SharePoint – PSConfig Failure IdentityNotMappedException

The Issue:

Unable to create a new farm: PSConfig fails with System.Security.Principal.IdentityNotMappedException.


Behind the Scenes:

Error in the logs:


[DATE] 13:11:35 9 ERR Task configdb has failed with an unknown exception
[DATE] 13:11:35 9 ERR Exception: System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
   at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
   at Microsoft.SharePoint.Administration.Claims.SPSecurityTokenServiceCertificate.ProvisionLocal()
   at Microsoft.SharePoint.Administration.Claims.SPSecurityTokenServiceApplication.ProvisionLocal(SPServiceInstance serviceInstance)
   at Microsoft.SharePoint.Administration.SPIisWebServiceInstance.Provision()
   at Microsoft.SharePoint.Administration.SPFarm.Join(Boolean skipRegisterAsDistributedCacheHost)
   at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.CreateOrConnectConfigDb()
   at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.Run()
   at Microsoft.SharePoint.PostSetupConfiguration.TaskThread.ExecuteTask()


Below is what we were seeing. The stack trace shows SharePoint adding an access rule for the Security Token Service app pool identity, which requires translating that account name to a SID; the problem was rooted outside of SharePoint, in IIS, and we proved that with the following steps.


+ In IIS, create a new app pool and use a domain account that is a local administrator as the app pool identity. In the example below the app pool is named "SecurityTokenServiceApplicationPool".
+ Run the commands below in PowerShell:


# The app pool's virtual account, which IIS names "IIS APPPOOL\<pool name>"
$NTAccount = New-Object System.Security.Principal.NTAccount('IIS APPPOOL\SecurityTokenServiceApplicationPool')
# Resolve the account name to its SID (this is the call that throws on the affected box)
$TranslatedToSidObject = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier])
# Rebuild a SecurityIdentifier from the SDDL string and translate it back to an account name
$SID = New-Object System.Security.Principal.SecurityIdentifier($TranslatedToSidObject.Value)
$TranslatedToNTAccount = $SID.Translate([System.Security.Principal.NTAccount])
# Print SID and account name separated by two tabs
Write-Host $TranslatedToSidObject.Value `t`t $TranslatedToNTAccount.Value


+ On the affected box the commands fail, while they work in other environments:


$NTAccount = new-object System.Security.Principal.NTAccount('IIS APPPOOL\SecurityTokenServiceApplicationPool')
$TranslatedToSidObject = $NTAccount.Translate( [System.Security.Principal.SecurityIdentifier])
Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."
At line:1 char:1
+ $TranslatedToSidObject = $NTAccount.Translate( [System.Security.Principal.Securi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : IdentityNotMappedException


How this was fixed:


The problem was that the Application Host Helper Service (AppHostSvc) wasn't running. The app pool accounts were created just fine once the app pool was actually used (for example, by browsing the Default Web Site through that app pool): the Windows Process Activation Service (WAS) makes sure the account exists and the rights are assigned when it starts a worker process.
AppHostSvc, however, creates the account as soon as the app pool is added to the configuration, whether it is in use yet or not. PSConfig relies on that behaviour: it adds the app pool and immediately tries to grant the new identity rights, so the account must already exist.
This service was set to manual start. We started it and everything worked as expected: PSConfig completed.
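As an added example (not part of the original post), the following PowerShell pre-flight check combines the two findings above: it verifies that AppHostSvc is running and that a given app pool's "IIS APPPOOL\<name>" identity resolves to a SID, so the condition can be caught before PSConfig is run rather than from the configuration log. The app pool name defaults to the one used in the post; the function name Test-AppPoolIdentity is an assumption for this example.

```powershell
# Added example, not from the original post. Pre-flight check before running PSConfig:
# 1. AppHostSvc must be running so IIS creates app pool virtual accounts on config change.
# 2. The app pool identity "IIS APPPOOL\<name>" must translate to a SID and back.
param(
    [string]$AppPoolName = 'SecurityTokenServiceApplicationPool'  # name used in the post
)

# Test-AppPoolIdentity is a hypothetical helper name chosen for this example.
function Test-AppPoolIdentity {
    param([Parameter(Mandatory)][string]$Name)

    $account = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$Name")
    try {
        # Name -> SID: this is the step that throws IdentityNotMappedException
        # when the virtual account has not been created yet.
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        # SID -> name: round-trip to confirm both directions resolve, as in the post.
        $back = $sid.Translate([System.Security.Principal.NTAccount])
        [pscustomobject]@{
            Account  = $account.Value
            Sid      = $sid.Value
            RoundTrip = $back.Value
            Resolved = $true
            Error    = $null
        }
    }
    catch {
        # .NET method failures surface as MethodInvocationException; the
        # IdentityNotMappedException is its InnerException.
        $inner = $_.Exception.InnerException
        [pscustomobject]@{
            Account  = $account.Value
            Sid      = $null
            RoundTrip = $null
            Resolved = $false
            Error    = if ($inner) { "$($inner.GetType().Name): $($inner.Message)" } else { $_.Exception.Message }
        }
    }
}

# Check the service that creates app pool accounts on configuration change.
$svc = Get-Service -Name AppHostSvc -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Write-Warning "AppHostSvc is '$($svc.Status)'; app pool accounts will only be created when a worker process starts."
    # The fix from the post (requires an elevated session):
    #   Set-Service -Name AppHostSvc -StartupType Automatic
    #   Start-Service -Name AppHostSvc
}

# Check that the app pool identity resolves; on the affected box Resolved is $false
# and Error names IdentityNotMappedException.
Test-AppPoolIdentity -Name $AppPoolName | Format-List
```

Run it from an elevated PowerShell session on the server being joined to the farm. A result with Resolved = $false for a pool that already exists in applicationHost.config, together with AppHostSvc not running, is the exact condition described in this post.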