Single Sign On fails when SMBv1 is disabled

複数製品に共通のナレッジ

このページの内容

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問


The content on this page relates to third party products which are not supported by Atlassian. Consequently, Atlassian can not guarantee providing any support for these solutions.

Please be aware that this material is provided for your information only and using it is done so at your own risk.


問題

When JIRA or Confluence is using a third party add-on such as Tech Time Easy SSO which in turn uses jespa to provide the underlying NTLM authentication, jespa stops working when SMBv1 is disabled on the network. The following error appears in the jespa.log file:

 

2017-10-05 16:25:30: jcifs.smb.SmbException: Failed to connect: 0.0.0.0<00>/10.0.0.1
jcifs.util.transport.TransportException
java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(Unknown Source)
    at java.net.SocketInputStream.read(Unknown Source)
    at jcifs.util.transport.Transport.readn(Transport.java:29)
    at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:388)
    at jcifs.smb.SmbTransport.negotiate(SmbTransport.java:288)
    at jcifs.smb.SmbTransport.doConnect(SmbTransport.java:319)
    at jcifs.util.transport.Transport.run(Transport.java:241)
    at java.lang.Thread.run(Unknown Source)

    at jcifs.util.transport.Transport.run(Transport.java:258)
    at java.lang.Thread.run(Unknown Source)

2017-10-05 16:25:30:    at jcifs.smb.SmbTransport.connect(SmbTransport.java:309)
2017-10-05 16:25:30:    at jcifs.smb.SmbTree.treeConnect(SmbTree.java:156)
2017-10-05 16:25:30:    at jcifs.smb.SmbFile.doConnect(SmbFile.java:911)
2017-10-05 16:25:30:    at jcifs.smb.SmbFile.connect(SmbFile.java:954)
2017-10-05 16:25:30:    at jcifs.smb.SmbFile.connect0(SmbFile.java:880)
2017-10-05 16:25:30:    at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:76)
2017-10-05 16:25:30:    at jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)
2017-10-05 16:25:30:    at jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
2017-10-05 16:25:30:    at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:66)
2017-10-05 16:25:30:    at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:190)
2017-10-05 16:25:30:    at jcifs.dcerpc.DcerpcHandle.bind(DcerpcHandle.java:126)
2017-10-05 16:25:30:    at jespa.ntlm.Netlogon.connect(Netlogon.java:275)
2017-10-05 16:25:30:    at jespa.ntlm.Netlogon.getDomainTrusts0(Netlogon.java:448)
2017-10-05 16:25:30:    at jespa.ntlm.Netlogon.getDomainTrusts(Netlogon.java:530)
2017-10-05 16:25:30:    at jespa.ntlm.Netlogon.getDomainTrust(Netlogon.java:579)
2017-10-05 16:25:30:    at jespa.ntlm.NtlmSecurityProvider.getDomain(NtlmSecurityProvider.java:1559)
2017-10-05 16:25:30:    at jespa.ntlm.NtlmSecurityProvider.getProperty(NtlmSecurityProvider.java:433)
2017-10-05 16:25:30:    at jespa.security.Properties.getProperty(Properties.java:215)
2017-10-05 16:25:30:    at jespa.ntlm.NtlmSecurityProvider.acceptSecContext(NtlmSecurityProvider.java:1129)
2017-10-05 16:25:30:    at jespa.http.HttpSecurityService.doFilter(HttpSecurityService.java:1388)
2017-10-05 16:25:30:    at sun.reflect.GeneratedMethodAccessor594.invoke(Unknown Source)
2017-10-05 16:25:30:    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
2017-10-05 16:25:30:    at java.lang.reflect.Method.invoke(Unknown Source)
2017-10-05 16:25:30:    at org.techtime.jira.plugins.easysso.integration.filtering.JespaComponent.invokeMethod(JespaComponent.java:629)
2017-10-05 16:25:30:    at org.techtime.jira.plugins.easysso.integration.filtering.JespaComponent.doFilter(JespaComponent.java:584)
2017-10-05 16:25:30:    at org.techtime.jira.plugins.easysso.logic.FullyEnabledStrategy.doNTLMFiltering(FullyEnabledStrategy.java:55)
2017-10-05 16:25:30:    at org.techtime.jira.plugins.easysso.interfaces.JespaFilter.doFilter(JespaFilter.java:27)
...

 

Background of JIRA, Easy SSO and Jespa

  1. Techtime Easy SSO does not distribute jespa due to licensing reasons
  2. For Jira, the Jespa Zip file is however installed through JIRA Administration » Add-ons » EasySSO » Upload Jespa
  3. This installs ioplex-jespa.jar<randomnumbers>.tmp into $JIRA_INSTALL/temp

原因

From the jespa release notes:

1.2.0  March 24, 2017

With the release of 1.2.0, Jespa now uses TCP transport and not SMB for MSRPC communication (such as with the NETLOGON and LSA services of domain controllers). If SMB1 is disabled in the target environment, Jespa versions prior to 1.2.0 will yield an error like the following:

NETLOGON: Connecting DCERPC handle to ncacn_np:192.168.10.20[\PIPE\NETLOGON] with identity mega.corp\jespa1$
  jcifs.smb.SmbException: Failed to connect: 0.0.0.0<00>/192.168.10.20
  jcifs.util.transport.TransportException
  java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:196)

 

Unfortinately, it's not easy to identify the version of Jespa that is installed but extracting out the ioplex-jespa.jar<randomnumbers>.tmp, you can identify the date stamps of the contained classes. If the Class files are older than March 24, 2017 - it is likely you are running a version of Jespa older than 1.2.0.

ソリューション

Update Jespa to at least v1.2.0.

 

For JIRA, navigate to JIRA Administration » Add-ons » EasySSO » Upload Jespa and upload the latest Jespa-<version>.zip file downloaded from https://www.ioplex.com/.

Restart JIRA for the changes to take effect. With SMBv1 disabled, as per Jespa release notes, jespa.log show will show the following when it is working:

NETLOGON: Connecting DCERPC handle to ncacn_ip_tcp:192.168.10.20[netlogon] with identity mega.corp\jespa1$
DcerpcTcpHandle: soTimeout=60000,connTimeout=30000
NETLOGON: Bind successful

最終更新日 2018 年 11 月 2 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.