Orchestrator Windows AD Group User Unable To Access The Orchestrator

Roles assigned to Active Directory groups do not take effect: the role assignment itself succeeds, but members of the AD group are still not granted access to Orchestrator.

Issue Description

When logging in through AD, while fetching group membership, the following error is thrown:

UiPath.IdentityServer.Directory.Abstractions.Interfaces.IDirectoryAdapterConfiguration Error retrieving AD security groups for .
InvalidOperationException: This Principal object represents a well-known SID and does not correspond to an actual store object. This operation is not supported on it.
   at System.DirectoryServices.AccountManagement.Principal.CheckFakePrincipal()
   at System.DirectoryServices.AccountManagement.Principal.GetUnderlyingObject()
   at UiPath.IdentityServer.Directory.Active.ActiveDirectoryExtensions.ToDirectoryGroupDto(GroupPrincipal principal, String domain)
   at UiPath.IdentityServer.Directory.Active.ActiveDirectoryClient.<>c__DisplayClass23_0.b__0(GroupPrincipal x)
   at System.Linq.Enumerable.SelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.WhereEnumerableIterator`1.ToArray
   at System.Collections.Immutable.ImmutableExtensions.FallbackWrapper`1.get_Count()
   at System.Collections.Immutable.ImmutableList`1.CreateRange(IEnumerable`1 items)
   at System.Collections.Immutable.ImmutableList`1.AddRange(IEnumerable`1 items)
   at System.Collections.Immutable.ImmutableList.ToImmutableList[TSource](IEnumerable`1 source)
   at UiPath.IdentityServer.Directory.Active.ActiveDirectoryClient.GetGroupsByUserPrincipalInternal(String domain, UserPrincipal principal)
   at UiPath.IdentityServer.Directory.Active.ActiveDirectoryClient.GetGroupsByUserPrincipal(String domain, Func`1 principalFunc, CancellationToken token)
   at UiPath.IdentityServer.Directory.Active.ActiveDirectoryClient.GetUserGroupsAsync(DirectoryIdentifier directoryIdentifier, IEnumerable`1 groupIdentifiers, CancellationToken token)

Root Cause

Because of how the user's AD membership is configured, one of the groups returned by GetGroupsByUserPrincipal is a well-known SID (a built-in principal with no backing object in the directory store). Calling GetUnderlyingObject on that principal throws, so the group fetch aborts before any groups are returned.


Resolution

Switch the group membership fetch strategy to TokenGroups. This strategy retrieves the user's groups through a different implementation (the directory's token groups rather than per-group principal objects), so it never reaches the code path that throws the error above, and it is also faster. For more details, see Performance - Best Practices.
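To make the two code paths concrete, here is an added C# illustration (not UiPath's code): the first method reproduces the per-principal enumeration that fails on a well-known SID, the second reads the tokenGroups attribute instead. The class and method names are my own, and the domain and account name are placeholders supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
// Added example, not UiPath code. Both methods look up a domain user by
// sAMAccountName; domain and samAccountName are caller-supplied placeholders.
static class AdGroupLookup
{
    // Failing pattern (matches the stack trace): GetUnderlyingObject() is called on
    // every group. A well-known SID such as NT AUTHORITY\Authenticated Users comes
    // back as a "fake" principal with no store object, so that call throws and aborts.
    public static List<string> GroupDnsViaPrincipals(string domain, string samAccountName)
    {
        using var ctx = new PrincipalContext(ContextType.Domain, domain);
        using var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)
                         ?? throw new ArgumentException($"user {samAccountName} not found");
        var dns = new List<string>();
        foreach (Principal group in user.GetAuthorizationGroups())
        {
            var entry = (DirectoryEntry)group.GetUnderlyingObject(); // throws for well-known SIDs
            dns.Add((string)entry.Properties["distinguishedName"].Value);
        }
        return dns;
    }

    // Token-groups strategy: the constructed tokenGroups attribute of the user object
    // holds the full transitive membership as raw SIDs. No per-group principal is
    // materialised, so a well-known SID is just translated like any other SID.
    public static Dictionary<string, string> GroupsViaTokenGroups(string domain, string samAccountName)
    {
        using var ctx = new PrincipalContext(ContextType.Domain, domain);
        using var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)
                         ?? throw new ArgumentException($"user {samAccountName} not found");
        var entry = (DirectoryEntry)user.GetUnderlyingObject(); // the user itself is a real object
        entry.RefreshCache(new[] { "tokenGroups" });           // constructed attribute: request it explicitly
        var groups = new Dictionary<string, string>();
        foreach (byte[] raw in entry.Properties["tokenGroups"])
        {
            var sid = new SecurityIdentifier(raw, 0);
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "<unresolved>"; }
            groups[sid.Value] = name;
        }
        return groups;
    }
}
```

Running GroupDnsViaPrincipals against a user whose membership includes a well-known SID reproduces the InvalidOperationException from the trace, while GroupsViaTokenGroups returns every SID, well-known ones included, in a single read.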