Confluence stops authenticating Active Directory users with highestCommittedUSN error

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Confluence integrated with Active Directory stops authenticating users after a few hours.

This is similar to the behaviour described in "Jira server stops authenticating Active Directory users with highestCommittedUSN error".

Environment

Server and Data Center.

Active Directory

Diagnosis

The following appears in the atlassian-confluence.log:

2020-11-02 17:37:35,650 ERROR [Caesium-1-2] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Incremental synchronisation for directory [ 455321 ] was unexpectedly interrupted, falling back to a full synchronisation
com.atlassian.crowd.exception.OperationFailedException: Error looking up attributes for highestCommittedUSN
    at com.atlassian.crowd.directory.MicrosoftActiveDirectory.fetchHighestCommittedUSN(MicrosoftActiveDirectory.java:703)
    at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseChanges(

Caused by: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: statcan.ca:389; nested exception is javax.naming.CommunicationException: ldap.example:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
    at org.springframework.transaction.compensating.support.AbstractCompensatingTransactionManagerDelegate.doBegin(AbstractCompensatingTransactionManagerDelegate.java:90)
    at org.springframework.ldap.transaction.compensating.manager.ContextSourceTransactionManager.doBegin(ContextSourceTransactionManager.java:123)

There are no details on how the problem starts. Confluence seems to synchronise the users properly when it is started (full synchronisation), but the incremental synchronisation fails and users are unable to log in until the full synchronisation is executed again.
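
Added example (not part of the original article and not Atlassian tooling): a Python script that scans atlassian-confluence.log text for the interrupted incremental synchronisation shown above and reports, per directory ID, how often the highestCommittedUSN lookup failed and which LDAP endpoint was named in the exception. The function names are hypothetical, the sample log is constructed, and the script assumes the log line layout matches the excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the excerpt above; IDs and hosts are placeholders.
SAMPLE_LOG = """\
2020-11-02 17:37:35,650 ERROR [Caesium-1-2] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Incremental synchronisation for directory [ 455321 ] was unexpectedly interrupted, falling back to a full synchronisation
com.atlassian.crowd.exception.OperationFailedException: Error looking up attributes for highestCommittedUSN
    at com.atlassian.crowd.directory.MicrosoftActiveDirectory.fetchHighestCommittedUSN(MicrosoftActiveDirectory.java:703)
Caused by: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is javax.naming.CommunicationException: ldap.example:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
2020-11-02 18:37:35,120 ERROR [Caesium-1-3] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Incremental synchronisation for directory [ 455321 ] was unexpectedly interrupted, falling back to a full synchronisation
com.atlassian.crowd.exception.OperationFailedException: Error looking up attributes for highestCommittedUSN
Caused by: javax.naming.CommunicationException: ldap.example:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
2020-11-02 18:40:00,000 ERROR [Caesium-1-4] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Incremental synchronisation for directory [ 999001 ] was unexpectedly interrupted, falling back to a full synchronisation
com.atlassian.crowd.exception.OperationFailedException: constructed unrelated cause
"""

EVENT = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")
INTERRUPTED = re.compile(r"Incremental synchronisation for directory \[ *(\d+) *\] was unexpectedly interrupted")
USN_ERROR = "Error looking up attributes for highestCommittedUSN"
LDAP_ENDPOINT = re.compile(r"CommunicationException: ([\w.-]+:\d+)")

def find_usn_sync_failures(log_text):
    """Return one dict per interrupted incremental sync caused by the USN lookup."""
    failures, current = [], None
    for line in log_text.splitlines():
        start = EVENT.match(line)
        if start:  # a timestamped line opens a new log event
            hit = INTERRUPTED.search(line)
            current = None
            if hit:
                current = {"time": start.group(1), "directory": hit.group(1),
                           "usn_error": False, "endpoints": set()}
                failures.append(current)
        if current is not None:  # the event line itself or its stack-trace continuation
            if USN_ERROR in line:
                current["usn_error"] = True
            current["endpoints"].update(LDAP_ENDPOINT.findall(line))
    return [f for f in failures if f["usn_error"]]

def summarise(failures):
    """Map directory ID -> (failure count, sorted LDAP endpoints named in the traces)."""
    by_dir = defaultdict(lambda: [0, set()])
    for f in failures:
        by_dir[f["directory"]][0] += 1
        by_dir[f["directory"]][1] |= f["endpoints"]
    return {d: (n, sorted(eps)) for d, (n, eps) in by_dir.items()}

if __name__ == "__main__":
    for directory, (count, endpoints) in summarise(find_usn_sync_failures(SAMPLE_LOG)).items():
        print(f"directory {directory}: {count} USN sync failures, endpoints {endpoints}")
```

To run it against a real instance, pass the contents of atlassian-confluence.log to find_usn_sync_failures instead of SAMPLE_LOG. An endpoint that is a domain name rather than a single Domain Controller matches the cause described below.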

Cause

Active Directory clustering is not supported by Crowd or Embedded Crowd. See CWD-2783 - Detect Active Directory server to handle usnChanged attribute correctly.

Solution

Change the LDAP server to point to one server. If there are multiple LDAP domains, point the connection to a single Domain Controller and not to the domain name.

Updated on February 27, 2025
