Running v2020.2.16, we are attempting to get Windows Domain Authentication configured and are having issues with the users being recognized over a trust. I have reviewed…
…and tried a few permutations of the configuration suggested but I have been unable to get authentication to work for any user in the trusted domain.
We have two domains, example.com and subdomain.example.com. Our goal is to use users which are authenticated in the example.com domain as the login accounts for the Octopus server. The groups would be managed in the subdomain.example.com domain and users from example.com would be added to the groups.
The server lives in subdomain.example.com and the Active Directory settings are enabled to use that domain. The Octopus service is running under an example.com user account, as per the documentation it is required to be in a domain that is trusted by both domains.
I cannot get users in the user@example.com format to authorize for this domain. Here’s what happens…
Invalid username or password. UPN format may not be supported for your domain configuration.
If I use example.com\user, it gets weird and it adds the user@subdomain.example.com as a user. I don’t understand this behavior as it appears to be incorrect.
I had a chat with one of our engineers and he gave me some information regarding your scenario.
When you are saying you are using example.com\username, are you using the NTDomain, or the DNS domain? It is required to use the NTDomain or you will have issues.
It might be worth noting, but the NTDomain can only contain alpha-numerics, no dashes or punctuation. I don’t think this is your issue, but I wanted to mention it just in case.
Please let me know if that resolves the issue for you or if you were already using the NTDomain.
Could you also please try just putting in the username with no domain and see what happens? Also, you’re using the Sign in as a domain account button, correct?
Is the service account that runs the Octopus Server a member of the domain, or the subdomain? I believe it will need to be a member of the domain for the Active Directory integration to function correctly.
Which type of auth did you choose in your Active Directory settings within Octopus? Negotiate?
Have you tried the SPN workaround in the GH issue you linked above? You said you tried the suggested configuration but wanted to be sure this is what you meant.
Are you able to run setspn -L <server> to list them out so we can get an idea of what they look like? If you need to private message me the results to keep them uncensored please feel free to do so.
Please let me know if you have any questions about the above.
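To gather the answers the reply above asks for (NTDomain vs DNS domain, the trust between the two domains, where the service account lives, and the SPN listing) in one pass, here is an added PowerShell diagnostic script; it is not from the thread or from Octopus Deploy, it assumes the RSAT ActiveDirectory module is installed, and the service account and host names are placeholders.

```powershell
# Added diagnostic script, not part of the original thread. Requires the RSAT
# ActiveDirectory module; run it from a machine joined to either domain.
Import-Module ActiveDirectory

$userDomainDns   = 'example.com'            # domain the login users come from
$serverDomainDns = 'subdomain.example.com'  # domain the Octopus server lives in
$serviceAccount  = 'svc_octopus'            # PLACEHOLDER: sAMAccountName of the Octopus service account
$serverHost      = 'octopus01'              # PLACEHOLDER: host name of the Octopus server

# 1. The "DOMAIN\user" form must use the NTDomain (NetBIOS name). It is often not
#    simply the first DNS label, so resolve it from AD instead of guessing.
$domains = foreach ($dns in $userDomainDns, $serverDomainDns) {
    Get-ADDomain -Identity $dns | Select-Object DNSRoot, NetBIOSName
}
$domains | Format-Table -AutoSize

# 2. Confirm a trust exists between the two domains and which direction it runs.
#    SelectiveAuthentication is worth noting: when enabled, trusted-domain users
#    must be explicitly allowed to authenticate to the server.
Get-ADTrust -Filter * -Server $serverDomainDns |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, SelectiveAuthentication |
    Format-Table -AutoSize

# 3. Check which domain the service account is a member of (the reply expects the
#    parent domain) and which SPNs are registered directly on it.
Get-ADUser -Identity $serviceAccount -Server $userDomainDns -Properties ServicePrincipalName |
    Select-Object SamAccountName, DistinguishedName, ServicePrincipalName

# 4. The same SPN listing the reply asks for, via setspn, for both the server host
#    and the service account (qualified with the resolved NTDomain).
$userNetBios = ($domains | Where-Object DNSRoot -eq $userDomainDns).NetBIOSName
setspn -L $serverHost
setspn -L "$userNetBios\$serviceAccount"
```

Compare the NetBIOSName values from step 1 with whatever is being typed before the backslash at the login prompt; a mismatch there is the first thing the reply suggests checking.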