A constraint violation occurred during ADFS 3 setup

  • Question

  • Hi,

    We are fighting ADFS 3 setup for a few days now.

    The error message appears after the DB setup.

    We investigated the source of the error by elevating the tracing log and found out it is related to the entries the ADFS generates in

    DN:'CN=.....,CN=ADFS,CN=Microsoft,CN=Program Data,DC=...  etc

    The exception from the trace log is:

    Exception: A constraint violation occurred.

    StackTrace:    at System.DirectoryServices.DirectoryEntry.CommitChanges()
       at Microsoft.IdentityServer.Dkm.ADRepository.SetGroupContainerSecurity(Guid keyGuid)
       at Microsoft.IdentityServer.Dkm.ADRepository.CreateGroupContainer()
       at Microsoft.IdentityServer.Dkm.DKMBase.InitializeGroup(IdentityReference identity)
       at Microsoft.IdentityServer.Configuration.Providers.DkmProvider.CreateDkmGroup(DkmConfiguration dkmSettings)
       at Microsoft.IdentityServer.Configuration.Tasks.DKMSetup.DKMSetupTask.DoSetupDKM(IDKMSetupContext context)
       at Microsoft.IdentityServer.Deployment.Core.Tasks.ConfigurationTaskBase.Execute(IDeploymentContext context, IProgressReporter progressReporter) 

    Our programmers decompiled the setup code and found the SetGroupContainerSecurity code.

    We ran the code in a standalone tester and got the same problem.

    We need to know what's the problem with our AD that gives us the error.

    The code is:

    // Decompiled from the ADFS setup assembly, as posted. Per the stack trace this is
    // Microsoft.IdentityServer.Dkm.ADRepository.SetGroupContainerSecurity; the helpers
    // GetDirectoryEntry and CanonicalizeAcl belong to that class and are not in this excerpt.
    // Namespaces the method needs:
    using System;
    using System.DirectoryServices;
    using System.Globalization;
    using System.Security.Principal;

    private void SetGroupContainerSecurity(Guid keyGuid)
    {
        // Bind to the DKM group container by objectGUID: "<GUID=...>"
        string bindPath = string.Format(CultureInfo.InvariantCulture, "<GUID={0}>", keyGuid.ToString());

        // Pass 1: stop inheriting ACEs from the parent container (keeping the inherited
        // ACEs as explicit copies), then write the new nTSecurityDescriptor.
        using (DirectoryEntry directoryEntry = this.GetDirectoryEntry(bindPath))
        {
            ActiveDirectorySecurity objectSecurity = directoryEntry.ObjectSecurity;
            if (!objectSecurity.AreAccessRulesCanonical)
            {
                CanonicalizeAcl(objectSecurity);
            }
            objectSecurity.SetAccessRuleProtection(true, true);
            directoryEntry.CommitChanges();
        }

        // Pass 2: drop every ACE for BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554).
        using (DirectoryEntry directoryEntry1 = this.GetDirectoryEntry(bindPath))
        {
            ActiveDirectorySecurity activeDirectorySecurity = directoryEntry1.ObjectSecurity;
            if (!activeDirectorySecurity.AreAccessRulesCanonical)
            {
                CanonicalizeAcl(activeDirectorySecurity);
            }
            activeDirectorySecurity.PurgeAccessRules(
                new SecurityIdentifier(WellKnownSidType.BuiltinPreWindows2000CompatibleAccessSid, null));
            directoryEntry1.CommitChanges();
        }

        // Pass 3: drop every ACE for NT AUTHORITY\Authenticated Users (S-1-5-11).
        using (DirectoryEntry directoryEntry2 = this.GetDirectoryEntry(bindPath))
        {
            ActiveDirectorySecurity objectSecurity1 = directoryEntry2.ObjectSecurity;
            if (!objectSecurity1.AreAccessRulesCanonical)
            {
                CanonicalizeAcl(objectSecurity1);
            }
            objectSecurity1.PurgeAccessRules(
                new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null));
            directoryEntry2.CommitChanges();
        }
    }

    Thanks

    Dror S

    Tuesday, February 28, 2017 4:12 PM

All replies

  • Top of my head, I'll say either a permission issue (you need to be a domain admin to run the wizard) or maybe something more tricky such as a modification of the maximum size of the thumbnailPhoto attribute. Ring any bells or are we far?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, February 28, 2017 9:01 PM
  • The violation can come from various fields.

    I'm not sure where to look.

    Is there a log in the AD that can give more detailed info on what fields caused this error?

    Dror

    Wednesday, March 1, 2017 6:41 AM
  • But can you check the security of the object in AD? To see if there isn't anything blocking the creation?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, March 3, 2017 3:47 PM
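An added example, not code from this thread and not part of the ADFS setup assembly: a read-only PowerShell audit of the DKM container that reports the same things the decompiled SetGroupContainerSecurity method tests before each CommitChanges() (whether the DACL is canonical, whether inheritance is already blocked, which ACEs exist for the two SIDs it purges), who currently holds WriteDacl on the object (what a CommitChanges() that rewrites the security descriptor requires), and whether the session runs as a domain admin as the first reply requires. It also computes the descriptor the setup would write, in memory only, so it can be compared with what AD holds; nothing is written back. It assumes the RSAT ActiveDirectory module is installed, and $ContainerDn is a placeholder for the DN from the trace log.

```powershell
# Added example (not from the original thread). Read-only: no Set-Acl, no CommitChanges().
# Assumptions: RSAT ActiveDirectory module present; $ContainerDn is a placeholder DN.
Import-Module ActiveDirectory

# Well-known SIDs that the decompiled setup method purges from the container's DACL.
$PreWin2000Sid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-554'  # BUILTIN\Pre-Windows 2000 Compatible Access
$AuthUsersSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'      # NT AUTHORITY\Authenticated Users

function Test-IsDomainAdmin {
    # Checks the current token for Domain Admins (RID 512). Run from an elevated session;
    # under UAC the filtered token carries the group as deny-only and IsInRole returns $false.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.SecurityIdentifier]"${domainSid}-512")
}

function Get-DkmContainerAclReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Get-Acl on the AD: drive returns System.DirectoryServices.ActiveDirectorySecurity,
    # the same type the decompiled method reads from DirectoryEntry.ObjectSecurity.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    # Explicit and inherited rules, identities resolved to SIDs for a stable comparison.
    $allRules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # ACEs the setup would purge in passes 2 and 3.
    $targeted = $allRules | Where-Object {
        $_.IdentityReference.Value -in @($PreWin2000Sid.Value, $AuthUsersSid.Value)
    }

    # Principals able to rewrite the DACL at all (GenericAll includes the WriteDacl bit).
    $writeDacl = $allRules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)
    }

    [pscustomobject]@{
        DistinguishedName       = $DistinguishedName
        Owner                   = $acl.GetOwner([System.Security.Principal.NTAccount]).Value
        AreAccessRulesCanonical = $acl.AreAccessRulesCanonical   # $false => setup calls CanonicalizeAcl first
        AreAccessRulesProtected = $acl.AreAccessRulesProtected   # $true  => pass 1 already applied
        AceCount                = @($allRules).Count
        TargetedAces            = @($targeted | Select-Object IdentityReference, ActiveDirectoryRights,
                                                              AccessControlType, IsInherited)
        WriteDaclAllowedTo      = @($writeDacl | ForEach-Object { $_.IdentityReference.Value })
        CurrentDaclSddl         = $acl.GetSecurityDescriptorSddlForm('Access')
    }
}

function Get-DkmContainerProjectedDacl {
    # Applies the decompiled method's three edits to an in-memory copy of the descriptor
    # (collapsed into one pass) and returns the resulting DACL as SDDL. Nothing is committed.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.SetAccessRuleProtection($true, $true)   # pass 1: block inheritance, keep copies
    $acl.PurgeAccessRules($PreWin2000Sid)        # pass 2
    $acl.PurgeAccessRules($AuthUsersSid)         # pass 3
    return $acl.GetSecurityDescriptorSddlForm('Access')
}

# Usage. The DN is a constructed placeholder; take the real one from the ADFS trace log
# (it has the form CN=<group guid>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=...).
$ContainerDn = 'CN=<group-guid>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=example,DC=com'

"Running as Domain Admin: $(Test-IsDomainAdmin)"
Get-DkmContainerAclReport -DistinguishedName $ContainerDn | Format-List
"Projected DACL after the setup's edits (not applied):"
Get-DkmContainerProjectedDacl -DistinguishedName $ContainerDn
```

Comparing CurrentDaclSddl with the projected SDDL shows exactly which ACEs the setup wizard is trying to remove or convert to explicit entries on that container; if WriteDaclAllowedTo does not include the account running the wizard (directly or through a group) the CommitChanges() in the stack trace has no right to write the descriptor, which is the permission case the first reply raises.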