[HELP] Group membership lookup error #253
Comments
@severinscheidegger-fl it sounds like there are some changes made in the AD to the default permissions. Have you done any domain hardening activities? It's trying to bind to the directory to read the membership of the Pre-Windows 2000 Compatible Access group (perhaps even the schema), and being told that something about that doesn't exist. Note this check is running as the account you are running the UI as, so if you don't have permission to read these objects and attributes, then this could be causing the issue.
Thanks a lot for your reply. You were right, I was logging in as a non-DomainAdmin to the UI and as soon as I logged in as a Domain Admin, the checks were green. Is it standard practice to log in as a domain admin, or should other users/admins normally be able to have permission to read these objects too? And is that affecting only the ability to see the checkmarks green, since the rest is being run as the service account, or could it cause deeper functionality issues? Thanks and Regards, Severin
Hi Severin, if you add yourself to the Pre-Windows 2000 Compatible Access group, it should work. You don't need to be domain admin. However, it is just a helper screen. As long as the service account is in those groups, that is all that is needed for proper operation.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.
Hi Ryan, I see. Thanks a lot. Regards, Severin
Group membership lookup error
Good Day
I have installed the AMS on my server but am having a problem with the Active Directory Domain Permissions. Under the three groups (Windows Authorization Access Group, etc.) it says Group membership lookup error. I double-checked that the gMSA is in each required group. The necessary ports are open on the AMS server as well as on the DC. Restarting the AMS Service also didn't help. I've set up the Service Account with the provided script from the Installation Instructions and I've waited 10 hours. What could be the problem?
2025-02-06 11:02:32.3188|ERROR|Lithnet.AccessManager.Server.UI.ActiveDirectoryDomainPermissionViewModel|Group membership lookup error
System.Runtime.InteropServices.COMException (0x8007200A): Das angegebene Verzeichnisdienstattribut bzw. der angegebene Verzeichnisdienstwert ist nicht vorhanden. Translation: The specified directory service attribute or value does not exist
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
at Lithnet.AccessManager.Server.UI.ActiveDirectoryDomainPermissionViewModel.GroupExists(SecurityIdentifier groupSid) in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server.UI\ViewModels\ObjectWrapperViewModels\ActiveDirectoryDomainPermissionViewModel.cs:line 213
at Lithnet.AccessManager.Server.UI.ActiveDirectoryDomainPermissionViewModel.CheckP2kCaStatus() in D:\a\1\s\src\Lithnet.AccessManager\Lithnet.AccessManager.Server.UI\ViewModels\ObjectWrapperViewModels\ActiveDirectoryDomainPermissionViewModel.cs:line 181
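The replies in this thread separate two things: whether the account running the UI can read the built-in groups, and whether the service account is a member of them. The PowerShell below is an added example, not Lithnet Access Manager code, that reports both for the two groups named in the thread. It assumes the RSAT ActiveDirectory module is installed; the account name `svc-ams$` is a hypothetical placeholder, and only direct membership is checked.

```powershell
# Added example, not Lithnet Access Manager code. Requires the RSAT ActiveDirectory module.
param(
    # Hypothetical gMSA name; replace with your AMS service account.
    [string]$ServiceAccount = 'svc-ams$'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Well-known SIDs of the two built-in groups named in this thread.
$groups = [ordered]@{
    'Pre-Windows 2000 Compatible Access' = 'S-1-5-32-554'
    'Windows Authorization Access Group' = 'S-1-5-32-560'
}

# The reads below run as this identity, just as the UI check runs as the logged-in user.
$runningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$svc = Get-ADServiceAccount -Identity $ServiceAccount -ErrorAction Stop

foreach ($name in $groups.Keys) {
    $result = [ordered]@{
        Group           = $name
        Sid             = $groups[$name]
        RunningAs       = $runningAs
        ReadableByMe    = $false
        ServiceIsMember = $null     # stays unknown if the group cannot be read
        Error           = $null
    }
    try {
        # Look the group up by SID (the trace shows GroupExists taking a SecurityIdentifier).
        $g = Get-ADGroup -Identity $groups[$name] -Properties member -ErrorAction Stop
        $result.ReadableByMe    = $true
        # Direct membership only; nested membership is not expanded here.
        $result.ServiceIsMember = $g.member -contains $svc.DistinguishedName
    }
    catch {
        # A failure here concerns the account running this script, not the service account.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}
```

Run it once as the account used to open the UI and once as an account known to have read access; a difference in `ReadableByMe` between the two runs points at the interactive account's permissions rather than the service account's group membership.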