Ambiguous SID Error in PFDAVAdmin

May 13, 2010 Edit: The Download Center has been updated with the new build of PFDAVAdmin which contains the fix for this issue.

With the release of the new PFDAVAdmin a few weeks ago, some customers started running into an “Ambiguous SID” error when trying to add the Everyone group or Anonymous group in the permissions window. The error looks like this:


When you add a new entity to the permissions window, PFDAVAdmin looks up all objects with that SID to make sure it is unique. However, in some cases it's actually normal to have more than one object whose objectSid matches the Everyone or Anonymous SID. You should always have one in the configuration context under CN=WellKnown Security Principals, but many environments will also have one in the domain context under CN=Foreign Security Principals. That is when PFDAVAdmin finds two matches for these SIDs, and it chokes.

One customer worked with me directly to track down the problem (thanks Giuliano!), and it’s fixed in my internal build. The Download Center will be updated with the new build, hopefully next week.

In the meantime, if you have an urgent need for the fix, click the Email link to the left to contact me directly.

If you're getting this error with something other than Everyone or Anonymous, you can use the following PowerShell script to figure out which objects match the SID in question.

# Find-Sid.ps1
#
# The purpose of this script is to find all objects that have a
# given SID in objectSid, sidHistory, or msExchMasterAccountSid.
#
# Syntax:
#
# .\Find-Sid <sid>
#
# Example:
#
# .\Find-Sid S-1-1-0

param([string]$sidString)

# Search the global catalog so that every domain in the forest is covered.
$gcRootDSE = [ADSI]"GC://RootDSE"
$gcRoot = [ADSI]("GC://" + $gcRootDSE.dnsHostName)

# Convert the textual SID (S-1-...) into its binary form.
$sid = new-object System.Security.Principal.SecurityIdentifier($sidString)
[byte[]]$sidBytes = ,0 * $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)

# An LDAP filter needs a binary value escaped as \XX for each byte.
$byteString = ""
for ($x = 0; $x -lt $sidBytes.Length; $x++)
{
    $byteString = $byteString + "\" + $sidBytes[$x].ToString("X2")
}

# Match the SID in any of the three attributes.
$filter = "(|(objectSid=" + $byteString + ")(sidHistory=" + $byteString + ")(msExchMasterAccountSid=" + $byteString + "))"
$searcher = new-object System.DirectoryServices.DirectorySearcher($gcRoot, $filter, @("distinguishedName"), [System.DirectoryServices.SearchScope]::Subtree)
$results = $searcher.FindAll()

"Matching objects:"
foreach ($result in $results)
{
    $result.Properties["distinguishedname"]
}
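As an added example (not part of the original post and not PFDAVAdmin's own code), the script below extends Find-Sid.ps1 so that it tells you not just which objects match, but which attribute carried the match, which naming context each object lives in, and whether a duplicate is the normal pair described above (one well-known security principal in the configuration context plus foreignSecurityPrincipal objects in the domain contexts) or a genuinely ambiguous SID. The naming-context test uses the configurationNamingContext attribute of RootDSE rather than matching container names, so it does not depend on how the containers are spelled. The script name and its output layout are my own choices.

```powershell
# Classify-SidMatches.ps1  (added example; not from the original post or PFDAVAdmin)
#
# Finds every object in the forest whose objectSid, sidHistory or
# msExchMasterAccountSid equals the given SID, shows which attribute matched
# and which naming context the object is in, and reports whether the
# duplicates are the expected WellKnown / Foreign Security Principal pair.
#
# Syntax:  .\Classify-SidMatches.ps1 S-1-1-0

param([Parameter(Mandatory=$true)][string]$sidString)

# Convert the textual SID into its binary form and LDAP-escape each byte as \XX.
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
[byte[]]$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)
$byteString = ($sidBytes | ForEach-Object { "\" + $_.ToString("X2") }) -join ""

# Search the global catalog so every domain in the forest is covered, and
# remember the configuration naming context to classify each hit later.
$gcRootDSE = [ADSI]"GC://RootDSE"
$gcRoot = [ADSI]("GC://" + $gcRootDSE.dnsHostName)
$configNC = [string]$gcRootDSE.configurationNamingContext

$attrs = @("objectSid", "sidHistory", "msExchMasterAccountSid")
$filter = "(|(objectSid=$byteString)(sidHistory=$byteString)(msExchMasterAccountSid=$byteString))"
$props = @("distinguishedName", "objectClass") + $attrs
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot, $filter, $props, [System.DirectoryServices.SearchScope]::Subtree)

# Byte-for-byte comparison; sidHistory may hold several values, so each one is checked.
function Test-SameBytes([byte[]]$a, [byte[]]$b) {
    if ($a.Length -ne $b.Length) { return $false }
    for ($i = 0; $i -lt $a.Length; $i++) { if ($a[$i] -ne $b[$i]) { return $false } }
    return $true
}

$configMatches = 0   # well-known principal objects in the configuration context
$foreignMatches = 0  # foreignSecurityPrincipal objects in domain contexts
$otherMatches = 0    # anything else (users, groups, sidHistory or master-account hits)

"{0,-13} {1,-24} {2,-22} {3}" -f "Context", "Class", "Matched attribute(s)", "Distinguished name"
foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties["distinguishedname"][0]
    $classes = @($result.Properties["objectclass"])
    $class = [string]$classes[$classes.Count - 1]   # most specific class is listed last

    # Work out which of the three attributes actually carried the SID.
    $matchedAttrs = @()
    foreach ($attr in $attrs) {
        foreach ($value in @($result.Properties[$attr.ToLower()])) {
            if ($value -is [byte[]] -and (Test-SameBytes $value $sidBytes)) { $matchedAttrs += $attr }
        }
    }
    $matchedText = $matchedAttrs -join ","

    $context = "domain"
    if ($dn.EndsWith($configNC, [StringComparison]::OrdinalIgnoreCase)) { $context = "configuration" }

    "{0,-13} {1,-24} {2,-22} {3}" -f $context, $class, $matchedText, $dn

    if ($context -eq "configuration" -and $matchedText -eq "objectSid") { $configMatches++ }
    elseif ($class -eq "foreignSecurityPrincipal" -and $matchedText -eq "objectSid") { $foreignMatches++ }
    else { $otherMatches++ }
}

$total = $configMatches + $foreignMatches + $otherMatches
""
if ($total -eq 0) {
    "Result: no object in the global catalog carries SID $sidString."
}
elseif ($total -eq 1) {
    "Result: the SID resolves to exactly one object; it is unambiguous."
}
elseif ($otherMatches -eq 0 -and $configMatches -eq 1) {
    "Result: $total objects, but they are the normal well-known / foreign security principal copies of one principal ($configMatches in the configuration context, $foreignMatches foreignSecurityPrincipal object(s) in domain contexts)."
}
else {
    "Result: $total objects match and $otherMatches of them are outside the well-known / foreign security principal pattern (or matched via sidHistory or msExchMasterAccountSid). Review the list above; this SID is genuinely ambiguous."
}
```

Run it with the same argument you would give Find-Sid.ps1. For S-1-1-0 in a forest that has both containers populated you should see one configuration-context hit and one foreignSecurityPrincipal per domain, and the summary line will say so; a user or group that turns up through sidHistory, or a mailbox whose msExchMasterAccountSid points at the SID, is what makes a non-well-known SID ambiguous and is listed with the attribute that matched.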