Friday, May 14, 2010

Workstation Trust Relationship Issue


You receive the following error message when you try to log on to the domain:

The security database on the server does not have a computer account for this workstation trust relationship. 



1. Open ADSI Edit.
2. Go to the Domain partition.
3. Right-click the computer and go to Properties.
4. Double-click ServicePrincipalName and verify the SPN value for your domain.
5. If the SPN value is missing, add a new SPN value in the following format.

6. Restart the computer. 

Service Principal Name (SPN) - An SPN consists of a service class, host, port and service name in the following format:

<service class>/<host>:<port>/<service name>

The <service class> and <host> are required; the <port> and <service name> are optional.
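
The format above can be checked mechanically. The following PowerShell is an added example, not code from the original post: it parses values copied from the ServicePrincipalName attribute, flags entries that lack the required service class or host, and lists expected entries that are absent. The function names, the sample values and the `HOST` service class used in the sample are assumptions made for illustration.

```powershell
# Added example: validate SPN strings against <service class>/<host>:<port>/<service name>.
function ConvertFrom-Spn {
    param([string]$Spn)
    # <service class> and <host> are required; <port> and <service name> are optional.
    $pattern = '^(?<class>[^/:]+)/(?<host>[^/:]+)(?::(?<port>\d{1,5}))?(?:/(?<name>.+))?$'
    $m = [regex]::Match($Spn, $pattern)
    if (-not $m.Success) { return $null }          # malformed entry
    $port = $null
    if ($m.Groups['port'].Success) {
        $port = [int]$m.Groups['port'].Value
        if ($port -lt 1 -or $port -gt 65535) { return $null }   # not a valid port number
    }
    [pscustomobject]@{
        ServiceClass = $m.Groups['class'].Value
        HostName     = $m.Groups['host'].Value
        Port         = $port
        ServiceName  = if ($m.Groups['name'].Success) { $m.Groups['name'].Value } else { $null }
    }
}

function Test-SpnList {
    param(
        [string[]]$SpnValues,     # values from the ServicePrincipalName attribute
        [string]$ServiceClass,    # service class you expect to be registered
        [string[]]$HostNames      # host names you expect (for example short name and FQDN)
    )
    $parsed = @(); $malformed = @()
    foreach ($value in $SpnValues) {
        $spn = ConvertFrom-Spn -Spn $value
        if ($null -eq $spn) { $malformed += $value } else { $parsed += $spn }
    }
    # -eq on strings is case-insensitive, which matches how SPNs are compared.
    $missing = @(foreach ($name in $HostNames) {
        $hit = $parsed | Where-Object { $_.ServiceClass -eq $ServiceClass -and $_.HostName -eq $name }
        if (-not $hit) { "$ServiceClass/$name" }
    })
    [pscustomobject]@{ Malformed = $malformed; Missing = $missing }
}

# Constructed sample values (not taken from a real directory).
$values = @('HOST/WKS01', 'TERMSRV/WKS01:3389', 'HOST/', 'WSMAN')
$result = Test-SpnList -SpnValues $values -ServiceClass 'HOST' -HostNames 'WKS01', 'wks01.example.test'
"Malformed: $($result.Malformed -join ', ')"
"Missing:   $($result.Missing -join ', ')"
```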

I have seen this issue on Vista, Windows 7, Windows 2008 and Windows 2008 R2 machines. As you might know, the Winlogon service on these operating systems uses Kerberos logon, so the Service Principal Names (SPNs) need to be configured properly to support Kerberos authentication.

However, if you are running Windows 7 or Windows Server 2008 R2, adding the computer to a Windows 2000 domain and running a program that calls the LookupAccountName function to retrieve a security identifier (SID) for an account, you may want to consider the following hotfix:

Other Reference Articles:

Typical Symptoms when secure channel is broken -

Machine Account Password Process -

Kerberos Authentication Problems -

