Troubleshooting: Unable to log in to Orchestrator using an AD user on a different domain than the Orchestrator

How do you resolve login failures for a user who is in a different domain than Orchestrator when a trust exists between the two domains?

Problem

A user in a different domain than the Orchestrator cannot log in, even though a trust exists between the two domains.

Cause

The Orchestrator machine cannot resolve the DNS entry for the domain of the user trying to log into Orchestrator.

Solution

The customer needs to work with their IT team to fix the DNS entries for the DC of the authenticating user's domain.
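A check that can be run on the Orchestrator machine to confirm whether the DC locator records of the user's domain resolve, before and after the DNS fix. This is an added example, not part of the original article or of UiPath's tooling; the function name Test-TrustedDomainDns and the domain 'firstdomain.example' are placeholders.

```powershell
# Added example: run on the Orchestrator server.
# 'firstdomain.example' is a placeholder for the DNS name of the
# authenticating user's domain; Test-TrustedDomainDns is a hypothetical name.
function Test-TrustedDomainDns {
    param(
        [Parameter(Mandatory)] [string] $UserDomain
    )

    # Domain controllers are located through SRV records in the _msdcs zone,
    # the zone that is paused in the replication steps.
    $srvName = "_ldap._tcp.dc._msdcs.$UserDomain"
    $result = [ordered]@{
        Domain      = $UserDomain
        SrvRecord   = $srvName
        SrvResolved = $false
        Error       = $null
        Controllers = @()
    }

    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
    } catch {
        # This is the failing state described under "Cause".
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }
    $result.SrvResolved = [bool]$srv

    foreach ($rec in $srv) {
        $dc = [ordered]@{ Host = $rec.NameTarget; Address = $null; Ldap389 = $false }
        try {
            # Each SRV target must also resolve to an address and accept LDAP.
            $a = Resolve-DnsName -Name $rec.NameTarget -Type A -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
            $dc.Address = $a.IPAddress
            $dc.Ldap389 = Test-NetConnection -ComputerName $rec.NameTarget -Port 389 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        } catch {
            $dc.Address = "unresolved: $($_.Exception.Message)"
        }
        $result.Controllers += [pscustomobject]$dc
    }
    [pscustomobject]$result
}

Test-TrustedDomainDns -UserDomain 'firstdomain.example' | Format-List
```

If SrvResolved is False, or a controller shows an unresolved address, the Orchestrator machine is in the state described under Cause.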

Replicating

The problem can be replicated by breaking the ability to resolve the DNS entry for the domain of the authenticating user:

  1. Create 2 domains with 2 different DCs (FirstDomain, FirstDomainDC, SecondDomain, SecondDomainDC)
  2. Create a two-way trust between FirstDomain and SecondDomain (type External, non-transitive, domain-wide authentication)
  3. Create one user, FirstUser, on FirstDomain and assign it to FirstGroup in FirstDomain
  4. Add FirstUser to a SecondDomain group
  5. Provision Orchestrator in SecondDomain with a SecondDomain user
  6. Import FirstGroup in Orchestrator
  7. Attempt Windows authentication with FirstUser: success
  8. On FirstDomain, open DNS Manager and disable the Forward Lookup Zones for the FirstDomainDC (pause the _msdcs.DOMAIN)
  9. Run IISRESET
  10. Browse to the Orchestrator login page
  11. Click the 'WindowsLogin' page
  12. Enter the credentials of FirstUser
  13. A 500 error occurs
  14. The events in Event Viewer are listed below in chronological order

 

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 2/13/2020 3:10:34 PM
Event time (UTC): 2/13/2020 1:10:34 PM
Event ID: 6871b264644c43e886a8fae5ccfd20e7
Event sequence: 1003
Event occurrence: 5
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT-1-132260695108999315
Trust level: Full
Application Virtual Path: /
Application Path: C:\Program Files (x86)\UiPath\Orchestrator\
Machine name: your_machine_name

Process information:
Process ID: 8224
Process name: w3wp.exe
Account name: your_account_name
Exception information:
Exception type: InvalidOperationException
Exception message: This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request. To allow GET requests, set JsonRequestBehavior to AllowGet.
at Abp.Web.Mvc.Controllers.Results.AbpJsonResult.ExecuteResult(ControllerContext context)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.<BeginInvokeAction>b__1(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
at Castle.DynamicProxy.AbstractInvocation.Proceed()
at Castle.DynamicProxy.AbstractInvocation.Proceed()
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
at Castle.Proxies.AccountControllerProxy.EndExecute_callback(IAsyncResult asyncResult)
at Castle.DynamicProxy.AbstractInvocation.Proceed()
at Castle.DynamicProxy.AbstractInvocation.Proceed()
at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at System.Web.HttpApplication.CallHandlerExecutionStep.<>c__DisplayClass7_0.<InvokeEndHandler>b__0()
at System.Web.HttpApplication.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar)
at System.Web.HttpApplication.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar)


Request information:
Request URL: https://rodelworch03.deskover.local:443/Account/ExternalLoginCallback?ReturnUrl=/&mayRegisterTenant=False
Request path: /Account/ExternalLoginCallback
User host address: 10.10.16.50
User: your_user
Is authenticated: True
Authentication Type: Negotiate
Thread account name: your_account_name
Thread information:
Thread ID: 61
Thread account name: your_account_name
Is impersonating: False
Stack trace: at Abp.Web.Mvc.Controllers.Results.AbpJsonResult.ExecuteResult(ControllerContext context)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.<BeginInvokeAction>b__1(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
at Castle.DynamicProxy.AbstractInvocation.Proceed()
at Castle.DynamicProxy.AbstractInvocation.Proceed()
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
at Castle.Proxies.AccountControllerProxy.EndExecute_callback(IAsyncResult asyncResult)
at Castle.DynamicProxy.AbstractInvocation.Proceed()
at Castle.DynamicProxy.AbstractInvocation.Proceed()
at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at System.Web.HttpApplication.CallHandlerExecutionStep.<>c__DisplayClass7_0.<InvokeEndHandler>b__0()
at System.Web.HttpApplication.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar)
at System.Web.HttpApplication.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar)
Error retrieving AD security groups for USER.System.DirectoryServices.AccountManagement.PrincipalOperationException: Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX)). ---> System.Runtime.InteropServices.COMException: Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX)).
at void System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at string System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
at ResultSet System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
--- End of inner exception stack trace ---
at ResultSet System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at ResultSet System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
at IReadOnlyList<DirectoryGroupDto> UiPath.Orchestrator.Core.DirectoryService.ActiveDirectoryClient.GetGroupsByUser(string domain, string name)
System.Runtime.InteropServices.COMException (0x800401E4): Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX)).
at void System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at string System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
at ResultSet System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
UiPath.Orchestrator.Core.Exceptions.BadRequestException: Error code - 1413, Message - 'The user is not a member of the specified AD domain.' ---> System.DirectoryServices.AccountManagement.PrincipalOperationException: Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX)). ---> System.Runtime.InteropServices.COMException: Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX)).
at void System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at string System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
at ResultSet System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
--- End of inner exception stack trace ---
at ResultSet System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at ResultSet System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
at IReadOnlyList<DirectoryGroupDto> UiPath.Orchestrator.Core.DirectoryService.ActiveDirectoryClient.GetGroupsByUser(string domain, string name)
--- End of inner exception stack trace ---
at IReadOnlyList<DirectoryGroupDto> UiPath.Orchestrator.Core.DirectoryService.ActiveDirectoryClient.GetGroupsByUser(string domain, string name)
at async Task<IEnumerable<UiUser>> UiPath.Orchestrator.Core.DirectoryService.DirectoryUserManager.GetGroupsAsync(string domain, string name)
at async Task<IEnumerable<UiUser>> UiPath.Orchestrator.Core.DirectoryService.Extensions.GetGroupsAsync(IDirectoryUserManager manager, string loginName)
at async Task<IEnumerable<TenantDto>> UiPath.Orchestrator.Web.Common.ExternalUserMapping.DirectoryUserMapper.GetDirectoryUserTenantsAsync(ExternalLoginInfo info)
at async Task<List<TenantDto>> UiPath.Orchestrator.Web.Common.ExternalUserMapping.DirectoryUserMapper.GetTenantsAsync(ExternalLoginInfo info)
at async Task<ActionResult> UiPath.Orchestrator.Web.Controllers.AccountController.ExternalLoginCallback(string returnUrl, string tenancyName, Nullable<bool> mayRegisterTenant)
at object System.Web.Mvc.Async.TaskAsyncActionDescriptor.EndExecute(IAsyncResult asyncResult)
at IAsyncResult System.Web.Mvc.Async.AsyncControllerActionInvoker.BeginInvokeAsynchronousActionMethod(ControllerContext controllerContext, AsyncActionDescriptor actionDescriptor, IDictionary<string, object> parameters, AsyncCallback callback, object state)+(IAsyncResult asyncResult) => { }
at ActionResult System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult)
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at Func<ActionExecutedContext> System.Web.Mvc.Async.AsyncControllerActionInvoker+AsyncInvocationWithFilters.InvokeActionMethodFilterAsynchronouslyRecursive(int filterIndex)+() => { }
at ActionExecutedContext System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult)
at IAsyncResult System.Web.Mvc.Async.AsyncControllerActionInvoker.BeginInvokeAction(ControllerContext controllerContext, string actionName, AsyncCallback callback, object state)+() => { }
at IAsyncResult System.Web.Mvc.Async.AsyncControllerActionInvoker.BeginInvokeAction(ControllerContext controllerContext, string actionName, AsyncCallback callback, object state)+(IAsyncResult asyncResult) => { }
System.DirectoryServices.AccountManagement.PrincipalOperationException: Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX)). ---> System.Runtime.InteropServices.COMException: Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX)).
at void System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at string System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
at ResultSet System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
--- End of inner exception stack trace ---
at ResultSet System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at ResultSet System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
at IReadOnlyList<DirectoryGroupDto> UiPath.Orchestrator.Core.DirectoryService.ActiveDirectoryClient.GetGroupsByUser(string domain, string name)
System.Runtime.InteropServices.COMException (0x800401E4): Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX)).
at void System.DirectoryServices.AccountManagement.ADStoreCtx.LoadDomainInfo()
at string System.DirectoryServices.AccountManagement.ADStoreCtx.get_DnsDomainName()
at ResultSet System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)