Jira stops authenticating Active Directory users with highestCommittedUSN error
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
Jira integrated with Active Directory stops authenticating users after a while. The following appears in atlassian-jira.log:
2017-03-30 13:25:13,161 scheduler_Worker-9 INFO [atlassian.crowd.directory.DbCachingRemoteDirectory] synchronisation for directory [ 3964929 ] starting
2017-03-30 13:25:13,163 scheduler_Worker-9 INFO [atlassian.crowd.directory.DbCachingRemoteDirectory] failed synchronisation complete for directory [ 3964929 ] in [ 2ms ]
2017-03-30 13:25:13,171 scheduler_Worker-9 ERROR [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 3964929 ].
com.atlassian.crowd.exception.OperationFailedException: Error looking up attributes for highestCommittedUSN
at com.atlassian.crowd.directory.MicrosoftActiveDirectory.fetchHighestCommittedUSN(MicrosoftActiveDirectory.java:847)
at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseChanges(UsnChangedCacheRefresher.java:80)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:993)
...
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580 ]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:182)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
...
... 20 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580 ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
....
... 30 more
Confluence integrated with Active Directory stops authenticating users, user directory synchronization fails, and the following appears in atlassian-confluence.log:
2020-10-27 14:08:44,183 ERROR [Caesium-1-3] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 57835521 ].
com.atlassian.crowd.exception.OperationFailedException: No highestCommittedUSN attribute found for AD root
at com.atlassian.crowd.directory.MicrosoftActiveDirectory.fetchHighestCommittedUSN(MicrosoftActiveDirectory.java:700)
at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:148)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:978)
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:67)
Cause
Active Directory Clustering is not supported by Crowd or Embedded Crowd. See CWD-2783 - Detect Active Directory server to handle usnChanged attribute correctly.
Resolution 1
Change the LDAP server setting so that it points to a single server.
Resolution 2
Switch the active user directory from "Microsoft Active Directory" to "Generic Directory Server", then click Synchronize.
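To check whether an application log contains the failures shown under Problem, the following added example (not Atlassian code) scans log text for directory poller errors caused by highestCommittedUSN and decodes the Active Directory sub-code after "data" in LDAP error 49. The sample log is constructed from the excerpts above; the function name and the field names are assumptions of this example.

```python
import re

# Constructed sample, shortened from the log excerpts in the Problem section.
SAMPLE_LOG = """\
2017-03-30 13:25:13,171 scheduler_Worker-9 ERROR [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 3964929 ].
com.atlassian.crowd.exception.OperationFailedException: Error looking up attributes for highestCommittedUSN
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580 ]
2020-10-27 14:08:44,183 ERROR [Caesium-1-3] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 57835521 ].
com.atlassian.crowd.exception.OperationFailedException: No highestCommittedUSN attribute found for AD root
"""

# AD bind sub-codes (hex Win32 error numbers) reported after "data" in LDAP error 49.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

POLL_ERROR = re.compile(r"^(\S+ \S+) .*DbCachingDirectoryPoller\].*refreshing the cache for directory \[ (\d+) \]")
USN_ERROR = re.compile(r"OperationFailedException: (.*highestCommittedUSN.*)$")
BIND_ERROR = re.compile(r"LDAP: error code 49 .*?data ([0-9a-fA-F]+),")

def find_usn_sync_failures(log_text):
    """Return one dict per failed directory sync whose cause mentions highestCommittedUSN."""
    failures, current = [], None
    for line in log_text.splitlines():
        poll = POLL_ERROR.search(line)
        if poll:  # a new poller error starts a new candidate event
            current = {"time": poll.group(1), "directory_id": poll.group(2),
                       "usn_error": None, "bind_subcode": None, "bind_meaning": None}
            continue
        if current is None:
            continue
        usn = USN_ERROR.search(line)
        if usn and current["usn_error"] is None:
            current["usn_error"] = usn.group(1).strip()
            failures.append(current)  # only highestCommittedUSN failures are reported
        bind = BIND_ERROR.search(line)
        if bind and current["bind_subcode"] is None:
            code = bind.group(1).lower()
            current["bind_subcode"] = code
            current["bind_meaning"] = AD_BIND_SUBCODES.get(code, "unknown sub-code")
    return failures

if __name__ == "__main__":
    for event in find_usn_sync_failures(SAMPLE_LOG):
        print(event)
```

Run it against atlassian-jira.log or atlassian-confluence.log by passing the file contents to find_usn_sync_failures; the directory_id in each result identifies which user directory to reconfigure.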