Active Directory auth issues after upgrade

(Jacob Misel) #1

We recently upgraded our Octopus Server to 2019.9.10 LTS from version 2018.9.0.

After the upgrade, we were unable to use the feature “Sign in with a domain account”. We had no issues with this feature before our upgrade.

Any guidance or insight would be greatly appreciated.

Thank you,

Jacob

The error that we are getting in our logs is …

An exception was thrown while trying to establish a principal for the current request System.DirectoryServices.AccountManagement.PrincipalOperationException: An invalid dn syntax has been specified.
 ---> System.DirectoryServices.DirectoryServicesCOMException: An invalid dn syntax has been specified.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
   at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
   at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
   at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesService.FindByIdentity(String username)
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesCredentialValidator.GetOrCreateUser(String username, CancellationToken cancellationToken)
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesUserCreationFromPrincipal.GetOrCreateUser(IPrincipal principal, CancellationToken cancellationToken)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.ExternalPrincipalRequestAuthenticator.TryAuthenticateRequest(NancyContext context) in C:\buildAgent\work\abb2fbfce959a439\source\Octopus.Server\Web\Infrastructure\Authentication\ExternalPrincipalRequestAuthenticator.cs:line 41
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.UserAuthenticator.AuthenticateRequest(NancyContext context) in C:\buildAgent\work\abb2fbfce959a439\source\Octopus.Server\Web\Infrastructure\Authentication\UserAuthenticator.cs:line 41

My configuration - (note I have used the PowerShell script to verify I can query my AD domain)

(Shannon Lewis) #3

Hi Jacob,

Thanks for getting in touch and sorry to hear you’re having trouble with the logins. Would you be able to double check which user the Octopus service is running as? We’ve seen cases where it somehow gets changed during an upgrade and ends up as LocalSystem, which then doesn’t have the right permissions into AD.

You mentioned you ran the troubleshooting scripts, was that as your user or the same one the Octopus service is running as?

Also, do you see similar issues using the forms authentication rather than using the “Sign in with a domain account” button?

Regards
Shannon

(Jacob Misel) #4

It appears it was running under the LocalSystem user. I updated it to be an admin user who does have access to query AD and still had no luck after the Restart of the Octopus Server. The forms authentication has been working with our AD credentials since the upgrade. The sign in with domain account is still not working even after the change in the services user.

(Jacob Misel) #5

Looks like it was an issue with the Active Directory Container. We had specified the container along the lines of myCompany.com and we changed the settings to “DC=myCompany,DC=com” and it ended up working.

Looks like the app user was reverted back, so that was probably an issue we would have run into as well. I appreciate the help.
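The root cause in this thread was a container value written as a DNS name (myCompany.com) where the .NET PrincipalContext expects an LDAP distinguished name (DC=myCompany,DC=com). The PowerShell below is an added example, not part of the thread or of Octopus Deploy's own troubleshooting script: it applies a coarse DN syntax check to a candidate container value, then forces the same FindByIdentity bind that appears in the stack trace above so the "invalid dn syntax" failure surfaces in a test session instead of in the server log. It assumes a domain-joined Windows host and that whoever runs it can read the directory; the function name Test-AdContainerDn and the sample values are constructed for the example.

```powershell
# Added example (not from the thread). Validate an Active Directory container value
# before putting it into the Octopus "Sign in with a domain account" configuration.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-AdContainerDn {
    param(
        [Parameter(Mandatory)] [string] $Domain,     # e.g. "myCompany.com"
        [Parameter(Mandatory)] [string] $Container   # e.g. "DC=myCompany,DC=com"
    )

    # Coarse syntax check: a DN is a comma-separated list of attr=value pairs.
    # It deliberately does not handle RFC 4514 escaped commas; the bind below is authoritative.
    $dnPattern = '^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+(\s*,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*\s*$'
    if ($Container -notmatch $dnPattern) {
        return [pscustomobject]@{
            Container = $Container
            Ok        = $false
            Reason    = 'Not DN syntax (expected a value like DC=myCompany,DC=com)'
        }
    }

    try {
        $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $Domain, $Container)

        # PrincipalContext binds lazily. FindByIdentity is what triggers Initialize() and
        # the bind, which is exactly where the log above throws PrincipalOperationException.
        $null = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $env:USERNAME)

        return [pscustomobject]@{ Container = $Container; Ok = $true; Reason = 'Bound and queried the container' }
    } catch {
        return [pscustomobject]@{ Container = $Container; Ok = $false; Reason = $_.Exception.Message }
    }
}

# Ask the domain what its base DN actually is rather than hand-typing it, and compare.
$rootDse = [ADSI]"LDAP://RootDSE"
"Domain default naming context: $($rootDse.defaultNamingContext)"

# The value that failed in the thread, and the one that worked (sample values, constructed):
Test-AdContainerDn -Domain 'myCompany.com' -Container 'myCompany.com'
Test-AdContainerDn -Domain 'myCompany.com' -Container 'DC=myCompany,DC=com'
```

Run it under the same account the Octopus service runs as (Shannon's first question above), since a bind that succeeds for an interactive admin can still fail for LocalSystem; the defaultNamingContext line gives you the exact DN to paste into the container setting.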

(Shannon Lewis) #6

No problems, glad you got to the bottom of it.