Active Directory users fail to log on intermittently

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible



Problem

Users see intermittent authentication failures: a user's attempt to log in to Jira with their AD domain account credentials fails.


The following appears in atlassian-jira.log:

2018-01-26 14:10:52,581 http-nio-8080-exec-2 INFO vicknesh 850x72031x1 hd3fw 192.168.5.5 /secure/admin/WebSudoAuthenticate.jspa [c.a.c.directory.ldap.SpringLdapTemplateWrapper] Timed call for search with handler on DC=atlassian,DC=co,DC=uk took 21644ms
2018-01-26 14:10:52,582 http-nio-8080-exec-2 ERROR vicknesh 850x72031x1 hd3fw 192.168.5.5 /secure/admin/WebSudoAuthenticate.jspa [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'Active Directory server' is not functional during authentication of 'vicknesh'. Skipped.
2018-01-26 14:10:52,583 http-nio-8080-exec-2 ERROR [o.a.c.c.C.[.[localhost].[/].[action]] Servlet.service() for servlet [action] in context with path [] threw exception [com.atlassian.crowd.exception.runtime.OperationFailedException] with root cause
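
To gauge how often this pattern occurs in your own atlassian-jira.log, the following added example (not part of the original article and not Atlassian code) pairs each "is not functional during authentication" error with the LDAP search timed just before it on the same thread. The line layout is inferred from the excerpt above, and the 5000 ms `slow_ms` threshold and the function name are assumptions.

```python
import re
from collections import namedtuple

# Sample input: the first line is constructed; the other three are the
# excerpt from this article.
SAMPLE_LOG = """\
2018-01-26 14:10:30,100 http-nio-8080-exec-7 INFO alice 850x72030x1 abc123 192.168.5.9 /login.jsp [c.a.c.directory.ldap.SpringLdapTemplateWrapper] Timed call for search with handler on DC=atlassian,DC=co,DC=uk took 120ms
2018-01-26 14:10:52,581 http-nio-8080-exec-2 INFO vicknesh 850x72031x1 hd3fw 192.168.5.5 /secure/admin/WebSudoAuthenticate.jspa [c.a.c.directory.ldap.SpringLdapTemplateWrapper] Timed call for search with handler on DC=atlassian,DC=co,DC=uk took 21644ms
2018-01-26 14:10:52,582 http-nio-8080-exec-2 ERROR vicknesh 850x72031x1 hd3fw 192.168.5.5 /secure/admin/WebSudoAuthenticate.jspa [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'Active Directory server' is not functional during authentication of 'vicknesh'. Skipped.
2018-01-26 14:10:52,583 http-nio-8080-exec-2 ERROR [o.a.c.c.C.[.[localhost].[/].[action]] Servlet.service() for servlet [action] in context with path [] threw exception [com.atlassian.crowd.exception.runtime.OperationFailedException] with root cause
"""

# Assumed layout, taken from the excerpt: "<date> <time> <thread> <LEVEL> <rest>".
PREFIX = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<thread>\S+) [A-Z]+ (?P<rest>.*)$")
SEARCH = re.compile(r"Timed call for search with handler on (?P<base>\S+) took (?P<ms>\d+)ms")
FAILED = re.compile(r"Directory '(?P<dir>[^']*)' is not functional during authentication of '(?P<user>[^']*)'")

Incident = namedtuple("Incident", "timestamp user directory base_dn search_ms")


def find_incidents(lines, slow_ms=5000):
    """Pair each 'not functional' error with the last LDAP search timed on the
    same thread, keeping the pairing only if that search took >= slow_ms
    (slow_ms is an assumed threshold, not a value from the article)."""
    last_search = {}  # thread name -> (base DN, duration in ms)
    incidents = []
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue  # stack-trace or continuation line
        search = SEARCH.search(m["rest"])
        if search:
            last_search[m["thread"]] = (search["base"], int(search["ms"]))
            continue
        failed = FAILED.search(m["rest"])
        if failed:
            base, ms = last_search.pop(m["thread"], (None, None))
            if ms is None or ms < slow_ms:
                base, ms = None, None  # no slow search to blame; still report
            incidents.append(Incident(m["ts"], failed["user"], failed["dir"], base, ms))
    return incidents


if __name__ == "__main__":
    for incident in find_incidents(SAMPLE_LOG.splitlines()):
        print(incident)
```

Incidents that share one base DN and show search times of many seconds match the excerpt above; a failure reported with no slow search attached does not match it and needs separate investigation.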

Cause

Unknown

Workaround



Turning off "Follow Referrals (Allow the LDAP server to redirect requests to other servers.)" allows the login to work consistently. 


To turn off this option, follow the steps below:

  1. Access "User Directories" page in JIRA.
  2. Edit the user directory.
  3. Click on "Advanced Settings" and untick "Follow Referrals".

What are the implications of disabling 'Follow Referrals'?

  • If you only have one domain, there should be no adverse effects.
  • If you have multiple domains joined in a Forest, then any cross-domain memberships will not be resolved.
  • If you must have cross-domain memberships and you can't fix the DNS issues, then you can point JIRA at your Global Catalog. This is read-only, but it does contain all users, groups, and memberships from across your Forest. Talk to your AD admin for Global Catalog connection details.

Last modified on Oct 1, 2019
