I am having a similar issue as described http://help.octopusdeploy.com/discussions/problems/21802-authorization-using-active-directory-groups-doesnt-seem-to-work. The users are added manually by Create user and are indeed members of the AD security group. But they lack the permissions which the team should have. Could you help me?
Hi,
Thanks for reaching out! Brief explanation of how users work in Octopus so you can fully understand what is going on:
Octops has 2 main authentication methods:
A) Username/Password
B) Active Directory
When you create a user from Create User, you are creating a user for the method A in the Octopus database. Even if this user has the exact same data as a user in your AD domain, It’ll still be an A-Method user, and wont be tied to Active Directory.
So how do I create a B-Method user in Octopus so users can login with their AD credentials? - Simply have them log into the Octopus portal (without creating a user from create user) using their Domain\Username credentials. Once an AD user logs in for the first time, Octopus will automatically create a B-Method user into its database that will be mapped to the Active Directory user.
So what should I do now? - Delete the users that you manually created using create User (which are A-Method users) and then ask your AD users to log straight into Octopus using their ad credentials in the format Domain\Username (which will automatically create for them a B-Method user)
Let me know how that goes,
Dalmiro
Hey Dalmiro,
I played with this today and I think I made some progress.
I looked up the SQL database of Octopus and I saw that when the user is created manually (the A-Method you mention) it is not assigned any SecurityGroupIds. But when it is automatically created (using the B-Method you mentioned) it is assigned just a single SecurityGroupId. Our users are members of more than one groups (I use net user my-user-name /domain to determine that). So when they are created via the B-Method they get just one security group ID which is correct but not enough. Because it is not the expected one and the permissions are not granted. I tried updating the SQL table manually with the correct security group ID. Which worked for a moment (I had to restart the service). But the issue is that either periodically or when a user logs-in the security group ID is overwritten with the unwanted one.
I contacted our IT department to make sure that the group is indeed a security group. I do want to grant permissions by Active Directory groups instead of manually adding users (including removing old ones and adding new). What should I do in order to resolve that? I think the question is why the user gets assigned just a single security group ID!
Hi,
Kudos for the accurate troubleshooting! So yeah every a certain amount of time Octopus asks AD to which security groups do these user belong to and updates those values in SQL.
Do keep in mind that Octopus can only work with the domain where the VM hosting Octopus is sitting on. So if your VM is on Domain1, your users and the security groups they belong to should be on Domain1. If the users are in groups on a trusted domain (lets say Domain2), those wont get carried over.
Thanks,
Dalmiro
Hey Dalmiro, thanks for the feedback. I checked and the machine that is hosting Octopus is on a domain in which users have the same security groups. I am working with my IT department in order to check whether the problem is with our infrastructure.