Git Server 6.2.1 on Windows Server 2016 / IIS 10 Active Directory Admin issue

[cally725]

Hi,

I was using GIT Server 5.0.1 without any problem on the same server and try to upgrade to GIT Server 6.2.1 now I can logon using Active Directory but it does not display my name and does not see me as Admin. So I cannot Create a new Repo.

I have the following configuration:

<add key="AuthenticationProvider" value="Cookies" />
<!--<add key="AuthenticationProvider" value="Windows" />-->
<!--<add key="AuthenticationProvider" value="Federation" />-->

<!--<add key="MembershipService" value="Internal" />-->
<add key="ImportWindowsAuthUsersAsAdmin" value="false" />

<add key="MembershipService" value="ActiveDirectory" />
<add key="ActiveDirectoryDefaultDomain" value="exfo.com" />
<add key="ActiveDirectoryBackendPath" value="~\App_Data\ADBackend" />
<add key="ActiveDirectoryMemberGroupName" value="SPMOCDI01_Git_Users" />
<add key="ActiveDirectoryTeamMapping" value="Software=SPMOCDI01_Git_Users" />
<add key="ActiveDirectoryRoleMapping" value="Administrator=SPMOCDI01_Git_Admins" />

Any idea ?

Thanks

[willdean]

There is definitely some problem with admins on some AD configurations in the current version which we have not been able to get to the bottom of.

Could you please go to /home/diagnostics (you need to do that on the server itself, you can't do it remotely) and post the results here.

You could also have a look in app_data\logs at the latest log and see if there's anything helpful in there.

There has been some other work about AD admin problems on #706 which you might want to look through.

[cally725]

I have a Windows installation so the /home/diagnostics directory does not exist. Here is the log file in App_Data

log-20170710.txt

[willdean]

Thanks for the log. http://<your server/home/diagnostics is a page of info that is generated dynamically - it's not a directory.

[cally725]

Ha ok thanks for the info!!

Here is the log info: HomeDiagnostic.txt

[willdean]

@cally725 Would you mind trying the version from here:

https://ci.appveyor.com/api/buildjobs/p50rt74umb0lxdu7/artifacts/bonobo-git-server-9362483-f7601420526ad05e548a32bb5c9b3389dd6bd2cf.zip

[willdean]

@cally725 Also make sure you do have some users that are in the group SPMOCDI01_Git_Users - the admins need to be in that group AND the admin group.

[cally725]

Ok I will try the new server.

I am pretty sure that the SPMOCDI01 user and admin setup is good because if I use the GIT server 5.01 it is working fine

[cally725]

Ok just installed your new server, with same result, here is the home diag info HomeDiag.txt

[willdean]

@cally725 OK - the logs show that there are a bunch of failures trying to talk to some domain servers (e.g SPBGDCL02.exfo.com) - there is different behaviour to earlier versions around searching for multiple domain servers, and this seems to cause people some problems - you may find that new version is helpful.

There have been many changes since 5.01 both in terms of code and of personnel, and not of that has been of the highest quality, so we're still trying to get things improved. Unfortunately AD is very difficult to test (even a simple setup) and there are many possible complex setups, so unfortunately we do rather rely on help from users with this.

That you had a setup which did work and now doesn't should be very helpful, if you can stick with us on sending logs.

[cally725]

Sure I'am available to help with the debugging :-)

[cally725]

I will put back the version 5.01 and send you the home diag info

[willdean]

@cally725 There's no diagnostic info in 5.01, nor much useful logging

[cally725]

Oupsss with the version 5.01 the /home/diagnoistics page does not seems to be available. Neither the App_Data\logs directory ?

[cally725]

Ha OK :-(

[willdean]

@cally725 I've just pushed a change to PR #706 (which is where that new version you just tried comes from) when that's finished building you'll be able to try the result of that build which might help.

[cally725]

Ok Thanks let me know...

[willdean]

Sorry for the delay, it's now at https://ci.appveyor.com/api/buildjobs/6ugl6qoampu240y0/artifacts/bonobo-git-server-9615063-6bfc5aea74bb47f3cdc60f0ac517fc275e1a100d.zip

[cally725]

Ok let me try.,..

[cally725]

Ok just try it, same behavior, here is the /home/diag log

HomeDiag.txt

[larshg]

Maybe we need to search for userprinciple with the upn name if available - and not just the 'IdentityType.SamAccountName' ?

Because it currently doesn't find the users on the supplied domain?

@cally725 do you know if the users shouldn't have the 'samaccountname'?

[cally725]

More info on my groups, in case it can help:

GroupNames.txt

[cally725]

and I am chrall1

[larshg]

Somehow de look for christian.ally etc?

[cally725]

Yes I know and it should probably look for christian.ally@exfo.com to get chrall1 mapping ?

[larshg]

Yes, ør just look for chrall1 which I think is your samaccountname :-)

[cally725]

The AD server config must be good because it is working fine with Git Server 5.01 and it is not working with Git Server 6.2.1.606 ? So there seems to be something in the GIT server that is not working for AD ?

[larshg]

Yes, there is a bug. I have asked @willdean to do some chances. We will have to wait for him.

[cally725]

Yes sure... no problem!

[willdean]

@cally725 It's building now on #706

[willdean]

@cally725 Please try the version at https://ci.appveyor.com/api/buildjobs/sstb0kpxw7qb5jvo/artifacts/bonobo-git-server-9617784-1fa5821d3a637beceb31d3fb03660cea080497e1.zip

[cally725]

Ok just try it, same behavior, here is the /home/diag log

HomeDiag.txt

[larshg]

@cally725 can you set the logging to verbose for serenity log in webconfig and run again?

[cally725]

do you mean this ? add key="serilog:minimum-level" value="Verbose"

[larshg]

Yes

[cally725]

New log file with Verbose on HomeDiag.txt

[willdean]

@larshg When it's doing the new get-by-UPN, should it pass in the full name (e.g. alex.gagne@exfo.com) rather than the stripped name alex.gagne ?

[cally725]

It is also weird that my name christian.ally@exfo.com does not appear in the list of trial ?

[larshg]

I would believe both should work, but normally it is the complete form. However de ask for it in update user. Not sure if it is stripped somehow...

[willdean]

@larshg I've just pushed a change to use the full name when doing a UPN lookup

[larshg]

@cally725 the dianostic only tales a limited part of the full log. If you look in this tour name should be there :-)

[cally725]

Indeed :-)

[larshg]

@willdean cool - lets ser if this makes it work ;-)

[cally725]

I need to leave for the day, I will try it tomorrow morning...

[willdean]

@cally725 No prob - thanks for your help - new version is at https://ci.appveyor.com/api/buildjobs/5qq0y27dxi2273qk/artifacts/bonobo-git-server-9619407-9ba0ec9eea7dd155a66cfa034fa1a62587ff9940.zip when you're ready.

[cally725]

Ho! Ho! I think we have a Winner :-)

Version 6.2.1.608 is working now.

Here is the log file

HomDiag.txt

Thanks you so much!!

[larshg]

@cally725 thats great to hear! Thanks for helping with tests.

[cally725]

Should I use this debug version on my production site or should I wait for a new official version ?

[willdean]

@cally725 The 'debug' version should be fine - it's been built using the same process as an 'official' version, and it's not a lot different to 6.2.1.

I am trying to see if we can get anyone else to try this set of changes too before we merge them.