This post describes the error “The trust relationship between the primary domain and the trusted domain failed” in EPiServer 4.
The problem
I don’t know why, but I always seem to end up in trouble with Active Directory. It’s like a curse. Or a blessing in disguise.
This time it was EPiServer 4, built as an intranet that had been along for the ride through a few AD changes. Until now it had used forms authentication.
When we switched to Windows authentication, we got this error: “The trust relationship between the primary domain and the trusted domain failed”.
Now, looking at the error it’s easy to jump to the conclusion that there’s a trust issue in a cross-forest AD: roll in the big-gun network administrators and have them poke at it for a few hours. But while the error was raised in a cross-forest Active Directory, the user trying to connect and the actual server were in the same domain!
This was the setup:
- The IIS website was using Windows Integrated Authentication
- The application pool was running under an Active Directory account
- Web.config was configured to use authentication mode Windows
Why this happens
There are a number of reasons why this might occur. What they all have in common is that the code can’t reach a specific domain. Usually the exception comes from the IsInRole method of the IPrincipal object, which has to resolve the group against the domain named in the role.
A quick search on the error in your favorite search engine turns up a FAQ hit over at world.episerver.com. EPiServer, for better or worse, explains that this happens because the server has lost its connection with the domain and that Windows accounts should not be used. The blame is put on ASP.NET. They also include two workarounds. Neither of them worked for us. Our server was in the domain!
So, wtf?
Cause and how to solve it
We tried all the workarounds. Even this one.
As a last resort we had a look at the actual groups that were set up in the EPiServer database. There we found old groups that had been configured with LDAP, pointing to an old domain. Holy smelly domains, Batman!
EPiServer is designed to check whether the current user is a member of any of the configured groups when he/she requests a page. Since the IsInRole check for the groups in the database pointed at a domain EPiServer couldn’t find when we made our request, it threw an exception. And rightly so.
So the lesson of the story is:
If you get this error, check the groups granted access in the “location” elements of web.config (admin, edit, webservices, etc.) and the groups set in the EPiServer database.
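The check in that lesson as a stand-alone script, added here as an example (not code from the original post or from EPiServer): it collects every role name from the authorization rules in web.config plus the group names from the database, and flags the ones whose domain prefix is not the server’s own domain. The web.config, the group list and the domain names CORP, OLDDOM and LEGACY are constructed sample data.

```python
"""Flag role names in web.config / the EPiServer group table whose domain
prefix (the part before the backslash) is not the server's own domain."""
import xml.etree.ElementTree as ET

# Constructed sample config in the ASP.NET <location>/<authorization> layout
# EPiServer 4 uses; CORP is the server's domain, OLDDOM a migration leftover.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="admin"><system.web><authorization>
    <allow roles="CORP\WebAdmins, CORP\Administrators" /><deny users="*" />
  </authorization></system.web></location>
  <location path="edit"><system.web><authorization>
    <allow roles="OLDDOM\WebEditors, CORP\WebAdmins" /><deny users="*" />
  </authorization></system.web></location>
</configuration>"""
# Constructed stand-in for the group names stored in the EPiServer database.
SAMPLE_DB_GROUPS = ["CORP\\WebEditors", "LEGACY\\IntranetEditors"]

def configured_roles(config_xml):
    """(location path, rule tag, role) for every roles= entry, in file order."""
    root = ET.fromstring(config_xml)
    # Root <system.web> guards the whole site; each <location> guards one path.
    scopes = [("/", root)] + [(loc.get("path", ""), loc) for loc in root.findall("location")]
    found = []
    for path, scope in scopes:
        for rule in scope.findall("./system.web/authorization/*"):
            for role in (rule.get("roles") or "").split(","):
                if role.strip():
                    found.append((path, rule.tag, role.strip()))
    return found

def role_domain(role):
    """'CORP\\Group' -> 'CORP'; a bare group name carries no domain prefix."""
    domain, sep, _ = role.partition("\\")
    return domain.upper() if sep else None

def stale_domains(roles, current_domain):
    """Roles (sorted, unique) whose prefix names a domain other than current_domain;
    IsInRole has to resolve each of these in that other domain."""
    current = current_domain.upper()
    return sorted({r for r in roles if role_domain(r) not in (None, current)})

if __name__ == "__main__":
    roles = [r for _, _, r in configured_roles(SAMPLE_WEB_CONFIG)] + SAMPLE_DB_GROUPS
    for role in stale_domains(roles, "CORP"):
        print("role points at another domain:", role)
```

A bare group name without a prefix is deliberately not flagged, since it resolves against the local machine or the current domain rather than a foreign one.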