Some errors may not get passed in the response when using HTTP.sys kernel mode auth

[donnybell]

Severity

No response

Version

Confirmed in 2025.4.10338

Latest Version

None

What happened?

Some errors may not get passed in the response when using HTTP.sys kernel mode auth.

Example:
When attempting to login to Octopus with the Sign in with a Domain SSO button, you may receive a 500 error. However, after enabling Octopus.Server.exe configure --webServer=Kestrel and leaving all other settings the same, the response will include an error, such as:

{
   "ErrorMessage": "There was a problem with your request.",
   "Errors": [
      "Expiration cannot exceed maximum session duration"
   ],
   "ParsedHelplinks": []
   "Details": {}
}

Reproduction

1. Setup an Octopus instance with AD using --webServer=httpsys and NTLM
2. Change the Maximum Session Duration to a small value such as 3600
3. Attempt to log in via the Sign in with a Domain SSO button
4. You should then get a 500 error instead of a 302 redirect
5. Stop the Octopus Server and enable --webServer=Kestrel
6. Start the Octopus Server, attempt to log in via the Sign in with a Domain SSO button, then you should see the error message

Workaround

Temporarily enabling Kestrel may reveal additional errors that aren't revealed when using httpsys.