Symptoms

When attempting to integrate a NTLM proxy within JIRA, any of the below can occur:

1. JIRA will be unable to access the Atlassian Marketplace through the Universal Plugin Manager.
2. Fisheye application links may not work.
3. Support Tools (Hercules scan) will be unable to run as it cannot fetch the require metadata.
4. Built-in feedback will no longer work.
5. 'What's new' gadget will not be able to retrieve information.
6. The below JVM arguments may not be recognised:
   -Dhttp.proxyHost
-Dhttp.nonProxyHosts
-Dhttp.proxyPort
-Dhttp.proxyUser
-Dhttp.proxyPassword
-Dhttp.auth.ntlm.domain

The following appears in the atlassian-jira.log:

2012-06-22 11:22:22,363 StreamsCompletionService::thread-3 ERROR bmills 681x247x6 1ku2b0i 10.128.49.73 /plugins/servlet/streams [apache.commons.httpclient.HttpMethodDirector] Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
org.apache.commons.httpclient.auth.InvalidCredentialsException: Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
	at org.apache.commons.httpclient.auth.NTLMScheme.authenticate(NTLMScheme.java:331)
	at org.apache.commons.httpclient.HttpMethodDirector.authenticateProxy(HttpMethodDirector.java:319)
	at org.apache.commons.httpclient.HttpMethodDirector.authenticate(HttpMethodDirector.java:231)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:169)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
	at com.atlassian.sal.core.net.HttpClientRequest.executeMethod(HttpClientRequest.java:479)
	at com.atlassian.sal.core.net.HttpClientRequest.executeAndReturn(HttpClientRequest.java:306)
	at com.atlassian.plugins.rest.module.jersey.JerseyRequest.executeAndReturn(JerseyRequest.java:158)
	at com.atlassian.applinks.core.auth.ApplicationLinkRequestAdaptor.execute(ApplicationLinkRequestAdaptor.java:85)
	at com.atlassian.streams.internal.AppLinksActivityProvider.fetch(AppLinksActivityProvider.java:416)
	at com.atlassian.streams.internal.AppLinksActivityProvider.access$200(AppLinksActivityProvider.java:96)
	at com.atlassian.streams.internal.AppLinksActivityProvider$1.call(AppLinksActivityProvider.java:178)
	at com.atlassian.streams.internal.AppLinksActivityProvider$1.call(AppLinksActivityProvider.java:170)
	at com.atlassian.streams.internal.FeedBuilder$ToFeedCallable$1.call(FeedBuilder.java:115)
	at com.atlassian.streams.internal.FeedBuilder$ToFeedCallable$1.call(FeedBuilder.java:110)
	at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at com.atlassian.util.concurrent.LimitedExecutor$Runner.run(LimitedExecutor.java:96)
	at com.atlassian.sal.core.executor.ThreadLocalDelegateRunnable.run(ThreadLocalDelegateRunnable.java:34)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Cause

Currently JIRA and Stash does not support all implementations of integration with NTLM proxies and due to this certain areas of JIRA will not function fully when using one. For further information, please take a look at the below issues:

• Fisheye:  FE-4164 - Getting issue details... STATUS  
• JIRA: JRA-2398 - Getting issue details... STATUS
• Universal Plugin Manager:  Unable to locate Jira server for this macro. It may be due to Application Link configuration.
• Shared Access Layer:  Unable to locate Jira server for this macro. It may be due to Application Link configuration.

Workaround

As you can see from past comments: here and here, customers reported success by following the steps below:

• Install Cntlm Authentication Proxy locally to their JIRA/Stash server

• Configured and tested it to make sure "Cntlm" works with their corporate NTLM and then used the parameters

  How to test Cntlm is working with your NTLM

  Update your user, domain, and proxy information in cntlm.ini, then test your proxy with this command (run in your Cntlm installation folder):

  cntlm -c cntlm.ini -I -M http://google.ro
  

  It will ask for your password, and hopefully print your required authentication information, which must be saved in your cntlm.ini

  Sample cntlm.ini:

  Username            user
  Domain              domain
  
  # provide actual value if autodetection fails
  # Workstation         pc-name
  
  Proxy               my_proxy_server.com:80
  NoProxy             127.0.0.*, 192.168.*
  
  Listen              127.0.0.1:54321
  Listen              192.168.1.42:8080
  Gateway             no
  
  SOCKS5Proxy         5000
  # provide socks auth info if you want it
  # SOCKS5User          socks-user:socks-password
  
  # printed authentication info from the previous step
  Auth            NTLMv2
  PassNTLMv2      98D6986BCFA9886E41698C1686B58A09
  

  Note: on linux the config file is cntlm.conf

• Have the configuration described on Configure an outbound proxy for use in Jira server point to the local "Cntlm" proxy instead - and that one will do the job to talk to NTLM.

There are no other current workarounds for Fisheye - please see FISH-436 for further information.