ACS forwarding from untrusted domain 0x80090325 SEC_E_UNTRUSTED_ROOT

Similar Messages

• SQL server(PC1) --- PC2: Login failed. The login is from untrusted domain and cannot be used with windows authentification

  Hey,
  I'want to make connection from my laptop(xxx.xxx.xxx.xxx = A) to a fixed computer(SQL server xxx.xxx.xxx.xxx =B). My connection string = "Provider=SQLNCLI11; Data source:name-pc/SQLEXPRESS; Integrated circuit=SSPI;Intial Catalog=Database name for visual
  studio C#.
  Laptop -> PC1 : Eror
  It works when i use localhost or 127.0.0.1 and i can read my database without any problems if i install SQL server on my laptop. Know i install it to PC1 and uninstall on my laptop. When i change the name-pc by an ip-adress i get this error: Login failed.
  The login is from untrusted domain and cannot be used with windows authentification. I did some research on multiple forums where they say about Local security policy(secpol.exe) but i don't have this file. 
  PC2-> PC3: work fine but i want to work with my laptop and i don't understand why it isn't working with my Laptop. 
  Can someone help me?
  Thx a lot and sry about my english(its a disaster) 
  Thibaut

  Hello,
  Yes, for the Windows Authentication to work you should be using the same Windows account and password.
  Are you willing to create SQL logins inside SQL Server and allow your users to connect to SQL Server using SQL Authentication
  instead of Windows Authentication? That could be a solution on a workgroup network.
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• Protect SQL database from untrusted domain

  Hello,
  I have some problems protecting a SQL 2008 SP3 database from untrusted domain with DPM 2012 R2 RU3. 
  When I try to protect the databases, it does not appear in the tree to select them, also when I try to recover a database into untrusted domain it doesnt appear in the tree.
  The NT Authority\System has sysadmin permissions, I have all TCP ports open and  the following UDP ports: 389,88,netbios-dgm,netbios-ns.
  Any idea ?

  Hi
  Is this sql Server part of Sql Server Cluster or a standalone Sql Server?
  Regards, Trinadh [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. If you found the reply helpful, please "MARK IT AS ANSWER". Looking for source of information for DPM?
  http://blogs.technet.com/b/dpm/ http://technet.microsoft.com/en-in/library/hh758173.aspx

• Does iCloud accept emails forwarded from other domains ?

  I used to forward emails from the dbradley.net email server directly to my .mac account and Apple stopped allowing forwarded emails. Now with iCloud can I forward dbradley.net email to my iCloud account ?
  Dennis
  <Email Edited By Host>

  I have asked for your email address to be edited out. Posting your address in an open thread is a sure way to be bombarded by unwanted email, remember it will be here long after you have resolved your problem, for automated detection software to find.
  If you want people to contact you, enable others to see your email address in your profile.
  You can forward mail to any account, nothing in iCloud will stop you doing this.

• BizTalk + untrusted domain

  Hi all,
  We have a requirement to send and receive files from untrusted domains using biztalk.
  We have multiple interfaces need to created(messaging scenario) which can receive and send files using file adapter from/to untrusted and different domains.
  Is biztalk support file transfering in untrusted different domains?If yes how can we do it incase of file adapter .if not then can we do it using sftp or any other way?
  Manish

  Hi Manish,
  I would personally prefer to use FTP/SFTP to domain which can be authenticated at our end. But File adapter does provide this options.
  FTP adapter does have options to provide credentials to access the ftp folders.
  FTP security :
  http://msdn.microsoft.com/en-us/library/aa559285.aspx
  SFTP depends upon which 3rdparty adapter you use. But I am sure all the 3rd parties provides option to pass in your credentials to authenticate.
  If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

• Error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication" on SQL Server 2008 R2 Enterprise Edition 64-bit SP2 clustered instance

