Crowd user authentication fails with 'Directory 'X' is not functional during authentication' error

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Scenario 1

Users are unable to authenticate and the following appears in the atlassian-crowd.log:

2013-07-11 18:22:14,227 http-8495-5 ERROR [crowd.manager.application.ApplicationServiceGeneric] Directory 'example directory' is not functional during authentication of 'example user'. Skipped.
2016-07-14 18:51:14,893 http-bio-80-exec-22 ERROR anonymous 1130x260x2 zvck2 10.14.149.99 /login.jsp [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'example user'.
com.atlassian.crowd.exception.runtime.OperationFailedException
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:922)
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:81)
    at com.atlassian.crowd.embedded.core.DelegatingCrowdService.authenticate(DelegatingCrowdService.java:37)
    at com.atlassian.crowd.embedded.core.FilteredCrowdServiceImpl.authenticate(FilteredCrowdServiceImpl.java:51)
    at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:91)
    at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:55)
    ...
Caused by: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ExampleDNS.come.ad:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:385)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
    at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$4.timedCall(SpringLdapTemplateWrapper.java:198)
    at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$4.timedCall(SpringLdapTemplateWrapper.java:195)
    at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:89)
    at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.search(SpringLdapTemplateWrapper.java:195)
    at com.atlassian.crowd.directory.SpringLDAPConnector.pageSearchResults(SpringLDAPConnector.java:405)
    at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:476)
    at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:459)
    at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:679)
    at com.atlassian.crowd.directory.SpringLDAPConnector.findUserWithAttributesByName(SpringLDAPConnector.java:628)
    at com.atlassian.crowd.directory.SpringLDAPConnector.findUserByName(SpringLDAPConnector.java:614)
    at com.atlassian.crowd.directory.SpringLDAPConnector.authenticate(SpringLDAPConnector.java:1098)
    at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticateAndUpdateOrCreate(DelegatedAuthenticationDirectory.java:216)
    at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticate(DelegatedAuthenticationDirectory.java:186)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:283)
    at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:194)
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:69)
    ... 94 more
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ExampleDNS.come.ad:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
    at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
    at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:365)
    ... 112 more
Caused by: javax.naming.CommunicationException: DomainDnsZones.corp.ad.cginet:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
    at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
    at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
    at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
    ... 114 more
Caused by: java.net.ConnectException: Connection timed out: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)

Scenario 2

In Jira, random users get a "504 Gateway Time-out" error message. If Jira is running in a Data Center environment and a specific node is unable to reach the LDAP server, users get the same 504 error message whenever the load balancer redirects them to this problematic node.

In the atlassian-jira.log, the following errors appear repeatedly:

2023-07-06 10:30:17,219+0000 http-nio-8081-exec-15 ERROR - [c.a.j.web.servlet.InternalServerErrorServlet] Cannot render the 500 page for error 74e82f7f-eaa5-4114-96ca-4cbdc45e6436
com.google.common.util.concurrent.UncheckedExecutionException: com.atlassian.crowd.exception.runtime.OperationFailedException
    at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2050)
    at com.google.common.cache.LocalCache.get(LocalCache.java:3952)
    ...
Caused by: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: ldap.domain.name:636; nested exception is javax.naming.CommunicationException: ldap.domain.name:636 [Root exception is java.net.ConnectException: Connection timed out]
    at org.springframework.transaction.compensating.support.AbstractCompensatingTransactionManagerDelegate.doBegin(AbstractCompensatingTransactionManagerDelegate.java:90)
    ...
Caused by: java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
    at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:427)
    at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:88)
    at com.atlassian.crowd.directory.ssl.LdapHostnameVerificationSSLSocketFactory.createSocket(LdapHostnameVerificationSSLSocketFactory.java:78)
    ... 2 filtered
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:328)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)

Cause

This occurs when an OperationFailedException is thrown while attempting to authenticate a user. This exception is typically thrown when an operation on the remote directory fails for some reason. For example:

  1. General network errors (e.g. unable to route to the LDAP server due to DNS, firewall, slow network speeds)

  2. The external user directory is offline

  3. The external user directory is unreachable

  4. LDAP errors

  5. Intermittent timeouts, which can make the problem occur sporadically.

Resolution

  1. Double-check the external user directory and ensure it is online.

  2. Test the network connection to the external user directory (e.g. the LDAP server domain) using the URL defined in Crowd and ensure Crowd can resolve it.

    ping ldap.domain.name/ip-address
    telnet ldap.domain.name/ip-address port

    1. ⚠️ If not, then work with your network team to correct the path. As a temporary measure, the IP address of the server housing the external user directory can be used.

  3. If the issue persists, add the DEBUG log level for the com.atlassian.crowd.manager.application.ApplicationServiceGeneric package (see Logging and Profiling for detailed instructions on how to do that), and check the logs for any errors, exceptions or otherwise.

  4. If you're still unable to resolve the problem, contact support with the log folder with increased log levels (from #3) after the issue occurs.

  5. Set the timeout to a large number as per Setting Properties and Options on Startup:

    -Dcom.sun.jndi.ldap.connect.timeout=50000

    ℹ️ More information about the connect timeout can be found in Oracle's Setting Timeout for Ldap Operations documentation.
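
The connectivity check from step 2, as an added example (not from the original article or from Atlassian): it extracts every host:port that javax.naming.CommunicationException names in the log, which in Scenario 1 includes a referral target reached through LdapReferralException and not only the configured directory URL, then tests DNS resolution and a TCP connect for each. The function names, SAMPLE_LOG and the example.test hostnames are constructed for illustration.

```python
import re
import socket
from collections import Counter

# Constructed sample modelled on the traces above; hostnames are placeholders.
SAMPLE_LOG = """\
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: referral.example.test:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
Caused by: javax.naming.CommunicationException: referral.example.test:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
nested exception is javax.naming.CommunicationException: ldap.example.test:636 [Root exception is java.net.ConnectException: Connection timed out]
"""

# JNDI prints the endpoint it could not reach right after the exception class.
ENDPOINT_RE = re.compile(r"javax\.naming\.CommunicationException: ([\w.-]+):(\d+)")


def failing_endpoints(log_text):
    """Count every LDAP host:port reported in a CommunicationException."""
    return Counter((host, int(port)) for host, port in ENDPOINT_RE.findall(log_text))


def probe(host, port, timeout=5.0):
    """Classify reachability: 'ok', 'dns-failure', 'timeout' or 'unreachable'."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"  # the name does not resolve from this node
    result = "unreachable"
    for family, socktype, proto, _name, sockaddr in addrs:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(sockaddr)
                return "ok"
            except socket.timeout:
                result = "timeout"  # no answer within the timeout
            except OSError:
                result = "unreachable"  # connection refused or no route
    return result


if __name__ == "__main__":
    for (host, port), hits in failing_endpoints(SAMPLE_LOG).most_common():
        print(f"{host}:{port} seen {hits}x -> {probe(host, port, timeout=3.0)}")
```

In a Data Center cluster, run it on each node against that node's own log, since Scenario 2 shows that a single node can be the only one unable to reach the LDAP server.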

Updated on April 8, 2025
