Scoped Access Error

Michael_Dugan

Hello,

Recently, I noticed an error appear with cache builder trying to get through user roles and access. I received a generic error stating that something is null, and I cannot determine what is happening. Basically, cache builder connects just fine to the domain controller to check users there and as it's adding users to the Incident Resolvers security role, this error is thrown:

2017-05-22 14:55:43,736, ERROR [   5]:  Error:

System.ArgumentNullException: Value cannot be null.

Parameter name: key

   at System.Collections.Generic.Dictionary`2.FindEntry(TKey key)

   at System.Collections.Generic.Dictionary`2.ContainsKey(TKey key)

   at Cireson.CacheBuilder.Service.Util.RoleUserUtil.GetUsers(IReadOnlyDictionary`2 loginNameMap, IReadOnlyDictionary`2 groupNames, String userOrGroupName, UserRole userRole)

   at Cireson.CacheBuilder.Service.Util.RoleUserUtil.<>c__DisplayClass31_1.<BuildRoleUserMapAsync>b__4(String u)

   at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()

   at Cireson.CacheBuilder.Service.Util.RoleUserUtil.<BuildRoleUserMapAsync>d__31.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Cireson.CacheBuilder.Service.Util.RoleUserUtil.<Rebuild>d__19.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Cireson.CacheBuilder.Service.Commands.ScopedAccessCommand.<>c__DisplayClass14_0.<<Synchronize>b__0>d.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   at Cireson.ServiceManager.DAL.Database.<Retry>d__11.MoveNext()

2017-05-22 14:55:43,740, ERROR [   5]:  Unable to sync SCOPED ACCESS, the operation failed permanently. Please review the log for errors, correct them, then restart the cachebuilder service.

Can anyone provide any explanation around that error?

Much appreciated!

Michael_Dugan

As a side note, we have truncated the CI$User, CI$DomainGroup, and LastModified tables in the ServiceManagement database -- but that did not resolve this error that we're getting.

merlenette_jones

Hello Michael,

Are you able to access the Portal still?

Looks like the groups may not be in the CMDB, I would recommend checking those AD groups exist and if not sync your AD connector.

When the cachebuilder service account tries to retrieve that group from active directory, it receives a null value. It's possible that the distinguished name for that group is out of sync with AD - so please check and see if that's the case here. If that's not the issue, then that probably indicates a permissions problem - here's what I would do: 1. Open powershell as the cachebuilder service account, on the machine where the cachebuilder is running
2. Using the Get-ADGroup command (refer: https://technet.microsoft.com/en-us/library/ee617196.aspx) try to retrieve the group

Jeremy_Whalen

I am having the same issue as @Michael_Dugan Was there ever a solution?
 

Rod_Marten

Jeremy,  I had similar errors.  My root cause is that there was an AD group in the SCSM CMDB that no longer existed in AD.  Deleting the group from the CMDB resolved the issue.

Jeremy_Whalen

Rod, ours was also AD related. We had several corrupted AD user accounts in our Analyst security group. We removed them and, after refreshing the AD connectors, we were back in business.

Narmin_Hemnani

Please let us know the steps to get the corrupted AD users and how you removed them