Project Active Directory PWA group could not be resolved

 

Applies to: Project Server 2013, Project Server 2010

Topic Last Modified: 2013-12-18

Element ID / Rule Name:   Project_Active_Directory_PWA_Group_Could_Not_Be_Resolved

Summary:   During Microsoft Project Web App security group synchronization, Microsoft Project Server could not resolve the top-level Active Directory object for the Project Web App security group. Active Directory synchronization has been tagged for failure for this Project Web App group.

Cause:   The Project Server application server cannot access Active Directory for any of the following reasons:

  • The Project Server application server is using a SharePoint Service Account (SA) that does not have read access to the Active Directory directory service. This can occur if the SSP is configured to use a local computer account.

  • The Project Server application server does not currently have network access to the domain.

  • TCP or UDP ports that are required for Project Server and Active Directory to communicate are not open between the Project Server application server and the Active Directory store. This can occur if a firewall is configured to block the ports described in the following list:

    • 389/UDP – LDAP: LDAP is the Lightweight Directory Access Protocol that provides a standard way to access directory services. LDAP is the primary protocol that is used to access an Active Directory store.

    • 636/TCP – LDAP over SSL: When Secure Sockets Layer (SSL) is enabled, the LDAP data that is transmitted and received is encrypted.

    • 3268/TCP – Microsoft global catalog: Active Directory global catalogs listen on this port.

    • 3269/TCP – Microsoft global catalog with LDAP/SSL: Microsoft global catalog SSL connections listen on this port.

  • The Active Directory group no longer exists in the Active Directory store. For example, the group may have been deleted by an administrator.

  • The Project Server application server's SA account does not have read access to an Active Directory group or user object.

Possible resolutions include the following:

  • Verify that the service account used by the SA for the Project Server application server is a domain account that has read access to Active Directory.

  • Verify that the Project Server application server is joined to an Active Directory domain.

  • Verify that the Project Server application server has network access.

  • Verify that the TCP and UDP ports listed in the previous section are open between the Active Directory store and the Project Server application server.

  • Verify that at least one Active Directory group exists in the Active Directory store with the same Active Directory GUID that is stored in the Office Project Server application server.

  • Use the Active Directory Service Interfaces (ADSI) Edit tool to check security permissions on individual Active Directory group and user objects. The SA account must be able to read all Active Directory group and user objects that are involved in the synchronization process.

    Note

    The ADSI Edit tool is available for Windows Server 2008 when you install the Active Directory Domain Services (AD DS) role to make a server a domain controller. It is also available as part of the Remote Server Administration Tools (RSAT) kit. See Installing or Removing the Remote Server Administration Tools Pack (https://go.microsoft.com/fwlink/p/?LinkId=143345) in the TechNet Library.
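
The checks in the resolution list can be run together from the Project Server application server. The following script is an added example, not Microsoft's code; the domain controller name and the group GUID are placeholders to replace with your own values, and the script assumes it is started in a session running as the service account being verified.

```powershell
# Added example. Run on the Project Server application server in a session
# started as the service account under test. Both defaults are placeholders.
param(
    [string]$DomainController = 'dc01.example.test',
    [string]$GroupGuid        = '00000000-0000-0000-0000-000000000000'
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false          # refused, unreachable or name not resolved
    } finally {
        $client.Close()
    }
}

# 1. Domain membership of this server.
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Domain joined : {0} ({1})" -f $cs.PartOfDomain, $cs.Domain

# 2. TCP ports from the list above. 389/UDP cannot be confirmed with a TCP
#    connect; step 3 exercises LDAP itself.
foreach ($port in 636, 3268, 3269) {
    "Port {0,4}/TCP : {1}" -f $port, (Test-TcpPort $DomainController $port)
}

# 3. Bind to the group by GUID with the current account's credentials.
$path = "LDAP://$DomainController/<GUID=$GroupGuid>"
try {
    if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        "Group found   : {0}" -f [string]([ADSI]$path).distinguishedName
    } else {
        "Group found   : no object with GUID $GroupGuid"
    }
} catch {
    "Group lookup failed: {0}" -f $_.Exception.Message
}
```

A port that reports False points to the firewall or network causes; a failed lookup with all ports open points to the deleted-group or read-access causes.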

See Also

Other Resources

Project Active Directory connection failed
Project Active Directory exception occurred during synchronization
Project Active Directory nested foreign security principal could not be resolved
Project Active Directory nested object could not be resolved
Project Active Directory PWA group could not be resolved
Project Active Directory top-level group has no members
Project Creating Report Center Web failed
Project Cube Build Service Analysis Services server connection failure
Project Cube Build Service Analysis Services server lock time out
Project Cube Build Service attempt to overwrite failed
Project Cube Build Service Decision Support Object is not installed
Project notification XSLT transformation error
Project Failure creating a Project workspace
Project General Data Access Layer error connecting to database
Project General Data Access Layer error while getting connection strings
Project notification e-mail delivery failed
Project Queue general percentage SQL retries per day
Project Queue general percentage SQL retries per hour
Project Queue jobs average wait time per day
Project queue jobs percentage jobs failed per day
Project queue jobs percentage failed per hour
Project Queue System restarting due to unexpected error
Project Reporting server side event has failed
Project Server event handler could not be found
Project Server event service could not be found
Project SQL user view refresh message was not queued
Project user view was truncated
Project Windows SharePoint Services format error
Project Winproj average time taken for project open
Project Winproj average percentage of incremental save to full save
Project workspace user synchronization failed