaultAuthenticator a subclass of JiraOsUserAuthenticator

        Temporarily I have chosen the first one. The problem is that I am evaluating Jira so I do not have access to Jira source code, thus I don't know the consequences of such solution. According to documentation JiraOsUserAuthenticator introduces only some event handling

        public class JiraOsUserAuthenticator
        extends com.atlassian.seraph.auth.DefaultAuthenticator

        A simple wrapper over Seraphs DefaultAuthenticator that allows us to jump in on certain events. It uses OSUsers authetication mechanisms

        , so getting rid of this should be harmless. I hope.

        Cheers,
        Lucas
        PS. One more thing. In order to be able to uses jcifs-1.3.12 instead of jcifs-1.2.25 I had to provide additional options to java

        -Djcifs.smb.lmCompatibility=0 -Djcifs.smb.client.useExtendedSecurity=false
        
        1. HI,

          I prepare seraph-config.xml and web.xml  with your suggestion and now NTLM work ok but dashboard not work :)

          Gadget error:"Error loading gadget: org.apache.shindig.gadgets.GadgetException: Unable to retrieve gadget xml. HTTP error 401"

          Any ideas how to correct it ???

          Rafal

        2. HI all,

          I  am encountering the same issue as Viking - the log in is working, but I cannot see anything on the dashboard, even as jira-administrator. I am kind of desperate here and want to make this work. Does anybody have this working and put me in the right direction ? Also, it would be great to know where to look exactly for a solution, as I don't have any idea what exactly is broken now.

          I followed the steps Lukasz was writing (changing web.xml, seraph-config.xml) and also added the java opts in a system variable on windows; same error message:

          Error loading gadget: org.apache.shindig.gadgets.GadgetException: Unable to retrieve gadget xml. HTTP error 401

          Cheers,

          Christoph

  66. NTLM SSO authentication is completely broken in our Prod JIRA 3.13 instance with Windows 7 clients unless we add the following registry entry to the client....

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    • If it doesn't exist, create a DWORD value named LmCompatibilityLevel and set the value to 1 to use LM NTLM and NTLMv2 if is negociated, this is

    ......Fellow IT staff say this is an unnacceptable fix, because it lowers the security mechanism of the entire client, just to make 1 application (JIRA) work.  Is there anything that can be done to this plugin to "update" it to work with Windows 7 out of the box?

    1. Hi,

      we had to do the same (Windows Vista in our case).

      The problem is that Lsa=3 (which is the default since Vista) means "Use NTLM version 2", everything below this value means "Use NTLM version 1". JCIFS is unable to provide correct NTLMv2 functionality, JESPA (not free and payed) should be used instead. More info at jcifs HTTP authenticator page

  67. Any plans for NTLM to support JIRA 4.0 for SSO? Would love to get it going/supported.

    Respectfully,

    -Jeremy N

  68. Hi,

    I am testing the NTLM Authentication plugin ver. 0.5.3 beta with JIRA 3.13 and it seems that is not working for me. When I try to open JIRA the logon form shows up and in my logfile appears

    When I enter domain username and password the user is logged but I would like to the user automatically logged in. In my ntlm_ldap.properties file is:

    Any ideas how to configure this plugin or anyone got the same problem and solve it?

    1. Hi,

      in my case this was caused by incorrect jcifs version. However, I wasn't able to find compatible version without sideffects (if you have 800 users there's still somebody who has a problem :) )

  69. Hi Paul,

    I need a step by step Tutorial in order to Install NTLN plugin in my Jira 4.0 Enterprise (Evaluation), my Jira is installed on Windows 2003 Server, Tomcat 6.0 and SQL Server 2005, thanks.

  70. It really would be amazing to have this functionality in 4.1.Are you at all thinking about configuring this for any version above 3.7?

