Sonarqube integration with Active Directory - Failed to load ADAL4J Java library for performing ActiveDirectoryPassword authentication

SonarQube version: SonarQube 7.9.2
Database: AzureSQL
Connectivity : Active Directory

Scenario: Upgrading SonarQube from version 6.7.5 to 7.9.2; All the previous config [sonar.properties, wrapper.conf] were taken from the previous version. AzureSQL AD integration is working on the current version 7.9.2.

Any help would be highly appreciable.

Unable to establish the connectivity. the following errors/exceptions :

2021.02.12 23:23:16 WARN  web[][o.a.c.l.WebappClassLoaderBase] The web application [ROOT] appears to have started a thread named [elasticsearch[_client_][[timer]]] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.base@11.0.9/java.lang.Thread.sleep(Native Method)
 app//org.elasticsearch.threadpool.ThreadPool$CachedTimeThread.run(ThreadPool.java:574)
2021.02.12 23:23:16 WARN  web[][o.a.c.l.WebappClassLoaderBase] The web application [ROOT] appears to have started a thread named [elasticsearch[_client_][transport_worker][T#1]] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.base@11.0.9/sun.nio.ch.WindowsSelectorImpl$SubSelector.poll0(Native Method)
 java.base@11.0.9/sun.nio.ch.WindowsSelectorImpl$SubSelector.poll(WindowsSelectorImpl.java:357)
 java.base@11.0.9/sun.nio.ch.WindowsSelectorImpl.doSelect(WindowsSelectorImpl.java:182)
 java.base@11.0.9/sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:124)
 java.base@11.0.9/sun.nio.ch.SelectorImpl.select(SelectorImpl.java:136)
 app//io.netty.channel.nio.SelectedSelectionKeySetSelector.select(SelectedSelectionKeySetSelector.java:62)
 app//io.netty.channel.nio.NioEventLoop.select(NioEventLoop.java:765)
 app//io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:413)
 app//io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
 java.base@11.0.9/java.lang.Thread.run(Thread.java:834)
2021.02.12 23:23:16 WARN  web[][o.a.c.l.WebappClassLoaderBase] The web application [ROOT] appears to have started a thread named [elasticsearch[_client_][generic][T#1]] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.base@11.0.9/jdk.internal.misc.Unsafe.park(Native Method)
 java.base@11.0.9/java.util.concurrent.locks.LockSupport.park(LockSupport.java:194)
 java.base@11.0.9/java.util.concurrent.LinkedTransferQueue.awaitMatch(LinkedTransferQueue.java:743)
 java.base@11.0.9/java.util.concurrent.LinkedTransferQueue.xfer(LinkedTransferQueue.java:684)
 java.base@11.0.9/java.util.concurrent.LinkedTransferQueue.take(LinkedTransferQueue.java:1366)
 java.base@11.0.9/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1054)
 java.base@11.0.9/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1114)
 java.base@11.0.9/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
 java.base@11.0.9/java.lang.Thread.run(Thread.java:834)
2021.02.12 23:23:16 WARN  web[][o.a.c.l.WebappClassLoaderBase] The web application [ROOT] appears to have started a thread named [elasticsearch[_client_][transport_worker][T#4]] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.base@11.0.9/sun.nio.ch.WindowsSelectorImpl$SubSelector.poll0(Native Method)
 java.base@11.0.9/sun.nio.ch.WindowsSelectorImpl$SubSelector.poll(WindowsSelectorImpl.java:357)
 java.base@11.0.9/sun.nio.ch.WindowsSelectorImpl.doSelect(WindowsSelectorImpl.java:182)
 java.base@11.0.9/sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:124)
 java.base@11.0.9/sun.nio.ch.SelectorImpl.select(SelectorImpl.java:136)
 app//io.netty.channel.nio.SelectedSelectionKeySetSelector.select(SelectedSelectionKeySetSelector.java:62)
 app//io.netty.channel.nio.NioEventLoop.select(NioEventLoop.java:765)
 app//io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:413)
 app//io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
 java.base@11.0.9/java.lang.Thread.run(Thread.java:834)
2021.02.12 23:23:17 INFO  web[][o.s.s.a.EmbeddedTomcat] HTTP connector enabled on port 80
2021.02.12 23:23:17 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
2021.02.12 23:29:01 INFO  web[][o.s.p.ProcessEntryPoint] Starting web
2021.02.12 23:29:02 INFO  web[][o.a.t.u.n.NioSelectorPool] Using a shared selector for servlet write/read
2021.02.12 23:29:03 INFO  web[][o.e.p.PluginsService] no modules loaded
2021.02.12 23:29:03 INFO  web[][o.e.p.PluginsService] loaded plugin [org.elasticsearch.join.ParentJoinPlugin]
2021.02.12 23:29:03 INFO  web[][o.e.p.PluginsService] loaded plugin [org.elasticsearch.percolator.PercolatorPlugin]
2021.02.12 23:29:03 INFO  web[][o.e.p.PluginsService] loaded plugin [org.elasticsearch.transport.Netty4Plugin]
