This access control list is not in canonical form and therefore cannot be modified.

Posts: 42
Topic starter
(@gflex)
Trusted Member
Joined: 8 years ago

Hi,

We upgraded to 1.4.2 and when I try to create a new organisation with Exchange I get this error:

Error creating organization. See audit log for more details. 

Server was unable to process request. ---> Error executing 'CREATE_ORG' task on 'gbo' ORGANIZATION ---> Server was unable to process request. ---> This access control list is not in canonical form and therefore cannot be modified.

00:00:01  Domain ID: 2758
00:00:01  Domain Name: gbo.xx
00:00:02  SetAclPermissions
Server was unable to process request. ---> This access control list is not in canonical form and therefore cannot be modified.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at SolidCP.EnterpriseServer.OrganizationController.CreateOrganization(Int32 packageId, String organizationId, String organizationName, String domainName)
00:00:02  ORGANIZATION_DELETE_ORG
00:00:02  Org ID: 7536
00:00:02  Org Name: gbo
00:00:02  Org ID: 7536
00:00:02  Org Name: gbo
00:00:02  Org ID: 7536
00:00:02  Org Name: gbo
00:00:02  BLACKBERRY_GET_BLACKBERRY_USERS
00:00:02  BLACKBERRY_GET_BLACKBERRY_USERS_COUNT
00:00:02  ORGANIZATION_CLEANUP_ORGANIZATION_ENTERPRISE_STORAGE
00:00:02  Org ID: 7536
00:00:02  Org Name: gbo
00:00:02  REMOTE_DESKTOP_SERVICES_CLEANUP
00:00:02  ORGANIZATION_FOLDERS_DELETE_ALL_FOLDERS
00:00:02  ORGANIZATION_FOLDERS_DELETE_FOLDERS_BY_TYPE
00:00:04  Org ID: 7536
00:00:04  Org Name: gbo
00:00:04  ORGANIZATION_DELETE_DOMAIN
00:00:04  Org ID: 7536
00:00:04  Org Name: gbo
00:00:04  Domain ID: 2758
00:00:04  Domain Name: gbo.xx
00:00:04  Domain ID: 2758
00:00:04  Domain Name: gbo.xx
00:00:04  Server was unable to process request. ---> This access control list is not in canonical form and therefore cannot be modified.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at SolidCP.EnterpriseServer.OrganizationController.CreateOrganization(Int32 packageId, String organizationId, String organizationName, String domainName)

[10/17/2018 3:56:21 PM] ERROR: HostedSolution
System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.
at System.Security.AccessControl.CommonAcl.RemoveQualifiedAces(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, Boolean saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DiscretionaryAcl.RemoveAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DirectoryObjectSecurity.ModifyAccess(AccessControlModification modification, ObjectAccessRule rule, Boolean& modified)
at System.Security.AccessControl.DirectoryObjectSecurity.RemoveAccessRule(ObjectAccessRule rule)
at System.Collections.Generic.List`1.ForEach(Action`1 action)
at SolidCP.Providers.HostedSolution.ActiveDirectoryUtils.RemoveIdentityAllows(String objectPath, IdentityReference identity)
at SolidCP.Providers.HostedSolution.ADPermission.SetOUAclPermissions(OrganizationProvider orgProvider, String organizationId, String rootDomain, String rootDomainPath)
at SolidCP.Providers.HostedSolution.OrganizationProvider.SetOUAclPermissions(String organizationId)

13 Replies
Posts: 1509
Admin
(@trobinson)
Noble Member
Joined: 9 years ago

Hello,

Sorry for the delay. I cannot recreate this on our development environment.

Can you confirm that in Configuration -> Servers -> Settings -> Active Directory Settings you have it set to use:

Security Mode: Use Active Directory Accounts

Authentication Type: None

Root domain: <Your domain>

Please then click update at the bottom of the page.

Also check that the SolidCP server which is the Hosted ORG is using an AD account which has Domain Admins rights.

If you're still having the error please check the Windows Event Log under Applications -> SolidCP.

Kind Regards,

Trevor Robinson

Posts: 42
Topic starter
(@gflex)
Trusted Member
Joined: 8 years ago

Hi Trevor,

Thanks for your reply.

Tested everything you mention, still no luck.

The strange thing is that before the update, when on 1.4.1, everything was running smoothly.

Are there any changes in 1.4.2 that can be related to this?

This is from the event log:

[10/17/2018 3:56:21 PM] ERROR: HostedSolution
System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.
at System.Security.AccessControl.CommonAcl.RemoveQualifiedAces(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, Boolean saclSemantics, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DiscretionaryAcl.RemoveAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DirectoryObjectSecurity.ModifyAccess(AccessControlModification modification, ObjectAccessRule rule, Boolean& modified)
at System.Security.AccessControl.DirectoryObjectSecurity.RemoveAccessRule(ObjectAccessRule rule)
at System.Collections.Generic.List`1.ForEach(Action`1 action)
at SolidCP.Providers.HostedSolution.ActiveDirectoryUtils.RemoveIdentityAllows(String objectPath, IdentityReference identity)
at SolidCP.Providers.HostedSolution.ADPermission.SetOUAclPermissions(OrganizationProvider orgProvider, String organizationId, String rootDomain, String rootDomainPath)
at SolidCP.Providers.HostedSolution.OrganizationProvider.SetOUAclPermissions(String organizationId)

Posts: 1509
Admin
(@trobinson)
Noble Member
Joined: 9 years ago

Hello,

Can you see if there is an information message just before the error which tells you what it's about to run?

This should help us narrow down the issue.

Do note that we do offer paid premium support if you would like us to have hands on with the issue using the contact button at the top of the page.

Kind Regards,

Trevor Robinson

Posts: 6
(@lostlogic)
Active Member
Joined: 7 years ago

We had this issue on a domain that was initially created with a Small Business Server (SBS).

The solution was to set the security rights of the base OU of the domain (DC=contoso,DC=com) to its defaults.

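A diagnostic for the exception discussed in this thread, added here as an example and not taken from the posts or from SolidCP: it walks a DACL supplied as SDDL and reports the first ACE that breaks canonical order, which is the condition `RemoveAccessRule` refuses to work on. The function name `Test-DaclCanonicalOrder` and the sample SDDL are constructed for illustration, and ordering inside the inherited group is not checked.

```powershell
# Added example (not SolidCP code). Stages a canonical DACL must follow:
#   0 = explicit deny, 1 = explicit allow, 2 = inherited.
# Simplification: order among the inherited ACEs themselves is not checked.
function Test-DaclCanonicalOrder {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # RawSecurityDescriptor parses the SDDL without enforcing any ACE order.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $stageNames = @('explicit deny', 'explicit allow', 'inherited')
    $current = 0
    $index = 0

    foreach ($ace in $sd.DiscretionaryAcl) {
        $qualifier = if ($ace -is [System.Security.AccessControl.QualifiedAce]) { $ace.AceQualifier } else { $null }

        if ($ace.IsInherited) { $stage = 2 }
        elseif ($qualifier -eq [System.Security.AccessControl.AceQualifier]::AccessDenied) { $stage = 0 }
        elseif ($qualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed) { $stage = 1 }
        else {
            # Audit, alarm or custom ACEs do not belong in a DACL.
            return [pscustomobject]@{
                Canonical = $false; Index = $index; Trustee = $null
                Reason    = "ACE type $($ace.AceType) is not valid in a DACL"
            }
        }

        if ($stage -lt $current) {
            # An earlier-stage ACE appears after a later-stage one.
            return [pscustomobject]@{
                Canonical = $false; Index = $index
                Trustee   = $ace.SecurityIdentifier.Value
                Reason    = "$($stageNames[$stage]) ACE follows $($stageNames[$current]) ACE"
            }
        }
        $current = $stage
        $index++
    }

    [pscustomobject]@{ Canonical = $true; Index = $null; Trustee = $null; Reason = $null }
}

# Constructed sample: an explicit allow is placed before an explicit deny.
$sample = 'D:(A;CI;RP;;;AU)(D;CI;WP;;;AU)(A;CIID;RP;;;BA)'
Test-DaclCanonicalOrder -Sddl $sample
```

Assuming the ActiveDirectory module's `AD:` drive is available, the SDDL of the base OU mentioned above can be read with `(Get-Acl 'AD:\DC=contoso,DC=com').Sddl` and passed to the function.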