The notes for Version 2020.2 have this statement:
"This version also introduced a breaking change for users of Active Directory authentication using Kerberos, there is now a requirement to use host machine SPNs rather than user SPNs. This requirement means that High Availability features can only be used with NTLM based authentication when using Active Directory integration with H/A"
I am having a hard time understanding if this applies to my installation. Here are my questions:
"there is now a requirement to use host machine SPNs rather than user SPNs."
I think I might have a vague understanding of what a host machine SPN is. (Basically, it is a certificate for a machine, used to trust that the machine is the machine that it says it is, right?) But I have not seen anywhere in Octopus Deploy where such a thing is configured. (I am running 2019.12.1)
Does this mean that I can’t do integrated security any more? Do all my users need to have host machine SPNs registered and somehow linked in Octopus Deploy?
Most importantly, once I upgrade, will all my users be locked out from deployments until I get them a machine SPN?
"This requirement means that High Availability features can only be used with NTLM based authentication when using Active Directory integration with H/A"
Does this mean that this breaking change does not apply if I don’t have an H/A setup? Or just that there is now a limitation to NTLM due to this breaking change?
Also, I assume from this text that this limitation to only supporting NTLM is just for H/A installations?
I am struggling to understand what this breaking change means and what I would need to do to keep Octopus Deploy Integrated Windows Security working, and deploying correctly, after I upgrade to the latest version.
Can I get some more details on this breaking change?