How do I enable Jenkins admin user when using Active Directory login

I have recently switched to using AD login on my Jenkins instance but I notice Jenkins has restricted the functionalities I can access including the Manage Jenkins view https://drive.google.com/file/d/1eo4ZLaKqj0zaE0x27v5aNW0Wj7yUWjwq/view?usp=sharing.

I can no longer log in with the admin user after this reconfiguration, since it returns incorrect password from the Active Directory.

Did I miss something else in configuring AD authentication? If so, what, because the guide I followed was straightforward and has no mention of using the built-in database users. I am not sure either if my permissions will be linked to my AD group (my AD user is not in the Admin group).

I am also not sure whether Jenkins continues supporting login with the admin user after you have enabled AD authentication.

You can disable security to regain access and try again - Disable Access Control

I don’t think the AD plugin does anything permission-wise by default. If you go to /configureSecurity/ (before you disable security above) you can see your current security setup. There’s one section for “Security Realm” where you would set up AD, and another one, “Authorization”, below that for setting up permissions. Depending on what you had before, it may be that only “admin” could do anything, but you can easily set it to “Logged-in users can do anything” or one of the matrix ones to have more fine-grained control. I think there’s another option in there for AD if you install the AD plugin.

I am able to access the menus after reconfig. However, when I attempt to set “Logged-in users can do anything” I get an error which I am still investigating.

I would like to re-enable AD login if this works too.

If you examine the Active Directory plugin, it now has an option for a “Fall-back” user:

  • Since the version 2.5 of the AD plugin, you can define a user to fall back in case there is a communication issue between Jenkins and the AD server.
  • In this way, this admin user can be used to continue administering Jenkins in case of communication issues, where usually you were following the link Disable security.
  • The password of this user is automatically synced with the Jenkins Internal Database by this feature. In order to configure this new feature you should enable Use Jenkins Internal Database in the AD configuration under Manage Jenkins → Configure Global Security and specify a SINGLE user by its username.

This feature DOES NOT synchronize users in the Active Directory server and the Jenkins Internal Database. It ONLY allows you to have a SINGLE fallback user who must be previously created on the Jenkins side.

That’s probably what you want to do for your admin user.

You could also install a user-based authorization, like Role-based Authorization Strategy and assign specific users Admin privileges. There’s lots of info on RBAC strategies in combination with or via other plugins.

I should also point out that wherever possible we always disable the “admin”, “guest” and any other default accounts and assign those roles to specific user or service accounts. That provides a measure of security that an attacker can’t get brute-force access via the default accounts.