GP2013R2 Web Client - unable to initialize because one of the accounts is invalid

(0) Share

Report

Posted on by llupardus

Attempting to install Web Client for GP2013 R2. Successfully installed and can launch site. However, from login screen after entering domain user & password, receive an unexpected error. Event viewer indicates "Unable to initialize the GPWebUserAccounts security group because one of the accounts is invalid." (full details below)

SQL query of ServiceSecurity table in GPWEBCLIENTSESSIONCENTRAL shows the correct domain account for GPWebUserAccounts (domain\group). This account is a group in AD, has admin rights to the machine & only users in group are domain admins. The error is thrown no matter what login we try to use, domain admin or not.

Any help anyone can provide would be appreciated.

- EventData

Unable to initialize the GPWebUserAccounts security group because one of the accounts is invalid. System.ArgumentException: Invalid Identity ---> System.Runtime.InteropServices.COMException: The specified directory service attribute or value does not exist. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_SchemaEntry() at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de) at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options) at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry) at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer() at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue) at Microsoft.Dynamics.GP.Web.Foundation.DirectoryServices.PrincipalManager.GetPrincipal(String userName) --- End of inner exception stack trace --- at Microsoft.Dynamics.GP.Web.Foundation.DirectoryServices.PrincipalManager.GetPrincipal(String userName) at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext() at Microsoft.Dynamics.GP.Web.Foundation.DirectoryServices.PrincipalManager.AddIdentityValues(String principalCollectionKey, IEnumerable`1 identityValues) at Microsoft.Dynamics.GP.Web.Website.Security.AuthenticationHandler.InitializePrincipalManager()

*This post is locked for comments

I have the same question (0)

All responses (8)

Answers (0)

Jonathan Fear on at

Like (0)

Report

The user you are logging in with is part of the group you specified during the install? What is the user running your services? Does that user have read access to the OUs in AD?

Was this reply helpful? Yes No
Perry Smith - CRi 1,692 on at

Like (0)

Report

I am getting the same error on a new Web Client install.

I have added the service user to have read rights to the OU the groups were created in with no luck.

Any other ideas?

Was this reply helpful? Yes No
IceMan 1,115 on at

Like (0)

Report

Running into this same problem on GP 2016 R2 Web client solution. Did you all come up with a solution?

Was this reply helpful? Yes No
Community Member on at

Like (1)

Report

Quick fix, in the GPCONFIGURATION database, table ServiceSecuirty under GroupID GPWebUserAccounts see if there are any accounts that are invalid or not from the AD, for instance an SQL account or an account from different domain. Delete any unnecessary entries.

The error is generated because one of the accounts listed in the SeriviceSecuirty table under Group ID WebUserAccounts is invalid.

Another way to fix this is to delete de GPCONFIGURATION database and run a repair of the gp web client.

Was this reply helpful? Yes No
Suggested answer

kdd281 469 on at

Like (0)

Report

I would run and repair on the install and confirm the proper AD permissions for the service account you are using, confirm the password and also make sure its not set to change the password at the next login.

Was this reply helpful? Yes No
Derek Albaugh on at

Like (1)

Report

To add on to this, anytime you run a repair or reinstall of Web Client, it's a good idea to drop the existing GPCONFIGURATION database and create a new one, as the repair or reinstall can cause duplicate records to be written to the database, and if a different account was entered during either of these processes from what was originally entered during the initial install, it can cause Web Client to not know which account it is supposed to use and throw errors such as this.

Another reason is when initial accounts are used but then deleted, if they show in the GPCONFIGURATION database tables, Web Client may still attempt to use them, even though they don't exist and give the type of errors shown above in this forum.

Thanks

Was this reply helpful? Yes No
Mitch.M 532 on at

Like (0)

Report

What happens if dropping the GPCONFIGURATION database and repairing again does not resolve the issue?

Was this reply helpful? Yes No
DynamicDiamond 7 on at

Like (0)

Report

We had received the same error as above. Your fix to remove the invalid entries from the ServiceSecurity table worked. Thanks!

Was this reply helpful? Yes No