Logging out intermittently from Crowd Administration Console
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Users logged in to the Crowd Administration Console are intermittently logged out.
Diagnosis
After setting the logging level to DEBUG for the class com.atlassian.crowd, you can observe in the log that Crowd does not recognise the auth token as valid:
2023-11-03 03:50:59,619 http-nio-8095-exec-56 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Unable to find a valid Crowd token.
2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Checking for a SSO token that will need to be verified by Crowd.
2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] No request attribute token could be found, now checking the browser submitted cookies.
2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: JSESSIONID / D9D45FADB5DEC98BE537BD3785181D78
2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.rememberme.token / Mjg2MDY1MDQ6M2ViMDdhZTRhNWI4ZTViNjQ3ZDUyN2JhZGExYmRlY2M1NTQ5ODdiNDo4MTU3N2MzZDZmNDk5MDAxNzI4YzhkNmIxOTY2OTJlMzMyMjFhMDc2
...
...
2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Unable to find a valid Crowd token.
2023-11-03 03:50:59,622 http-nio-8095-exec-30 INFO [atlassian.crowd.service.TransactionalRememberMeService] Refreshing the remember-me token for series '3eb07ae4a5b8e5b647d527bada1bdecc554987b4' for user 'admin' & directory-id '111111'
2023-11-03 03:50:59,622 http-nio-8095-exec-30 DEBUG [crowd.dao.rememberme.CrowdRememberMeTokenDAOHibernate] Saving object: InternalCrowdRememberMeToken{id=null, token=d9979aa6d6da461a40275919c931ca56053898f6, username=admin, directoryId=111111, createdTime=2023-11-03T03:42:49.966523, usedTime=null, series=3eb07ae4a5b8e5b647d527bada1bdecc554987b4, remoteAddress=null}
...
...
2023-11-03 03:50:59,625 http-nio-8095-exec-38 DEBUG [atlassian.crowd.service.TransactionalRememberMeService] Failed to claim token for series '3eb07ae4a5b8e5b647d527bada1bdecc554987b4'
2023-11-03 03:50:59,626 http-nio-8095-exec-30 DEBUG [crowd.integration.springsecurity.CrowdAuthenticationProvider] Processing a CrowdRememberMeAuthentication
2023-11-03 03:50:59,639 http-nio-8095-exec-44 DEBUG [directory.ldap.monitoring.ExecutionInfoNameClassPairCallbackHandler] The operation returned 0 results
Looking at the earlier entries in the log, you can see that the SSO cookie value is correct, but Crowd rejects it with "The token keys don't match":
2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: JSESSIONID / 0674188C6C21EC60CC0E7F056410E133
2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.token_key / zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu
2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Accepting the SSO cookie value: zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu
2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Existing token value yet to be verified by Crowd: zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu
2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [crowd.integration.springsecurity.CrowdAuthenticationProvider] Processing a CrowdSSOAuthenticationToken
2023-11-03 03:49:45,659 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] validateUserToken: zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu
2023-11-03 03:49:45,659 http-nio-8095-exec-312 DEBUG [crowd.manager.validation.ClientValidationManagerImpl] Client address: 10.100.0.1
2023-11-03 03:49:45,659 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] genericValidateToken
2023-11-03 03:49:45,660 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] genericValidateToken
2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] checking if the token is expired:
2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] now: Fri Nov 03 03:49:45 EDT 2023
2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] last accessed: Fri Nov 03 03:49:42 EDT 2023
2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] expiry time: Fri Nov 03 05:49:42 EDT 2023
2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] allowed session time (seconds): 7200
2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] checking if the token is expired:
2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] now: Fri Nov 03 03:49:45 EDT 2023
2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] last accessed: Fri Nov 03 03:49:42 EDT 2023
2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] expiry time: Fri Nov 03 03:50:42 EDT 2023
2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] allowed session time (seconds): 60
2023-11-03 03:49:45,661 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] includeIpAddressInValidationFactors: true
2023-11-03 03:49:45,661 http-nio-8095-exec-152 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating random hash for principal: admin
2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 10.100.0.0
2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding Random-Number of ValidationFactor[Random-Number=8288645061651178569]
2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] Current Validation Factors: [ValidationFactor[remote_address=10.100.0.0]]
2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] comparing existing token Token{identifierHash='EB-JnHPUhM2eb04dytkbQg', lastAccessedTime=1698997782945, createdDate=2023-11-03 02:29:56.615, duration=null, name='admin', directoryId=111111} with a validation token SYw1Rt8jrDN0sR4Zi0qvngAAAAAAAIABc29lLWFkbWlu
2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl$TokenValidationFailure] Existing token 'zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu' for user 'admin' does not match new token 'SYw1Rt8jrDN0sR4Zi0qvngAAAAAAAIABc29lLWFkbWlu' with validation factors 'ValidationFactor[remote_address=10.100.0.0]'
2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] The token keys don't match
2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] includeIpAddressInValidationFactors: true
2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating random hash for principal: production-principal
2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding Random-Number of ValidationFactor[Random-Number=1959884485844507132]
2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] Current Validation Factors: []
2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] comparing existing token Token{identifierHash='pL1RlHUxBh0MyxXdcNGZzg', lastAccessedTime=1698997782129, createdDate=2023-11-01 03:05:08.564, duration=60, name='production-principal', directoryId=-1} with a validation token EGw1sFPhy8JuqxlP-s4PYP__________cHJvZC1zdGFzaA
2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] returning validated token, with updated last accessed time
Notice from this log that the remote IP changes from remote_address=10.100.0.1 to remote_address=10.100.0.0 between token validation and token generation.
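The check described above can be run over a whole DEBUG log with a short script. This Python example is added here and is not part of the original article or of Atlassian's tooling; it assumes the log line layout shown above, and the function name and the 5-second correlation window are illustrative choices.

```python
import re
from datetime import datetime, timedelta

# Abridged copies of lines from the DEBUG log shown above (token values shortened).
SAMPLE_LOG = """\
2023-11-03 03:49:45,659 http-nio-8095-exec-312 DEBUG [crowd.manager.validation.ClientValidationManagerImpl] Client address: 10.100.0.1
2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 10.100.0.0
2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl$TokenValidationFailure] Existing token 'zmZr...' for user 'admin' does not match new token 'SYw1...' with validation factors 'ValidationFactor[remote_address=10.100.0.0]'
"""

# Assumed layout: "<date> <time>,<ms> <thread> <LEVEL> [<logger>] <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\S+) (\w+) +\[([^\]]+)\] (.*)$")
ADDR = re.compile(r"(?:Client address: |Adding remote address of )(\S+)")
FAIL = re.compile(r"for user '([^']+)' does not match new token .*remote_address=([^\]]+)\]")


def find_ip_mismatches(log_text, window_seconds=5):
    """List token validation failures with other client addresses logged nearby."""
    seen = []      # (timestamp, address) for every address Crowd logged
    failures = []  # (timestamp, user, address used as validation factor)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip "..." and continuation lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        msg = m.group(5)
        addr = ADDR.search(msg)
        if addr:
            seen.append((ts, addr.group(1)))
        fail = FAIL.search(msg)
        if fail:
            failures.append((ts, fail.group(1), fail.group(2)))

    window = timedelta(seconds=window_seconds)
    report = []
    for ts, user, used in failures:
        # Addresses logged close to the failure that differ from the one validated
        others = sorted({ip for t, ip in seen if abs(t - ts) <= window and ip != used})
        report.append({"time": ts.isoformat(sep=" ", timespec="milliseconds"),
                       "user": user, "validation_address": used,
                       "other_addresses": others, "ip_changed": bool(others)})
    return report


if __name__ == "__main__":
    for entry in find_ip_mismatches(SAMPLE_LOG):
        print(entry)
```

On a busy node the window can also pick up addresses of unrelated clients, so treat `ip_changed` as a pointer to the entries worth reading rather than as proof.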
Cause
A Load Balancer/Proxy is configured in front of Crowd, and requests sometimes arrive from different IP addresses.
Crowd is configured with "Require consistent client IP address" enabled. This setting ties authenticated sessions to the IP address they were created from. This means that an attempt to use that session from another machine will fail, which will force mobile clients to reauthenticate when their IP address changes. When disabled, any session can be used from any IP address. You can read more about it in Session configuration.
Solution
Ensure that your Load Balancer/Proxy is added as a Trusted Proxy.
- Log in to the Crowd Administration Console.
- In the top navigation bar, click General Configuration > Trusted proxy servers.
- Add the IP address or the host name of the proxy server.
In addition, uncheck "Require consistent client IP address" and clear the existing cached tokens, which may be causing a conflict:
- Log in to the Crowd Administration Console.
- In the top navigation bar, click General Configuration > Session Configuration.
- Disable "Require consistent client IP address".
- Run the following SQL command to delete any existing tokens from the database for the admin user:
DELETE FROM cwd_token WHERE entity_name = 'admin';
- Clear the browser cache, including cookies
- Restart Crowd