Symptoms
Users from trusted domains can't be used for application filtering, and the error “Object username is not valid and cannot be used” is thrown.

This may occur even though:
- The domain is reachable
- The group exists in Active Directory
- Individual users can be added successfully
- Only groups fail validation
Running 'whoami /groups' on the affected server may show domain groups as Unknown SID instead of the proper group name.
Cause
This issue may occur when NTLM security hardening settings on Windows Server (commonly observed on Windows Server 2022) prevent proper SID-to-name resolution for domain groups.
When these settings are enforced, Windows cannot correctly resolve domain group SIDs, which causes Parallels RAS to fail object validation when adding groups to filtering rules.
In such cases:
- Domain groups appear as Unknown SID
- Group resolution fails during validation
- RAS returns the error “Object username is not valid and cannot be used.”
Resolution
1. Verify that SID-to-name resolution works correctly by running: 'whoami /groups'
2. If domain groups appear as Unknown SID, review the registry values under the following path on the affected system: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
3. Ensure the following values are set to 0:
- NTLMMinClientSec
- NTLMMinServerSec
- RestrictReceivingNTLMTraffic
- RestrictSendingNTLMTraffic
4. After updating the registry values:
- Restart the affected server.
- Run 'whoami /groups' again to confirm domain groups are properly resolved.
- Retry adding the group to the filtering rule in Parallels RAS Console.
Once SID resolution is restored, the group can be added successfully without triggering the error.
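
Steps 1 to 3 can be checked in one pass with the read-only PowerShell script below. It is an added example, not part of the original article or of Parallels RAS. The function names are hypothetical, and the script assumes that unresolved groups contain the text "Unknown SID" in the 'whoami /groups' output, as described above.

```powershell
# Added example: read-only check of the values named in the Resolution steps.
# Run in an elevated PowerShell session on the affected server. Nothing is modified.
$path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$names = 'NTLMMinClientSec', 'NTLMMinServerSec',
         'RestrictReceivingNTLMTraffic', 'RestrictSendingNTLMTraffic'

function Get-NtlmHardeningState {
    # Returns one object per value: current data (or "(not set)") and a non-zero flag.
    $key = Get-ItemProperty -Path $path -ErrorAction Stop
    foreach ($name in $names) {
        $prop  = $key.PSObject.Properties[$name]
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Name    = $name
            Value   = if ($null -eq $value) { '(not set)' } else { '0x{0:X}' -f $value }
            NonZero = ($null -ne $value -and $value -ne 0)
        }
    }
}

function Get-UnresolvedGroupLine {
    # Assumption: unresolved entries carry the literal text "Unknown SID".
    whoami /groups |
        Select-String -SimpleMatch 'Unknown SID' |
        ForEach-Object { $_.Line.Trim() }
}

$state      = @(Get-NtlmHardeningState)
$unresolved = @(Get-UnresolvedGroupLine)
$nonZero    = @($state | Where-Object NonZero)

$state | Format-Table -AutoSize
Write-Output ("Unknown SID entries in 'whoami /groups': {0}" -f $unresolved.Count)
$unresolved | ForEach-Object { Write-Output "  $_" }

if ($unresolved.Count -eq 0) {
    Write-Output 'Group SIDs resolve on this server; this check does not indicate the registry change in step 3.'
} elseif ($nonZero.Count -gt 0) {
    Write-Output ('Non-zero values to review (step 3): {0}' -f ($nonZero.Name -join ', '))
} else {
    Write-Output 'Unknown SID entries are present, but none of the four values is non-zero.'
}
```

Keep the table output from before the change so the original values can be restored or reviewed later. These values are normally written by the "Network security" NTLM policies under Security Options, so a value that reverts after the restart indicates that Group Policy is reapplying it.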