2021.02.12 23:29:04 INFO  web[][o.s.s.e.EsClientProvider] Connected to local Elasticsearch: [127.0.0.1:9001]
2021.02.12 23:29:04 INFO  web[][o.s.s.p.LogServerVersion] SonarQube Server / 7.9.2.30863 / cd30425aa0b4e62c39b57c81d64be16e365f6d83
2021.02.12 23:29:04 INFO  web[][o.sonar.db.Database] Create JDBC data source for jdbc:sqlserver://XXXSERVER_NAMEXXX;database=XXXXXXDB_NAMEXXXXX;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;authentication=ActiveDirectoryPassword;
2021.02.12 23:29:05 ERROR web[][o.s.s.p.Platform] Web server startup failed
java.lang.IllegalStateException: Fail to connect to database
	at org.sonar.db.DefaultDatabase.start(DefaultDatabase.java:90)
	at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
	at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
	at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
	at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
	at org.picocontainer.behaviors.Stored.start(Stored.java:110)
	at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
	at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
	at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
	at org.sonar.server.platform.platformlevel.PlatformLevel1.start(PlatformLevel1.java:160)
	at org.sonar.server.platform.Platform.start(Platform.java:211)
	at org.sonar.server.platform.Platform.startLevel1Container(Platform.java:170)
	at org.sonar.server.platform.Platform.init(Platform.java:86)
	at org.sonar.server.platform.web.PlatformServletContextListener.contextInitialized(PlatformServletContextListener.java:43)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4817)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5283)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1423)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1413)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.IllegalStateException: Can not connect to database. Please check connectivity and settings (see the properties prefixed by 'sonar.jdbc.').
	at org.sonar.db.DefaultDatabase.checkConnection(DefaultDatabase.java:134)
	at org.sonar.db.DefaultDatabase.start(DefaultDatabase.java:87)
	... 24 common frames omitted
Caused by: java.sql.SQLException: Cannot create PoolableConnectionFactory (Failed to load ADAL4J Java library for performing ActiveDirectoryPassword authentication.)
	at org.apache.commons.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:2385)
	at org.apache.commons.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:2110)
	at org.apache.commons.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:1563)
	at org.sonar.db.profiling.NullConnectionInterceptor.getConnection(NullConnectionInterceptor.java:31)
	at org.sonar.db.profiling.ProfiledDataSource.getConnection(ProfiledDataSource.java:317)
	at org.sonar.db.DefaultDatabase.checkConnection(DefaultDatabase.java:131)
	... 25 common frames omitted
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: Failed to load ADAL4J Java library for performing ActiveDirectoryPassword authentication.
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.validateAdalLibrary(SQLServerConnection.java:4233)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.getFedAuthToken(SQLServerConnection.java:4128)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.onFedAuthInfo(SQLServerConnection.java:4104)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.processFedAuthInfo(SQLServerConnection.java:4067)
	at com.microsoft.sqlserver.jdbc.TDSTokenHandler.onFedAuthInfo(tdsparser.java:264)
	at com.microsoft.sqlserver.jdbc.TDSParser.parse(tdsparser.java:100)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:5036)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3668)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3627)
	at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7194)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2935)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2456)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2103)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1950)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1162)
	at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:735)
	at org.apache.commons.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:53)
	at org.apache.commons.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:291)
	at org.apache.commons.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:2395)
	at org.apache.commons.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:2381)
	... 30 common frames omitted

Hi @azureforgemonitoring ,

As far as I know, Azure AD integration works on SonarQube for user login and group mapping.

