Cannot login with users in Domain X when Octopus box is joined to Domain Y

mario.anton

08 Aug, 2017 08:06 AM

When enabling Active Directory authentication in Octopus, a user from Domain X is given; however, when trying to log in, the logs show it looking for the user in Domain Y.

There is a one-way trust which lets users in Domain X log in to Domain Y.

Is there a way to tell Octopus to look in a domain other than the one that the box it was installed on belongs to?

Thanks in advance

  1. 1 Posted by mario.anton on 08 Aug, 2017 08:23 AM

    The case would be similar to: https://octopus.com/docs/administration/authentication-providers/moving-active-directory-domains

    However, I am not moving from a domain.

  2. 2 Posted by mario.anton on 08 Aug, 2017 11:24 AM

    So I finally found what is going on here.
    I need to get users logged in from Domain X.
    According to OD, I need to add an AD group to the given Team to get that done; however, since I cannot log in with a user from Domain X, I cannot search Domain X for a user to set as a member of ....

    The user name or password is incorrect.

    System.Runtime.InteropServices.COMException
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.PropertyValueCollection.PopulateList()
       at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
       at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
       at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
       at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
       at System.DirectoryServices.AccountManagement.PrincipalContext.ContextForType(Type t)
       at System.DirectoryServices.AccountManagement.Principal.set_Name(String value)
       at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesExternalSecurityGroupLocator.FindGroups(String name)
       at Octopus.Server.Extensibility.Authentication.DirectoryServices.Web.ListSecurityGroupsAction.Execute(NancyContext context, IResponseFormatter response)
       at Octopus.Server.Extensibility.Extensions.Infrastructure.Web.Api.WhenEnabledActionInvoker`2.Execute(NancyContext context, IResponseFormatter response)
       at Nancy.Routing.Route.<>c__DisplayClass4.<Wrap>b__3(Object parameters, CancellationToken context)

  3. 3 Posted by mario.anton on 08 Aug, 2017 12:29 PM

    So, after a bit more investigation I am noticing that adding group membership from the upper trusted domain should do it... but it doesn't.

    When logging in using forms with domainX\user, I get the odserver getting no users like that one from domainY.

  4. 4 Posted by mario.anton on 08 Aug, 2017 01:33 PM

    2017-08-08 13:32:22.4571 5708 22 ERROR Unhandled error on request: http:/OD/api/users/login 517a236c47b64cc8a02429dba1143f38 by <anonymous> : The user name or password is incorrect.

    Stuck in here.

  5. Support Staff 5 Posted by Lawrence Wilson on 09 Aug, 2017 12:28 PM

    Hi mario.anton,
    Thanks for reaching out, I'm sorry to hear you're having issues searching Active Directory trusted domains for users and groups in Octopus.

    Could you please tell me what user account the Octopus server service is running under? Specifically if it is a domain user and also if it is a member of Domain X or Domain Y.

    One option which comes to mind when troubleshooting this issue is to confirm that the Octopus service RunAs account has permissions to read the users and groups in Domain Y. Can you please refer to our PowerShell script at the Troubleshooting Active Directory document and run the PowerShell script to confirm that your account has the privileges required?

    One other handy resource could be found at our Domain Groups not loading across multiple domains section which talks about granting specific permissions at the domain level for reading users and groups.

    I hope this has been of some help, I would love to hear from you if you have any further questions.

    Kind Regards,
    Lawrence.

  6. 6 Posted by mario.anton on 09 Aug, 2017 12:30 PM

    Hi Lawrence, it has finally been sorted by running the service with a user belonging to the domain I want to gather groups from. Thanks.

  7. Support Staff 7 Posted by Lawrence Wilson on 09 Aug, 2017 11:10 PM

    Hey Mario,
    I'm glad to hear it's all sorted! Happy deployments.

    Regards,
    Lawrence.
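
An added example, not part of the thread and not the script from the Octopus troubleshooting document: a PowerShell check that repeats the lookup path shown in the stack trace above (a Domain PrincipalContext followed by a group search) under whatever account the session runs as, so the service account can be tested against a trusted domain before the service is switched to it. The domain name, group pattern and account name are placeholders.

```powershell
# Run in a session started as the Octopus service account, for example:
#   runas /user:DOMAINX\svc-octopus powershell.exe    (placeholder account name)
param(
    [string]$Domain    = 'domainx.example',  # placeholder: DNS name of the domain holding the groups
    [string]$GroupName = 'Octopus*'          # placeholder: group name pattern to search for
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainGroupLookup {
    param([string]$Domain, [string]$GroupName)

    $result = [ordered]@{
        RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Domain    = $Domain
        BindOk    = $false
        Groups    = @()
        Error     = $null
    }
    $ctx = $null
    $searcher = $null
    try {
        # Domain context bound with the current process identity (no explicit credentials),
        # which is how a Windows service presents itself to the directory.
        $contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $contextType, $Domain

        # The trace above shows the directory bind failing at Principal.set_Name,
        # so a failed bind surfaces here as "The user name or password is incorrect."
        $filter = New-Object System.DirectoryServices.AccountManagement.GroupPrincipal -ArgumentList $ctx
        $filter.Name = $GroupName
        $result.BindOk = $true

        $searcher = New-Object System.DirectoryServices.AccountManagement.PrincipalSearcher -ArgumentList $filter
        $result.Groups = @($searcher.FindAll() | ForEach-Object { $_.SamAccountName })
    }
    catch {
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($searcher) { $searcher.Dispose() }
        if ($ctx) { $ctx.Dispose() }
    }
    [pscustomobject]$result
}

Test-DomainGroupLookup -Domain $Domain -GroupName $GroupName | Format-List
```

Running it once per domain and per candidate account shows which identity can actually read groups where; an account that only needs to enumerate users and groups does not need administrative rights in either domain.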
