Warnings and Errors After 2014.1 Upgrade

Question

Hello, after upgrading to 2014.1 the web interface is throwing lots warnings pertaining to groups:

Failed to build a list of groups, in which user 'Some.Person@domain.local' is a member. Could not resolve the following SIDs to group names: S-1-5-21-839522115-764733703-1644491937-81658, S-1-5-21-839522115-764733703-1644491937-48116, S-1-5-21-839522115-764733703-1644491937-44274, S-1-5-21-839522115-764733703-1644491937-50924, S-1-5-21-839522115-764733703-1644491937-69607, S-1-5-21-839522115-764733703-1644491937-44512, S-1-5-21-839522115-764733703-1644491937-43470, S-1-5-21-839522115-764733703-1644491937-50634, S-1-5-21-839522115-764733703-1644491937-49538, S-1-5-21-839522115-764733703-1644491937-72829, S-1-5-21-839522115-764733703-1644491937-46713, S-1-5-21-839522115-764733703-1644491937-53108, S-1-5-21-839522115-764733703-1644491937-53875, S-1-5-21-839522115-764733703-1644491937-63335, S-1-5-21-839522115-764733703-1644491937-35161, S-1-5-21-839522115-764733703-1644491937-65624, S-1-5-21-839522115-764733703-1644491937-67917, S-1-5-21-839522115-764733703-1644491937-55607, S-1-5-21-839522115-764733703-1644491937-55086, S-1-5-21-839522115-764733703-1644491937-67118, S-1-5-21-839522115-764733703-1644491937-63273, S-1-5-21-839522115-764733703-1644491937-36110, S-1-5-21-839522115-764733703-1644491937-39945, S-1-5-21-839522115-764733703-1644491937-71177, S-1-5-21-839522115-764733703-1644491937-39936, S-1-5-21-839522115-764733703-1644491937-46694, S-1-5-21-839522115-764733703-1644491937-39485, S-1-5-21-839522115-764733703-1644491937-21232, S-1-5-21-839522115-764733703-1644491937-81853, S-1-5-21-839522115-764733703-1644491937-1145, S-1-5-21-839522115-764733703-1644491937-21338, S-1-5-21-839522115-764733703-1644491937-77626, S-1-5-21-839522115-764733703-1644491937-49966.
Access control rules defined for the Web Interface installed in 'C:\Program Files\Softerra\Adaxes 3\Web Interface\SelfService\' may function incorrectly.

Everything seems to working correctly thus far, but the Adaxes logs on the web server are getting very noisy with these warnings. :)

Has anyone else experienced this? Any ideas?

Answer 1

Hello,

The issue occurs because you've allowed/denied access to the Web interface for Self-Service to certain groups (as described in this tutorial), and the user who is trying to logon to the Web Interface does not have sufficient permissions to view all or some of those groups. The permissions to view the groups must be granted by native AD security, not Adaxes Security Roles.

The thing is that when a user tries to log in to the Web Interface, Adaxes needs to check whether the user has sufficient permissions to access it. For this purpose, if any groups are specified on the Access Control tab (see step 4 of the above tutorial), Adaxes needs to check whether the user belongs to any of the specified groups, for which purpose Adaxes needs to resolve the SIDs of the groups. Adaxes resolves the group SIDs using the credentials of the user who is trying to log in, and thus the user should have sufficient permissions to view them.

The consequences of such errors are as follows:

• If a user is a member of a group or groups that are allowed access to the Web Interface, but the groups cannot be resolved, the user will be denied access to the Web interface.
• If a user is a member of a group or groups that are denied access to the Web Interface, but the groups cannot be resolved, the user will be allowed access to the Web interface.

Comments

I'm not sure that's it. In the case of the Self Service site, we allow only "Domain Users" and one other group. I've confirmed that the permissions are fine on both groups. Regardless, there are a lot of SIDs in that list whereas we've only specified two groups in the allow list.

I've also just logged in with my domain admin creds, and got the same error in event log.

Any other ideas?

---

Hello,

Sorry if my previous post mislead you. The error message means that it was not possible to resolve some of the groups in which the user who is trying to login is a member of. In case with your domain admin account, this means that it was not possible to resolve some groups that the account is a member of (including direct and indirect membership).

What you can do to troubleshoot is:

1. Find all the groups that your domain admin account is a member of (including indirect membership).
2. Locate the groups whose SIDs were specified in the error message when you tried to login to the Web interface with your domain admin account.
3. Check whether you can view the groups in ADUC when logged in as your domain admin user account.

---

It looks like the SIDs aren't from our domain, but from another within the same forest. To resolve, I'll need to engage my counterpart in another organization.

What changed between 2013.1 and 2014.1? Looking at Event Log, these warnings were definitely not around before we upgraded. Is there away to stop it from looking at groups outside the domain that it resides in? Sifting through these groups in the other domain will take quite some time.

Thanks!

---

Hello,

The warning didn't appear in Event Logs before the upgrade because we've added it only in version 2014.1 for troubleshooting purposes.

Is there away to stop it from looking at groups outside the domain that it resides in? Sifting through these groups in the other domain will take quite some time.

No, however there is a way to avoid setting up access control rules for the Web Interface.

The thing is that in the Web Interface, users will be able to perform only the operations they have sufficient permissions for. The operations that users are allowed to perform are controlled with the help of Security Roles. You can adjust Security Roles in such a manner that users have access only to the operations they need, and nothing else. If Security Roles are adjusted appropriately, users won't be able to perform any operations that would not fit within the scope of their job role. In this case, you can allow access to the Web Interface to all users and groups, and the Web interface will not try to resolve the groups where that user who signs in is a member.