  71. Hello everybody,

    I succesfully managed to create a plugin that uses standard NTLM functionality (absolutely no need to use jcifs if you don't need to get email+use fullname, e.g. you use Crowd). It's a combination of ApacheHttpServer + mod_auth_sspi + mod_proxy_ajp + ApacheTomcat. The trick is simple:

    - use mod_auth_sspi for jira/confluence location in Apache

    - use mod_proxy_ajp to proxy all connections for jira/confluence from HttpServer to Tomcat

    - setup Tomcat to get user from apache (to make getRemoteUser call return the user)

    - disable remote access for Tomcat (just localhost ajp connection provider) to make the solution secure

    - use the altered version of this plugin the does not use jcifs, just gets the username from HttpServletRequest.getRemoteUser()

    Alternatively, I can publish the jira and confluence plugins somewhere on studio.atlassian.com

    1. Ladislav,

      I've managed to set up apache with the mod_auth_sspi and mod_proxy_ajp, and have them redirecting to the JIRA app. However I haven't been able to disable remote access (is it in a properties file or a conf/.xml file?) nor grab remote user via getRemoteUser(), therefore I can't get around the builtin JIRA authentication yet. Can you provide a more detailed list of instructions?

      I'm assuming what you are suggesting here is going to require source changes to this existing plugin in order for it to work. I have no problem building the plugin myself for this purpose, but I would like to have a better idea of what I'm to do before I continue on.

      Thanks!

      1. Hi Troy,

        open your Tomcat\conf\server.xml file and change the following:

        - find Connector section with protocol HTTP/1.1, usually at port 8080 and comment it out - this will disable direct access without providing NTLM username

        - find Connector section with protocol AJP/1.3, usually at port 8009 and add these attributes: URIEncoding="UTF-8" tomcatAuthentication="false" address="127.0.0.1"

        To explain the 3 attributes:

        - URIEncoding solves issue with accent characters in jira quick search

        - tomcatAuthentication forces Tomcat to use HttpServer authentication rather than its own - this will cause getRemoteUser to return NTLM username

        - address tells Tomcat to listen/accept only localhost connections

        Don't forget to set auth-ssp section in http server and use as many log entries as possible in your plugin :)

        1. Hello Ladislav,

          I configured my mod_auth_ssp as mentioned above and have the following problem:

          request.getRemoteUser() is always null. The Authentification with Apache mod_auth_ssp works in IE, but the User is not forwarded to the Confluence Tomcat. I tried everything, also tomcatAuthentication="false".

          Could you post your apache settings in httpd.conf?

          Thanks,

          Heiko

      2. Oh, I almost forgot to read the part about plugin changes. Of course you have to change the source - this plugin covers the whole communication between tomcat and active directory to confirm NTLM hash validity. This part in NTLMLoginFilter.doFilter method has to be removed and replaced by simple getRemoteUser call to get the username.

        1. Hello Ladislav Lencucha,

          could you publish your jira and confluence plugins somewhere?

          I'm trying to set up Jira and Confluence with NTLM/SSO without using crowd

          1. Sorry for the delay (it's one year, uf), here it is:

            http://www.lacike.sk/?p=184

  72. Hello everyone,

    I am currently in the process of trying to use this with the newest version of Jira (4.1.2) and I have not yet seen any success.  That being said, I am not seeing the same errors as others who have tried to run with Jira > 3.7.  The error I am getting is:

    jcifs.util.transport.TransportException: java.io.IOException
    java.io.IOException: Failed to establish session with (LOCALHOST)/123.123.123.123
      at jcifs.smb.SmbTransport.ssn139(SmbTransport.java:230)
      at jcifs.smb.SmbTransport.negotiate(SmbTransport.java:247)
      at jcifs.smb.SmbTransport.doConnect(SmbTransport.java:309)
      at jcifs.util.transport.Transport.run(Transport.java:232)
      at java.lang.Thread.run(Thread.java:619)
    ...
    Followed by another of the same error

