Cannot make my AD configuration to work

Article ID:235932268

Symptoms

  • I am not able to log in to Jenkins

  • AD groups are not recognized by Jenkins

  • AD groups do not appear in /whoAmI

Diagnosis/Treatment

  • Pre-conditions:

    • When configuring the AD plugin for the first time, the login does not work.

    • While testing, keep Authorization set to Anyone can do anything. Otherwise an incorrect configuration can lock you out of Jenkins. See https://www.jenkins.io/doc/book/security/securing-jenkins/

Simple Domain

The first thing to do is to keep the vanilla initial configuration and only change the Group Membership Lookup Strategy to Recursive Group Queries.

Then copy the Domain Name into Test Domain Name and click Test Domain to check whether the configuration works.

(Screenshot: ad-simple-domain.png)

If this configuration does not work, your AD set-up might not be correctly exposing the Global Catalog. You can check this by running nslookup -q=SRV _gc._tcp.<DOMAIN>.

In the example below, the Domain Controller win-ldp4boh5mil.support-cloudbees.com is a member of the domain support-cloudbees.com.

fbelzunc$ nslookup -q=SRV _gc._tcp.support-cloudbees.com
Server:     192.168.1.16
Address:        192.168.1.16#53

_gc._tcp.support-cloudbees.com  service = 0 100 3268 win-ldp4boh5mil.support-cloudbees.com.

If the test still fails, try adding a server explicitly as a Domain Controller, as in the screenshot below. Then use Test Domain Name and Test Domain Controllers again to check whether the configuration works.

(Screenshot: ad-simple-domain-controller.png)

Multiple Domains

For multiple domains, the only restriction is that the Bind DN user must exist in both domains with the same password. On the Jenkins side you must enter it as the display name, such as bindUser, and NOT in another form such as CN=bindUser,DC=support-cloudbees,DC=com.

(Screenshot: ad-multiple.png)

If this configuration does not work, your AD set-up might not be correctly exposing the Global Catalog. Check each domain with nslookup -q=SRV _gc._tcp.<DOMAIN>, exactly as shown in the Simple Domain section.

If the test still fails, try adding a server explicitly as a Domain Controller, as in the screenshot below. Perform the test with both domains and both domain controllers.

(Screenshot: ad-multiple-domain-controller.png)
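To run the Global Catalog check from the Simple Domain and Multiple Domains sections against every domain in one go, here is an added shell script (not part of this article or of the AD plugin) that parses the nslookup SRV answer and flags any domain that publishes no _gc._tcp record; the sample answer is constructed from the output shown above, and the live query assumes nslookup is installed.

```shell
#!/bin/sh
# Added example: list the Global Catalog servers (port 3268) that the Jenkins AD
# plugin needs to reach, for one or more domains, and flag domains without any.

# Sample answer, constructed from the nslookup output shown in this article.
SAMPLE_GC_OUTPUT='Server:     192.168.1.16
Address:        192.168.1.16#53

_gc._tcp.support-cloudbees.com  service = 0 100 3268 win-ldp4boh5mil.support-cloudbees.com.'

# parse_gc_srv: read "nslookup -q=SRV" output on stdin and print "host port"
# for every SRV record, with the trailing dot stripped from the FQDN.
parse_gc_srv() {
  awk '/service =/ { host = $NF; sub(/\.$/, "", host); print host, $(NF-1) }'
}

# gc_host_count: number of GC servers in the given nslookup output.
# 0 means no Global Catalog SRV record is published, the failure this
# article describes (the "Test Domain" button then fails).
gc_host_count() {
  printf '%s\n' "$1" | parse_gc_srv | wc -l | tr -d ' '
}

# check_gc_domain: live query for one domain; returns 1 when no GC is found.
check_gc_domain() {
  domain="$1"
  out=$(nslookup -q=SRV "_gc._tcp.$domain" 2>/dev/null)
  if [ "$(gc_host_count "$out")" -eq 0 ]; then
    echo "$domain: no Global Catalog SRV record published; add a Domain Controller explicitly in the plugin"
    return 1
  fi
  echo "$domain: Global Catalog servers:"
  printf '%s\n' "$out" | parse_gc_srv
}

# Usage: ./check_gc.sh support-cloudbees.com other-domain.example
# For the multiple-domain setup, pass every domain so each one is checked.
for d in "$@"; do
  check_gc_domain "$d" || true
done
```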