Jira Authentication failed over LDAP with Deny logon from policy

Alin Ghita April 16, 2013

Hello everyone

I have a problem with users authenticating in JIRA if they have a policy set up in AD to authenticate only on their own computers.
The users that have the ability to log on to all the computers in the domain have no problem logging into JIRA.
The others cannot log in to JIRA at all.

Here are the error lines:
2013-04-09 12:30:38,058 http-bio-8080-exec-12 anonymous 750x8387x1 75mz6v 10.2.32.12 /rest/gadget/1.0/login login : 'xxx' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2013-04-09 12:30:38,064 http-bio-8080-exec-12 anonymous 750x8387x1 75mz6v 10.2.32.12 /rest/gadget/1.0/login The user 'xxx' has FAILED authentication. Failure count equals 4

Also, when testing over the AD : Test user can authenticate=Failed

It is not a group policy; it's an internal policy that specifies that each user is allowed to log on only to the computer that he uses (done via user configuration in Active Directory Users and Computers -> Account -> Log On To).

Microsoft Windows Server 2003 Active Directory (LDAP v3);

Example: There are users that work in the IT department, users created in AD, that can log in to JIRA without problems. These users do not have this policy. The other users, from other departments, like Sales, who are limited by the local policy to log on only to a designated workstation, cannot log in to JIRA.

If the local policy is disabled for these users, they can log in to JIRA without problems.
There is no problem for the Administrator account created in the Internal Directory.

First I thought that if I granted the user from Sales (J1) the right to log in to JiraServer it would solve the problem, but it seems it does not.

I also found another workaround, unfortunately not acceptable: give logon permission to user J1 to the DC. If we give the user access to log on to the domain controller, then they will be able to log in to Jira also.

So, I have 2 workarounds for this, both of them unacceptable so far. I have been advised to ask here, on Answers, as Atlassian cannot reproduce this scenario:

As the ticket described, the standard protocol of LDAP does not read the "log on to..." information, and by missing this information, I believe it hits the limitation encountered by you. We have also tried to replicate the problem and find a workaround, but due to the nature of this problem with multiple third-party configurations, we were not able to get a valid workaround for your case. Furthermore, as mentioned, this is out of scope for support, as you have determined that this issue is related to the applied policy, which is all configured in third-party applications.

Has anyone run into the same problem before? Or does anyone have any clues?

Thank you,

Alin Ghita

2 answers

1 vote
Alin Ghita April 17, 2013

Hi Septa,

Thank you for your answer. I already saw that page. I was hoping that someone had found a solution between 2008 and the present.

I will leave this discussion open, maybe there is someone who did find a viable solution.

1 vote
Septa Cahyadiputra
April 17, 2013

Hi Alin,

It seems that you have encountered a known bug which is derived from Crowd here:

https://jira.atlassian.com/browse/CWD-904

Sorry for the bug and I hope this information clarifies your doubts on this issue.
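
An added example (not from the thread or from Atlassian) for diagnosing the failure discussed above: it decodes the sub-code Active Directory appends to a rejected LDAP bind and lists accounts whose userWorkstations ("Log On To") value omits the domain controller serving the bind. The sample error string, account names and host names are constructed, and checking against the DC's own name is an assumption based on the behaviour reported in the question.

```python
import re

# Sub-codes AD appends ("data NNN") to LDAP result 49 on a failed bind.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def decode_bind_error(message):
    """Return the meaning of the AD sub-code in an LDAP bind error, or None."""
    m = re.search(r"\bdata\s+([0-9a-fA-F]+)\b", message)
    return AD_BIND_SUBCODES.get(m.group(1).lower()) if m else None

def allowed_workstations(user_workstations):
    """Parse userWorkstations (comma-separated names); empty set = unrestricted."""
    return {n.strip().upper() for n in (user_workstations or "").split(",") if n.strip()}

def blocked_by_logon_to(entries, dc_name):
    """List accounts whose 'Log On To' list is set but omits the DC serving the bind.

    Assumption: the DC evaluates the restriction against its own name, which
    matches the question (adding JiraServer did not help, adding the DC did).
    """
    dc = dc_name.upper()
    return [e["sAMAccountName"] for e in entries
            if (ws := allowed_workstations(e.get("userWorkstations"))) and dc not in ws]

# Constructed sample data: the error text, host names and accounts are hypothetical.
SAMPLE_ERROR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                "comment: AcceptSecurityContext error, data 531, v1db1]")
SAMPLE_USERS = [
    {"sAMAccountName": "it_user"},  # no restriction set
    {"sAMAccountName": "sales_a", "userWorkstations": "SALES-PC07"},
    {"sAMAccountName": "sales_b", "userWorkstations": "SALES-PC07,JIRASERVER"},
    {"sAMAccountName": "sales_c", "userWorkstations": "SALES-PC07,DC01"},
]

if __name__ == "__main__":
    print(decode_bind_error(SAMPLE_ERROR))
    print(blocked_by_logon_to(SAMPLE_USERS, "dc01"))
```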
