We authenticate against AD and everything was working fine until we upgraded from 2.3.6 to 2.4.5. The server worked fine immediately after the upgrade, which we performed yesterday; however, this morning users are greeted with the message "You must be logged in to perform this action. Please provide a valid API key or log in again." and the following is appearing in the logs:
System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups. The group's SID could not be resolved.
at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids)
at System.DirectoryServices.AccountManagement.SidList..ctor(SID_AND_ATTR[] sidAndAttr)
at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
at Octopus.Server.Web.Infrastructure.Authentication.ActiveDirectoryMembership.GetMemberExternalSecurityGroupIds(String username) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\ActiveDirectoryMembership.cs:line 101
at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalCache.LoadAndCache(IDocumentSession session, User user, String cacheKey, String establishedWith) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\OctopusPrincipalCache.cs:line 117
at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalCache.GetPrincipal(IDocumentSession session, Guid identificationToken) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\OctopusPrincipalCache.cs:line 86
at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalEstablisher.GetPresentedUserIdentity(NancyContext context) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\OctopusPrincipalEstablisher.cs:line 102
at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalEstablisher.EstablishPrincipalForRequest(NancyContext context) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\OctopusPrincipalEstablisher.cs:line 43
Any idea what’s causing this?
Does the account that Octopus runs under need any more permissions on AD than it did previously? Is there a setting we need to adjust? Is there some old cached permissions data that needs flushing?
Any help greatly appreciated. Thanks.