  Hi there,
  I have a Windows 2008 R2 Enterprise x64 SP2 cluster which has 2 SQL Server 2008 R2 Enterprise Edition x64 SP2
  instances.
  A domain account "Domain\Login" is administrator on both physcial nodes and "sysadmin" on both SQL Server instances.
  Currently both instances are running on same node.
  While logging on to SQL Server instance 2 thru "Domain\Login" using "IP2,port2", I get error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication". This happened in the past
  as well but issue resolved post insatllation of SQL Server 2008R2 SP2. This has re-occurred now. But it connects using 'SQLVirtual2\Instance2' without issue.
  Same login with same rights is able to access Instance 1 on both 'SQLVirtual1\Instance1' and "IP1,port1" without any issue.
  Please help resolve the issue.
  Thanks,
  AY

  Hello,
  I Confirm that I encountred the same problem when the first domain controller was dow !!
  During a restarting of the first domain controller, i tried to failover my SQL Server instance to a second node, after that I will be able to authenticate SQL Server Login but Windows Login returns Error 18452 !
  When the firts DC restart finishied restarting every thing was Ok !
  The Question here : Why the cluster instance does'nt used the second DC ???
  Best Regards     
  J.K

• SCCM MP Account from accessing across untrusted domain

  Hi,
  I am wondering if anyone has any suggestion on how to setup MP connection account from MP in untrusted domain (DMZ) to site server. I tried to create a user account in the domain where SCCM primary site exists and configured that account for MP to use but
  unfortunately I am getting following error..
    *** [28000][18452][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
  I have not tried using SQL replica yet but I thought if account works then I would refrain from using SQL replica.
  Thanks,

  ** Resolved **
  Instead of using DOMAIN\USER, I created a local account on site server and assigned EXECUTE right to DB.. Its now communicating from DMZ without any problem...

• Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

  Hello,
  I have gone through couple of posts regarding this issue but couldn't get the right solution. Could you please help what exactly we are missing here.
  Details:
  1) we have two SQL instances on one standalone machine (Default Instance (2008 SP3) + Named Instance (SQL 2012 SP1))
  2) Both instances are configured to accept SQL+ Windows authentication.
  3) when we give access to our users they are getting following exception if they connect with 'windows authentication'. (For both instances)
  Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
  Note: (Being a sys + windows admin I'm able to connect both the instances from same client machine without
  any issues)
  4) Also, we observed following error in windows application event log,
   SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
  The logon attempt failed   [CLIENT: 192.168.xxx.xyx]
  5) If we create SQL login it is working fine without any issues.
  Could someone guide/help  me identifying and fixing this issue.
  Thank you

  Hello,
  Are those Windows Logins associated to domain Windows accounts? Windows Logins work for domain accounts and local Windows account created on the server where the SQL Server instance is installed (and used to login locally to the server).
  Could you try to delete one of the Windows logins that fail to login , and try to recreate them?
  The following resources may help:
  http://blogs.msdn.com/b/dataaccesstechnologies/archive/2012/12/19/error-message-quot-login-failed-the-login-is-from-an-untrusted-domain-and-cannot-be-used-with-windows-authentication-quot.aspx
  http://support.microsoft.com/kb/555332
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• Email forwarding from my own domain to my verizon email account is taking a long time...

  Email forwarding from my own domain to my verizon email account is taking a long time.
  I have email addresses registered at moniker.com.  When I send an email to an email address that is forwarding to my verizon email, it takes a long time to arrive.

  Hmmm ... none of the header is showing this hitting the Verizon edge anywhere along the line.   At some point the header has to show the mail transiting vztpa.verizon.com or vzsac.verizon.com which are intake servers for messages headed for Verizon.   What I'm see in the header so far is that it took about 4-6 seconds (depending on what clocks you believe) to make from one end of the connection to the other.
  You got this out of your Verizon mailbox?

