AD Permission - User Set Up and Authentication

(Oliver Witney) #1

Hi,

I have set up Octopus for deployment and am going to be rolling it out to other developers and support teams. However I want to make sure I have set permissions and authentication up correctly.

I have run the Active Directory authentication config command.
I have Teams set up (so dev access, dev support access etc.)
I have myself as a user

How am I meant to add users from my AD domain to authorise users? I currently have 2 users, myself and a colleague. I have myself down as my AD username without domain, I then have the other user as DOMAIN\username. I am not sure which is correct.

I also am being asked to log in a lot. I changed my password and got asked to log in. And this morning I again have been asked to log in. I would expect Octopus to see I am logged into my domain on my PC and automatically log me in, not ask for a password at any point.

In the AD authentication guide it states “By default, Octopus issues an NTLM challenge to the browser, but you can configure Octopus to use other authentication schemes using the command line:”, so I wasn’t expecting it to ever ask for my password.

Can anyone let me know the full process for this?

(Lawrence Wilson) #2

Hi Oliver,
Thanks for reaching out, I’m sorry to hear you’re running into problems assigning users to teams in Octopus Deploy as well as getting the browser to use your Windows credentials to log in to the Octopus portal.

One way to add users from your Active Directory Domain into Octopus Deploy teams is by using group membership in Active Directory. You may find our External Groups and Roles page helpful in setting that up. If you have any further questions regarding that please feel free to ask and I’ll be happy to assist you further.

With regards to being asked to login a lot, could you please tell me what type of login prompt you are seeing? Are you seeing the credentials dialog box popup, or are you seeing the Octopus Deploy login form too frequently?

If you are seeing the dialog box popup, this is quite often caused by the Octopus server not being recognised as on the local intranet sites list.

If you are seeing the Octopus portal login form too frequently, this is due to our default settings for forms authentication and auto-user login. A potential fix could be to set the two properties allowFormsAuthenticationForDomainUsers=false and autoLoginEnabled=true in the Octopus Server. For more information you can refer to our authentication providers page.

If the Octopus Deploy server and its users are on the same domain, it is sufficient to provide a simple username in this field. If the server and its users are on different domains, or many domains are in use, the DOMAIN\user username format must be provided for users who are not a member of the domain the server is in. So, in your case where you have yourself and a colleague, if you just have a single Active Directory domain then both ways of logging in will be sufficient.

I hope this has been informative for you, I would love to hear how you go setting up Active Directory authentication.

Kind Regards,
Lawrence.

(Oliver Witney) #3

Hi Lawrence,

Thank you for your input. Can I confirm the below screenshot, showing a dialog box, would (likely) be resolved when the site is trusted?

[Screenshot: dialog box]

I have set the 2 other configurations like you have suggested.

I have requested my company’s service desk administrators to add our build server site to the list of trusted sites.

Thanks,

Olly

(Lawrence Wilson) #4

Hi Oliver,
That’s right, the dialog box in your screenshot indicates that the Octopus portal isn’t trusted by your browsers. However, the trusted sites list is slightly different to the local intranet sites list in that Internet Explorer by default will still prompt you even if the site you’re visiting is in the trusted sites list. This behaviour is intended to protect a client from accidentally sending credentials over the Internet unencrypted if the site isn’t using HTTPS.

I would recommend adding the site to local intranet sites wherever possible, especially if you’re accessing it locally. But if you still need to ensure Internet Explorer doesn’t ask for those credentials in a trusted sites zone, you would also need to change the property: User Authentication > Login > “Automatic login with current user name and password” in the security settings.
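
The zone behaviour described in post #4 can be checked on a client with the script below. It is an added example, not part of the thread or of Octopus Deploy. The registry locations, the `1A00` value name and its codes are the standard Windows settings behind the "User Authentication > Logon" option and do not appear in the thread; the lookup order is an assumption.

```powershell
# Added example. Value 1A00 is the zone's "User Authentication > Logon" setting.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Assumed lookup order: policy keys (set by Group Policy) before user preferences.
$roots = @(
    "HKLM:\Software\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKCU:\Software\$suffix"
)

function Get-ZoneLogonSetting {
    param([int]$Zone)
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path (Join-Path $root $Zone) -Name '1A00' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $root; Value = [int]$item.'1A00' }
        }
    }
    return $null   # value not set in any of the keys checked
}

$report = foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
    $setting = Get-ZoneLogonSetting -Zone $zone
    if ($null -eq $setting) {
        $mode = 'not set in the keys checked'; $silent = $null; $source = ''
    } else {
        $mode = $logonModes[$setting.Value]
        if (-not $mode) { $mode = 'unrecognised value 0x{0:X}' -f $setting.Value }
        # Credentials go out without a prompt when the zone is set to automatic
        # logon, or when it is the intranet zone with "only in Intranet zone".
        $silent = ($setting.Value -eq 0) -or ($setting.Value -eq 0x20000 -and $zone -eq 1)
        $source = $setting.Source
    }
    [pscustomobject]@{
        Zone        = $zoneNames[$zone]
        LogonMode   = $mode
        SilentLogon = $silent
        # Flag the case from the thread: automatic logon outside Local intranet.
        Review      = [bool]($silent -and $zone -ne 1)
        Source      = $source
    }
}
$report | Format-Table -AutoSize
```

A row with `Review` set to `True` means Windows credentials are sent without a prompt to sites outside the Local intranet zone, which is the exposure the default prompt in the trusted sites zone is there to prevent.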

(Oliver Witney) #5

Hi Lawrence,

My service desk team added to local intranet and now it is no longer asking me for my login details.

Thank you very much for your help and fast responses.

Kind regards,

Olly

(Lawrence Wilson) #6

Hey Oliver,
I’m glad to hear it’s all working. Have a great day!

Regards,
Lawrence.

(system) closed #7