Distribution Group Expansion failures

A customer reported that they were unable to expand Distribution Groups using Communicator 2007 R2 clients. Although the solution turned out to be simple, I want to document the steps I took so that they may help someone troubleshoot similar issues in the future. The case also emphasizes that the problem is not always in the product or application you are working on; it can be in the underlying platform.

This is the error that the users were getting:

Cannot perform this action, and the cause is unknown. Contact your system administrator to investigate this problem.

To check what was happening, I looked at the configuration information on the client to find the Internal Distribution Group Expansion URL. To do so, Ctrl+right-click the Communicator icon in the system tray and then click Configuration Information. The Distribution Group Expansion URLs are listed near the top as "DG URL Internal" and "DG URL External".

Since the problem occurred on the internal network as well as externally, we started with the internal side. The internal URL has the following format: https://<Pool FQDN>/GroupExpansion/Int/service.asmx

To test, we simply pasted the URL into IE on the client machine, were prompted for credentials, and were then presented with the DG expansion service page, which is expected. I made sure that no proxies were configured, and the Validation Wizard on the server passed as well. Since there were no obvious problems, I decided to collect STRACE logs for Communicator.exe and analyze them using HTTPReplay.

The STRACE log shows a 401 (which is why IE prompted for a password) followed by a 500 from the server. Here is the authenticated request and the 500 response:

 POST /GroupExpansion/Int/service.asmx HTTP/1.1
 Accept: text/xml
 SOAPAction: "DistributionListExpander/ExpandDistributionList"
 Content-Type: text/xml; charset=utf-8
 User-Agent: Microsoft+Office+Communicator/2.0
 Host: ocspool-fkl.mmc.com
 Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHgAAAAYABgAkAAAAAYABgBIAAAADAAMAE4AAAAeAB4AWgAAAAAAAACoAAAAAAAIogUBKAoAAAAPTQBHAEQAZQBkAGEAaABlAHIAQQBVAFMAWQBEAAAAAQBMAFAAMQA2ADYANgAyAFoAmvOAYNdNMBcAAAAAAAAAAAAAAAAAAAAAMcimIYIFnCkyISDgYYY5cJQCU6AhuS+w
 Connection: Keep-Alive
 Cache-Control: no-cache
 Content-Length: 425
 --------------------------------------------------------------------------------
 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body><ExpandDistributionList xmlns="DistributionListExpander"><groupMailAddress>distributionlistmailaddress@tailspintoys.com</groupMailAddress></ExpandDistributionList></soap:Body></soap:Envelope>
 --------------------------------------------------------------------------------
 06:58:40:949 - Response length is 616 (238+378)
 --------------------------------------------------------------------------------
 HTTP/1.1 500 Internal Server Error
 Date: Tue, 19 Jun 2012 06:58:40 GMT
 Server: Microsoft-IIS/6.0
 X-Powered-By: ASP.NET
 X-AspNet-Version: 2.0.50727
 Cache-Control: private
 Content-Type: text/xml; charset=utf-8
 Content-Length: 378
 --------------------------------------------------------------------------------
 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>a3b071b8-aba2-4a8f-9987-c674c99a5466</faultstring><detail /></soap:Fault></soap:Body></soap:Envelope>
 --------------------------------------------------------------------------------
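As an added illustration (not part of the original post, and not Communicator or OCS code), the following Python shows what the Authorization: Negotiate token in such a trace really is and pulls the faultstring out of the SOAP response. The identity in the constructed token (CONTOSO\jdoe on WS01) and its filler challenge responses are made up; the fault body is the one from the trace above.

```python
import base64
import struct
import xml.etree.ElementTree as ET

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def classify_negotiate_token(b64token):
    """Say what an 'Authorization: Negotiate <token>' really carries.

    NTLM messages begin with the 8-byte signature "NTLMSSP\\0" and a
    little-endian message type, so a type 3 token base64-encodes to
    "TlRMTVNTUAAD..." (the prefix seen in the trace).  SPNEGO/Kerberos tokens
    are DER: 0x60 opens a GSS-API InitialContextToken ("YI..." in base64),
    0xA1 a NegTokenResp.
    """
    raw = base64.b64decode(b64token)
    if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return "NTLM " + NTLM_TYPE_NAMES.get(msg_type, "type %d" % msg_type)
    if raw[:1] == b"\x60":
        return "SPNEGO/Kerberos InitialContextToken"
    if raw[:1] == b"\xa1":
        return "SPNEGO NegTokenResp"
    return "unknown"


def build_ntlm_authenticate(domain, user, workstation, lm_response=b"", nt_response=b""):
    """Assemble a structurally valid AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3).

    Sample data only: the challenge responses are whatever the caller passes,
    so the result parses like a real token but would never authenticate.
    """
    fields = [lm_response, nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    payload_start = 72                   # 64-byte fixed part + 8-byte Version, no MIC
    header = NTLM_SIGNATURE + struct.pack("<I", 3)
    payload = b""
    for data in fields:                  # each field: Len, MaxLen, BufferOffset
        header += struct.pack("<HHI", len(data), len(data), payload_start + len(payload))
        payload += data
    flags = NTLMSSP_NEGOTIATE_UNICODE | 0x00000200 | 0x02000000   # UNICODE, NTLM, VERSION
    header += struct.pack("<I", flags)
    header += struct.pack("<BBH", 6, 1, 7601) + b"\x00\x00\x00\x0f"  # Version 6.1.7601, rev 15
    return header + payload


def build_negotiate_header(domain, user, workstation):
    """Constructed 'Authorization: Negotiate' line of the shape seen in the trace."""
    raw = build_ntlm_authenticate(domain, user, workstation, b"\x22" * 24, b"\x11" * 24)
    return "Authorization: Negotiate " + base64.b64encode(raw).decode("ascii")


def parse_ntlm_authenticate(raw):
    """Pull the identity fields out of a type 3 message: this is what a
    captured Authorization header hands to anyone who reads the trace."""
    if not raw.startswith(NTLM_SIGNATURE) or struct.unpack_from("<I", raw, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")

    def field(at):
        length, _max, start = struct.unpack_from("<HHI", raw, at)
        if start + length > len(raw):
            raise ValueError("field at offset %d runs past the message" % at)
        return raw[start:start + length]

    unicode_ = struct.unpack_from("<I", raw, 60)[0] & NTLMSSP_NEGOTIATE_UNICODE

    def text(data):                      # OEM strings are used only when UNICODE is not negotiated
        return data.decode("utf-16-le" if unicode_ else "latin-1")

    return {"domain": text(field(28)), "user": text(field(36)),
            "workstation": text(field(44)),
            "lm_response_len": len(field(12)), "nt_response_len": len(field(20))}


def identity_from_negotiate_header(header_line):
    return parse_ntlm_authenticate(base64.b64decode(header_line.split(" ", 2)[2]))


def redact_negotiate_header(header_line):
    """Replace the token with a description; all a shared trace needs to carry."""
    prefix = "Authorization: Negotiate "
    if not header_line.startswith(prefix):
        return header_line
    token = header_line[len(prefix):].strip()
    return prefix + "<redacted: %s, %d bytes>" % (classify_negotiate_token(token),
                                                 len(base64.b64decode(token)))


def parse_soap_fault(body):
    """Return (faultcode, faultstring) from a SOAP 1.1 fault, or None if the body is not one."""
    data = body.encode("utf-8") if isinstance(body, str) else body
    fault = ET.fromstring(data).find(".//{%s}Fault" % SOAP_NS)
    if fault is None:
        return None
    return fault.findtext("faultcode"), fault.findtext("faultstring")


# Response body copied from the trace above.
FAULT_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault>'
    '<faultcode>soap:Server</faultcode>'
    '<faultstring>a3b071b8-aba2-4a8f-9987-c674c99a5466</faultstring>'
    '<detail /></soap:Fault></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    header = build_negotiate_header("CONTOSO", "jdoe", "WS01")   # constructed identity
    print(redact_negotiate_header(header))
    print(identity_from_negotiate_header(header))
    print(parse_soap_fault(FAULT_BODY))
```

The faultstring is only a GUID, so everything the client can tell you is "which server-side log entry to look for"; the detail lives on the server. The header, by contrast, gives away the domain, user, workstation and the NTLM challenge-response to anyone holding the trace, which is why the redaction step belongs in any workflow that forwards STRACE output.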

Two things in that exchange are worth noting before moving on. The faultstring is only a GUID, so the client gets nothing to act on and the detail has to come from the server side. And the Authorization header is a complete NTLM AUTHENTICATE_MESSAGE: the base64 begins with TlRMTVNTUAAD, which is "NTLMSSP\0" followed by message type 3, and such a message carries the domain, user name, workstation and the NTLM challenge-response, so redact that header before a trace is shared. A 500 with a SOAP fault clearly indicates a problem on the server, so we collected logs on the server using OCS Logger with the component "Dlx" (which stands for DL eXpansion, ingenious!) and all flags selected, and I found the following:

 TL_ERROR(TF_COMPONENT) [2]1668.3974::06/19/2012-07:24:10.526.02f72991 (Dlx,Service.GetSecurityDescriptorBinaryForm:99.idx(1095))ObjectSecurity property accessor failed: The binary form of an ACE object is invalid.
 Parameter name: binaryForm at System.Security.AccessControl.GenericAce.CreateFromBinaryForm(Byte[] binaryForm, Int32 offset)
 at System.Security.AccessControl.RawAcl.SetBinaryForm(Byte[] binaryForm, Int32 offset)
 at System.Security.AccessControl.RawSecurityDescriptor..ctor(Byte[] binaryForm, Int32 offset)
 at System.DirectoryServices.ActiveDirectorySecurity..ctor(Byte[] sdBinaryForm, SecurityMasks securityMask)
 at System.DirectoryServices.DirectoryEntry.GetObjectSecurityFromCache()
 at System.DirectoryServices.DirectoryEntry.get_ObjectSecurity()
 at Microsoft.LiveServer.DLExpansion.Service.GetSecurityDescriptorBinaryForm(SearchResult group)
 TL_ERROR(TF_COMPONENT) [2]1668.3974::06/19/2012-07:24:10.526.02f72992 (Dlx,Service.GetSecurityDescriptorBinaryForm:99.idx(1099))Security descriptor not found for : System.DirectoryServices.SearchResult
 TL_ERROR(TF_COMPONENT) [3]1668.3974::06/19/2012-07:24:10.526.02f72a8e (Dlx,Service.TraceExtension.ProcessMessage:99.idx(2207))( 00D93EE2 )6411c44d-7394-4a6b-a724-9939702f00ba: 6411c44d-7394-4a6b-a724-9939702f00ba, stack trace: NULL

A quick search for "ObjectSecurity property accessor failed: The binary form of an ACE object is invalid." turned up https://support.microsoft.com/kb/928569/, which describes an issue in .NET Framework 2.0. I installed the hotfix on the server and the issue was fixed. Note where the fix went: nothing in Active Directory was changed. The stack trace runs through DirectoryEntry.ObjectSecurity, ActiveDirectorySecurity and RawAcl.SetBinaryForm, so the failure was in .NET's parsing of the group's security descriptor, a descriptor that the directory stores and returns but that build of the parser rejected.