SAP Knowledge Base Article - Preview

1567614 - XI 3.1 - AD Users lose their membership of AD groups in BOE

Symptom

  • While browsing through the CMC > Groups, the list of users appears empty when selecting an AD group. Users lose their membership of groups and cannot login to the system
  • In BusinessObjects CMS logs (no tracing enabled, asserts only), the following errors appear:

2011/02/27 11:05:52.814|>>|A| | 6760|1036| |||||||||||||||assert failure: (.\secplugin.cpp:2531). (false : The secWinAD plugin failed to get the name for the account with ID "S-1-5-21-211361085-4038243005-3459511423-xxxxxx". ).
2011/02/27 11:05:52.814|>>|A| | 6760|1504| |||||||||||||||assert failure: (.\ad_acct_entity.cpp:151). (false : WINAD: CAccountEntity::InitFromSid() -- BindIADsToLDAPFromSid hr=-2147016656).
  • As per Microsoft KB, hr=-2147016656 translates as "There is no such object on the server" (Please check the "See also" section for further reference)
  • After enabling tracing, CMS logs show some users being part of no groups during AD graph update - highlighted below in bold. At this point it may show the wrong domain as part of the "DC" information:

2011/02/27 14:01:17.528|==| | | 6760|2836| |||||||||||||||WINAD: ADAggregationManager::GetNestedParents() -- Mapped group 'S-1-5-21-211361085-4038243005-3459511423-xxxxxx' not found in graph, possibly an invalid mapped group.
...
2011/02/27 14:01:17.528|==| | | 6760|2836| |||||||||||||||WINAD: ADAccountFactory::GetAccount() called for aliasId 4EA4CD983EC0B1408DEABE1851WXYZ:UserName;CN=Name\, User,OU=Organization Unit,OU=Department,OU=Users,OU=Domain,DC=DomainComponent,DC=DomainComponent2
2011/02/27 14:01:17.528|==| | | 6760|2836| |||||||||||||||WINAD: ADAggregationManager::GetMappedParentsWithGraph() -- User CN=Name\, User,OU=Organization Unit,OU=Department,OU=Users,OU=Domain,DC=DomainComponent,DC=DomainComponent2 is in 0 mapped AD groups.


Read more...

Environment

  • Business Objects Enterprise XI 3.1
  • AD authentication

Product

SAP BusinessObjects Enterprise XI 3.1

Keywords

r3 3.1 everyone group missing member sidhistory migrate domain , KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.