JIRA Client

Synchronization fails with https proxy when authentication required

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 2.0.1
  • Fix Version/s: 2.1
  • Component/s: None
  • Environment: Windows XP
  • Backlog Order: 4,375,000
  • Iteration: JC-2.1 (Oct 2009)

Description

JIRA client was working fine last week and I was quite happy with the tool.

This week, our IT department turned on authentication for the proxy server and now JIRA client won't connect. The proxy server sends an NTLM authentication challenge; if that fails it sends a Basic auth challenge.

I configured the proxy using Tools --> Configure HTTP proxy, I checked that the username and password are correct and all fields look sane. However, JIRA client won't connect (it gets HTTP/407 proxy authentication required).

Is JIRA client capable of logging into proxy server for HTTPS (not just HTTP) requests? If not, how soon can this feature get added? I am on a trial period and there are several others in my department who are evaluating this tool. Please help correct this issue as I am very happy with the tool but cannot use it at present, and I cannot change my IT department's policies (unfortunately).

Activity

Igor Sereda added a comment -
Sam, thanks for posting this problem. I will need to run some checks to see what's going on. If JIRA Client 2.0.1 cannot work with your environment, I hope we can add a fix to the upcoming 2.1 release.
Igor Sereda added a comment -
Sam, do you have information on what proxy server you are running?

May I also ask you to run JIRA Client in verbose mode with jiraclient_verbose.bat, reproduce the problem and send logs to support@almworks.com? (Detailed instructions are given here: http://forum.almworks.com/index.php?showtopic=329 )

Thanks!
Sam Post added a comment -
Unfortunately I do not know what proxy server our IT department is running - no clue if it's squid or something else.

Also I am not comfortable sending all the logs without personally reading all the data - which I don't have time to do today. However I have included the relevant error messages from the tracker0.log.1 file below. Let me know if this is not sufficient to reproduce and/or fix the issue, and I will try to find time to scan all the logs and send them out.

As I mentioned previously, our proxy server sends an NTLM challenge and a Basic Auth challenge and will accept either.

I also tried adding in my NTLM domain to my username but that didn't help (same error message).

I googled the error message below and you might find the following helpful (or not):

http://mail-archives.apache.org/mod_mbox/ws-axis-user/200609.mbox/%3C451C2D7B.2030007@vivisimo.com%3E (need to set a domain for NTLM auth?)



20100115-080631.249 WARNING [Apache:SEVERE] Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
org.apache.commons.httpclient.auth.InvalidCredentialsException: Credentials cannot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswordCredentials
at org.apache.commons.httpclient.auth.NTLMScheme.authenticate(NTLMScheme.java:331)
at org.apache.commons.httpclient.HttpMethodDirector.authenticateProxy(HttpMethodDirector.java:319)
at org.apache.commons.httpclient.HttpMethodDirector.executeConnect(HttpMethodDirector.java:490)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:390)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at z.hkz.a(Z:17)
at z.hnp.a(Z:331)
at z.hnp.a(Z:186)
at z.egk.a(Z:387)
at z.egk.r(Z:317)
at z.egk.c(Z:86)
at z.ub.a(Z:59)
at z.dyk.b(Z:265)
at z.dyk.a(Z:141)
at z.dyk.a(Z:125)
at z.dyk.b(Z:85)
at z.adb.d(Z:69)
at z.hmv.a(Z:32)
at z.ccm.a(Z:159)
at z.ccm.j(Z:102)
at z.ejy.a(Z:114)
at z.ejy.a(Z:858)
at z.hjy.a(Z:74)
at z.hjy.a(Z:48)
at z.cp.d(Z:77)
at z.cp.e(Z:26)
at z.clk.run(Z:258)
at z.fdy.run(Z:303)
at java.lang.Thread.runUnknown Source
at z.goo.run(Z:12)
==========================================================================================
20100115-080631.264 FINE >> "CONNECT SERVER_REMOVED.COM:443 HTTP/1.1"
20100115-080631.264 FINE >> "User-Agent: Jakarta Commons-HttpClient/3.0[\r][\n]"
20100115-080631.264 FINE >> "Proxy-Connection: Keep-Alive[\r][\n]"
20100115-080631.264 FINE >> "Host: SERVER_REMOVED.com[\r][\n]"
20100115-080631.264 FINE >> "[\r][\n]"
20100115-080631.374 FINE << "HTTP/1.1 407 Proxy Authentication Required[\r][\n]"
20100115-080631.374 FINE << "Proxy-Authenticate: NTLM[\r][\n]"
20100115-080631.374 FINE << "Proxy-Authenticate: BASIC realm="REMOVED"[\r][\n]"
20100115-080631.374 FINE << "Cache-Control: no-cache[\r][\n]"
20100115-080631.374 FINE << "Pragma: no-cache[\r][\n]"
20100115-080631.374 FINE << "Content-Type: text/html; charset=utf-8[\r][\n]"
20100115-080631.374 FINE << "Proxy-Connection: close[\r][\n]"
20100115-080631.374 FINE << "Set-Cookie: BCSI-CS394D0C17=2; Path=/[\r][\n]"
20100115-080631.374 FINE << "Connection: close[\r][\n]"
20100115-080631.374 FINE << "Content-Length: 810[\r][\n]"
20100115-080631.374 INFO HLI: proxy auth required
20100115-080631.405 INFO z.ctn@19b4e60 failed with exception
z.hdi: server responded [407 Proxy Authentication Required]
at z.egk.a(Z:399)
at z.egk.r(Z:317)
at z.egk.c(Z:86)
at z.ub.a(Z:59)
at z.dyk.b(Z:265)
at z.dyk.a(Z:141)
at z.dyk.a(Z:125)
at z.dyk.b(Z:85)
at z.adb.d(Z:69)
at z.hmv.a(Z:32)
at z.ccm.a(Z:159)
at z.ccm.j(Z:102)
at z.ejy.a(Z:114)
at z.ejy.a(Z:858)
at z.hjy.a(Z:74)
at z.hjy.a(Z:48)
at z.cp.d(Z:77)
at z.cp.e(Z:26)
at z.clk.run(Z:258)
at z.fdy.run(Z:303)
at java.lang.Thread.runUnknown Source
at z.goo.run(Z:12)
==========================================================================================
20100115-080631.405 FINE << "<HTML><HEAD>[\n]"
20100115-080631.405 FINE << "<TITLE>Access Denied</TITLE>[\n]"
20100115-080631.405 FINE << "</HEAD>[\n]"
20100115-080631.405 FINE << "<BODY>[\n]"
20100115-080631.405 FINE << "<FONT face="Helvetica">[\n]"
20100115-080631.405 FINE << "<big><strong></strong></big><BR>[\n]"
20100115-080631.405 FINE << "</FONT>[\n]"
20100115-080631.405 FINE << "<blockquote>[\n]"
20100115-080631.405 FINE << "<TABLE border=0 cellPadding=1 width="80%">[\n]"
20100115-080631.405 FINE << "<TR><TD>[\n]"
20100115-080631.405 FINE << "<FONT face="Helvetica">[\n]"
20100115-080631.405 FINE << "<big>Access Denied (authentication_failed)</big>[\n]"
20100115-080631.405 FINE << "<BR>[\n]"
20100115-080631.405 FINE << "<BR>[\n]"
20100115-080631.405 FINE << "</FONT>[\n]"
20100115-080631.405 FINE << "</TD></TR>[\n]"
20100115-080631.405 FINE << "<TR><TD>[\n]"
20100115-080631.405 FINE << "<FONT face="Helvetica">[\n]"
20100115-080631.405 FINE << "Your credentials could not be authenticated: "Credentials required.". You will not be permitted access until your credentials can be verified.[\n]"
20100115-080631.405 FINE << "</FONT>[\n]"
20100115-080631.405 FINE << "</TD></TR>[\n]"
20100115-080631.405 FINE << "<TR><TD>[\n]"
20100115-080631.405 FINE << "<FONT face="Helvetica">[\n]"
20100115-080631.405 FINE << "This is typically caused by an incorrect username and/or password, but could also be caused by network problems.[\n]"
20100115-080631.405 FINE << "</FONT>[\n]"
20100115-080631.405 FINE << "</TD></TR>[\n]"
20100115-080631.405 FINE << "<TR><TD>[\n]"
20100115-080631.405 FINE << "<FONT face="Helvetica" SIZE=2>[\n]"
20100115-080631.405 FINE << "<BR>[\n]"
20100115-080631.405 FINE << "For assistance, contact your network support team.[\n]"
20100115-080631.405 FINE << "</FONT>[\n]"
20100115-080631.405 FINE << "</TD></TR>[\n]"
20100115-080631.405 FINE << "</TABLE>[\n]"
20100115-080631.405 FINE << "</blockquote>[\n]"
20100115-080631.405 FINE << "</FONT>[\n]"
20100115-080631.405 FINE << "</BODY></HTML>[\n]"
20100115-080631.405 INFO updateIssues unsuccessful
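
Added example (not part of the original thread and not ALM Works' code): the log above shows Commons HttpClient 3.0 choosing the NTLM challenge and rejecting UsernamePasswordCredentials. The sketch below uses the HttpClient 3.x API to hand NTLM the NTCredentials class it requires, and to drop NTLM from the scheme priority when no domain is available so the Basic challenge is answered instead. The class name, the DOMAIN\user login format, host names and sample values are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.commons.httpclient.auth.AuthScope;

public class ProxyAuthSetup {

    /** Returns the credentials class that the selected scheme will accept. */
    static Credentials proxyCredentials(String login, String password, String workstation) {
        int sep = login.indexOf('\\');
        if (sep > 0) {
            // NTLMScheme.authenticate() only accepts NTCredentials:
            // (user, password, originating host, domain)
            return new NTCredentials(login.substring(sep + 1), password,
                    workstation, login.substring(0, sep));
        }
        return new UsernamePasswordCredentials(login, password);
    }

    static HttpClient configure(String proxyHost, int proxyPort,
                                String login, String password, String workstation) {
        HttpClient client = new HttpClient();
        client.getHostConfiguration().setProxy(proxyHost, proxyPort);

        Credentials creds = proxyCredentials(login, password, workstation);
        client.getState().setProxyCredentials(
                new AuthScope(proxyHost, proxyPort, AuthScope.ANY_REALM), creds);

        // The client answers the first scheme in this list that the proxy offers.
        // Leaving NTLM out when we hold plain credentials avoids the
        // InvalidCredentialsException seen in the log.
        List<String> schemes = new ArrayList<String>();
        if (creds instanceof NTCredentials) {
            schemes.add(AuthPolicy.NTLM);
        }
        schemes.add(AuthPolicy.DIGEST);
        // Basic is last: it sends the password base64-encoded in the
        // unencrypted CONNECT request to the proxy.
        schemes.add(AuthPolicy.BASIC);
        client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, schemes);
        return client;
    }

    public static void main(String[] args) {
        // Constructed sample values; no request is sent.
        String[] logins = { "EXAMPLE\\jdoe", "jdoe" };
        for (String login : logins) {
            HttpClient c = configure("proxy.example.test", 8080, login,
                    "placeholder-password", "WORKSTATION1");
            Credentials cr = c.getState().getProxyCredentials(
                    new AuthScope("proxy.example.test", 8080, AuthScope.ANY_REALM));
            System.out.println(login + " -> " + cr.getClass().getSimpleName() + " "
                    + c.getParams().getParameter(AuthPolicy.AUTH_SCHEME_PRIORITY));
        }
    }
}
```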
Igor Sereda added a comment -
Sam, thanks for the info!

I was able to reproduce the problem, so never mind about the logs. We'll work on this problem now.
Igor Sereda added a comment -
The workaround for JIRA servers accessible with http is to force the JRE http executor by setting the force.http.jre.executor command-line parameter to true.

(See http://kb.almworks.com/wiki/How_to_use_Deskzilla_command_line_options
or
http://wiki.almworks.com/x/iwYi
for instructions.)
Sam Post added a comment -
I followed the steps in the URLs you sent; now my shortcut to the JIRA client is

"C:\Program Files\JIRA Client\bin\jiraclient.exe" -J-Dhttps.protocols=SSLv3 -J-Dforce.http.jre.executor=true

On startup it appears to synchronize, but when I try to upload or download changes it gets a different error. Shall I open a new ticket or can we continue to use this one?

There was a problem connecting to the remote server and reading a web page.
Please verify that you are online and you can reach the remote server through web browser.

Details:
https://abc.myserver.com/jira/browse/PROJECT-123?decorator=none&view=rss
connection failure
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Igor Sereda added a comment -
Ugh, I actually didn't mean to include https.protocols=SSLv3, you can drop that one.

This problem about certification path is a known problem when the HTTPS server certificate is self-signed or not trusted inherently AND when NTLM authentication is in place. The solution is described here: http://wiki.almworks.com/x/HgUi
Sam Post added a comment -
I can't follow that link, it asks me for a login. I try the login for JIRA.almworks.com and it rejects it. There is no signup link.

Can you describe the process or provide a public link?
Igor Sereda added a comment -
> I can't follow that link, it asks me for a login.

I'm sorry - that was some plug-in meddling with our Confluence. The link should work now, please try again.

People

  • Assignee: Unassigned
  • Reporter: Sam Post

Time Tracking

Estimated: Not Specified
Remaining: 3h 49m
Logged: 4h 9m