comparevur.blogg.se

Sysinternals active directory











When Active Directory (AD) groups are used in policy, the ProxySG, via the BCAAA agent, performs a GroupOfInterest query of the AD infrastructure. This query is performed to look up the SID (Security Identifier) of each group in the policy. The SID is a number that uniquely identifies each group in the AD infrastructure, and BCAAA uses this number to compare the user's groups with the ProxySG's GroupsOfInterest following authentication.

After turning on BCAAA debug trace, you'll see a line similar to the following when BCAAA receives a GroupOfInterest query message from the ProxySG:

23:33:20.686 GOI: groups=89 length=2137

A very useful tool in troubleshooting this type of condition is the getsid.exe utility from Microsoft. It can be found at the following URL along with a number of other AD utilities:

The original purpose of the utility is to compare the SID of an account at two different domain controllers to ensure that the information is consistent. To retrieve this information, the utility invokes the 'LookupAccountName' API in a manner similar to the BCAAA agent. When using the tool in this way, use the following syntax, substituting the BCAAAServerNetBIOSName and the Group you are resolving. You will want to run this command on the system where the BCAAA agent that is not resolving the SIDs resides.

The output of the utility will be two SID values. Most likely, given the above situation where the group is not found, you will not receive values or you will receive an error. This can be used either to further diagnose the issue or to direct the focus, as appropriate, to the AD infrastructure.

This made getsid query 127.0.0.1, the BCAAA server, for this information. Because the BCAAA server belongs to the domain, it contacted a DC to retrieve the information. If getsid fails, then the BCAAA server was unable to query the group, and this may indicate that the customer has a problem with their AD deployment. The error code returned from getsid should match the error code in the BCAAA debug log, and may provide a clue as to the nature of the problem.
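The same lookup can be scripted for a whole list of policy groups. This is an added example, not code from the original page, from Microsoft or from the BCAAA vendor: it calls the LookupAccountName API named above for each group and reports either the SID or the Win32 error code (for instance 1332, ERROR_NONE_MAPPED, when the name cannot be resolved). The `Demo.Sid` helper type and the group names are hypothetical placeholders.

```powershell
# Added example: resolve policy group names to SIDs with LookupAccountName.
# Demo.Sid is a hypothetical helper type compiled here; it is not part of any product.
Add-Type -Namespace Demo -Name Sid -UsingNamespace System.Text -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
static extern bool LookupAccountName(string system, string account, byte[] sid,
    ref uint cbSid, StringBuilder domain, ref uint cchDomain, out int use);

// Win32 error code of the most recent failed Lookup call (0 after a success).
public static int LastError;

// Returns the binary SID for the account, or null with LastError set on failure.
public static byte[] Lookup(string system, string account) {
    uint cbSid = 0, cchDomain = 0; int use;
    // The first call passes no buffers and only asks for the required sizes.
    LookupAccountName(system, account, null, ref cbSid, null, ref cchDomain, out use);
    LastError = Marshal.GetLastWin32Error();
    if (LastError != 122) return null;          // 122 = ERROR_INSUFFICIENT_BUFFER
    byte[] buf = new byte[cbSid];
    StringBuilder dom = new StringBuilder((int)cchDomain);
    if (!LookupAccountName(system, account, buf, ref cbSid, dom, ref cchDomain, out use)) {
        LastError = Marshal.GetLastWin32Error();
        return null;
    }
    LastError = 0;
    return buf;
}
'@

$Server = $env:COMPUTERNAME     # assumption: the script runs on the BCAAA host itself
$Groups = 'EXAMPLE\Proxy-Admins', 'EXAMPLE\Proxy-Users'   # constructed group names

foreach ($g in $Groups) {
    $bytes = [Demo.Sid]::Lookup($Server, $g)
    if ($null -ne $bytes) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($bytes, 0).Value
        [pscustomobject]@{ Group = $g; Sid = $sid; Win32Error = 0 }
    } else {
        # Compare this code with the error code in the BCAAA debug log.
        [pscustomobject]@{ Group = $g; Sid = $null; Win32Error = [Demo.Sid]::LastError }
    }
}
```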












