This is not only in Crowd but in our other Atlassian products, too. I can't authenticate via our LDAP; getting very vague errors. Is there a way to restore a local administrator account or otherwise get into Crowd through a back door, so I can test or fix the configuration? I have full access to the server and the database.
Hello @Trevor Wood
Maybe there is a problem with your user directory configuration. Here is an example for configuring user directories in Jira: https://confluence.atlassian.com/adminjiraserver/configuring-user-directories-938847049.html
Were you able to authenticate before? If so, check for all the recent changes in the environment.
Thank you for the reply!
Yes, this configuration was working. The only thing we know changed is the previous cert on the server expired, but we thought it was replaced properly. The web-facing side of things does show the updated cert.
Under the User Directory setting, there is a test option. Have you tried the test to see if that works? Can you paste the logs if you see any error? On which Atlassian product did the previous cert expire and get renewed?
Unfortunately, I can't get that far, since the User Directories page is behind authentication and I can't authenticate. We have a CentOS server which has Crowd, Bamboo, Confluence, Jira, and Bitbucket running on it. The db is on another server running MySQL. The LDAP I'm trying to authenticate from is Active Directory.
Crowd log excerpt:
2022-02-08 14:44:04,690 http-nio-8095-exec-6 ERROR [jdbc.batch.internal.BatchingBatch] HHH000315: Exception executing batch [java.sql.BatchUpdateException: Duplicate entry '[redacted]' for key 'uk_token_id_hash'], SQL: insert into cwd_token (directory_id, entity_name, random_number, identifier_hash, random_hash, created_date, last_accessed_date, last_accessed_time, duration, id) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
2022-02-08 14:44:04,691 http-nio-8095-exec-6 ERROR [engine.jdbc.spi.SqlExceptionHelper] Duplicate entry '[redacted]' for key 'uk_token_id_hash'
2022-02-08 14:44:05,597 http-nio-8095-exec-7 ERROR [crowd.manager.application.ApplicationServiceGeneric] Directory '[redacted]' is not functional during authentication of '[redacted]'. Skipped.
Here's a line from the Jira log:
atlassian-jira.log:2022-02-08 14:44:05,687-0500 http-nio-8080-exec-1 ERROR anonymous 883x26x1 69m0nt 172.17.0.21,127.0.0.1 /rest/gadget/1.0/login [c.a.j.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user...
You can use the local admin account (non-AD) of Jira or other products to log in and explore the settings.
Admin account worked! Still having trouble but at least I can get to the User Directories area. For the test, most turned green, but this was an error at the bottom:
Test user can authenticate : Failed
Good news that you are able to log in with your admin account. I know this PKIX error. This is because your products are missing the intermediate (chain) certificate in the JDK cacerts file. Importing the chain certificate to the JDK's cacerts file will fix the issue.
Refer to this link: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html
We are back up and connected. I believe it started working after we ran 'update-ca-trust extract' with the intermediate and chain certs in the anchors directory. Had to do a restart of each app.
I guess the cacerts file that java used was not updated when we first updated the certs.
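The failure diagnosed in this thread, reproduced offline as an added example (not from the thread or from Atlassian): a trust store holding only the root CA rejects a leaf certificate issued by an intermediate, and accepts it once the intermediate is added. It uses `openssl verify` as a stand-in for Java's PKIX path check, and every certificate name and file path in it is constructed.

```shell
#!/bin/sh
# Added example. Every subject name and path below is constructed.

# make_chain DIR: create root CA -> intermediate CA -> leaf certificate in DIR.
make_chain() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
    openssl req -x509 -config "$d/o.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/o.cnf" -extensions ca \
        -out "$d/int.pem" 2>/dev/null
    openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# trusts STORE CERT: succeed only if CERT chains to a root in STORE.
# Only CERT is presented, as when a server sends no intermediate.
trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# demo: check the leaf against a stale store, then against the repaired one.
demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d"
    cp "$d/root.pem" "$d/store.pem"        # stale store: root CA only
    if trusts "$d/store.pem" "$d/leaf.pem"; then a=OK; else a=FAIL; fi
    cat "$d/int.pem" >> "$d/store.pem"     # repair: add the intermediate
    if trusts "$d/store.pem" "$d/leaf.pem"; then b=OK; else b=FAIL; fi
    rm -rf "$d"
    echo "root-only=$a root+intermediate=$b"
}

demo
```

On the real server, the equivalent comparison is between the chain the LDAPS endpoint presents and the contents of the cacerts file the JVM actually loads.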