Some or all identity references could not be translated.


Darko Bazulj

Hi,

What I am trying to do:

create a user/group in AD (works fine).
set permissions on a folder for the created user/group (problems)

If I try that I get the following error:

System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
   at System.Security.AccessControl.ObjectSecurity.ModifyAccessRule(AccessControlModification modification, AccessRule rule, Boolean& modified)

If I try to set permissions for the same user/group about 30 seconds after creation,
everything works fine.

CODE:

Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

' Callers pass the account name plus the FileSystemRights / InheritanceFlags /
' PropagationFlags / AccessControlType values for the new ACE.
Sub SetFolderPermission(ByVal strUserName As String, ByVal strFolderName As String, _
                        ByVal rights As FileSystemRights, ByVal iFlags As InheritanceFlags, _
                        ByVal pFlags As PropagationFlags, ByVal acType As AccessControlType)

    ' NTAccount only holds the name; it is resolved to a SID when the rule is added.
    Dim identity As New NTAccount(strUserName)

    Dim dInfo As New DirectoryInfo(strFolderName)
    Dim dSecurity As DirectorySecurity = dInfo.GetAccessControl(AccessControlSections.Access)

    ' AddAccessRule calls NTAccount.Translate internally; that is where
    ' IdentityNotMappedException is thrown if the name cannot be resolved yet.
    dSecurity.AddAccessRule(New FileSystemAccessRule(identity, rights, iFlags, pFlags, acType))

    dInfo.SetAccessControl(dSecurity)
End Sub

Can someone help or suggest something?
 

Joe Kaplan

Don't use an NTAccount for the IdentityReference. Instead, use a
SecurityIdentifier type and build that based on reading the objectSid
attribute of the user or group you created previously. That way, you don't
have to worry about any replication lag causing the name translation to fail
since there is no name translation involved when you use the SID directly.

Joe K.
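The approach Joe describes, as an added example in PowerShell (the same .NET types the thread uses; this is not code from either poster). It reads objectSid from the DC that processed the create and builds the ACE from a SecurityIdentifier, so no NTAccount lookup happens and replication lag cannot make it fail. The DC name, object DN and folder path in the usage line are assumed placeholders; it assumes Windows PowerShell 5.1 on a domain member with rights to change the folder's ACL.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Grant-FolderAccessBySid {
    param(
        [string]$DcName,     # the DC that processed the create; the object is guaranteed to exist there
        [string]$ObjectDn,   # DN of the freshly created user or group
        [string]$Folder,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    # Read objectSid from the DC we just wrote to; no name lookup is involved.
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DcName/$ObjectDn")
    $sidBytes = [byte[]]$entry.Properties['objectSid'].Value
    $entry.Dispose()
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    # An ACE is stored by SID anyway. Handing the SID in directly skips the
    # NTAccount.Translate() call that raises IdentityNotMappedException until the
    # account has replicated to whichever DC the local LSA asks.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $Rights, $inherit, $propagate, $allow

    $acl = Get-Acl -LiteralPath $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl

    # Check: ask for the rules by SID so the verification does not depend on name resolution either.
    $applied = (Get-Acl -LiteralPath $Folder).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }
    if (-not $applied) { throw "ACE for $($sid.Value) was not written to $Folder" }
    return $sid
}

# Usage with assumed names (placeholders, not from the thread):
# Grant-FolderAccessBySid -DcName 'dc1.domain.loc' `
#     -ObjectDn 'CN=Project42 RW,OU=Project42,DC=domain,DC=loc' -Folder 'D:\Shares\Project42'
```

The DC name matters: binding with a plain "LDAP://CN=...,DC=..." path lets the locator pick any DC, which may not have the object yet. Binding to the same server that handled the create removes that race, and the returned SID is then safe to reuse for any further ACLs.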
 

Darko Bazulj

Hi Joe,

It works now :))
Thank you for your help.

Can you suggest something about AD?

What I do:

create an OU and then create a user.
But I sometimes receive an error, as if there is no OU which I just created, but
the OU is there.

strDNSADDomain =
I put just the domain (domain.loc) but then I received the error frequently.
Then I put the full DC name (ad1.domain.loc); the errors were reduced but
nevertheless still happen.

Can you suggest something?


Code:
----------

create user:

Imports System.DirectoryServices.AccountManagement

' Signature as it appears in the stack trace below.
Sub CreateUser(ByVal strSamAccountName As String, ByVal strPassword As String, _
               ByVal strOU As String, ByVal strDescription As String, _
               ByVal strUPN As String, ByVal strDNSADDomain As String)

    ' strDNSADDomain: domain name or DC name; strOU: DN of the container for the new user.
    Dim ctx As New PrincipalContext(ContextType.Domain, strDNSADDomain, strOU)

    Dim user As New UserPrincipal(ctx)

    user.SamAccountName = strSamAccountName
    If Not String.IsNullOrEmpty(strDescription) Then user.Description = strDescription
    user.SetPassword(strPassword)
    user.Enabled = True
    user.PasswordNeverExpires = True

    If Not String.IsNullOrEmpty(strUPN) Then user.UserPrincipalName = strUPN

    user.Save()

    user.Dispose()
    ctx.Dispose()
End Sub

create OU:

Imports System.DirectoryServices

Sub CreateOU(ByVal strPath As String, ByVal strOU As String, _
             ByVal strDescription As String, ByVal struPNSuffix As String)

    ' strPath: LDAP path of the parent container, e.g. "LDAP://DC=domain,DC=loc"
    Dim objAD As DirectoryEntry
    Dim objOU As DirectoryEntry

    strOU = "OU=" + strOU

    objAD = New DirectoryEntry(strPath)

    objOU = objAD.Children.Add(strOU, "OrganizationalUnit")
    If Not String.IsNullOrEmpty(strDescription) Then objOU.Properties("description").Add(strDescription)
    If Not String.IsNullOrEmpty(struPNSuffix) Then objOU.Properties("uPNSuffixes").Add(struPNSuffix)
    objOU.CommitChanges()

    objOU.Dispose()
    objAD.Dispose()
End Sub

Error:
-------

There is no such object on the server.
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.ContextForType(Type t)
   at System.DirectoryServices.AccountManagement.Principal.GetStoreCtxToUse()
   at System.DirectoryServices.AccountManagement.Principal.set_SamAccountName(String value)
   at serviceprovisioning.ActiveDirectory.CreateUser(String strSamAccountName, String strPassword, String strOU, String strDescription, String strUPN, String strDNSADDomain)


----------------------------------------------
Example, in case someone else has similar problems.

Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Sub SetFolderPermission(ByVal strUserName As String, ByVal strFolderName As String, _
                        ByVal rights As FileSystemRights, ByVal iFlags As InheritanceFlags, _
                        ByVal pFlags As PropagationFlags, ByVal acType As AccessControlType)

    Dim identity As New NTAccount(strUserName)

    ' Resolve the name to a SID up front and build the ACE from the SID.
    ' Translate() still performs a name lookup; reading objectSid from the
    ' directory, as suggested above, avoids the lookup entirely.
    Dim sid As SecurityIdentifier = _
        DirectCast(identity.Translate(GetType(SecurityIdentifier)), SecurityIdentifier)

    Dim dInfo As New DirectoryInfo(strFolderName)
    Dim dSecurity As DirectorySecurity = dInfo.GetAccessControl(AccessControlSections.Access)

    dSecurity.AddAccessRule(New FileSystemAccessRule(sid, rights, iFlags, pFlags, acType))

    dInfo.SetAccessControl(dSecurity)
End Sub
 

Joe Kaplan

I didn't quite follow what you were saying here. You do need to make sure
you are working off of the same server, though. Could that be the problem?
Please try to explain again.

Joe K.
 

Darko Bazulj

Hi Joe,

I will try to explain better.

First I create an OU, then inside that OU I create other OUs, users and
groups.
But sometimes I get the error "There is no such object on the server", as if
there is no OU which I just created.
To create users and groups I use the
"System.DirectoryServices.AccountManagement" classes.
http://msdn.microsoft.com/en-us/library/bb348316.aspx

Dim ctx As New PrincipalContext(ContextType.Domain, strDNSADDomain, strOU)
Dim user As New UserPrincipal(ctx)

strOU = DN of the newly created OU in which I want to create the user

strDNSADDomain = I set an empty string, the domain name or the full DNS DC name.
If I set an empty string or the domain name, the error occurs often.
But if I set the full DNS DC name, the error occurs from time to time when I
start to use the application; then I just enter the DNS name of the second DC and the code
starts to work.

If I put some sleep (20-30 sec) in the code the application works, but I think that
there is a better way.

hmm...

I think I know where the problem is.

The problem is in the creation of the OU.
When I create the OU I don't bind to a specific DC but enter the path
"LDAP://OU=name,DC=domain,DC=loc"
Maybe if I enter "LDAP://DC1.domain.name:389/OU=name,DC=domain,DC=loc"

But is this a good approach? What if this DC stops working?

Can you suggest a good way to create an OU and a user inside the newly
created OU and avoid the problem with AD replication?
Is there some trick like with the SID/user name?

Thank you for your help.
 

Joe Kaplan

It seems like the key for you is to ensure that you always use the same DC
for doing your write operations, so it would likely be a good idea to use
fixed DC names for this particular app.

Joe K.
 

Darko Bazulj

Hi Joe,

Thank you for the suggestions.

I decided to do the following:

enumerate the DCs
try to connect to the first and, if the connection is successful, continue; if not,
then try to connect to the second DC.

Regards,
Darko Bazulj
 

Joe Kaplan

You can also use the FindDomainController method on the domain class to get
more control over this and make sure you get DCs in your site and such. It
might be an easier and more robust approach to do the same basic thing.

Joe K.
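Joe's two suggestions together, pinning every write to one DC and picking that DC with FindDomainController, plus the fall-back to another DC that Darko planned, as an added PowerShell example (same System.DirectoryServices types as the thread; not code from either poster). The domain, OU, account names and password prompt are assumed placeholders; it assumes Windows PowerShell 5.1 running as an account allowed to create OUs and users.

```powershell
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Find-WritableDc {
    # Let the DC locator choose a writable DC for our site first. ForceRediscovery
    # bypasses the locator cache, so a DC that went down since the last call is not
    # returned again. If that DC cannot be bound, fall through to the full list.
    param([string]$DomainName)
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $opts   = [System.DirectoryServices.ActiveDirectory.LocatorOptions]'ForceRediscovery, WriteableRequired'

    $candidates = @()
    try   { $candidates += $domain.FindDomainController($opts) }
    catch { Write-Warning "Locator found no DC: $($_.Exception.Message)" }
    $candidates += @($domain.FindAllDomainControllers())

    $tried = @{}
    foreach ($dc in $candidates) {
        if ($tried.ContainsKey($dc.Name)) { continue }
        $tried[$dc.Name] = $true
        try {
            # Cheap liveness probe: bind to RootDSE on that specific server.
            $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/RootDSE")
            $null = $root.Properties['defaultNamingContext'].Value
            $root.Dispose()
            return $dc.Name
        } catch {
            Write-Warning "DC $($dc.Name) not reachable: $($_.Exception.Message)"
        }
    }
    throw "No reachable domain controller found for $DomainName"
}

function New-OuWithUser {
    param(
        [string]$DcName,          # every write below goes to this one DC
        [string]$ParentDn,        # e.g. 'DC=domain,DC=loc'
        [string]$OuName,
        [string]$SamAccountName,
        [securestring]$Password
    )
    # 1. Create the OU on the chosen DC via a server-qualified LDAP path.
    $parent = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DcName/$ParentDn")
    $ou = $parent.Children.Add("OU=$OuName", 'organizationalUnit')
    $ou.CommitChanges()
    $ou.Dispose(); $parent.Dispose()
    $ouDn = "OU=$OuName,$ParentDn"

    # 2. Create the user through the same DC. PrincipalContext's "name" argument
    #    accepts a server name, so the LDAP init that failed with "There is no such
    #    object on the server" now talks to the DC that already holds the OU.
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $DcName, $ouDn)
    $user = New-Object System.DirectoryServices.AccountManagement.UserPrincipal($ctx)
    $user.SamAccountName = $SamAccountName
    $user.SetPassword((New-Object System.Net.NetworkCredential('', $Password)).Password)
    $user.Enabled = $true
    $user.Save()

    # 3. Read the SID straight back from the same DC. This is the value to put into
    #    any folder ACL, so no NTAccount lookup (and no replication wait) is needed later.
    $sid = $user.Sid
    $user.Dispose(); $ctx.Dispose()
    return [pscustomobject]@{ Dc = $DcName; OuDn = $ouDn; Sid = $sid }
}

# Usage with assumed names (placeholders, not from the thread):
$dc = Find-WritableDc -DomainName 'domain.loc'
New-OuWithUser -DcName $dc -ParentDn 'DC=domain,DC=loc' -OuName 'Project42' `
               -SamAccountName 'svc-project42' -Password (Read-Host 'Password' -AsSecureString)
```

The DC is chosen once per provisioning run and threaded through every call; that answers the "what if this DC stops working" concern without hard-coding a name, because the next run rediscovers. Mixing a locator-chosen DC for one step with a different DC for the next is exactly what reintroduces the replication race.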
 

Darko Bazulj

Hi Joe,

Good suggestion, I tried it and it works :)

The good thing is that only active DCs are returned.
I tested it by blocking (IPSec) traffic between a DC and the member on which I run
the code.

Code: maybe it helps someone

Imports System.DirectoryServices.ActiveDirectory

Function FindActiveDC() As String
    Dim instance As Domain
    Dim returnValue As DomainController

    instance = Domain.GetCurrentDomain()

    ' ForceRediscovery bypasses the locator cache, so a DC that has gone down
    ' since the last lookup is not handed back again.
    returnValue = instance.FindDomainController(LocatorOptions.ForceRediscovery)

    Console.WriteLine(returnValue.Name)
    Return returnValue.Name
End Function

Regards,
Darko Bazulj
 
