Unable to log on from trusted domain

We have an Octopus Deploy installation with the same setup and issue as described in a similar case that we are not able to solve:
http://help.octopusdeploy.com/discussions/problems/22661-unable-to-log-on-from-second-domain

We are currently using version: 3.2.5

To summarize, Octopus Server is installed in SERVERDOMAIN, and the users are trying to log in from OFFICEDOMAIN.
There is a one-way trust from SERVERDOMAIN to OFFICEDOMAIN, that is, OFFICEDOMAIN is the trusted domain.

When we try to log in with a user from OFFICEDOMAIN using ‘OFFICEDOMAIN\user.name’, we get the error: Logon failure: unknown user name or bad password. We have created a group in SERVERDOMAIN containing groups and single users from OFFICEDOMAIN.

Octopus Server is running under a domain account from SERVERDOMAIN.

Hi Frank,

I’m sorry you’re experiencing Active Directory authentication problems. These can be a little tricky to diagnose.

As a first step, could you check the Octopus Server logs, and ensure there are no relevant errors in there.

The second thing that is worth verifying is that the account that the Octopus Deploy Windows Service is executing under has permission to query the AD domain your users are in. By default Octopus Deploy will run as the “Local System” account on the server; you may need to change this to a domain account.

If you let me know the results of those checks, we’ll proceed from there.

Regards,
Michael

The request says that the Octopus Server is running with a domain account in SERVERDOMAIN.

The way I see it, this depends on how Octopus Deploy Server is querying AD:
- If Octopus Server is querying the OFFICEDOMAIN AD, it will not work (due to the one-way trust).
- If Octopus Server is querying the SERVERDOMAIN AD, it will work (due to how the ADs are set up).

The way domains and ADs are set up in this scenario is fairly common, so it would be great if Octopus would support it.

You could maybe do a compensation/fallback solution where you do the AD query to the domain of the Octopus Server service user (SERVERDOMAIN) if the query to the domain of the end user (OFFICEDOMAIN) fails, because the AD of SERVERDOMAIN can sometimes handle the request properly even though the user is from another domain (OFFICEDOMAIN).

Hi Michael, and thanks for your reply.

For the second part:
Yes, we are already using a domain account for Octopus Server. But our setup is a one-way trust where SERVERDOMAIN is the trusting domain and OFFICEDOMAIN is the trusted domain. From our understanding, the domain user in SERVERDOMAIN does not need access to a DC in OFFICEDOMAIN in order for the trust to work. The authentication request to verify the user will normally be sent from the DC in the trusting domain.

Could you clarify whether Octopus Deploy works with one-way trust domains? Also, what kind of permissions do you expect the Octopus service user must have in the trusted domain?

For the first part, I have added part of the error log:
2016-01-07 09:46:11.9107 107 ERROR Unhandled error on request: http:///Octopus/api/users/login by : Logon failure: unknown user name or bad password.

System.Runtime.InteropServices.COMException (0x8007052E): Logon failure: unknown user name or bad password.

Thanks & Regards, Frank

Hi Frank,

I wish I had a nice clean answer for you, but it may take a little trial and error to determine the issue.

Hakon’s response above may be correct. When you attempt to log in with OFFICEDOMAIN\user.name, we attempt to find the user in OFFICEDOMAIN, which in your setup may not work.

A couple of things that might be worth trying:

  • Try running the Octopus service as a user in OFFICEDOMAIN.
  • Try logging in with a user in SERVERDOMAIN.

The service account should only need permission to query AD.
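An added example for reproducing the two query paths Hakon describes (querying OFFICEDOMAIN directly versus letting the SERVERDOMAIN DC pass the request over the trust) and the "permission to query AD" check Michael mentions. This is not code from Octopus Deploy or from anyone in the thread. It assumes the RSAT ActiveDirectory module is installed, and the domain FQDNs, the service account name and the test user are placeholders to substitute. Run it on the Octopus Server host under the account the Octopus service runs as (for example via runas /user:SERVERDOMAIN\svc_octopus powershell.exe), so the results reflect that account's rights rather than an administrator's.

```powershell
# Added example, not from Octopus Deploy or the thread participants.
# All domain names, account names and FQDNs below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Import-Module ActiveDirectory   # RSAT; needed for Get-ADTrust

$trustingDomain = 'serverdomain.local'   # assumed FQDN of SERVERDOMAIN (hosts Octopus Server)
$trustedDomain  = 'officedomain.local'   # assumed FQDN of OFFICEDOMAIN (where the users live)
$userName       = 'user.name'            # the OFFICEDOMAIN user whose logon fails
$cred = Get-Credential -UserName "OFFICEDOMAIN\$userName" -Message 'Password of the OFFICEDOMAIN user'

# 1. Confirm the trust and its direction as seen from SERVERDOMAIN.
#    On the trusting side the trust to OFFICEDOMAIN should show Direction = Outbound
#    (SERVERDOMAIN trusts OFFICEDOMAIN, so OFFICEDOMAIN accounts can be authenticated here).
Get-ADTrust -Filter { Name -eq $trustedDomain } -Server $trustingDomain |
    Select-Object Name, Direction, TrustType, ForestTransitive

# 2. Can the current (service) account bind to each domain at all?
#    Under a one-way trust, a SERVERDOMAIN account binding to OFFICEDOMAIN is expected
#    to fail; a bind to SERVERDOMAIN is expected to succeed. This is Hakon's point.
function Test-DomainBind {
    param([string]$Domain)
    try {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
        # Reading ConnectedServer forces the LDAP bind as the current account.
        "Bind to $Domain as $env:USERDOMAIN\$env:USERNAME OK via $($ctx.ConnectedServer)"
    } catch {
        "Bind to $Domain FAILED: $($_.Exception.GetBaseException().Message)"
    }
}
Test-DomainBind $trustedDomain
Test-DomainBind $trustingDomain

# 3. Validate the OFFICEDOMAIN user's password against each domain.
#    Against SERVERDOMAIN the DC should forward the request over the trust and return True.
#    Against OFFICEDOMAIN directly the call may return False or throw, which is the
#    0x8007052E "unknown user name or bad password" behaviour seen in the Octopus log.
function Test-UserLogon {
    param([string]$Domain, [pscredential]$Credential)
    try {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
        $ok = $ctx.ValidateCredentials($Credential.UserName,
                                       $Credential.GetNetworkCredential().Password)
        "ValidateCredentials($($Credential.UserName)) against $Domain -> $ok"
    } catch {
        "ValidateCredentials against $Domain threw: $($_.Exception.GetBaseException().Message)"
    }
}
Test-UserLogon $trustingDomain $cred
Test-UserLogon $trustedDomain  $cred
```

If step 3 succeeds against SERVERDOMAIN but fails against OFFICEDOMAIN while step 2 shows the service account cannot bind to OFFICEDOMAIN, the trust itself is fine and the failure is in which domain is being queried, which is the distinction both Hakon's and Michael's replies turn on. If step 3 fails against both, check the trust direction from step 1 before looking at Octopus.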