Unable to discover SID details for Domain User Group

Owned by Anonymous
Last updated: Nov 13, 2012 by Anonymous
2 min read

Issue

Warning messages in the SMP server logs as follows:

Module: AtrsHost.exe
Source: Arellia.SMP.Resource.Discovery.DomainUserGroupServerDiscoverer.DiscoverResource
Description: Unable to discover SID details for Domain User Group 557d35c5-28c5-414e-9656-bfa6c292088b : 
 Exception=System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.

Background

The warnings are generated by the User Server Resource and/or Domain User Group Resource Discoverers, which are located under Configuration > Settings > Arellia > Infrastructure > Resource Discovery > Server Discoverers. These discoverers were introduced in an earlier release of Arellia as a lightweight method of importing information from Active Directory. With current versions of the product suite it is recommended that Arellia Directory Services Solution be used if you have a reliance on importing information from Active Directory.

Cause

What is happening is that SMP is creating user resources that do not have any data in Inv_Global_Windows_Users or Inv_Global_Account_Details, or do not have a ResourceKey. Arellia is trying to lookup these account in Active Directory and failing due to the accounts not being resolvable. An example of why an account may not be resolvable is due to it being a local windows account, or the Application Identity does not have read access to the user account details.

Resolution

To resolve this issue you can take one of the following steps:

  1. Ignore the warnings. They are only generated for bad accounts. Good accounts will still have their information extracted from Active Directory.
  2. Disable the User Server Resource and/or Domain User Group Resource Discoverers. The warnings will stop occurring, but only do this if you do not need user/group account information from Active Directory.
  3. Follow step #2 and configure Arellia Directory Services Solution. The instructions on how to setup AD Sync are located in this article.
    Do this if you do have a dependency for importing accounts from AD, such as if your ACS policies need to apply to specific users/groups.
  4. Ensure that the Application Identity has the correct rights in Active Directory to import the desired user accounts