Monday, June 30, 2008

BDC Crawl Missing Security Identifier

SOLUTION - We rebuilt the SSP

Error: I ran across an interesting little error with the BDC which I did not expect. You may know that in the Shared Services Provider (SSP) you need to give users permissions to the BDC. Well, you may come across this error when you index a content source that is using the BDC:

The parameter is incorrect. (Could not create a security identifier for the identity 'XXX\YYY'. This identity may have been deleted.)

Symptoms: If you view the BDC content source crawl log there will be no errors; however, this error will be listed as an error in the Crawl Settings for search itself. This error is created for every record that was indexed.

Cause: I found that the user account in question had been deleted from Active Directory.

Resolution: To resolve the issue I had to remove the user account from the Business Data Catalog permissions as well as from the permissions of all the BDC applications and entities. Once I did that, I ran a full index and everything worked.

Background: The first question I had was why there are no errors on the BDC content source. Knowing what I know about the BDC, I suspect this is what occurred. First, there are no connection errors to the BDC data source (SQL Server in this case); for instance, there were no access issues with the database or the database objects used in the Application Definition File (ADF). Second, knowing this, I can only assume there is an error in the way the index is being built. Basically, the error refers to the validation of the Active Directory account that has permissions to the BDC application and its entities.

Deeper Dive: Digging a little deeper, the following is the root of the issue. Many developers create an ADF using a tool or by hand and may not add an AccessControlList node. These nodes get added to the ADF when permissions are added in Central Administration. The AccessControlList can be added to both the LobSystem and Entity nodes.

The AccessControlList nodes must be added to the ADF prior to it being crawled. This is why, if an administrator goes to Central Administration and gives a user or a group permission to the BDC, they must run a new full index of the BDC content source.

The following is an example of the AccessControlList. In this example, account XXX\YYYY is being given full rights. This XML can be added to both the LobSystem and Entity nodes.

<AccessControlList>
    <AccessControlEntry Principal="XXX\YYYY">
        <Right BdcRight="Edit" />
        <Right BdcRight="Execute" />
        <Right BdcRight="SetPermissions" />
        <Right BdcRight="SelectableInClients" />
    </AccessControlEntry>
</AccessControlList>

Avoiding this Error: The error occurs because the account XXX\YYYY no longer exists in Active Directory. It is recommended that permissions be granted through an Active Directory group to minimize the occurrence of this error.
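As an added example (not from the original post), the following PowerShell script walks an exported ADF, pulls every AccessControlEntry principal from the LobSystem and Entity nodes, and tries the same DOMAIN\name to SID translation that the crawler performs, so orphaned accounts are found before a full crawl rather than once per indexed record. The ADF path is an assumption; replace it with your own file.

```powershell
# Added example, not part of the original post.
# Finds AccessControlEntry principals in an ADF that no longer resolve to a SID,
# which is the lookup behind "Could not create a security identifier for the identity".
$adfPath = 'C:\ADF\MyLobSystem.xml'   # assumed path; point this at your exported ADF

[xml]$adf = Get-Content -Path $adfPath

# AccessControlList nodes may sit under both LobSystem and Entity nodes, and the ADF
# usually carries a default namespace, so match on local-name() to stay namespace-agnostic.
$entries = $adf.SelectNodes('//*[local-name()="AccessControlEntry"]')

$orphans = @()
foreach ($entry in $entries) {
    $principal = $entry.GetAttribute('Principal')             # e.g. 'XXX\YYYY'

    # AccessControlEntry -> AccessControlList -> LobSystem or Entity; report which one.
    $owner     = $entry.ParentNode.ParentNode
    $ownerDesc = '{0} "{1}"' -f $owner.LocalName, $owner.GetAttribute('Name')

    try {
        # Translate DOMAIN\name to a SID; a deleted or renamed account cannot be mapped.
        $account = New-Object System.Security.Principal.NTAccount($principal)
        $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
        Write-Host ('OK       {0} -> {1} ({2})' -f $principal, $sid.Value, $ownerDesc)
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # No SID exists for this identity: the crawl will log the error for every record.
        Write-Warning ('ORPHANED {0} in {1}' -f $principal, $ownerDesc)
        $orphans += $principal
    }
}

if ($orphans.Count -gt 0) {
    Write-Host 'Remove these principals (or replace them with an AD group) before the full crawl:'
    $orphans | Sort-Object -Unique
}
else {
    Write-Host 'All ACL principals resolve; safe to run the full crawl.'
}
```

Run it from a machine joined to the same domain as the crawl account, since the translation is performed against that domain.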

1 comment:

Jason Apergis said...

We just tried to go to production on this and ran into a problem. In production there are no BDC entities at all, these will be the first. The AD account that had been removed has permissions to the BDC. I have no idea why this account is there, given I inherited this. However, this time I get an error trying to remove the AD account. I did not get that error in our QA environment. We tried adding the AD account back to the domain but still we cannot remove that AD account. If we cannot do it, we will get there associated to this blog. Stumped right now.