Crowd login fails when running two Crowd instances on the same domain
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
It is always good practice to have a Production environment as well as a Test/Staging/Dev environment. If you happen to have two Crowd instances running in the same domain, crowd.example.com and crowd-dev.example.com, you might notice that you are able to log in to one instance but not the other.
The symptom is that you log in to Crowd Production and everything looks good, but when you try to log in to Crowd Dev it keeps redirecting back to the login page.
Diagnosis
Environment
Crowd Production: crowd.example.com
Crowd Dev: crowd-dev.example.com
Diagnostic Steps
To investigate the issue, check the following:
Capture a HAR file to check whether the request is reaching the server.
Next, check in the response from the login action that you are getting a JSESSIONID and a crowd.token_key cookie.
Try to log in with wrong credentials; you should get an Invalid Login error. This verifies that you are able to reach the server and that the Crowd server is working as intended.
Enable DEBUG logging on Crowd.
⚠️ Please note that this logging is super noisy and will quickly fill up your log files. Make sure to disable it once you identify the issue.
In the logs, you will notice the following cookies being sent by the browser:
2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: JSESSIONID / 28A6DF056DF1DBD3336BBA69DEBFBCBF
2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.token_key / DTMlYimNr0HHwyI8p0xmyA00
2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.token_key / nA6uRsJ4Li63eeb64atVDg00
2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: AWSALB / /eldlBkVmsHOtghOKOrvFAN6nObMEBCji2dXBvWo7EVY2P6e6lo1aj9yef4IEvP5XVdrqwC1480b+n3v9uutkmTL6ixPmeCKG2dBY5XcaZT6wQLMr/c8TLe/CKWD
Cause
As the logs above show, you have two crowd.token_key cookies in your browser. The browser, in this case, will get confused as to which cookie to select since both the Production and Dev instances belong to the domain example.com, and that causes the redirection to the login page on the Dev instance.
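An added example (not part of the original article or Atlassian's code): a Python script that scans Crowd DEBUG log lines in the format shown above and reports any cookie name sent more than once in the same request. The names find_duplicate_cookies and SAMPLE_LOG are hypothetical, the sample lines are constructed, and treating lines with the same timestamp and thread as one request is an assumption.

```python
import re
from collections import Counter, defaultdict

# Matches the DEBUG lines written by CrowdHttpTokenHelperImpl:
# "<date> <time>,<ms> <thread> DEBUG [...] Cookie name/value: NAME / VALUE"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<thread>\S+) DEBUG \[[^\]]*CrowdHttpTokenHelperImpl\] "
    r"Cookie name/value: (?P<name>\S+) / (?P<value>.*)$"
)


def find_duplicate_cookies(lines):
    """Return {(timestamp, thread): {cookie_name: count}} for repeated names.

    Assumption: lines sharing a timestamp and thread belong to one request.
    Only names and counts are returned; token values are never echoed.
    """
    per_request = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # non-cookie log lines are skipped
            per_request[(m["ts"], m["thread"])][m["name"]] += 1
    report = {}
    for key, names in per_request.items():
        dupes = {n: c for n, c in names.items() if c > 1}
        if dupes:
            report[key] = dupes
    return report


# Constructed sample in the same format as the excerpt above (values made up).
PREFIX = "DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value:"
SAMPLE_LOG = [
    f"2017-11-08 13:49:45,544 http-bio-8095-exec-7 {PREFIX} JSESSIONID / AAAA1111",
    f"2017-11-08 13:49:45,544 http-bio-8095-exec-7 {PREFIX} crowd.token_key / prodTok00",
    f"2017-11-08 13:49:45,544 http-bio-8095-exec-7 {PREFIX} crowd.token_key / devTok00",
    f"2017-11-08 13:49:45,544 http-bio-8095-exec-7 {PREFIX} AWSALB / /made/up+value/x",
    f"2017-11-08 13:50:02,101 http-bio-8095-exec-9 {PREFIX} JSESSIONID / BBBB2222",
    f"2017-11-08 13:50:02,101 http-bio-8095-exec-9 {PREFIX} crowd_dev.token_key / devTok01",
    "2017-11-08 13:50:02,102 http-bio-8095-exec-9 INFO [some.other.Logger] unrelated",
]

if __name__ == "__main__":
    for (ts, thread), dupes in find_duplicate_cookies(SAMPLE_LOG).items():
        for name, count in dupes.items():
            print(f"{ts} {thread}: cookie {name!r} sent {count} times")
```

The second request in the sample uses a renamed SSO cookie and is not flagged, which is the state expected after Resolution 1.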
Solution
Resolution
You can resolve this problem using one of the suggestions below:
Resolution 1 - Change the crowd token cookie name
Since we have a duplicate cookie name belonging to the same domain, we need to specify a different Crowd token cookie name for the Dev instance. To do that, follow the steps below:
Log in to the Dev instance using the IP and port http://1.2.3.4:8095/crowd
Go to Settings -> General
Change the SSO Cookie name from the default value crowd.token_key to crowd_dev.token_key, or any other name that is different from the one used by the Production instance
Update the settings
You should be able to log in successfully to both the Production and Dev instances without any problems
Resolution 2 - Move Dev instance to a different domain
You can also change the Crowd Dev domain to something other than example.com in order to avoid this issue. You could configure it as crowd.dev.example.com, and that would not confuse the browser as the Crowd Dev domain is now dev.example.com.