Unable to log in to PVS console, error: The domain/user does not have access to the Farm

Article ID: CTX203038

Description

When a domain user tries to log in to the PVS console, the following error is displayed: "The domain/user does not have access to the Farm."

The environment may or may not have multiple PVS sites and/or multiple domains.

The domain user has been added to "Farm Administrators" under the Security tab of the Farm Properties and can log in successfully from another PVS server in the same farm.

Resolution

Download and install a Microsoft hotfix from https://support.microsoft.com/en-us/kb/2830145

Pre-requisite:
To apply this hotfix, you must be running Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2 or Windows Vista SP2.
 

Problem Cause

When a user logs in to a PVS server console, the PVS SOAP Server queries all Active Directory groups to which the user belongs in order to establish what permissions the user has.
If the environment has Windows Server 2012 domain controllers and at least one Windows Server 2008 Provisioning Server, the issue occurs only when the user tries to log in to the console of one of the 2008 PVS servers, because the security identifiers (SIDs) of the following user groups cannot be resolved on the 2008 servers:

S-1-18-1 - Authentication authority asserted identity
S-1-18-2 - Service asserted identity

This can be seen in CDF traces, which show that the SID of one of the user's groups fails to resolve when querying AD:

,"Exception System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups.  The group's SID could not be resolved.",""
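
A diagnostic check for the condition described above, as an added example that is not part of the original Citrix article: run on the Provisioning Server where console login fails, it reports whether KB2830145 is installed and whether S-1-18-1, S-1-18-2 and the group SIDs in the current logon token resolve to names. The function name Test-SidResolves is hypothetical, and PowerShell 2.0 syntax is used on the assumption that the affected servers run the version shipped with Windows Server 2008 R2.

```powershell
# Added diagnostic sketch (not Citrix or Microsoft code).
# Run in the context of the affected domain user on the PVS server that rejects the login.

$hotfixId        = 'KB2830145'               # hotfix named in the Resolution section
$sidsFromArticle = @('S-1-18-1', 'S-1-18-2') # SIDs named in the Problem Cause section

# Hypothetical helper: try to translate a SID string to an account name.
function Test-SidResolves {
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        New-Object PSObject -Property @{ Sid = $Sid; Resolved = $true; Name = $name }
    }
    catch {
        # Translate() throws when the SID cannot be mapped to a name on this machine.
        New-Object PSObject -Property @{ Sid = $Sid; Resolved = $false; Name = $null }
    }
}

# Operating system, to compare against the hotfix prerequisites.
$os = Get-WmiObject Win32_OperatingSystem
"OS: {0} (version {1}, SP {2})" -f $os.Caption, $os.Version, $os.ServicePackMajorVersion

# Hotfix presence as reported by Get-HotFix.
if (Get-HotFix -Id $hotfixId -ErrorAction SilentlyContinue) {
    "$hotfixId is installed"
} else {
    "$hotfixId was not found by Get-HotFix"
}

# 1. Can this server resolve the two SIDs from the article?
$sidsFromArticle | ForEach-Object { Test-SidResolves $_ } |
    Format-Table Sid, Resolved, Name -AutoSize | Out-String

# 2. Which group SIDs in the current logon token fail to resolve?
$groups     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
$unresolved = @($groups | ForEach-Object { Test-SidResolves $_.Value } |
                Where-Object { -not $_.Resolved })
if ($unresolved.Count -gt 0) {
    "Group SIDs in the current token that do not resolve:"
    $unresolved | Format-Table Sid -AutoSize | Out-String
} else {
    "All group SIDs in the current token resolved."
}
```

Running the same script on a PVS server where the login succeeds gives a baseline to compare against.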