• ACS appliance 4.1 - machine authentification from trusted Domain failed

  We have a acs appliance 4.1 with a agent running on a X domain controller to authenticate user's from the X domain active directory.
  User's and Computer's are able to authenticate without any issue on X domain.
  We have recently add a trusted Y domain on this X domain.
  User's from Y domain are able to authenticate on our ACS without any issue , but machine are not able to authenticate.
  03/14/2011
  10:44:32
  Authen failed
  host/FLADWS0072.Ydomain
  Default Group
  00-26-82-d6-9b-3f
  (Default)
  External DB user invalid or bad password
  Machine use is the following settings to authenticate :
  EAP type : EAP (PEAP) 
  Authentification method : EAP-MSCHAP v2
  On Y domain active directory :
  Remote access permission is ok for machine
  On ACS applicance :
  "Enable PEAP machine authentication" is select + the machine from X Domain are authenticate without any issue.
  Any idea where is should start to invetigate ?
  Tks in advance for your help

  Dear Valued Cisco Customer,
  I will be out of the office from 03/20/2010 until 04/04/2010. During
  this time, I will have no access to email or voicemail. If you require
  assistance during my absence, please contact Manivannan Srinivasan via
  phone at 469-255-4806 or via email at [email protected] and this
  engineer will continue to work any immediate concerns you may have at
  this time. If this issue can wait until my return on 04/05/2010, I will
  be glad to continue working with you. If you require assistance outside
  of our business hours (10:00am - 7:00pm CST), please contact the TAC by
  calling 1800-553-2447 or email [email protected] and request to have the
  service request re-assigned.
  Best Regards,
  Abhishek Neelakanata

• On Saturday I suddenly stopped being able to download my email from my domain. No changes had been made in the settings. It did this one other day.

  I am using Thunderbird 24.3.0, the most recent version. My computer operates on Windows Vista. Suddenly on Saturday, Thunderbird stopped downloading messages from my domain. I had not changed any settings in Thunderbird. This happened about a week and a half ago as well & then was okay.
  I am able to send messages with no problem. It acts like it is contacting my email accounts but nothing gets downloaded. My web hosting people have been unable to help.
  Since then I have tried different things, even closing & re-opening Thunderbird, disabling all plug-ins, but nothing helped. Only one thing temporarily helped was when I sent some emails to Comcast accounts I have (they get forwarded to my domain emails), suddenly two of my emails downloaded. It hasn't worked on additional attempts to do this.
  One error from the error console showed: Timestamp: 3/2/2014 10:06:31 PM
  Error: SyntaxError: missing ; before statement
  Source File: javascript:%20Could%20not%20read%20chrome%20manifest%20'file:///C:/Program%2520Files/Mozilla%2520Thunderbird/chrome.manifest'.
  Line: 1, Column: 7
  Source Code:
  Could not read chrome manifest 'file:///C:/Program%20Files/Mozilla
  Is something corrupt with my installation of Thunderbird & if so, how did that happen when nothing was changed?
  I am at a loss.

  Please disregard this. I tried everything but restarting my computer & when I did, it downloaded all my messages.

• SCCM 2012 R2 - Distribution Point untrusted domain - Not acknowledging Network Access Account (FYI)

