Windows Authentication in IIS 7.5 Fails with Trust Relationship Exception

I have an ASP.Net 2.0 application that uses integrated Windows Authentication to authenticate/authorize users. The application works fine on Windows XP/IIS 5.1, Windows Server 2008/IIS 7, and Windows Vista/IIS 7. When I try to run this application on Windows 7/IIS 7.5, I get the following exception: The trust relationship between this workstation and the primary domain failed.

The stack trace is as follows:

[SystemException: The trust relationship between this workstation and the primary domain failed.]
   System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed) +1085
   System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess) +46
   System.Security.Principal.WindowsPrincipal.IsInRole(String role) +128
   System.Web.Configuration.AuthorizationRule.IsTheUserInAnyRole(StringCollection roles, IPrincipal principal) +229
   System.Web.Configuration.AuthorizationRule.IsUserAllowed(IPrincipal user, String verb) +354
   System.Web.Configuration.AuthorizationRuleCollection.IsUserAllowed(IPrincipal user, String verb) +245
   System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +11153304
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

The web.config file contains the following information related to authentication/authorization:

<authentication mode="Windows" />
<authorization>
  <!--Deny anonymous users-->
  <deny users="?"/>
  <allow roles="domain\GroupWithAccess"/>
  <deny users="*"/>
</authorization>

Most of the results I found when researching this error state that the problem is related to a broken computer account in the domain and list the solution as re-joining the domain. I've done this but the error still appears. "Normal" domain operations work fine (accessing UNC shares, logging in, etc.).

This application runs in the Classic .Net AppPool for compatibility reasons. I tried changing the identity of the AppPool to "NetworkService" but the error still persists.

Any help is greatly appreciated.

Sean Carpenter asked Aug 11 '09 12:08


2 Answers

I finally found an answer to this after experiencing the same problem on Windows Server 2008 R2. From this article:

Disable the following policies on the Windows 2008 R2 server, run gpupdate /force and restart the server.

"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options"

Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally encrypt secure channel data (When possible)
Domain Member: Digitally sign secure channel data (When possible)

I can confirm that this fixed the problem on Windows 7 as well.

Sean Carpenter answered Nov 07 '22 12:11
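The following PowerShell script is an added diagnostic, not code from the question or the answer above. It reproduces the failing `NTAccount.Translate()` call outside IIS (the stack trace shows `UrlAuthorizationModule` ending up there via `IsInRole`), checks the machine's secure channel to the domain, and reports the current state of the three secure-channel policies the answer names, read from their Netlogon registry values. The group name `DOMAIN\GroupWithAccess` is a placeholder for the role in your web.config; the registry path and value names are the standard Netlogon locations for those policies.

```powershell
# Added diagnostic script (not from the question or answers above).
# Run in an elevated PowerShell session on the affected IIS host.
# Assumptions: 'DOMAIN\GroupWithAccess' is a placeholder for the group in web.config,
# and the three policies live under the standard Netlogon Parameters key.

param(
    [string]$Account = 'DOMAIN\GroupWithAccess'   # placeholder, adjust to your environment
)

# 1. Reproduce the failing call outside IIS. UrlAuthorizationModule calls IsInRole,
#    which translates the group name to a SID; if the machine's secure channel is
#    broken this fails with the same "trust relationship" message as in the browser.
try {
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])
    Write-Host "Translate OK: $Account -> $($sid.Value)"
} catch {
    Write-Warning "Translate failed: $($_.Exception.Message)"
}

# 2. Check the secure channel between this computer and the domain. This is what the
#    "trust relationship" text refers to; re-joining the domain is one way to reset it,
#    Test-ComputerSecureChannel -Repair resets the machine account password in place.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel to the domain is healthy.'
} else {
    Write-Warning 'Secure channel is broken. Try: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
}

# 3. Report (do not change) the effective state of the three policies from the answer.
#    They are stored as Netlogon parameters; 1 = enabled, 0 = disabled.
$params   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$policies = [ordered]@{
    RequireSignOrSeal = 'Domain member: Digitally encrypt or sign secure channel data (always)'
    SealSecureChannel = 'Domain member: Digitally encrypt secure channel data (when possible)'
    SignSecureChannel = 'Domain member: Digitally sign secure channel data (when possible)'
}
foreach ($name in $policies.Keys) {
    $value = (Get-ItemProperty -Path $params -Name $name -ErrorAction SilentlyContinue).$name
    $shown = if ($null -eq $value) { 'not set' } else { $value }
    '{0,-20} {1,-8} <- {2}' -f $name, $shown, $policies[$name]
}
```

Step 1 tells you whether the problem is in IIS or in the machine's domain relationship at all; if the translation also fails from a console, the application pool identity is not the cause. The script only reads the three policy values: they control signing and encryption of the Netlogon secure channel, so disabling them as the answer describes lowers that protection, and confirming the secure channel is healthy (step 2) first is the cheaper and safer check.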


I'm adding this for future reference:

"Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2"

http://support.microsoft.com/kb/976494

That might be a solution to the problem as well.

jishi answered Nov 07 '22 11:11