Synchronize external security groups fails - cross domain groups

We self host Octo (v2019.9.4 LTS) and the “Synchronize external security groups” fails for any user who has AD membership in groups from multiple domains. For our organization I am in groups from three domains, but we only want the sync to use our main domain.

Octo therefore doesn’t have access set up to the “other” domains. So when it comes across a group from the non-privileged domains, it crashes with the error:

Information about the domain could not be retrieved (1355). System.DirectoryServices.AccountManagement.PrincipalOperationException: Information about the domain could not be retrieved (1355).
at System.DirectoryServices.AccountManagement.Utils.GetDcName(String computerName, String domainName, String siteName, Int32 flags)
at System.DirectoryServices.AccountManagement.SDSCache.GetContext(String name, NetCred credentials, ContextOptions contextOptions)
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetAsPrincipal(Object storeObject, Object discriminant)
at System.DirectoryServices.AccountManagement.ADUtils.SearchResultAsPrincipal(SearchResult sr, ADStoreCtx storeCtx, Object discriminant)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesExternalSecurityGroupLocator.ReadGroups(IEnumerable`1 groupPrincipals, ICollection`1 groups, CancellationToken cancellationToken)
at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesExternalSecurityGroupLocator.ReadUserGroups(Principal principal, ICollection`1 groups, CancellationToken cancellationToken)
at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesExternalSecurityGroupLocator.GetGroupIdsForUser(String samAccountName, CancellationToken cancellationToken)
Octopus.Server version 2019.9.4 (2019.9.4+Branch.tags-2019.9.4.Sha.e745662d7a1c43db42e0a2b6944af4dc6f5df2fa)

I am looking for a way to configure it to skip that group for the lookup and keep moving on to the next group for that user, instead of not processing additional groups for that user. Or some other way to specifically name groups to not look up. Our current workaround is to assign users to teams and Octo groups manually, but that is not sustainable as our team sizes increase.
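The following diagnostic is an added example, not Octopus code. It walks the same AccountManagement group enumeration that the stack trace shows, one entry at a time, so a group from a domain the service account cannot query is recorded instead of aborting the whole lookup; the output tells an administrator which domains the account resolves and which still fail with error 1355. It assumes it runs as the Octopus service account on the Octopus server; the domain `corp.example.com` and the user `tim` are placeholders.

```powershell
# Added diagnostic (not Octopus code). Mirrors the GetGroups() enumeration from the
# stack trace, catching the per-group failure so the remaining groups are still read.
# Assumptions: run as the Octopus service account; $MainDomain / $SamAccountName are placeholders.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-GroupLookupReport {
    param(
        [Parameter(Mandatory)] [string] $MainDomain,      # placeholder, e.g. 'corp.example.com'
        [Parameter(Mandatory)] [string] $SamAccountName   # placeholder, e.g. 'tim'
    )
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList @([System.DirectoryServices.AccountManagement.ContextType]::Domain, $MainDomain)
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
        $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $SamAccountName)
    if (-not $user) { throw "User '$SamAccountName' not found in $MainDomain" }

    $report = [ordered]@{ Resolved = @(); Failed = @() }
    $enum = $user.GetGroups().GetEnumerator()
    while ($enum.MoveNext()) {
        try {
            # Reading Current is what resolves the group object; in the trace this is the
            # call that ends in GetDcName and error 1355 for a group in an unreachable domain.
            $g = $enum.Current
            $domain = (($g.DistinguishedName -split ',') |
                Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
            $report.Resolved += [pscustomobject]@{ Group = $g.SamAccountName; Domain = $domain; Sid = $g.Sid.Value }
        } catch {
            # Record the failure and continue with the next group instead of stopping here.
            $report.Failed += $_.Exception.GetBaseException().Message
        }
    }
    $enum.Dispose()
    return [pscustomobject]$report
}

$r = Get-GroupLookupReport -MainDomain 'corp.example.com' -SamAccountName 'tim'
$r.Resolved | Group-Object Domain | Select-Object Name, Count   # which domains the resolvable groups live in
$r.Failed | Sort-Object -Unique                                 # errors from domains the account cannot query
```

Groups listed under Failed are the ones whose domains need the cross-domain read access the service account currently lacks; once that is granted, re-running the script should move them into Resolved.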

Hi Tim,

Thanks for reaching out and I am sorry that you are facing this issue.

We have had this issue pop up in the past. There is a solution to the issue, but it’s not in relation to skipping the look-up process. It has to do with adding the “Read Member of” permissions between the domains. Check out this article here for all the info: https://octopus.com/docs/administration/authentication/active-directory-authentication/troubleshooting-active-directory-integration#domain-groups-not-loading-across-multiple-domains

As you might’ve noticed, this has since broken in the latest versions of Octopus Server due to the move to .NET Core. https://octopus.com/docs/administration/authentication/active-directory-authentication/troubleshooting-active-directory-integration#Integrated

So stick to your 2019.9.4 LTS version for the moment and see how you go implementing the “Read Member of” permissions between domains. I have also raised this as an issue: https://github.com/OctopusDeploy/Issues/issues/6322

I really hope this helps, but please reach out if you are still having problems.

Regards,

Dane.