User unable to login with you do not have permission error

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: Server と Data Center のみ - この記事は、サーバーおよびデータセンター プラットフォームのアトラシアン製品にのみ適用されます。

問題

When a user tries to log in to error, the error message "You do not have a permission to log in. If you think this is incorrect, please contact your Jira application administrator." is displayed. Additionally, you may observe an error in the atlassian-jira-security.log stating:

USERNAME tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.


ソリューション

Jira 6.4.x and earlier versions:

  1. Log in to your Jira application as a user with the 'Jira Administrators' global permission.
  2. Choose  > System. Select Global Permissions to open the Global Permissions page, which lists all Jira applications global permissions. You could also use the keyboard shortcut: g + g + start typing global permissions.
  3. Check whether the user (or a group that the user is in) has Global Permissions as "Jira applications Users". If the user, or a group that the user is in, does not have the "Jira applications" global permission, the user will not be able to log in and the above error will be displayed.

Jira 7.x and higher versions:

  1. Log in to your Jira application as a user with the 'Jira Administrators' global permission.
  2. Choose  > Applications > Application Access.   In Jira 7, the ability for users to login to the main Jira portal site is no longer managed in the global permissions section.  Instead this is controlled here on the application access page.  The concept is the same as previous versions of Jira.  User accounts still need to be members of the group that grant them access to either Jira Software, Jira Core, or Jira Service Management (for Agents) in order to login.  The difference here is largely in the location of this.
  3. Check whether the group that the user is in has Application Access to the appropriate Jira Application. If the group that the user is in, does not have the any application access, the user will not be able to log in and the above error will be displayed.


Further Troubleshooting

It may be possible there is an issue with Jira's ability to correctly resolve a renamed user - please try the troubleshooting steps in Jira Login fails with "User exists but has no unique key mapping". If this does not resolve the problem, the following steps can assist:


  1. Please set com.atlassian.jira.logincom.atlassian.jira.login.security to DEBUG in Administration > System > Troubleshooting and Support > Logging and Profiling.
  2. Have the user (attempt to) login.
  3. Set those log levels back to the WARN so they don't spam the logs.

How to Read Those Logs

When the extra debugging is enabled, more information will be written to atlassian-jira-security.log. This may contain information such as the following:

2014-07-25 17:34:55,755 http-bio-8080-exec-1 anonymous 1054x18749x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login login : 'captain.planet' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2014-07-25 17:34:55,769 http-bio-8080-exec-1 anonymous 1054x18749x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login The user 'captain.planet' has FAILED authentication.  Failure count equals 1
2014-07-25 17:34:55,770 http-bio-8080-exec-1 anonymous 1054x18749x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login Gadget login called with lastLoginResult : com.atlassian.jira.bc.security.login.LoginResultImpl@276896a0[reason=AUTHENTICATED_FAILED,loginInfo=com.atlassian.jira.bc.security.login.LoginInfoImpl@3a851475[lastLoginTime=1406072369469,previousLoginTime=1405985220323,loginCount=577,currentFailedLoginCount=1,totalFailedLoginCount=101,lastFailedLoginTime=1406273695756,elevatedSecurityCheckRequired=false,maxAuthenticationAttemptsAllowed=3],userName=captain.planet,deniedReasons=[]]

In this example, the user's password is incorrect when accessing Active Directory.

2014-07-25 17:34:27,731 http-bio-8080-exec-25 anonymous 1054x18680x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login The user 'captain.planet' is required to answer a CAPTCHA elevated security check.  Failure count equals 5
2014-07-25 17:34:27,734 http-bio-8080-exec-25 anonymous 1054x18680x1 18b3p1m 172.31.14.93,0:0:0:0:0:0:0:1 /rest/gadget/1.0/login Gadget login called with lastLoginResult : com.atlassian.jira.bc.security.login.LoginResultImpl@fe6b7cc[reason=AUTHENTICATION_DENIED,loginInfo=com.atlassian.jira.bc.security.login.LoginInfoImpl@6ce6b718[lastLoginTime=1406072369469,previousLoginTime=1405985220323,loginCount=577,currentFailedLoginCount=5,totalFailedLoginCount=100,lastFailedLoginTime=1406273667718,elevatedSecurityCheckRequired=true,maxAuthenticationAttemptsAllowed=3],userName=captain.planet,deniedReasons=[com.atlassian.jira.bc.security.login.CaptchaChallengeRequired@3e3ce520[reasonCode=CAPTCHA_CHALLENGE,reasonSpecificProperties={login-url=https://teamwonderland.example.com/login.jsp}]]]

In this example, they failed to enter the CAPTCHA.

The logs will show a reason, that may come with a reason code. They are as follows:

AUTHENTICATION_DENIED

The user is not allowed to even attempt a login.

  • Check if there is a reason code, for exampleCAPTCHA_CHALLENGE indicates they failed the CAPTCHA.
  • Check the account is active (in both Jira and Active Directory).

AUTHENTICATED_FAILED

The user could not be authenticated.

  • Check their login/password.
  • For LDAP users, this could happen when the user is created in Active Directory/LDAP with the setting to change the password on the first login and then the users login to Jira before logging into a different system or Windows and change their password. The resolution would be to request the user to login to another system and change their password or ensure they do not need to reset their password on next login.
  • In Active Directory, the LDAP server is not listed in the Log On To list for the particular user (User Properties > Account > Log On To...). When this option is set for an AD account, it populates the userWorkstations attribute.

    If a specific group of users are having this error consistently, it could be caused by the ldap.user.dn External LDAP users fail to authenticate to Jira server

AUTHORISATION_FAILED

The user could not be authorized.

  • Check they are members of the Jira applications Users Global Permission as per the above.

OK

The login was OK.

  • No action required

説明

When a user tries to log in to error, the error message "You do not have a permission to log in. If you think this is incorrect, please contact your Jira application administrator." is displayed. 

Additionally, you may observe an error in the atlassian-jira.log
製品Jira
プラットフォームサーバー
最終更新日 2020 年 11 月 23 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.