Logging out intermittently from Crowd Administration Console

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Users logged in to the Crowd Administration Console are intermittently logged out.

Diagnosis

After setting the DEBUG level for class com.atlassian.crowd, you can observe in the log that Crowd does not recognise the auth token as valid:

    2023-11-03 03:50:59,619 http-nio-8095-exec-56 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Unable to find a valid Crowd token.
    2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Checking for a SSO token that will need to be verified by Crowd.
    2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] No request attribute token could be found, now checking the browser submitted cookies.
    2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: JSESSIONID / D9D45FADB5DEC98BE537BD3785181D78
    2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.rememberme.token / Mjg2MDY1MDQ6M2ViMDdhZTRhNWI4ZTViNjQ3ZDUyN2JhZGExYmRlY2M1NTQ5ODdiNDo4MTU3N2MzZDZmNDk5MDAxNzI4YzhkNmIxOTY2OTJlMzMyMjFhMDc2
    ...
    ...
    2023-11-03 03:50:59,619 http-nio-8095-exec-47 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Unable to find a valid Crowd token.
    2023-11-03 03:50:59,622 http-nio-8095-exec-30 INFO [atlassian.crowd.service.TransactionalRememberMeService] Refreshing the remember-me token for series '3eb07ae4a5b8e5b647d527bada1bdecc554987b4' for user 'admin' & directory-id '111111'
    2023-11-03 03:50:59,622 http-nio-8095-exec-30 DEBUG [crowd.dao.rememberme.CrowdRememberMeTokenDAOHibernate] Saving object: InternalCrowdRememberMeToken{id=null, token=d9979aa6d6da461a40275919c931ca56053898f6, username=admin, directoryId=111111, createdTime=2023-11-03T03:42:49.966523, usedTime=null, series=3eb07ae4a5b8e5b647d527bada1bdecc554987b4, remoteAddress=null}
    ...
    ...
    2023-11-03 03:50:59,625 http-nio-8095-exec-38 DEBUG [atlassian.crowd.service.TransactionalRememberMeService] Failed to claim token for series '3eb07ae4a5b8e5b647d527bada1bdecc554987b4'
    2023-11-03 03:50:59,626 http-nio-8095-exec-30 DEBUG [crowd.integration.springsecurity.CrowdAuthenticationProvider] Processing a CrowdRememberMeAuthentication
    2023-11-03 03:50:59,639 http-nio-8095-exec-44 DEBUG [directory.ldap.monitoring.ExecutionInfoNameClassPairCallbackHandler] The operation returned 0 results

Looking at the earlier entries in the log, you can see that the SSO cookie value is correct, but Crowd rejects it with "The token keys don't match":

    2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: JSESSIONID / 0674188C6C21EC60CC0E7F056410E133
    2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.token_key / zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu
    2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Accepting the SSO cookie value: zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu
    2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Existing token value yet to be verified by Crowd: zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu
    2023-11-03 03:49:45,658 http-nio-8095-exec-152 DEBUG [crowd.integration.springsecurity.CrowdAuthenticationProvider] Processing a CrowdSSOAuthenticationToken
    2023-11-03 03:49:45,659 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] validateUserToken: zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu
    2023-11-03 03:49:45,659 http-nio-8095-exec-312 DEBUG [crowd.manager.validation.ClientValidationManagerImpl] Client address: 10.100.0.1
    2023-11-03 03:49:45,659 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] genericValidateToken
    2023-11-03 03:49:45,660 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] genericValidateToken
    2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] checking if the token is expired:
    2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] now: Fri Nov 03 03:49:45 EDT 2023
    2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] last accessed: Fri Nov 03 03:49:42 EDT 2023
    2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] expiry time: Fri Nov 03 05:49:42 EDT 2023
    2023-11-03 03:49:45,660 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] allowed session time (seconds): 7200
    2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] checking if the token is expired:
    2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] now: Fri Nov 03 03:49:45 EDT 2023
    2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] last accessed: Fri Nov 03 03:49:42 EDT 2023
    2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] expiry time: Fri Nov 03 03:50:42 EDT 2023
    2023-11-03 03:49:45,661 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] allowed session time (seconds): 60
    2023-11-03 03:49:45,661 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] includeIpAddressInValidationFactors: true
    2023-11-03 03:49:45,661 http-nio-8095-exec-152 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating random hash for principal: admin
    2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 10.100.0.0
    2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding Random-Number of ValidationFactor[Random-Number=8288645061651178569]
    2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] Current Validation Factors: [ValidationFactor[remote_address=10.100.0.0]]
    2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] comparing existing token Token{identifierHash='EB-JnHPUhM2eb04dytkbQg', lastAccessedTime=1698997782945, createdDate=2023-11-03 02:29:56.615, duration=null, name='admin', directoryId=111111} with a validation token SYw1Rt8jrDN0sR4Zi0qvngAAAAAAAIABc29lLWFkbWlu
    2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl$TokenValidationFailure] Existing token 'zmZrR92xm6IrSnKWUFbv9QAAAAAAAIABc29lLWFkbWlu' for user 'admin' does not match new token 'SYw1Rt8jrDN0sR4Zi0qvngAAAAAAAIABc29lLWFkbWlu' with validation factors 'ValidationFactor[remote_address=10.100.0.0]'
    2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] The token keys don't match
    2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] includeIpAddressInValidationFactors: true
    2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating random hash for principal: production-principal
    2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding Random-Number of ValidationFactor[Random-Number=1959884485844507132]
    2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] Current Validation Factors: []
    2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] comparing existing token Token{identifierHash='pL1RlHUxBh0MyxXdcNGZzg', lastAccessedTime=1698997782129, createdDate=2023-11-01 03:05:08.564, duration=60, name='production-principal', directoryId=-1} with a validation token EGw1sFPhy8JuqxlP-s4PYP__________cHJvZC1zdGFzaA
    2023-11-03 03:49:45,662 http-nio-8095-exec-312 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] returning validated token, with updated last accessed time

Notice in this log that the remote IP changes from remote_address=10.100.0.1 to remote_address=10.100.0.0 between token validation and token generation.
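To check for the same pattern across a longer log file, the following added example (not Atlassian tooling and not part of the original article) scans DEBUG lines for token mismatches and collects the source addresses seen alongside them. The regular expressions assume the message formats shown in the excerpt above; the sample lines are constructed from that excerpt, with TOKEN-A and TOKEN-B as placeholder token values.

```python
import re
from collections import defaultdict

# Message formats assumed from the DEBUG excerpt in this article.
STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} ")
ADDR = re.compile(r"(?:Client address: |Adding remote address of )(\d{1,3}(?:\.\d{1,3}){3})")
FAIL = re.compile(r"Existing token '[^']*' for user '([^']+)' does not match new token "
                  r"'[^']*' with validation factors '(.*)'$")
FACTOR_IP = re.compile(r"remote_address=([0-9.]+)")

# Constructed sample lines; token values replaced by placeholders.
SAMPLE = [
    "2023-11-03 03:49:45,659 http-nio-8095-exec-312 DEBUG [crowd.manager.validation.ClientValidationManagerImpl] Client address: 10.100.0.1",
    "2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 10.100.0.0",
    "2023-11-03 03:49:45,662 http-nio-8095-exec-152 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl$TokenValidationFailure] Existing token 'TOKEN-A' for user 'admin' does not match new token 'TOKEN-B' with validation factors 'ValidationFactor[remote_address=10.100.0.0]'",
]

def analyse(lines):
    """Return ({user: [(timestamp, factor_ip)]}, sorted source addresses seen)."""
    failures, addresses = defaultdict(list), set()
    for raw in lines:
        line = raw.rstrip()
        stamp = STAMP.match(line)
        if not stamp:
            continue  # "..." elisions and wrapped continuation lines
        if (m := ADDR.search(line)):
            addresses.add(m.group(1))
        if (m := FAIL.search(line)):
            ip = FACTOR_IP.search(m.group(2))
            factor_ip = ip.group(1) if ip else None
            failures[m.group(1)].append((stamp.group(1), factor_ip))
            if factor_ip:
                addresses.add(factor_ip)
    return dict(failures), sorted(addresses)

def ip_flapping(lines):
    """True when token mismatches appear together with more than one source address."""
    failures, addresses = analyse(lines)
    return bool(failures) and len(addresses) > 1

if __name__ == "__main__":
    failures, addresses = analyse(SAMPLE)
    print("mismatches:", failures)
    print("source addresses:", addresses, "-> flapping:", ip_flapping(SAMPLE))
```

To run it against a real log, pass an open file object to `analyse` in place of `SAMPLE`.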

Cause

There is a Load Balancer/Proxy configured in front of Crowd, and requests sometimes come from different IP addresses.

Crowd is configured with "Require consistent client IP address" enabled. With this option, authenticated sessions are tied to the IP address they were created from. This means that an attempt to use that session from another machine will fail, which will force mobile clients to reauthenticate when their IP address changes. When disabled, any session can be used from any IP address. You can read more about it in Session configuration.

Solution

Ensure that your Load Balancer/Proxy is added as a trusted proxy server (see Configuring Trusted Proxy Servers).

  1. Log in to the Crowd Administration Console.

  2. In the top navigation bar, click General Configuration > Trusted proxy servers.

  3. Add the IP address or the host name of the proxy server.

In addition, uncheck "Require consistent client IP address" and clear the existing cached tokens, which may be causing a conflict:

  1. Log in to the Crowd Administration Console.

  2. In the top navigation bar, click General Configuration > Session Configuration.

  3. Disable "Require consistent client IP address".

  4. Run the following SQL command to delete any existing tokens from the database for the admin user:

    DELETE FROM cwd_token WHERE entity_name = 'admin';

  5. Clear the browser cache, including cookies.

  6. Restart Crowd.

Updated on March 13, 2025
