Issue with GroupPrincipal.GetMembers() : 'An error (1301) occurred while enumerating the groups. The group's SID could not be resolved'

  • Question

  • Hi All,

    I am retrieving all the group members, including nested groups, using GroupPrincipal.GetMembers().contains(userPrincipal). It is working fine and all the domain users are able to log in to my application successfully.

    The issue comes when one of the users gets deleted from the domain and an orphan SID is generated: then none of the users are able to log in to my custom application, and it throws the error "An error (1301) occurred while enumerating the groups. The group's SID could not be resolved" at the GroupPrincipal.GetMembers().contains(userPrincipal) statement.

    Find the complete description of the issue below:

    1. We have two domains, domain-A and domain-B.
    2. There is a one-way (non-transitive) trust between domain-A and domain-B.
    3. We have 4 users created in domain-A.
    4. We have created a group named "GroupDev" in the domain-B domain.
    5. All 4 users (user1, abhay, anwar, ashish) have been added to the "GroupDev" group.
    6. Now all the users are able to log in to my custom application successfully; no issue with login.
    7. Now one of the users gets deleted and an orphan SID is generated (e.g. user1 is deleted from domain-A).
    8. Then all the other users (user1, abhay, anwar, ashish) are not able to log in to my custom application.

    I found that the GroupPrincipal.GetMembers(true).contains(userPrincipal) statement is throwing the above error.

    Could you please assist me in solving the issue?

    Thanks,

    Anwar

    • Edited by anwarpasha Wednesday, October 19, 2016 2:52 PM
    Wednesday, October 19, 2016 2:41 PM
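For readers hitting the same error: the following is an added example, not the poster's code. In the setup above, a domain-A user is stored in domain-B's group as a foreignSecurityPrincipal object whose name is the user's SID; once user1 is deleted in domain-A that object stays in GroupDev and can no longer be translated to a name, which is the step GetMembers(true) performs for every member and the reason it fails with 1301 (ERROR_NONE_MAPPED) for everyone. The example keeps the original check and, only when enumeration fails with 1301, decides membership by SID against domain-B's directory, where nothing has to be resolved to a name. It assumes the application can bind to domain-B under its own identity and that "domain-B" is reachable as an LDAP server name; both are assumptions, as are the class and method names.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;
using System.Text;

// Added example (not the poster's code). Membership is decided from domain-B's
// directory by SID, so an orphaned foreignSecurityPrincipal (a deleted domain-A
// user still listed in GroupDev) cannot abort the check with error 1301.
static class GroupMembershipCheck
{
    // Assumption: the application can bind to domain-B under its own identity.
    const string DomainBServer = "domain-B";

    // Encode a binary SID as an LDAP filter value (\xx per byte, RFC 4515).
    static string SidToFilterValue(SecurityIdentifier sid)
    {
        var bytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(bytes, 0);
        var sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Escape a string (here a DN) for use as an LDAP filter value (RFC 4515).
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // True if userSid is a direct or nested member of the group at groupDn in
    // domain-B. No SID is translated to a name here; that translation is what
    // fails once a member has been deleted in the trusted domain.
    public static bool IsMemberBySid(SecurityIdentifier userSid, string groupDn)
    {
        string memberDn;
        using (var root = new DirectoryEntry("LDAP://" + DomainBServer))
        using (var search = new DirectorySearcher(root))
        {
            // A domain-A user appears in domain-B as a foreignSecurityPrincipal whose
            // objectSid is the user's SID; a domain-B user matches its own user object.
            search.Filter = "(&(|(objectClass=foreignSecurityPrincipal)(objectClass=user))"
                          + "(objectSid=" + SidToFilterValue(userSid) + "))";
            search.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = search.FindOne();
            if (hit == null) return false;            // unknown to domain-B: not a member
            memberDn = (string)hit.Properties["distinguishedName"][0];
        }

        using (var group = new DirectoryEntry("LDAP://" + DomainBServer + "/" + groupDn))
        using (var search = new DirectorySearcher(group))
        {
            // LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested
            // groups on the server, so no client-side enumeration of members happens.
            search.SearchScope = SearchScope.Base;
            search.Filter = "(member:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(memberDn) + ")";
            search.PropertiesToLoad.Add("distinguishedName");
            return search.FindOne() != null;
        }
    }

    // Keeps the poster's GetMembers(true).Contains(...) check and falls back to the
    // SID-based check only when enumeration fails with 1301 (ERROR_NONE_MAPPED).
    public static bool IsMember(UserPrincipal user, GroupPrincipal group)
    {
        try
        {
            return group.GetMembers(true).Contains(user);
        }
        catch (PrincipalOperationException ex) when (ex.ErrorCode == 1301)
        {
            return IsMemberBySid(user.Sid, group.DistinguishedName);
        }
    }
}
```

Call it as `GroupMembershipCheck.IsMember(userPrincipal, groupPrincipal)` in place of the original statement. Two caveats: the fallback only answers "is this SID in the group", so the UserPrincipal must still come from a successful logon of the caller, not from a name typed into a form; and the orphaned entry itself remains in GroupDev until someone removes it, which is the actual cleanup (deleting the stale foreignSecurityPrincipal from the group in domain-B) rather than something the application should do.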

All replies

  • Hi Anwar,

    >>7: Now one of the user get deleted and it generates the Orphan SID (ex: user1 is deleted from the domain-A).

    >>8: Then all others users (user1, abhay, anwar, ashish)are not able to login in my custom application.

    How about adding a new user to your group?

    Based on your error information, I've searched more, and I found that someone solved it for the following reason.

    This problem is caused by the fact that Microsoft introduced two new security identifiers (SIDs) in Windows Server 2012. Older systems (e.g. Windows 7, Windows Server 2008 R2) working in a domain environment controlled by a Windows Server 2012 machine cannot resolve the SIDs in question. This can result in unauthorized access.

    Microsoft has published a hotfix for this problem, which is available on their website along with a detailed description. Please download and install the hotfix to avoid security issues and try again.

    Best regards,

    Kristin




    • Edited by Kristin Xie Thursday, October 20, 2016 7:27 AM
    Thursday, October 20, 2016 7:25 AM
  • Hi Kristin,

    Thanks for the response,

    As per your suggestion I went through it, and it seems the hotfix is for Windows Server 2008 R2, not for 2012.

    In my case all the domain controllers are running on Windows Server 2012 R2.

    Could you please let us know whether there is any hotfix available for Windows Server 2012 as well?

    Thanks,

    Anwar

    Friday, October 21, 2016 1:08 PM
  • Hi Anwar

    >>Please can you let us know, is there any hotfix available for Windows server 2012 as well?

    For Windows Server 2012, I think this bug should be fixed. I would suggest you update your Windows Server 2012 to the latest patches.

    I am sorry, I am not good at Active Directory and I cannot reproduce your issue, so it is hard to locate where the problem is. How about adding a new user to your group? I wonder if you have a configuration problem. I also suggest you ask your company IT for better help.

    Best regards,

    Kristin


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, October 25, 2016 2:06 AM
  • Hi Kristin,

    Thanks for the response,

    Yes, we are able to add a user to the group without any issues.

    Now, is there any idea how to solve the above issue?

    Thanks,

    Anwar

    Thursday, October 27, 2016 6:22 AM
  • Hi Anwar,

    >>There is one way (Non transitive trust) between Domain-A and Domain-B Domains.

    A trust is what lets a user of one domain access resources in another domain; it must exist in the authentication pipeline. If domain A trusts domain B, the domain controller of domain A replicates the user accounts of domain B into its own Active Directory, so that resources in domain A can be granted to users in domain B. But that does not mean that domain A users can log in to domain B.

    Best regards,

    Kristin




    • Edited by Kristin Xie Thursday, October 27, 2016 9:09 AM
    Thursday, October 27, 2016 9:09 AM