|
1 | 1 | --- |
2 | 2 | layout: src/layouts/Default.astro |
3 | 3 | pubDate: 2023-01-01 |
4 | | -modDate: 2023-10-04 |
| 4 | +modDate: 2026-03-05 |
5 | 5 | title: Troubleshooting Active Directory integration |
6 | 6 | description: Information on troubleshooting common Active Directory integration issues. |
7 | 7 | navOrder: 30 |
@@ -201,3 +201,29 @@ To resolve this issue, open Active Directory Administrative Center for the domai |
201 | 201 | Octopus Server `2020.1.x` has a known issue with users signing in across domains. The underlying cause relates to server moving from .NET Framework (HttpListener) to .NET Core (HttpSys). For more information about the issue, see this [GitHub issue](https://github.com/OctopusDeploy/Issues/issues/6265). For configuration guidelines and troubleshooting integrated authentication, see our [Active Directory authentication](/docs/security/authentication/active-directory) guide. |
202 | 202 |
|
203 | 203 | For users on a different domain to the domain the Octopus Server is a member of, the workaround is to use forms authentication instead of the `Sign in with a domain account` button. As of `2020.1.7` the server will detect this issue when users attempt to sign in across domains, and it will provide guidance to those users who are impacted. |
| 204 | + |
| 205 | +## Sign in with a domain account fails with no clear error |
| 206 | + |
| 207 | +When using HTTP.sys (Kernel Mode), certain server-side errors may not be surfaced in the response. Instead, you may see a generic 500 error or the message: |
| 208 | + |
| 209 | +> An error occurred with Windows authentication, possibly due to a known issue, please try using forms authentication. |
| 210 | +
|
| 211 | +This can make the root cause difficult to diagnose. A useful diagnostic step is to temporarily switch to Kestrel (User Mode), which surfaces the full error response: |
| 212 | + |
| 213 | +```bash |
| 214 | +Octopus.Server.exe service --stop |
| 215 | +Octopus.Server.exe configure --webServer=Kestrel |
| 216 | +Octopus.Server.exe service --start |
| 217 | +``` |
| 218 | + |
| 219 | +Reproduce the sign-in failure and note the error message returned. Once you have identified and resolved the underlying issue, you can switch back to HTTP.sys if desired. See [GitHub issue #9835](https://github.com/OctopusDeploy/Issues/issues/9835) for more detail. |
| 220 | + |
| 221 | +## Maximum Session Duration breaks Active Directory SSO |
| 222 | + |
| 223 | +Setting the **Maximum Session Duration** to a low value (for example, `3600` seconds) can prevent users from signing in via the **Sign in with a domain account** button. The underlying error is: |
| 224 | + |
| 225 | +> Expiration cannot exceed maximum session duration |
| 226 | +
|
| 227 | +When using HTTP.sys, this error is not surfaced directly (see the section above), making it particularly difficult to diagnose. |
| 228 | + |
| 229 | +To resolve this, increase the Maximum Session Duration in **Configuration ➜ Settings ➜ Server** to a value greater than or equal to the session expiry configured in your environment. See [GitHub issue #9836](https://github.com/OctopusDeploy/Issues/issues/9836) for more detail. |
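Review bot: The new "Sign in with a domain account fails with no clear error" section calls the switch to Kestrel temporary, but the steps end at "you can switch back to HTTP.sys if desired" without showing how. Add the matching stop / configure / start sequence for reverting, so a server is not left on a different web server than the one it was deployed with once diagnosis is done. It is also worth stating that the stop/start takes the server offline for the duration. The fence is tagged `bash` although the commands invoke `Octopus.Server.exe` on Windows; a tag matching the shell the reader will type these into would be more accurate. In the "Maximum Session Duration" section, "the session expiry configured in your environment" does not say which setting or system that value comes from, so the reader cannot tell what number to exceed; name the source of that expiry. "See the section above" would be sturdier as a link to the heading it refers to.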