Fix Jira Login Issues from userWorkstations Attribute in Active Directory

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

A user can't log in to Jira and sees an "invalid username or password" error even though they're submitting the correct credentials.

The following appears in the atlassian-jira.log:

2014-01-21 11:10:56,188 WARN [http-8090-3] [atlassian.confluence.user.JIRAAuthenticator] authenticate OperationFailedException caught while authenticating user <USER>. You may need to disable the 'Follow Referrals' option in your LDAP configuration.
com.atlassian.crowd.exception.runtime.OperationFailedException
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:915)
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:80)
    at sun.reflect.GeneratedMethodAccessor938.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ldapserver.com:389 [Root exception is java.net.SocketTimeoutException: connect timed out]]
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:295)
    ... 147 more
Caused by: javax.naming.CommunicationException: ldapserver.com:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
    at com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapReferralException.getReferralContext(Unknown Source)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
    ... 154 more
Caused by: java.net.SocketTimeoutException: connect timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor1872.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
    at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(Unknown Source)
    at com.sun.jndi.ldap.pool.Connections.<init>(Unknown Source)
    at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Unknown Source)
    at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
    at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
    at javax.naming.spi.NamingManager.processURL(Unknown Source)
    at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
    at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
    ... 157 more

Diagnosis

Perform an Authentication Test on the directory (go to Admin > User Directories, edit the properties of the directory and select Save and Test). You will see this error in the output:

Test user can authenticate : Failed
Account with name <USER> failed to authenticate: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece\u0000]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece\u0000]

NB: The error contains data 531 - this code means the user is not permitted to log on from this workstation.


Cause

The userWorkstations attribute in Active Directory is used to limit the machines from which a user can log on, by DNS or NetBIOS name. Jira's hostname must be in the list for the user to be able to log in to Jira using their AD credentials.

See this MSDN article for more information.

Solution

Add Jira's hostname to the "userWorkstations" attribute for all Jira users in Active Directory.

The LDAP server's hostname may also need to be added.
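
One way to apply this change in bulk with the ActiveDirectory PowerShell module, as an added example (not Atlassian's own code). The host names and search base are placeholder assumptions; the script only touches accounts that already carry a userWorkstations list, because an empty attribute means the user may log on from any machine and writing a single host into it would confine that user to that host.

```powershell
# Added example: append hosts to userWorkstations for users who already have
# a restriction list. Accounts with an empty attribute are deliberately skipped.
Import-Module ActiveDirectory

# Assumed placeholders: replace with your Jira host (and, if required, the
# LDAP server host) and the OU that holds your Jira users.
$HostsToAdd = @('JIRA-HOST-PLACEHOLDER', 'LDAP-HOST-PLACEHOLDER')
$SearchBase = 'OU=Jira Users,DC=example,DC=com'

function Add-WorkstationEntry {
    param([string]$Current, [string[]]$HostNames)
    # userWorkstations is one comma-separated string of NetBIOS or DNS names.
    $entries = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $missing = @($HostNames | Where-Object { $entries -notcontains $_ })  # case-insensitive
    if ($missing.Count -eq 0) { return $null }          # nothing to change
    return (($entries + $missing) -join ',')
}

# (userWorkstations=*) matches only accounts where the attribute is set.
Get-ADUser -SearchBase $SearchBase -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations |
    ForEach-Object {
        $new = Add-WorkstationEntry -Current $_.userWorkstations -HostNames $HostsToAdd
        if ($null -eq $new) {
            Write-Verbose "$($_.SamAccountName): hosts already allowed"
        } else {
            # -WhatIf reports the intended write without making it; remove it to apply.
            Set-ADUser -Identity $_ -Replace @{ userWorkstations = $new } -WhatIf
            # Emit a before/after record for the change log.
            [pscustomobject]@{
                User = $_.SamAccountName
                Old  = $_.userWorkstations
                New  = $new
            }
        }
    }
```

After applying the change, rerun Save and Test on the user directory to confirm that the data 531 failure is gone for an affected account.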

Updated on June 23, 2025
