JIRA is Unable to Use NTLM Authentication

Still need help?

The Atlassian Community is here for you.

Ask the community

The content on this page relates to platforms which are not supported for JIRA Applications. Consequently, Atlassian cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.


Symptoms

When attempting to integrate a NTLM proxy within JIRA, any of the below can occur:

  1. JIRA will be unable to access the Atlassian Marketplace through the Universal Plugin Manager.
  2. Fisheye application links may not work.
  3. Support Tools (Hercules scan) will be unable to run as it cannot fetch the require metadata.
  4. Built-in feedback will no longer work.
  5. 'What's new' gadget will not be able to retrieve information.
  6. The below JVM arguments may not be recognised:
    -Dhttp.proxyHost
    -Dhttp.nonProxyHosts
    -Dhttp.proxyPort
    -Dhttp.proxyUser
    -Dhttp.proxyPassword
    -Dhttp.auth.ntlm.domain

The following appears in the atlassian-jira.log:

2012-06-22 11:22:22,363 StreamsCompletionService::thread-3 ERROR bmills 681x247x6 1ku2b0i 10.128.49.73 /plugins/servlet/streams [apache.commons.httpclient.HttpMethodDirector] Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
org.apache.commons.httpclient.auth.InvalidCredentialsException: Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
	at org.apache.commons.httpclient.auth.NTLMScheme.authenticate(NTLMScheme.java:331)
	at org.apache.commons.httpclient.HttpMethodDirector.authenticateProxy(HttpMethodDirector.java:319)
	at org.apache.commons.httpclient.HttpMethodDirector.authenticate(HttpMethodDirector.java:231)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:169)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
	at com.atlassian.sal.core.net.HttpClientRequest.executeMethod(HttpClientRequest.java:479)
	at com.atlassian.sal.core.net.HttpClientRequest.executeAndReturn(HttpClientRequest.java:306)
	at com.atlassian.plugins.rest.module.jersey.JerseyRequest.executeAndReturn(JerseyRequest.java:158)
	at com.atlassian.applinks.core.auth.ApplicationLinkRequestAdaptor.execute(ApplicationLinkRequestAdaptor.java:85)
	at com.atlassian.streams.internal.AppLinksActivityProvider.fetch(AppLinksActivityProvider.java:416)
	at com.atlassian.streams.internal.AppLinksActivityProvider.access$200(AppLinksActivityProvider.java:96)
	at com.atlassian.streams.internal.AppLinksActivityProvider$1.call(AppLinksActivityProvider.java:178)
	at com.atlassian.streams.internal.AppLinksActivityProvider$1.call(AppLinksActivityProvider.java:170)
	at com.atlassian.streams.internal.FeedBuilder$ToFeedCallable$1.call(FeedBuilder.java:115)
	at com.atlassian.streams.internal.FeedBuilder$ToFeedCallable$1.call(FeedBuilder.java:110)
	at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at com.atlassian.util.concurrent.LimitedExecutor$Runner.run(LimitedExecutor.java:96)
	at com.atlassian.sal.core.executor.ThreadLocalDelegateRunnable.run(ThreadLocalDelegateRunnable.java:34)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Cause

Currently JIRA and Stash does not support all implementations of integration with NTLM proxies and due to this certain areas of JIRA will not function fully when using one. For further information, please take a look at the below issues:

  • Fisheye: FISH-436 
  • JIRA: JRA-2398 - Getting issue details... STATUS
  • Universal Plugin Manager:  UPM-1104 - Getting issue details... STATUS
  • Shared Access Layer:  SAL-166 - Getting issue details... STATUS

Workaround

As you can see from past comments: here and here, customers reported success by following the steps below:

  • Install Cntlm Authentication Proxy locally to their JIRA/Stash server
  • Configured and tested it to make sure "Cntlm" works with their corporate NTLM and then used the parameters

    How to test Cntlm is working with your NTLM

    Update your user, domain, and proxy information in cntlm.ini, then test your proxy with this command (run in your Cntlm installation folder):

    cntlm -c cntlm.ini -I -M http://google.ro
    

    It will ask for your password, and hopefully print your required authentication information, which must be saved in your cntlm.ini

    Sample cntlm.ini:

    Username            user
    Domain              domain
    
    # provide actual value if autodetection fails
    # Workstation         pc-name
    
    Proxy               my_proxy_server.com:80
    NoProxy             127.0.0.*, 192.168.*
    
    Listen              127.0.0.1:54321
    Listen              192.168.1.42:8080
    Gateway             no
    
    SOCKS5Proxy         5000
    # provide socks auth info if you want it
    # SOCKS5User          socks-user:socks-password
    
    # printed authentication info from the previous step
    Auth            NTLMv2
    PassNTLMv2      98D6986BCFA9886E41698C1686B58A09
    

    Note: on linux the config file is cntlm.conf

  • Have the configuration described on How to Configure an Outbound HTTP and HTTPS Proxy for JIRA applications point to the local "Cntlm" proxy instead - and that one will do the job to talk to NTLM.

There are no other current workarounds for Fisheye - please see FISH-436 for further information.

 

Last modified on Nov 2, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.