BCAAA: [4284:4412] CheckTokenMembership() failed; status=87:0x57:The parameter is incorrect.
AuthGroup 'DOMAIN\Group' does not exist; status=1789:0x6fd:The trust relationship between this workstation and the primary domain failed.
Event ID 1221 occurs when an AD group that does not exist (or no longer exists) is referenced in policy on the ProxySG.
This can be caused, for example, when you delete a group from AD but do not change the rules that use this group on the SG. The ProxySG does not check, upon policy installation, whether a group exists or not. Instead, it compiles a list of all groups that are referenced in policy and asks the AD about them. These are the so-called groups of interest (GOI).
This can cause excessive log entries in BCAAA because the event is logged every time the appliance evaluates a rule where the group is defined.
Usually, the event contains details about the group to investigate. You must locate the policy rules where the group is defined and disable or remove it to verify that the events stop occurring.
If the event log entry does not show the offending group name, you will need to enable BCAAA debug logging as per this KB article: Enable BCAAA debug logging
In the resulting debug logs, you will then see the name of the group that is referenced in SG policy but that no longer exists (or no longer is accessible) in AD. For example:
2015/11/12 14:17:07.691  Failed to look up group GroupName='foobar', error 0x800400b8
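When many rules reference stale groups, it helps to tally the log first so that policy cleanup can start with the noisiest group. The script below is an added example, not code from this article or the vendor; it assumes the log has been exported as text lines in the two formats shown above, and it folds group names case-insensitively.

```python
import re

# Debug-log form shown in the article:
#   2015/11/12 14:17:07.691  Failed to look up group GroupName='foobar', error 0x800400b8
DEBUG_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"Failed to look up group GroupName='(?P<group>[^']*)', error (?P<err>0x[0-9a-fA-F]+)"
)
# Event-log form shown in the article:
#   AuthGroup 'DOMAIN\Group' does not exist; status=1789:0x6fd:...
EVENT_RE = re.compile(
    r"AuthGroup '(?P<group>[^']*)' does not exist; status=\d+:(?P<err>0x[0-9a-fA-F]+)"
)

# Constructed sample input, modeled on the lines quoted in the article.
SAMPLE = [
    "2015/11/12 14:17:07.691  Failed to look up group GroupName='foobar', error 0x800400b8",
    "2015/11/12 14:17:09.102  Failed to look up group GroupName='FooBar', error 0x800400b8",
    r"AuthGroup 'DOMAIN\Group' does not exist; status=1789:0x6fd:The trust relationship failed.",
    "BCAAA: [4284:4412] CheckTokenMembership() failed; status=87:0x57:The parameter is incorrect.",
]

def summarize_missing_groups(lines):
    """Tally groups reported as missing, keyed by lower-cased group name."""
    groups = {}
    for line in lines:
        m = DEBUG_RE.search(line) or EVENT_RE.search(line)
        if m is None:
            continue  # unrelated BCAAA message
        name = m.group("group")
        entry = groups.setdefault(
            name.lower(),
            {"name": name, "count": 0, "first": None, "last": None, "errors": set()},
        )
        entry["count"] += 1
        entry["errors"].add(m.group("err").lower())
        ts = m.groupdict().get("ts")  # only the debug-log form carries a timestamp
        if ts:  # yyyy/mm/dd hh:mm:ss.mmm sorts correctly as a string
            entry["first"] = min(entry["first"] or ts, ts)
            entry["last"] = max(entry["last"] or ts, ts)
    return groups

if __name__ == "__main__":
    found = summarize_missing_groups(SAMPLE)
    for e in sorted(found.values(), key=lambda e: -e["count"]):
        print(e["name"], e["count"], e["last"] or "-", ",".join(sorted(e["errors"])))
```

Each group name in the output is a candidate to search for in the installed policy before disabling or removing the rule.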
Imported Document ID: 000008064