AD login fails with: IDX10500: Signature validation failed. There are no security keys to use to validate the signature

Robert Sandru

08 Feb, 2018 07:54 AM

Greetings Octopus support,
I need some help to drill down into AD authentication problems we're currently facing on our production Octopus server.

Users receive the error message `IDX10500: Signature validation failed. There are no security keys to use to validate the signature` when trying to log in to the server using the AD.

Some more data points:
- Octopus version 3.14.15926
- System has been running fine for several months
- No recent updates / patches (problem started occurring a few hours back)
- I can log in just fine using a local username / password

I am strongly suspecting something related to the AD configuration that was performed by our IT department but would need some instructions about what tools to use to diagnose and narrow down the issue.

Is there any possibility to have a deeper trace into the auth steps?

Thanks,
Robert

  1. Support Staff Posted by Daniel Fischer on 09 Feb, 2018 05:54 AM

    Hi Robert,

    Thanks for getting in touch! We have not seen this one before; is it possible that this is related to an expired certificate? It could explain the spontaneous breakage. Are you using SSL on your Octopus/AD server?

    Could you confirm that it is not an expired certificate causing problems here?

    Hope that helps!

    Best regards,
    Daniel

  2. Posted by Robert Sandru on 09 Feb, 2018 08:27 AM

    Hi Daniel,
    This is eluding me… We are using an SSL cert indeed but that’s not expired yet.

    I did the following yesterday:

    - Set up a new Azure AD app in the Azure Portal

    - Set up our Octopus QA system to use new integration -> login works fine

    - Set up our QA system to use the existing QA AD integration -> login works fine too (with no changes to GUIDs or anything)

    At that point I suspected a restart would fix the issue and I bounced the service on Octopus production -> login issue fixed…

    I can’t say if some transient network issue provoked that or if it’s due to an edge case bug somewhere in the code.

    Summary: problem solved but root cause not identified.

    If you’re interested in the log files I can send those to you.

    Regards,
    Robert

  3. Support Staff Posted by Daniel Fischer on 12 Feb, 2018 02:09 AM

    Hi Robert,

    Thanks for the update and the additional information! Could you send through those logs you mention? I cannot guarantee it will have the answer, but I'm more than happy to take a look.

    Let me know if you continue to see this issue down the track and I'll keep an eye out for any other instances of this in the meantime.

    Best regards,
    Daniel

  4. Posted by allansson on 12 Feb, 2018 08:19 AM

    Hi!

    We are seeing the same problem. Every other month we need to restart our Octopus server. I'm not an expert on AzureAD (and especially not your integration), but I think that the issue is related to AzureAD signing key rollover. Every once in a while AzureAD will change the keys used for signing security tokens, meaning clients also need to update the keys used for validating tokens.

    More information about this can be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-signing-key-rollover

    Best regards,
    Johan
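
An added example (not code from Octopus or from this thread) of the client-side handling that the key rollover described above calls for: a key cache that re-fetches the issuer's published keys when a token names a `kid` it does not know, with a minimum refresh interval so that unknown-`kid` tokens cannot be used to hammer the metadata endpoint. The key set, key IDs and token contents are all constructed, and HMAC keys stand in for Azure AD's RSA keys so the example runs offline; the lookup and refresh logic is the same either way.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the issuer's published key set before and after a rollover.
# Azure AD publishes RSA keys; HMAC keys are used only so this runs offline with no extra libraries.
JWKS_BEFORE_ROLLOVER = {"kid-2017": b"constructed-old-secret"}
JWKS_AFTER_ROLLOVER = {"kid-2018": b"constructed-new-secret"}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid, key, claims):
    signing_input = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

class KeyCache:
    """Holds the issuer's keys; re-fetches them when a token names an unknown kid."""
    def __init__(self, fetch_jwks, min_refresh_seconds=300, now=time.monotonic):
        self.fetch_jwks, self.now, self.min_refresh_seconds = fetch_jwks, now, min_refresh_seconds
        self.keys, self.last_refresh, self.refreshes = fetch_jwks(), now(), 0

    def key_for(self, kid):
        if kid not in self.keys and self.now() - self.last_refresh >= self.min_refresh_seconds:
            # Unknown kid: the issuer may have rolled its keys. Refreshing at most once per
            # interval stops a flood of tokens with bogus kids from hammering the metadata endpoint.
            self.keys, self.last_refresh = self.fetch_jwks(), self.now()
            self.refreshes += 1
        return self.keys.get(kid)

def validate(token, cache):
    """Return the claims if the signature verifies under a known key, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    key = cache.key_for(json.loads(b64url_decode(header_b64))["kid"])
    if key is None:
        return None  # the IDX10500 situation: no key available to check this signature
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(payload_b64)) if hmac.compare_digest(expected, b64url_decode(sig_b64)) else None

def simulate_rollover():
    """The issuer rolls its keys after the cache was filled; a fake clock drives the rate limit."""
    clock, published = {"t": 0.0}, {"jwks": JWKS_BEFORE_ROLLOVER}
    cache = KeyCache(lambda: published["jwks"], now=lambda: clock["t"])
    published["jwks"] = JWKS_AFTER_ROLLOVER  # rollover: tokens are now signed with kid-2018
    token = sign_token("kid-2018", JWKS_AFTER_ROLLOVER["kid-2018"], {"sub": "robert"})
    stale = validate(token, cache)  # refresh suppressed (interval not elapsed): None
    clock["t"] = 301.0
    fresh = validate(token, cache)  # refresh allowed: new key found, claims returned
    return stale, fresh, cache.refreshes
```

A server that never refreshes behaves like the first call forever until restarted, which is the symptom this thread describes; a server that refreshes on every unknown `kid` without the interval trades that for a denial-of-service exposure on the metadata endpoint.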

  5. Posted by Robert Sandru on 12 Feb, 2018 09:19 AM

    Hi Daniel,
    Let me know how you’d like me to share the logs with you as I can’t post them on the original thread given the sensitive nature of the contents.

    Regards,
    Robert

  6. Support Staff Posted by Daniel Fischer on 13 Feb, 2018 02:07 AM

    Hi Robert,

    You can email us at support(at)octopus(dot)com. Just attach the log file to your email and mention my name. I'll see it. :)

    Best regards,
    Daniel

  7. Posted by Matthew Hodgkins on 15 Feb, 2018 12:16 PM

    I would love an answer on this if you find out what is causing it.

    We are seeing the same issue from time to time.

  8. Posted by Robert Sandru on 15 Feb, 2018 12:19 PM

    Hi Matthew, sorry about not getting back to you earlier: I hit the busy wall and this went onto my to-do list.

    I’ll fetch the logs and send those to you later today.

    Kind regards,
    Robert

  9. Posted by Wouter in 't Veld on 20 Feb, 2018 10:33 AM

    We have the same problem using GoogleApps authentication on our production Octopus server, and the same error occurs on our test Octopus server that uses AzureAD as its authentication.

    The issue on our production server can be solved by importing the self-signed certificate we initially used when provisioning this instance in January 2017.
    For some reason it stopped working in December 2017. The certificate is still valid.
    The command we use to fix the issue is `Import-PfxCertificate -FilePath path/to/pfx -CertStoreLocation Cert:\LocalMachine\My -Password $secureString`.

    We initially thought this was an issue with GoogleApps, and since we were migrating to AzureAD for our other application we thought we would do the same with Octopus.
    The documentation is straightforward on both the Azure side and the Octopus side. However, we run into the same issue:
    `ErrorMessage: "IDX10500: Signature validation failed. No security keys were provided to validate the signature."`
    This time we are unable to fix it by using the same method we use to fix this in prod.

    Some additional information:
    - We run this on AWS EC2 with an RDS instance
    - We automatically tear down the EC2 infrastructure weekly and rebuild it
    - There is an ELB in front of the EC2 instance handling SSL
    - The Octopus Deploy web portal runs on port 80
    - We use self-signed certificates for the Tentacles etc., importing them using the `path\to\Octopus.Server.exe -ArgumentList import-certificate` command

    I have mailed support with logs and output but I have yet to receive an answer.