  Hello!
  Scenario
  Built a single primary site server in one domain with multiple distribution points. All site servers are member of this one site.
  The distribution points in the primary site servers' domain function as expected. The distribution point deployed to an untrusted domain does not. The primary site server can see all objects in the domain, publishes successfully, and CCM client on the
  DP in the untrusted domain knows its part of the site, knows its AD site (according to locationservices.log). The DP role is installed properly, logs are populating, queries are being made for application lists and updates. nfortuantely authentication
  errors indicate that this software can'tbe downloaded.
  In essence the DP in the untrusted domain can't pull down content from the primary site server. The role uses BITS to download content from IIS on the primary site server, but the requests each throw a 401 error. Unauthorised. This should be an easy fix.
  Create a Network Access Account in the primary site server's domain, assign it to the site (Software Distribution setting), wait for the DP to pick up the setting and watch it retrieve its content. The DP in the untrusted domain is configured as a Pull DP,
  implying it has to use a Network Access Account to download content. It knows the content is available and makes every effort to download it.
  Problem
  The DP in the untrusted domain doesn't know a Network Access Account (NAA) has been defined for the site.
  The account does exist, created in the primary site server's domain and assigned to the site. Its not a password issue. IIS has not been set for Anonymous access as this isn't needed - the NAA should provide the credentials it requires to pull down content.
  A manual check using the URL of the package confirms the package is accessible from the DP when using the NAA's credentials. I've allowed enough time (i think) for the DP to acknowledge the NAA. For fun the DP role was removed, and the CCM agent removed. Both
  were reinstalled. A fresh install didn't detect the NAA.
  Solution
  After some soul searching and a little frustration, it came down to this: A Pull DP always uses the Network Access Account. If the DP can't find a Network Access account it will fail to pull down content. This is undisputed. Found an article that states
  the Pull DP always uses the CCM client configuration to do its dirty work. At that point the CCM client was checked. It had the classic problem of only displaying two Actions - Machine Policy Retrieval & Evaluation Cycle, User policy Retrieval & Evaluation
  Cycle. Most components were installed but not enabled. This is fairly common. Looked at the console, found the device, added the Approval column. Turns out it wasn't auto-approved. Reason being that the client is in an untrusted domain and clients in untrusted
  domains aren't approved automatically (by default).
  In this case something as simple as an Approving the client fixed these issues. 
  The DataTransferService.log highlights the issue:
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="1" thread="3136" file="dtsjob.cpp:3501">
  <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' URL='http://PRIMARYSERVER.A.B.COM:80/SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68'
  ProtType=1]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3504">
  <![LOG[Authentication required by the proxy, DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="3" thread="3136" file="dtsjob.cpp:3513">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} in state 'Cancelled'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.h:166">
  <![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job
  {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
  context="" type="2" thread="3136" file="dtsjob.cpp:3652">
  <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
  file="dtsjob.cpp:3205">
  <![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1"
  thread="3136" file="netaccessaccount.cpp:288">
  <![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context=""
  type="1" thread="3136" file="netaccessaccount.cpp:858">
  <![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account
  (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
  The IIS server logs u_ex150219.log captures the request:
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 2 5 1509 2
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 4
  2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
  401 1 3221225581 1509 3
  2 x Domains: DomainA and DomainX
  - Single domain forests
  - No trusts between domains/forests
  DomainA\PRIMARYSERVER
  - Primary Site Server, MP, DP, IIS, all roles
  DomainX\DP1
  - Distribution Point, IIS, etc
  - CCM client installed

  Based on the above, you are using a PullDP. If so, have you installed the client agent on this system? The client agent is required on PullDPs in untrusted domains so that they can acquire the NAA.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Running CM console from untrusted forest

  Is it possible to get CM 2012 console to work from untrusted AD forest somehow? 

  Yes. See here
  http://configmgrblog.com/2012/07/13/connecting-with-the-console-to-configmgr-2012-in-a-different-domain/
  Gerry Hampson | Blog:
  www.gerryhampsoncm.blogspot.ie | LinkedIn:
  Gerry Hampson | Twitter:
  @gerryhampson

• JAAS between WLS (untrusted) domains - ServerIdentity failed validation

  I'm trying to create a proxy/delegate class that can be used by clients to
  transparently access a server.
  The class should be usable from clients within WLS containers and from
  regular java apps.
  Using JNDI authentication everything works fine.
  Using JAAS I'm having a problem when my client is a EJB app in an untrusted
  WLS domain. When the login is requested the following error is occuring:
  <ServerIdentity failed validation, downgrading to anonymous.>
  I want to be able to do a JAAS login to a non-trusted domain. I'm assuming
  that the server is trying to pass the subject who is logged into the current
  container, and my call to LoginContext.login()
  Any thoughts?
  //Example of code
  loginContext = new LoginContext("ServiceSecurity", new
  FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
  loginContext.login();
  Subject subject = loginContext.getSubject();
  serviceHome = (ServiceHome)weblogic.security.Security.runAs( subject,
  new PrivilegedExceptionAction() {
  public Object run() throws Exception{
  //JNDI lookup
  //Create session bean instance
  weblogic.security.Security.runAs( subject,
  new PrivilegedExceptionAction() {
  public Object run() throws Exception{
  //do operation on instance

