Cannot determine the SID for the user while browsing BAM Portal
Recently I came across this well-known issue while browsing to the BAM Portal, and after a lot of troubleshooting it turned out to be caused by the way the BAM Management Web Service performs its authorization check.
In our case we were able to browse the BAM Portal, but the portal could not consume the out-of-the-box BAM Management Web Service, and the following entry appeared in the event viewer:
Event Type: Error
Event Source: Bam Web Service
Event Category: None
Event ID: 12033
Referenced database 'BAMPrimaryImport' on server 'MyComputer' is not accessible. The error is:
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.BizTalk.Bam.WebServices.AsyncResult.End(AsyncResult asyncResult)
at Microsoft.BizTalk.Bam.WebServices.Management.GetViewSummaryAsyncResult.End(IAsyncResult result)
We enabled BAM tracing. The trace contained the following:
06/20/2009 13:57:00 Microsoft.BizTalk.Bam.WebServices.Management.GetViewSummaryAsyncResult CompleteGetViewSummary Error Exception thrown
Object reference not set to an instance of an object.
at Microsoft.BizTalk.Bam.WebServices.TraceHelper.ThrowHelperSoapException(XmlQualifiedName faultCode, Exception exception, Int32 eventId, String message)
at Microsoft.BizTalk.Bam.WebServices.SecurityHelper.CompareUsernames(String user1, String user2)
at Microsoft.BizTalk.Bam.WebServices.Management.GetViewSummaryAsyncResult.ReadCurrentUsersViews(SqlDataReader sqlReader, Boolean isDbo)
I came across this blog post by Tiho, so we cross-checked the following points:
- BAMPrimaryImportDB is running under a domain account.
- SQL Server is running with Windows Authentication.
- We could browse to the BAM Management Web Service directly and invoke its web methods without any issue.
Later, while looking at the list of users who had access to the view, we found a user who no longer existed in Active Directory but still had access to the view. Once we removed that user from the view's access list, everything started working properly. So we wondered how a user who is not even present in Active Directory could cause such an issue.
We took a dive into the code. When you browse to the BAM Portal you see the list of views you have access to, and the job of filtering the views by authorization is done by the BAM Management Web Service. To do the authorization, BAM takes the list of all users and groups who have access to the view and compares each entry with the current user. The catch is how that comparison is done: it is not a string comparison. Each user or group name is translated to its security identifier (SID), and the SIDs are compared. In our case the name-to-SID translation was failing for the stale entry, because that user no longer existed in AD, and the resulting exception took down the whole GetViewSummary call instead of just skipping that one entry.
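Here is an added PowerShell script of my own, not code from the BAM Management Web Service or the product team, that does the same name-to-SID translation for every account granted on a view and reports the entries that no longer resolve in Active Directory, so you can find the stale entry without reading the trace. It assumes bm.exe is on the PATH (it lives in the BizTalk Tracking folder), that "bm get-accounts -View:<name>" prints one DOMAIN\account per line, and a view name supplied by the caller; the script file name and the exception handling around the translation are mine.

```powershell
# Added example (not BAM product code): resolve the accounts granted on a BAM
# view to SIDs, the way the Management Web Service does when comparing them
# with the current user, and report the entries that no longer map to an account.
# Assumptions: bm.exe is on the PATH and "bm get-accounts -View:<name>" prints
# one DOMAIN\account per line; adjust the parsing if your version differs.
param(
    [Parameter(Mandatory = $true)] [string] $ViewName,
    [switch] $Remove   # also run "bm remove-account" for each stale entry
)

function ConvertTo-Sid {
    # Translate DOMAIN\name (user or group) to a SecurityIdentifier.
    # Returns $null when the name no longer maps to an account; this is the
    # IdentityNotMappedException that the failing CompareUsernames did not handle.
    param([string] $AccountName)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($AccountName)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

function Test-SameAccount {
    # SID-based comparison: "CONTOSO\alice" and "contoso\Alice" compare equal,
    # a renamed account still matches, and an unresolvable name never matches.
    # Group membership is not evaluated here; this only compares two names.
    param([string] $Left, [string] $Right)
    $l = ConvertTo-Sid $Left
    $r = ConvertTo-Sid $Right
    if ($null -eq $l -or $null -eq $r) { return $false }
    return $l.Equals($r)
}

$current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Collect the view's access list from bm.exe, keeping only lines that look
# like DOMAIN\name (header and banner lines have no backslash).
$accounts = & bm.exe get-accounts "-View:$ViewName" 2>&1 |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object { $_ -match '^[^\\]+\\[^\\]+$' }

foreach ($acct in $accounts) {
    $sid = ConvertTo-Sid $acct
    if ($null -eq $sid) {
        Write-Warning "Stale entry on view '$ViewName': $acct does not resolve to a SID"
        if ($Remove) {
            & bm.exe remove-account "-AccountName:$acct" "-View:$ViewName"
        }
    } elseif (Test-SameAccount $acct $current) {
        Write-Host "$acct ($sid) is the current user $current"
    } else {
        Write-Host "$acct ($sid) resolves OK"
    }
}
```

Run it as a user who can execute bm.exe against the BAM databases, for example ".\Find-StaleBamAccounts.ps1 -ViewName MyView" to report, and add "-Remove" to clean up (the script name is mine). One caveat before removing anything: IdentityNotMappedException only tells you the name could not be resolved right now, and a domain controller that is unreachable produces the same exception as a deleted account, so confirm the account is really gone in Active Directory before treating an entry as stale.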
Unfortunately, the behaviour is the same in BizTalk 2009. The product team is working on this, and we should see a fix soon.