ActiveDirectoryRoleProvider causes IIS to restart

One morning I found myself in the delicate situation that an EPiServer website had crashed with the incredibly informative error message

“Faulting application w3wp.exe, version 6.0.3790.3959, stamp 45d6968e, faulting module kernel32.dll, version 5.2.3790.4480, stamp 49c51f0a, debug? 0, fault address 0x0000bef7.”

This error is due to an infinite loop that after a while crashes the entire app domain and forces a restart of the IIS. The reason this time for this infinite loop was a recursive call in EPiServers ActiveDirectoryRoleProvider class in the older versions of EPi 5 that can crash if the Active Directory (AD) has a group that is member of itself. Although this is highly unusual, it obviously happened in this case.

My recommendation is to check your EPi 5 sites if you have downloaded the code for ActiveDirectoryRoleprovider. The faulting method is:

   1:  private List<string> GetRolesForUserRecursive(DirectoryData entry)

   2:  {

   3:   List<string> subtree = new List<string>();

   4:   string[] propertyValue;

   5:   if (entry.TryGetValue(_memberOfAttribute, out propertyValue))

   6:   {

   7:    foreach (string role in propertyValue)

   8:    {

   9:     DirectoryData roleEntry = _factory.GetEntry(role);

  10:     if (roleEntry == null || roleEntry.SchemaClassName != "group")

  11:     {

  12:      continue;

  13:     }

  14:     string[] roleName;

  15:     if (roleEntry.TryGetValue(_roleNameAttribute, out roleName))

  16:     {

  17:      subtree.Add(roleName[0]);

  18:     }

  19:     subtree.AddRange(GetRolesForUserRecursive(roleEntry));

  20:    }

  21:   }

  22:   return subtree;

  23:  }

Things to notice in this code is that line 10 doesn’t check if the role has already been checked which means that line 19 will be run for the same role again…and again. A couple of thousand loops later the server crashes.

Fix:

I did a fix myself before I realized that EPiServer has already done it in the later versions of EPi 5. Using the reflector I noticed that this was fixed in EPiServer v5.2.375.236:

   1:  private void GetRolesForUserRecursive(DirectoryData entry, List<string> roles, HashSet<string> visitedDirectoryEntry)

   2:  {

   3:      string[] strArray;

   4:      if (entry.TryGetValue("memberOf", out strArray))

   5:      {

   6:        foreach (string str in strArray)

   7:        {

   8:          DirectoryData data = this._factory.GetEntry(str);

   9:          if (((data != null) && (data.SchemaClassName == "group")) &&
                 !visitedDirectoryEntry.Contains(data.DistinguishedName))

  10:          {

  11:           string[] strArray2;

  12:           if (data.TryGetValue(this._roleNameAttribute, out strArray2))

  13:           {

  14:               roles.Add(strArray2[0]);

  15:           }

  16:           visitedDirectoryEntry.Add(data.DistinguishedName);

  17:           this.GetRolesForUserRecursive(data, roles, visitedDirectoryEntry);

  18:          }

  19:        }

  20:      }

  21:  }

  22:   

In the new code EPiServer store which roles have been checked in a HashSet called visitedDirectoryEntry and only does a recursive call if that role hasn’t already been checked. If you want to update your code I would recommend to download the almighty reflector and use it on the new EPiServer.dll to grab their updated code for the RoleProvider. Even better would be if EPiServer could update their old code (that can still be downloaded).

Nasty bug that took me a few hours to solve. Hopefully this helps someone who has the same informative error message.

Good luck and happy coding!