We self-host Octo (v2019.9.4 LTS) and the “Synchronize external security groups” fails for any user who has AD membership in groups from multiple domains. For our organization I am in groups from three domains, but we only want the sync to use our main domain.
Octo therefore doesn’t have access set up to the “other” domains. So when it comes across a group from the non-privileged domains it crashes with the error:
Information about the domain could not be retrieved (1355).
System.DirectoryServices.AccountManagement.PrincipalOperationException: Information about the domain could not be retrieved (1355).
   at System.DirectoryServices.AccountManagement.Utils.GetDcName(String computerName, String domainName, String siteName, Int32 flags)
   at System.DirectoryServices.AccountManagement.SDSCache.GetContext(String name, NetCred credentials, ContextOptions contextOptions)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.GetAsPrincipal(Object storeObject, Object discriminant)
   at System.DirectoryServices.AccountManagement.ADUtils.SearchResultAsPrincipal(SearchResult sr, ADStoreCtx storeCtx, Object discriminant)
   at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
   at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesExternalSecurityGroupLocator.ReadGroups(IEnumerable`1 groupPrincipals, ICollection`1 groups, CancellationToken cancellationToken)
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesExternalSecurityGroupLocator.ReadUserGroups(Principal principal, ICollection`1 groups, CancellationToken cancellationToken)
   at Octopus.Server.Extensibility.Authentication.DirectoryServices.DirectoryServices.DirectoryServicesExternalSecurityGroupLocator.GetGroupIdsForUser(String samAccountName, CancellationToken cancellationToken)
Octopus.Server version 2019.9.4 (2019.9.4+Branch.tags-2019.9.4.Sha.e745662d7a1c43db42e0a2b6944af4dc6f5df2fa)
I am looking for a way to configure it to skip that group for the lookup and keep moving on to the next group for that user instead of not processing additional groups for that user. Or some other way to specifically name groups to not look up. Our current workaround is to assign users to team and Octo groups manually, but that is not sustainable as our team sizes increase.