Jira Authentication failed over LDAP with Deny logon from policy

Hello everyone

I have a problem with users authenticating in JIRA if they have a policy set up in AD to authenticate only on their own computers.
The users that have the ability to logon on all the computers in the domain have no problem logging into JIRA.
The others, cannot login at all in JIRA.

Here is the error line:
2013-04-09 12:30:38,058 http-bio-8080-exec-12 anonymous 750x8387x1 75mz6v /rest/gadget/1.0/login login : 'xxx' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2013-04-09 12:30:38,064 http-bio-8080-exec-12 anonymous 750x8387x1 75mz6v /rest/gadget/1.0/login The user 'xxx' has FAILED authentication. Failure count equals 4

Also, when testing over the AD : Test user can authenticate=Failed

It is not a group policy, it’s an internal policy that specifies for each user to be allowed to log on only to the computer that he uses (done via user configuration in Active Directory Users and Computers->Account->Log On To);

Microsoft Windows Server 2003 Active Directory (LDAP v3);

Example: There are users that work in the IT department, users created in AD, that can log in to JIRA without problems. These users do not have this policy. The other users, from other departments, like Sales, who are limited by the local policy to log on only on a designated workstation, cannot log in to JIRA.

If the local policy is disabled for these users, they can login without problems in JIRA.
There is no problem for the Administrator account created in the Internal Directory.

First I thought if I grant the user from Sales (J1) the right to login to JiraServer it will solve the problem, but it seems it does not.

I also found another workaround, unfortunately not acceptable: give logon permission to user J1 to the DC. If we give access to the user to log on to the domain controller then it will be able to log in to Jira also.

So, I have 2 workarounds for this, both of them unacceptable till now. I have been advised to ask here, on Answers, as Atlassian cannot reproduce this scenario:

As the ticket described, the standard protocol of LDAP does not read the "log on to..." information, and by missing this information, I believe it hits the limitation encountered by you. We have also tried to replicate the problem and tried to find a workaround, but due to the nature of this problem with multiple third party configurations, we were not able to get a valid workaround for your case. Furthermore, as mentioned, this is out of scope for support, as you have determined that this issue is related to the policy applied, which is all configured on third party applications.

Has anyone run into the same problem before? Or does anyone have any clues?

Thank you,

Alin Ghita

2 answers

Hi Alin,

It seems that you have encountered a known bug which is derived from Crowd here:


Sorry for the bug, and I hope this information clarifies your doubts on this issue.

Hi Septa,

Thank you for your answer. I already saw that page. I was hoping for someone to find a solution from 2008 until present.

I will leave this discussion open, maybe there is someone who did find a viable solution.
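
For anyone diagnosing the failure described in this thread, the following is an added example (not code from the thread, Atlassian, or Crowd). It decodes the Win32 sub-code that Active Directory places in the diagnostic text of a rejected LDAP bind and evaluates a "Log On To" list, which AD stores in the `userWorkstations` attribute, against a host name. The sample message and the host names `SALES-PC07` and `DC01` are constructed; treating the domain controller as the logon workstation for a simple bind is an assumption that matches the second workaround in the question.

```python
import re

# Win32 logon error codes that Active Directory embeds (in hex) after "data"
# in the diagnostic message of a failed LDAP bind (resultCode 49).
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_error(message):
    """Return (subcode, meaning) for an AD bind diagnostic, or (None, None)."""
    m = _DATA_RE.search(message)
    if not m:
        return None, None
    code = int(m.group(1), 16)
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def workstation_allowed(user_workstations, host):
    """Evaluate a userWorkstations value (comma-separated computer names).

    An empty or missing value means the account may log on anywhere.
    """
    if not user_workstations:
        return True
    allowed = {n.strip().upper() for n in user_workstations.split(",") if n.strip()}
    return host.upper() in allowed


# Constructed sample of the text AD attaches to a rejected simple bind.
SAMPLE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
          "AcceptSecurityContext error, data 531, vece]")

if __name__ == "__main__":
    print(classify_bind_error(SAMPLE))
    # Assumption: the bind is evaluated as a logon at the DC (hypothetical DC01),
    # so a list holding only the user's own PC rejects it.
    print(workstation_allowed("SALES-PC07", "DC01"))
```

A sub-code of 531 in the directory connection error separates a workstation restriction from a wrong password (52e), which the Jira log lines quoted in the question do not distinguish.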