It is likely the below exception comes from Azure MSSQL and not SonarQube:

Check on our official documentation how to establish connection with a MSSQL database here (via integrated security or SQL authentication).

You also say:

This is not recommended, as some properties may have changed, been deprecated or removed completely. I would recommend you to complete the new sonar.properties file, one property at a time, without completely copy/pasting the old sonar.properties file.

Also, any reason why you did not upgrade to the latest patched LTS which is 7.9.5 and not 7.9.2?

Best regards,
Daniel

Hi Daniel,
thanks for your reply.

Yes, that’s true, SQ works with the Azure AD. We have the previous version (6.7.5) working on that way. We are using the same jdbc connection/credentials, database didn’t change, reason why we don’t understand the issue!
We rely more for a problem with plugin used for AD integration (sonar-auth-aad-plugin) and the adal4j jar file library on the version 7.9.2.
Regarding the config files (sonar, wrapper) we’ve just dump the previous entries to the new config files. We didn’t copy all the file lines.
The reason why we didn’t patch to the 7.9.5 LTS version was client decision.

Regards.
AzureForgeMonitoring

Right, so it seems you are using a third party plugin to be able to connect to your DB using AD. I suggest you reach out to the maintainer of this plugin for support.

The official AD integration of SonarQube 7.9 LTS only supports AD for user login and group mapping.

We are sorry that you acknowledge also that might a problem on the aad auth plugin itself.
We were expecting that you point us to something such java version or jdbc driver used on SQ 7.9.2 version.
But for us is complete weird why doesn’t work. It’s a minor version between the plugins used for the SQ 6.7.5 and SQ 7.9.2 (sonar-auth-aad-plugin-1.2.0 vs sonar-auth-aad-plugin-1.0.0)

You mentioned that SonarQube 7.9 LTS only supports AD for user login and group mapping.That means between the version 6.7.5 and 7.9.5 they have removed some features regarding the AD integration ?
Thanks.

Hi,

We have not removed any features in terms of AD integration.

Connectivity to your Azure SQL DB via AD was enabled on SQ 6.7 by the third party plugin you relied on: sonar-auth-aad-plugin. This plugin is not maintained by SonarSource and therefore, you should reach out to its maintainer if you want to dig further into this specific plugin problem and attempt its resolution.

This is to say that the problem is not on SonarQube, but either on your Azure SQL server or this plugin.

What I can tell you is to check whether you can authenticate to your database via the officially supported methods described here (Integrated Security or SQL Authentication) by carefully following the steps in there.

Best regards,
Daniel

In addition,

Pay attention to the fact that SonarQube 6.7 relied on Microsoft SQL JDBC Driver 6.2 while SonarQube 7.9 relies on Microsoft SQL JDBC Driver 7.2.2 which you need to deploy as explained in the above document I shared with you.

I ignore if that may solve the problem already, but it is worth making sure you are on the new JDBC driver version and try again.

Hi,
thank you Daniel again for your considerations.

We have a Preprod environment with the version 7.9.2 installed that we can connect successfully, using SQL Authentication, to a cloned DB (copy of Prod DB), that resides on the same Azure SQL Server. We don’t want to change on the PROD env and change the way we are connecting to PROD DB (AD Auth > SQL Auth). We have test also on this PREPROD env the db authentication with the AD but didn’t work.

We think the best way is to try to reach out who’s maintaining the sonar-auth-aad-plugin. Can you help us what 's best way to reach them ? (via GitHub or doing a review here: Azure Active Directory (AAD) Authentication Plug-in for SonarQube | SonarQube™ Marketplace).

We’ve found someone complaining about a same behaviour: AAD authencation is not working when upgraded to SonarQube v7.9.1 LTS version - sonar-auth-aad

Kr.
.ruilucas

That’s indeed the best way. But I cannot help you with that: I would personally reach our via their official plugin page which seems to be this one here.

Cheers,
Daniel