Symptoms


Users in role not resolving
 

Diagnoses


We verified that users were present in the role via Workspace, and attempted to verify role membership via the UMUser Get Role Users method, which returned no users. We then attempted to log in to Workspace as a user (in this case, yourself) to force the identity to be updated in the K2 Identity cache. After this, the role still had not resolved. We then investigated the K2 database and saw that the user account was disabled. This implies we were unable to resolve the user due to an issue communicating with LDAP.

We then checked the ADUM error log and found the following:

"2015-07-27 11:38:51::769", "Error", "GetUser:", "A referral was returned from the server.
", " at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "ForeignSecurityPrincipals Resolve(k2qasvc)"
"2015-07-27 11:38:51::769", "Error", "GetUser:MemberOf in Cross Forest", "A referral was returned from the server.
", " at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "MemberOf Resolve(DENALLIXDomain Users)"

We verified our LDAP string as: LDAP://DC=DENALLIX,DC=LOCAL

Using the ADS tester tool, we then found that we could resolve users from Active Directory and view their properties. After a bit of discussion, we decided to look at the secondary domain.

 

Resolution

The issue was caused by a second domain that had been added to K2 without the required trust and permissions configuration. When K2 attempted to resolve a user, it also queried the second domain to see whether that user had any group membership or properties there, and that query caused the error in question. We removed the second domain and the issue was resolved.
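
One way to triage the ADUM error log for this failure pattern, as an added example (not K2's own code): it parses the quoted, multi-line records in the layout of the excerpt above and counts referral errors per lookup. The sample log is constructed from that excerpt with shortened stack traces; the seven-field record layout and the cross-domain heuristic are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample modelled on the excerpt above; the third record is invented for contrast.
SAMPLE_LOG = '''"2015-07-27 11:38:51::769", "Error", "GetUser:", "A referral was returned from the server.
", "   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "ForeignSecurityPrincipals Resolve(k2qasvc)"
"2015-07-27 11:38:51::769", "Error", "GetUser:MemberOf in Cross Forest", "A referral was returned from the server.
", "   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "MemberOf Resolve(DENALLIXDomain Users)"
"2015-07-27 11:39:02::101", "Error", "GetUser:", "The server is not operational.
", "   at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "Resolve(jdoe)"
'''

REFERRAL = "A referral was returned from the server"


def parse_records(text):
    """Yield one dict per log record; quoted fields may span several lines."""
    reader = csv.reader(io.StringIO(text, newline=""), skipinitialspace=True)
    for row in reader:
        if len(row) < 7:
            continue  # not a complete record in the assumed seven-field layout
        ts, level, source, message, stack, _label, detail = (f.strip() for f in row[:7])
        yield {"time": ts, "level": level, "source": source,
               "message": message, "stack": stack, "detail": detail}


def referral_failures(text):
    """Count referral errors per (source, detail) pair."""
    hits = Counter()
    for rec in parse_records(text):
        if rec["level"] == "Error" and REFERRAL in rec["message"]:
            hits[(rec["source"], rec["detail"])] += 1
    return hits


def is_cross_domain(source, detail):
    """Heuristic (assumption): these markers mean the lookup left the primary domain."""
    return "Cross Forest" in source or detail.startswith("ForeignSecurityPrincipals")


if __name__ == "__main__":
    for (source, detail), n in referral_failures(SAMPLE_LOG).items():
        tag = "cross-domain" if is_cross_domain(source, detail) else "primary"
        print(f"{n}x [{tag}] {source} -> {detail}")
```

Referral errors that cluster on cross-domain lookups while the primary LDAP path resolves in a directory test tool point to an additional configured domain rather than to the primary connection string.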




 