Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Un-licenses AD users can no longer send emails to Portal.

Jeff Melies
Jeff Melies December 27, 2022

We recently changed from using only an Internal User Directory to an Active Directory User Directory, now we have users that are emailing a Service Portal but not all the emails are being processed, some are showing an error in the logs that read:

username : A user with that username already exists.

Our setup:
In AD our team has our own OU (lets call it A-Team), inside of that OU we have another OU for only our groups (lets call that A-Groups), and we have a single group called jira-users.
So our User Directory looks like:
- Base DN: DC=someorg.net
- Additional User DN: OU=Users  (We need all active users available to our user select lists)
- Additional Group DN: OU=A-Team,OU=A-Groups

This is working well for provisioning users.
The problem lies when we have active employees email JSM (obviously all employees are in AD and have been brought down to Jira).

Look at these scenarios:

  1. If the employee is in AD, has a Jira license, has never logged into Jira the email is refused (username : A user with that username already exists.)
  2. If the employee is in AD, has a Jira license, has logged into Jira once the email is processed as expected.
  3. If the employee is in AD, does not have a Jira license, and has never logged into Jira the email is refused (username : A user with that username already exists.)

We need every employee to be able to email the Portal and create issues, can anyone tell me where we made our mistake?  
Also, the only names that are appearing in our User Select List are employees that have logged in, the other users that are in AD but not jira-users group are not appearing in the select list.

 

 

Comment
Watch
Like Be the first to like this
1787 views

3 comments

Comment

Log in or Sign up to comment
Joseph Chung Yin
Joseph Chung Yin
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
December 27, 2022

@Jeff Melies -

In your DC env, what is your JSM project's  "Customer Permissions" configuration setup as?

In addition, the error message is indicating the users already have an account in your env.  Does your previous internal users directory already have the same users accounts defined?

Please advise.

Best, Joseph Chung Yin

Jira/JSM Functional Lead, Global Infrastructure Applications Team

Viasat Inc.

Like
Reply
Jeff Melies
Jeff Melies December 27, 2022

Thank you for the quick response Joseph.

The Customer permissions setting are: Anyone can email the service project or raise a request in the portal
For your second question, the users used to exist in the Internal directory but have been deleted so that the AD User Directory user would be used.  This might not be the case in all instances because we onboard new users daily, but even these users appear in the AD User Directory either with or without a license......however they will not be able to email the JSM portal now (I say 'now' because now they appear in a user directory) because they get the error displayed above, until they log into Jira once then the email will process as usual.

Like
Joseph Chung Yin
Joseph Chung Yin
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
December 27, 2022

@Jeff Melies -

So, all of your users (JSM customers) are also Jira users?  Your AD group have been setup in your JSM projects with the ServiceDesk Customers role?

Lastly, take a look at the following documentation in regards to directory setup - https://confluence.atlassian.com/adminjiraserver/migrating-users-between-user-directories-938847059.html

Best, Joseph

Like
Jeff Melies
Jeff Melies December 28, 2022

No Joseph not every user within jira-users owns a JSM license, and not every customer is a Jira user. 

  • We have JSM customers that don't have licenses and are located in the Internal user directory (both employees and non-employees) that use the portal.
  • We have employees that have a Jira license, in AD User Directory that use the Portal.
  • We also have employees that are in jira-users and service-desk-agents groups, in the AD User Directory that use the Portal. 

We are only a couple weeks into the new AD User Directory.  Currently only 2 groups are in AD (jira-users & confluence-users) all other user groups are handled by the Jira Administrators within Jira until we get these few kinks worked out then we will start moving more into AD.

Like
Joseph Chung Yin
Joseph Chung Yin
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
December 28, 2022

@Jeff Melies -

Sorry for not making my ask clearer.  Access to JSM (as customers) doesn't require licenses for both Jira Software/JSM agents.  So, all "customers" can access JSM via the portal UI and create issues in JSM projects if it is configured.  On the other hand, access to Jira software application does required a full Jira license.

Can you take a look at your Jira administration > Applications > Jira Service Management > Email requests setup?  What do you have for "Customer account creation" configured as?

Best, Joseph

Like
Jeff Melies
Jeff Melies December 28, 2022

Sorry that took so long to get back with you, to answer your question:
Yes, both agents and customers can create new customers only if the service project allows public signup

Like
Jeff Melies
Jeff Melies December 28, 2022

Something else that I find puzzling is, when I look at the 'Mail Audit Logs' for this project and locate a user that has the error "username : A user with that username already exists.", then go into the project -> People the user is listed, I can also click the username (link) and it will take me to the Jira 'ViewProfile' page for the user.  So I don't understand why this user can't send an email to the Portal any longer and have it processed.

Like
Charles Pikscher
Charles Pikscher
Contributor
December 27, 2022

What is the order of directories in the User Directories screen?  AD should be above internal so it is used if the same user name exists in both directories.

Like Wim Abts likes this
Reply
Jeff Melies
Jeff Melies December 28, 2022

Thank you for chiming in Charles, I did have the AD directory below the Internal and have changed them around so that the AD is at the top now.

I was to the understanding that we wanted the internal at the top, but either way there are no duplicates between them, I used the API endpoints from this document to verify.

(During migration of the AD User directory if the user existed in both, we added the AD user into the same groups as the Internal user, then removed the Internal user.)

Like
Jeff Melies
Jeff Melies December 28, 2022

Lets take a look at these two users:
twoUsers.png

  • User 1 will get an error when they email our JSM Portal saying (username : A user with that username already exists), even if we add this user to the jira-users group.
  • User 2 sends the same email to the JSM Portal and it'll get processed as expected because they have logged in at least once.
  • If a user doesn't exist in the Internal or AD user directory, the email gets processed as expected and a user will be created in the Internal User directory.
Like
Reply
groups-icon
Data Center
TAGS
AUG Leaders

Atlassian Community Events

    See all events