    This may be a simple problem which will eventually lead me down the path that others have seen, but for the life of me I cannot understand why the smb is trying to connect to the localhost (which has obv. been changed to hide the address).  The ntlm_ldap.properties file is as follows:

    domains = MYDOMAIN
    domainController = ANOTHERHOST.MYDOMAIN.com
    bypassJIRAAuthentication = yes
    java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
    java.naming.referral = follow
    java.naming.provider.url = ldap://122.122.122.122
    searchBase = DC=MYDOMAIN,DC=com
    uidAttribute = sAMAccountName
    java.naming.security.principal = user@MYDOMAIN.com
    java.naming.security.credentials = password

    Perhaps I am missing something extremely obvious, but possibly not.
    Any insight would be worth a lot to me.

    Thanks

  73. Hi,

    I have attached a patch to http://jira.atlassian.com/browse/JRA-2398 which makes the plugin work at our site with JIRA 4.3.2. The patch is based on version 0.5.2 of the plugin.

    Thomas

    1. Hi,
      I tried instal it on JIRA 4.3.4 but receive error when open my JIRA page...

      java.lang.NoClassDefFoundError: com/atlassian/seraph/filter/SecurityHttpRequestWrapper
              at ro.softwin.elearning.jiratools.NTLMLoginFilter.doFilter(NTLMLoginFilter.java:95)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
              at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
              at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:71)
              at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
              at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
              at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
              at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:59)
              at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.jira.web.filters.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:53)
              at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:350)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:81)
              at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:51)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
              at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
              at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.core.filters.cache.AbstractCachingFilter.doFilter(AbstractCachingFilter.java:33)
              at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.core.filters.encoding.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:41)
              at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
              at com.atlassian.jira.web.filters.PathMatchingEncodingFilter.doFilter(PathMatchingEncodingFilter.java:49)
              at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.jira.web.monitor.ActiveRequestsFilter$PassToChainFilterFunc.doFilter(ActiveRequestsFilter.java:346)
              at com.atlassian.jira.web.monitor.ActiveRequestsFilter$DebugLogFilterFunc.doFilter(ActiveRequestsFilter.java:463)
              at com.atlassian.jira.web.monitor.ActiveRequestsFilter.doFilter(ActiveRequestsFilter.java:173)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.jira.startup.JiraStartupChecklistFilter.doFilter(JiraStartupChecklistFilter.java:76)
      		at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.multitenant.servlet.MultiTenantServletFilter.doFilter(MultiTenantServletFilter.java:91)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.atlassian.jira.web.filters.JiraFirstFilter.doFilter(JiraFirstFilter.java:67)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:554)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
              at java.lang.Thread.run(Thread.java:619)

      Any ideas?

  74. In case someone comes to this page in search of NTLMv2 solution:

    TechTime Initiative Group http://techtime.co.nz, an Atlassian Expert in New Zealand has been providing NTLMv2 (handles v1 too) authenticator for Confluence and Jira, based on Jespa from IOPlex (http://www.ioplex.com) for over 2 years at a quite reasonable one-off price of NZ$150 (plus Jespa's license fee payable to IOPlex).

    1. I setup it with Jira 4.4.1 and it works perfect for me. Thank you for link!

  75. Hello,

    is there anybody who got this working wiht the latest JIRA 5.0.2 ?? i need SSO over NTLM and this plugin wont work for me ... under user >> user-directories >> windows-ad i can connect successful to the LDAP-Server ... but the plugin wont work

    1. This plugins has not been maintained for a long time. If you require NTLM authentication for Jira 5.x you can use our plugin based on Jespa from IOPlex.

      You can try it for free here: http://turningright.co.nz/display/TurningRight/NTLM+Authenticator

  76. Has anyone succesfully got this going with JIRA 5?

    I understand its old, but I actually did get it partially working. You recieved the SSO prompt (so IE just logged you in, and firefox gave you a popup prompt to login).

    However JIRA didn't have knowlege of the authentication, so you still had to log onto JIRA once you had logged in via NTLM SSO.