OD - AD groups

Hello,
I have OD 3.8.8 in domain A, user accounts are in domain B. Groups are in domain A and once added to Octopus Deploy they do not work. There is no option for me to create usernames in domain A.

Is this a known issue? Is there any configuration or workaround I can apply?

Hi Lucas,

Thanks for reaching out! To help us with troubleshooting, could I confirm some further details to make sure that my understanding of your environment and requirements is correct?

Is the server running as a service account user from domain A? Issues with the user would often be the case, but not always.
Is there a trust between the domains, and are the users from domain B members of the groups in domain A?
You mentioned that you’ve added the groups from domain A to Octopus but they aren’t working. Are the users getting an error when they log in or is the group membership just not behaving as expected?

I look forward to hearing back!

Kenny

Hi Kenneth, I’m trying to get confirmation on what kind of trusts there are between the two domains.

As for the remaining questions:
A service account from domain A is running the OD service on both servers.
When I say they aren’t working, the result is that the user can log in, but the AD security group that is assigned to, let’s say, the OD System Administrators team seems to have no impact on the users within that AD group, so they can still log in, but they have pretty much no rights to do anything.

Hi Lucas,

Thanks for the extra information. Since your users from domain B are able to log in while using a service account from domain A, I suspect the trusts are alright.

If Octopus fails to load Groups from AD, it won’t fail the login of the user. Could you send us through your Server Logs (located in C:\Octopus\Logs in standard installations)? That will provide more details as to why the Groups are failing to load. If your logs are sensitive, you can mark this thread as private.

If no errors are reported in your logs, we’d like to see if any Security Group Ids are getting populated in your database. You can get this information by running the following SQL queries (substituting a Team name that has Groups in it in the Team table query). Could you include the results?

SELECT * FROM dbo.[User] WHERE [ExternalId] IS NOT NULL;
SELECT * FROM dbo.[Team] WHERE Name = 'YourTeam';

Kind regards,

Kenny
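
One way to check from the Octopus server, independently of Octopus, whether the domain A group is resolved for a domain B user. This is an added example, not part of the thread and not Octopus code; the domain, user and group names are placeholders, and the .NET AccountManagement lookup is an assumed way to test the directory side, not a statement of how Octopus loads groups.

```powershell
# Added diagnostic sketch. Run on the Octopus server as the domain A service
# account so the lookups use the same identity and trust path as the service.
# Every name below is a placeholder (assumption), not a value from this thread.
$UserDomain  = 'domainB.example'   # domain that holds the user accounts
$GroupDomain = 'domainA.example'   # domain that holds the security groups
$UserName    = 'jdoe'              # sAMAccountName of an affected user
$GroupName   = 'Octopus-Admins'    # AD group assigned to the Octopus team

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$domainType = [System.DirectoryServices.AccountManagement.ContextType]::Domain

$userCtx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($domainType, $UserDomain)
$groupCtx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($domainType, $GroupDomain)

$user  = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($userCtx, $UserName)
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($groupCtx, $GroupName)
if (-not $user)  { throw "User '$UserName' not found in $UserDomain" }
if (-not $group) { throw "Group '$GroupName' not found in $GroupDomain" }

"User  SID: $($user.Sid.Value)"
"Group SID: $($group.Sid.Value)  (scope: $($group.GroupScope))"

# Security groups resolved for the user, looked up through the user's own domain.
try {
    $resolved = @($user.GetAuthorizationGroups() | Where-Object { $_.Sid })
} catch {
    # A failure here is itself a finding: group expansion for this user is broken.
    throw "Group lookup for '$UserName' failed: $($_.Exception.Message)"
}

# Compare by SID string, since group names can collide across domains.
$match = $resolved | Where-Object { $_.Sid.Value -eq $group.Sid.Value }
if ($match) {
    "OK: the domain A group is in the user's resolved group list."
} else {
    "MISSING: the domain A group is not in the user's resolved group list."
    "Resolved groups:"
    $resolved | Sort-Object Name | ForEach-Object { "  $($_.Sid.Value)  $($_.Name)" }
}
```

The group SID printed here is also the value to compare against whatever Security Group Ids the Team query above returns.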