Add Active Directory Group lookup fails (SSL Bindings and virtual directory)

After the initial install I updated the server bindings to listen on standard SSL, bound to a virtual directory of our dev webserver. This works fine and we can access Octopus via: https://dev-server.domain/octopus

However, in the Team configuration settings, if I try to add an Active Directory Group as a team member, the lookup when clicking the “Search” button fails. The error returned is:

There was a problem with your request.
Unhandled error when communicating with the Octopus Deploy server. The server returned a status of: 404
SyntaxError: Unexpected token < in JSON at position 0

Looking at the network traffic made using the Chrome inspector, I can see that the URL requested is:

GET https://dev-server.domain/api/externalgroups/directoryServices?name=Group%20Name

From Octopus.min.js?v=3.5.1:149

This URL is returning a 404, as it doesn’t include the virtual directory name. IE, the code is expecting the API endpoint to be under the server root, not the virtual folder root.

Chrome formatted the code and I followed it back to where the requested path is resolved into the full URL. The problem seems to come in these lines:

    if (!path)
                    throw "The link does not exist";
                path.startsWith("~/") ? (path = path.substring(1, path.length),
                path = baseUri + path) : path = rootUri + path;

The requested path passed into this code doesn’t start with a “~”, just a plain “/” so the second branch is taken. Inspecting the variables I could see that baseUri had the correct uri, including our “/octopus” virtual path. rootUri only had the root server uri in it.

From what I can see therefore it looks like

  1. The path passed into the resolver should be starting with a ~ to indicate a relative path
  2. The path passed into the resolver should start with /octopus (ie the virtual root is included already).

While debugging it seemed that in other situations, while clicking around the app, that option #2 seemed to happen elsewhere.

Does anyone have a workaround for this the meantime, or is my analysis incorrect?

I have tried:

  • Updating the bindings and removing HTTP entirely (at one point we had both)
  • Restarting the service
  • Clearing my browser cache and reloading the app

I have managed to workaround the problem (albeit in a very rough and ready way) to add the AD group I need for now. I inserting a breakpoint and manually edited the API URL before the AJAX call so that it hits the correct endpoint. This allowed the correct data to be returned to the frontend and I was then able to select and add the group. However this is far from a long term solution!

Many thanks,



Thanks for reaching out! which version of Octopus are you running? we believe this should have been fixed in 3.5.2 after we shipped this fix:

Are you running a version older than 3.5.2? If that is the case, try to upgrade to at least that version and let me know if that works.


Hi Dalmiro,

Yes, we are running 3.5.1, though we’ve only had it installed for about 15 days! Thanks for the update, we’ll look at upgrading when we get a chance.

On that subject, is there a docs page for performing an upgrade on an “offline” (non-internet-connected) octopus server instance – or do you just run the installer?}



Hi Alexander,

Just running the MSI installer should do. There’s no network interaction involved in the upgrade other than the connection with the SQL DB.


Hi Alexander,

I have confirmed this as a bug (we did fix a number of API path issues in 3.5.2 but this one got missed) and have published a patch to the Directory Services authentication provider (, which you can install using the instructions outlined in the release. Also note that there is a 2.0 version of the extension, which is for use in a version of Octopus Deploy server that will ship very soon. I’ve merged this fix into that version too, you’ll just have to make sure you delete the patched version from the CustomExtensions folder once you upgrade server to that new release. If you don’t you’ll get an exception during startup on the server.