0 votes

Hello, after upgrading to 2014.1 the web interface is throwing lots warnings pertaining to groups:

Failed to build a list of groups, in which user 'Some.Person@domain.local' is a member. Could not resolve the following SIDs to group names: S-1-5-21-839522115-764733703-1644491937-81658, S-1-5-21-839522115-764733703-1644491937-48116, S-1-5-21-839522115-764733703-1644491937-44274, S-1-5-21-839522115-764733703-1644491937-50924, S-1-5-21-839522115-764733703-1644491937-69607, S-1-5-21-839522115-764733703-1644491937-44512, S-1-5-21-839522115-764733703-1644491937-43470, S-1-5-21-839522115-764733703-1644491937-50634, S-1-5-21-839522115-764733703-1644491937-49538, S-1-5-21-839522115-764733703-1644491937-72829, S-1-5-21-839522115-764733703-1644491937-46713, S-1-5-21-839522115-764733703-1644491937-53108, S-1-5-21-839522115-764733703-1644491937-53875, S-1-5-21-839522115-764733703-1644491937-63335, S-1-5-21-839522115-764733703-1644491937-35161, S-1-5-21-839522115-764733703-1644491937-65624, S-1-5-21-839522115-764733703-1644491937-67917, S-1-5-21-839522115-764733703-1644491937-55607, S-1-5-21-839522115-764733703-1644491937-55086, S-1-5-21-839522115-764733703-1644491937-67118, S-1-5-21-839522115-764733703-1644491937-63273, S-1-5-21-839522115-764733703-1644491937-36110, S-1-5-21-839522115-764733703-1644491937-39945, S-1-5-21-839522115-764733703-1644491937-71177, S-1-5-21-839522115-764733703-1644491937-39936, S-1-5-21-839522115-764733703-1644491937-46694, S-1-5-21-839522115-764733703-1644491937-39485, S-1-5-21-839522115-764733703-1644491937-21232, S-1-5-21-839522115-764733703-1644491937-81853, S-1-5-21-839522115-764733703-1644491937-1145, S-1-5-21-839522115-764733703-1644491937-21338, S-1-5-21-839522115-764733703-1644491937-77626, S-1-5-21-839522115-764733703-1644491937-49966.
Access control rules defined for the Web Interface installed in 'C:\Program Files\Softerra\Adaxes 3\Web Interface\SelfService\' may function incorrectly.

Everything seems to working correctly thus far, but the Adaxes logs on the web server are getting very noisy with these warnings. :)

Has anyone else experienced this? Any ideas?

by (350 points)

1 Answer

0 votes
by (216k points)

Hello,

The issue occurs because you've allowed/denied access to the Web interface for Self-Service to certain groups (as described in this tutorial), and the user who is trying to logon to the Web Interface does not have sufficient permissions to view all or some of those groups. The permissions to view the groups must be granted by native AD security, not Adaxes Security Roles.

The thing is that when a user tries to log in to the Web Interface, Adaxes needs to check whether the user has sufficient permissions to access it. For this purpose, if any groups are specified on the Access Control tab (see step 4 of the above tutorial), Adaxes needs to check whether the user belongs to any of the specified groups, for which purpose Adaxes needs to resolve the SIDs of the groups. Adaxes resolves the group SIDs using the credentials of the user who is trying to log in, and thus the user should have sufficient permissions to view them.

The consequences of such errors are as follows:

  • If a user is a member of a group or groups that are allowed access to the Web Interface, but the groups cannot be resolved, the user will be denied access to the Web interface.
  • If a user is a member of a group or groups that are denied access to the Web Interface, but the groups cannot be resolved, the user will be allowed access to the Web interface.
0

I'm not sure that's it. In the case of the Self Service site, we allow only "Domain Users" and one other group. I've confirmed that the permissions are fine on both groups. Regardless, there are a lot of SIDs in that list whereas we've only specified two groups in the allow list.

I've also just logged in with my domain admin creds, and got the same error in event log.

Any other ideas?

0

Hello,

Sorry if my previous post mislead you. The error message means that it was not possible to resolve some of the groups in which the user who is trying to login is a member of. In case with your domain admin account, this means that it was not possible to resolve some groups that the account is a member of (including direct and indirect membership).

What you can do to troubleshoot is:

  1. Find all the groups that your domain admin account is a member of (including indirect membership).
  2. Locate the groups whose SIDs were specified in the error message when you tried to login to the Web interface with your domain admin account.
  3. Check whether you can view the groups in ADUC when logged in as your domain admin user account.
0

It looks like the SIDs aren't from our domain, but from another within the same forest. To resolve, I'll need to engage my counterpart in another organization.

What changed between 2013.1 and 2014.1? Looking at Event Log, these warnings were definitely not around before we upgraded. Is there away to stop it from looking at groups outside the domain that it resides in? Sifting through these groups in the other domain will take quite some time.

Thanks!

0

Hello,

The warning didn't appear in Event Logs before the upgrade because we've added it only in version 2014.1 for troubleshooting purposes.

Is there away to stop it from looking at groups outside the domain that it resides in? Sifting through these groups in the other domain will take quite some time.

No, however there is a way to avoid setting up access control rules for the Web Interface.

The thing is that in the Web Interface, users will be able to perform only the operations they have sufficient permissions for. The operations that users are allowed to perform are controlled with the help of Security Roles. You can adjust Security Roles in such a manner that users have access only to the operations they need, and nothing else. If Security Roles are adjusted appropriately, users won't be able to perform any operations that would not fit within the scope of their job role. In this case, you can allow access to the Web Interface to all users and groups, and the Web interface will not try to resolve the groups where that user who signs in is a member.

Related questions

0 votes
0 answers

Hi, we recently upgraded to version 2013.1. Everything was working fine. We have multiple websites and noticed, that on custom websites, newly created Active Directory filters do ... THE OU object does not exist". It is a know error? Thanks Regards, Andreas

asked May 30, 2013 by andreasaster (20 points)
0 votes
1 answer

We are in the process of updating our Active Directory Domain Controllers to server 2022 and the Domain/Forest function level. Our concern is that we still have Adaxes ... version of Windows server for our DCs and the Domain/Forest function level of 2016?

asked Oct 11, 2023 by sphoeinix (20 points)
0 votes
1 answer

Hi all, we switched from an exchange hybrid model to online only. So we turned off our on-prem exchange server. After some tries we faced the following problem: After ... Will Adaxes recognize that there is no on-prem anymore? Thank you for helping us!

asked Nov 16, 2022 by robin.christmann (160 points)
0 votes
1 answer

I'm moving from 2013.1 (on Server 2008 R2) to 2014.1 (on Server 2012 R2) and am going from a single server to 2 new servers and will shut down the 2013 ... be updated properly if their target object is moved or renamed. Would another reboot fix this possibly?

asked Aug 26, 2014 by danftasc (440 points)
0 votes
1 answer

Hi, I installed a new adaxes 2014.1 server and restore web interfaces from another server in 2013.2 When I uncheck Operations in Customize Operations windows, there is no ... fine on my 2 others Adaxes servers (in 2013.2) Thanks in advance Regards Sebastien

asked May 7, 2014 by smasset (740 points)
3,526 questions
3,217 answers
8,197 comments
547,625 users