Error after upgrading 2.3.6 -> 2.4.5: An error (1301) occurred while enumerating the groups. The group's SID could not be resolved

We authenticate against AD and everything was working fine until we upgraded from 2.3.6 to 2.4.5. The server worked fine immediately after the upgrade, which we performed yesterday; however, this morning users are greeted with the message "You must be logged in to perform this action. Please provide a valid API key or log in again." and the following is appearing in the logs:

System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups.  The group's SID could not be resolved.
   at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids)
   at System.DirectoryServices.AccountManagement.SidList..ctor(SID_AND_ATTR[] sidAndAttr)
   at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
   at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
   at Octopus.Server.Web.Infrastructure.Authentication.ActiveDirectoryMembership.GetMemberExternalSecurityGroupIds(String username) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\ActiveDirectoryMembership.cs:line 101
   at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalCache.LoadAndCache(IDocumentSession session, User user, String cacheKey, String establishedWith) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\OctopusPrincipalCache.cs:line 117
   at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalCache.GetPrincipal(IDocumentSession session, Guid identificationToken) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\OctopusPrincipalCache.cs:line 86
   at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalEstablisher.GetPresentedUserIdentity(NancyContext context) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\OctopusPrincipalEstablisher.cs:line 102
   at Octopus.Server.Web.Infrastructure.Authentication.OctopusPrincipalEstablisher.EstablishPrincipalForRequest(NancyContext context) in y:\work\db516cd4dfb6f424\source\Octopus.Server\Web\Infrastructure\Authentication\OctopusPrincipalEstablisher.cs:line 43

Any idea what’s causing this?

Does the account that Octopus runs under need any more permissions on AD than it did previously? Is there a setting we need to adjust? Is there some old cached permissions data that needs flushing?

Any help greatly appreciated. Thanks.

Fixed.

Turns out the instance was connecting to a Windows Server 2012 hosted Domain Controller for the first time and hitting the bug mentioned in this knowledge base article:

http://support.microsoft.com/kb/2830145

Applying the hotfix to the machine that runs Octopus fixed the issue.

T.

Hi Tom,

Glad this is resolved and thanks for sharing the solution!

Paul