Cannot authenticate with Domain Account to ProfileUnity console installed on 2008R2 with 2012R2 Domain Controllers

Product: ProfileUnity-FlexApp

Product Version: 6.5+

Expires on: 365 days from publish date

Updated: April 27, 2016

 

Problem:

When I try to log in to the ProfileUnity console with a domain account, I get an error message:

"User was denied access"

 

Symptoms:

ProfileUnity console log (prou.log) shows:

 

2016-03-21 14:54:40 [28] DEBUG - System.DirectoryServices.AccountManagement.PrincipalOperationException: A referral was returned from the server.
 ---> System.DirectoryServices.DirectoryServicesCOMException: A referral was returned from the server.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
   at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
   at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
   at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
   at ProfileUnity.WindowsManagement.Security.Credentials.WindowsCredentialValidationService.InternalGetGroups3(PrincipalContext ctx, IWindowsCredentials windowsCredentials, IDictionary`2& groups)
2016-03-21 14:54:40 [28] DEBUG - Third Credential Validation Attempt Completed 57
2016-03-21 14:54:40 [28] INFO  - DirectorySearcher Created
2016-03-21 14:54:40 [28] DEBUG - Logged on user distinguished name: CN=user,OU=TrustedUsers,DC=domain,DC=ad,DC=local
2016-03-21 14:54:40 [28] INFO  - Failed using LDAP to get user groups.
System.DirectoryServices.DirectoryServicesCOMException (0x8007202B): A referral was returned from the server.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at ProfileUnity.WindowsManagement.Security.Credentials.WindowsCredentialValidationService.GetGroupsViaLdap(IWindowsCredentials windowsCredentials, IDictionary`2& groups)
2016-03-21 14:54:40 [28] DEBUG - Fourth Credential Validation Attempt Completed 247
2016-03-21 14:54:40 [28] ERROR - System.UnauthorizedAccessException: User was denied access.
   at ProfileUnity.WindowsManagement.Security.Credentials.WindowsCredentialValidationService.ValidateUser(IWindowsCredentials& windowsCredentials, String[] validGroups)
   at ProfileUnity.WindowsManagement.Security.Authentication.AuthenticationManager.Authenticate(String username, SecureString password)
   at ProfileUnity.WindowsManagement.Security.Authentication.AuthenticationManager.Authenticate(Stream contents)
   at ProfileUnity.Web.Modules.Main.LoginModule.PostAuthenticate()
2016-03-21 14:54:40 [28] ERROR - WebMessage Error: User was denied access.
2016-03-21 14:55:31 [31] INFO  - Authenticating user domain\user
2016-03-21 14:55:31 [31] DEBUG - PrincipalContext Completed 4
2016-03-21 14:55:31 [31] DEBUG - System.Security.Authentication.AuthenticationException: Logon failure: unknown user name or bad password.
 ---> System.DirectoryServices.DirectoryServicesCOMException: Logon failure: unknown user name or bad password.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
   at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
   at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
   at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
   at ProfileUnity.WindowsManagement.Security.Credentials.WindowsCredentialValidationService.InternalGetGroups1(PrincipalContext ctx, IWindowsCredentials windowsCredentials, IDictionary`2& groups)

 

Possible Resolution(s):

Cause: This issue occurs because SID S-1-18-1 and SID S-1-18-2 cannot be resolved on the computers.

Note: In Windows Server 2012, two new security principal SIDs are introduced to differentiate between proof of possession and Service-for-User-to-Self (S4U2Self) protocol transitions.

KB2830145 makes changes to parent components such as the following:

•amd64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_0.0.0.0_none_ddd6e6c2f223bc0f

•amd64_microsoft-windows-lsa_31bf3856ad364e35_0.0.0.0_none_26431bf35d52e5a2

•amd64_microsoft-windows-security-schannel_31bf3856ad364e35_0.0.0.0_none_a20edc3f55ca842d

•And many more.

The complete component store is re-evaluated to set the correct component dependencies, so the component store reverse-indexes the packages related to the files this KB changes.

KB2830145 contains binaries from 2013, so all changes from 2013 to date are re-evaluated. This is why the update takes a long time to install.

Resolution: We are not able to install update KB 2830145; we need to download and install KB 3097966.

We followed the steps below to resolve the issue:

Install KB3097966, as it contains all the binaries from KB2830145, and installing the LDR version of KB3097966 will address the vulnerabilities of KB2830145.

o Download KB3097966 on the C Drive.

o Open an Elevated command prompt.

o md C:\expandmsu

o md C:\expandcab

o Expand -f:* C:\Windows6.1-KB3097966-x64.msu C:\expandmsu

o Expand -f:* C:\expandmsu\Windows6.1-KB3097966-x64.cab C:\expandcab

o pkgmgr /ip /m:C:\expandcab\update-bf.mum

Restart the Windows 2008 R2 server where ProfileUnity console is installed.
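
To confirm the cause before patching and to verify the fix after the restart, the check below can be run on the console server. It is an added example, not part of the original article or the vendor's tooling; it assumes Windows PowerShell 2.0 or later and that the updates, if installed, are reported by Get-HotFix.

```powershell
# Added example (not from the original article): test whether the two
# Windows Server 2012 well-known SIDs named in the Cause section resolve
# on this machine, and whether either KB from the article is reported.

$sids = 'S-1-18-1', 'S-1-18-2'   # SIDs taken from the article

$sidResults = foreach ($s in $sids) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $s
    try {
        # Translate() asks LSA to map the SID to an account name.
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        New-Object PSObject -Property @{ SID = $s; Resolved = $true; Name = $name }
    }
    catch {
        # PowerShell wraps .NET exceptions; inspect the innermost one.
        $base = $_.Exception.GetBaseException()
        if ($base -isnot [System.Security.Principal.IdentityNotMappedException]) {
            throw   # some other failure: do not report it as "unresolved"
        }
        New-Object PSObject -Property @{ SID = $s; Resolved = $false; Name = $null }
    }
}

# KB numbers taken from the article. Assumption: Get-HotFix lists them
# when they are installed on this server.
$kbs = Get-HotFix -Id 'KB2830145', 'KB3097966' -ErrorAction SilentlyContinue

$sidResults | Format-Table SID, Resolved, Name -AutoSize

if ($kbs) {
    $kbs | Format-Table HotFixID, InstalledOn -AutoSize
} else {
    Write-Output 'Neither KB2830145 nor KB3097966 is reported as installed.'
}

$unresolved = @($sidResults | Where-Object { -not $_.Resolved })
if ($unresolved.Count -gt 0) {
    Write-Output 'One or more SIDs do not resolve: this matches the cause described above.'
} else {
    Write-Output 'Both SIDs resolve on this machine.'
}
```

If both SIDs resolve and the console still logs "A referral was returned from the server", the cause lies elsewhere and the prou.log entries should be reviewed again.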

 

https://support.microsoft.com/en-in/kb/2830145

https://support.microsoft.com/en-in/kb/3097966
