Single Sign On fails when SMBv1 is disabled
The content on this page relates to third party products which are not supported by Atlassian. Consequently, Atlassian cannot guarantee providing any support for these solutions.
Please be aware that this material is provided for your information only and using it is done so at your own risk.
Problem
When JIRA or Confluence uses a third-party add-on such as Tech Time Easy SSO, which in turn uses Jespa to provide the underlying NTLM authentication, Jespa stops working when SMBv1 is disabled on the network. The following error appears in the jespa.log file:
2017-10-05 16:25:30: jcifs.smb.SmbException: Failed to connect: 0.0.0.0<00>/10.0.0.1
jcifs.util.transport.TransportException
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at jcifs.util.transport.Transport.readn(Transport.java:29)
at jcifs.smb.SmbTransport.peekKey(SmbTransport.java:388)
at jcifs.smb.SmbTransport.negotiate(SmbTransport.java:288)
at jcifs.smb.SmbTransport.doConnect(SmbTransport.java:319)
at jcifs.util.transport.Transport.run(Transport.java:241)
at java.lang.Thread.run(Unknown Source)
at jcifs.util.transport.Transport.run(Transport.java:258)
at java.lang.Thread.run(Unknown Source)
2017-10-05 16:25:30: at jcifs.smb.SmbTransport.connect(SmbTransport.java:309)
2017-10-05 16:25:30: at jcifs.smb.SmbTree.treeConnect(SmbTree.java:156)
2017-10-05 16:25:30: at jcifs.smb.SmbFile.doConnect(SmbFile.java:911)
2017-10-05 16:25:30: at jcifs.smb.SmbFile.connect(SmbFile.java:954)
2017-10-05 16:25:30: at jcifs.smb.SmbFile.connect0(SmbFile.java:880)
2017-10-05 16:25:30: at jcifs.smb.SmbFileInputStream.<init>(SmbFileInputStream.java:76)
2017-10-05 16:25:30: at jcifs.smb.TransactNamedPipeInputStream.<init>(TransactNamedPipeInputStream.java:38)
2017-10-05 16:25:30: at jcifs.smb.SmbNamedPipe.getNamedPipeInputStream(SmbNamedPipe.java:166)
2017-10-05 16:25:30: at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:66)
2017-10-05 16:25:30: at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:190)
2017-10-05 16:25:30: at jcifs.dcerpc.DcerpcHandle.bind(DcerpcHandle.java:126)
2017-10-05 16:25:30: at jespa.ntlm.Netlogon.connect(Netlogon.java:275)
2017-10-05 16:25:30: at jespa.ntlm.Netlogon.getDomainTrusts0(Netlogon.java:448)
2017-10-05 16:25:30: at jespa.ntlm.Netlogon.getDomainTrusts(Netlogon.java:530)
2017-10-05 16:25:30: at jespa.ntlm.Netlogon.getDomainTrust(Netlogon.java:579)
2017-10-05 16:25:30: at jespa.ntlm.NtlmSecurityProvider.getDomain(NtlmSecurityProvider.java:1559)
2017-10-05 16:25:30: at jespa.ntlm.NtlmSecurityProvider.getProperty(NtlmSecurityProvider.java:433)
2017-10-05 16:25:30: at jespa.security.Properties.getProperty(Properties.java:215)
2017-10-05 16:25:30: at jespa.ntlm.NtlmSecurityProvider.acceptSecContext(NtlmSecurityProvider.java:1129)
2017-10-05 16:25:30: at jespa.http.HttpSecurityService.doFilter(HttpSecurityService.java:1388)
2017-10-05 16:25:30: at sun.reflect.GeneratedMethodAccessor594.invoke(Unknown Source)
2017-10-05 16:25:30: at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
2017-10-05 16:25:30: at java.lang.reflect.Method.invoke(Unknown Source)
2017-10-05 16:25:30: at org.techtime.jira.plugins.easysso.integration.filtering.JespaComponent.invokeMethod(JespaComponent.java:629)
2017-10-05 16:25:30: at org.techtime.jira.plugins.easysso.integration.filtering.JespaComponent.doFilter(JespaComponent.java:584)
2017-10-05 16:25:30: at org.techtime.jira.plugins.easysso.logic.FullyEnabledStrategy.doNTLMFiltering(FullyEnabledStrategy.java:55)
2017-10-05 16:25:30: at org.techtime.jira.plugins.easysso.interfaces.JespaFilter.doFilter(JespaFilter.java:27)
...
Background of JIRA, Easy SSO and Jespa
- Techtime Easy SSO does not distribute Jespa for licensing reasons
- For Jira, the Jespa zip file is instead installed through JIRA Administration » Add-ons » EasySSO » Upload Jespa
- This installs ioplex-jespa.jar<randomnumbers>.tmp into $JIRA_INSTALL/temp
Cause
From the jespa release notes:
1.2.0 March 24, 2017
With the release of 1.2.0, Jespa now uses TCP transport and not SMB for MSRPC communication (such as with the NETLOGON and LSA services of domain controllers). If SMB1 is disabled in the target environment, Jespa versions prior to 1.2.0 will yield an error like the following:
NETLOGON: Connecting DCERPC handle to ncacn_np:192.168.10.20[\PIPE\NETLOGON] with identity mega.corp\jespa1$ jcifs.smb.SmbException: Failed to connect: 0.0.0.0<00>/192.168.10.20 jcifs.util.transport.TransportException java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:196)
Unfortunately, the installed Jespa version is not easy to identify directly. However, if you extract the ioplex-jespa.jar<randomnumbers>.tmp file, you can check the date stamps of the contained class files. If the class files are older than March 24, 2017, you are likely running a Jespa version older than 1.2.0.
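The date-stamp check described above can be scripted. The following is an added example, not code from Atlassian, Tech Time or IOPLEX: a jar is an ordinary zip file, so each .class entry carries a DOS timestamp that can be read with the Python standard library. The helper make_sample_jar builds a constructed in-memory jar (with dummy class names chosen for illustration) so the script runs offline; pass a real ioplex-jespa.jar<randomnumbers>.tmp path on the command line to inspect an actual installation.

```python
import io
import sys
import zipfile
from datetime import datetime

# Jespa 1.2.0 (MSRPC over TCP instead of SMB named pipes) was released on
# March 24, 2017 according to the release notes quoted above.
JESPA_TCP_TRANSPORT_RELEASE = datetime(2017, 3, 24)


def class_timestamps(jar_bytes):
    """Return {entry_name: datetime} for every .class entry in the jar."""
    stamps = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.filename.endswith(".class"):
                stamps[info.filename] = datetime(*info.date_time)
    return stamps


def likely_pre_tcp_transport(jar_bytes):
    """Return (flag, newest_class_time).

    flag is True when even the newest .class entry predates the 1.2.0
    release date, which means the build cannot contain 1.2.0 code.  Using
    the newest entry rather than the oldest avoids a false alarm from a
    single unchanged old class inside an otherwise current build.
    """
    stamps = class_timestamps(jar_bytes)
    if not stamps:
        raise ValueError("no .class entries found; is this the Jespa jar?")
    newest = max(stamps.values())
    return newest < JESPA_TCP_TRANSPORT_RELEASE, newest


def make_sample_jar(date_time):
    """Build a constructed in-memory jar whose class entries are stamped
    with the given (Y, M, D, h, m, s) tuple.  Sample data only; the entry
    names are assumptions, not a real Jespa build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in ("jespa/ntlm/Netlogon.class",
                     "jespa/http/HttpSecurityService.class"):
            info = zipfile.ZipInfo(name, date_time=date_time)
            jar.writestr(info, b"\xca\xfe\xba\xbe")  # class-file magic only
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def report(label, jar_bytes):
    flag, newest = likely_pre_tcp_transport(jar_bytes)
    verdict = "likely older than 1.2.0 (SMB named-pipe transport)" if flag \
        else "1.2.0 or newer is plausible (check release notes to confirm)"
    print(f"{label}: newest class stamped {newest:%Y-%m-%d}; {verdict}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report(sys.argv[1], fh.read())
    else:
        # Constructed samples: one build from before the release, one after.
        report("old-build.jar", make_sample_jar((2016, 11, 2, 10, 0, 0)))
        report("new-build.jar", make_sample_jar((2017, 6, 1, 9, 30, 0)))
```

A timestamp newer than March 24, 2017 only shows that the build is not obviously stale; the definitive check remains the version of the Jespa zip you uploaded and the ncacn_ip_tcp lines in jespa.log after the update.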
Solution
Update Jespa to at least v1.2.0.
For JIRA, navigate to JIRA Administration » Add-ons » EasySSO » Upload Jespa and upload the latest Jespa-<version>.zip file downloaded from https://www.ioplex.com/.
Restart JIRA for the changes to take effect. With SMBv1 disabled, as per the Jespa release notes, jespa.log will show the following when it is working:
NETLOGON: Connecting DCERPC handle to ncacn_ip_tcp:192.168.10.20[netlogon] with identity mega.corp\jespa1$
DcerpcTcpHandle: soTimeout=60000,connTimeout=30000
NETLOGON: Bind successful