[JIRA] (JENKINS-39234) User identified as Tomcat's unix user id when using Kerberos SSO behind reverse proxy


s.austermuehle@hse24.de (JIRA)

Oct 25, 2016, 5:07:02 AM
to jenkinsc...@googlegroups.com
Stephan Austermühle created an issue
 
Jenkins / Bug JENKINS-39234
User identified as Tomcat's unix user id when using Kerberos SSO behind reverse proxy
Issue Type: Bug
Assignee: Tomas Westling
Attachments: jenkins.conf
Components: kerberos-sso-plugin
Created: 2016/Oct/25 9:06 AM
Environment: Jenkins 2.19.1 LTS
Kerberos SSO plugin 1.3
Active Directory plugin 2.0
Nginx Plus 1.11.3
Oracle JDK 8u112
Labels: plugin kerberos authentication
Priority: Major
Reporter: Stephan Austermühle

Jenkins, Active Directory connectivity, and Kerberos are set up and working well (including Single Sign-On through Kerberos) when accessing Jenkins directly (http://servername.domain:8080).

When accessing Jenkins through a reverse proxy (Nginx) running on the same host (performs SSL offloading), the user is identified as the Unix user that runs the Tomcat process instead of the actual user. In our case the Jenkins Tomcat runs as Unix user id 'tomcat', thus all logged-in users are identified as 'tomcat'.

Interestingly this happens only when accessing Jenkins through the reverse proxy.

I'm attaching the Nginx configuration for reference.

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

s.austermuehle@hse24.de (JIRA)

Oct 25, 2016, 5:15:02 AM
to jenkinsc...@googlegroups.com
Stephan Austermühle updated an issue
Jenkins, Active Directory connectivity, and Kerberos are set up and working well (including Single Sign-On through Kerberos) when accessing Jenkins directly (http://servername.domain:8080).

When accessing Jenkins through a reverse proxy (Nginx) running on the same host (performs SSL offloading), the user is identified as the Unix user that runs the Tomcat process instead of the actual user. In our case the Jenkins Tomcat runs as Unix user id 'tomcat', thus all logged-in users are identified as 'tomcat'.

Interestingly this happens only when accessing Jenkins through the reverse proxy.

With Kerberos SSO plugin disabled, login works well when accessing through the reverse proxy.

I'm attaching the Nginx configuration for reference.

dirk.heinrichs@recommind.com (JIRA)

Dec 30, 2019, 11:16:03 AM
to jenkinsc...@googlegroups.com
Dirk Heinrichs commented on Bug JENKINS-39234
 
Re: User identified as Tomcat's unix user id when using Kerberos SSO behind reverse proxy

Just ran into this and got it solved by using all the "proxy_set_header" directives from this post.

Ended up using this (quite simple) config snippet:

    location / {
        proxy_pass_request_headers on;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host      $http_host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $http_host;
        proxy_set_header   X-Forwarded-Server $host;
        proxy_pass         http://127.0.0.1:8080;
    }

My original (non-working) version didn't set the "X-Forwarded-*" headers.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

dirk.heinrichs@recommind.com (JIRA)

Dec 30, 2019, 11:16:04 AM
to jenkinsc...@googlegroups.com
Dirk Heinrichs edited a comment on Bug JENKINS-39234
Just ran into this and got it solved by using all the "proxy_set_header" directives from [this post|https://hub.alfresco.com/t5/alfresco-content-services-forum/nginx-reverse-proxy-with-kerberos-sso/td-p/57302].


Ended up using this (quite simple) config snippet:
{code:java}
    location / {
        proxy_pass_request_headers on;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host      $http_host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $http_host;
        proxy_set_header   X-Forwarded-Server $host;
        proxy_pass         http://127.0.0.1:8080;
    }
{code}
My original (non-working) version didn't set the "X-Forwarded-*" headers.
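
A check for the headers listed in the comment above, added here as an example (not code from the plugin or from anyone in this thread): it parses an nginx configuration with a simplified tokenizer and reports, for each block containing proxy_pass, which of those headers are not set explicitly. It accounts for nginx inheriting proxy_set_header from an outer level only when the current level defines none. The names REQUIRED, missing_headers and SAMPLE are assumptions of this example, and the sample config is constructed.

```python
import re

# Headers set explicitly in the working snippet quoted in the thread.
REQUIRED = {"host", "x-real-ip", "x-forwarded-for",
            "x-forwarded-host", "x-forwarded-server"}

def tokenize(conf):
    """Split config text into words and the structural tokens { } ; (simplified)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', conf)

def missing_headers(conf):
    """Return [(block path, missing headers)] for every block with proxy_pass."""
    stack = [{"name": "main", "own": set(), "proxy": False}]
    pending, words = [], []
    for tok in tokenize(conf):
        if tok == "{":
            stack.append({"name": " ".join(words), "own": set(), "proxy": False})
            words = []
        elif tok == ";":
            if words[:1] == ["proxy_set_header"] and len(words) >= 3:
                stack[-1]["own"].add(words[1].lower())
            elif words[:1] == ["proxy_pass"]:
                stack[-1]["proxy"] = True
            words = []
        elif tok == "}":
            block = stack.pop()
            if block["proxy"]:
                pending.append((block, list(stack)))
        else:
            words.append(tok)
    report = []
    for block, parents in pending:  # resolved after parsing: file order is irrelevant
        # nginx inherits proxy_set_header from the outer level only if this level sets none.
        effective = next((b["own"] for b in [block] + parents[::-1] if b["own"]), set())
        path = " > ".join(b["name"] for b in parents[1:] + [block])
        report.append((path, sorted(REQUIRED - effective)))
    return report

# Constructed sample config (not the reporter's attached jenkins.conf).
SAMPLE = """
server {
  proxy_set_header X-Forwarded-Host $http_host;  # defined at server level
  location /partial/ {
    proxy_set_header Host $http_host;            # hides the server-level header
    proxy_pass http://127.0.0.1:8080;
  }
}
"""
print(missing_headers(SAMPLE))
```

In the sample, X-Forwarded-Host is reported missing even though the server block sets it, because the location block defines its own proxy_set_header and so inherits nothing from the outer level.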