AD group membership is ignored when creating new users

Hi All,

We are experiencing an issue with adding new users to Octopus Deploy 3. New users can log in but they do not pick up the permissions/roles they should have according to the groups they are a member of in AD. The group is defined as a security group. All other members of the group get correct permissions when they log in.

We have had AD integrated authentication and authorisation working as expected for some time. The issue seems to have started when we upgraded from Octopus 2.

The logs don’t seem to show any related errors.

Any help on where to start to look would be extremely useful.

Cheers

Chris

Hi Chris,

Thanks for reaching out.

Please let me know if I got this right:

  • You have an Octopus team with a set of permissions
  • This Octopus Team doesn’t have single users added, but an AD group instead.
  • All members of that AD group are getting the right permissions provided by the Octopus Team, except for some new ones.

Is that correct?

Also please let us know:

  • The exact version of Octopus 3 that you are using.
  • Are these new users from the same domain as the other users in that AD group? For example: The Octopus server is in the NY domain, the AD group is from the NY domain and all the users in it are also originally from the NY domain. Are these new users that cannot login also part of the NY domain?

Best regards,
Dalmiro

Hi Dalmiro,

Thanks for looking into this for us.

Your assumptions are almost completely correct.

  • We have an octopus team with a set of permissions
  • The octopus team has a few standard users and an AD group (the standard users probably do not need to appear in this group as they are also in the AD group)
  • Existing members of the team and users added directly to the octopus team get the required permissions. New members of the AD group do not get any permissions.
  • All AD users can log in to octopus with default permissions.

Additional Details as requested:

  • Octopus server version: 3.3.12
  • AD structure: We have several interconnected domains with trust relationships. However all users, groups, domain controllers, octopus servers etc are all members of and authenticate from the same domain.

I hope this helps you find a resolution.

Cheers

Chris Nicel
Senior Systems Engineer
15below ltd : 15below Australia pty. ltd.

t: +44 1273 764230
e: chris.nicel@15below.com
w: http://www.15below.com/
@15below_travel (https://twitter.com/#!/15below_travel)


Hi Dalmiro,

Further to the information below. We have already planned an upgrade to 3.3.16 tomorrow morning. Hopefully this will correct the issue although there are no release notes suggesting any bug fixes related to AD integration.

Do you know of anything that may have been updated that could help us out here? Or is everything mentioned in the release notes?

Cheers

Chris Nicel

Hi Chris,

Could you follow the steps of the “Troubleshooting Permissions” section of the below doc, and check if these users (1 or 2) that are not getting the right permissions show as part of the Octopus team?

If that doesn’t show anything obvious, we might have to schedule a call for this.

Thanks,
Dalmiro

Hi Dalmiro,

I created a test user in AD and checked the following with the test permissions option on the teams page:

  • User can log into Octopus
  • User has default “Everyone” permission.
  • Added user to AD group Development which is a member of an Octopus Team DEV.
      ◦ User can still log in
      ◦ User still only receives “Everyone” permission.
  • Removed user from AD group development and added to AD group QA (member of QA Octopus team)
      ◦ User can still log in
      ◦ User still only receives “Everyone” permission.
  • Removed user from all AD groups and added to DEV Octopus team
      ◦ User can still log in
      ◦ User receives DEV team permissions.

We may need to schedule that call…

We have moved our upgrade plan to Wednesday of next week (8th of June). It is likely we should wait until after the upgrade so we can test again to see if it is any different.

Are there any server logs that I can send to you that may show relevant information? I can perform some more testing and grab the logs straight afterwards so anything untoward may show up. Perhaps we can enable more verbose logging?

Cheers

Chris Nicel

Hi Chris,

The last thing I think you can try is to reset your Octopus server. It sounds as if Octopus keeps using the cached version of the AD group. Resetting the server would force Octopus to fetch the AD group data once again.

Let me know if that works, and if it doesn’t I’ll send you the link to schedule a call.

Regards,
Dalmiro
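
The test in the previous post checks what Octopus reports; the AD side can be checked separately. The following is an added example, not part of the original thread and not Octopus Deploy code: it asks every domain controller whether the test user resolves as a direct or nested member of the groups named above. The account name `octo.testuser` is a hypothetical placeholder, and the group names are assumed to be usable as AD identities.

```powershell
# Added example: requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Hypothetical test account; group names are the ones mentioned in the thread.
$TestUser = 'octo.testuser'
$Groups   = 'Development', 'QA'

# LDAP_MATCHING_RULE_IN_CHAIN: matches direct and nested (transitive) membership.
$InChain = '1.2.840.113556.1.4.1941'

$user = Get-ADUser -Identity $TestUser -ErrorAction Stop

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($name in $Groups) {
        try {
            $group = Get-ADGroup -Identity $name -Server $dc.HostName -ErrorAction Stop

            # Assumes the DNs contain no LDAP filter special characters: ( ) * \
            $filter = "(&(distinguishedName=$($user.DistinguishedName))" +
                      "(memberOf:${InChain}:=$($group.DistinguishedName)))"
            $hit = Get-ADUser -LDAPFilter $filter -Server $dc.HostName -ErrorAction Stop

            [pscustomobject]@{
                DomainController = $dc.HostName
                Group            = $group.Name
                Category         = $group.GroupCategory   # the thread states this is a security group
                Scope            = $group.GroupScope
                UserIsMember     = [bool]$hit
                Error            = $null
            }
        }
        catch {
            # Record unreachable DCs or lookup failures instead of stopping the sweep.
            [pscustomobject]@{
                DomainController = $dc.HostName
                Group            = $name
                Category         = $null
                Scope            = $null
                UserIsMember     = $null
                Error            = $_.Exception.Message
            }
        }
    }
}

$results | Sort-Object Group, DomainController | Format-Table -AutoSize
```

If some domain controllers report `UserIsMember` as False while others report True, the membership change has not replicated everywhere yet; if all of them agree on True, the directory data is consistent.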

Hi Dalmiro,

Can you elaborate on “reset the octopus server”? Do you mean restart the service? Or perhaps the host machine? Or do you mean remove configuration and start again?

Cheers

Chris


Hi Chris,

Only restart the service. You can do it from the Octopus Manager with the “Restart” button, or from services.msc.

Cheers,
Dalmiro

Hi Dalmiro,

Thanks for the advice. I will try it first thing Monday.

Have a great weekend.

Cheers

Chris
