none
MDS SQL 2016 Can't edit permissions for selected group in Manage Groups RRS feed

  • Question

  • We have installed MDS 2016 and can assign permissions to users but when we try to edit a groups permission the system just hangs.

    We can add both AD and local groups but cannot grant any rights to the groups.

    Has anyone else had this issue and how do we resolve it?

    We are using SQL 2016 SP1 CU05

    Tuesday, October 17, 2017 11:41 AM

Answers

  • The only solution I've found so far is to kill MDS's worker process in IIS if page isn't loading.

    There's a bug in Equals method implementation of SecurityPrincipalBase class (which is a base class for User and Group classes) - it[method] casts its parameter to User type instead of SecurityPrincipalBase, for Groups this results in null value and method returns false. As a result when page tries to cache Group in ConcurrentDictionary:
     1. if ConcurrentDictionary doesn't have value, Group is cached just fine - that's why first load of a page works fine
     2. if there's a value in cache (ConcurrentDictionary)
        2.1 ConcurrentDictionary takes current value (comparisonValue) and calls TryUpdate
        2.2
    TryUpdate compares (calls SecurityPrincipalBase.Equal) comparisonValue with stored value to make sure that it hasn't changed, but SecurityPrincipalBase.Equal says that Group-s are different every time.
        2.3 
    ConcurrentDictionary repeats steps 2.1 and 2.2 until comparisonValue and stored value are equal which never happens - thread remains in an infinite loop and only recycle of the worker process helps.
    Wednesday, January 3, 2018 5:26 PM

All replies

  • I have the same issue.

    I am using an SQL Server 2016 SP1 CU4 Developer Edition Azure VM from the gallery.  MDS was configured.

    Azure VM is not domain joined.

    Created a local group and added local users in it.

    Added group successfully in Master Data Manager->Manage Groups.

    Edit group properties and click Functions.  The site never responds.

    Easy repro.

    [Edited: added MDS log]

    Error found in MDS log:

    10/17/2017 18:30:26,8e50ed0a-680d-4e62-8a8d-22d7b789fe5c,/MDS/,Start,"Service started successfully,  Assembly version: 13.0.0.0, file version: 13.0.4446.0 ((SQL16_SP1_QFE-CU).170716-1734)"
    10/17/2017 18:30:26,8e50ed0a-680d-4e62-8a8d-22d7b789fe5c,/MDS/,Error,"ApiContractVersion: 8000"
    10/17/2017 18:30:48,fb3c43cf-8648-4e7f-a723-79cc01f73897,/MDS/security/common/PrincipalSelector.aspx?PTID=1,Error,"Error creating DirectorySearcher : System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: Current security context is not associated with an Active Directory domain or forest.
       at System.DirectoryServices.ActiveDirectory.DirectoryContext.GetLoggedOnDomain()
       at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
       at System.DirectoryServices.ActiveDirectory.DirectoryContext.isRootDomain()
       at System.DirectoryServices.ActiveDirectory.Forest.GetForest(DirectoryContext context)
       at Microsoft.MasterDataServices.Core.Security.PrincipalInfo.GetDirectorySearcher(String domain)"
    10/17/2017 18:30:48,fb3c43cf-8648-4e7f-a723-79cc01f73897,/MDS/security/common/PrincipalSelector.aspx?PTID=1,Error,"No directory searcher was obtained for domain "


    Business Intelligence Consultant in Quebec, Canada


    Tuesday, October 17, 2017 7:00 PM
  • Same issue here.  Is it possible that a Microsoft update could be the culprit?
    Thursday, November 2, 2017 9:21 PM
  • Same issue in SQL Server 2017 RTM
    Saturday, November 4, 2017 3:21 PM
  • Hi there!

    Same problem here. I read at https://social.msdn.microsoft.com/Forums/sqlserver/en-US/661a888d-7978-44ca-a6dc-789e1675669e/mds-2016-cu4-web-interface-unable-to-access-to-users-and-groups-security-parameters?forum=sqlmds that the data cache should be updated at the MDS homepage (bottom left part of the screen) and sometimes it works on editing the Groups' permissions. It seems like a bug, as it only works if you go directly to the tab you want to have access to, that is, the pencil on the top doesn't seem to work.

    I am currently using SQL Server 2017 RC1.

    So, I clicked Users and Groups Permissions > Manage Groups > Click on the arrow on the left side of the Group (already had one created on the Active Directory) > Edit > Models. It doesn't work all the times for me, and didn't save all the changes I did, but I manage to see the attributes permissions I have altered and save them afterwards.

    Hope this helps.

    Cheers!

    Fil




    • Proposed as answer by FilLobo Friday, November 24, 2017 12:07 PM
    • Edited by FilLobo Friday, November 24, 2017 12:07 PM
    Friday, November 24, 2017 11:56 AM
  • The only solution I've found so far is to kill MDS's worker process in IIS if page isn't loading.

    There's a bug in Equals method implementation of SecurityPrincipalBase class (which is a base class for User and Group classes) - it[method] casts its parameter to User type instead of SecurityPrincipalBase, for Groups this results in null value and method returns false. As a result when page tries to cache Group in ConcurrentDictionary:
     1. if ConcurrentDictionary doesn't have value, Group is cached just fine - that's why first load of a page works fine
     2. if there's a value in cache (ConcurrentDictionary)
        2.1 ConcurrentDictionary takes current value (comparisonValue) and calls TryUpdate
        2.2
    TryUpdate compares (calls SecurityPrincipalBase.Equal) comparisonValue with stored value to make sure that it hasn't changed, but SecurityPrincipalBase.Equal says that Group-s are different every time.
        2.3 
    ConcurrentDictionary repeats steps 2.1 and 2.2 until comparisonValue and stored value are equal which never happens - thread remains in an infinite loop and only recycle of the worker process helps.
    Wednesday, January 3, 2018 5:26 PM
  • Has Microsoft released a fix for this yet?  It is really frustrating not being able to edit Active Directory in 'Manage Groups' in SQL Server Master Data Services 2016 Security.  The browser just keeps spinning.  Under a rare occasion it does work, however is Microsoft looking into a fix to make it work consistently?
    Tuesday, May 1, 2018 10:31 PM
  • Upgrade DBMS from SQL Server 2016 SP1 CU5 to SQLServer2016 SP1 CU6 should fix that Problem.
    Wednesday, May 9, 2018 3:42 PM
  • Using SQL Server 2017, AND still a problem.  Are there any published T-SQL commands we can use to bypass the web interface?
    Wednesday, May 1, 2019 9:14 PM