[Active Directory Group Mapping] Active Directory Group Mapping Invalid Token error
Forge component by Hernâni Fernandes
Published on 02 Jun 2019

Trying to set up AD Group Mappings, but getting Invalid Token.  Looking for ideas on how to resolve.

We have installed the Active Directory and Active Directory Group Mapping Forge components.  We have a Reactive Web app, with AD and IDP connectors.  One is for our company and the other is for the client company so we can use both Azure AD domains for authentication.  We are attempting to connect the client Azure AD to map groups to roles.  The Access Token appears to be created correctly, however when we attempt to Create New Mapping for Roles or Groups we get an Invalid Token message.  We are not seeing what might be causing this.  We have followed the instructions on setting up these components.  Error logs indicate that the server could not be contacted (stack trace below).

The server could not be contacted.

eSpaceVer: Id=24892, PubId=0, CompiledWith=
RequestUrl: https://ts-dev.outsystemsenterprise.com/ActiveDirectoryGroupMapping/ADGroupToOSRoleMappingDetail.aspx?(Not.Licensed.For.Production)= (Method: GET)
AppDomain: /LM/W3SVC/1/ROOT/ActiveDirectoryGroupMapping-431-132562558432682292
FilePath: D:\OutSystems\Platform Server\running\ActiveDirectoryGroupMapping.101318386\ADGroupToOSRoleMappingDetail.aspx
ClientIp: X-Forwarded-For:
Locale: en-US
DateFormat: yyyy-MM-dd
PID: 3472 ('w3wp', Started='1/23/2021 12:09:30 AM', Priv=2306Mb, Virt=2113552Mb)
TID: 1265
Thread Name:
.NET: 4.0.30319.42000

[1] The server could not be contacted.
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String userName, String password)
at OutSystems.NssActiveDirectory.CssActiveDirectory.MssAD_SetGlobalDomain(String ssDomain, String ssContainer, String ssUsername, String ssPassword)
at ssActiveDirectoryCore.RssExtensionActiveDirectory.MssAD_SetGlobalDomain(HeContext heContext, String inParamDomain, String inParamContainer, String inParamUsername, String inParamPassword)

[2] The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
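
A reachability check for the failure in the stack trace above, as an added example that is not part of the original thread or of the Forge component. The trace ends in `LdapConnection.Connect()`, so the check looks up the domain controllers published for a domain and tests the LDAP ports from the machine it runs on. It assumes shell access to the web front-end server, and `corp.example.com` is a placeholder domain.

```powershell
# Added example: can this host locate and reach an LDAP server for a domain?
# 'corp.example.com' is a placeholder, not a value taken from the thread.
param(
    [string]$Domain = 'corp.example.com',
    [int[]]$Ports   = @(389, 636)   # LDAP and LDAPS
)

# Domain controllers are published in DNS as SRV records under this name.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"

try {
    $targets = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
} catch {
    Write-Warning "SRV lookup for ${srvName} failed: $($_.Exception.Message)"
    $targets = @()
}

if (-not $targets) {
    # Without a locatable domain controller, a domain-type PrincipalContext
    # has nothing to connect to.
    Write-Output "No domain controller could be located for $Domain from this host."
    return
}

# Test every advertised server on every port and collect the results.
$results = foreach ($dc in $targets) {
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server    = $dc
            Port      = $port
            Reachable = $r.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

if (-not ($results | Where-Object { $_.Reachable })) {
    Write-Output "Domain controllers resolve, but no LDAP port is reachable from this host."
}
```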


Rank: #698

Dear Mark

It seems the errors are due to some permission or server configuration issues either at the OutSystems or the Active Directory side.

The mapping is especially useful when you're authenticating the end users of your OutSystems applications using Active Directory, but this is not a requirement. You can still map Active Directory Groups to OutSystems Roles even when using Internal Authentication or LDAP.

Can you try this once, skipping the mapping, and try to use End User Authentication as described here: https://success.outsystems.com/Documentation/11/Developing_an_Application/Secure_the_Application/End_User_Management/End_Users_Authentication/Configure_Azure_AD_Authentication

Please feel free to share your thoughts.

Rank: #3786

@Manish Gupta 

Thanks for the response.  We have installed Azure AD authentication into our environment and are able to do SSO authentication with our Azure AD.  The next step we are working on is to now associate specific AD groups to roles in our application.  I have installed the Active Directory Group Mapping app from the Forge.  We set up a token and it indicates that it saves successfully.  However, when we go in to map the groups, we get an invalid token from the app.  It seems to indicate that it can't connect to an LDAP server.  One comment that is in the documentation at the bottom is that the web front ends need to be in the domain that Active Directory Group Mapping is trying to work in.  Not sure how we do this in the managed OutSystems environment.


Rank: #698

@Mark Collins, thanks for sharing the details here. I hope you have already checked this, but if you missed it, please check it, as it could help you: https://success.outsystems.com/Documentation/11/Developing_an_Application/Secure_the_Application/End_User_Management/End_Users_Authentication/Configure_LDAP_Authentication

Rank: #3786

Thanks for the link.  Will work with my AD team in the morning to see if the link you sent helps us connect to AD using LDAP.  I don't think we have done anything with LDAP for connectivity, just the AD connectivity using native OutSystems providers and IDP since we have 2 different AD groups that we need connected to our application.

Rank: #698

Okay, please let me know the progress. Many thanks.