Jenkins proxy 407 error

java apache jenkins proxy ntlm

18,590

Solution 1

We had this issue a rather long time with our Jenkins behind our company's proxy. The other day they changed the order of authentication schemes our proxy desires. This was the day our Jenkins stopped connecting to the internet.

Obviously Jenkins is not able to connect via a proxy that requires NTML authentication. This was what lead me to issue an improvement for Jenkins to extend the proxy configuration screen. During the work on the extension I discovered that Jenkins does not make use of all proxy related system properties, therefore it cannot work with NTLM.

As such the answer for a proxy that allows only NTLM authentication is: it will not work via the Jenkins UI.

But if your proxy allows other authentication schemes, you can follow our workaround, it is rather simple: add the java system property -Dhttp.auth.preference="basic" to your Jenkins startup script or to that one of your container.

This will force the underlying libraries and Java mechanisms Jenkins makes use of to connect to your proxy using basic authentication, not NTLM.

Solution 2

for Java JDK8 and above, Oracle has disabled basic auth tunnelling for Basic authentication. If you want to use Basic mode again (security will be compromised), execute Jenkins adding this parameter to your JAVA_OPTS variable

    "-Djdk.http.auth.tunneling.disabledSchemes="

default value is

    "-Djdk.http.auth.tunneling.disabledSchemes=Basic",

as Basic scheme is DISABLED by default, it will return HTTP 407 error even if your credentials were OK.

more on link https://issues.jenkins-ci.org/browse/JENKINS-48775 Thanks to Israel Romero Fiji

Solution 3

The below solution worked for me for the 407 problem in Windows 7 machine.

1. Stop Jenkins from Windows Services
2. Goto Services.msc > Jenkins > Right Click > Properties > Logon > This account and type in your username and password
3. Click Apply and Ok
3. Start Jenkins

Solution 4

I was getting this error while running jenkins with jetty server on jdk 8.

To resolve issue follow below steps:

Step 1:

Open URL https://updates.jenkins.io/ in browser

Step 2:

To export the Intermediate certificate:

Internet Explorer -> Tools -> Internet Options -> Content -> Certificates -> Go to Trusted Root Certification Authorities Tab and find out the DST Root CA X3 certificate. Then Export the Certificate: Select Certificate -> Export -> DER encoded Binary Format -> Save save the certificate as jenkins.cer (for me it was saved to C:\jenkins\jenkins.cer

( From Firefox -> Tools -> Options -> Advanced -> Encryption -> View Certificates )

Step 3: create keystore with name cacertskeystore

JAVA_HOME\bin\keytool -keystore C:\jenkins\cacertskeystore -genkey -alias cacerts

Step 4:

Add jenkins.cer to cacertskeystore using below command

JAVA_HOME\bin\keytool -import -trustcacerts -Keystore C:\jenkins\cacertskeystore -alias jenkins -file C:\jenkins\jenkins.cer

Step 5: Start jetty server with below command JAVA_HOME\bin\java -DJENKINS_HOME=C:/jenkins/home -Djavax.net.ssl.trustStore=C:/jenkins/cacertskeystore -Djavax.net.ssl.trustStorePassword=password-provided-while-creating-keystore -jar jenkins.war --httpPort=8080--httpListenAddress=localhost

Solution 5

I found this question while affected by bug: https://issues.jenkins-ci.org/browse/JENKINS-48775

The temporary workaround is to open the Jenkins script console and type ProxyConfiguration.open(new java.net.URL("http://jenkins.io")).content

Since it's an http url, and not an https url, it will refresh some caches and make the plugin manager work with the proxy settings, at least for some time. See the bug report for more details.

View more solutions

18,590

Ilves

Updated on September 15, 2022

Comments

Ilves over 1 year

I'm running Jenkins CI inside a corporate network which uses a proxy for internet access.

I tried to configure proxy details in Plugins->Advanced, but even though the credentials are correct (yeah, I checked it a bunch of times), it cannot validate "Test URL" even on http://google.com and returns

Failed to connect to http://google.com (code 407).

Strangely, Jenkins is still able to download plugins itself (whoa!), but totally unable to connect to any HTTP resource. The message that outputs from the console is:

←[0mApr 16, 2015 1:58:56 PM org.apache.commons.httpclient.HttpMethodDirector pro cessProxyAuthChallenge INFO: Failure authenticating with NTLM @proxyrye.asg.com:80 Apr 16, 2015 2:09:09 PM org.apache.commons.httpclient.HttpMethodDirector execute WithRetry INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection timed out: connect Apr 16, 2015 2:09:09 PM org.apache.commons.httpclient.HttpMethodDirector execute WithRetry INFO: Retrying request Apr 16, 2015 2:09:10 PM org.apache.commons.httpclient.auth.AuthChallengeProcesso r selectAuthScheme INFO: ntlm authentication scheme selected ←[31mApr 16, 2015 2:09:10 PM org.apache.commons.httpclient.HttpMethodDirector au thenticate SEVERE: Credentials cannot be used for NTLM authentication: org.apache.commons.h ttpclient.UsernamePasswordCredentials org.apache.commons.httpclient.auth.InvalidCredentialsException: Credentials cann ot be used for NTLM authentication: org.apache.commons.httpclient.UsernamePasswo rdCredentials at org.apache.commons.httpclient.auth.NTLMScheme.authenticate(NTLMScheme .java:332)
Ilves almost 9 years

Unfortunately not that easy. I have tried both to provide and not provide domain name before a username - still to no avail.
Scott Cowan over 7 years

I also was not able to authenticate with my domain\user.
Marek Adamek over 7 years

Thank you so much!
Shishdem over 4 years

This works, but when Jenkins restarts (and in some other cases) it needs to be redone. Therefore I do support this as a workaround, but not as a solution.
Tuan almost 4 years

Great! Thank you.