Crowd login fails when running two Crowd instances on the same domain

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Problem

It is good practice to have a Production environment as well as a Test/Staging/Dev environment. If you have two Crowd instances running in the same domain, for example crowd.example.com and crowd-dev.example.com, you might notice that you are able to log in to one instance but not the other.

The symptom is that you log in to Crowd Production and everything looks good, but when you then try to log in to Crowd Dev it keeps redirecting back to the login page.

Diagnosis

Environment

  • Crowd Production:  crowd.example.com
  • Crowd Dev: crowd-dev.example.com

Diagnostic Steps

To investigate the issue, check the following:

  1. Capture a HAR file to check whether the request is reaching the server.
  2. In the response from the login action, double-check that you are getting a JSESSIONID and a crowd.token_key cookie.
  3. Try to log in with wrong credentials. You should get an Invalid Login error, which verifies that you are able to reach the server and that the Crowd server is working as intended.
  4. Enable DEBUG logging on Crowd.
    Warning: this logging is very noisy and will quickly fill up your log files. Make sure to disable it once you have identified the issue.
    In the logs, you will notice the following cookies being sent by the browser:

    2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: JSESSIONID / 28A6DF056DF1DBD3336BBA69DEBFBCBF
    2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.token_key / DTMlYimNr0HHwyI8p0xmyA00
    2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.token_key / nA6uRsJ4Li63eeb64atVDg00
    2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: AWSALB / /eldlBkVmsHOtghOKOrvFAN6nObMEBCji2dXBvWo7EVY2P6e6lo1aj9yef4IEvP5XVdrqwC1480b+n3v9uutkmTL6ixPmeCKG2dBY5XcaZT6wQLMr/c8TLe/CKWD

Cause

As the logs above show, the browser holds two crowd.token_key cookies. Because both the Production and Dev instances belong to the domain example.com, the browser sends both cookies and it is ambiguous which one should be used. That causes the redirection to the login page on the Dev instance.
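The following added example (not Atlassian code) scans Crowd DEBUG output in the CrowdHttpTokenHelperImpl format shown above and reports requests in which one cookie name arrived with more than one value. The sample log lines are constructed, and grouping lines into a request by timestamp and thread name is an assumption.

```python
import re
from collections import defaultdict

# Matches the CrowdHttpTokenHelperImpl DEBUG line format shown in the article.
COOKIE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<thread>\S+) DEBUG "
    r"\[integration\.http\.util\.CrowdHttpTokenHelperImpl\] "
    r"Cookie name/value: (?P<name>\S+) / (?P<value>.*)$"
)

def find_duplicate_cookies(lines):
    """Return {(timestamp, thread): {cookie_name: [values]}} for each request
    in which a cookie name was received with more than one distinct value."""
    requests = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = COOKIE_LINE.match(line.strip())
        if not m:
            continue  # not a cookie DEBUG line
        # Assumption: all cookie lines of one request share timestamp and thread.
        values = requests[(m["ts"], m["thread"])][m["name"]]
        if m["value"] not in values:
            values.append(m["value"])
    findings = {}
    for key, cookies in requests.items():
        dups = {name: vals for name, vals in cookies.items() if len(vals) > 1}
        if dups:
            findings[key] = dups
    return findings

# Constructed sample: the first request carries two crowd.token_key cookies,
# the second was made after renaming the Dev SSO cookie (Resolution 1).
PREFIX = "DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value:"
SAMPLE_LOG = [
    f"2017-11-08 14:00:00,100 http-bio-8095-exec-1 {PREFIX} JSESSIONID / SESSION-A",
    f"2017-11-08 14:00:00,100 http-bio-8095-exec-1 {PREFIX} crowd.token_key / TOKEN-FROM-PROD",
    f"2017-11-08 14:00:00,100 http-bio-8095-exec-1 {PREFIX} crowd.token_key / TOKEN-FROM-DEV",
    "2017-11-08 14:00:00,105 http-bio-8095-exec-1 INFO [some.other.Logger] unrelated line",
    f"2017-11-08 14:05:00,200 http-bio-8095-exec-2 {PREFIX} JSESSIONID / SESSION-B",
    f"2017-11-08 14:05:00,200 http-bio-8095-exec-2 {PREFIX} crowd_dev.token_key / TOKEN-FROM-DEV",
]

if __name__ == "__main__":
    for (ts, thread), dups in find_duplicate_cookies(SAMPLE_LOG).items():
        for name, values in dups.items():
            print(f"{ts} {thread}: {name} received with {len(values)} values: {values}")
```
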

Resolution

You can resolve this problem using one of the below suggestions:

Resolution 1 - Change the crowd token cookie name

Since there is a duplicate cookie name belonging to the same domain, you need to specify a different Crowd token cookie name for the Dev instance. To do that, follow these steps:

  1. Log in to the Dev instance using the IP and port http://1.2.3.4:8095/crowd
  2. Go to Settings -> General
  3. Change the SSO Cookie name from the default value crowd.token_key to crowd_dev.token_key or any other name that is different from the one used by the Production instance
  4. Update the settings
  5. You should now be able to log in successfully to both Production and Dev instances without any problems

Resolution 2 - Move Dev instance to a different domain

You can also change the Crowd Dev domain to something other than example.com in order to avoid this issue. You could configure it to crowd.dev.example.com, and that would not confuse the browser, as the Crowd Dev domain is now dev.example.com.

Last modified on Nov 8, 2017
