Friday, May 14, 2010

Workstation Trust Relationship Issue

Issue:

You receive the following error message when you try to log in to the domain:

The security database on the server does not have a computer account for this workstation trust relationship. 

Solution/Workaround:

1. Open ADSI Edit.
2. Go to the Domain partition.
3. Right-click the computer object and go to Properties.
4. Double-click ServicePrincipalName and verify the SPN value for your domain.
5. If the SPN value is missing, add a new SPN value in the following format:
        HOST/computername.domainname.com
6. Restart the computer.

Service Principal Name (SPN) - An SPN consists of a service class, host, port and service name in the following format:

<service class>/<host>:<port>/<service name>

The <service class> and <host> are required; the <port> and <service name> are optional.

I have seen this issue on Vista, Windows 7, Windows 2008 and Windows 2008 R2 machines. As you might know, the Winlogon service on these operating systems uses Kerberos logon, so the Service Principal Names (SPNs) need to be configured properly to support Kerberos authentication.
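The same check and fix as the ADSI Edit steps above, scripted with the ActiveDirectory PowerShell module. This is an added example and not part of the original post; it assumes the RSAT ActiveDirectory module, an account allowed to write servicePrincipalName on the computer object, and that it is run from a healthy domain member (the broken workstation cannot authenticate to the domain). The computer name is a placeholder you supply.

```powershell
# Added example: verify the HOST SPN on a computer account and add it if missing.
# Assumes the ActiveDirectory module (RSAT) and write access to the computer object.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName   # placeholder, e.g. WS01
)
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$computer = Get-ADComputer -Identity $ComputerName -Properties ServicePrincipalNames
if (-not $computer) { throw "Computer account '$ComputerName' not found in the domain partition." }

# Expected HOST SPNs: the FQDN form from the post plus the short NetBIOS form
# that a normal domain join registers alongside it.
$fqdn     = "$($computer.Name).$domain"
$expected = @("HOST/$fqdn", "HOST/$($computer.Name)")

Write-Host "Current SPNs on $($computer.DistinguishedName):"
$computer.ServicePrincipalNames | ForEach-Object { Write-Host "  $_" }

$missing = @($expected | Where-Object { $computer.ServicePrincipalNames -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host "HOST SPNs are present; look elsewhere (secure channel, name resolution, duplicate SPNs)."
    return
}

# Never create a duplicate: Kerberos fails if two accounts register the same SPN.
foreach ($spn in $missing) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($owner -and $owner.DistinguishedName -ne $computer.DistinguishedName) {
        throw "SPN $spn is already registered on $($owner.DistinguishedName); resolve that first."
    }
}

Write-Host "Adding missing SPN(s): $($missing -join ', ')"
Set-ADComputer -Identity $computer -ServicePrincipalNames @{ Add = $missing }
```

After the SPNs are added, restart the workstation (step 6) so Winlogon obtains a fresh Kerberos ticket.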


However, if you are running Windows 7 or Windows Server 2008 R2, adding the computer to a Windows 2000 domain and running a program that calls the LookupAccountName function to retrieve a security identifier (SID) for an account, you may want to consider the following hotfix:

http://support.microsoft.com/kb/976494


Other Reference Articles:

Typical Symptoms when secure channel is broken - http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx

Machine Account Password Process - http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

Kerberos Authentication Problems - http://blogs.technet.com/b/askds/archive/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx

http://technet.microsoft.com/en-us/library/ee849847(WS.10).aspx


15 comments:

Thank you, it was very helpful.

Hello,
I appreciate your post though this did not resolve my issues with the same "trust relationship.." issue. I see the host/machine_name.domain.local in ADSI edit and another 5 listings that seem to be correct.

I can easily rejoin the machine to the domain though I am trying to figure out why this keeps happening. It is happening more than I would like throughout our Windows 7 network. We deployed using Windows Deployment services and sysprep to create the images. This all goes fine and works. Though throughout the school year, we have machines here and there (not all machines...just a few) that are obviously losing their connection with AD.

What is confusing is that a machine I am working on now was joined to the domain this past August 2010 and I am just now getting this issue on this machine. Do you have any ideas you could share with me of how to approach this? We are not having replication issues in our AD structure. It seems that the computer password is not changing somehow as I believe it expires after a certain time period. Then the secure channel is broken between it and AD not allowing users to login to the machine.
Any help would be appreciated.
Thanks,
DC

Do you see any name resolution issues between workstation and DC? Did you verify the SPN?

thanks Santhosh, this was very helpful in troubleshooting quickprep provisioned linked clone desktops with view 4.6. It seems the computer accounts were created without the correct ServicePrincipalName

Thanks for the feedback. You will see this issue if you are “cloning” the computer accounts.

Hi,

I am glad to find this site !

While logging in to the client machine (Win7) we are facing the same issue like "The trust relationship failed".
We used to fix this by unjoining the machine from the domain and rejoining it. Is there any way to fix this issue without doing this stuff?

Your answer will be most helpful for us.

thanks,
Venkat.

Hi Venkat,

Did you try the options described in this blog?

Did you verify the SPN?

Great post. Here’s a tutorial that shows how you can easily build an online database-driven web application with a parent-child table relationship, without coding: http://blog.caspio.com/web-database/creating-one-to-many-relational-datapages/


This worked spot on for me! Never even came across ADSI editor before. Thanks a bunch

Thanks Santhosh.
That was very helpful
Cheers
