Microsoft KB Archive/316329

= C++ Classes for Security Descriptor Editing in an ADSI Client Return Error 0x80070539 =

Article ID: 316329

Article Last Modified on 1/31/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2

-



This article was previously published under Q316329



SYMPTOMS
If you run a program that works with Active Directory, and the program changes the security on objects by editing access control lists (ACLs), the following error message may be returned when the program calls IADsSecurityDescriptor::put_DiscretionaryAcl:

Error code: 0x80070539 (decimal -2147023559)

Error message text: The security ID structure is invalid.

Error constant: ERROR_INVALID_SID

This problem may occur even though you do not use a security identifier (SID) when you add a new access control entry (ACE). For example, this problem may occur when you remove an ACE.



CAUSE
When it stores the ACE C++ objects as ACLs in the security descriptor, the program converts the account name to the corresponding SID. This also occurs for ACEs that already exist. If the domain controller for this operation does not respond, the code path may return &quot;ERROR_INVALID_SID.&quot; Note that &quot;ERROR_INVALID_SID&quot; may also be returned for account names that are not valid that you place in the ACL.

The domain that the account comes from is actually reachable because you have already mapped the SID in the ACL to an account name to populate the IADsAccessControlEntry classes. The error message occurs because the class library uses a different method of locating a domain controller for the accounts domain when the classes are converted back to the ACL structure.



RESOLUTION
To work around this behavior, use either of the following methods:
 * Do not set the security in the program. Instead, set the security manually.
 * Record a network trace of the traffic that the program generates on the network. Determine where the program tries to locate or contact a domain controller that does not respond. It is a good idea to filter for traffic in and out of the computer that is running the program, and to increase the trace buffer size.

You see successful DNS resolution and LDAP requests to this domain controller in the trace, but RPC sessions are not established and RPC requests do not succeed.

The errors can vary. The errors may include problems in creating the TCP session for the RPC session, unsuccessful RPC Bind requests to the endpoint mapper (session to TCP port 135), or unsuccessful RPC requests to the SAM server RPC interface. If you have trouble reading the network trace, you can contact Microsoft Product Support Services for help.

After you have identified the domain controller, fix the problem on that domain controller. How to fix the problem depends on the type of the problem. For example, the domain controller may be out of resources. You can ask Microsoft Product Support Services for help with this issue. If you cannot fix the problem in a timely fashion, remove all the ACEs for all accounts from this domain from the ACL on the object. Run the program and then add the accounts back to the ACL later, if appropriate.

To record a network trace, you can use the Network Monitor tool that is included with Windows 2000 Server (the program must run on this server in this case) or Microsoft Systems Management Server (SMS). If you cannot use one of these methods, you can contact Microsoft Product Support Services for a temporary version of this tool.

For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/directory/overview.asp

To create a trace by using the Network Monitor tool that is included with Windows 2000 Server:  Install the Network Monitor tool:  Click Start, point to Settings, click Control Panel, double-click Add/Remove Programs, and then click Add/Remove Windows Components. In the Windows Components Wizard, click Management and Monitoring Tools, and then click Details. In the Management and Monitoring Tools window, click Network Monitor Tools. Click OK, click Next, and then click Finish.  Configure Network Monitor and set a capture filter:  Click Start, point to Programs, click Administrative Tools, and then click Network Monitor.</li> On the Network Monitor Capture menu, click Filter.</li> Double-click (Address Pairs).</li> Under Station 1, click the local computer name. Under Direction, click the two-way arrow (<-->). Under Station 2, click *ANY.</li> Click OK, and then click OK.</li></ol> </li> Capture the data:  On the Capture menu, click Start.</li> Run the program that causes error 0x80070539.</li> After the error is reported, switch back to Network Monitor. On the Capture menu, click Stop.</li> On the Capture menu, click Display Captured Data.</li></ol> </li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbfix kbenv kbprb KB316329

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.