Remote Access to Secured Jenkins Server - jenkins

I have a Jenkins installation on a machine running Windows Server 2008. The Jenkins installation is secured using Jenkins' own user database with matrix-based security authorization. Anonymous users don't have any access, except to register an account. I have set up an account and given this account full access.
Now I'd like to trigger a build remotely from a different machine that hosts the repository. I believe this should be possible by accessing the following URL:
https://[username]:[user_api_token]@[address.of.jenkins]:8080/job/[project]/build?token=[project_api_token]
However, this does not seem to be working for me. When I access this site in a browser, Jenkins forwards to the login-page, and does not start the build.
What am I doing wrong? It seems to be an authentication problem, as I'm not logged in after opening the URL above. Furthermore, if I give anonymous users full access, the URL works.

Try invoking the build from a command-line program like curl:
curl "http://[userid]:[user_token]@localhost:8080/job/[project]/build?token=[proj_token]"
or
curl --user "[userid]:[user_token]" "http://localhost:8080/job/[project]/build?token=[proj_token]"
I think your issue could be browser related, embedding credentials within the URL (Firefox pops up a warning in my case telling me I'm about to log in to Jenkins).
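
An added example, not part of the answer above: the same trigger request built in Python with the user ID and API token sent in an Authorization header on the first request instead of inside the URL. The function names, the use of POST and the sample values are assumptions made for illustration; the request is only built, not sent.

```python
import base64
import urllib.parse
import urllib.request


def build_trigger_request(base_url, job, user, api_token, job_token):
    """Build (but do not send) a request that triggers a Jenkins job remotely."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.username or parts.password:
        # Credentials in the URL end up in shell history, proxy logs and
        # browser warnings; refuse them and use the header instead.
        raise ValueError("put credentials in the Authorization header, not the URL")
    url = "{}/job/{}/build?{}".format(
        base_url.rstrip("/"),
        urllib.parse.quote(job, safe=""),
        urllib.parse.urlencode({"token": job_token}),
    )
    # Preemptive Basic auth: the header goes out with the first request, so
    # the client does not depend on the server answering with a challenge
    # (the browser in the question was sent to the login page instead).
    basic = base64.b64encode("{}:{}".format(user, api_token).encode()).decode()
    # Assumption: POST; the curl commands above send GET.
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header("Authorization", "Basic " + basic)
    return req


def redacted(req):
    """Log-safe description of the request: no API token, no job token."""
    parts = urllib.parse.urlsplit(req.full_url)
    return "{} {}://{}{}?token=***".format(
        req.get_method(), parts.scheme, parts.netloc, parts.path)


if __name__ == "__main__":
    # Constructed sample values; send with urllib.request.urlopen(request).
    request = build_trigger_request(
        "http://localhost:8080", "my project", "alice", "11aa", "s3cret")
    print(redacted(request))
```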

Related

Okta unable to access jenkins server

I integrated Jenkins with Okta using the SAML 2.0 plugin.
Issue: When I click on the Jenkins app in the Okta URL, it redirects the request to https://jenkins.xxxx.com/samlLogout/ and displays the message "You are now logged out of Jenkins, however this has not logged you out of SAML".
I want to log in to Jenkins using Okta credentials, but Okta redirects the request to the logout URL and displays the above message.
Please let me know how I can redirect the request to the Jenkins home page (where my jobs are located).

You should first check jenkins.log. I had the same issue with Jenkins version 2.235.3 and SAML plugin 1.1.6. I was seeing the error below in the logs.
SAMLException: Authentication issue instant is too old or in the future
As per https://support.cloudbees.com/hc/en-us/articles/115000087231-SAML-Authentication-issue-instant-is-too-old-or-in-the-future:
Sync servers by installing NTPD
a. Install NTPD on each of the machines running the services to integrate: the IdP provider as well as Jenkins in this case.
b. If you install the NTP service after the IdP provider/Jenkins has already been installed in your network, you should restart the IdP provider/Jenkins service after NTP has been successfully installed.
Maximum authentication time
a. On the IdP side, decrease the time users are being retained to a value less than 24 days.
b. Delete browser cookies and log in again.
Note: Deleting browser cookies may solve your problem temporarily.

Just clearing the cookies did the job.
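
An added example, not from the posts above or the CloudBees article: a diagnostic that reads AuthnInstant from a captured assertion and reports which of the two causes listed above (clock drift or an old IdP session) would trigger the error. The sample assertion is constructed, and the 86400-second lifetime and 60-second skew are assumed values to replace with the ones configured on your side.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the part of an assertion this check reads.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2020-08-01T09:00:00Z"/>
</saml:Assertion>"""


def parse_utc(text):
    """Parse an ISO 8601 timestamp (with 'Z' or an offset) as aware UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def authn_instant(assertion_xml):
    """Return the AuthnInstant of the first AuthnStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(".//saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion has no AuthnStatement/@AuthnInstant")
    return parse_utc(stmt.attrib["AuthnInstant"])


def classify(assertion_xml, now_iso, max_lifetime_s=86400, skew_s=60):
    """Model of the check behind the error, as seen from the validator's clock.

    now_iso is the time on the Jenkins host when the response arrived.
    max_lifetime_s and skew_s are assumptions, not values read from Jenkins.
    """
    age = parse_utc(now_iso) - authn_instant(assertion_xml)
    if age < timedelta(seconds=-skew_s):
        # The IdP says the login happened later than "now": clocks disagree.
        return "in_future"
    if age > timedelta(seconds=max_lifetime_s + skew_s):
        # The IdP reused a session older than the accepted lifetime.
        return "too_old"
    return "ok"


if __name__ == "__main__":
    print(classify(SAMPLE_ASSERTION, "2020-08-03T09:00:00Z"))
```

An "in_future" result points at time synchronisation; "too_old" points at the IdP session length, which is why clearing cookies and logging in again makes the error go away for a while.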

How to resolve the issue in Jenkins

I am new to Jenkins and am working with it by following the link below.
https://blogs.msdn.microsoft.com/visualstudioalm/2016/05/27/continuous-deploymentdelivery-with-jenkins-and-vs-team-services/
I am facing an issue: when I install Jenkins, it redirects to a localhost URL and displays a web page like the figure below. I downloaded Jenkins from the link below. After that redirect, it shows the Jenkins login, and I should mention that I have not set any login details anywhere in Jenkins.
https://jenkins.io/

On Linux, the default "admin" user password is available in the /var/lib/jenkins/secrets/initialAdminPassword file.
I am not 100% sure about Windows; you can check whether a secrets\initialAdminPassword file is available in the Jenkins install directory. If yes, then try to log in with the credentials mentioned in this file.

Why is Web Deploy using the wrong account?

I've verified that Web Deploy works (using NTLM authorization) when I fire it from Visual Studio on my local machine. Now I want my build server to auto-deploy (if appropriate) every night. I'm using Jenkins on the build server, and I've granted the account access in IIS on the remote machine. My parameters to MSBuild are as follows:
/p:DeployOnBuild=true
/p:Configuration=Debug
/p:Platform=x86
/p:PublishProfile=DEV
/p:AuthType=NTLM
/p:AllowUntrustedCertificate=True
/p:Username=
The DEV publish profile specifies my DEV server which uses a self-signed certificate thus necessitating an untrusted certificate. The NTLM and blank username should use the current user/account to connect.
However, the Jenkins job's MSBuild step fails with this error:
msdeploy error ERROR_USER_UNAUTHORIZED: Web deployment task failed. (Connected to the remote computer ("DEV-SERVER") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.)
When I look at the IIS logs on DEV-SERVER, I see the following:
2016-01-06 23:55:10 159.212.19.186 HEAD /msdeploy.axd site=MySite 8172 - 159.212.19.123 - 401 2 5 0
2016-01-06 23:55:10 159.212.19.186 HEAD /msdeploy.axd site=MySite 8172 CO\BUILD-SERVER$ 159.212.19.123 - 401 2 64 78
I was expecting to see CO\jenkins, the account Jenkins is running under, instead of CO\BUILD-SERVER$. (And what's with the $ on the end?) Am I correct in thinking the wrong account is being used? What do I need to do to get this working?

CO\BUILD-SERVER$ is the machine account of your build server.
If you have a slave running on that machine, is it running as a Windows service? If so, it's probably running as "System".
Also re Selenium tests, if the tests are running on the build server then the service may need to be set to run interactively so that the tests can run against a UI.
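
An added example, not part of the posts above: a small parser for the two IIS log entries quoted in the question that reports which identity each failed /msdeploy.axd request presented. The field order is inferred from those two lines and is an assumption, as are the function names.

```python
# Field order inferred from the two log lines in the question (assumption:
# the server's "#Fields:" header is not shown on the page).
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
          "sc-win32-status time-taken").split()

# The two entries quoted in the question.
SAMPLE_LOG = """\
2016-01-06 23:55:10 159.212.19.186 HEAD /msdeploy.axd site=MySite 8172 - 159.212.19.123 - 401 2 5 0
2016-01-06 23:55:10 159.212.19.186 HEAD /msdeploy.axd site=MySite 8172 CO\\BUILD-SERVER$ 159.212.19.123 - 401 2 64 78
"""


def parse(log_text):
    """Yield one dict per W3C log entry, skipping '#' directive lines."""
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(FIELDS):
            raise ValueError("unexpected field count: " + line)
        yield dict(zip(FIELDS, values))


def identity_kind(username):
    """Classify cs-username: anonymous, machine account, or user account."""
    if username == "-":
        return "anonymous"
    account = username.rsplit("\\", 1)[-1]
    # A trailing '$' marks a computer account: the caller authenticated as
    # the host itself, which is what a service running under a built-in
    # identity such as System presents on the network.
    return "machine" if account.endswith("$") else "user"


def failed_deploy_identities(log_text):
    """Return (username, kind) for every 401 against /msdeploy.axd."""
    return [(e["cs-username"], identity_kind(e["cs-username"]))
            for e in parse(log_text)
            if e["cs-uri-stem"].lower() == "/msdeploy.axd"
            and e["sc-status"] == "401"]


if __name__ == "__main__":
    for name, kind in failed_deploy_identities(SAMPLE_LOG):
        print(name, kind)
```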

Jenkins security II - Deny anonymous access but allow access via CLI

I previously asked how to get Jenkins to deny anonymous read access here: Jenkins security - hide all screens unless user is logged in. That solution worked great, except that it broke access to Jenkins via the CLI jar, despite the fact that we're using the CLI via an SSH key associated with a user - I guess that access doesn't constitute an "authentication". Is there a way to get the CLI to have read access, but not users using the front-end UI?
After some more experimentation, this looks to be a flat-out Jenkins bug - granting the Anonymous user Administrative rights is necessary to make access via the cli jar (with an SSH key) or via HTTP (with the user's API token) work.
When using the CLI, you can pass -jnlpCredentials or -auth parameter.
Found it through trial and error using this:
java -jar slave.jar --help
In your case, you'd use the -auth parameter to specify username:pass

Using MsDeploy to deploy Windows Services with preSync command

Is anyone successfully using MsDeploy for deploying Windows services with a preSync runCommand? I've got it working using an Administrator account, but can't for the life of me get it working on a standard user account. Unfortunately I can't use integrated authentication (we're deploying to an external box), and the thought of our Administrator password sitting in plaintext in logs on our build server doesn't exactly make me feel too comfortable. For that matter, neither do any user credentials - but I can't see a way around that.
The command I'm using is this:
"tools/deploy/msdeploy.exe" -verb:sync
-preSync:runCommand="tools\Deploy\PreSyncCommand.cmd",waitInterval=30000
-source:dirPath="C:\BuiltSourcePath"
-dest:computerName=https://server:8172/msdeploy.axd?site=dummysitename,userName=service-deploy,password=service-deploy-pass,authType=basic,dirPath="C:\DeployPath\"
-allowUntrusted
with rules set up in IIS for the dummy site to allow the authentication for the service-deploy windows account, with contentPath and runCommand permissions (for the moment set to C:\ as it's not entirely clear whether this needs to be set to the temporary path that MsDeploy streams to, or the deployment path?). The service-deploy account also has full control of the target directory. I get the following back:
Performing '-preSync'...
Info: Using ID '7a7d34a1-b5d8-49f1-960a-31c9cf825868' for connections to the remote server.
Info: Using ID '4d0b910c-aca4-4640-84bd-3597d22d99d1' for connections to the remote server.
Info: Updating runCommand (C:\TeamCity\buildAgent\work\aec989676b349656\tools\Deploy\PreSyncCommand.cmd).
Warning: Access is denied.
Warning: The process 'C:\Windows\system32\cmd.exe' (command line '/c "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\giz2t0kb.0ay.cmd"') exited with code '0x1'.
This happens even if the contents of PreSyncCommand.cmd are blank. The same command runs fine if I pass in Administrator credentials. I've tried using ProcessMonitor to check if anything's being denied access but can't see any - so I'm guessing it's still an MsDeploy authentication rule. There's nothing in WmSvc.log (debugging is enabled), nor in the event log.
Any ideas? Thanks!

Since you're using Web Deploy via WmSvc, you need to set up appropriate delegation rules on the destination server:
Within IIS Manager, open the "Management Service Delegation" feature. Add a new rule which at least specifies the runCommand provider. In the Run As section, choose Specific User and provide credentials for a local administrator account on that machine. This is the identity under which your runCommand scripts will be executed. Finally, the user which you're specifying for the destination dirPath provider needs to be added to the delegation rule.
That allows you to invoke a deployment using a non-privileged account, and yet have it executed on the target machine under administrative credentials.
More information on IIS feature delegation: http://learn.iis.net/page.aspx/516/configure-the-web-deployment-handler/
