AD Group Login fails

tslagtertslagter Posts: 17 Bronze 2
edited December 9, 2015 1:50PM in SQL Monitor Previous Versions
I've been testing SQL Monitor 5, and just tried changing to AD authentication. I set the service account and ran a test, then set the administrator account to "Domain Admins", a group I am a part of. I keep getting the error below. I tried fixing things by manually adding an explicit user into the ActiveDirectoryPrincipal table as indicated by the docs, but I get the same error.

#mkv: System.DirectoryServices.AccountManagement.PrincipalOperationException was thrown by method Authorisation on service AuthorisationService: System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups. The group's SID could not be resolved. at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids) at System.DirectoryServices.AccountManagement.SidList..ctor(SID_AND_ATTR[] sidAndAttr) at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase) at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p) at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper() at #cnve.#fnve.#0jBe(String ) at #cnve.#agBe.Authorisation(String )

Comments

  • Hi tslagter,

    It seems you could be running into the following issue, which will happen if you have SQL Monitor installed on a Windows Server 2008 / 2008 R2 / Win7 / Vista and your Domain Controller is Windows Server 2012 based. It's related to two new security principal SIDs which were introduced in Windows Server 2012. It should be fixed when you download and apply the hot fix from Microsoft onto your Windows Server 2008/2008 R2 / Win7 / Vista machine that has SQL Monitor installed upon it:

    https://support.microsoft.com/en-gb/kb/2830145

    Or alternatively, you can try installing SQL Monitor on a Windows Server 2012.

    Please let us know if this helps resolve the issue!

    Kind regards,
    Alex
    Product Support Engineer | Redgate Software

    Have you visited our Help Center?
  • tslagtertslagter Posts: 17 Bronze 2
    Thanks, this might be the problem. Unfortunately, we're running Win Server 2008 32-bit, and the hotfix is only for 64-bit. Can you tell me how to get SQL Monitor back to non-AD authentication?
  • Hi tslagter,

    You can reset the login method with this script on the data repository database
    UPDATE [RedGateMonitor].[settings].[KeyValuePairs]
    SET [RedGateMonitor].[settings].[KeyValuePairs].[KeyValue] = 0 
    WHERE [RedGateMonitor].[settings].[KeyValuePairs].[KeyName] = 'ActiveDirectory-Enabled'
    

    You may also need to restart the SQL monitor service.

    Kind regards,
    Alex
    Product Support Engineer | Redgate Software

    Have you visited our Help Center?
  • tslagtertslagter Posts: 17 Bronze 2
    Thanks, that worked.
  • Hi tslagter,

    Excellent! Please let us know if we can help with anything else!

    Kind regards,
    Alex
    Product Support Engineer | Redgate Software

    Have you visited our Help Center?
  • DonFergusonDonFerguson San Diego, CAPosts: 132 Silver 2
    We have discovered that AD accounts that have been migrated to a new domain and contain sid history don't work.
  • Hi Donman,

    We do have an issue raised for the migrated users with SID history with internal reference SRP-10151 (I see you have a call open related to this). For others on the forum this is different from the issue above that tslagter experienced.

    Thanks for sharing your info!

    Kind regards,
    Alex
    Product Support Engineer | Redgate Software

    Have you visited our Help Center?
Sign In or Register to comment.