Comments (14)
When this exception occurs, you should see that LDAPCP attempts to get group membership using a different method (with an LDAP query).
If that fallback goes well, you should see a message like this:
"[LDAPCP] Domain {1} returned {2} groups for user {3}. Lookup took {4}ms on LDAP server '{5}'"
Do you see it?
I was too euphoric about my solution...
I could reproduce the error with PowerShell, and after the AD guy gave me the permissions the error vanished from PowerShell. The error is still there in the solution. My guess was that your solution and my PowerShell console use different assembly versions.
I see the fallback. This one works fine.
My main problem still exists: I can't get the groups recursively. My user is in group A and group A is in group B. I give group B access to the site but the user won't get permission. I see in the logs that group B is not listed.
Is it a known limitation that I can only give permission to a group that the user belongs directly to?
The PrincipalOperationException exception is thrown because of a bug in .NET (in System.DirectoryServices.AccountManagement.dll).
It is expected to be fixed in both .NET 4.6.2 and .NET 4.7.1, which should ship with the January 2018 updates of .NET.
Once the fix is installed, nested groups should work fine.
Until then, all user membership operations which get this exception will fall back to an LDAP query, which does not get the nested groups, as you noticed.
Technically it's possible to update LDAPCP to get nested groups but it would be quite a lot of work (e.g. handling special cases like when the group is not in the same domain).
Hello @Yvand
Do you have any news on this one?
Is the bug fix already released? Do you plan to build against the new framework version soon?
Thank you very much
Kai
Hello @kurky91, yes, fix is now available, but not easy to find.
The key description is "TokenGroupSet now supports unresolvable SIDs by returning a principal with the original SID"
Here are the links:
- Windows Server 2008: https://support.microsoft.com/en-us/help/4054981
- Windows Server 2012: https://support.microsoft.com/en-us/help/4054979
- Windows Server 2012 R2: https://support.microsoft.com/en-us/help/4054980
- Regarding Windows Server 2016, it should be fixed by https://support.microsoft.com/en-us/help/4057142 but I'm not sure since the description is missing...
As soon as you install one of the fixes above, the issue should be fixed; LDAPCP does not need to be recompiled or updated.
Hello @Yvand
The problem still persists on Windows Server 2016. I just updated to .NET Framework 4.7.2.
The server has the newest Update installed: https://support.microsoft.com/en-us/help/4480977
In this particular environment, I have deployed a fork of your LDAPCP to read claims and save them to UPS. I could do code changes.
Do you have a suggestion?
Thank you very, veeery much
Hello @kurky91
After you installed the .NET update, what is the error recorded in ULS logs?
Can you confirm if you can reproduce it using this script (to run on SharePoint server):
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$username = Read-Host -Prompt "Enter a username"
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
# Resolve the user in the current domain (FindByIdentity returns $null if not found)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ct, $username)
if (-not $user) { throw "User '$username' was not found in the current domain" }
# GetAuthorizationGroups() expands tokenGroups, so it includes nested groups;
# this is the call that throws PrincipalOperationException when the .NET bug is present
$groups = $user.GetAuthorizationGroups()
foreach ($g in $groups) {
    $g.SamAccountName
}
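The script above only exercises the .NET API path. The added example below is not Yvand's script and not LDAPCP's own code: it runs the same GetAuthorizationGroups() call, catches the PrincipalOperationException discussed earlier in this thread, and falls back to an LDAP query the way LDAPCP does, but with the LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941) so that the fallback also returns nested groups (group B when the user is in group A and A is in B). It also prints the plain "direct membership only" result for comparison and the account performing the lookup, since the thread shows that permissions on the querying account decide whether the call succeeds. It assumes a domain-joined SharePoint server, Windows PowerShell 5.1 on .NET Framework 4.x, and an account allowed to read the user's tokenGroups and the groups' member attribute; the function names are mine.

```powershell
# Added example, not Yvand's script or LDAPCP's code. Assumptions: domain-joined
# SharePoint server, Windows PowerShell 5.1 on .NET Framework 4.x, and an account
# allowed to read the user's tokenGroups/member attributes. Function names are mine.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for values placed in an LDAP filter (backslash first,
    # so the other escapes are not double-escaped). A DN can contain all of these.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-GroupsViaDotNet {
    # What LDAPCP does with "Use .NET API" checked: tokenGroups expansion, nested
    # groups and the primary group included. This is the call that throws
    # PrincipalOperationException when the .NET bug from this thread is present.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ct   = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ct, $SamAccountName)
    if (-not $user) { throw "User '$SamAccountName' not found in the current domain" }
    $user.GetAuthorizationGroups() | ForEach-Object { $_.SamAccountName }
}

function Get-GroupsViaLdap {
    # Plain LDAP fallback. Without -Nested it only finds groups that list the user
    # directly in 'member' (the limitation kurky91 hit). With -Nested, the
    # LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941) makes the
    # DC walk the membership chain server-side, so group B is returned when the
    # user is in group A and A is in B. Caveat: this walks only the domain the
    # searcher is bound to; groups from other domains need a search per domain.
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$Nested)
    $root     = New-Object System.DirectoryServices.DirectoryEntry   # current domain root
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 1000

    # Step 1: sAMAccountName -> distinguishedName
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $null = $searcher.PropertiesToLoad.Add("distinguishedName")
    $found = $searcher.FindOne()
    if (-not $found) { throw "User '$SamAccountName' not found in the current domain" }
    $userDn = [string]$found.Properties["distinguishedname"][0]

    # Step 2: groups whose member attribute (transitively, if -Nested) contains that DN
    $memberOp = if ($Nested) { "member:1.2.840.113556.1.4.1941:=" } else { "member=" }
    $searcher.Filter = "(&(objectCategory=group)($memberOp$(ConvertTo-LdapFilterValue $userDn)))"
    $searcher.PropertiesToLoad.Clear()
    $null = $searcher.PropertiesToLoad.Add("sAMAccountName")
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties["samaccountname"][0] }
}

# --- usage: run on the SharePoint server ---
$username = Read-Host -Prompt "Enter a sAMAccountName"
# Permissions decide whether the lookup works, so show the account performing it
"Lookup runs as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

try {
    $groups = @(Get-GroupsViaDotNet -SamAccountName $username)
    "[.NET API]      $($groups.Count) groups (nested and primary group included)"
}
catch [System.DirectoryServices.AccountManagement.PrincipalOperationException] {
    Write-Warning ".NET API failed: $($_.Exception.Message) -- falling back to LDAP"
    $groups = @(Get-GroupsViaLdap -SamAccountName $username -Nested)
    "[LDAP in-chain] $($groups.Count) groups (nested, but not the primary group)"
}
$direct = @(Get-GroupsViaLdap -SamAccountName $username)
"[LDAP direct]   $($direct.Count) groups (what a plain memberOf/member lookup returns)"
$groups | Sort-Object
```

Two differences between the paths are worth knowing when comparing counts: tokenGroups includes the user's primary group (typically Domain Users), which never appears in member/memberOf, and the in-chain query is answered entirely by the domain controller, so a large chain costs one round trip rather than a client-side recursion.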
Hello @Yvand
Yes, I can reproduce the error with your script.
Hello @Yvand
Do you think the error is not solvable at the moment?
If so, then we keep our workaround in place: a script that resolves all the groups and adds those groups separately.
Thank you
Kai
Hi @kurky91, sorry for my late reply.
Can you check the version of "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll" on the SharePoint server?
You very likely face a .NET bug that was fixed some time ago, can you update .NET to latest version and run the PowerShell script again?
Thanks for your reply, @Yvand
I think this DLL is as new as possible, right?
Hello @Yvand - Can you give us any update on this topic?
Hi @mathiasstocker, this issue was closed a long time ago and I failed to follow up with the new comments.
Do you also reproduce the issue when you run the PowerShell script I provided here?
If so, it is a bug in .NET framework that is normally fixed, but somehow you still repro it.
In LDAPCP, you can avoid it by not checking the box "Use .NET API" in the "Augmentation" section of the LDAPCP global config page. This will fall back to a simple LDAP query instead of using .NET helpers, but the drawback is that it does not get nested groups.
I reopen this oooooold issue because I'm confident that I fixed it in ab7131c
It happened because the code was executed as the impersonated account IUSR, which got an access denied.
The fix is to execute this code as the application pool account.