Contents of this directory is archived and no longer updated.

Это будет краткая заметка по решению одной проблемы (пока причина проблемы не установлена) при установке OCSP Responder на контроллере домена под управлением Windows Server 2008 R2 RTM. При такой установке у вас в Application Log может появиться сообщение:

Log Name:      Application
Source:        SceCli
Date:          2009.08.13. 12:46:22
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      server.domain.com
Description:
Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.    Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").

2.    Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.    Start -> Run -> RSoP.msc
b.    Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c.    For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.    Remove unresolved accounts from Group Policy

a.    Start -> Run -> MMC.EXE
b.    From the File menu select "Add/Remove Snap-in..."
c.    From the "Add/Remove Snap-in" dialog box select "Add..."
d.    In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.    In the "Select Group Policy Object" dialog box click the "Browse" button.
f.    On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.    For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".

При установке компонента OCSP Responder роли Active Directory Certificate Services на контроллере домена создаются следующие локальные учётные записи:

  • OCSPISAPIAppPool
  • DefaultAppPool
  • WdiServiceHost

Этим учётным записям автоматически в Default Domain Controllers Policy в разделе User Rights Assignments выдаются следующие права и привилегии:

User Rights Assignment entry

 Account name

Adjust memory quotas for a process

OCSPISAPIAppPool
DefaultAppPool

Generate security audits

OCSPISAPIAppPool
DefaultAppPool

Profile system performance

WdiServiceHost

Replace a process level token

OCSPISAPIAppPool
DefaultAppPool

Однако, эти учётные записи локальные и контроллер домена неспособен их разрешить в SID, т.к. они не доменные. Для решения этой проблемы нужно задать префикс authority этих учётных записей следующим образом:

User Rights Assignment entry

 Account name

Adjust memory quotas for a process

IIS AppPool\OCSPISAPIAppPool
IIS AppPool\DefaultAppPool

Generate security audits

IIS AppPool\OCSPISAPIAppPool
IIS AppPool\DefaultAppPool

Profile system performance

NT Service\WdiServiceHost

Replace a process level token

IIS AppPool\OCSPISAPIAppPool
IIS AppPool\DefaultAppPool

Примечание: при добавлении этих записей вы должны вписывать эти имена прямо в поле Add user or group, а не использовать Browse и Check names.

Я пока не в курсе причины этой проблемы, но она отправлена на изучение в Windows Server Team, а пока – пользуйтесь этим решением :-)


Share this article:

Comments:

AC

There is a known bug in W2K8 R2 where modifying security settings in default domain controllers from W2K8 R2 GPEDIT.MSC causes the "NT Service\" prefix to be remomved for the WdiServiceHost account. A post RTM QFE is in the works. ETA = mid-October. Public Kb article with workaround should be available within a week. Snippet from WINLOGON log below identifies this root cause. Configure WdiServiceHost. Error 1332: No mapping between account names and security IDs was done. Cannot find WdiServiceHost. Configure S-1-5-21-2125830507-553053660-2246957542-519. add SeTimeZonePrivilege. User Rights configuration was completed with one or more errors. Workaround: 1. Open the GPTTMPL.INF file for the Default Domain Controller Policy of a domain controller logging the Event ID 1202. The path to the GPTTMPL.INF file when SYSVOL is located below %SystemRoot% is: %SystemRoot%\Sysvol\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GPTTMPL.INF 2. Locate the SeSystemProfilePrivilege entry in the GPTTMPL.INF and modify it as follows: Before: SeSystemProfilePrivilege = *S-1-5-32-544,WdiServiceHost After: SeSystemProfilePrivilege = *S-1-5-32-544,nt service\WdiServiceHost Note: NT Service\ should appear after the "," delimiter. Do not prefix NT Service\ with the "*" character. 3. Save the changes to GPTTMPL.INF. 4. From a command prompt on the console of the domain controller whose GPTTMPL.INF file was modified in Step 1, type Gpupdate /force. 5. View the Application log to see if a Event ID 1202 with status code 0x534 was logged. If so, review the WINLOGON.LOG to see if the event was caused by the WdiServiceHost security principal.

Vadims Podāns

Вот ссылка на соответствующую КБ: http://support.microsoft.com/kb/974639

Comments are closed.