Can't log in with domain credentials after upgrade

Hello,

I upgraded Octopus to the latest version (Octopus.2019.5.6) and I can no longer log in.

We have domain authentication enabled. When I log in using correct credentials I receive the following error:

No fallback name was provided

In addition, if I log in with an invalid username, it correctly tells me “Username not found”

Here is the full call stack from the error log:

2019-06-10 10:43:27.0216   5944      6  WARN  The user name (UPN) could not be determined for principal - falling back to NT-style 'sailcloud\'
2019-06-10 10:43:27.0216   5944      6 ERROR  Unhandled error on request: http://172.18.5.1:8282/api/users/login 7f96b2c70e3e4c4fa36a95fe513faa07 by <anonymous> : No fallback name was provided
System.InvalidOperationException: No fallback name was provided
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesObjectNameNormalizer.ValidatedUserPrincipalName(String userPrincipalName, String fallbackUsername, String fallbackDomain)
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesCredentialValidator.GetOrCreateUser(UserValidationResult principal, String fallbackUsername, String fallbackDomain, CancellationToken cancellationToken)
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesCredentialValidator.ValidateCredentials(String username, String password, CancellationToken cancellationToken)
   at Octopus.Server.Web.Api.Actions.Users.UserLoginAction.Execute()
   at Octopus.Server.Web.Infrastructure.Api.Responder`1.ExecuteRegistered()
   at Octopus.Server.Web.Infrastructure.Api.Responder`1.Respond(TDescriptor options, NancyContext context)
   at Octopus.Server.Web.Infrastructure.OctopusNancyModule.<>c__DisplayClass14_0.<get_Routes>b__1(Object o, CancellationToken x)
   at Nancy.Routing.Route`1.<Invoke>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Nancy.Routing.DefaultRouteInvoker.<Invoke>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Nancy.Routing.DefaultRequestDispatcher.<Dispatch>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Nancy.NancyEngine.<InvokeRequestLifeCycle>d__22.MoveNext()

Hi Sean,

Just a quick reply. I apologise if you received notification of a different reply (I’ve deleted it). I accidentally pasted a support response to your question. I’ll follow-up with your question shortly. :slight_smile:

Thanks

Rob

Hi Sean,

Thanks for the question and I’m sorry again for the accidentally reply. Anyways, this is an interesting issue. We made an update to our Active Directory code in Octopus 2019.5.1 to in order to support a new scenarios but it’s quite unrelated to the issue you’re seeing. I traced through the code and spoke to my teammate who wrote it and and it’s been working well for years. So we’ll have to dig deeper. :slight_smile:

The specific error you’re seeing is when Octopus cannot retrieve your user principle name (UPN) from active directory for your user account. My colleague suggested some questions to help isolate the issue.

  • Has the user account that the Octopus Server ‘windows service’ changed?
  • Does this user account still have permission to query active directory details? Specifically user principal names?
  • Is this affecting just you or your team or broader?
  • Did your Octopus upgrade go smoothly?
  • Did this problem happen immediately after the upgrade?
  • Do you have a complicated Active Directory setup? Single domain or multiple domains etc? Can you describe it as much as possible.

Finally, I’d love to see the verbose log output of your failed login attempt. There is some extra logging in this area that could help us figure out and resolve the issue. Our docs cover how to do this. I’d suggest turning it off as soon as you’ve run the test as this can produce a large amount of log data very quickly.

Looking forward to your reply.

Thanks

Rob