SBS2011: Unable to login to RWA - An error (87) occurred while enumerating the groups. The group's SID could not be resolved

1. When a user tries to login to Remote Web Access from a client machine, it takes long time to evaluate user credentials. At the same time, you can observe following entries consistently in C:\Program Files\Windows Small Business Server\Logs\WebApp\RemoteAccess.log

[4664] 110721.142158.0004: RemoteAccess: [Identity] User not in RemoteAccess group should not access Content page
[4664] 110721.142158.0023: RemoteAccess: [Website] Request for path [ErrorPage] from []
[4664] 110721.142158.0023: RemoteAccess: [Extensibility] The request path 'ErrorPage' does not match any web add-in
[4664] 110721.142158.0033: RemoteAccess: [Website] Error page is called by path /error
[4664] 110721.142158.0033: RemoteAccess: [Identity] User not in RemoteAccess group should not access Content page
[4664] 110721.142158.0053: RemoteAccess: [Website] Request for path [ErrorPage] from []
[4664] 110721.142158.0053: RemoteAccess: [Extensibility] The request path 'ErrorPage' does not match any web add-in
[4664] 110721.142158.0053: RemoteAccess: [Website] Error page is called by path /error
[4664] 110721.142158.0053: RemoteAccess: [Identity] User not in RemoteAccess group should not access Content page
[4664] 110721.142158.0092: RemoteAccess: [Website] Request for path [ErrorPage] from []
[4664] 110721.142158.0092: RemoteAccess: [Extensibility] The request path 'ErrorPage' does not match any web add-in
[4664] 110721.142158.0092: RemoteAccess: [Website] Error page is called by path /error
[4664] 110721.142158.0092: RemoteAccess: [Identity] User not in RemoteAccess group should not access Content page

2. If you try to login to Remote Web Access with the same user on the server itself, you get following exception on the web page:

An error (87) occurred while enumerating the groups.  The group's SID could not be resolved.


Description:An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (87) occurred while enumerating the groups.  The group's SID could not be resolved.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace:

[PrincipalOperationException: An error (87) occurred while enumerating the groups. The group's SID could not be resolved.]
 System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids) +1318
 System.DirectoryServices.AccountManagement.SidList..ctor(List`1 sidListByteFormat, String target, NetCred credentials) +265
 System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.TranslateForeignMembers() +568
 System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.MoveNextForeign(Boolean& outerNeedToRetry) +135
 System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.MoveNext() +136
 System.DirectoryServices.AccountManagement.FindResultEnumerator`1.MoveNext() +137
 System.Linq.Enumerable.Contains(IEnumerable`1 source, TSource value, IEqualityComparer`1 comparer) +280
 Microsoft.WindowsServerSolutions.Web.Security.SBSRoleProvider.GetRolesForUser(String username) +443
 Microsoft.WindowsServerSolutions.Web.Security.WssgRoleProviderBase.CanUserAccessAddin(String username, Guid addinId) +347
 Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.CheckAccess(WebAddInInfo addinInfo) +337
 Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.LoadAddInFromDir(DirectoryInfo di, Boolean isBuiltIn) +520
 Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.LoadTopDir(Boolean isBuiltin) +528
 Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.LoadAddIns() +118
 Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.GetAddInArrayWithCulture(CultureInfo culture) +141
 Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.Sqm.RecordAddInCounts(ISqmProvider sqm) +37
 Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.Sqm.Record() +39
 Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.Global.Global_PostLogOn(Object sender, EventArgs e) +235
 Microsoft.WindowsServerSolutions.Web.Security.WssgMembershipProviderBase.Login(String username, String password) +144
 Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.LogOnHelper.LoginUser(String name, String password) +496
 Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.LogOn.LogOnButton_Click(Object sender, EventArgs ea) +496
 System.Web.UI.WebControls.ImageButton.OnClick(ImageClickEventArgs e) +134
 System.Web.UI.WebControls.ImageButton.RaisePostBackEvent(String eventArgument) +165
 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3691

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

3. At this point, you can also verify similar exception from C:\Program Files\Windows Small Business Server\Logs\WebApp\RemoteAccess.log:

