How does Active Directory authentication work in Octopus Deploy?

external-auth
active-directory
security-config
(Bob Walker) #1

I want to use Active Directory authentication, how exactly does Octopus interact with Active Directory? Can I assign an Active Directory team to a team in Octopus Deploy? Can I configure cross-domain trusts? If so, how will Octopus pick those up?

(Bob Walker) unlisted #2
(Bob Walker) #3

Octopus uses .dlls provided by Microsoft to interact with Active Directory. Specifically:

  • System.DirectoryServices.AccountManagement
  • System.DirectoryServices
  • System.DirectoryServices.ActiveDirectory

The code will use the method LogonUser() when a user logs into Octopus Deploy via AD via forms authentication.

Assuming the login is successful, the code will use the System.DirectoryServices.AccountManagement.UserPrincipal object to query group membership. The code will first run the method GetAuthorizationGroups. GetAuthorizationGroups is preferred because it does a recursive search and returns security groups only. It will not return distribution groups (which would be ignored if they were returned). If that call is successful then Octopus will stop looking for additional groups.

If GetAuthorizationGroups fails (for a variety of reasons) then Octopus will run GetGroups. GetGroups only returns groups a user is a direct member of which includes distribution groups.

When a cross-domain trust is configured the methods, GetAuthorizationGroups and GetGroups, will include groups in those trusted domains the user is a member of.

You might see instances a user’s groups appear to be missing in Octopus Deploy. In the vast majority of the cases we have seen the cause to be a missing configuration within Active Directory itself. Our recommendation is to take Octopus out of the equation. We have provided some PowerShell scripts which uses the same .dlls and methods as Octopus Deploy. Run those scripts as the same user account the Octopus Deploy service runs as. Once those scripts start returning the expected groups for the user then the chances are very good Octopus Deploy will see those groups as well.

(Bob Walker) listed #4