
Question

Directory Server System.Runtime.InteropServices.COMException (0x00005011)

asked on October 31, 2017

I have a customer site that periodically is having issues with Directory Server syncing with AD.  When the sync fails, the DS Operational Trace Log list the following:

System.Runtime.InteropServices.COMException (0x00005011): Unknown error (0x5011)
   at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
   at System.DirectoryServices.SearchResultCollection.get_InnerList()
   at System.DirectoryServices.SearchResultCollection.get_Count()
   at Laserfiche.LicenseManager.ADGS.ADGSModule.ApplyADGSRule(LicenseCacheEntry lce, DirectorySearcher searcher, String rootDN, String host, IdentityProviderSpecs providerSpecs, ADGSRule rule, List`1 cycleCheck)
   at Laserfiche.LicenseManager.ADGS.ADGSModule.ApplyADGSRule(LicenseCacheEntry lce, DirectorySearcher searcher, IdentityProviderSpecs providerSpecs, ADGSRule rule)
   at Laserfiche.LicenseManager.ADGS.ADGSModule.SynchronizeDatabase(Object data)

Type:
System.Runtime.InteropServices.COMException

Stack Trace:
   at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
   at System.DirectoryServices.SearchResultCollection.get_InnerList()
   at System.DirectoryServices.SearchResultCollection.get_Count()
   at Laserfiche.LicenseManager.ADGS.ADGSModule.ApplyADGSRule(LicenseCacheEntry lce, DirectorySearcher searcher, String rootDN, String host, IdentityProviderSpecs providerSpecs, ADGSRule rule, List`1 cycleCheck)
   at Laserfiche.LicenseManager.ADGS.ADGSModule.ApplyADGSRule(LicenseCacheEntry lce, DirectorySearcher searcher, IdentityProviderSpecs providerSpecs, ADGSRule rule)
   at Laserfiche.LicenseManager.ADGS.ADGSModule.SynchronizeDatabase(Object data)

They are running Laserfiche Directory Server Version 10.0.0.270 on Windows 2012 R2.

Any ideas on the cause and/or how to resolve it?

0 0

Replies

replied on October 31, 2017

This might be a permissions issue: the user accessing AD does not have permission to do so.

Please check the following:

1. Where is this identity provider located? Under the internal domain, or in a cross domain?

If it is located cross domain, please provide the identity provider settings with a domain user's credential.

If you already provided LFDS with a domain user's credential to do the query, please double-check that the domain user is still active and the password has not expired. An easier way is just to fill out the query principal again on the identity provider General page.

2. What is the service user of Laserfiche Directory Server? You can check this in Microsoft Windows Admin Tools: Services.

If you left the query principal blank, LFDS will use its service user to access AD. If that service user does not have the required permissions, AD sync will fail as well.

1 0
replied on October 31, 2017

The domain service account that all LF services on that box run as has read permissions to AD, but has not been granted anything more.

Not sure what, if any, additional rights are needed to AD.

Here is what is set for the first Identity provider (local domain):

And here is the second (parent domain):

0 0
replied on October 31, 2017

1. Could you please further track down which IdP's AD sync failed by turning off its sync status and syncing AD manually?

2. Try filling out the domain user credentials in "User name" and "Password" under the IdP General tab, then sync AD manually. See if AD sync still fails and the same error is logged in ETW.

1 0
replied on October 31, 2017

Thank you so much for your help looking into this. It turned out that they had (without letting me know) added users from Domain C (no Identity Provider) into a synced group in Domain A (the local Domain), and the Domain A service account does not have permissions to Domain C's AD. After removing the Domain C users from the Domain A group, the sync completed as expected. They are going to create a Domain C service account that we can use to define the Identity Provider for Domain C and then try those users again.

If Domain C users are in a Domain A group, when the Domain A group is synced, will the Domain A Identity Provider be used since the sync'ed group is in Domain A or the Domain C Identity Provider because the users are in Domain C?

1 0
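The root cause above (a synced group in Domain A containing members the query principal cannot read in Domain C) can be checked before the next sync run. The following PowerShell script is an added example, not Laserfiche's code and not from this thread; it uses the same System.DirectoryServices API that appears in the stack trace to enumerate a group's members and report each member whose directory object the supplied credentials cannot read. The group DN, domain name and credentials are constructed placeholders, and the SID-resolution step for ForeignSecurityPrincipals runs under the script's own account rather than the supplied query principal.

```powershell
# Added example (not from the thread): find members of a synced AD group that the
# query principal cannot read, i.e. the condition that broke the Domain A sync above.
# All values below are constructed placeholders; replace them with real ones.
param(
    [string]$GroupDN    = 'CN=LF Users,OU=Groups,DC=domainA,DC=example',  # placeholder
    [string]$RootDomain = 'domainA.example',                               # placeholder
    [string]$User       = $null,   # leave blank to bind as the current (service) account
    [string]$Password   = $null
)

Add-Type -AssemblyName System.DirectoryServices

# Bind with the supplied query principal if one was given, else the current token,
# which mirrors the "query principal blank => LFDS service user" behaviour described above.
function New-Entry([string]$Path) {
    if ($User) {
        return New-Object System.DirectoryServices.DirectoryEntry($Path, $User, $Password)
    }
    return New-Object System.DirectoryServices.DirectoryEntry($Path)
}

# Read the group's member DNs. 'member' is multi-valued; very large groups return it
# in ranges, which this example does not page through.
$group   = New-Entry "LDAP://$RootDomain/$GroupDN"
$members = @($group.Properties['member'])

$results = foreach ($dn in $members) {
    # Derive the member's domain from the DC= components of its DN.
    # (Naive split: DNs with escaped commas in an RDN would need a real DN parser.)
    $dcParts = ($dn -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }
    $domain  = $dcParts -join '.'

    # Cross-forest members appear as ForeignSecurityPrincipals in the group's own domain;
    # the object is readable locally but the SID must still be resolved in the foreign domain.
    if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
        $sid = ($dn -split ',')[0].Substring(3)
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                           [System.Security.Principal.NTAccount]).Value
            [pscustomobject]@{ Member = $dn; Domain = 'foreign'; Readable = $true;  Error = $null; ResolvedAs = $account }
        } catch {
            [pscustomobject]@{ Member = $dn; Domain = 'foreign'; Readable = $false; Error = $_.Exception.Message; ResolvedAs = $null }
        }
        continue
    }

    try {
        $entry = New-Entry "LDAP://$domain/$dn"
        # RefreshCache forces the bind and read; it throws COMException when the query
        # principal lacks read access, the domain is untrusted, or it is unreachable.
        $entry.RefreshCache(@('objectClass'))
        [pscustomobject]@{ Member = $dn; Domain = $domain; Readable = $true;  Error = $null; ResolvedAs = $dn }
    } catch {
        [pscustomobject]@{ Member = $dn; Domain = $domain; Readable = $false; Error = $_.Exception.Message; ResolvedAs = $null }
    }
}

$results | Format-Table Member, Domain, Readable, Error -AutoSize

# Anything listed here will make the group's sync rule fail until the member is removed
# or an Identity Provider (with a principal that can read that domain) covers it.
$results | Where-Object { -not $_.Readable } | ForEach-Object {
    Write-Warning "Member '$($_.Member)' ($($_.Domain)) is not readable by the query principal: $($_.Error)"
}
```

Run it as the LFDS service account (or pass the IdP's query principal in -User/-Password) against each synced group; a member from a domain with no Identity Provider shows up as Readable = False with the access or referral error that the sync would otherwise surface only as the generic COMException in the trace log.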
replied on October 31, 2017

It only depends on how you set your AD rules in the Identity Provider. If the Domain C Identity Provider does not have an AD rule that contains a Domain C user, then this Domain C user won't get synced through the Domain C IdP.

If Domain C users are in a Domain A group and also in a Domain C group, and both AD groups have a corresponding AD sync rule set up in the IdP, then both AD rules will be applied during AD group sync.

0 0