# AD login fails with: IDX10500: Signature validation failed. There are no security keys to use to validate the signature

#### Robert Sandru

08 Feb, 2018 07:54 AM

Greetings Octopus support,
I need some help to drill down into AD authentication problems we're currently facing on our production Octopus server.

Users receive the error message: IDX10500: Signature validation failed. There are no security keys to use to validate the signature when trying to log in to the server using the AD.

Some more data points:
- Octopus version 3.14.15926
- System has been running fine for several months
- No recent updates / patches (problem started occurring a few hours back)
- I can log in just fine using a local username / password

I am strongly suspecting something related to the AD configuration that was performed by our IT department but would need some instructions about what tools to use to diagnose and narrow down the issue.

Is there any possibility to have a deeper trace into the auth steps?

Thanks,
Robert

1. Support Staff Posted by Daniel Fischer on 09 Feb, 2018 05:54 AM

Hi Robert,

Thanks for getting in touch! We have not seen this one before. Is it possible that this is related to an expired certificate? It could explain the spontaneous breakage. Are you using SSL on your Octopus/AD server?

Could you confirm that it is not an expired certificate causing problems here?

Hope that helps!

Best regards,
Daniel

2. Posted by Robert Sandru on 09 Feb, 2018 08:27 AM

Hi Daniel,
This is eluding me… We are using an SSL cert indeed but that’s not expired yet.

I did the following yesterday:

- Set up a new Azure AD app in the Azure Portal

- Set up our Octopus QA system to use new integration -> login works fine

- Set up our QA system to use the existing QA AD integration -> login works fine too (with no changes to GUIDs or anything)

At that point I suspected a restart would fix the issue and I bounced the service on Octopus production -> login issue fixed…

I can’t say if some transient network issue provoked that or if it’s due to an edge case bug somewhere in the code.

Summary: problem solved but root cause not identified.

If you’re interested in the log files I can send those to you.

Regards,
Robert

3. Support Staff Posted by Daniel Fischer on 12 Feb, 2018 02:09 AM

Hi Robert,

Thanks for the update and the additional information! Could you send through those logs you mention? I cannot guarantee it will have the answer but I'm more than happy to take a look.

Let me know if you continue to see this issue down the track and I'll keep an eye out for any other instances of this in the meantime.

Best regards,
Daniel

4. Posted by allansson on 12 Feb, 2018 08:19 AM

Hi!

We are seeing the same problem. Every other month we need to restart our Octopus server. I'm not an expert on AzureAD (and especially not your integration) but I think that the issue is related to AzureAD signing key rollover. Every once in a while AzureAD will change the keys used for signing security tokens, meaning clients also need to update the keys used for validating tokens.

Best regards,
Johan
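
Post 4 above attributes the error to Azure AD signing-key rollover. The following added example (not Octopus code, and not a confirmed root cause) shows how a validator that loads the provider's keys only at startup ends up with no key for a token signed after a rollover, and how a throttled refresh on an unknown `kid` recovers without a restart. `SigningKeyCache`, the key ids and the JWKS contents are constructed for illustration, and signature verification itself is left out.

```python
import base64
import json
import time

def b64url_json(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def token_kid(token):
    """Return the 'kid' from a JWT header (no verification is done here)."""
    header = token.split(".")[0]
    header += "=" * (-len(header) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(header)).get("kid")

class SigningKeyCache:
    """Validation keys by kid; refetches the JWKS on an unknown kid, throttled."""
    def __init__(self, fetch_jwks, min_refresh_seconds=300, clock=time.monotonic):
        self._fetch = fetch_jwks            # callable returning a JWKS dict
        self._min_refresh = min_refresh_seconds
        self._clock = clock
        self.refresh()

    def refresh(self):
        # Replace the whole key set so retired keys stop being trusted.
        self._keys = {k["kid"]: k for k in self._fetch()["keys"]}
        self._last_fetch = self._clock()

    def key_for(self, token, refresh_on_miss=True):
        kid = token_kid(token)
        if kid not in self._keys and refresh_on_miss:
            # Throttle: tokens carrying random kids must not force a fetch each.
            if self._clock() - self._last_fetch >= self._min_refresh:
                self.refresh()
        return self._keys.get(kid)  # None means no key to validate with

def demo():
    """Constructed scenario: the provider rolls from key-A to key-B."""
    published = {"keys": [{"kid": "key-A", "kty": "RSA"}]}  # stand-in for jwks_uri
    now = [0.0]                                             # fake clock, seconds
    cache = SigningKeyCache(lambda: published, clock=lambda: now[0])
    published["keys"] = [{"kid": "key-B", "kty": "RSA"}]    # rollover happens
    token = b64url_json({"alg": "RS256", "kid": "key-B"}) + ".e30.sig"
    stale = cache.key_for(token, refresh_on_miss=False)     # startup-only cache
    throttled = cache.key_for(token)                        # too soon to refetch
    now[0] = 600.0
    return stale, throttled, cache.key_for(token)           # refetch finds key-B
```
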

5. Posted by Robert Sandru on 12 Feb, 2018 09:19 AM

Hi Daniel,
Let me know how you’d like me to share the logs with you as I can’t post them on the original thread given the sensitive nature of the contents.

Regards,
Robert

6. Support Staff Posted by Daniel Fischer on 13 Feb, 2018 02:07 AM

Hi Robert,

You can email us at support(at)octopus(dot)com. Just attach the log file to your email and mention my name. I'll see it. :)

Best regards,
Daniel

7. Posted by Matthew Hodgkin... on 15 Feb, 2018 12:16 PM

I would love an answer on this if you find out what is causing it.

We are seeing the same issue from time to time.

8. Posted by Robert Sandru on 15 Feb, 2018 12:19 PM

Hi Matthew, sorry about not getting back to you earlier: I hit the busy wall and this went to my to do list.

I’ll fetch the logs and send those to you later today.

Kind regards,
Robert

9. Posted by Wouter in '... on 20 Feb, 2018 10:33 AM

We have the same problem using GoogleApps authentication on our production Octopus server and the same error occurs on our test Octopus server that uses AzureAD as its authentication.

The issue on our production server can be solved by importing the self-signed certificate we initially used when provisioning this instance in January 2017.
For some reason it stopped working in December 2017. The certificate is still valid.
The command we use to fix the issue is Import-PfxCertificate -FilePath path/to/pfx -CertStoreLocation Cert:\LocalMachine\My -Password $secureString.

We initially thought this was an issue with GoogleApps and we were migrating to AzureAD for our other application so we thought we'd do the same with Octopus.
The documentation is straightforward on both the Azure side and the Octopus side. However, we run into the same issue:
ErrorMessage: "IDX10500: Signature validation failed. No security keys were provided to validate the signature."
This time we are unable to fix it by using the same method we use to fix this in prod.

- We run this on AWS ec2 with an RDS Instance
- We automatically tear down the ec2 infrastructure weekly and rebuild it.
- There is an ELB in front of the EC2 instance handling SSL
- The octopus deploy web portal runs on port 80
- using self signed certificates for the tentacles etc. importing them using path\to\Octopus.Server.exe -ArgumentList import-certificate command.

I have mailed support with logs and output but I have yet to receive an answer.

10. Support Staff Posted by Daniel Fischer on 22 Feb, 2018 12:40 AM

Hi Everyone,

Just a heads up that we are looking into this. I'll post any relevant non-sensitive information here when I update so the community can see. :)

Best regards,
Daniel

11. Support Staff Posted by Shannon Lewis on 05 Mar, 2018 08:11 AM

Hi everyone,

Another update, we managed to track down the cause of this issue and there's a fix on the way.

Regards
Shannon
