I have an ASP.Net 2.0 application that uses integrated Windows
Authentication to authenticate/authorize users. The application works fine
on Windows XP/IIS 5.1, Windows Server 2008/IIS 7, and Windows Vista/IIS 7.
When I try to run this application on Windows 7/IIS 7.5, I get the following
exception: The trust relationship between this workstation and the primary
domain failed.
The stack trace is as follows:
[SystemException: The trust relationship between this workstation and the primary domain failed.]
   System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed) +1085
   System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess) +46
   System.Security.Principal.WindowsPrincipal.IsInRole(String role) +128
   System.Web.Configuration.AuthorizationRule.IsTheUserInAnyRole(StringCollection roles, IPrincipal principal) +229
   System.Web.Configuration.AuthorizationRule.IsUserAllowed(IPrincipal user, String verb) +354
   System.Web.Configuration.AuthorizationRuleCollection.IsUserAllowed(IPrincipal user, String verb) +245
   System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +11153304
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
The web.config file contains the following information related to
authentication/authorization:
<authentication mode="Windows" />
<authorization>
  <!--Deny anonymous users-->
  <deny users="?"/>
  <allow roles="domain\GroupWithAccess"/>
  <deny users="*"/>
</authorization>
Most of the results I found when researching this error state that the
problem is related to a broken computer account in the domain and list the
solution as re-joining the domain. I've done this but the error still
appears. "Normal" domain operations work fine (accessing UNC shares, logging
in, etc.). I've also run nltest and gotten success messages back for /query
and /sc_query which leads me to believe that the trust relationship with the
domain is OK.
This application runs in the Classic .Net AppPool for compatibility reasons.
I tried changing the identity of the AppPool to "NetworkService" but the
error still persists.
Any help is greatly appreciated.
Sean Carpenter
Have you tested with some other domain accounts? Do all accounts have the
same problem? Before you reproduce the error, please open event viewer and
clear Windows logs->security log. Check if there is any corresponding
failure audit after the error occurs.
Furthermore please test creating a new web site and a simple helloworld
ASP.net page, see if it also encounters the same SystemException when using
integrated authentication. We have to narrow down whether the problem is
specific to your web application first.
I look forward to your update. Thanks.
Sincerely,
WenJun Zhang
Microsoft Online Community Support
I created a simple test site as suggested and was able to recreate the
problem. However, I was able to come up with some additional details. If I
set the "authorization" element in web.config to allow a user it works
correctly:
<authorization>
  <allow users="domain\MyUserName" />
  <deny users="*" />
</authorization>
If I then change it to allow an Active Directory group instead, it fails
with the same exception as before:
<authorization>
  <allow users="domain\AGroupIBelongTo" />
  <deny users="*" />
</authorization>
Thanks for the help.
Sean Carpenter
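The stack trace in the first post fails inside NTAccount.Translate, which WindowsPrincipal.IsInRole(String) calls to turn the role name into a SID before any membership test happens. The console program below is an added example, not code from this thread: it runs that translation by itself on the affected machine, lists the group SIDs already in the caller's token, and checks membership by SID. The default group name is copied from the posted web.config; the class name and output text are made up for this example.

```csharp
using System;
using System.Security.Principal;

static class RoleCheckDiagnostic
{
    // Taken from the posted web.config; pass another group as the first argument.
    const string DefaultGroup = @"domain\GroupWithAccess";

    static int Main(string[] args)
    {
        string groupName = args.Length > 0 ? args[0] : DefaultGroup;
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        Console.WriteLine("Running as: " + identity.Name);

        // Step 1: the name-to-SID lookup that IsInRole(String) performs first.
        SecurityIdentifier groupSid = null;
        try
        {
            groupSid = (SecurityIdentifier)new NTAccount(groupName)
                .Translate(typeof(SecurityIdentifier));
            Console.WriteLine("Translate OK: " + groupName + " -> " + groupSid.Value);
        }
        catch (IdentityNotMappedException ex)
        {
            // The name does not resolve to any account or group.
            Console.WriteLine("Name could not be mapped: " + ex.Message);
        }
        catch (SystemException ex)
        {
            // Exception type shown in the stack trace (trust relationship failure).
            Console.WriteLine("Translate failed: " + ex.Message);
        }

        // Step 2: group SIDs carried in the token; reading them needs no name lookup.
        foreach (IdentityReference sid in identity.Groups)
        {
            Console.WriteLine("Token group SID: " + sid.Value);
        }

        // Step 3: membership check by SID, which skips the name translation.
        if (groupSid != null)
        {
            Console.WriteLine("IsInRole(SID): " + principal.IsInRole(groupSid));
        }
        return groupSid != null ? 0 : 1;
    }
}
```

If step 1 fails here as well, the failure is in the machine's name lookup and not in the ASP.NET authorization rules; if it succeeds, compare the account the program ran as with the application pool identity.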
""WenJun Zhang[msft]"" <wjz...@online.microsoft.com> wrote in message
news:NYYJy1XI...@TK2MSFTNGHUB02.phx.gbl...
I'd suggest you further check the security log on the domain controller after
reproducing the issue to see if there is any clue. Also, do other AD user
groups have the same problem or just that particular one?
Thanks,
Sean Carpenter
""WenJun Zhang[msft]"" <wjz...@online.microsoft.com> wrote in message
news:irJWgIlI...@TK2MSFTNGHUB02.phx.gbl...
Cheers
Ken
"Sean Carpenter" <msne...@nospam.nospam> wrote in message
news:e1Mk13OJ...@TK2MSFTNGP02.phx.gbl...