[JENKINS-75237] Saving the security configuration form changes the Active Directory password in config.xml

[jenkins-infra-bot]

When saving the security configuration, the already encrypted Active Directory password of the Jenkins config.xml was re-encrypted. As a result, the account could no longer connect to the domain and all users no longer had access to the Jenkins Server. In addition, a port was added to the address.
We had to import a backup to be able to use Jenkins again.

---

Originally reported by tea_steffen, imported from: Saving the security configuration form changes the Active Directory password in config.xml

• assignee: fbelzunc
• status: Open
• priority: Minor
• component(s): active-directory-plugin
• resolution: Unresolved
• votes: 0
• watchers: 3
• imported: 2025-12-07

Raw content of original issue

When saving the security configuration, the already encrypted Active Directory password of the Jenkins config.xml was re-encrypted. As a result, the account could no longer connect to the domain and all users no longer had access to the Jenkins Server. In addition, a port was added to the address.
We had to import a backup to be able to use Jenkins again.

• environment: Jenkins Version 2.479.3 running on Debian Bookworm.

4 attachments

• Bild (2).png

  

• config.xml.orginal
• config.xml.save_change_in_group
• config.xml.save_no_change_in_group

[jenkins-infra-bot]

danielbeck:

• Original comment link
• Raw content of original comment:

  When saving a configuration form, not just actual changes, but everything is saved. Based on the description, this looks like a problem in the unspecified security realm configuration form. Without more details, it's impossible to help you; it's however very unlikely that matrix-auth is the culprit, it's just what motivated you saving the configuration.
  
  Given https://en.wikipedia.org/wiki/Bronco_(disambiguation) reveals no useful technology-related terms: Please note that you're reporting this issue to the Jenkins project. This is not an issue tracker internal to your organization.
  

When saving a configuration form, not just actual changes, but everything is saved. Based on the description, this looks like a problem in the unspecified security realm configuration form. Without more details, it's impossible to help you; it's however very unlikely that matrix-auth is the culprit, it's just what motivated you saving the configuration.

Given https://en.wikipedia.org/wiki/Bronco_(disambiguation) reveals no useful technology-related terms: Please note that you're reporting this issue to the Jenkins project. This is not an issue tracker internal to your organization.

[jenkins-infra-bot]

danielbeck:

• Original comment link
• Raw content of original comment:

  While there may be a bug here, it's extremely unlikely to be in matrix-auth, so closing this issue.
  

While there may be a bug here, it's extremely unlikely to be in matrix-auth, so closing this issue.

[jenkins-infra-bot]

tea_steffen:

• Original comment link
• Raw content of original comment:

  Bronco is the name of our Jenkins server, I changed it in the text shortly after it was created.
  Where should we put the bug if not on matrix-auth?
  

Bronco is the name of our Jenkins server, I changed it in the text shortly after it was created.
Where should we put the bug if not on matrix-auth?

[jenkins-infra-bot]

danielbeck:

• Original comment link
• Raw content of original comment:

   Where should we put the bug if not on matrix-auth?
  I don't know, you haven't provided enough information yet. As I mentioned in my first comment, it's not even clear what your security realm is. The screenshot indicates there's a problem with the current configuration already before you submit the form.
  
  I suggest you find someone to assist you with narrowing down the cause of this problem if you don't know how to do that yourself. The forum at community.jenkins.io or Gitter/Matrix chat might be good locations to get started.
  

 Where should we put the bug if not on matrix-auth?

I don't know, you haven't provided enough information yet. As I mentioned in my first comment, it's not even clear what your security realm is. The screenshot indicates there's a problem with the current configuration already before you submit the form.

I suggest you find someone to assist you with narrowing down the cause of this problem if you don't know how to do that yourself. The forum at community.jenkins.io or Gitter/Matrix chat might be good locations to get started.

[jenkins-infra-bot]

tea_steffen:

• Original comment link
• Raw content of original comment:

  It's as simple as it sounds, as soon as I add a group to the matrix, all groups lose their access.
  By saving and reloading this page, you can see the error in the image. 
  Before adding a new group there was of course no error.
  If you then log out, you cannot log in again. Neither can any other user.
  
  Reason for this:
  In the Jenkins config.xml not only the added group is added, but also the encrypted password, which establishes the communication with the domain, is changed. As a result, access is lost for all user groups.
  
  Workaround for us:
  Add groups manually in config.xml. Do not use the matrix-auth.
  

It's as simple as it sounds, as soon as I add a group to the matrix, all groups lose their access.
By saving and reloading this page, you can see the error in the image. 
Before adding a new group there was of course no error.
If you then log out, you cannot log in again. Neither can any other user.

Reason for this:
In the Jenkins config.xml not only the added group is added, but also the encrypted password, which establishes the communication with the domain, is changed. As a result, access is lost for all user groups.

Workaround for us:
Add groups manually in config.xml. Do not use the matrix-auth.

[jenkins-infra-bot]

danielbeck:

• Original comment link
• Raw content of original comment:

  It's as simple as it sounds, as soon as I add a group to the matrix, all groups lose their access.
  By saving and reloading this page, you can see the error in the image. 
  Before adding a new group there was of course no error.
  If you then log out, you cannot log in again. Neither can any other user.
  Could you confirm that the same problem does not occur when you don't change groups, but still save/submit the configuration form?
  
  What is the config.xml content
  
  	
  before submission
  	
  after submission (no changes)
  	
  after submission (add a group)
  
  
  
  ?
  

It's as simple as it sounds, as soon as I add a group to the matrix, all groups lose their access.
By saving and reloading this page, you can see the error in the image. 
Before adding a new group there was of course no error.
If you then log out, you cannot log in again. Neither can any other user.

Could you confirm that the same problem does not occur when you don't change groups, but still save/submit the configuration form?

What is the config.xml content

• before submission
• after submission (no changes)
• after submission (add a group)

?

[jenkins-infra-bot]

tea_steffen:

• Original comment link
• Raw content of original comment:

  We have just tried it, the problem also occurs if you change and save any other thing under ‘Manage Security’. (Without change for groups)
  
  I will add the changes in config.xml to the attachments. (Slightly adapted for reasons of confidentiality)
  
  	
  config.xml.orginal, before any change
  	
  config.xml.save_change_in_group after changing a group and saving
  	
  config.xml.save_no_change_in_group after another change (not a group) and a saving
  
  
  
  In the meantime we updated to Jenkins Version 2.492.1, this didn't change the behaviour.
  
  Could you send the bug to the right place?
  

We have just tried it, the problem also occurs if you change and save any other thing under ‘Manage Security’. (Without change for groups)

I will add the changes in config.xml to the attachments. (Slightly adapted for reasons of confidentiality)

• config.xml.orginal, before any change
• config.xml.save_change_in_group after changing a group and saving
• config.xml.save_no_change_in_group after another change (not a group) and a saving

In the meantime we updated to Jenkins Version 2.492.1, this didn't change the behaviour.

Could you send the bug to the right place?

[jenkins-infra-bot]

danielbeck:

• Original comment link
• Raw content of original comment:

  Could you send the bug to the right place?
  The right place is kinda unknown. Best guess is something's wrong with Active Directory, so rewrote this issue accordingly.
  

Could you send the bug to the right place?

The right place is kinda unknown. Best guess is something's wrong with Active Directory, so rewrote this issue accordingly.