Permissions based on Active Directory Groups are not working

Hi,

We are using the Active Directory integration in our Octopus instance to be able to manage the teams and permissions based on Active Directory Groups, but it seems that some AD users are not being matched with their respective AD groups.

We have an Active Directory Group called “MGT.Cloud-Team.ROL” (security group) which has four members on it:

  1. John
  2. Paul
  3. Bruno
  4. Matt

I created an Octopus Team named “Cloud Team”, added that AD group as a member and assigned the “System administrator” role to it. However, when the users John and Paul try to log in to Octopus Deploy, they are not able to perform the actions of a system administrator.

Testing the permissions using the feature ‘Configuration > Teams > Testing Permissions’ for both users (John and Paul) says that the users are members of the Everyone team only:

The user john@domain is a member of the following teams:

  • Everyone

When the users Bruno and Matt (who both have Domain Admin rights in AD) try to log in to Octopus Deploy it works fine. Testing the permissions shows the expected membership for both users:

The user bruno@domain is a member of the following teams:

  • Cloud Team
  • Everyone

All four users did their first authentication using their Active Directory credentials, but it seems that it only works for some users. Would you be able to help me with this issue?

Cheers,
Bruno.

Hi Bruno,

Thanks for getting in touch. We have had reports of issues like this if users are in a different domain to the Octopus Deploy server. To help me understand your environment,

  • Are your users all in the same domain as each other?
  • Are the users members of the same domain the Octopus server is a member of?
  • Is the Octopus Deploy server service account in that same domain?

Also, are the users using the forms (username/password) authentication or the link for the challenge? We’ve had reports that this can yield different results in some environments.

We’re currently investigating these cross-domain issues and will hopefully have a fix for what’s causing them soon.

Shannon
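The three questions above can be answered from the Octopus server itself. The following PowerShell is an added diagnostic, not Octopus code or anything from this thread; it assumes the RSAT ActiveDirectory module is installed, that it is run under the Octopus service account, and that the sAMAccountNames of the four users are as listed. For each user it records the user's domain versus the group's domain, direct and nested membership as stored in AD, and membership as resolved from the user's tokenGroups, which is what an application account actually sees when it evaluates the user.

```powershell
# Added diagnostic (not part of Octopus or this thread). Run as the Octopus service account.
# Assumption: RSAT ActiveDirectory module available; user names are sAMAccountNames.
Import-Module ActiveDirectory

$GroupName = 'MGT.Cloud-Team.ROL'              # group from the thread
$Users     = 'john', 'paul', 'bruno', 'matt'   # assumed sAMAccountNames

# Domain part of a DN (e.g. "DC=corp,DC=example"), used to compare domains.
function Get-DnDomain([string]$Dn) {
    ($Dn -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','
}

$group     = Get-ADGroup -Identity $GroupName -Properties member
$groupDom  = Get-DnDomain $group.DistinguishedName
$serverDom = (Get-ADDomain).DistinguishedName  # domain the service account is querying
Write-Host "Group $($group.Name): $groupDom ($($group.GroupCategory)/$($group.GroupScope)); server domain: $serverDom"

# Nested membership as AD expands it, keyed by SID for comparison below.
$expandedSids = Get-ADGroupMember -Identity $group -Recursive | ForEach-Object { $_.SID.Value }

foreach ($name in $Users) {
    $user    = Get-ADUser -Identity $name -Properties memberOf, adminCount -ErrorAction Stop
    $userDom = Get-DnDomain $user.DistinguishedName

    # 1. Membership as stored in AD: memberOf back-link (readable only if the running
    #    account has read rights on the user object) and recursive expansion of the group.
    $direct = $user.memberOf -contains $group.DistinguishedName
    $nested = $expandedSids -contains $user.SID.Value

    # 2. Membership as resolved from the user's token: tokenGroups is a constructed
    #    attribute, so it has to be fetched explicitly via RefreshCache.
    $de = [ADSI]"LDAP://$($user.DistinguishedName)"
    $de.RefreshCache(@('tokenGroups'))
    $tokenSids = $de.tokenGroups | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
    }
    $inToken = $tokenSids -contains $group.SID.Value

    [pscustomobject]@{
        User              = $user.SamAccountName
        UserDomain        = $userDom
        SameDomainAsGroup = ($userDom -eq $groupDom)
        DirectMember      = $direct
        NestedMember      = $nested
        InTokenGroups     = $inToken
        AdminCount        = $user.adminCount  # 1 = protected account; the thread's working users are Domain Admins
    }
}
```

A user that shows NestedMember true but DirectMember or InTokenGroups false, or whose UserDomain differs from the group's, is the one to raise with support along with this output.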

Hi Shannon,

Thanks for your reply.

Are your users all in the same domain as each other?

Yes, all the users are in the same domain and they are members of the same group.

Are the users members of the same domain the Octopus server is a member of?

Yes, they are in the same domain.

Octopus Deploy server service account in that same domain?

Yes, our Octopus instance is using a service account that is in the same domain as the users, but in a different OU.

Our workstations are logged in to a different domain; for this reason all the users did their first login using the forms (specifying DOMAIN\username).
I’m not sure if it could be something related to a cross-domain issue, because all the resources are located in the same domain.

Please let me know if you need any other information.
Thanks

Bruno.

Hi Bruno,

Thanks for the additional information, every little bit helps. I have created an issue for discussion that you can follow on GitHub. As you can probably imagine, the variations of configurations in AD are extensive, so out of that discussion we hope to better understand some more detail of the configurations that are causing difficulties.

Shannon