Try our conversational search powered by Generative AI!
AI OnAI Off
Problems logging into the CMS
Is there any solution to this? I am getting it on a CMS 6 R2 installation when trying to use ActiveDirectory.
[IdentityNotMappedException: Some or all identity references could not be translated.]
System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) +450
System.Security.Principal.SecurityIdentifier.Translate(Type targetType) +350
EPiServer.Security.WindowsMembershipProvider.GroupNamesFromIdentity(WindowsIdentity identity, String[] deletePrefix) +310
EPiServer.Security.WindowsRoleProvider.GetRolesForUser(String username) +190
System.Web.Security.RolePrincipal.IsInRole(String role) +263
EPiServer.Security.WindowsAdministratorsRole.IsInVirtualRole(IPrincipal principal, Object context) +40
EPiServer.Security.VirtualRolePrincipal.IsInVirtualRole(String role, SecurityEntityType type) +168
EPiServer.Security.VirtualRolePrincipal.IsInRole(String role, SecurityEntityType type) +579
EPiServer.Security.WindowsAdministratorsRole.IsInVirtualRole(IPrincipal principal, Object context) +40
EPiServer.Security.VirtualRolePrincipal.IsInVirtualRole(String role, SecurityEntityType type) +168
EPiServer.Security.VirtualRolePrincipal.IsInRole(String role, SecurityEntityType type) +579
EPiServer.Security.AccessControlList.QueryAccess(IPrincipal principal, AccessLevel maxAccess) +288
EPiServer.Security.AccessControlList.QueryDistinctAccess(IPrincipal principal, AccessLevel access) +20
EPiServer.PageBase.GetPage(PageReference pageLink, ILanguageSelector selector) +389
EPiServer.Web.PageExtensions.SaveCurrentPage.get_CurrentPage() +375
EPiServer.PageBase.InitializeCulture() +116
ASP.default_aspx.__BuildControlTree(default_aspx __ctrl) in \default.aspx:1
ASP.default_aspx.FrameworkInitialize() in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\470b9cc4\f65ffcf\App_Web_xtm4foch.1.cs:0
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +72
System.Web.UI.Page.ProcessRequest() +269
System.Web.UI.Page.ProcessRequest(HttpContext context) +167
ASP.default_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\470b9cc4\f65ffcf\App_Web_xtm4foch.1.cs:0
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +625
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270
Apr 19, 2012 17:21
AD can be a real pain sometimes.. Especially with domain prefixes.. My guess would be Windows can't authenticate the username, it's either non-existing or can't contact the domain controller or the username is truncated or something, try these things:
Is your username very long?
Try to prefix your logon name with the domain name..
Make sure you have access to the domain controller..
See if the user logon name and the legacy field (pre-windows 2000) match, try both (with/without domain prefix).
Apr 19, 2012 19:33
Hi
By looking at the stacktraces you both get, I believe its one of the groups that the user belongs that cannot be translated by Windows.
The groups that belongs to a WindowsIdentity are all in the form "S-1-2-3-4-5-nnn", which is not very friendly to the user, so a call to Translate()
is made to get the more human readible name, like "Everyone".
One of the logged in user's groups fail this Translate call, and to find _which_ group that is would require some debugging on the machine, either hooking up the debugger and set a breakpoint onb the IdentityNotMappedException. One could also setup the debugger to dump a memory dump
and then inspect it later if this is on a production server and the problem is not reproducable on development machine.
I'd be happy to assist you in continuing troubleshooting if yo want.
/johan
Edited,
Apr 20, 2012 11:22
For me it was much simpler than that. I had a mismatch in my web.config.
I was also using Multiplexor with ActiveDirectoryProvider first and WindowsProvider second. Removing the WindowsProvider made it work.
So I just changed from Multiplexor to only go with ActiveDirectoryProvider and now all is good.
Apr 20, 2012 14:46
i still wonder why the windowsprovidor wouldnt work as a 2nd providor. I had a local windows user i had been using up until connecting to the AD.
Apr 20, 2012 15:00
Troubleshooting this error right now on a 5R2 intranet that has been moved to a new domain. I have built a console app to catch which SID throws the error. In my case right now it's the lookup for S-1-18-1 (AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) that fails. The server is a Windows 2003 server but the domain controller is 2012.
http://support.microsoft.com/kb/2830145/en-us?sd=rss&spid=14019
We are looking into if the hotfix mentioned is available for 2003.
Otherwise I guess we need to implement our own WindowsMembershipProvider where public static string[] GroupNamesFromIdentity(WindowsIdentity identity, string[] deletePrefix) doesn't call Translate() for the new 2012 SID's or just does a try/catch.
... or has anyone solved this another way when hosted on Windows 2003?
This is the console app I created and ran as a user from the troublesome domain:
namespace SecurityDebug
{
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Text;
public class Program
{
public static void Main(string[] args)
{
var identity = WindowsIdentity.GetCurrent();
if (identity != null)
{
Console.WriteLine("Starting to list current user's (" + identity.Name + ") groups:");
GetGroupNamesFromIdentity(identity);
}
}
public static void GetGroupNamesFromIdentity(WindowsIdentity identity)
{
if (identity.Groups != null)
{
foreach (IdentityReference item in identity.Groups)
{
Console.WriteLine();
Console.WriteLine(item.Value);
try
{
string value = item.Translate(typeof(NTAccount)).Value;
Console.WriteLine("Translated to: " + value);
}
catch (Exception)
{
Console.WriteLine("-- TRANSLATE FAILED --");
}
}
}
}
}
}
Edited,
Jan 30, 2014 11:41
Löste du detta på något sätt Johan? Jag har precis stött på motsvarande problem efter AD-uppgradering på ett EPi5-intranät.
Mar 19, 2014 8:14
Yes, I created my own WindowsRole and Membership provider. In there I just do:
foreach (IdentityReference item in identity.Groups)
{
string groupName;
if (!IdentityToName.TryGetValue(item, out groupName))
{
switch (item.Value)
{
case "S-1-18-1":
case "S-1-18-2":
Log.DebugFormat("2003 incompatible SID found: {0}", item.Value);
continue;
}
Mar 19, 2014 9:26
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.
I've installed EPiServer CMS 5 R2 SP1 on my maching (running Windows XP).
The demo templated are running fine in IIS and through Visual Studio, but I'm getting errors when trying to log into the actual CMS. I'm using my windows account username and password and am getting the following error: