[Active Directory] "Array dimensions exceeded supported range." Error when trying to add new AD group.

[Active Directory] "Array dimensions exceeded supported range." Error when trying to add new AD group.

  
Forge Component
(6)
Published on 2017-07-12 by Renato Pauleta
6 votes
Published on 2017-07-12 by Renato Pauleta

Hello,

I am trying to add an AD group for all our end users to have access to our application. We have already configured the AD in the application and we are now trying to add the AD group. We don't know if we need to create the group or if we should be able to search for the group.

We have attempted to add the AD group but we received the following error :
"Array dimensions exceeded supported range."

Below you will find a screenshot of the data that we used:



Please note: We were informed by our IT support staff that the SAM name has to be "DC-SG Star ARAS Dashboard".



Wallid Da Costa Gomez wrote:

Hello,

I am trying to add an AD group for all our end users to have access to our application. We have already configured the AD in the application and we are now trying to add the AD group. We don't know if we need to create the group or if we should be able to search for the group.

We have attempted to add the AD group but we received the following error :
"Array dimensions exceeded supported range."

Below you will find a screenshot of the data that we used:



Please note: We were informed by our IT support staff that the SAM name has to be "DC-SG Star ARAS Dashboard".



Hi Wallid,

I don't see a screenshot.

You only need to use the AD_GroupCreate if the group does not yet exist in the AD. If it was already created manually then you need to either search for it to know the Distinguished Name (DN) or use the DN directly if you're certain of its name.

Then you probably want to use the AD_UserAddToGroup to add users to the group. Is it here you're getting that error?



Hi Renato,

Here is the screenshot that we've mentioned in the previous post.


What we are trying to accomplish is to get a list of the users within the AD group we are trying to add for authorization purposes. We have already configured the site property with the AD Access Token. Because the group has already been created by our IT Support staff, we tried to do a search for it via the Group tab, but we did not get any results.

Maybe we are not doing the search for the group correctly on our end, but can we achieve this via the Active Directory component's interface or do wee need to use the Actions in "ActiveDirectoryCore". 

Wallid Da Costa Gomez wrote:

Hi Renato,

Here is the screenshot that we've mentioned in the previous post.


What we are trying to accomplish is to get a list of the users within the AD group we are trying to add for authorization purposes. We have already configured the site property with the AD Access Token. Because the group has already been created by our IT Support staff, we tried to do a search for it via the Group tab, but we did not get any results.

Maybe we are not doing the search for the group correctly on our end, but can we achieve this via the Active Directory component's interface or do wee need to use the Actions in "ActiveDirectoryCore". 

The error itself is something I need to check, but otherwise you don't need to create the group, because it already exists on the AD side.

So you should be able to do a search using the ADConfigurations module, the screens there are just examples on how to use the actions from Core.

You can search by "name" or by DN. If the group is in the same domain as the one you've configured in the access tokens, you should be able to see it. One way to see if the connection is working is by doing a plain search without any values on the inputs and you should get all the results.


Let me know how it goes.

Renato Pauleta wrote:

Wallid Da Costa Gomez wrote:

Hi Renato,

Here is the screenshot that we've mentioned in the previous post.


What we are trying to accomplish is to get a list of the users within the AD group we are trying to add for authorization purposes. We have already configured the site property with the AD Access Token. Because the group has already been created by our IT Support staff, we tried to do a search for it via the Group tab, but we did not get any results.

Maybe we are not doing the search for the group correctly on our end, but can we achieve this via the Active Directory component's interface or do wee need to use the Actions in "ActiveDirectoryCore". 

The error itself is something I need to check, but otherwise you don't need to create the group, because it already exists on the AD side.

So you should be able to do a search using the ADConfigurations module, the screens there are just examples on how to use the actions from Core.

You can search by "name" or by DN. If the group is in the same domain as the one you've configured in the access tokens, you should be able to see it. One way to see if the connection is working is by doing a plain search without any values on the inputs and you should get all the results.


Let me know how it goes.

We have tried it but we did not get any results. We proceeded with debugging and have found that the when the search action is using the token, the "DecryptAES26" action is giving the "Array dimensions exceeded supported range." error.


Ok.

Which version of the CryptoAPI extension are you guys using? I'm using 1.6.

When debugging can you see the token and the information from the access, name, domain, user?


Renato Pauleta wrote:

Ok.

Which version of the CryptoAPI extension are you guys using? I'm using 1.6.

When debugging can you see the token and the information from the access, name, domain, user?


We are using the same version. When debugging we can see the token, name and domain. 


I've found a potential issue within the backoffice. If you create an access token and then update it with more or less information it will not allow to decrypt. Still, I'm unsure this is the issue.


Can you try removing and creating the access token again? (don't forget to also update the token in the ADConfigurations module site property)



Renato Pauleta wrote:

I've found a potential issue within the backoffice. If you create an access token and then update it with more or less information it will not allow to decrypt. Still, I'm unsure this is the issue.


Can you try removing and creating the access token again? (don't forget to also update the token in the ADConfigurations module site property)



We've just tried it. But still no luck. We are getting the same error when we are debugging it.


That's really weird.

My last suggestion is to use the "ActiveDirectory" extension directly, by calling the AD_SetGlobalDomain first (with the Domain, Username and Password) and then the "AD_SearchGroup" and see if that works.

It seems to be a problem with the way I've built the token functionality to hide the password and improve security. I'll have to check what's going on with it. In the mean time if you can use the extension directly, at least you'll have a way of proceeding.

Thank you for the assistance and we will try out this suggestion.