Remote Web Access Is Not Allowed For Your User Account

[Today's post comes to us courtesy of Rituraj Choudhary from Commercial Technical Support]

After Small Business Server 2011 Standard has been updated with Update Rollup 2, some users may not be able to log on to the Remote Web Access with the following error:

“Remote Web Access is not allowed for your user account. Contact the person who manages your server.”


In the "C:\Program Files\Windows Small Business Server\Logs\WebApp\RemoteAccess.log" file, you will see the following:

[12468] 120419.103511.7516: RemoteAccess: [Identity] CheckUserInGroup hit exceptions: System.Runtime.InteropServices.COMException (0x80005000): Unknown error (0x80005000)
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at Microsoft.WindowsServerSolutions.Web.Security.SBSRoleProvider.IsGroup(String distinguishedName)
at Microsoft.WindowsServerSolutions.Web.Security.SBSRoleProvider.CheckUserInGroup(String userDn, String groupDn, List`1 processedGroups)
[12468] 120508.103511.7526: RemoteAccess: [Identity] CheckUserInGroup user:CN=April Reagan,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Contoso,DC=local. group:CN=Windows SBS Admin Tools Group,OU=Security Groups,OU=MyBusiness,DC=Contoso,DC=local
[12468] 120419.103511.8186:: RemoteAccess: [Identity] GetRolesForUser 'CONTOSO\AprilReagan': hasAccess=False, isAdmin=False, inLink=False, inAdminTools=False, allComputers=False

This happens because the name of an Active Directory user or organizational unit contains a forward slash (‘/’) character. The current resolution is to remove the offending ‘/’ from the name(s).

To find the offending user or OU, you may simply browse through the Active Directory Users and Computers console. If you are assisting someone, you may ask for an LDIFDE dump of the users and the organizational units, as follows:

   ldifde -f users.txt -d "dc=contoso,dc=local" -p subtree -r "(objectCategory=User)" -l "cn"
   ldifde -f org.txt -d "dc=contoso,dc=local" -p subtree -r "(objectCategory=organizationalUnit)" -l "ou"

(In the above examples, “dc=contoso,dc=local” is the distinguished name of the domain; change it to match your environment.)
Once you have the output, look for user or organizational unit names that contain the ‘/’ character. Remove the character and rename the object conventionally. That should take care of this issue.

In the following example, getting rid of the ‘ / ’ from the name of “Test o/u” will fix the issue:

dn: OU=Domain Controllers,DC=Contoso,DC=local
changetype: add
ou: Domain Controllers

dn: OU=MyBusiness,DC=Contoso,DC=local
changetype: add
ou: MyBusiness



dn: OU=Test o/u,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Contoso,DC=local
changetype: add
ou: Test o/u …

Open Active Directory Users and Computers to rename the object and remove the ‘/’ character.
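As an added example (not from the original post or from Microsoft), the following Python script scans an LDIFDE export like the one above for users and OUs whose own name contains a ‘/’. It unfolds continuation lines and decodes the base64 (‘::’) values that ldifde writes for some names, so a slash hidden in a base64-encoded name is not missed; the sample export it parses is constructed for the example.

```python
import base64
import re
# Constructed ldifde-style output (not the page's dump): one OU whose name
# contains '/', one record ldifde wrote base64-encoded ("::"), and one
# folded line (continuation lines begin with a single space).
B64_DN = base64.b64encode(
    b"CN=A/B,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Contoso,DC=local").decode()
SAMPLE_LDIF = f"""dn: OU=Test o/u,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Contoso,DC=local
changetype: add
ou: Test o/u

dn:: {B64_DN}
changetype: add
cn:: QS9C

dn: CN=April Reagan,OU=SBSUsers,OU=Users,OU=MyBusi
 ness,DC=Contoso,DC=local
changetype: add
cn: April Reagan
"""

def parse_ldif(text):
    """One dict per LDIF record; unfolds continuation lines, decodes '::' base64."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    return records

def rdn_value(dn):
    """Value of the leading RDN; an escaped comma ('\\,') does not split it."""
    return re.split(r"(?<!\\),", dn, maxsplit=1)[0].partition("=")[2]

def find_slash_names(text):
    """Return (dn, name) for every record whose own name contains '/'."""
    return [(r["dn"][0], rdn_value(r["dn"][0]))
            for r in parse_ldif(text) if "/" in rdn_value(r["dn"][0])]
```

Run it against the users.txt and org.txt files produced by the ldifde commands above; each reported name is one to rename in Active Directory Users and Computers.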
