Gemini Community Support Site





No groups being retrieved from Active Directory

admin
scheduler

I am trying to configure and use the new Active Directory integration feature in Gemini v4.1.0 (build 3106).

I have entered the details into the Active Directory page and tested connectivity to AD successfully. When I go to the Global Groups page, select a group and navigate to the Active Directory tab, however, I see no AD groups in the list.

The scheduler service is installed and running but, despite the positive result from clicking the "Test" button, it seems the scheduler is failing to connect to AD as I'm getting the following errors in the event log:

Event Type: Error
Event Source: Countersoft Gemini - Active Directory
Event Category: None
Event ID: 0
Date: 12/07/2011
Time: 19:09:38
User: N/A
Computer:
Description: System - Unable to connect to the remote server -
   at System.Net.HttpWebRequest.GetResponse()
   at System.Xml.XmlDownloadManager.GetNonFileStream(Uri uri, ICredentials credentials)
   at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials)
   at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
   at System.Xml.XmlTextReaderImpl.OpenStream(Uri uri)
   at System.Xml.XmlTextReaderImpl.DtdParserProxy_PushExternalSubset(String systemId, String publicId)
   at System.Xml.XmlTextReaderImpl.DtdParserProxy.System.Xml.IDtdParserAdapter.PushExternalSubset(String systemId, String publicId)
   at System.Xml.DtdParser.ParseExternalSubset()
   at System.Xml.DtdParser.ParseInDocumentDtd(Boolean saveInternalSubset)
   at System.Xml.DtdParser.Parse(Boolean saveInternalSubset)
   at System.Xml.XmlTextReaderImpl.DtdParserProxy.Parse(Boolean saveInternalSubset)
   at System.Xml.XmlTextReaderImpl.ParseDoctypeDecl()
   at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
   at System.Xml.XmlTextReaderImpl.Read()
   at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)
   at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)
   at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
   at System.Xml.XmlDocument.Load(XmlReader reader)
   at System.Xml.XmlDocument.Load(Stream inStream)
   at CounterSoft.Gemini.Commons.Rest.Serializer.ConvertToObject[T](Stream stream)
   at CounterSoft.Gemini.WebServices.BaseService.GetObjectFromResponse[T](Stream stream, Int64 length)
   at CounterSoft.Gemini.WebServices.BaseService.ProcessResponse[T](String url, Object obj, RequestType requestType)
   at CounterSoft.Gemini.WebServices.UsersService.GetUsers(EntityLoadPattern loadPattern)
   at Countersoft.Gemini.Scheduler.ActiveDirectory.ActiveDirectory.Process()
   at Countersoft.Gemini.Scheduler.Process.Program.Main(String[] args)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

How can the test succeed, but the real sync connection fail?

Thanks, Nigel.

nharris · 1

Replies (13)

Is the scheduler service running OK otherwise, e.g. sending emails? Also, please check Gemini's system log for errors.


Saar Cohen · 5000

Yes, it's sending emails quite happily. The system log contains groups of three entries which seem to occur around the same time as it is trying to sync with AD. They are:

Thread was being aborted.
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at CounterSoft.Gemini.Web.Api.RestHandler.GetResponse(RequestDetails rd, MethodInfo method)

...followed by...

Thread was being aborted.
   at CounterSoft.Gemini.Web.Api.RestHandler.GetResponse(RequestDetails rd, MethodInfo method)
   at CounterSoft.Gemini.Web.Api.RestHandler.ProcessRequest(HttpContext context)

...and finally...

Request timed out.

To complete the picture from the Windows event log point-of-view, I see the following entries for source "Countersoft Gemini - Active Directory":

  • Started
  • Preparing Service Manager
  • Fetching Gemini configuration
  • Loading assembly Countersoft.Gemini.Scheduler.ActiveDirectory.dll
  • Initializing
  • Processing

...and the next entry is the "Unable to connect to the remote server" one mentioned before.


nharris · 1

How many users do you have in Gemini?

Can you try and change the request execution timeout in the web.config file?

<httpRuntime executionTimeout="90" maxRequestLength="44096" useFullyQualifiedRedirectUrl="false"/>

Change 90 to 300 please.


Mark Wing · 9108

We currently have 801 active users and 131 inactive.

I tried upping the timeout to 300 and I got event log entries like this:

Event Type: Error
Event Source: Countersoft Gemini - Active Directory
Event Category: None
Event ID: 0
Date: 13/07/2011
Time: 13:31:51
User: N/A
Computer:
Description: System - The operation has timed out -
   at System.Net.HttpWebRequest.GetResponse()
   at CounterSoft.Gemini.WebServices.BaseService.ProcessResponse[T](String url, Object obj, RequestType requestType)
   at CounterSoft.Gemini.WebServices.UsersService.GetUsers(EntityLoadPattern loadPattern)
   at Countersoft.Gemini.Scheduler.ActiveDirectory.ActiveDirectory.Process()
   at Countersoft.Gemini.Scheduler.Process.Program.Main(String[] args)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I have been having some performance problems with the SQL Server instance I am using, so, as an experiment, I tried moving the Gemini database temporarily to another instance. I then didn't get the above event log entry but got this (only an "information" entry) instead:

Could not Syncronised Active Directory groups

Neither failure resulted in new Gemini system log entries.


nharris · 1

Ah - from the (slightly mangled) gist of the above event log entry, I assumed it had not synchronised anything with AD, but I see that, in fact, it has pulled the list of AD groups over.

Not sure if this means it is working OK or if there was some other failure. I'll try mapping some groups and see what happens.


nharris · 1

The list of AD groups imported into Gemini appears to be limited to 1000, so I am restricted in what groups I can use for testing purposes. I first tried "Domain Users" and got the following in the event log:

Unable to Update AD Mapping for Active Directory group - Domain Users

Figuring it might be struggling with the number of users in that group, I switched to another I managed to find in the list, containing only five users. That, however, gives me:

System - Unable to connect to the remote server -
   at System.Net.HttpWebRequest.GetResponse()
   at System.Xml.XmlDownloadManager.GetNonFileStream(Uri uri, ICredentials credentials)
   at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials)
   at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
   at System.Xml.XmlTextReaderImpl.OpenStream(Uri uri)
   at System.Xml.XmlTextReaderImpl.DtdParserProxy_PushExternalSubset(String systemId, String publicId)
   at System.Xml.XmlTextReaderImpl.DtdParserProxy.System.Xml.IDtdParserAdapter.PushExternalSubset(String systemId, String publicId)
   at System.Xml.DtdParser.ParseExternalSubset()
   at System.Xml.DtdParser.ParseInDocumentDtd(Boolean saveInternalSubset)
   at System.Xml.DtdParser.Parse(Boolean saveInternalSubset)
   at System.Xml.XmlTextReaderImpl.DtdParserProxy.Parse(Boolean saveInternalSubset)
   at System.Xml.XmlTextReaderImpl.ParseDoctypeDecl()
   at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
   at System.Xml.XmlTextReaderImpl.Read()
   at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
   at System.Xml.XmlDocument.Load(XmlReader reader)
   at System.Xml.XmlDocument.Load(Stream inStream)
   at CounterSoft.Gemini.Commons.Rest.Serializer.ConvertToObject[T](Stream stream)
   at CounterSoft.Gemini.WebServices.BaseService.GetObjectFromResponse[T](Stream stream, Int64 length)
   at CounterSoft.Gemini.WebServices.BaseService.ThrowResponseException(WebResponse response)
   at CounterSoft.Gemini.WebServices.BaseService.ProcessResponse[T](String url, Object obj, RequestType requestType)
   at CounterSoft.Gemini.WebServices.GroupsService.RemoveGlobalGroupMembership(Int32 globalGroupId, Int32 userId)
   at Countersoft.Gemini.Scheduler.ActiveDirectory.ActiveDirectory.Process()
   at Countersoft.Gemini.Scheduler.Process.Program.Main(String[] args)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

or:

System - The operation has timed out -
   at System.Net.HttpWebRequest.GetResponse()
   at CounterSoft.Gemini.WebServices.BaseService.ProcessResponse[T](String url, Object obj, RequestType requestType)
   at CounterSoft.Gemini.WebServices.UsersService.GetUsers(EntityLoadPattern loadPattern)
   at Countersoft.Gemini.Scheduler.ActiveDirectory.ActiveDirectory.Process()
   at Countersoft.Gemini.Scheduler.Process.Program.Main(String[] args)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Again, nothing more is being added to the Gemini system log.


nharris · 1

Nigel, there is no restriction on the number of AD groups. Are you saying that Gemini imported only 1000 and you have more?

As for the errors, are those happening when the timeout is set to 300?


Mark Wing · 9108

I don't know how many groups we have defined, but there are precisely 1000 in gemini_adgroups and there are groups I know of that are not in that table.

Yes, the timeout is still set to 300. I just retried it and this time got:

Unable to Update AD Mapping for Active Directory group - GRPeitbu_users

Followed by:

System - Unable to connect to the remote server -
   at System.Net.HttpWebRequest.GetResponse()
   at System.Xml.XmlDownloadManager.GetNonFileStream(Uri uri, ICredentials credentials)
   at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials)
   at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
   at System.Xml.XmlTextReaderImpl.OpenStream(Uri uri)
   at System.Xml.XmlTextReaderImpl.DtdParserProxy_PushExternalSubset(String systemId, String publicId)
   at System.Xml.XmlTextReaderImpl.DtdParserProxy.System.Xml.IDtdParserAdapter.PushExternalSubset(String systemId, String publicId)
   at System.Xml.DtdParser.ParseExternalSubset()
   at System.Xml.DtdParser.ParseInDocumentDtd(Boolean saveInternalSubset)
   at System.Xml.DtdParser.Parse(Boolean saveInternalSubset)
   at System.Xml.XmlTextReaderImpl.DtdParserProxy.Parse(Boolean saveInternalSubset)
   at System.Xml.XmlTextReaderImpl.ParseDoctypeDecl()
   at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
   at System.Xml.XmlTextReaderImpl.Read()
   at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
   at System.Xml.XmlDocument.Load(XmlReader reader)
   at System.Xml.XmlDocument.Load(Stream inStream)
   at CounterSoft.Gemini.Commons.Rest.Serializer.ConvertToObject[T](Stream stream)
   at CounterSoft.Gemini.WebServices.BaseService.GetObjectFromResponse[T](Stream stream, Int64 length)
   at CounterSoft.Gemini.WebServices.BaseService.ThrowResponseException(WebResponse response)
   at CounterSoft.Gemini.WebServices.BaseService.ProcessResponse[T](String url, Object obj, RequestType requestType)
   at CounterSoft.Gemini.WebServices.GroupsService.RemoveGlobalGroupMembership(Int32 globalGroupId, Int32 userId)
   at Countersoft.Gemini.Scheduler.ActiveDirectory.ActiveDirectory.Process()
   at Countersoft.Gemini.Scheduler.Process.Program.Main(String[] args)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I also just tried upping the timeout to 500 to see if that had any effect but got the same result.

Bizarrely, I have just noticed that during the afternoon (when I was busy with another of the 18 things I'm trying to do at the same time!), it actually DID manage to create Gemini accounts for the five members of that AD group. What really throws me, though, is that the five event log entries reporting the creation of the new users are immediately followed by the "Unable to Update AD Mapping..." and the "System - Unable to connect to the remote server..." events described above so even then it didn't quite work correctly.


nharris · 1

Ok, will it be possible to do a remote session for us to look at settings and see if we can spot what the issue is? If so, please send an email to support at countersoft dot com


Mark Wing · 9108

Yes, I could do that - email just sent.

One thing I've noticed about the five accounts that I eventually succeeded in importing yesterday is that a couple of them happen to be inactive AD accounts, yet they are all imported into Gemini as active Gemini accounts. If I let this loose on our production system, that would mean a large number of unnecessary user accounts would be added to our Gemini instance, all of whom would appear in user picklists. Not good - is there any way to filter the accounts that are imported by the "inactive" property?


nharris · 1

Just been speaking to a developer who has done some AD integration work and he has pointed out the likely cause of the 1000 groups limit. Apparently, LDAP has a MaxPageSize parameter which limits the maximum number of objects that may be returned by a search - surprise, surprise, the default value is 1000.

Seems you can change the page size but the recommended technique is to check the result count returned with the first page of results and, if necessary, request further pages. Have a look at this article


nharris · 1
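Added example, not part of the original thread and not Gemini's code: the paged-search pattern the post above refers to, in the cookie-based form that LDAP's paged-results control uses. `SimulatedDirectory`, `fetch_unpaged` and `fetch_all` are hypothetical names, and the server is a constructed in-memory stand-in so the 1000-entry truncation can be reproduced offline.

```python
MAX_PAGE_SIZE = 1000  # server-side cap; 1000 is the default named in the post

class SimulatedDirectory:
    """Constructed stand-in for a directory server; not a real LDAP library."""

    def __init__(self, names):
        self.names = sorted(names)

    def search(self, page_size=None, cookie=b""):
        """One search request. Returns (entries, next_cookie, truncated)."""
        if page_size is None:  # unpaged request: capped at MAX_PAGE_SIZE
            entries = self.names[:MAX_PAGE_SIZE]
            return entries, b"", len(self.names) > MAX_PAGE_SIZE
        start = int(cookie) if cookie else 0  # real clients treat the cookie as opaque
        size = min(page_size, MAX_PAGE_SIZE)  # server never exceeds its own cap
        end = start + size
        next_cookie = str(end).encode() if end < len(self.names) else b""
        return self.names[start:end], next_cookie, False

def fetch_unpaged(directory):
    """What a sync sees without paging: at most MAX_PAGE_SIZE entries."""
    entries, _, truncated = directory.search()
    return entries, truncated

def fetch_all(directory, page_size=500):
    """Request pages, echoing the server's cookie, until it comes back empty."""
    results, cookie = [], b""
    while True:
        page, cookie, _ = directory.search(page_size=page_size, cookie=cookie)
        results.extend(page)
        if not cookie:  # empty cookie: the server has no further pages
            return results

# Constructed sample: 2350 group names, more than two server pages.
SAMPLE = SimulatedDirectory(f"GRP{i:04d}" for i in range(2350))
```

A sync that stops after the first response sees exactly 1000 groups, which matches the row count reported for gemini_adgroups earlier in the thread.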

Another thing I've been meaning to ask about this functionality is how user name changes are handled? The classic example is a female user gets married and changes her surname and email address. Do you track that to update the Gemini user account or does it consider it to be a new account?

Again, talking to my (semi) tame developer, he was logging AD's internal user identifier (a GUID, I think) against the matching Gemini userid (yes, we had developed some custom functionality along the same lines as yours). When such a change occurred, he could look up the GUID, find the previously-matched Gemini account and update it as necessary.

Obvious thing for you to do would be to put that GUID into the gemini_users table but I don't see it, so does that mean a duplicate account would be created in these circumstances?


nharris · 1
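Added example, not part of the original thread and not Gemini's code: a reconciliation pass that matches accounts on the AD GUID rather than on name or email, as described in the post above, and that also honours the disabled flag raised earlier in the thread. `AppUser`, `reconcile` and `run_sample` are hypothetical names, the sample data is constructed, and the code assumes each directory entry carries `objectGUID` and `userAccountControl`, where bit 0x0002 marks a disabled account.

```python
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts

@dataclass
class AppUser:  # hypothetical application-side account record
    user_id: int
    ad_guid: str  # AD objectGUID, stable across renames
    username: str
    email: str
    active: bool

def reconcile(ad_entries, app_users):
    """Apply AD state to app_users in place; return [(action, guid), ...]."""
    by_guid = {u.ad_guid: u for u in app_users}
    next_id = max((u.user_id for u in app_users), default=0) + 1
    actions = []
    for e in ad_entries:
        guid, name, mail = e["objectGUID"], e["sAMAccountName"], e["mail"]
        enabled = not (e["userAccountControl"] & ACCOUNTDISABLE)
        user = by_guid.get(guid)
        if user is None and not enabled:
            actions.append(("skipped-disabled", guid))  # never provision these
        elif user is None:
            user = AppUser(next_id, guid, name, mail, True)
            app_users.append(user)
            by_guid[guid] = user
            next_id += 1
            actions.append(("created", guid))
        elif (user.username, user.email, user.active) != (name, mail, enabled):
            user.username, user.email, user.active = name, mail, enabled
            actions.append(("updated", guid))  # rename or disable, same account
    return actions

# Constructed sample data; GUIDs shortened for readability.
EXISTING = [AppUser(1, "guid-a", "jsmith", "jsmith@example.test", True),
            AppUser(2, "guid-b", "pbrown", "pbrown@example.test", True)]
AD_SNAPSHOT = [
    {"objectGUID": "guid-a", "sAMAccountName": "jjones",    # renamed user
     "mail": "jjones@example.test", "userAccountControl": 0x200},
    {"objectGUID": "guid-b", "sAMAccountName": "pbrown",    # now disabled
     "mail": "pbrown@example.test", "userAccountControl": 0x202},
    {"objectGUID": "guid-c", "sAMAccountName": "old.temp",  # disabled, unknown
     "mail": "old.temp@example.test", "userAccountControl": 0x202},
    {"objectGUID": "guid-d", "sAMAccountName": "nlee",      # new, enabled
     "mail": "nlee@example.test", "userAccountControl": 0x200},
]

def run_sample():
    users = [AppUser(**vars(u)) for u in EXISTING]  # work on a copy
    return reconcile(AD_SNAPSHOT, users), users
```

Matching on name or email instead would treat the renamed user as a new person and leave the old account active with its existing permissions.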