Atlassian does not support, and does not intend to provide, an auto-login feature for computers that are members of a Windows domain.
There are only 2 possible solutions:
- Use Crowd or any LDAP connector that makes it possible to log in with the domain username and password (you still have to type the username and password, but they are always the domain credentials)
- Use ntlmauth4jira with the jcifs plugin, which may cause even more trouble (starting with Windows Vista the default NTLM level is 5, which means jcifs won't work unless you change this value in the Windows registry on each computer)
I've found a way to use Apache Http Server NTLM authentication (mod_auth_sspi, which works without any problem) to authenticate in Jira running inside Apache Tomcat. The steps below are for Jira 3.x, but I successfully tested them with only minor changes on Jira 4.1. Unfortunately, 4.x was not used as a production system, so I cannot guarantee the whole functionality in every aspect.
- Install Apache Http Server and Apache Tomcat
- Install mod_auth_sspi to your Apache Http Server
- Install proxy_ajp_module to your Apache Http Server (should be included by default)
- Setup Apache Http Server to forward requests to Apache Tomcat via AJP connector
- Install Jira
- Build the attached Jira plugin using Atlassian SDK or download the jar directly
- Configure the attached Jira plugin and change default Jira config in edit-webapp
- Start Jira
Open the conf/httpd.conf file in your Apache Http Server installation and add or uncomment the following LoadModule lines:
    ############################################
    # NTLM section BEGIN
    LoadModule sspi_auth_module modules/mod_auth_sspi.so
    # NTLM section END
In the same conf/httpd.conf, add or uncomment the following proxy lines:
    ############################################
    # Proxy to local tomcats
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    ProxyErrorOverride on
Forward Apache Http Server requests to Apache Tomcat
    <Location /jira/browse>
        ProxyPass ajp://localhost:8009/jira/browse
        ProxyPassReverse ajp://localhost:8009/jira/browse
        AuthName "JIRA - Enter your domain name and password"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIOfferBasic On
        SSPIOmitDomain on
        Require valid-user
    </Location>
    <Location /jira/secure>
        ProxyPass ajp://localhost:8009/jira/secure
        ProxyPassReverse ajp://localhost:8009/jira/secure
        AuthName "JIRA - Enter your domain name and password"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIOfferBasic On
        SSPIOmitDomain on
        Require valid-user
    </Location>
    <Location /jira>
        ProxyPass ajp://localhost:8009/jira
        ProxyPassReverse ajp://localhost:8009/jira
    </Location>
Configure Apache Tomcat to receive AJP requests from Apache Http Server
Open conf/server.xml in Apache Tomcat directory and change the following:
- disable the HTTP connector (comment out the Connector element with protocol HTTP/1.1)
- enable the AJP connector (uncomment the Connector element with protocol AJP/1.3)
- add the URIEncoding="UTF-8" parameter to the AJP Connector (this fixes the issue with accented/national characters)
- add the tomcatAuthentication="false" parameter to the AJP Connector (this forces Tomcat to take the username from AJP, i.e. the one provided by Http Server)
- add the address="127.0.0.1" parameter to the AJP Connector (this forces Tomcat to listen only on localhost)
The AJP section should look like this:
    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8445"
               URIEncoding="UTF-8" connectionTimeout="5000" tomcatAuthentication="false" />
Configure the plugin and Jira
The plugin contains 3 different options to authenticate:
- using Apache Http Server SSPI module
- using jcifs library (copied from ntlmauth4jira plugin)
- using jespa library (under development, not finished)
We'll use the Apache Http Server authentication. Http Server sends the authenticated username via AJP to Tomcat. The domain is not included (SSPIOmitDomain on); if the user is not logged into the domain, Basic authentication is offered instead (SSPIOfferBasic On). We have configured Tomcat to accept AJP requests only from localhost and to use the username provided via AJP.
NOTE: If you enable remote access to Tomcat (AJP or HTTP), the username can be set freely by the request sender, and Jira can be tricked this way into accepting the sender as any user he/she claims to be!
Now we have to add a new Filter in Jira's edit-webapp/web.xml to tell Jira that the user is successfully authenticated if a username is provided via AJP. The filter also checks whether the user is in the required group in LDAP (Active Directory in this case). Add the following lines just above the trustedapps Filter:
    <filter>
        <filter-name>login_ntlm</filter-name>
        <filter-class>sk.lacike.ntlm.apache.jira.AJPLoginFilter</filter-class>
        <init-param>
            <param-name>configuration</param-name>
            <param-value>ntlm_ldap.properties</param-value>
        </init-param>
    </filter>
For Jira 4.x you have to change the location, because the filters have been completely redesigned. I don't remember exactly where it should go, but I am pretty sure you'll find the correct position 🙂
ntlm_ldap.properties has to be copied into classes folder and the following lines have to be changed:
    domains = [your-domain-here, e.g. MYDOMAIN]
    stripDomain = true
    forceDomain = [your-domain-here, e.g. MYDOMAIN]
    readonlyUser = true
    checkLDAP = false
    domainController = [your-domain-controller-here, e.g. domainserver.mydomain.local]
    java.naming.security.authentication = simple
    java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
    java.naming.referral = follow
    java.naming.provider.url = [your-ldap-url-to-domain-controller, e.g. ldap://domainserver.mydomain.local]
    searchBase = [your-search-base-where-users-are-stored, e.g. OU=employees,DC=mydomain,DC=local]
    java.naming.security.principal = [full-dn-of-the-bind-user, e.g. CN=atlassian,OU=systemaccounts,DC=mydomain,DC=local]
    java.naming.security.credentials = [bind-user-password]
    autoCreate = no
You can also set requiredJIRAGroup if you want to authenticate only users in a specific group.
autoCreate=no and readonlyUser=yes are the right settings when Jira is connected to LDAP via Crowd: the user record is read-only for external Jira user providers. If you don't intend to use Crowd, just enable these options (set them to yes) and the user info will be retrieved from LDAP/DC automatically; the user will also be created automatically if it is found in LDAP.
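As an added illustration of the trust logic described above (this is not the plugin's own AJPLoginFilter code), a minimal servlet filter that takes the username Tomcat exposes through getRemoteUser() (set from AJP because of tomcatAuthentication="false"), normalises it according to stripDomain/forceDomain, and checks requiredJIRAGroup through a hypothetical GroupLookup interface before handing the identity on. MYDOMAIN, jira-users and the session attribute name are constructed sample values.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Illustration of an AJP login filter's trust logic; not the page's plugin (AJPLoginFilter). */
public class AjpLoginFilterExample implements Filter {
    // Constructed samples mirroring forceDomain / requiredJIRAGroup in ntlm_ldap.properties.
    static final String FORCE_DOMAIN = "MYDOMAIN";
    static final String REQUIRED_GROUP = "jira-users";
    static final String USER_ATTR = "ajp.login.user";  // hypothetical session attribute name

    /** Group source; the real plugin would back this with the LDAP settings of the properties file. */
    public interface GroupLookup { Set<String> groupsOf(String user); }
    private GroupLookup groups;
    public AjpLoginFilterExample() {}                           // containers use the no-arg constructor
    public AjpLoginFilterExample(GroupLookup g) { groups = g; }  // for tests / manual wiring

    /** stripDomain/forceDomain: "MYDOMAIN\jdoe" and "jdoe" (SSPIOmitDomain) both become "jdoe";
     *  an empty name or a foreign domain yields null, i.e. "not authenticated by httpd". */
    static String normalize(String remoteUser) {
        if (remoteUser == null) return null;
        String domain = FORCE_DOMAIN, user = remoteUser.trim();
        int bs = user.indexOf('\\');
        if (bs >= 0) { domain = user.substring(0, bs); user = user.substring(bs + 1); }
        if (user.isEmpty() || !domain.equalsIgnoreCase(FORCE_DOMAIN)) return null;
        return user.toLowerCase(Locale.ROOT);
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        // With tomcatAuthentication="false" this is exactly the name httpd put on the AJP request,
        // which is why the AJP connector must be reachable from localhost only.
        String user = normalize(r.getRemoteUser());
        if (user == null) { chain.doFilter(req, res); return; }  // unprotected path: Jira's own login
        if (!groups.groupsOf(user).contains(REQUIRED_GROUP)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "not in " + REQUIRED_GROUP);
            return;
        }
        r.getSession(true).setAttribute(USER_ATTR, user);  // identity handed to the Jira login step
        chain.doFilter(req, res);
    }
    public void init(FilterConfig c) throws ServletException {
        if (groups == null) throw new ServletException("wire a GroupLookup from the 'configuration' init-param");
    }
    public void destroy() {}
}
```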
If you have any trouble with jcifs (LDAP connectivity), add the following lines:
    jcifs.util.loglevel=3
    jcifs.smb.client.useExtendedSecurity=true
    jcifs.smb.lmCompatibility=3
    jcifs.lmCompatibility=3
The last step is to copy the compiled plugin into the edit-webapp/lib directory, together with the jcifs and jespa jars.