Customers cannot log into the Service Desk Customer portal due to the error "your username and password are incorrect"
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
All local Jira Service Management customers and agents, including local admin accounts, are not able to log into Service Management at all. The following error is seen on-screen:
Sorry, your username and password are incorrect. Please try again.
The following generic authentication error appears in the atlassian-jira.log
:
2014-10-30 13:06:41,806 http-bio-9000-exec-3 anonymous 786x735516x1 1j5qh57 198.76.89.7,184.28.17.74,204.156.15.149,127.0.0.1 /servicedesk/customer/portal/13/user/login login : 'servicedeskcustomer' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
Jira is configured to achieve SSO through Crowd. That is: <jira_install>/atlassian-jira/WEB-INF/classes/seraph-config.xml has the Crowd SSO authenticator enabled and the default Jira authenticator disabled :
<!-- CROWD:START - If enabling Crowd SSO integration uncomment the following SSOSeraphAuthenticator and comment out the JiraSeraphAuthenticator below -->
<authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/>
<!-- CROWD:END -->
<!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration -->
<!--authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/-->
<!-- CROWD:END -->
Cause
When Jira is configured to achieve SSO through Crowd, only users from Crowd will be allowed to authenticate. Local Jira users, including administrators, will not be able to log in unless Crowd SSO is disabled.
Resolution
This problem cannot be resolved by having both Crowd SSO and the Jira local (internal) directory active at the same time. The only choices are to have Crowd SSO OR the Jira local (internal) directory, but not both.
To enable the Jira local (internal) directory, which will disable Crowd SSO:
Jira Service Management Customers WILL NOT count toward your Jira license in this scenario.
You will need to disable Crowd SSO to log in as a local user (or any other non-Crowd user, e.g. an LDAP account):
Shut down Jira.
Edit <jira_install>/atlassian-jira/WEB-INF/classes/seraph-config.xml
Uncomment the default Jira authenticator:
<authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
Comment out the Crowd SSO authenticator:
<!-- <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/> -->
Start Jira back up
If you do not remember your local administrator username or password, please see the following documentation on how you can locate or reset its password via the database: Retrieving the JIRA Administrator
To enable Crowd SSO to allow Jira Service Management Customer's to login, which will disable the Jira local (internal) directory:
The Jira Service Management Customer's WILL COUNT toward your Crowd licensing which will entail additional licensing costs.
In Jira:
Make sure the connection to the crowd server has both read and write permission
Make sure the crowd server is the top most directory in the "Users Directory" section of Jira admin
In Crowd:
Make sure the directory associated with the Jira application has the option Allow all users from this directory to authenticate set to true. To do this:
Log into the Crowd application
Click on the Applications menu from the Top Bar Menu
Search for the Jira application and click on it
Locate the right directory, and click on the "X group" link in the Who can authenticate column
Tick the option Allow all users from this directory to authenticate and save the changes
This ensures that customers created through Jira Service Management are created properly in crowd and can authenticate even though they are in no groups.
Please note:
Users that have already been created in the local Jira directory will still be unable to log in while Crowd (SSO) is configured.
Sometimes, there is a short delay after creating a user where Crowd will not have synchronized it's directory with Jira. It is possible to manually force a sync in the admin UI. During this window, users will also be unable to log in.
This issue is related to this report:
- JSDSERVER-923 - JIRA + JSD 2.0 + Crowd (SSO) - Customers can't log in
- JSDSERVER-1244 - Create a Crowd SSO authenticator that will allow Customers to be authenticated from the local directory
- JRASERVER-42418 - Allow Internal users to login with SSO enabled