
A referral was returned from the server



Topic

Unable to resolve AD users. The following error is recorded in the HostServer logs whenever an attempt is made to resolve an AD user.

"Error","IdentityService","64005","ResolvingException","IdentityService.ProviderCacheIdentity:RoleProvider.GetUser","64005 Failed to resolve 'K2:DOMAIN\User': A referral was returned from the server."


Instructions 

A referral is sent by an AD server when it does not have the requested information itself, but knows that another server has it. It usually appears in trust environments, where a Domain Controller (DC) can refer to a DC in a trusted domain.

When adding a domain to a Nintex Automation (K2 Five) environment, the common practice is to add an LDAP path like this:

LDAP://DC=CONTOSO,DC=COM

This LDAP path only specifies the domain or base path, so when Nintex Automation tries to use this LDAP path to connect to the domain, it relies on some sort of automatic lookup to connect to a DC server. When the DC server returned by the automatic lookup does not have information about a user, but knows another DC server that has that information, it returns a referral message.

If you have added multiple domains to the environment, the issue may come from only one specific domain instead of all domains. In such a scenario, it is important to figure out which domain is throwing the referral error.

Here are the steps to troubleshoot the issue:

  1. Test the domains one by one to identify the domain throwing the referral error. You can create an AD Service2 service instance to test one domain, and generate a User SmartObject. Use the User SmartObject to test retrieving a user from each domain.
  2. Once you have identified the domain throwing the referral error, you can try specifying a specific DC server to connect to by modifying the LDAP path to include the DC server. You can test this with an AD Service2 service instance first to determine whether it works.

    For example:

    LDAP://DCServer01.contoso.com/DC=CONTOSO,DC=COM
     
  3. Once you have identified a DC server that can search for users, you need to update the LDAP path in the existing AD Service2 instance you are using, and in K2 Management > Users > Nintex Automation > Domains. You need to restart the K2 service if you have updated the LDAP path in the Domains page in K2 Management.
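
Before changing any K2 configuration, the DC servers of the affected domain can be checked from PowerShell. The script below is an added diagnostic example, not Nintex code: it tries the serverless path and then one server-qualified path per DC, and reports which ones resolve the user. The domain name, base path and account name are placeholders, and turning referral chasing off is a choice made for this test, not a statement about how K2 queries AD.

```powershell
# Added diagnostic example, not Nintex code. Placeholder values: replace before use.
$DomainDns      = 'contoso.com'         # DNS name of the domain under test (placeholder)
$BaseDn         = 'DC=CONTOSO,DC=COM'   # base path from the article's example
$SamAccountName = 'User'                # account that fails to resolve (placeholder)

Add-Type -AssemblyName System.DirectoryServices

function Test-LdapPath {
    param([string]$LdapPath, [string]$Sam)
    # Escape LDAP filter metacharacters so the account name is treated as data.
    $safe = $Sam.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $entry = $null; $searcher = $null
    try {
        $entry    = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
        # Diagnostic choice: do not chase referrals, so a DC that only refers
        # the query elsewhere is reported instead of being followed.
        $searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::None
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        $hit = $searcher.FindOne()
        if ($hit) { $status = 'Resolved'; $detail = $hit.Properties['distinguishedname'][0] }
        else      { $status = 'NotFound'; $detail = $null }
    }
    catch {
        # "A referral was returned from the server" lands here.
        $status = 'Error'; $detail = $_.Exception.Message
    }
    finally {
        if ($searcher) { $searcher.Dispose() }
        if ($entry)    { $entry.Dispose() }
    }
    [pscustomobject]@{ LdapPath = $LdapPath; Status = $status; Detail = $detail }
}

# 1. The serverless path, which relies on automatic DC lookup.
$paths = @("LDAP://$BaseDn")

# 2. One server-qualified path per domain controller in the domain.
$ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainDns)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$paths += $domain.DomainControllers | ForEach-Object { "LDAP://$($_.Name)/$BaseDn" }
$domain.Dispose()

$paths | ForEach-Object { Test-LdapPath -LdapPath $_ -Sam $SamAccountName } |
    Format-Table -AutoSize -Wrap
```

Run it under an account that can read the target domain, ideally the K2 service account, so the result reflects what the K2 server would see. A path reported as Resolved is a candidate for step 2.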


