AD Groups not working

I’m sure you’ve had this before, judging from your very helpful documentation.

We have Octopus running on an AD-joined Windows VM running in Azure. We have a number of users set up who can log in just fine using their AD accounts, either via the form or by clicking the little integrated auth button.

The problem is that it isn't finding any groups. We also have a lot of errors in the logs saying it can't find the users (shown below).

I've used the PowerShell scripts in the help & they come up with almost the same error:

Write-Output : Information about the domain could not be retrieved (1355).

Is there any advice you can offer on what I can look into? I have a suspicion that the network routing is preventing the server from contacting or querying the AD server. I've tried testing DNS resolution & the TCP connection, but they pass.

I should also mention that the server runs as SYSTEM, the groups are in one branch of the AD forest (group.domain1.tld.net) & the users are in another (user.domain2.tld.net).

2023-06-13 01:15:54.3080 828 57 ERROR Active Directory search for "domain\user" failed.
System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException: The server is not operational.
Name: "domain.NET
 ---> System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   at System.DirectoryServices.ActiveDirectory.Forest.GetForest(DirectoryContext context)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOf(Principal p)
   at System.DirectoryServices.AccountManagement.Principal.GetGroupsHelper()
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.UserPrincipalWrapper.GetGroups(CancellationToken cancellationToken)
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesExternalSecurityGroupLocator.GetGroupIdsForUser(String samAccountName, CancellationToken cancellationToken)
2023-06-13 01:15:54.3080 828 57 ERROR Couldn't retrieve groups for user "user"
2023-06-13 01:15:54.3080 828 57 WARN Couldn't retrieve groups for samAccountName "domain\user"

Hi @Simon_Halsey

Thanks for reaching out to us today regarding your issue.

Octopus can sometimes report this error if the machine is not trusted by the domain.
Can you re-join the machine to the AD domain and see if that resolves the issue?

We do have some useful PowerShell scripts that can help troubleshoot the connection issues here.

Could you run both the users script and the groups script and let us know the result?

Kind Regards,
Dom.

Thanks, I've tried those scripts & get much the same error.

I’ve found a few more things today. We have 3 different domains in the forest. The server is attached to domain1 (domain1.tld.net)

The groups are in domain2 (domain2.tld.net).

We tried adding a new user that was in domain3 (domain3.tld.net) using domain3\user & they couldn't be located (LDAP server not found error). If I tried using domain1\user, it found the user as expected.

The article you linked to mentions missing permissions for cross domain lookups. Might this be the issue?

Good afternoon @Simon_Halsey,

Sorry it has taken a while to get back to you, and sorry you are having so much trouble with this. Unfortunately, Octopus does use the scripts in the troubleshooting guide to connect to the LDAP or AD server in the domain Octopus is hosted on.

We do have a document on Trusted Domains which I am sure you will have seen, but I wanted to post it just in case you had not. That should give you some information about how Octopus can work with domain trusts, but if the scripts in the troubleshooting guide don't work when run outside of Octopus, there is nothing really we can do to help, I am afraid.

Since everyone's networking and domain infrastructure are completely different, we can't really advise on how you would get this to work, so it might be worth talking to Microsoft if you can and seeing if they can advise how to get a user from domain 3 to authenticate to the LDAP server.

Does domain 3 have a trust relationship with domain 1? From your latest comment it seems that the trust does not exist there, since a domain3 user is getting "LDAP server not found" (can the machine you are running the AD tasks on ping the LDAP / AD server?).

I am really sorry we cannot help you any further with this at the moment. There are a few articles on Google I skimmed through relating to permissions for groups (as per one of our documents you alluded to here), but they tended to be about NTFS folder permissions, and they were all one- and two-way trusts, and usually you have something like this:

Domain A - Users and Groups
Domain B - Users and Groups

You then get Domain A to trust Domain B in either a one- or two-way relationship, and Domain B can either access resources in Domain A (two way), or Domain A can access resources in Domain B but Domain B cannot access resources in Domain A (one way).

Personally I have never seen three domains in a forest, but I have only worked on smaller networks. Let me know once you get this working outside of Octopus and those troubleshooting scripts work; if you still cannot connect to the groups in Domain B via Octopus, we can do some more digging.

Kind Regards,
Clare
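As an added example (not Octopus's own troubleshooting scripts), the PowerShell below repeats outside Octopus the steps the stack trace in the first post shows: locate the user's domain, reach a DC, list the trusts of the domain the VM is joined to, bind, find the user and call GetGroups(). It reports which step fails so that error 1355 / "server is not operational" can be pinned to DNS, network, trust or lookup. The domain and account names are placeholders for this thread's environment.

```powershell
# Added example, not Octopus's scripts: find which lookup step fails for a cross-domain user.
param(
    [string]$UserDomain = 'domain3.tld.net',  # placeholder: domain that holds the user account
    [string]$SamAccount = 'user'              # placeholder: samAccountName without "domain\"
)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainReachable {
    param([string]$Domain)
    # Error 1355 (ERROR_NO_SUCH_DOMAIN) means the domain could not be located at all,
    # so check DC discovery via the _ldap._tcp SRV records before anything LDAP-related.
    try { $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' } }
    catch { return "DNS: no DC SRV records for $Domain ($($_.Exception.Message))" }
    $dc = ($srv | Select-Object -First 1).NameTarget
    # Resolving the name is not enough; the advertised DC must accept LDAP (389) from this VM.
    if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
        return "TCP: $dc found in DNS but port 389 is not reachable"
    }
    return "OK: $dc answers LDAP for $Domain"
}

function Get-TrustsFromComputerDomain {
    # The service runs as SYSTEM, so the bind uses the machine account of the domain the VM
    # is joined to; that domain needs a trust in the right direction with the user's domain.
    [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().GetAllTrustRelationships() |
        Select-Object TargetName, TrustDirection, TrustType
}

function Get-UserGroupsInDomain {
    param([string]$Domain, [string]$Sam)
    try {
        $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
                    [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                    $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $Sam)
        if (-not $user) { return "LOOKUP: $Sam not found in $Domain" }
        # GetGroups() is the call that failed in the log (GetGroupsMemberOf -> Forest.GetForest).
        return $user.GetGroups() | ForEach-Object { "$($_.Context.Name)\$($_.SamAccountName)" }
    } catch {
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap to the AD/COM error
        return "FAILED: $($ex.GetType().Name): $($ex.Message)"
    }
}

Test-DomainReachable -Domain $UserDomain
Get-TrustsFromComputerDomain | Format-Table -AutoSize
Get-UserGroupsInDomain -Domain $UserDomain -Sam $SamAccount
```

Run it under the same identity as the Octopus service (SYSTEM, for example via `psexec -s`) so the bind uses the machine account; run as your own AD user it exercises a different credential and can succeed where the service fails.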
