Active Directory breaking change in version 2020.2

The notes for Version 2020.2 have this statement:

This version also introduced a breaking change for users of Active Directory authentication using Kerberos, there is now a requirement to use host machine SPNs rather than user SPNs. This requirement means that High Availability features can only be used with NTLM based authentication when using Active Directory integration with H/A

I am having a hard time understanding if this applies to my installation. Here are my questions:

there is now a requirement to use host machine SPNs rather than user SPNs.

I think I might have a vague understanding of what a host machine SPN is. (Basically, it is a certificate for a machine, used to trust that the machine is the machine it says it is, right?) But I have not seen anywhere in Octopus Deploy where such a thing is configured. (I am running 2019.12.1)

Does this mean that I can’t do integrated security any more? Do all my users need to have host machine SPNs registered and somehow linked in Octopus deploy?

Most importantly, once I upgrade, will all my users be locked out from deployments until I get them a machine SPN?

This requirement means that High Availability features can only be used with NTLM based authentication when using Active Directory integration with H/A

Does this mean that this breaking change does not apply if I don’t have an H/A setup? Or just that there is now a limitation to NTLM due to this breaking change.

Also, I assume from this text that this limitation to only supporting NTLM is just for H/A installations?

I am struggling to understand what this breaking change means and what I would need to do to keep Octopus Deploy Integrated Windows Security working, and deploying correctly, after I upgrade to the latest version.

Can I get some more details on this breaking change?

Hi @OctopusSchaff,

Thanks for reaching out.

To better get a handle on your setup, I have a couple of quick questions. Is Octopus running as a domain account? If it is, are you using something like a load balancer to route traffic to the nodes?

Please let me know.

Best,
Jeremy
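The two questions above (which account the Octopus service runs as, and whether any SPNs are registered for it) can be answered from the server itself. The following PowerShell is an added example for readers of this thread, not Octopus Deploy's own code or a script from the forum. It assumes the Windows service is named `OctopusDeploy` (the default install name), that the host is domain-joined, and that the caller is allowed to query Active Directory; the `Get-OctopusServiceAccount` and `Find-SpnHolders` function names are the example's own.

```powershell
# Added example (not from the Octopus thread): report which account runs the
# Octopus Server service and which AD objects hold HTTP SPNs for this host.
# Assumptions: service name 'OctopusDeploy', domain-joined host, AD read access.

function Get-OctopusServiceAccount {
    param([string]$ServiceName = 'OctopusDeploy')   # assumed default service name
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this host." }
    [pscustomobject]@{
        Service         = $svc.Name
        Account         = $svc.StartName
        # LocalSystem and the NT AUTHORITY built-ins are not domain accounts;
        # Kerberos for those binds to the computer object's SPNs, not a user's.
        IsDomainAccount = ($svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\.*)$')
    }
}

function Find-SpnHolders {
    # Lists AD objects (users or computers) whose servicePrincipalName matches
    # the pattern; the default looks for HTTP SPNs naming this machine.
    param([string]$SpnFilter = "HTTP/$env:COMPUTERNAME*")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$SpnFilter)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account     = $r.Properties['samaccountname'][0]
            # The last objectClass value is the most specific one (user/computer)
            ObjectClass = ($r.Properties['objectclass'] | Select-Object -Last 1)
            SPNs        = @($r.Properties['serviceprincipalname']) -match '^HTTP/'
        }
    }
}

$acct = Get-OctopusServiceAccount
$acct | Format-List
if ($acct.IsDomainAccount) {
    "Service runs as a domain account; HTTP SPNs for this host are held by:"
    Find-SpnHolders | Format-Table -AutoSize
} else {
    "Service runs as a built-in account; host SPNs belong to the computer object."
}
```

If the service account is a domain user and the HTTP SPN for the server name is registered on that user object (ObjectClass `user`), that is the "user SPN" case the release note refers to; if the SPN sits on the computer object (ObjectClass `computer`) or the service runs as Local System, it is already the "host machine SPN" case.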

Thank you for responding to my question! Here are the answers to your questions:

Is Octopus running as a domain account?

No. It runs under the Local System account.

Are you using something like a load balancer to route traffic to the nodes?

No, we are not using a load balancer right now.

Hi @OctopusSchaff,

Thanks for all of the information. You will be unaffected by the change. There is more information on what is allowed here: Active Directory authentication - Octopus Deploy

Please let me know if you have any other questions or concerns.

Best,
Jeremy

Hi,

I have the same setup but the Octopus server is running under the domain account. No load balancer to route traffic.

Is changing the service account to a Local System account enough? Doesn't the Octopus server need a domain account?

thanks
Saravana

Hi Saravana,

Thanks for getting in touch!

This breaking change was only related to multi-node, high availability Octopus environments.
If you’re not using a load balancer then I am assuming that you are only running a single Octopus server?
If so, this change shouldn’t affect you or require any specific changes.

Regards,
Paul

Thanks, Paul for your reply.

Yes, ours is a single node server.

Hi @Saran,

Please let us know if you have any other questions or concerns.

Best,
Jeremy

Hi Jeremy,

I do have one clarification, but may be off this security topic in this thread.

I need to migrate from V20186.7 to V2020.6

As part of this, I need to migrate to SQL 2017. Does the installation take care of any new DB objects for SQL 2017, or is there any manual step involved?

Hi @Saran,

If you upgrade your SQL Server version then upgrade your Octopus Instance, everything should be handled automatically with the upgrade scripts. Are you following the upgrade guide? Is it possible to run everything in a test environment first to make sure everything goes off without a hitch?

Here is the section on upgrading in our documentation: Upgrading Octopus - Octopus Deploy

Please let me know if you have any questions.

Best,
Jeremy
