Error 31 and 1359 unable to enumerate users


 Product(s): ProjectWise User Synchronization
 Version(s): Connect
 Area: User Synchronization Service
 Original Author: Dana Guthrie, Bentley Technical Support Group

Problem

When users go into ProjectWise Administrator and try to add a group or user to be synchronized, they get the following errors when choosing the domain.

Unable to enumerate users. Error 31 when adding a synchronized group

Unable to enumerate users. Error 1359 when adding a synchronized user

Due to the nature of the technology that underlies the User Sync Service (LDAP), the process is sensitive to any updates Microsoft pushes that affect the underlying encryption protocols.

Steps to reproduce:

  1. Log in to ProjectWise Administrator
  2. Expand Windows Security System \ User Synchronization Service \ Synchronized accounts
  3. Right click on User Groups and choose "New \ Synchronized User Group"
  4. Choose "Use local computer" and click Next
  5. Change the domain to your domain and the error appears.
  6. Click Next on the Welcome screen wizard

Note:

This issue appeared after the following Windows updates were applied to a domain controller.

July 9, 2019—KB4507460
July 16, 2019—KB4507459

The following Windows update appears to fix the issue that the above KBs broke:
September 9, 2019 KB4512574 (Servicing Stack Update) *cumulative patch
 
If the September 9 patch does not resolve the issue, you will need to run the following commands to reset the network tunnel (the secure channel) from the User Sync server to the domain controller.

Solution

The solution involves running a pair of commands from an elevated command prompt on the server that runs the ProjectWise User Sync Service. The first command lists the domain controllers for your domain; use its output to decide which domain controller to name in the second command. The second command resets the Secure Channel between the server and the domain controller that you choose from your domain.

  1. Before running the commands, please make sure your domain controller is fully patched. We are looking specifically for KB4512574 (released on 9/9/2019), which fixes issues from earlier updates that we believe caused this issue.
  2. After verifying patch level on the Domain Controller, open an elevated command prompt on the Integration Server where the User Sync Service is deployed and run the following command: 
    1. nltest /dclist:<your domain name>
  3. After running this command, make a note of the domain controller as highlighted in the example output below:
    1. In this example, my test domain is named "MYDOMAIN" and the domain controller the command was issued against is "DC1". These will be different values on your domain. The important part is the '\\DC1', as it tells you what domain controller you are currently pointed at.
       
      C:\Windows\system32>nltest /dclist:MYDOMAIN
      Get list of DCs in domain 'DAN' from '\\DC1'.
          DC1.MYDOMAIN.net [PDC]  [DS] Site: Default-First-Site-Name
      The command completed successfully
       
  4. Next, run the reset command as shown below.
    nltest /server:UserSyncServer /sc_reset:<domain name>\<DomainController>
    1. In this example, UserSyncServer is the server (normally the integration server where you are running the User Sync Service), with MYDOMAIN being the domain name and DC1 being the only domain controller shown in the output of the previous command. You may have more than one domain controller listed and will have to choose which one to connect to.

nltest /server:UserSyncServer /sc_reset:MYDOMAIN\DC1

A couple of things to note:
First, there is no reboot or interruption when you run the nltest commands from the integration server.
Second, if you are on a delayed update cycle, the issue may reoccur after an update catches you up to the specified KB4512574. If that occurs, simply re-run the nltest commands after the patch is verified as applied to the domain controller you wish to point to.
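
The steps above as a single PowerShell script, added here as an example (it is not Bentley's code): it checks for KB4512574 on the chosen domain controller, confirms that controller appears in the `nltest /dclist` output, then resets the secure channel and queries it before and after. The script name, the parameter names and the `-SkipPatchCheck` switch are assumptions made for this example, and `Get-HotFix -ComputerName` assumes your account is allowed to query the domain controller remotely.

```powershell
# Added example (not Bentley's code). Hypothetical invocation from an elevated prompt:
#   .\Reset-UserSyncChannel.ps1 -Domain MYDOMAIN -DomainController DC1
param(
    [Parameter(Mandatory)] [string] $Domain,            # placeholder, e.g. MYDOMAIN
    [Parameter(Mandatory)] [string] $DomainController,  # placeholder, e.g. DC1
    [string] $Server = $env:COMPUTERNAME,               # the User Sync (integration) server
    [string] $FixKb  = 'KB4512574',                     # KB named in this article
    [switch] $SkipPatchCheck                            # assumption: opt-out if patch level was verified by hand
)

# nltest /sc_reset must run elevated, so stop early if this session is not.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Confirm the fix is installed on the domain controller before touching the channel.
if (-not $SkipPatchCheck) {
    $hotfix = Get-HotFix -Id $FixKb -ComputerName $DomainController -ErrorAction SilentlyContinue
    if (-not $hotfix) {
        throw "$FixKb was not reported by $DomainController. Verify its patch level, then rerun (or use -SkipPatchCheck)."
    }
}

# List the domain controllers and make sure the chosen one is really in that list.
$dcList = & nltest.exe "/dclist:$Domain"
if ($LASTEXITCODE -ne 0) { throw "nltest /dclist failed:`n$($dcList -join "`n")" }
$pattern = '^\s*(\\\\)?' + [regex]::Escape($DomainController) + '(\.|\s|$)'
if (-not ($dcList -match $pattern)) {
    throw "$DomainController is not listed for domain ${Domain}:`n$($dcList -join "`n")"
}

# Record which controller the channel points at before the reset.
Write-Host '--- Secure channel before reset ---'
& nltest.exe "/server:$Server" "/sc_query:$Domain"

# Reset the secure channel to the chosen domain controller.
$reset = & nltest.exe "/server:$Server" "/sc_reset:$Domain\$DomainController"
$reset
if ($LASTEXITCODE -ne 0) { throw "nltest /sc_reset failed with exit code $LASTEXITCODE." }

# Confirm the channel now reports the chosen controller.
Write-Host '--- Secure channel after reset ---'
& nltest.exe "/server:$Server" "/sc_query:$Domain"
```

Keeping the before and after `/sc_query` output gives you a record of which domain controller the server was bound to if the error returns after a later update.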

If the above does not solve the problem for you, please log a service request.

Workaround

Add the User manually from ProjectWise Admin:

  1. Right click User Node -> New -> User
  2. Fill the following information: