Active Directorybreaking change in version 2020.2

The notes for Version 2020.2 have this statement:

This version also introduced a breaking change for users of Active Directory authentication using Kerberos, there is now a requirement to use host machine SPNs rather than user SPNs. This requirement means that High Availability features can only be used with NTLM based authentication when using Active Directory integration with H/A

I am having a hard time understanding if this applies to my installation. Here are my questions:

there is now a requirement to use host machine SPNs rather than user SPNs.

I think I might have a vague understanding what a host machine SPN is. (Basically, it is a certificate for a machine, used to trust that it is the machine is the machine that it says it is, right?) But I have not seen anywhere in Octopus deploy where such a thing is configured. (I am running 2019.12.1)

Does this mean that I can’t do integrated security any more? Do all my users need to have host machine SPNs registered and somehow linked in Octopus deploy?

Most importantly, once I upgrade, will all my users be locked out from deployments until I get them a machine SPN?

This requirement means that High Availability features can only be used with NTLM based authentication when using Active Directory integration with H/A

Does this mean that this breaking change does not apply if I don’t have an H/A setup? Or just that there is now a limitation to NTLM due to this breaking change.

Also, I assume from this text that this limitation for to only supporting NTLM is just for H/A installations?

I am struggling to understand what this breaking change means and what I would need to do to keep Octopus Deploy Integrated Windows Security working, and deploying correctly, after I upgrade to the latest version.

Can I get some more details on this breaking change?

Hi @OctopusSchaff,

Thanks for reaching out.

To better get a handle on your setup, I have a couple of quick questions. Is Octopus running as a domain account? If it is, are you using something like a load balancer to route traffic to the nodes?

Please let me know.

Best,
Jeremy

Thank you for responding to my question! Here are the answers to your questions:

Is Octopus running as a domain account?

No. It runs under the Local System account.

Are you using something like a load balancer to route traffic to the nodes?

No, we are not using a load balancer right now.

Hi @OctopusSchaff,

Thanks for all of the information. You will be unaffected by the change. There is more information on what is allowed here: Active Directory authentication - Octopus Deploy

Please let me know if you have any other questions or concerns.

Best,
Jeremy

Hi,

I have the same setup but the Octopus server is running under the domain account. No-load balancer to route traffic.

Does changing the service account to a Local System account enough? Doesnt the Octopus server need a domain account?

thanks
Saravana

Hi Saravana,

Thanks for getting in touch!

This breaking change was only related to multi-node, high availability Octopus environments.
If you’re not using a load balancer then I am assuming that you are only running a single Octopus server?
If so, this change shouldn’t affect you or require any specific changes.

Regards,
Paul

Thanks, Paul for your reply.

Yes, ours is a single node server.

Hi @Saran,

Please let us know if you have any other questions or concerns.

Best,
Jeremy

Hi Jeremey,

I do have one clarification, but may be off this security topic in this thread.

I need to migrate from V20186.7 to V2020.6

As part of this, I need migrate to SQL 2017. Does the installation takes care of any new DB object for SQL2017 or is there any manual step involved?

Hi @Saran,

If you upgrade your SQL Server version then upgrade your Octopus Instance, everything should be handled automatically with the upgrade scripts. Are you following the upgrade guide? Is it possible to run everything in a test environment first to make sure everything goes off without a hitch?

Here is the section on upgrading in our documentation: Upgrading Octopus - Octopus Deploy

Please let me know if you have any questions.

Best,
Jeremy