Active Directory Authentication Not Working || Octopus Deploy

authentication

(Vivek Singh) #1


Hi,

I am using Octopus Deploy version v2018.3.5 and our requirement is that user access
should only be granted through Active Directory groups and not to individual users.

I went through a couple of posts along with the documentation at https://octopus.com/docs/administration/authentication-providers/active-directory-authentication
and implemented the following layout. Correct me if I missed something:

  1. Created one group in Active Directory named “RSIN_APP_octo_admin”.

  2. Created one user called “octopus” and made it a member of “RSIN_APP_octo_admin” in Active Directory.

  3. User “octopus” can log in to email as well as the local environment machine using Active Directory credentials.

  4. Then I logged in to the local environment machine via RDP using user “octopus” credentials.

  5. Opened the Octopus portal in Google Chrome and then went to Configuration -> Settings -> Active Directory

    | Parameter | Value |
    |---|---|
    | Active Directory Container | CN=RSIN_APP_octo_admin,OU=Development,OU=Group,DC=india,DC=rsystems,DC=com |
    | Authentication Scheme | IntegratedWindowsAuthentication |
    | Allow Forms Authentication For Domain Users | Enabled |
    | Security Groups Enabled | Enabled |
    | Allow Auto User Creation | Enabled |
    | Is Enabled | Enabled |

  6. Then went to Team -> Octopus Administrators -> Members -> Add Active Directory Group and added “RSIN_APP_octo_admin”.

  7. Opened the Octopus portal in the browser using Google Chrome.

  8. Used “Sign in with a domain account”, which triggered a pop-up, and then I put in credentials like:
    Username : domain\octopus
    Password : xxxxxxxxxxxxxx

  9. Checked the logs under c:\octopus\logs\octopusserver.txt; at the very bottom of the file I see an error like:

First Error : Using user “octopus”

An exception was thrown while trying to establish a principal for the current request
System.ArgumentException: A principal identifiable by 'octopus' was not found in 'IND-DEL'
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesCredentialValidator.GetOrCreateUser(String username, CancellationToken cancellationToken)
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesUserCreationFromPrincipal.GetOrCreateUser(IPrincipal principal, CancellationToken cancellationToken)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.ExternalPrincipalRequestAuthenticator.TryAuthenticateRequest(NancyContext context)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalEstablisher.EstablishPrincipalForRequest(NancyContext context)

  10. Then I tried with the domain administrator account called “vivek.singh2” and made him a member of the “RSIN_APP_octo_admin” group as well as
    “Octopus Administrators”.

**Second Error : Using user “vivek.singh2”**

System.ArgumentException: A principal identifiable by 'Vivek.Singh2' was not found in 'IND-DEL'
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesCredentialValidator.GetOrCreateUser(String username, CancellationToken cancellationToken)
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesUserCreationFromPrincipal.GetOrCreateUser(IPrincipal principal, CancellationToken cancellationToken)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.ExternalPrincipalRequestAuthenticator.TryAuthenticateRequest(NancyContext context)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalEstablisher.EstablishPrincipalForRequest(NancyContext context)

  11. Most important part: if I choose the parameters below, then the user is able to log in and a new user is created automatically.

    | Parameter | Value |
    |---|---|
    | Active Directory Container | None |
    | Authentication Scheme | Ntlm |
    | Allow Forms Authentication For Domain Users | Enabled |
    | Security Groups Enabled | Enabled |
    | Allow Auto User Creation | Enabled |
    | Is Enabled | Enabled |

Note: I hope I have given enough information to understand my requirement and problem.
If someone can help me out ASAP, that would be great.


(Shannon Lewis) #3

Hi Vivek,

Thanks for getting in touch. I think the issue is related to the container value you had set. The common name (CN) there looks like the group name, is that correct? The container is used to constrain where the searches are based in Active Directory, so if you constrain down to the group then it won’t be able to see the users (they’d be siblings in the tree, I think). So if you do need to constrain the search, the Development OU might be the level you need, then Octopus would be able to see the user and groups in that OU.

The other thing is the Authentication Scheme. I think having it set to IntegratedWindowsAuthentication might be why you were seeing the popup, Ntlm is the default and won’t do the popup unless the machine you’re accessing from isn’t actually on the domain.

Hope that helps.

Regards
Shannon


(Vivek Singh) #4

Hi @Shannon_Lewis,

Thanks for the prompt reply. I would like to give you some info:

  1. I asked the AD admin to create a group “RSIN_APP_octo_admin” and create one user “octopus” and make it a member of it as well as the group owner and administrator, so that the user “octopus” can delete, modify and create tasks. Also I requested him to provide the AD container of group “RSIN_APP_octo_admin”.

  2. So he provided me the container info like:

AD Container = CN=RSIN_APP_octo_admin,OU=Development,OU=Group,DC=india,DC=rsystems,DC=com

where CN = group name
OU = Development categories
DC = domain name “india.rsystems.com”

  3. When I log in as user “octopus” then I am able to see those groups and able to add them as well. However, not able to authenticate.

  4. Yes, the whole environment is on the same domain; that is the reason I am using "IntegratedWindowsAuthentication".

  5. However, I have also used NTLM with the full AD container path; still it doesn’t work.

  6. Would you like me to provide something else, like Octopus server logs? Or at AD level, would you like to suggest something to test, so that I can ask my AD admin for that?

Thanks for your help. Appreciated.

Regards
Vivek Singh


(Shannon Lewis) #5

Hi Vivek,

We’ve been able to reproduce the behavior you are seeing by creating a group within an OU and then setting the Octopus AD container value to the full Common Name of the group itself (which is what it looks like you were given).

When configured like this, all queries are constrained to the group itself as the “container”, which means all you’ll ever be able to get back is the group itself (users are members of a group, not children of it in the tree). So what you need is to be 1 level higher in the tree to be able to see the groups and the users. This just means removing CN=RSIN_APP_octo_admin, from the beginning of the container setting.

Regards
Shannon


(Vivek Singh) #6

Hi @Shannon_Lewis.

Thanks for your great help and support so far. "IF YOU WOULD LIKE TO SUGGEST THE BEST WAY TO INTEGRATE AD AND OCTOPUS PLEASE DO SUGGEST, AS IT IS ACTUALLY A VERY ISSUE FOR US TO ALLOW USERS TO JUMP ON IT AND WE NEED TO FIX IT ASAP. PLZ HELP".

However, I have tried the same as suggested; still I am getting an error. Please check the sequence screenshot.

image

PLEASE ALSO FIND THE ERROR LOG IN DETAIL:

WARN An exception was thrown while trying to establish a principal for the current request
System.DirectoryServices.AccountManagement.PrincipalOperationException: An operations error occurred.
---> System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
   at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
   at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
   at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesCredentialValidator.GetOrCreateUser(String username, CancellationToken cancellationToken)
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesUserCreationFromPrincipal.GetOrCreateUser(IPrincipal principal, CancellationToken cancellationToken)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.ExternalPrincipalRequestAuthenticator.TryAuthenticateRequest(NancyContext context)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalEstablisher.EstablishPrincipalForRequest(NancyContext context)
2018-03-22 12:31:52.1196 5432 9 WARN An exception was thrown while trying to establish a principal for the current request
System.DirectoryServices.AccountManagement.PrincipalOperationException: An operations error occurred.
---> System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
   at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
   at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
   at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesCredentialValidator.GetOrCreateUser(String username, CancellationToken cancellationToken)
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesUserCreationFromPrincipal.GetOrCreateUser(IPrincipal principal, CancellationToken cancellationToken)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.ExternalPrincipalRequestAuthenticator.TryAuthenticateRequest(NancyContext context)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalEstablisher.EstablishPrincipalForRequest(NancyContext context)
2018-03-22 12:34:56.9026 5432 25 INFO Updating config for DirectoryServicesConfiguration, with id authentication-directoryservices
2018-03-22 12:41:35.1849 5432 49 WARN An exception was thrown while trying to establish a principal for the current request
System.ArgumentException: A principal identifiable by 'octopus' was not found in 'IND-DEL'
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesCredentialValidator.GetOrCreateUser(String username, CancellationToken cancellationToken)
   at Octopus.Node.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesUserCreationFromPrincipal.GetOrCreateUser(IPrincipal principal, CancellationToken cancellationToken)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.ExternalPrincipalRequestAuthenticator.TryAuthenticateRequest(NancyContext context)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalEstablisher.EstablishPrincipalForRequest(NancyContext context)


(Shannon Lewis) #7

I think I can see two issues there. One is the account the service is running as, I’d normally run that as a domain user (low permissions, but enough to query the domain). I think this could explain the reason it can’t find the other octopus user.

Second is the prompt for credentials. I notice you’re accessing via IP address. If you use the “Sign in as a domain account” button we rely on the authentication challenge in the browser. The default settings for the browsers though will usually only allow integrated security in the local intranet zone. So my guess is that you’ll need to add the IP address to that zone in the browser internet settings -> security tab.

Regards
Shannon


(Vivek Singh) #8

Hi @Shannon_Lewis.

Thanks for the update.

  1. Well, I have assigned a domain user as the log-on user as guided.

  2. I have used the Active Directory container as you guided; however, I have the Google Chrome browser,
    and
    I put everything like username: ind-del\octopus, which is “domain\user”.

    Case 1: If I put a wrong password, then it asks me for the correct password.
    Case 2: If I put the correct password, then it accepts it but redirects back to the login page.

  3. It means it is accepting the password but authentication doesn’t get past the login page. Also no error logs are being registered.

Note:

  1. If you can suggest the best way to implement AD integration with Octopus, I will follow it to implement it. Plz, if you can.

  2. Re-deploy Octopus using a domain account; will it work then?

Regards
Vivek


(Vivek Singh) #9

Hi @Shannon_Lewis

An update: Octopus refresh

Case-1 :

  1. I downloaded and installed the latest version of Octopus using a domain account called “rgadmin”,
    and also I used the option to log in with Active Directory while installing, which I feel is very easy to do.

  2. After installation completed, I directly opened the browser and then chose the option
    " Sign in using domain account " and then put the username\password of “rgadmin”, who is a domain
    account member as well as an Octopus local admin.

  3. Added the group which I defined earlier in emails, which is “RSIN_APP_octo_admin”.

  4. Again modified the settings for AD under Settings as guided by you, e.g.

    " AD Container Name = OU=Development,OU=Group,DC=india,DC=rsystems,DC=com"

  5. However, this time too I get the same errors if I try to log in from another user called “octopus”, who is a
    member of group “CN=RSIN_APP_octo_admin”.

Case-2 :

  1. If I choose the default settings for Active Directory, I mean default values,
    e.g. no AD container and other stuff, and the authentication mechanism is NTLM,
    and log in with the user called “octopus”, then I see a different type of error message in the logs.

    Where it says :

2018-03-22 20:00:28.2180 5984 14 INFO Synchronizing external security groups for 1 user. Loading users took 0.01s.
2018-03-22 20:00:32.1721 5984 4 INFO Reader took 352ms (47ms until the first record) in transaction ‘SynchronizeCommunityActionTemplatesTaskController’: SELECT * FROM dbo.[CommunityActionTemplate] ORDER BY [Id]
2018-03-22 20:00:37.5145 5984 14 INFO 1 user was updated to match their external security groups. Processing users took 9.29s.
2018-03-22 20:01:03.5371 5984 10 INFO A principal identifiable by ‘octopus@india.rsystems.com’ was not found in ‘Noida-dc01.india.rsystems.com’ where “Noida-dc01.india.rsystems.com” is my primary DNS url.

However,

if I try to log in with the default admin account or the domain account I used for deployment, then I am able to log in.

So my question to you is:

  1. Do we really need to define a container to get AD integration working?
  2. Are we really doing something wrong in the steps for AD integration?
  3. Can you suggest the way to implement things so that I can pass it to the AD admin people?

And last, of course, thanks for all of your great support so far.

Regards
Vivek


(Shannon Lewis) #10

Hi Vivek,

Regarding the octopus user you are trying to log in with, they are a member of the group but are they also a member of the Development OU? If not then the container value will be stopping you from seeing them and you’ll have to move it further up the tree until you are at a point that contains both the group and the user.

In answer to your questions

  1. The container is not a requirement for AD integration, it is just a lever that you can use to restrict to only allowing users from a particular OU, for example, to access Octopus. If you make it blank then you shouldn’t have any query issues, you could then look at making it more restricted if you really need to.

  2. I don’t think you’re doing anything particularly wrong, AD implementations can be complicated and integrating can then be fiddly in complex scenarios.

  3. Regarding the Case 2 from your previous message, where it would accept the password but then loop you back to the login page. This can sometimes happen if the browser doesn’t accept the authentication cookie we send back. It would probably be worth making sure session cookies aren’t being blocked. It could come back again to the security zone, so it might be worth accessing the machine by name rather than IP and getting the network admins to make sure that machine is listed in the Local Intranet zone, using Group Policies or something like that.

Regards
Shannon
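
The container behaviour Shannon describes in #5 and #10, as an added example that is not code from this thread or from Octopus itself: it models the "Active Directory Container" as the base of an LDAP search (an entry is visible only if its DN ends with the container DN), shows that a group's own DN hides its members, and computes the narrowest container that still holds every entry. The user DNs are assumptions; the thread only states that the user and the group sit in the same Development OU.

```python
"""Why a group DN is the wrong "Active Directory Container" value, and how far up
the tree the container has to move. Added example, not Octopus's own code."""
import re

# Values from the thread. The user DN is an assumption (same OU as the group).
CONTAINER_AS_GIVEN = "CN=RSIN_APP_octo_admin,OU=Development,OU=Group,DC=india,DC=rsystems,DC=com"
GROUP_DN = CONTAINER_AS_GIVEN
USER_DN = "CN=octopus,OU=Development,OU=Group,DC=india,DC=rsystems,DC=com"  # assumed


def parse_dn(dn):
    """Split a DN into its RDN strings, leftmost (most specific) first.

    Splits only on unescaped commas so a value like "Singh\\, Vivek" survives."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]


def rdn_key(rdn):
    """Comparison key for one RDN: attribute type and value, both case-folded,
    since LDAP attribute types are case-insensitive and AD matches DN values
    without regard to case."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())


def is_under(entry_dn, container_dn):
    """True if entry_dn is at or below container_dn: a search based at the
    container can return it. This is a suffix match on the RDN sequence."""
    entry = [rdn_key(r) for r in parse_dn(entry_dn)]
    container = [rdn_key(r) for r in parse_dn(container_dn)]
    return len(container) <= len(entry) and entry[len(entry) - len(container):] == container


def invisible_entries(container_dn, *entry_dns):
    """Entries that a search rooted at container_dn can never return.
    Group membership is an attribute on the group, not a child entry, so a
    member is invisible unless its own DN sits under the container."""
    return [dn for dn in entry_dns if not is_under(dn, container_dn)]


def narrowest_common_container(*dns):
    """Deepest DN that contains all given entries: walk from the root (rightmost
    RDN) down while every DN agrees, then step up one level if any entry would
    otherwise be its own container (the mistake in the thread)."""
    parsed = [parse_dn(dn) for dn in dns]
    common = []  # built root-first
    for level in zip(*(reversed(p) for p in parsed)):
        if len({rdn_key(r) for r in level}) != 1:
            break
        common.append(level[0])
    if common and any(len(p) == len(common) for p in parsed):
        common.pop()
    return ",".join(reversed(common))


if __name__ == "__main__":
    print("hidden with the group DN as container:",
          invisible_entries(CONTAINER_AS_GIVEN, GROUP_DN, USER_DN))
    fixed = narrowest_common_container(GROUP_DN, USER_DN)
    print("container one level up:", fixed)
    print("hidden now:", invisible_entries(fixed, GROUP_DN, USER_DN))
    # An account in a different OU (assumed DN) forces the container further up,
    # which is the "move it further up the tree" advice from #10.
    other = "CN=vivek.singh2,OU=Admins,DC=india,DC=rsystems,DC=com"
    print("container for all three:", narrowest_common_container(GROUP_DN, USER_DN, other))
```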


(Vivek Singh) #11

Hi,

Following points of observation:

1. Point A: Yes, both the user called “octopus” and “octopus server”, along with the group named “RSIN_APP_octo_admin”, are in the same OU, which is “Development”.

2. Point B: As you guided, I removed the Active Directory container and chose the default settings. The only twist is that I enabled the option “Allow Auto User Creation” and authentication scheme "IntegratedWindowsAuthentication", then assigned group name “RSIN_APP_octo_admin” to “Octopus Administrators” and went on by restarting the services. It looks like everything is working fine; users are now able to log in using their domain access, and because they are members of AD group “RSIN_APP_octo_admin” they can now see everything in Octopus.

image

However, in fact, I tried to log in from another user who is not a member of the group, but that user was able to log in; the twist is that the newly auto-created user does not have enough permission to perform anything in Octopus because I haven’t added them to the AD group. Well, the point of the explanation above is, I wish to not allow automatic user creation, and in that case I know I need to disable the “Allow Auto User Creation” setting.

3. Believed to be a bug: If I disable the “Allow Auto User Creation” setting in the AD authentication section,
    then whenever I open the Octopus portal and choose sign in with domain account, the page is always redirected to itself. In fact, if I put the username\password manually then it shows the message “User could not be located and auto user creation is not enabled”.

    image

4. Point C: I followed the following document link at:
https://octopus.com/docs/administration/authentication-providers/auto-user-creation
Also, I assigned the Octopus server a URL or DNS name to access it, and I enabled that
website under “Local Intranet Zone” using group policy as guided.

NEED HELP ON THIS

I wish to keep the “Allow Auto User Creation” setting in the AD authentication section disabled while keeping the other settings as they are. And if that works, I will still be happy with the AD integration part. As of now it is not working in the Octopus version which I am using at the moment of writing this post, which is
Octopus v2018.3.6

image


(Shannon Lewis) #12

Hi Vivek,

That message is exactly what we’d expect to see if AD has authenticated the username/password but then we don’t recognize that user in Octopus. When you disable auto user creation it will not allow login for someone it doesn’t recognize. So the question is why doesn’t it recognize them?

Could you check the user details in Octopus itself for the “octopus” user? If the username is “octopus”, and you’re not crossing domain boundaries, then we should see that as the right user.

To be extra sure, could you also see if there are any entries listed under that user’s Logins? If they don’t have any, you should be able to add one via a dialog that will let you do a search in AD. This will store the user’s exact SAMAccountName, UPN, and email address and we can successfully locate the user on login.

If you are still having trouble at that point, could you try using a forms login and view the network traffic from the Developer tools in Chrome to the login API endpoint? Specifically what I want to check is that the data being posted with the request looks like it contains the correct username and password, and that the response contains data and cookies.

Regards
Shannon


(Vivek Singh) #13

Hi,

Thanks for the suggestion. Yes, it is working, though having said that, the AD container issue still persists.
Secondly, I have kept “Allow User Creation” enabled upon first login for AD users, and the only problem is that I need to share the Octopus details every time with only a specific group of people. I hope in the near future the Octopus development team will focus more on the AD integration mechanism. Actually, it is very important to work on this kind of issue because it does provide flexibility in adding users to Octopus.

So far you have helped me a lot; I really thank you for what you have done so far. I owe you, man.

If something comes up on the way, I will get back again. Till that time, have a nice time.

Regards
Vivek