Hi Ollie/Joel
We’re refactoring the ldap sync code to remove the use of linq so we can actually see where the error is occurring, and adding more error handling and logging. We’re also going to log when the unauthorised error occurs so we can see a) who continua thinks you are and b) what permissions you have. We should have another build in an hour or two.
Joel
Any chance you can provide remote access to your server so I can see what is happening (since you are ‘local’ to us)? If so either give me a call on 0262827488 or email support@finalbuilder.com
Hi Olli
I have uploaded build 1111. We rewrote the ldap sync method so that it doesn't use linq, and we handle exceptions inside the iterations now (and log them), so even when this error occurs it should continue syncing. We're still investigating the actual cause of the error; there doesn't seem to be a whole lot of information out there about the error.
32-bit Continua Server Installer
Oh, I forgot to mention that it should still log any ldap sync errors to the windows event log.
Hi,
We installed the build 1111 and did some testing.
With the setup in stage 3 of my previous message, the result was identical for the login attempt: redirection to the unauthenticated page and no errors output to the event log.
With the setup in stage 1 (empty groupsContainer attribute) the result from a login attempt was the same (redirect to the unauthenticated page). The following error was emitted to the event log:
Could not synchronize with Ldap domain 'qpr.com' and groups container . Getting all ldap groups
Sync status : While trying to resolve a cross-store reference, the target principal could not be found in the domain indicated by the principal's SID.
Synchronization will be attempted again in 30 minutes.
Stack Trace :
at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at Continua.Membership.Ldap.LdapGroup.GetMembersWithInheritanceGroups(GroupPrincipal group, Boolean includeInheritedGroupName)
at Continua.Membership.Ldap.LdapGroup.RetrieveAll()
at Continua.Membership.Ldap.LdapSynchronizer.Execute()
It’s failing while iterating through the groups. We’re doing more refactoring/logging/error handling work again to try and narrow down the problem. FWIW, you probably don’t need the container, unless your domain admins have separated the groups into containers and your continua admin users group is in a specific container.
Hi,
According to our ICT people we do have groups segregated into their own organizational unit, so I'd expect that we actually need the container.
The more interesting question now is therefore why Continua does not give any errors from the LDAP/AD sync, suggesting that the sync does work, but still won't allow us to log in.
Hi Olli
I have uploaded build 1124, which has more logging and exception handling.
32-bit Continua Server Installer
64-bit Continua Server Installer
I suspect when you specify a container, continua is not finding the admin group or any other groups that cause the error. Dave added more checks today so that it will log to the eventlog if the admin group is not found or if the admin group is empty.
Hello,
We tested with the build 1124 and the results were:
With an empty groupsContainer attribute the following exceptions were emitted to the system event log:
Error while retrieving group membership. Status: Iterating through group members. Message: Exception: PrincipalOperationException
Message: While trying to resolve a cross-store reference, the target principal could not be found in the domain indicated by the principal's SID.
Stack Trace: at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at Continua.Membership.Ldap.LdapGroup.GetMembersWithInheritanceGroups(GroupPrincipal group, Boolean includeInheritedGroupName)
and
Error while retrieving group membership. Status: Iterating through group members. Message: Exception: PrincipalOperationException
Message: While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is 1332.
Stack Trace: at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at Continua.Membership.Ldap.LdapGroup.GetMembersWithInheritanceGroups(GroupPrincipal group, Boolean includeInheritedGroupName)
When the groupsContainer attribute was populated with the correct data there were no exceptions emitted, but still the login failed with same symptoms as before.
Apparently the forum didn’t like the formatted exception output. Here are the exceptions entirely:
Error while retrieving group membership. Status: Iterating through group members. Message: Exception: PrincipalOperationException
Message: While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is 1332.
Stack Trace: at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at Continua.Membership.Ldap.LdapGroup.GetMembersWithInheritanceGroups(GroupPrincipal group, Boolean includeInheritedGroupName)
Error while retrieving group membership. Status: Iterating through group members. Message: Exception: PrincipalOperationException
Message: While trying to resolve a cross-store reference, the target principal could not be found in the domain indicated by the principal's SID.
Stack Trace: at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at Continua.Membership.Ldap.LdapGroup.GetMembersWithInheritanceGroups(GroupPrincipal group, Boolean includeInheritedGroupName)
Hi Ollie,
Thanks for the exception report. This has helped us to identify the line of code when the exception is occurring. It appears that a member of one of the groups on your domain has an invalid SID and this is causing an exception to be thrown when iterating through the groups members.
I have changed the code so that it will continue to iterate through the other members of the group when this error occurs. It will also log a message showing the name of the group and a list of all the member groups and users which were successfully retrieved. This may help to identify which member has an invalid SID.
I've uploaded a new build with these changes:
Regarding the issue when you specify a group container, can you confirm that the group defined as the administratorsGroup is located under the OU specified for groupContainer and that the user failing to log in is a member of this group?
Hi,
Yes, that is exactly the case.
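An added illustration of the two points in the support reply above (continuing past a member whose SID cannot be resolved, and working out which member it is). This is not Continua's code and was not posted by anyone in this thread. Background that is certain: System.DirectoryServices.AccountManagement represents members from another domain or forest as foreign security principals (objects under CN=ForeignSecurityPrincipals), resolves them by SID when you enumerate GetMembers(), and Win32 error 1332 is ERROR_NONE_MAPPED, i.e. no account could be found for that SID. The domain name and group name in Main are placeholders; the program needs references to System.DirectoryServices and System.DirectoryServices.AccountManagement (.NET Framework) and a machine joined to the domain.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class LdapGroupAudit
{
    // Enumerate the group's members, skipping (and counting) members the
    // AccountManagement layer cannot resolve, then look for the culprit.
    public static void Audit(string domainFqdn, string groupName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domainFqdn))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
        {
            if (group == null)
            {
                Console.WriteLine("Group not found: " + groupName);
                return;
            }

            int resolved = 0, skipped = 0;

            // A foreach loop cannot be used here: the stack traces in this
            // thread show the exception coming from the enumerator's Current
            // getter, which a foreach evaluates before the loop body runs, so a
            // try/catch inside the body never sees it. Drive the enumerator by hand.
            using (var members = group.GetMembers(false))
            using (var e = members.GetEnumerator())
            {
                while (e.MoveNext())
                {
                    Principal member;
                    try
                    {
                        member = e.Current;
                    }
                    catch (PrincipalOperationException ex)
                    {
                        skipped++;
                        Console.WriteLine("Skipped unresolvable member: " + ex.Message);
                        continue;
                    }
                    resolved++;
                    Console.WriteLine((member is GroupPrincipal ? "group " : "user  ") + member.SamAccountName);
                }
            }
            Console.WriteLine("resolved {0}, skipped {1}", resolved, skipped);

            // The enumerator cannot say which member failed, so fall back to the
            // raw 'member' attribute and test every foreign security principal.
            if (skipped > 0)
                ReportUnresolvableForeignPrincipals(group);
        }
    }

    static void ReportUnresolvableForeignPrincipals(GroupPrincipal group)
    {
        var entry = (DirectoryEntry)group.GetUnderlyingObject();

        // Caveat: 'member' is returned in ranges of 1500 on large groups; this
        // illustration only inspects the first range.
        foreach (string dn in entry.Properties["member"])
        {
            if (dn.IndexOf("CN=ForeignSecurityPrincipals", StringComparison.OrdinalIgnoreCase) < 0)
                continue;

            using (var fsp = new DirectoryEntry("LDAP://" + dn))
            {
                var sid = new SecurityIdentifier((byte[])fsp.Properties["objectSid"].Value, 0);
                try
                {
                    var account = (NTAccount)sid.Translate(typeof(NTAccount));
                    Console.WriteLine("ok    {0} -> {1}", dn, account.Value);
                }
                catch (IdentityNotMappedException)
                {
                    // Win32 1332 (ERROR_NONE_MAPPED): the account behind this SID no
                    // longer exists, or the trust to its domain is gone.
                    Console.WriteLine("STALE {0} (SID {1} does not resolve)", dn, sid.Value);
                }
                catch (SystemException ex)
                {
                    // e.g. the trusted domain is unreachable from this machine
                    Console.WriteLine("ERROR {0}: {1}", dn, ex.Message);
                }
            }
        }
    }

    static void Main(string[] args)
    {
        // Placeholders: pass your domain and the administrators group on the command line.
        string domain = args.Length > 0 ? args[0] : "office.company.local";
        string group = args.Length > 1 ? args[1] : "Continua Administrators";
        Audit(domain, group);
    }
}
```

Run it as a domain user on the Continua server. A line starting with STALE names a member DN whose SID no longer maps to anything; removing that member from the group (or from the groups it is nested in) is the usual fix for the cross-store reference errors quoted in this thread.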
Hi,
When testing build 1133 without the groupsContainer attribute the following 3 exceptions were emitted to the system event log:
Error adding group members to user and group member lists. Principal name: null. Message: Exception: PrincipalOperationException
Message: While trying to resolve a cross-store reference, the target principal could not be found in the domain indicated by the principal's SID.
Stack Trace: at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at Continua.Membership.Ldap.LdapGroup.GetMembersWithInheritanceGroups(GroupPrincipal group, Boolean includeInheritedGroupName)
Error adding group members to user and group member lists. Principal name: null. Message: Exception: PrincipalOperationException
Message: While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is 1332.
Stack Trace: at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at Continua.Membership.Ldap.LdapGroup.GetMembersWithInheritanceGroups(GroupPrincipal group, Boolean includeInheritedGroupName)
Error adding group members to user and group member lists. Principal name: null. Message: Exception: PrincipalOperationException
Message: While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is 1332.
Stack Trace: at System.DirectoryServices.AccountManagement.ADStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
at System.DirectoryServices.AccountManagement.ADUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, ADStoreCtx storeCtx)
at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.get_CurrentAsPrincipal()
at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.get_Current()
at Continua.Membership.Ldap.LdapGroup.GetMembersWithInheritanceGroups(GroupPrincipal group, Boolean includeInheritedGroupName)
Login to the system was still not successful, with the same issue as previously (redirect to the unauthenticated page with the message "The page you requested required permissions that you do not have, you can choose to login with an account that has the necessary permissions or go home.").
Behaviour when the groupsContainer attribute is supplied is unaltered, so we're still totally unable to use the system since upgrading to the build containing the new LDAP implementation.
Hi Ollie
Are you able to provide us with remote access to the server to help diagnose the issue?
Probably via GoToMeeting, for example. I’ll have to check internally. Do you have any additional debugging steps to be undertaken, or other items to be checked?
Hi Olli
Ok, here's something we can try. Stop the server service, then edit the Continua.Server.Service.exe.config file, uncomment this line and change the level to Debug.
<logger name="Continua.Shared.Logging.UdpLogger, Continua.Shared.Logging" level="Debug" />
Then start Continua.Diagnostics.exe, and then restart the service. Now attempt to login and watch what is displayed on the diagnostics console. It will scroll pretty quick as a lot of debug logging occurs at the moment. You should see something like this :
[5:12:08 PM] [Membership] Authenticating user with user name of 'vincent'.
[5:12:08 PM] [Membership] Authentication Mode is Forms
[5:12:08 PM] [Membership] User is vincent
[5:12:08 PM] [Membership] Authenticating
[5:12:08 PM] [Membership] Authenticated : True
It will have a few more entries because you are using ldap mode.
Hi Ollie,
I have put together a console application that runs through the LDAP membership functionality. You can download it from http://downloads.finalbuilder.com/d…aptest.zip
You can run this as administrator at a command prompt with the following syntax:
LdapTest.exe -log -fqdn office.company.local -administratorGroup “Continua Administrators” [-groupsContainer “OU=continua,DC=office,DC=company,DC=local”]
where “office.company.local” is replaced by your domain and “Continua Administrators” by a group containing your users. Omit the -groupsContainer for the first run then run again with the group container you were using previously.
The program will run through each group, checking access to its members, outputting status information to the console and pausing when an error occurs.
Make sure you use the -log option to write the output to ldaptest#.log. If you can then send the log files to support@finalbuilder.com, we’ll look through and see if we can find a clue to the cause of the issues. I understand that the files may contain sensitive information, so you may wish to search and replace some text as necessary or just provide copies of the sections where errors are logged. Here's the syntax again displayed correctly:
LdapTest.exe -log -fqdn office.company.local -administratorGroup "Continua Administrators" [-groupsContainer "OU=continua,DC=office,DC=company,DC=local"]
Unfortunately the utility reports “Unknown argument: qpr.com” when executed with our domain name as the -fqdn parameter.
Looks like a bug reading the parameters. Can you try putting the -log parameter at the end? Otherwise I’ll take another look at this tomorrow. E.g. Ldaptest.exe -fqdn qpr.com -administratorGroup "continua administrators" -log.