[4664] 110721.135937.6574: RemoteAccess: [Identity] FABRIKAM\BobK logged on.
[4664] 110721.135937.6614: RemoteAccess: [Extensibility] Cannot load AddInfoProvider; Provider not specified in the config file.
[4664] 110721.135937.6614: RemoteAccess: [Extensibility] Create a WebAddInLoader in Session : cc89df56-abc3-474d-a5d7-b5b7f68eb040
[4664] 110721.135937.6614: RemoteAccess: [Extensibility] Try to load addins
[4664] 110721.135937.9629: RemoteAccess: [Website] Exception happens during rendering the file [~/AccountPage/Logon.aspx]; Error Code: 0x80004005
[4664] 110721.135937.9846: Exception:
---------------------------------------
An exception of type 'Type: System.Web.HttpUnhandledException, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' has occurred.
Timestamp: 07/21/2011 13:59:37
Message: Exception of type 'System.Web.HttpUnhandledException' was thrown.
Stack:    at System.Web.UI.Page.HandleError(Exception e)
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest()
    at System.Web.UI.Page.ProcessRequest(HttpContext context)
    at Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.RealPageHandler.ProcessRequest(HttpContext context)
---------------------------------------
An exception of type 'Type: System.DirectoryServices.AccountManagement.PrincipalOperationException, System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' has occurred.
Timestamp: 07/21/2011 13:59:37
Message: An error (87) occurred while enumerating the groups.  The group's SID could not be resolved.
Stack:    at System.DirectoryServices.AccountManagement.SidList.TranslateSids(String target, IntPtr[] pSids)
    at System.DirectoryServices.AccountManagement.SidList..ctor(List`1 sidListByteFormat, String target, NetCred credentials)
    at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.TranslateForeignMembers()
    at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.MoveNextForeign(Boolean& outerNeedToRetry)
    at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.MoveNext()
    at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.MoveNext()
    at System.Linq.Enumerable.Contains[TSource](IEnumerable`1 source, TSource value, IEqualityComparer`1 comparer)
    at Microsoft.WindowsServerSolutions.Web.Security.SBSRoleProvider.GetRolesForUser(String username)
    at Microsoft.WindowsServerSolutions.Web.Security.WssgRoleProviderBase.CanUserAccessAddin(String username, Guid addinId)
    at Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.CheckAccess(WebAddInInfo addinInfo)
    at Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.LoadAddInFromDir(DirectoryInfo di, Boolean isBuiltIn)
    at Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.LoadTopDir(Boolean isBuiltin)
    at Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.LoadAddIns()
    at Microsoft.WindowsServerSolutions.Web.Extensibility.WebAddInLoader.GetAddInArrayWithCulture(CultureInfo culture)
    at Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.Sqm.RecordAddInCounts(ISqmProvider sqm)
    at Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.Sqm.Record()
    at Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.Global.Global_PostLogOn(Object sender, EventArgs e)
    at Microsoft.WindowsServerSolutions.Web.Security.WssgMembershipProviderBase.Login(String username, String password)
    at Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.LogOnHelper.LoginUser(String name, String password)
    at Microsoft.WindowsServerSolutions.Web.RemoteAccessSite.LogOn.LogOnButton_Click(Object sender, EventArgs ea)
    at System.Web.UI.WebControls.ImageButton.OnClick(ImageClickEventArgs e)
    at System.Web.UI.WebControls.ImageButton.RaisePostBackEvent(String eventArgument)
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

 

The issue is encountered if there are any unresolved SIDs or Foreign Security Principal as member of either of these groups:

Administrators
Windows SBS Remote Web Access Users
Windows SBS Link Users
Windows SBS Admin Tools Group

Check all the groups mentioned in 'Cause' section, for any unresolved (orphaned) SIDs or Foreign Security Principals. For example, here are steps to check the group "Administrators":

1. Open Active Directory Users and Computers

2. Expand <DomainName>.local and click on Builtin OU

3. Go to the properties of 'Administrators' builtin group and select 'Members' tab.

4. Check all the members and verify if its unresolved SID or Foreign Security Principal. Check all member groups recursively similarly.

5. Remove the unresolved SID or Foreign Security Principal and try to login to Remote Web Access again.

Caution: You can see all Foreign Security Principals in Active Directory Users and Computers > ForeignSecurityPrincipals OU. If there is any application or service which relies on any Foreign Security Principal to be member of the groups, for example "Administrators", then removing Foreign Security Principal from "Administrators" can cause that service/application to break.