Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.5K Microsoft Dynamics NAV
- 18.5K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 264 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 992 SQL General
- 385 SQL Performance
- 33 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 259 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Options
Error when creating new user(Error Message: Some or all identity references could not be translated)
apap
Member Posts: 67
Hi everyone,
we have a Dynamics NAV 2013 R2 installation (Version 7.10.36897).
The topology of the implementation is the following two virtual machines are used as application servers each one having one DynamicsNAV71 nav server instance,in front of them a load balancer,and behind them a SQL cluster with two nodes(vms) with always On availability group.
Only the windows client is used and windows authentication credential type is used.
NAV is connected into 2 domains (domain 1 and domain 2). All the servers are staged in domain 1. (please see the attachment for the hierarchy tree)
Users from both domains can access the windows client through the load balancer.New NAV Users from domain 1 can be created inside domain 1,and new users from domain 2 can be created inside domain 2
The error is raised when a Super user from domain 1 tries to create one new windows authenticated nav user user from domain 2.
Steps to get the error are the following:
1.Press the dropdownlist for selecting windows user name in new user card page
2.Then in the Select User,Group,Computer dialog box we select the location of domain 2
3.In the check name we pass a valid windows user Domain2\userx
4.When we go to press ok, we are prompted to pass the network credentials for an account with permissions for Domain 2.
5.We pass correct account credentials and when we press ok, we are getting this error: "A call to Microsoft.Dynamics.Nav.Management.DSObjectPicker.DSObjectPickerWrapper.InvokeDialogAndReturnSid failed with this message:Some or all identity references could not be translated)
The strange thing is that if we go and add the user through finding his windows sid from the powershell and then add him with a sql query it works, user is created correctly with any permissions we want,can access the client etc. (or if we use the cmdlet -NewNAVserverUSer)
So if we follow the steps:
1.In powershell
$objUser = New-Object System.Security.Principal.NTAccount(" Domain2\userx ")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
it returns a valid sid
2.in sql server
USE [NAV]
DECLARE @USERSID uniqueidentifier, @WINDOWSSID nvarchar(119), @USERNAME nvarchar(50), @USERSIDTXT varchar(50)
SELECT NEWID()
SET @USERNAME = 'Domain2\userx'
SET @USERSID = NEWID()
SET @USERSIDTXT = CONVERT(VARCHAR(50), @USERSID)
SET @WINDOWSSID = 'S-1-x-xx-xxxxx-xxxxx-xxxx-xxxx'
INSERT INTO [dbo].[User]
([User Security ID],[User Name],[Full Name],[State],[Expiry Date],[Windows Security ID],[Change Password],[License Type]
,[Authentication Email])
VALUES
(@USERSID,@USERNAME,'',0,'1753-01-01 00:00:00.000',@WINDOWSSID,0,0,'')
INSERT INTO [dbo].[User Property]
([User Security ID],[Password],[Name Identifier],[Authentication Key],[WebServices Key],[WebServices Key Expiry Date],
[Authentication Object ID])
VALUES
(@USERSID,'','','','','1753-01-01 00:00:00.000','')
INSERT INTO [dbo].[Access Control]
([User Security ID],[Role ID],[Company Name])
VALUES
(@USERSID,'SUPER','')
GO
Any thoughts,proposals are very much appreciated
Kind regards
PS We have found the following two relevant posts but in the first one the issue is bypassed and it won't say why it works or not
https://community.dynamics.com/nav/f/34/t/144073
and we did find another trusted domain related issue in the following article:
forum.mibuso.com/discussion/26615/nav-5-login-on-trusted-domain-problem
we have a Dynamics NAV 2013 R2 installation (Version 7.10.36897).
The topology of the implementation is the following two virtual machines are used as application servers each one having one DynamicsNAV71 nav server instance,in front of them a load balancer,and behind them a SQL cluster with two nodes(vms) with always On availability group.
Only the windows client is used and windows authentication credential type is used.
NAV is connected into 2 domains (domain 1 and domain 2). All the servers are staged in domain 1. (please see the attachment for the hierarchy tree)
Users from both domains can access the windows client through the load balancer.New NAV Users from domain 1 can be created inside domain 1,and new users from domain 2 can be created inside domain 2
The error is raised when a Super user from domain 1 tries to create one new windows authenticated nav user user from domain 2.
Steps to get the error are the following:
1.Press the dropdownlist for selecting windows user name in new user card page
2.Then in the Select User,Group,Computer dialog box we select the location of domain 2
3.In the check name we pass a valid windows user Domain2\userx
4.When we go to press ok, we are prompted to pass the network credentials for an account with permissions for Domain 2.
5.We pass correct account credentials and when we press ok, we are getting this error: "A call to Microsoft.Dynamics.Nav.Management.DSObjectPicker.DSObjectPickerWrapper.InvokeDialogAndReturnSid failed with this message:Some or all identity references could not be translated)
The strange thing is that if we go and add the user through finding his windows sid from the powershell and then add him with a sql query it works, user is created correctly with any permissions we want,can access the client etc. (or if we use the cmdlet -NewNAVserverUSer)
So if we follow the steps:
1.In powershell
$objUser = New-Object System.Security.Principal.NTAccount(" Domain2\userx ")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
it returns a valid sid
2.in sql server
USE [NAV]
DECLARE @USERSID uniqueidentifier, @WINDOWSSID nvarchar(119), @USERNAME nvarchar(50), @USERSIDTXT varchar(50)
SELECT NEWID()
SET @USERNAME = 'Domain2\userx'
SET @USERSID = NEWID()
SET @USERSIDTXT = CONVERT(VARCHAR(50), @USERSID)
SET @WINDOWSSID = 'S-1-x-xx-xxxxx-xxxxx-xxxx-xxxx'
INSERT INTO [dbo].[User]
([User Security ID],[User Name],[Full Name],[State],[Expiry Date],[Windows Security ID],[Change Password],[License Type]
,[Authentication Email])
VALUES
(@USERSID,@USERNAME,'',0,'1753-01-01 00:00:00.000',@WINDOWSSID,0,0,'')
INSERT INTO [dbo].[User Property]
([User Security ID],[Password],[Name Identifier],[Authentication Key],[WebServices Key],[WebServices Key Expiry Date],
[Authentication Object ID])
VALUES
(@USERSID,'','','','','1753-01-01 00:00:00.000','')
INSERT INTO [dbo].[Access Control]
([User Security ID],[Role ID],[Company Name])
VALUES
(@USERSID,'SUPER','')
GO
Any thoughts,proposals are very much appreciated
Kind regards
PS We have found the following two relevant posts but in the first one the issue is bypassed and it won't say why it works or not
https://community.dynamics.com/nav/f/34/t/144073
and we did find another trusted domain related issue in the following article:
forum.mibuso.com/discussion/26615/nav-5-login-on-trusted-domain-problem
0
Answers