Crowd user authentication fails with 'Directory 'X' is not functional during authentication' error

Problem

Users are unable to authenticate and the following appears in the atlassian-crowd.log:

2013-07-11 18:22:14,227 http-8495-5 ERROR [crowd.manager.application.ApplicationServiceGeneric] Directory 'example directory' is not functional during authentication of 'example user'. Skipped. 
2016-07-14 18:51:14,893 http-bio-80-exec-22 ERROR anonymous 1130x260x2 zvck2 10.14.149.99 /login.jsp [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'example user'.
com.atlassian.crowd.exception.runtime.OperationFailedException
	at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:922)
	at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:81)
	at com.atlassian.crowd.embedded.core.DelegatingCrowdService.authenticate(DelegatingCrowdService.java:37)
	at com.atlassian.crowd.embedded.core.FilteredCrowdServiceImpl.authenticate(FilteredCrowdServiceImpl.java:51)
	at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:91)
	at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:55)
	...
Caused by: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ExampleDNS.come.ad:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:385)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
	at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$4.timedCall(SpringLdapTemplateWrapper.java:198)
	at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$4.timedCall(SpringLdapTemplateWrapper.java:195)
	at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:89)
	at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.search(SpringLdapTemplateWrapper.java:195)
	at com.atlassian.crowd.directory.SpringLDAPConnector.pageSearchResults(SpringLDAPConnector.java:405)
	at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:476)
	at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:459)
	at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:679)
	at com.atlassian.crowd.directory.SpringLDAPConnector.findUserWithAttributesByName(SpringLDAPConnector.java:628)
	at com.atlassian.crowd.directory.SpringLDAPConnector.findUserByName(SpringLDAPConnector.java:614)
	at com.atlassian.crowd.directory.SpringLDAPConnector.authenticate(SpringLDAPConnector.java:1098)
	at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticateAndUpdateOrCreate(DelegatedAuthenticationDirectory.java:216)
	at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticate(DelegatedAuthenticationDirectory.java:186)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:283)
	at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:194)
	at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:69)
	... 94 more
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ExampleDNS.come.ad:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
	at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
	at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:365)
	... 112 more
Caused by: javax.naming.CommunicationException: DomainDnsZones.corp.ad.cginet:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
	at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
	at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
	at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
	... 114 more
Caused by: java.net.ConnectException: Connection timed out: connect
	at java.net.DualStackPlainSocketImpl.connect0(Native Method)
	at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)

Cause

This occurs when an OperationFailedException is thrown while attempting to authenticate a user. The exception is typically thrown when an operation on the remote directory fails for some reason. For example:

  1. General network errors (e.g.: unable to route to the server due to DNS, firewall, slow network speeds)
  2. The external user directory is offline
  3. The external user directory is unreachable
  4. LDAP errors
  5. Intermittent timeouts, which can make the error occur sporadically.

Resolution

  1. Double check the external user directory and ensure it is online.
  2. Ping the external user directory using the URL defined in Crowd and ensure Crowd can resolve it. If not, then work with your network team to correct the path. As a temporary measure, the IP address of the server housing the external user directory can be used.
  3. If the issue persists, add the DEBUG log level for the crowd.manager.application.ApplicationServiceGeneric package (see Logging and Profiling for detailed instructions on how to do that), and check the logs for any errors, exceptions or otherwise.
  4. If you're still unable to resolve the problem, contact support and attach the log folder, captured with the increased log levels (from #3) after the issue occurs.
  5. Set the timeout to a large number as per Setting Properties and Options on Startup:

    -Dcom.sun.jndi.ldap.connect.timeout=50000

    More information about the connect timeout can be found in Oracle's Setting Timeout for Ldap Operations documentation.
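
Before running the checks in Resolution steps 1 and 2, it helps to know which host the JNDI layer actually failed to reach; in the trace above the deepest `CommunicationException` names a different host than the outer ones and was raised from `LdapReferralException.getReferralContext`. The following is an added example (not Atlassian's code) that extracts the failing directory, user and endpoint from a log excerpt; the function name `summarize_failures`, the sample log and its `example.test` hostnames are constructed for illustration.

```python
import re

# Constructed sample in the shape of the atlassian-crowd.log excerpt above
# (hostnames are placeholders, not values from a real deployment).
SAMPLE_LOG = """\
2013-07-11 18:22:14,227 http-8495-5 ERROR [crowd.manager.application.ApplicationServiceGeneric] Directory 'example directory' is not functional during authentication of 'example user'. Skipped.
com.atlassian.crowd.exception.runtime.OperationFailedException
\tat com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:81)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ldap.example.test:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
\tat com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
Caused by: javax.naming.CommunicationException: DomainDnsZones.example.test:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
\tat com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
Caused by: java.net.ConnectException: Connection timed out: connect
\tat java.net.DualStackPlainSocketImpl.connect0(Native Method)
"""

DIRECTORY_RE = re.compile(
    r"Directory '([^']*)' is not functional during authentication of '([^']*)'")
# Only the exception's own "Caused by" line is matched, not copies nested in wrappers.
ENDPOINT_RE = re.compile(
    r"^Caused by: javax\.naming\.CommunicationException: (?P<host>[^\s:\[]+):(?P<port>\d+)"
    r" \[Root exception is (?P<root>[\w.$]+)(?:: (?P<msg>[^\]]*))?\]")

def summarize_failures(log_text):
    """Return ([(directory, user)], [endpoint dicts]) found in a log excerpt."""
    directories = sorted(set(DIRECTORY_RE.findall(log_text)))
    endpoints = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = ENDPOINT_RE.match(line)
        if not m:
            continue
        # The first frame under "Caused by" shows where the connection was opened.
        first_frame = lines[i + 1].strip() if i + 1 < len(lines) else ""
        entry = {
            "host": m["host"], "port": int(m["port"]),
            "root_cause": m["root"], "detail": (m["msg"] or "").strip(),
            "via_referral": "LdapReferralException" in first_frame,
        }
        if entry not in endpoints:  # repeated login attempts log the same chain
            endpoints.append(entry)
    return directories, endpoints

if __name__ == "__main__":
    dirs, eps = summarize_failures(SAMPLE_LOG)
    print(dirs)
    for ep in eps:
        print(ep)
```

An endpoint reported with `via_referral` set is the host to test for name resolution and reachability from the Crowd server, since it may differ from the URL configured for the directory.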

Last modified on Jul 29, 2021