Problems logging into the CMS


I've installed EPiServer CMS 5 R2 SP1 on my machine (running Windows XP).

The demo templates are running fine in IIS and through Visual Studio, but I'm getting errors when trying to log into the actual CMS. I'm using my Windows account username and password and am getting the following error:

Some or all identity references could not be translated.
Exception Details: System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[IdentityNotMappedException: Some or all identity references could not be translated.]
System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) +7606192
System.Security.Principal.SecurityIdentifier.Translate(Type targetType) +100
EPiServer.Security.WindowsMembershipProvider.GroupNamesFromIdentity(WindowsIdentity identity, String[] deletePrefix) +259
EPiServer.Security.WindowsMembershipProvider.ValidateUser(String username, String password) +190
System.Web.UI.WebControls.Login.AuthenticateUsingMembershipProvider(AuthenticateEventArgs e) +60
System.Web.UI.WebControls.Login.OnAuthenticate(AuthenticateEventArgs e) +119
System.Web.UI.WebControls.Login.AttemptLogin() +115
System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +101
System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +37
System.Web.UI.WebControls.Button.OnCommand(CommandEventArgs e) +118
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +166
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565
 Can anyone help? 

 

 


#27990
Feb 16, 2009 17:23

Is there any solution to this? I am getting it on a CMS 6 R2 installation when trying to use ActiveDirectory.

 

[IdentityNotMappedException: Some or all identity references could not be translated.]
   System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) +450
   System.Security.Principal.SecurityIdentifier.Translate(Type targetType) +350
   EPiServer.Security.WindowsMembershipProvider.GroupNamesFromIdentity(WindowsIdentity identity, String[] deletePrefix) +310
   EPiServer.Security.WindowsRoleProvider.GetRolesForUser(String username) +190
   System.Web.Security.RolePrincipal.IsInRole(String role) +263
   EPiServer.Security.WindowsAdministratorsRole.IsInVirtualRole(IPrincipal principal, Object context) +40
   EPiServer.Security.VirtualRolePrincipal.IsInVirtualRole(String role, SecurityEntityType type) +168
   EPiServer.Security.VirtualRolePrincipal.IsInRole(String role, SecurityEntityType type) +579
   EPiServer.Security.WindowsAdministratorsRole.IsInVirtualRole(IPrincipal principal, Object context) +40
   EPiServer.Security.VirtualRolePrincipal.IsInVirtualRole(String role, SecurityEntityType type) +168
   EPiServer.Security.VirtualRolePrincipal.IsInRole(String role, SecurityEntityType type) +579
   EPiServer.Security.AccessControlList.QueryAccess(IPrincipal principal, AccessLevel maxAccess) +288
   EPiServer.Security.AccessControlList.QueryDistinctAccess(IPrincipal principal, AccessLevel access) +20
   EPiServer.PageBase.GetPage(PageReference pageLink, ILanguageSelector selector) +389
   EPiServer.Web.PageExtensions.SaveCurrentPage.get_CurrentPage() +375
   EPiServer.PageBase.InitializeCulture() +116
   ASP.default_aspx.__BuildControlTree(default_aspx __ctrl) in \default.aspx:1
   ASP.default_aspx.FrameworkInitialize() in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\470b9cc4\f65ffcf\App_Web_xtm4foch.1.cs:0
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +72
   System.Web.UI.Page.ProcessRequest() +269
   System.Web.UI.Page.ProcessRequest(HttpContext context) +167
   ASP.default_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\470b9cc4\f65ffcf\App_Web_xtm4foch.1.cs:0
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +625
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

#58342
Apr 19, 2012 17:21

AD can be a real pain sometimes.. Especially with domain prefixes.. My guess would be Windows can't authenticate the username, it's either non-existing or can't contact the domain controller or the username is truncated or something, try these things:

Is your username very long?

Try to prefix your logon name with the domain name..

Make sure you have access to the domain controller..

See if the user logon name and the legacy field (pre-windows 2000) match, try both (with/without domain prefix).

#58344
Apr 19, 2012 19:33

Hi

By looking at the stack traces you both get, I believe it's one of the groups that the user belongs to that cannot be translated by Windows.

The groups that belong to a WindowsIdentity are all in the form "S-1-2-3-4-5-nnn", which is not very friendly to the user, so a call to Translate() is made to get the more human-readable name, like "Everyone".

One of the logged-in user's groups fails this Translate call, and to find _which_ group that is would require some debugging on the machine, either hooking up the debugger and setting a breakpoint on the IdentityNotMappedException. One could also set up the debugger to dump a memory dump and then inspect it later if this is on a production server and the problem is not reproducible on a development machine.

I'd be happy to assist you in continuing troubleshooting if you want.

/johan

#58352
Edited, Apr 20, 2012 11:22

For me it was much simpler than that.  I had a mismatch in my web.config.

I was also using Multiplexor with ActiveDirectoryProvider first and WindowsProvider second. Removing the WindowsProvider made it work.

So I just changed from Multiplexor to only go with ActiveDirectoryProvider and now all is good.

#58359
Apr 20, 2012 14:46

Haha I'm glad you got it sorted :)

#58360
Apr 20, 2012 14:50

I still wonder why the WindowsProvider wouldn't work as a 2nd provider. I had a local Windows user I had been using up until connecting to the AD.

#58361
Apr 20, 2012 15:00

Troubleshooting this error right now on a 5R2 intranet that has been moved to a new domain. I have built a console app to catch which SID throws the error. In my case right now it's the lookup for S-1-18-1 (AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) that fails. The server is a Windows 2003 server but the domain controller is 2012.

http://support.microsoft.com/kb/2830145/en-us?sd=rss&spid=14019

We are looking into if the hotfix mentioned is available for 2003.

Otherwise I guess we need to implement our own WindowsMembershipProvider where public static string[] GroupNamesFromIdentity(WindowsIdentity identity, string[] deletePrefix) doesn't call Translate() for the new 2012 SIDs or just does a try/catch.

... or has anyone solved this another way when hosted on Windows 2003?

This is the console app I created and ran as a user from the troublesome domain:

namespace SecurityDebug
{
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Principal;
    using System.Text;

    public class Program
    {
        public static void Main(string[] args)
        {
            var identity = WindowsIdentity.GetCurrent();

            if (identity != null)
            {
                Console.WriteLine("Starting to list current user's (" + identity.Name + ") groups:");
                GetGroupNamesFromIdentity(identity);
            }
        }

        public static void GetGroupNamesFromIdentity(WindowsIdentity identity)
        {
            if (identity.Groups != null)
            {
                foreach (IdentityReference item in identity.Groups)
                {
                    Console.WriteLine();
                    Console.WriteLine(item.Value);

                    try
                    {
                        string value = item.Translate(typeof(NTAccount)).Value;
                        Console.WriteLine("Translated to: " + value);
                    }
                    catch (Exception)
                    {
                        Console.WriteLine("-- TRANSLATE FAILED --");
                    }
                }
            }
        }
    }
}

   

#80717
Edited, Jan 30, 2014 11:41

Did you solve this in some way, Johan? I have just run into the same problem after an AD upgrade on an EPi5 intranet.

#82729
Mar 19, 2014 8:14

Yes, I created my own WindowsRole and Membership provider. In there I just do:

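foreach (IdentityReference item in identity.Groups)
{
    string groupName;

    // Only SIDs that are not already in the name cache reach the switch.
    if (!IdentityToName.TryGetValue(item, out groupName))
    {
        switch (item.Value)
        {
            // SIDs that the Windows 2003 server cannot translate: log and skip them.
            case "S-1-18-1":
            case "S-1-18-2":
                Log.DebugFormat("2003 incompatible SID found: {0}", item.Value);
                continue;
        }

        // ... (the rest of the loop body is not shown in the post)
    }
}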

    

#82732
Mar 19, 2014 9:26
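
Added example, not code from any poster in this thread or from EPiServer: a stand-alone sketch that combines the two workarounds discussed above (skipping S-1-18-1 and S-1-18-2, and a per-SID try/catch around Translate()), and goes one step further by returning the SIDs it could not resolve so they can be logged. The class and method names are hypothetical, the meaning of deletePrefix (leading strings to strip from the translated name) is an assumption, and the sample SIDs in Main are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper for illustration; not EPiServer's WindowsMembershipProvider.
public static class TolerantGroupResolver
{
    // The two SIDs named in the thread as failing on the Windows 2003 server.
    private static readonly string[] KnownUnmappable = { "S-1-18-1", "S-1-18-2" };

    public static List<string> Resolve(IEnumerable<IdentityReference> groups,
                                       string[] deletePrefix, List<string> unresolved)
    {
        var names = new List<string>();
        foreach (IdentityReference sid in groups)
        {
            bool known = Array.IndexOf(KnownUnmappable, sid.Value) >= 0;
            string name = null;
            try { if (!known) name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { } // only this failure is tolerated
            if (name == null)
            {
                unresolved.Add(sid.Value); // recorded so the caller can log it
                continue;
            }
            // Assumption: deletePrefix holds leading strings such as "BUILTIN\" to strip.
            foreach (string prefix in deletePrefix)
            {
                if (name.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                {
                    name = name.Substring(prefix.Length);
                    break;
                }
            }
            names.Add(name);
        }
        return names;
    }

    public static void Main()
    {
        // Constructed input: a well-known SID, one from the thread, one made-up account SID.
        var sample = new IdentityReference[] { new SecurityIdentifier("S-1-1-0"),
            new SecurityIdentifier("S-1-18-1"),
            new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-9999") };
        var unresolved = new List<string>();
        List<string> names = Resolve(sample, new[] { "BUILTIN\\" }, unresolved);
        Console.WriteLine("Groups: " + string.Join(", ", names.ToArray()));
        Console.WriteLine("Unresolved: " + string.Join(", ", unresolved.ToArray()));
    }
}
```

A group whose SID ends up in the unresolved list contributes no role name, so any access granted through that group is not applied until the translation problem itself is fixed.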