The migrator cannot be used if the Jira Service instance is behind MFA

[Alexander-Hjelm]

Discussed in https://github.com/solidify/jira-azuredevops-migrator/discussions/583

^{Originally posted by **royc75** October 24, 2022} Hello I'm trying to use the tool on Jira server v8.20.12 which is using Microsoft MFA. I'm getting the following 403 upon authentication: ```

Encountered a "403 - Forbidden" error while loading this page.

Basic Authentication Failure - Reason : AUTHENTICATION_DENIED

Go to Jira home

``` I'm sure my credentials are correct. I tried every combination I could think about - My user name with and without the domain, my actual password as well as access token. Same access token works for example for Visual Studio code Jira add on. Any ideas are most welcome. Thanks Roy

[Alexander-Hjelm]

@[royc75, We don't support instances where you are running MFA on your Jira Server, AFAIK. The password should be your JIRA Token, and you need to have the JIRA Server open to REST API calls, otherwise it will not work :)

[royc75]

@Alexander-Hjelm REST is open, I've confirmed on the Jira instance.

VS Code Atlassian extension uses that as well and it works for me there despite MFA being enabled with the same details (token as password).

[royc75]

@Alexander-Hjelm I have also tried with Jira admin user which has got access to everything, same error still. If that solution doesn't support MFA fair enough but most organisations use it these days.

[Alexander-Hjelm]

Shouldn't matter. You can make REST API calls using username and the API token generated by the app. That will bypass the MFA.

-u is your full email and -p is the Jira access token you generated?

Check: https://github.com/solidify/jira-azuredevops-migrator/issues/535

[royc75]

Yes it is and as I said the exact same username and token works for other integrations but not for this one.

@Alexander-Hjelm Just tested with postman - Basic auth doesn't work, same 403, however using the token as a bearer token and I seem to get 200 OK back on /rest/api/3/field

Ah wait, it is taking me to the MS MFA login page :)

Yet again this seems to work just fine on VS Code but there I only set the personal access token it doesn't require the user

[Alexander-Hjelm]

Could be something funky with CAPTCHA on the JIRA server side.

I know that you can set an optional SecurityProtocol here: https://github.com/solidify/jira-azuredevops-migrator/blob/master/src/WorkItemMigrator/JiraExport/JiraServiceWrapper.cs#L28. But we have never had the need to. MFA usually isn't a problem. You could maybe play around with that and see if you can get it working.

[royc75]

Tried to X-Atlassian-Token if that's what you mean, no luck but thanks....

BTW, we are using on prem Jira if it makes any difference and I've set "using-jira-cloud": false in the config.

[Alexander-Hjelm]

No worries: We'll track this as a bug in case something fishy is going on, but can't say when we'll get back to it :)

In the meantime, a bypass solution could be to move a snapshot of your Jira Project to cloud with the Cloud Migration Assistant (https://confluence.atlassian.com/jirakb/how-to-migrate-a-project-from-jira-server-to-jira-cloud-779160760.html), and then use our tool to set up a migration job from Jira Cloud to ADO.

[royc75]

Thanks ! But we don't have Jira Cloud subscription :)

[Alexander-Hjelm]

They have a free jira cloud plan now, I think. Don't know if it's relevant for you, but still an option :) https://support.atlassian.com/jira-cloud-administration/docs/what-is-the-free-jira-cloud-plan/

[royc75]

Works with Jira cloud so must be our setup :-/

[Alexander-Hjelm]

@royc75, we have the option of authenticating via Oauth instead. Would such a solution work for you? and would it be possible for you to provide all the secrets and tokens as shown below:

[roycohen1]

@Alexander-Hjelm Afraid not, I'm not the master of my own domain in this organisation but thanks for the suggestion !

I'm still chasing the admins to advise as I believe it is due to policy / permissions in our Jira

[Alexander-Hjelm]

@royc75 Ok! Let me know if you figure something out! I'll try to look into the issue as best I can in the meantime.

[royc75]

@Alexander-Hjelm The Jira team has created a service account for me which bypass MFA for SSO and it now works ! Unrelated question and apologise for hijacking this discussion for it: Is there a way to migrate work items such that Jira sprints mirror ADO iterations ?

[Alexander-Hjelm]

@royc75 Ok, good to know! I'll recommend this as the first solution to try if anybody experiences the same problem again.

For the sprints, you will have to set the sprint-field property in your config, and add a SprintMapper. See this config for an example: https://github.com/solidify/jira-azuredevops-migrator/blob/master/docs/config.md

[royc75]

Thanks @Alexander-Hjelm I've got few other questions. Would it be possible to connect outside github please ?