Some users are unable to login due to Active Directory 'follow referrals' configuration
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Symptoms
After a sync is attempted against Active Directory, some users are unable to log in to Confluence. The following exception appears in the logs:
Caused by: javax.naming.CommunicationException: DomainDnsZones.example.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:74)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:339)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:208)
... 19 more
Other root exceptions can be:
javax.naming.PartialResultException
java.net.UnknownHostException
Description
Active Directory servers are integrated with DNS and maintain their own entries in the DNS server. At the root of their LDAP tree they publish referrals that point back at themselves by DNS name (DomainDnsZones.example.com in the trace above). If the JIRA (or Crowd, or Confluence) server is pointed at the root of the LDAP tree and "Follow Referrals" is turned on (the default), then:
Confluence searches for users.
The AD server responds with the users it holds plus the referral stored at the root of the LDAP tree, because more users could exist under the referred partition.
Confluence follows the referral. This results in:
a DNS lookup for the host named by the referral, which is derived from the base DN (dc=example,dc=com means a lookup for example.com, or a sub-zone of it such as DomainDnsZones.example.com), and
a connection to port 389 (LDAP) or 636 (LDAPS) on that host, which is the same Active Directory server.
Confluence continues and reads the rest of the objects in the domain as normal.
Diagnosis
To confirm that this is the cause:
Turn off 'Follow Referrals' in the 'Advanced Settings' section of your User Directory configuration.
Connect to the root DN of your LDAP server and run a sync.
If the errors no longer appear in the logs, the directory contents are fine and the problem is that the referral target cannot be resolved or reached from the Confluence server, i.e. a DNS error.
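The following script is an added example, not Atlassian code and not part of the original article. It reproduces the two halves of the diagnosis outside Confluence: it pulls the referral-related exceptions out of a log excerpt, works out which host and port a JNDI client would contact for a given referral URL (including the case where the URL carries no host and the name must be derived from the base DN, as described above), and then checks whether that name resolves and the port accepts a connection from the machine the script runs on. The log lines, host names and the referral URLs are constructed for illustration; the resolver and connect steps are injectable so the logic can be exercised offline and swapped for real DNS and TCP on a live server.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample log excerpt (not captured from a real system) covering the three
# root exceptions the article lists for a referral that cannot be followed.
SAMPLE_LOG = """\
Caused by: javax.naming.CommunicationException: DomainDnsZones.example.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]
Caused by: javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=example,dc=com'
Caused by: java.net.UnknownHostException: ForestDnsZones.example.com
"""

COMM_RE = re.compile(r"javax\.naming\.CommunicationException: (?P<host>[^\s:\[]+):(?P<port>\d+)")
UNKNOWN_RE = re.compile(r"java\.net\.UnknownHostException: (?P<host>[\w.-]+)")
PARTIAL_RE = re.compile(r"javax\.naming\.PartialResultException")


def dn_to_dns_name(dn):
    """Join the dc= components of a DN into the DNS name it implies: dc=example,dc=com -> example.com."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip())
    return ".".join(labels)


def referral_target(referral_url):
    """Return (host, port) a JNDI client would contact for an LDAP referral URL.
    A URL with no host part (ldap:///dc=example,dc=com) falls back to the DN's dc components.
    urlsplit lowercases the host, which is harmless because DNS names are case-insensitive."""
    parts = urlsplit(referral_url)
    default_port = 636 if parts.scheme == "ldaps" else 389
    if parts.hostname:
        return parts.hostname, parts.port or default_port
    return dn_to_dns_name(parts.path.lstrip("/")), default_port


def referral_failures_in_log(text):
    """Extract (kind, host) pairs for the referral-related exceptions in a log excerpt."""
    found = []
    for line in text.splitlines():
        m = COMM_RE.search(line)
        if m:
            found.append(("connect_refused", m["host"]))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            found.append(("unknown_host", m["host"]))
            continue
        if PARTIAL_RE.search(line):
            found.append(("partial_result", None))
    return found


def check_referral(referral_url, resolve=socket.gethostbyname, connect=None, timeout=3.0):
    """Classify what would happen if 'Follow Referrals' were enabled for this referral:
    'dns' (name does not resolve here -> UnknownHostException), 'connect' (resolves but the
    port is unreachable -> ConnectException) or 'ok'. resolve/connect are injectable so the
    logic can run offline; the defaults use the host's real DNS and a plain TCP connect."""
    host, port = referral_target(referral_url)
    result = {"host": host, "port": port}
    try:
        address = resolve(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        result.update(status="dns", detail=str(exc))
        return result
    if connect is None:
        def connect(addr, prt):
            with socket.create_connection((addr, prt), timeout=timeout):
                return True
    try:
        connect(address, port)
    except OSError as exc:
        result.update(status="connect", address=address, detail=str(exc))
        return result
    result.update(status="ok", address=address)
    return result


if __name__ == "__main__":
    # Run on the Confluence host to test the real resolver and network path.
    print(referral_failures_in_log(SAMPLE_LOG))
    for url in ("ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com",
                "ldap:///dc=example,dc=com"):
        print(check_referral(url))
```

Run it on the Confluence server itself, because the point of the check is whether that machine's resolver can see the AD-integrated DNS zone; a 'dns' result for the referral host while the base DN host resolves matches the "not using the same DNS server as Active Directory" cause described in this article.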
Cause
JIRA, Crowd or Confluence cannot perform a DNS lookup on the referral published at the AD server's root. Problems like this are most commonly caused by the server that JIRA is running on not using the same DNS server as the Active Directory server, so the DNS names that AD registers for itself are unknown to it.
Solution
Resolution
Fixing a DNS Configuration Issue
Configure the server that Confluence is running on to use the DNS server that the Active Directory server is integrated with.
Double-check whether the DNS server address was changed recently. If the DNS server still holds a stale record for the Confluence host, delete that record so that lookups resolve correctly.
If this is not possible, disable 'Follow Referrals'.
What are the implications of disabling 'Follow Referrals'?
If you only have one domain, there should be no adverse effects.
If you have multiple domains joined in a Forest, then any cross-domain memberships will not be resolved, so users whose Confluence permissions come from a group in another domain will lose those permissions.
If you must have cross-domain memberships and you can't fix the DNS issues, then you can point Confluence at your Global Catalog (normally port 3268, or 3269 over SSL). This is read-only, but it does contain all users, groups, and memberships from across your Forest. Talk to your AD admin for Global Catalog connection details.