Some or all identity references could not be translated.

Discussion in 'ASP .Net Security' started by Darko Bazulj, Jun 5, 2008.

  1. Darko Bazulj

    Darko Bazulj Guest

    Hi,

    what I try to do:

    create user/group in AD(works fine).
    set permissions on folder for created user/group(problems)

    If I try that I get the following error:

    System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
    at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
    at System.Security.Principal.NTAccount.Translate(Type targetType)
    at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
    at System.Security.AccessControl.ObjectSecurity.ModifyAccessRule(AccessControlModification modification, AccessRule rule, Boolean& modified)

    If I try to set permissions for the same user/group about 30 seconds after creation,
    everything works fine.

    CODE:

    Imports System.IO
    Imports System.Security.AccessControl
    Imports System.Security.Principal

    ' Account name of the user/group that was just created in AD
    Dim identity As NTAccount
    identity = New NTAccount(strUserName)

    Dim dInfo As New DirectoryInfo(strFolderName)
    Dim dSecurity As DirectorySecurity = _
        dInfo.GetAccessControl(AccessControlSections.Access)

    ' AddAccessRule translates the NTAccount to a SID internally; this is the
    ' call that throws IdentityNotMappedException right after creation
    dSecurity.AddAccessRule(New FileSystemAccessRule(identity, _
        rights, _
        iFlags, _
        pFlags, _
        acType))

    dInfo.SetAccessControl(dSecurity)

    Can someone help, suggest something??
     
    Darko Bazulj, Jun 5, 2008
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    Don't use an NTAccount for the IdentityReference. Instead, use a
    SecurityIdentifier type and build that based on reading the objectSid
    attribute of the user or group you created previously. That way, you don't
    have to worry about any replication lag causing the name translation to fail
    since there is no name translation involved when you use the SID directly.

    Joe K.
     
    Joe Kaplan, Jun 5, 2008
    #2
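    Building the identity from the object's SID as Joe describes, as an added example that is not code from the thread; the LDAP path, folder and rights are placeholders:

```vbnet
' Added example, not from the thread: bind to the object just created,
' read its objectSid, and grant the folder ACE to that SID directly.
Imports System.DirectoryServices
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Module SidBasedAcl
    ' Returns the SecurityIdentifier of a user or group from its objectSid
    ' attribute. No name lookup is involved, so a DC that has not yet
    ' replicated the new account cannot cause IdentityNotMappedException.
    Function GetSid(ByVal entry As DirectoryEntry) As SecurityIdentifier
        ' Make sure the server-assigned objectSid is in the property cache
        entry.RefreshCache(New String() {"objectSid"})
        Dim raw As Byte() = DirectCast(entry.Properties("objectSid").Value, Byte())
        Return New SecurityIdentifier(raw, 0)
    End Function

    ' Adds an inheritable Allow ACE for the SID to the folder
    Sub GrantFolderAccess(ByVal folder As String, ByVal sid As SecurityIdentifier, _
                          ByVal rights As FileSystemRights)
        Dim dInfo As New DirectoryInfo(folder)
        Dim dSecurity As DirectorySecurity = _
            dInfo.GetAccessControl(AccessControlSections.Access)
        dSecurity.AddAccessRule(New FileSystemAccessRule(sid, rights, _
            InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit, _
            PropagationFlags.None, AccessControlType.Allow))
        dInfo.SetAccessControl(dSecurity)
    End Sub

    Sub Main()
        ' Placeholder LDAP path and folder; bind to the object you just committed
        Using userEntry As New DirectoryEntry("LDAP://CN=newuser,OU=Staff,DC=domain,DC=loc")
            Dim sid As SecurityIdentifier = GetSid(userEntry)
            GrantFolderAccess("C:\Shares\newuser", sid, FileSystemRights.Modify)
        End Using
    End Sub
End Module
```

    If the account was created with UserPrincipal, its Sid property after Save() yields the same SecurityIdentifier without a second bind.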

  3. Darko Bazulj

    Darko Bazulj Guest

    Hi Joe,

    it works now :))
    Thank you for help.

    Can you suggest something to me about AD?

    What I do:

    create OU and then create user.
    But I sometimes receive an error, as if there is no OU which I just created, but
    the OU is there.

    strDNSADDomain=
    I put just the domain (domain.loc) but then I received the error frequently.
    Then I put the full DC name (ad1.domain.loc); mistakes were reduced but
    nevertheless still happen.

    Can you suggest something??


    Code:
    ----------

    create user:

    Imports System.DirectoryServices
    Imports System.DirectoryServices.AccountManagement

    ' strDNSADDomain: domain name or DC name used as the server; strOU: DN of the container
    Dim ctx As New PrincipalContext(ContextType.Domain, strDNSADDomain, strOU)

    Dim user As New UserPrincipal(ctx)

    user.SamAccountName = strSamAccountName
    If Not String.IsNullOrEmpty(strDescription) Then user.Description = strDescription
    user.SetPassword(strPassword)
    user.Enabled = True
    user.PasswordNeverExpires = True

    If Not String.IsNullOrEmpty(strUPN) Then user.UserPrincipalName = strUPN

    user.Save()

    user.Dispose()
    ctx.Dispose()

    create OU:

    Dim objAD As DirectoryEntry
    Dim objOU As DirectoryEntry

    ' Relative distinguished name of the new OU
    strOU = "OU=" + strOU

    ' strPath: LDAP path of the parent container
    objAD = New DirectoryEntry(strPath)

    objOU = objAD.Children.Add(strOU, "OrganizationalUnit")
    If Not String.IsNullOrEmpty(strDescription) Then objOU.Properties("description").Add(strDescription)
    If Not String.IsNullOrEmpty(struPNSuffix) Then objOU.Properties("uPNSuffixes").Add(struPNSuffix)
    objOU.CommitChanges()

    objOU.Dispose()
    objAD.Dispose()

    Error:
    -------

    There is no such object on the server. --
    at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
    at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
    at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
    at System.DirectoryServices.AccountManagement.PrincipalContext.ContextForType(Type t)
    at System.DirectoryServices.AccountManagement.Principal.GetStoreCtxToUse()
    at System.DirectoryServices.AccountManagement.Principal.set_SamAccountName(String value)
    at serviceprovisioning.ActiveDirectory.CreateUser(String strSamAccountName, String strPassword, String strOU, String strDescription, String strUPN, String strDNSADDomain)


    ----------------------------------------------
    # Example, if someone else has similar problems.

    Dim identity As NTAccount
    identity = New NTAccount(strUserName)

    ' Resolve the account name to its SID once, then grant the rule to the SID
    Dim sid As SecurityIdentifier = _
        DirectCast(identity.Translate(GetType(SecurityIdentifier)), SecurityIdentifier)

    Dim dInfo As New DirectoryInfo(strFolderName)
    Dim dSecurity As DirectorySecurity = _
        dInfo.GetAccessControl(AccessControlSections.Access)

    dSecurity.AddAccessRule(New FileSystemAccessRule(sid, _
        rights, _
        iFlags, _
        pFlags, _
        acType))

    dInfo.SetAccessControl(dSecurity)
     
    Darko Bazulj, Jun 6, 2008
    #3
  4. Joe Kaplan

    Joe Kaplan Guest

    I didn't quite follow what you were saying here. You do need to make sure
    you are working off of the same server though. Could that be the problem?
    Please try to explain again.

    Joe K.
     
    Joe Kaplan, Jun 9, 2008
    #4
  5. Darko Bazulj

    Darko Bazulj Guest

    Hi Joe,

    I will try to explain better.

    First I create an OU, then inside that OU I create other OUs, users and
    groups.
    But sometimes I get the error "There is no such object on the server", as if
    there is no OU which I just created.
    To create users and groups I use the
    "System.DirectoryServices.AccountManagement" class.
    http://msdn.microsoft.com/en-us/library/bb348316.aspx

    Dim ctx As New PrincipalContext(ContextType.Domain, strDNSADDomain, strOU)
    Dim user As New UserPrincipal(ctx)

    strOU = DN - name of the newly created OU in which I want to create the user

    strDNSADDomain = I set an empty string, the domain name or the full DNS DC name
    If I set an empty string or the domain name the error occurs often.
    But if I set the full DNS DC name the error occurs from time to time when I
    start to use the application; then I just enter the DNS name of the second DC and the code
    starts to work.

    If I put some sleep (20-30 sec) in the code the application works, but I think that
    there is some better way.

    hmm...

    I think I know where the problem is.

    The problem is in the creation of the OU.
    When I create the OU I don't bind to a specific DC but enter
    "LDAP://OU=name,DC=domain,DC=loc" as the path.
    Maybe if I enter "LDAP://DC1.domain.name:389/OU=name,DC=domain,DC=loc"

    But is this a good approach; what if this DC stops working?

    Can you suggest what is the good way to create an OU and a user inside the newly
    created OU and to avoid problems with AD replication?
    Is there some trick like with the SID/user name?

    Thank you for your help.
     
    Darko Bazulj, Jun 9, 2008
    #5
  6. Joe Kaplan

    Joe Kaplan Guest

    It seems like the key for you is to ensure that you always use the same DC
    for doing your write operations, so it would likely be a good idea to use
    fixed DC names for this particular app.

    Joe K.
     
    Joe Kaplan, Jun 13, 2008
    #6
  7. Darko Bazulj

    Darko Bazulj Guest

    Hi Joe,

    Thank you for suggestions.

    I decided to do the following:

    enumerate DCs
    try to connect to the first and, if the connection is successful, continue; if not,
    then try to connect to the second DC.

    Regards,
    Darko Bazulj
     
    Darko Bazulj, Jun 13, 2008
    #7
  8. Joe Kaplan

    Joe Kaplan Guest

    You can also use the FindDomainController method on the domain class to get
    more control over this and make sure you get DCs in your site and such. It
    might be an easier and more robust approach to do the same basic thing.

    Joe K.
     
    Joe Kaplan, Jun 13, 2008
    #8
  9. Darko Bazulj

    Darko Bazulj Guest

    Hi Joe,

    good suggestion, I tried it and it works :)

    The good thing is that only an active DC will be returned.
    I tested by blocking (IPSec) data between the DC and the member on which I run the
    code.

    Code: maybe it helps someone

    Imports System.DirectoryServices.ActiveDirectory

    Dim instance As Domain
    Dim returnValue As DomainController

    instance = Domain.GetCurrentDomain

    ' ForceRediscovery skips the cached DC and asks the locator again
    returnValue = instance.FindDomainController(LocatorOptions.ForceRediscovery)

    Console.WriteLine(returnValue.Name)

    Regards,
    Darko Bazulj
     
    Darko Bazulj, Jun 15, 2008
    #9
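    Pinning every write to one locator-chosen DC, as Joe suggests in #6 and #8 and as the enumerate-and-fail-over idea in #7 aims at; an added example, not code from the thread. The parent DN, OU name and account name are placeholders, and the password is read from an environment variable.

```vbnet
' Added example, not from the thread: locate one writable DC and send both the
' OU creation and the user creation to that server, so the user is never
' created against a DC that has not replicated the new OU yet.
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement
Imports System.DirectoryServices.ActiveDirectory

Module PinnedDcProvisioning
    ' Asks the DC locator for a reachable, writable DC; ForceRediscovery
    ' skips any cached answer, so a DC that is down is not handed back.
    Function LocateWritableDc() As String
        Dim dom As Domain = Domain.GetCurrentDomain()
        Dim dc As DomainController = dom.FindDomainController( _
            LocatorOptions.WriteableRequired Or LocatorOptions.ForceRediscovery)
        Return dc.Name
    End Function

    ' Creates the OU through a server-qualified path (LDAP://dc/DN) and returns its DN
    Function CreateOu(ByVal dcName As String, ByVal parentDn As String, _
                      ByVal ouName As String) As String
        Using parent As New DirectoryEntry("LDAP://" & dcName & "/" & parentDn)
            Using ou As DirectoryEntry = parent.Children.Add("OU=" & ouName, "organizationalUnit")
                ou.CommitChanges()
            End Using
        End Using
        Return "OU=" & ouName & "," & parentDn
    End Function

    ' The DC name (not just the domain) is passed as the server, so the
    ' PrincipalContext talks to the DC that just committed the OU.
    Sub CreateUser(ByVal dcName As String, ByVal ouDn As String, _
                   ByVal sam As String, ByVal password As String)
        Using ctx As New PrincipalContext(ContextType.Domain, dcName, ouDn)
            Using user As New UserPrincipal(ctx)
                user.SamAccountName = sam
                user.SetPassword(password)
                user.Enabled = True
                user.Save()
            End Using
        End Using
    End Sub

    Sub Main()
        Dim dcName As String = LocateWritableDc()
        ' Placeholder DN and names; the password comes from the environment
        Dim ouDn As String = CreateOu(dcName, "DC=domain,DC=loc", "Customer1")
        CreateUser(dcName, ouDn, "customer1.svc", Environment.GetEnvironmentVariable("NEWUSER_PASSWORD"))
    End Sub
End Module
```

    If LocateWritableDc throws because no DC answers, retry it rather than falling back to a domain name, since a domain name lets each call pick a different server again.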
