by lunarg on June 10th 2015, at 14:20

After migrating AD from 2003 to 2012, I ran into this issue on a RADIUS server running 2008 R2, used for authentication. When attempting to retrieve AD information for a particular user, the following error appeared:

Error
An error (1301) occurred while enumerating the groups. The group's SID could not be resolved.

Solution

The solution (at least for Windows 7 and 2008 R2) is to install hotfix 2830145.

The hotfix is only available by request through e-mail.

Background

When attempting to log on to a 2012-based domain controller, the following SIDs are unmappable:

  • S-1-18-1 : Authentication authority asserted identity
  • S-1-18-2 : Service asserted identity

2012 introduces two new security principal SIDs that are used to differentiate between proof of possession and Service-for-User-to-Self (S4U2Self) protocol transitions. Applications on Windows versions before 2012 that use these SIDs may fail.

You can easily check whether this is the problem by using the SysInternals PsGetSid utility.

psgetsid S-1-18-1

The command should fail with the following error:

Error
Error querying SID:
No mapping between account names and security IDs was done.
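
The same check can be done without PsGetSid. The PowerShell below is an added example, not part of the original post: it tries to map both SIDs listed above on the local machine and looks for the hotfix. The function name Test-SidMapping is made up for the example, and it assumes the hotfix is listed under the ID KB2830145.

```powershell
# Added example. Run locally on the affected machine (e.g. the 2008 R2 RADIUS server).
# Written to work on PowerShell 2.0, the default on Windows 7 / 2008 R2.

# The two SIDs introduced with 2012, as listed in the Background section.
$newSids = @{
    'S-1-18-1' = 'Authentication authority asserted identity'
    'S-1-18-2' = 'Service asserted identity'
}

# Hypothetical helper: tries to translate a SID to an account name.
function Test-SidMapping {
    param([string]$Sid, [string]$Description)

    $result = New-Object PSObject -Property @{
        Sid         = $Sid
        Description = $Description
        Resolved    = $false
        Detail      = $null
    }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        # Translate() throws when the machine has no mapping for the SID.
        $result.Detail   = $id.Translate([System.Security.Principal.NTAccount]).Value
        $result.Resolved = $true
    }
    catch {
        # Keep the underlying message (e.g. identity could not be translated).
        $result.Detail = $_.Exception.Message
    }
    $result
}

$results = foreach ($sid in $newSids.Keys) {
    Test-SidMapping -Sid $sid -Description $newSids[$sid]
}
$results | Select-Object Sid, Description, Resolved, Detail | Format-Table -AutoSize

# Assumption: the hotfix appears in the installed-updates list as KB2830145.
$hotfix = Get-HotFix -Id 'KB2830145' -ErrorAction SilentlyContinue
if ($hotfix) {
    "Hotfix KB2830145 is installed (installed on: $($hotfix.InstalledOn))."
}
elseif ($results | Where-Object { -not $_.Resolved }) {
    'Hotfix KB2830145 not found and at least one SID is unmappable.'
}
else {
    'Hotfix KB2830145 not found, but both SIDs resolve on this machine.'
}
```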