External LDAP Directory users cannot log in in Jira with LDAP error code 49 data 775
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Users that belong to external LDAP directories such as Crowd, Active Directory cannot log in to Jira.
The Browser says: Authentication failed.
Environment
Jira 7.x and 8.x
.
Diagnosis
The following error message is present in atlassian-jira.log:
2021-09-20 14:27:57,353-0400 http-nio-8080-exec-23 ERROR anonymous 867x269792x1 1nb81f1 10.10.50.50,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'Active Directory server (10000)' is not functional during authentication of 'sample-user'. Skipped.
2021-09-20 14:27:57,400-0400 http-nio-8080-exec-23 ERROR anonymous 867x269792x1 1nb81f1 10.10.50.50,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login [c.a.j.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'sample-user'.
com.atlassian.crowd.exception.runtime.OperationFailedException
Caused by: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1]
Cause
The 775 data error means the LDAP account used to set up the Jira's LDAP directory is locked in the LDAP Server.
There could be other data codes besides 775. Please check the error code (in the example above, it's 775) and match it with the description in the following table:
525 | user not found |
52e | invalid credentials |
530 | not permitted to logon at this time |
531 | not permitted to logon at this workstation |
532 | password expired (remember to check the user set in osuser.xml also) |
533 | account disabled |
701 | account expired |
773 | user must reset password |
775 | user account locked |
In the example above, the error code is 775 (user account locked).
Solution
Since the issue is often originated from Active Directory, consult with the AD administrator to unlock the account.
Once the account has been unlocked, restart Jira and try to log in again.