This is a rather odd event ID to debug coming from the SDK service:
An exception was thrown while processing GetUserRolesForOperationAndUser for session ID uuid:88d5570d-5b94-4849-ab54-09928ea899cb;id=761.
Exception message: Value does not fall within the expected range.
Full Exception: System.ArgumentException: Value does not fall within the expected range.
at Microsoft.Interop.Security.AzRoles.IAzApplication2.InitializeClientContextFromStringSid(String SidString, Int32 lOptions, Object varReserved)
at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AzManHelper.GetScopedRoleAssignmentsForUser(Int32 operationNumericId, String userName)
at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AuthorizationService.GetUserRolesForOperationAndUser(Guid operationId, String userName)
at Microsoft.EnterpriseManagement.ServiceDataLayer.SecurityConfigurationService.GetUserRolesForOperationAndUser(Guid operationId, String userName)
at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessBackCompatProxy.GetUserRolesForOperationAndUser(Guid operationId, String userName)
After taking an IDNA Dump, we found out this function is executed: http://msdn.microsoft.com/en-us/library/windows/desktop/aa377364(v=vs.85).aspx
IAzApplication::InitializeClientContextFromStringSid method? with parameters :
o SidString = “S-1-5-18”
o lOptions = 0x0
o varReserved = empty VARIANT struct (normal)
o ppClientContext = empty IAzClientContext** (it’s out variable so normal)
SID “S-1-5-18” is referring to LocalSystem so it seems when we call InitializeClientContextFromStringSid for SID “S-1-5-18” (LocalSystem), we would always get a failure and not be able to initialize the ClientContext struct causing the event ID 26319.
This happens because for the lOptions parameter, we pass no options (0x0) and this it will try to resolve this SID from AD – but the LocalSystem SID can only be resolved locally. So at this point it seems it`s by design, at least the function behaves as it should, so there is no direct thread to the SDK service if you get the error.
The only question then remains why is local system SID being called? It`s probably because of the user roles or because of the run as accounts. So if you get the error, you can ignore it-there is nothing wrong, however you can get rid of it, by configuring run as accounts to a minimal level(maintaining distribution to more secure) and setting domain users where possible.
This is very individual to every environment.. but the errors come from the configuration of the accounts.
Later edit. Ok, so it took some time until somebody else reported this error to me, so only now I got to the cause of the actual issue. While the error is certainly linked to accounts, now I can say that the GetUserRolesForOperationAndUser function is used by some monitors part of the SQL reporting services MP and need to be run in a domain user context or else they will fail. The error happens if you configure Service SID or local system accounts for the sql reporting service run as account.
We will also update the SQL MP guide to include this information as well.
The workaround is pretty simple, since this issue is currently by design and will not be changed.
Since the monitors don`t work and will trigger the SDK error, we have disabled them through an override for the sql reporting server
-Web Service accessible
-Report manager accessible
If you disable these monitors (that are already in critical state so they don`
t work anyway) for the reporting servers that don`t use a domain account as a run as account for monitoring, the SDK events should stop.