Allow Login from multiple domains

Hi Team,

We are on Octopus 2019.12.0, which is currently integrated with AD Group “Old” (fully qualified name: old.foobargrp.net). Users log in to Octopus with their AD group credentials. The Octopus Server and Tentacle services are running under a service account of this group, Old/FooBar-svc-account.

We are migrating to AD Group “New” (fully qualified name: new.foobargrp.net), during which old users will co-exist in both domains, whereas new joiners are being onboarded directly to the new AD Group. Eventually everyone will be moved to the new group. I am told that a two-way trust exists between these domains, so theoretically this should work out of the box.

However, currently existing users can use Octopus by logging in from the old domain, whereas new joiners cannot, as Octopus throws an exception when they try to log in from the new domain.

Logs from inside Octopus Web UI > Configuration > Diagnostics:

Principal 'jaintaj@old.foobargrp.net' (Domain: '') could not be logged on via WIN32: 0x00000775. System.ComponentModel.Win32Exception (0x80004005): The referenced account is currently locked out and may not be logged on to

September 21st 2021 15:27:01 Error
Unhandled error on request: http://fuid-octopus.old.foobargrp.net:8086/api/users/login 8474d1f371fc4f1e9ffc26f7d6f22c4d by : There is no such object on the server.
System.DirectoryServices.AccountManagement.PrincipalOperationException: There is no such object on the server.
---> System.DirectoryServices.DirectoryServicesCOMException: There is no such object on the server.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
--- End of inner exception stack trace ---
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesService.ValidateCredentials(String username, String password, CancellationToken cancellationToken)
at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesCredentialValidator.ValidateCredentials(String username, String password, CancellationToken cancellationToken)
at Octopus.Server.Web.Api.Actions.Users.UserLoginAction.Execute() in C:\buildAgent\work\abb2fbfce959a439\source\Octopus.Server\Web\Api\Actions\Users\UserLoginAction.cs:line 44
at Octopus.Server.Web.Infrastructure.Api.CustomResponder`1.ExecuteRegistered() in C:\buildAgent\work\abb2fbfce959a439\source\Octopus.Server\Web\Infrastructure\Api\CustomResponder.cs:line 336
at Octopus.Server.Web.Infrastructure.Api.CustomResponder`1.Respond(TDescriptor options, NancyContext context) in C:\buildAgent\work\abb2fbfce959a439\source\Octopus.Server\Web\Infrastructure\Api\CustomResponder.cs:line 297
at Octopus.Server.Web.Infrastructure.OctopusNancyModule.<>c__DisplayClass14_0.<get_Routes>b__1(Object o, CancellationToken x) in C:\buildAgent\work\abb2fbfce959a439\source\Octopus.Server\Web\Infrastructure\OctopusNancyModule.cs:line 125
at Nancy.Routing.Route`1.d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Nancy.Routing.DefaultRouteInvoker.d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Nancy.Routing.DefaultRequestDispatcher.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Nancy.NancyEngine.d__22.MoveNext()

How do you suggest we approach this situation and make sure that the transition is seamless from Octopus POV?

Cheers,

Nikhil Agrawal
Devops Lead, UK based Investment Bank

Hi Nikhil,

Thanks for reaching out and for all of the information.

We actually have a helpful KB that applies directly to your situation.

Can you please give it a look, run the tests and let me know how they go? They should help narrow down what’s causing this. How does Active Directory authentication work in Octopus Deploy?

Here is another troubleshooting script: Troubleshooting Active Directory integration - Octopus Deploy

Best,
Jeremy


Hi @jeremy.miller,

Thanks for reaching back.

The AD setting is configured in Configuration > Settings > Active Directory as

Active Directory Container - OU=User Environment,FC=old,DC=foobargrp,DC=net
Authentication Scheme - IntegratedWindowsAuthentication
Allow Forms Authentication for Domain Users - Enabled
Security Groups Enabled - Enabled
Allow Auto User Creation - Enabled
Is Enabled - Enabled

Also, while going through the documentation, there was a mention of LDAP integration in Octopus 2021.2 as one of the service providers. Would a switch from AD to LDAP help in this scenario or not? For that we would need to update, so we wanted to evaluate the risk-reward ratio.

Thanks,
Nik

Hey Nik,

You’re very welcome.

I spoke with our solutions team and they said there will be no benefit in this specific case to using LDAP. The functionality is the same, and they also said this should work but might take some configuring and troubleshooting.

They reiterated that the scripts I linked are the best way to troubleshoot this.

Regarding the setup you outlined, the Active Directory Container will limit lookups to that OU; are the new users in that OU?

Please let me know how the test scripts go.

Best,
Jeremy
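To answer Jeremy's container question concretely, the following PowerShell script is an added example (it is not Octopus's own troubleshooting script and not part of this thread) that reproduces the two steps visible in the stack trace above: binding a PrincipalContext to the configured container DN, then running UserPrincipal.FindByIdentity and ValidateCredentials against it. The domain names, the container DN and the user names are placeholders standing in for the thread's anonymised values; the function name Test-OctopusAdContainer is this example's own.

```powershell
# Added example, not Octopus's code. Run on the Octopus server, as the service
# account Octopus runs under, so the bind happens with the same identity.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Placeholder: the value shown under Configuration > Settings > Active Directory
$ContainerDn = 'OU=User Environment,DC=old,DC=foobargrp,DC=net'

function Test-OctopusAdContainer {
    param(
        [Parameter(Mandatory)][string]$Domain,      # e.g. 'old.foobargrp.net' or 'new.foobargrp.net'
        [Parameter(Mandatory)][string]$Container,   # the container DN Octopus is configured with
        [Parameter(Mandatory)][string]$UserName,    # sAMAccountName or UPN of a user to look up
        [System.Management.Automation.PSCredential]$Credential  # optional: test the forms-login path too
    )
    $result = [ordered]@{ Domain = $Domain; Container = $Container; User = $UserName }

    # Step 1: does the container DN resolve in this domain at all? Octopus's
    # PrincipalContext binds here before any user lookup, which is where the
    # "There is no such object on the server" error in the trace is raised.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/$Container")
    try {
        $entry.RefreshCache()          # forces the LDAP bind
        $result.ContainerBinds = $true
    } catch {
        $result.ContainerBinds = $false
        $result.ContainerError = $_.Exception.Message
        return [pscustomobject]$result
    } finally {
        $entry.Dispose()
    }

    # Step 2: is the user found beneath that container? This is the
    # UserPrincipal.FindByIdentity call that appears in the trace.
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $Domain, $Container)
    try {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $UserName)
        $result.UserFoundInContainer = ($null -ne $user)
        if ($user) {
            $result.DistinguishedName = $user.DistinguishedName
            $result.LockedOut = $user.IsAccountLockedOut()   # the 0x775 case from the first log line
        }
    } catch {
        $result.UserFoundInContainer = $false
        $result.LookupError = $_.Exception.Message
    }

    # Step 3 (optional): the credential check Octopus performs for forms login.
    if ($Credential) {
        $opts = [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate
        $password = $Credential.GetNetworkCredential().Password
        $result.CredentialsValid = $ctx.ValidateCredentials($Credential.UserName, $password, $opts)
    }
    $ctx.Dispose()
    [pscustomobject]$result
}

# Usage: run once per domain with a user that belongs to that domain.
Test-OctopusAdContainer -Domain 'old.foobargrp.net' -Container $ContainerDn -UserName 'jaintaj'   | Format-List
Test-OctopusAdContainer -Domain 'new.foobargrp.net' -Container $ContainerDn -UserName 'newjoiner' | Format-List
```

Reading the output: if the container binds under the old domain but not under the new one, the configured container DN (which names the old domain's naming context) is what stops new-domain users, independently of whether the trust works. If the container binds but the new joiner is not found beneath it, the user simply lives outside that OU, which is the case Jeremy is asking about. A LockedOut of True reproduces the first diagnostics entry and has nothing to do with the migration.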

Hi Jeremy,

We are testing the troubleshooting scripts and will share our findings shortly.

  1. In parallel, could you confirm that Octopus supports multiple domains, as there is a single AD page? For multiple domains, shouldn’t there be an additional page/section to capture those domain values?

  2. We came upon this ticket where a user had a similar use case to ours and it worked for them.
    Multiple Domains to Access Octopus - #4 by Lawrence_Wilson

    The images have escaped from the ticket, so we can’t ascertain the settings. Would it be possible to get them back, please?

Thanks,
Nik

Hey Nik,

  1. There is no way to configure connecting to 2 domains within Octopus, but if your domains are in a two-way trust, your setup should work. One of our solutions team members has a lab environment with your scenario in mind and confirmed it works.

  2. I am asking to see if we can get these screenshots restored but am unsure as of now.

Please let me know how the tests go or if you have other questions. I will get back to you regarding the screenshots.

Best,
Jeremy

Hi Nik,

One of my colleagues was able to recover them for you.

[four screenshot attachments, not reproduced here]