  Then I'd start talking to BEA support to see if they even know how to do
  this.
  Without the trust relationship I'm not sure if you can achieve what you
  want.
  Dejan
  Mark Fine wrote:
  This is exactly what I am doing.
  Implicitly there is a security context within the session bean (the user
  logs in via the web app and context is propagated). I obtain a LoginContext
  to the other server and call the method within that context.
  It doesn't work because it is implicitly passing the security context of the
  session bean and failing due to lack of trust.
  //Example of code
  loginContext = new LoginContext("ServiceSecurity", new
  FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
  loginContext.login();
  Subject subject = loginContext.getSubject();
  serviceHome = (ServiceHome)weblogic.security.Security.runAs( subject,
  new PrivilegedExceptionAction() {
  public Object run() throws Exception{
  //JNDI lookup
  //Create session bean instance
  weblogic.security.Security.runAs( subject,
  new PrivilegedExceptionAction() {
  public Object run() throws Exception{
  //do operation on instance
  "Deyan D. Bektchiev" <[email protected]> wrote in message
  news:[email protected]...
  In that case you should be able to get the two different Subjects from
  the two different domains (return a different url from the URLCallback
  when you login with JAAS), and afterwards use
  weblogic.security.Security.doAs(...);
  with the correct Subject for the appropriate server when you access the
  servers.
  HTH,
  --dejan
  Mark Fine wrote:
  Thanks, but i think the content was miscommunicated. Everything works
  fine
  when the domains are "trusted". I want to know how to have "untrusted"
  domains talk to each other through explicit logins.
  ie. imagine an application on a domain in a finance department. What if
  they are trusted against other domains and can't / don't want to
  establish
  trust with your domain. They just need access to one particular service
  you
  expose.
  Thanks,
  m
  "Deyan D. Bektchiev" <[email protected]> wrote in message
  news:[email protected]...
  Hi Mark,
  You should first establish a trust relationship between your Weblogic
  servers:
  http://e-docs.bea.com/wls/docs70/secmanage/domain.html#1171534
  Then you can use JAAS to authenticate and get valid Subjects for the two
  users.
  --dejan
  Mark Fine wrote:
  I'm trying to create a proxy/delegate class that can be used by clients
  to
  transparently access a server.
  The class should be usable from clients within WLS containers and from
  regular java apps.
  Using JNDI authentication everything works fine.
  Using JAAS I'm having a problem when my client is a EJB app in an
  untrusted
  WLS domain. When the login is requested the following error is
  occuring:
  <ServerIdentity failed validation, downgrading to anonymous.>
  I want to be able to do a JAAS login to a non-trusted domain. I'm
  assuming
  that the server is trying to pass the subject who is logged into the
  current
  container, and my call to LoginContext.login()
  Any thoughts?
  //Example of code
  loginContext = new LoginContext("ServiceSecurity", new
  FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
  loginContext.login();
  Subject subject = loginContext.getSubject();
  serviceHome = (ServiceHome)weblogic.security.Security.runAs( subject,
  new PrivilegedExceptionAction() {
  public Object run() throws Exception{
  //JNDI lookup
  //Create session bean instance
  weblogic.security.Security.runAs( subject,
  new PrivilegedExceptionAction() {
  public Object run() throws Exception{
  //do operation on instance

• SQL Server Protection untrusted domain

  DPM 2012 R2 on Server 2008R2
  SQL Server:  2008 R2 running SQL 2008R2 in untrusted domain
  Configured environment as Untrusted - local User and agent is communicating with SQL Server.
  Configured protection group and saw all the DB's.  Initially about 1/2 the DB's went to OK but with no recover point and then all went to replica inconsistent. 
  I have configured the local account with local administrator as well as SYSADMIN rights on the SQL application with no luck.  Interesting is on the SQL Server I get App Log events for 1) I/O frozen on DB, 2) I/O resumed, 3) database backed up. 
  I also get System event logs for Software Shadow Copy Provider starting and stopping but I'm getting no data transferred to the DPM server.
  Ideas?

  Fixed:
  Added port 3718 from protected system to DPM on firewall. MS document does not give connection direction so I initially assumed 5718/5719 to be only towards the protected system.