AD Authentication – Kestrel Kernel Mode: “Sign in with Domain” Requires Octopus Display Names Match AD SAM or UPN #9932

@Clare-Octopus

Description

Severity

Not blocking users, as they can just change the display name, but if a customer has lots of users to change this may be cumbersome.

Version

2024.4.7147 and 2026.1.11242 - Not Applicable to Octopus Cloud

Latest Version

I could reproduce the problem in the latest build

What happened?

If an Octopus user's account Display Name does not match either the SAM Account Name or the UPN of the linked AD account, as shown in Active Directory, users will get an error similar to the one below when the Octopus server is set to use Kestrel Authentication Mode and you try to sign in to Octopus using the Sign in with domain button.

{
  "ErrorMessage": "There was a problem with your request.",
  "Errors": [
    "A principal identifiable by '<displaynamevalue>' was not found in '<nameofdomain>'"
  ],
  "ParsedHelpLinks": [],
  "Details": {}
}

Non-working configuration:

Image


To get this working for users, the Octopus user account Display Name needs to match either the SAM Account Name or UPN of the linked AD account, so in the example screenshot above the display name could be either of the two below:

Karosa
Karosa@octo.domain

Switching the Kernel mode to httpsys will work with differing display names, so Kestrel seems to be a lot more selective with its need to match Octopus user attributes to their AD ones.

Reproduction

  1. Have an Octopus instance set up to use Active Directory Authentication.
  2. Ensure the Octopus server is using httpsys Kernel Mode - this is used as the default.
  3. Have a user account with the display name the same as the AD SAM Account Name or UPN, with Octopus permissions to edit Octopus user accounts.
  4. Create a new user account in Octopus and link that to an AD account; ensure the user account in Octopus has a different display name to its AD SAM Account Name or UPN.
  5. Try signing in with the domain button with the new user account created in step 4 - this should work fine and allow the user to log on.
  6. Switch the Octopus server kernel mode to Kestrel and restart the Octopus server service.
  7. Clear the cookies and cache on the browser to ensure new logon tokens are generated and try logging in with the same user account we created in step 4. See the error saying that the principal was not found.
  8. Log on to the Octopus server using the account from step 3, which should allow you to log on since it's got the same display name as one of the AD attributes.
  9. Change the display name of the account we created in step 4 to match either the SAM Account Name or UPN of the linked AD account.
  10. Clear the cookies and cache on the browser again and log on with the account from step 4. Note you can now log on.

Error and Stacktrace

{
  "ErrorMessage": "There was a problem with your request.",
  "Errors": [
    "A principal identifiable by '<displaynamevalue>' was not found in '<nameofdomain>'"
  ],
  "ParsedHelpLinks": [],
  "Details": {}
}

More Information

Customer Ticket (Internal) - https://octopuscd.zendesk.com/agent/tickets/185403
RnD thread (Internal) - https://octopusdeploy.slack.com/archives/CNHBHV2BX/p1773854321840099

Workaround

To get this working for users, the Octopus user account's Display Name needs to match either the SAM Account Name or UPN, so in the example screenshot from the description on this issue, the display name could be either of the two below:

Karosa
Karosa@octo.domain

All user account display names will need to match one of the AD attributes mentioned to allow them to log on with the domain button.

Users should be able to log on via the forms section if that is enabled; display names don't need to match in this configuration.
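An audit for the workaround above, added here as an example and not part of the original issue or of Octopus's own code: it lists users whose display name equals neither the SAM Account Name nor the UPN, so they can be renamed before the server is switched to Kestrel. The CSV layout, its column names and the sample rows are constructed assumptions; how the export is produced is left to the reader.

```python
import csv
import io

# Constructed sample export, not data from the issue. The column names are
# hypothetical: one row per Octopus user plus the linked AD account's attributes.
SAMPLE_CSV = """display_name,sam,upn
Karosa,Karosa,Karosa@octo.domain
karosa@OCTO.DOMAIN,Karosa,Karosa@octo.domain
Kara Osa,Karosa,Karosa@octo.domain
Build Admin,,
J. Smith,jsmith,jsmith@octo.domain
"""


def audit_display_names(csv_text):
    """List users whose display name is neither the SAM account name nor the UPN."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        display = (row.get("display_name") or "").strip()
        accepted = [v.strip() for v in (row.get("sam"), row.get("upn")) if v and v.strip()]
        if not accepted:
            continue  # no linked AD account, so the domain button does not apply
        if display in accepted:
            continue  # exact match: the condition the issue says works
        # Assumption: AD resolves names case-insensitively, so a case-only
        # difference is reported separately for review rather than as a mismatch.
        folded = {v.casefold() for v in accepted}
        status = "case-only" if display.casefold() in folded else "mismatch"
        findings.append({"display_name": display, "status": status, "rename_to": accepted})
    return findings


if __name__ == "__main__":
    for f in audit_display_names(SAMPLE_CSV):
        print(f"{f['status']:9}  {f['display_name']!r} -> one of {f['rename_to']}")
```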


Labels: kind/bug (This issue represents a verified problem we are committed to solving)
