AD integrated Octopus admin account can't access configuration when email address does not match UPN

Hello,

I am in the process of deploying Octopus Deploy server in our test environment. I have set Octopus Deploy to use AD integrated authentication. For this to work I have to set the following account properties (according to https://octopus.com/docs/administration/authentication-providers/troubleshooting-active-directory-integration)

  • samAccountName (pre-Windows 2000 Logon Name)
  • UPN (User Principal Name)
  • Email Address

When I install and configure Octopus Deploy and the email address and the UPN of the AD account I specify as the admin account in Octopus Deploy are not exactly the same, the admin account cannot access the configuration page in Octopus Deploy. The account cannot even configure the dashboard. I receive the following error message: “You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: EnvironmentView”

The logging states that the account has been added to the Octopus Administrators team:
2017-03-27 16:49:52.9716 1 INFO Creating user TNXT\administrator
2017-03-27 16:49:53.0497 1 INFO Adding user TNXT\administrator to the Octopus Administrators team
2017-03-27 16:49:53.0653 1 INFO Adding user TNXT\administrator to the Everyone team
2017-03-27 16:49:53.0810 1 INFO Done.

But when additional configurations are set the logging shows:

2017-03-27 21:59:10.4343 38 ERROR Unhandled exception from web server processing GET to http://localhost/{{ '~/images/directory_services_signin_buttons/microsoft-logo.svg' | resolveLink }}: An operation was attempted on a nonexistent network connection
System.Net.HttpListenerException (0x80004005): An operation was attempted on a nonexistent network connection
at System.Net.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.IO.StreamWriter.Flush(Boolean flushStream, Boolean flushEncoder)
at System.IO.StreamWriter.Dispose(Boolean disposing)
at System.IO.StreamWriter.Close()
at Newtonsoft.Json.JsonWriter.System.IDisposable.Dispose()
at Nancy.Serialization.JsonNet.JsonNetSerializer.Serialize[TModel](String contentType, TModel model, Stream outputStream)
at Octopus.Server.Web.OctopusNancyHost.OutputWithDefaultTransferEncoding(Response nancyResponse, HttpListenerResponse response) in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Web\OctopusNancyHost.cs:line 359
at Octopus.Server.Web.OctopusNancyHost.ConvertNancyResponseToResponse(NancyContext nancyRequest, Response nancyResponse, HttpListenerResponse response) in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Web\OctopusNancyHost.cs:line 342
at Octopus.Server.Web.OctopusNancyHost.Process(HttpListenerContext ctx) in Z:\buildAgent\workDir\eec88466c176b607\source\Octopus.Server\Web\OctopusNancyHost.cs:line 454
2017-03-27 22:02:48.8335 37 WARN You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: EnvironmentView (administrator@tnxt.lab requesting http://localhost/api/environments/all 0f91c52d034640efb3e82db04c758be1)

When I set the UPN and the email address of the AD user exactly the same and then (re)install the Octopus Deploy server (the process is automated, thus each time exactly the same), the account can access everything and additional configurations get set successfully.

In our environment the AD accounts do not (always) have the same email address and UPN configured.

In a situation where an Administrator account is able to configure the Octopus Deploy server (install and configuration went fine) and we add a new AD user to an AD group and that AD group has been added to Octopus Deploy Server with one of the roles, the user cannot do anything when logged on to the Octopus Deploy server when:

  • Email address has not been set
    and / or
  • Email address does not match the UPN

In order to correct this I first have to delete the user in Octopus Deploy (under Users). Then, in the AD account for that user, set the email address and make sure it is the same as the UPN.

Is this “as designed” or is this a bug in the AD authentication implementation within Octopus Deploy?
Any way to solve this, except for making sure email address and UPN are the same?

Thank you,

Arjan

Hi Arjan,

Thanks for getting in touch. I’ll do a quick overview of what’s happening during the login process for Active Directory and then what I think is happening in your scenario.

When the user logs in via the Active Directory provider, we attempt to locate an existing user record from the database by first attempting to locate any records with a username that matches the user’s UPN. If that fails, we attempt to locate any records where the ExternalId matches the user’s samAccountName. If that fails, we attempt to locate any records where the email matches the user’s email address. If none of those yield a result, we assume the user is someone we haven’t seen before and we create a new record for them (where username = UPN, email = email and externalId = samAccountName).

So we have no requirement that the UPN is the same as the Email address, it may just appear that way at the moment.

From the log you provided, your setup script is running the Octopus admin command with a username parameter of TNXT\administrator, is that correct? When setting up an admin user for AD it looks like there’s a nuance to the configuration that’s not documented clearly enough. If you specify the username in non-UPN format and don’t also specify the email address, then the search process described above won’t find the user. If you also specify the email parameter to the admin command, then the search should locate the user correctly. Alternatively, if you specify the username in UPN format, then the search should also locate the user correctly, whether the email is also specified or not. This rule applies for creating users in advance through the Octopus Deploy UI too.

So in summary, could you try using UPN format for the usernames of the users you are creating and see if that resolves the issue? I will also look at an update to our documentation to help make this clearer.

Regarding the Unhandled exception from web server processing GET to http://localhost/... error, I believe this is an IE11 issue that occurs during the page loads in some environments. It occurs because the browser requests an image before the Angular code has finished executing to do the url resolve. Once it does finish, it resolves the url and the image appears. So the user doesn’t really notice anything but this error appears in the server log. We are trying to track down why this is happening.

Regards
Shannon

Shannon,

Thank you for your reply. I read your reply and tried different installation options. Only when I use the following command (part of a set of commands), my admin user works fine even when I have configured a different email address (other than the UPN) or no email address at all:
Octopus.Server.exe admin --instance "OctopusServer" --username "administrator@TNXT.LAB" --email "administrator@TNXT.LAB"

With this setup it is also possible to add an AD account to an AD group and then add the AD group to one of the roles in Octopus Deploy. The AD account does not need an email address, nor does the email address need to be the same as the UPN. This did not work when I installed Octopus Deploy with an admin account that had the same email address and UPN. These settings somehow seem to be related to the initial problem. So in short: configuring Octopus Deploy to use AD authentication requires the user name to be a UPN, otherwise things go south when adding other AD users directly or indirectly (using an AD group) to Octopus Deploy roles.

For now this problem seems to be solved although the documentation and the scripts that are shown in Octopus Deploy do not mention this requirement.

Test1:
Install with command: Octopus.Server.exe admin --instance "OctopusServer" --username "TNXT\administrator" --email "administrator@TNXT.LAB"
Log:
Loading plugins from: K:\Program Files\Octopus Deploy\Octopus\BuiltInExtensions
Loading BuiltIn extension: AzureAD (2.0.4.0)
Loading BuiltIn extension: Directory Services (2.0.9.0)
Loading BuiltIn extension: GoogleApps (2.0.4.0)
Loading BuiltIn extension: Guest (2.0.1.0)
Loading BuiltIn extension: UsernamePassword (2.0.1.0)
Octopus Deploy: Server version 3.11.13 (3.11.13+Branch.master.Sha.4cdb0dad094da0c6f66da70036a9994cc1b778cb) instance OctopusServer
Environment Information:
OperatingSystem: Microsoft Windows NT 6.2.9200.0
OsBitVersion: x64
Is64BitProcess: True
CurrentUser: TNXT\administrator
MachineName: TNXT-OCTO01
ProcessorCount: 4
CurrentDirectory: Z:\OctopusDeploy_1.00
TempDirectory: C:\Users\administrator.TNXT\AppData\Local\Temp\3
HostProcessName: Octopus.Server
Creating or modifying administrator 'TNXT\administrator'
Fetching list of already executed scripts.
Fetching list of already executed scripts.
Beginning database upgrade
Fetching list of already executed scripts.
No new scripts need to be executed - completing.
Beginning database upgrade
Executing SQL Server script 'Octopus.Core.UpgradeScriptsRepeatable.Script0000 - Refresh Views.sql'
Upgrade successful
Creating default Octopus Server certificate
Creating default upgrade availability
Creating default upgrade mode configuration
Creating default schedule configuration
Creating default SMTP configuration
Creating default project group
Creating default features configuration
Creating default server configuration
Creating user TNXT\administrator
Adding user TNXT\administrator to the Octopus Administrators team
Adding user TNXT\administrator to the Everyone team
Done.

Result: Installation succeeds, but since the email address field in the AD user object is not entered, the user cannot do anything in Octopus Deploy (though the user can log in).
If I repeat the installation with an AD account that has the same email address as UPN, the installation also succeeds (same logging) but the admin account can configure Octopus Deploy. Things go south when adding additional AD users to Octopus Deploy (using AD groups and / or Octopus Deploy roles)

Test2:
Install with command: Octopus.Server.exe admin --instance "OctopusServer" --username "administrator" --email "administrator@TNXT.LAB"
Log:
Error: When not specifying a password an AD based account is assumed, which must be specified in either domain\username or username@domain format

Result: Octopus deploy does not work

Test3:
Install with command: Octopus.Server.exe admin --instance "OctopusServer" --username "administrator@TNXT.LAB" --email "administrator@TNXT.LAB"
Log:
Loading plugins from: K:\Program Files\Octopus Deploy\Octopus\BuiltInExtensions
Loading BuiltIn extension: AzureAD (2.0.4.0)
Loading BuiltIn extension: Directory Services (2.0.9.0)
Loading BuiltIn extension: GoogleApps (2.0.4.0)
Loading BuiltIn extension: Guest (2.0.1.0)
Loading BuiltIn extension: UsernamePassword (2.0.1.0)
Octopus Deploy: Server version 3.11.13 (3.11.13+Branch.master.Sha.4cdb0dad094da0c6f66da70036a9994cc1b778cb) instance OctopusServer
Environment Information:
OperatingSystem: Microsoft Windows NT 6.2.9200.0
OsBitVersion: x64
Is64BitProcess: True
CurrentUser: TNXT\administrator
MachineName: TNXT-OCTO01
ProcessorCount: 4
CurrentDirectory: Z:\OctopusDeploy_1.00
TempDirectory: C:\Users\administrator.TNXT\AppData\Local\Temp\2
HostProcessName: Octopus.Server
Creating or modifying administrator 'administrator@TNXT.LAB'
Fetching list of already executed scripts.
Fetching list of already executed scripts.
Beginning database upgrade
Fetching list of already executed scripts.
No new scripts need to be executed - completing.
Beginning database upgrade
Executing SQL Server script 'Octopus.Core.UpgradeScriptsRepeatable.Script0000 - Refresh Views.sql'
Upgrade successful
Creating default Octopus Server certificate
Creating default upgrade availability
Creating default upgrade mode configuration
Creating default schedule configuration
Creating default SMTP configuration
Creating default project group
Creating default features configuration
Creating default server configuration
Creating user administrator@TNXT.LAB
Adding user administrator@TNXT.LAB to the Octopus Administrators team
Adding user administrator@TNXT.LAB to the Everyone team
Done.

Result: Administrator can login and configure Octopus Deploy

I tried at least three installation commands. All tests, the commands used and the logs can be found in the section above.

Shannon, I also found a similar problem another user raised on GitHub

Hi Arjan,

Yes, that looks like the same issue. We had added some validation previously but had not picked up this exact scenario. I’m working on updates to the documentation at the moment and will also make an update to the code to validate that usernames are in UPN format if you haven’t specified an email address. You can track that GitHub issue if you’re interested in knowing when it gets released.

Hopefully that will help others and sorry for the inconvenience caused.

Regards
Shannon
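Added example, not code from Octopus Deploy or from either poster: a small Python model of the three-step lookup Shannon describes in his first reply (username == UPN, then externalId == samAccountName, then email) and of the record the `Octopus.Server.exe admin` command creates, so the outcome of Arjan's three tests and the stricter validation Shannon mentions in his last reply can be reproduced on constructed input. Assumptions, all the example's own: comparisons are case-insensitive; the `admin` command stores the username exactly as typed and does not populate externalId; `validate_admin_args` is a rendering of the check Shannon said would be added, not shipped code; the `scenario` helper and the sample account `administrator@tnxt.lab` are constructed.

```python
"""Constructed model of the Active Directory login lookup described in this thread.
Not Octopus Deploy code; names and the externalId assumption are the example's own."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class AdIdentity:
    """What the Directory Services provider learns about the account at login."""
    upn: str                  # e.g. administrator@tnxt.lab
    sam_account_name: str     # e.g. administrator (pre-Windows 2000 logon name)
    mail: Optional[str]       # AD mail attribute; None when it is not set


@dataclass
class UserRecord:
    """An Octopus user record as the thread describes it."""
    username: str
    external_id: Optional[str]
    email: Optional[str]
    teams: Set[str] = field(default_factory=set)


def _same(a: Optional[str], b: Optional[str]) -> bool:
    # Assumption: UPNs and addresses compare case-insensitively, as they do in AD.
    return a is not None and b is not None and a.lower() == b.lower()


def find_user(records: List[UserRecord], who: AdIdentity) -> Optional[UserRecord]:
    """The three-step search Shannon describes: username == UPN, then
    externalId == samAccountName, then email == AD mail attribute."""
    for rec in records:
        if _same(rec.username, who.upn):
            return rec
    for rec in records:
        if _same(rec.external_id, who.sam_account_name):
            return rec
    for rec in records:
        if _same(rec.email, who.mail):
            return rec
    return None


def login(records: List[UserRecord], who: AdIdentity) -> UserRecord:
    """Return the matched record, or create a fresh one (username = UPN,
    externalId = samAccountName, email = mail) that is only in Everyone."""
    rec = find_user(records, who)
    if rec is None:
        rec = UserRecord(who.upn, who.sam_account_name, who.mail, {"Everyone"})
        records.append(rec)
    return rec


def admin_command(records: List[UserRecord], username: str,
                  email: Optional[str] = None) -> UserRecord:
    """Model of `Octopus.Server.exe admin --username ... --email ...` for an AD account.
    The username is stored exactly as typed and the record joins Octopus Administrators
    and Everyone (the log lines in the thread). Assumption: externalId is left unset."""
    # The check Arjan's Test2 hit: an AD account must be domain\user or user@domain.
    if "\\" not in username and "@" not in username:
        raise ValueError("AD account must be in domain\\username or username@domain format")
    rec = UserRecord(username, None, email, {"Octopus Administrators", "Everyone"})
    records.append(rec)
    return rec


def validate_admin_args(username: str, email: Optional[str]) -> None:
    """Rendering of the extra validation Shannon says will be added (not shipped code):
    a non-UPN username is only acceptable together with --email."""
    if "@" not in username and not email:
        raise ValueError("username is not in UPN format and no --email was given")


def scenario(admin_username: str, admin_email: Optional[str],
             ad_mail: Optional[str]) -> Tuple[bool, int]:
    """Run the admin command, then log the same constructed AD account in. Returns
    whether the logged-in record is an Octopus Administrator and how many records exist."""
    records: List[UserRecord] = []
    admin_command(records, admin_username, admin_email)
    who = AdIdentity("administrator@tnxt.lab", "administrator", ad_mail)
    rec = login(records, who)
    return "Octopus Administrators" in rec.teams, len(records)


if __name__ == "__main__":
    # Test1: domain\user plus --email, but the AD account has no mail attribute.
    print(scenario("TNXT\\administrator", "administrator@TNXT.LAB", None))     # (False, 2)
    # Test3: UPN-format username matches on the first step whatever the mail attribute.
    print(scenario("administrator@TNXT.LAB", "administrator@TNXT.LAB", None))  # (True, 1)
```

A `(False, 2)` result is the thread's failure mode: the lookup misses the record the admin command created, a second record with only Everyone membership is created at login, and that second record is the one that hits the EnvironmentView warning. Running the first-reply advice through the model shows why the UPN-format username works regardless of the mail attribute, and why domain\user plus `--email` only works when the AD mail attribute is set and matches.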