LDAP Role Provider Argument Exception

If you’re seeing the following error in the ULS logs, hopefully it’ll be as simple a fix for you as it was for me:

LdapRoleProvider.GetRolesFor() exception: {0}.System.ArgumentException: The (&(((ObjectClass=group))(member=CN=Some User,CN=Users,DC=domain,DC=local)) search filter is invalid.

at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()

at Microsoft.Office.Server.Security.LdapRoleProvider.GetRolesFor(String userOrGroupDN, DirectoryEntry groupContainer, LdapDistinguishedNameManager ldapDnManager, List`1& userRoles)

To resolve this error, all that’s required is to updated the Group and User filter values for the role provider in the forms web application and the security token’s web configuration files.

The role provider settings I had looked something like:

    <add name="SPRoleManager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="domain.local" port="389" useSSL="false" groupContainer="CN=users,DC=domain,DC=local" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="((ObjectClass=group)" userFilter="((ObjectClass=person)" scope="Subtree" />

Notice the values for groupFilter and userFilter((ObjectClass=person).

This is correct for the Central Administration web configuration. For the forms web application and security token’s configuration this should be updated to (&amp;(ObjectClass=person)).

Perform an IIS reset and next time you log in the exception in the ULS log should be resolved.

This entry was posted in Configuration, SharePoint and tagged , , . Bookmark the permalink.
0 0 votes
Article Rating
Notify of

Solve the maths problem shown below before posting: *

Inline Feedbacks
View all comments