RDS Trust relationship issue
Hi,
We have 3 domains
DOM1.domain.local (top domain)
DOM2.DOM1.domain.local (sub domain)
DOM3.DOM1.domain.local (sub domain)
When we set up a brand new RDS 2012 server in DOM2 we can't add users from DOM3 and vice versa.
When we install a RDS 2012 server in DOM1 we can't add users from DOM2 and DOM3.
The error message says that the network path was not found. And to check for a two-way trust.
We can't change settings on the trust relationship, because it is a child domain, it will always be a two-way trust. (the validation works without any problem)
Adding users from the other subdomain to the local group "Remote Desktop Users" isn't a problem. But that doesn't work any more in server 2012.
Anyone an idea?
Regards
Stijn
Hi,
After reading your post, I understand that you are not able to add users from another domain.
Can a cross-domain user log in successfully?
In your situation, I would suggest that you change the trust type to a cross-forest trust.
Understanding when to Create a Forest Trust:
http://technet.microsoft.com/en-us/library/cc771397.aspx
How to Configure Cross-Forest Administration:
http://technet.microsoft.com/en-us/library/bb232078(v=exchg.80).aspx
Refer to the post below (answered by Mark McNichols):
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b243ec10-ae0c-4501-94b7-acd3a4d1e90e/rds-and-sid-error-with-twoway-trust
The article described in the above post by Mark McNichols (KB972133):
http://support.microsoft.com/kb/972133
This might help!
Thanks.
Similar Messages
-
Hi,
A SharePoint 2010 backup has been taken from production and restored through the Semantic Tool on one of the servers. The web application of which the backup was taken is working fine.
But the problem is that SharePoint is not working correctly. We cannot create any new web application and cannot navigate to the ServiceApplications.aspx page; it shows an error. Even the Search and User Profile services of the existing web application are not working. Checking the SharePoint logs I found the below exception:
11/30/2011 12:14:53.78 WebAnalyticsService.exe (0x06D4) 0x2D24 SharePoint Foundation Database
8u1d High Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
11/30/2011 12:14:53.78 WebAnalyticsService.exe (0x06D4) 0x2D24 SharePoint Foundation Topology
2myf Medium Enabling the configuration filesystem and memory caches.
11/30/2011 12:14:53.79 WebAnalyticsService.exe (0x06D4) 0x12AC SharePoint Foundation Database
8u1d High Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
11/30/2011 12:14:53.79 WebAnalyticsService.exe (0x06D4) 0x12AC SharePoint Foundation Topology
2myf Medium Enabling the configuration filesystem and memory caches.
11/30/2011 12:14:55.54 mssearch.exe (0x0864) 0x2B24 SharePoint Server Search Propagation Manager
fo2s Medium [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes) [indexpropagator.cxx:1607] d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx
11/30/2011 12:14:55.99 OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Topology
75dz High The SPPersistedObject with
Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted
domain failed. at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed) at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection
sourceSids, Type targetType, Boolean forceSuccess) at System.Security.Principal.SecurityIdentifier.Translate(Type targetType) at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()
at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip...
11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Topology
75dz High ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask) at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)
at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization() at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization() at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider
persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)
11/30/2011 12:14:56.00 OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Topology
8xqx High Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.
11/30/2011 12:14:56.00 OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Timer
2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed. at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection
sourceSids, Boolean& someFailed) at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) at System.Security.Principal.SecurityIdentifier.Translate(Type
targetType) at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName() at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask,
T denyRightsMask) at Microsoft.SharePoint.Administrati...
11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Timer
2n2p Monitorable ...on.SPAcl`1..ctor(String persistedAcl) at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization() at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()
at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid
id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64
currentVe...
Please guide me on the above issue, this will be of great help.
Thanks.
I have the same error. Verified trust, ports, cleaned up cache... nothing has helped.
The problem is caused by the User Profile Sync Service:
UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
The trust relationship between the primary domain and the trusted domain failed. at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
Boolean& someFailed) at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) at System.Security.Principal.SecurityIdentifier.Translate(Type
targetType) at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName() at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
identifier, T grantRightsMask, T denyRigh...
08/23/2014 13:00:20.96* w3wp.exe (0x2204)
0x293C SharePoint Portal Server User Profiles
eh0u Unexpected ...tsMask) at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)
at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl() at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties() at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
Please let me know if you found any solution for this.
Regards,
Kunal -
When I try to log on to my DC it says "The security database on the server does not have a computer account for this workstation trust relationship". It won't let me log on. I installed another server, Server 2012 R2 (it's virtual), and I can get to ADSI Edit.
I think what happened was I had a pc that could not connect without unplugging the network cable. So I found this fix
FIX: “The security database on the server does not have a computer account for this workstation trust relationship”2032011
I’ve seen a lot of solutions, or suggestions rather, with regard to the error in the title of this post. In my experience, the problem can almost always be resolved without extra domain add/removes and reboots, which is the most prevalent solution I have
seen around. Usually, this issue is due to a mismatch between attributes of the computer account in Active Directory and those values on the system itself. Here are the steps I take to fix this issue when it crops up:
Open up Active Directory Users & Computers pointed to the domain the computer account resides in
From the “View” pull-down menu, make sure that “Advanced Features” is checked
Navigate to the part of your organizational unit (OU) structure where the computer account for this server resides
Open the Properties for the computer object
Choose the “Attribute Editor” tab on the Properties dialog box
Check the Attributes dNSHostName & servicePrincipalName – anywhere that a fully qualified hostname is specified (e.g. myserver.mydomainname.com), make sure that the entry matches the hostname
you have configured when you go here on your server: Start -> Computer -> Right-Click, Properties -> Change Settings (under “Computer name, domain… settings”) -> Full Computer Name
As an example, for a fictitious W2K8 R2 server whose Full Computer Name is “srv1.mydomainname.com”, these attribute/value pairs should be in Active Directory:
dNSHostName:
srv1.mydomainname.com
servicePrincipalName:
HOST/SRV1
HOST/srv1.mydomainname.com
RestrictedKrbHost/SRV1
RestrictedKrbHost/srv1.mydomainname.com
TERMSRV/SRV1
TERMSRV/srv1.mydomainname.com"
Not reading it carefully, I added a computer with the same name as the PC having the issue and followed the above. The problem is that I did not notice that the SPN did not want the name of my server (serv1) but the name of the trouble PC.
dcdiag output
PS C:\Users\administrator.TOM> dcdiag.exe
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
***Error: DC3 is not a Directory Server. Must specify /s:<Directory Server> or /n:<Naming Context> or nothing to
use the local machine.
ERROR: Could not find home server.
PS C:\Users\administrator.TOM> dcdiag.exe /s:DC2
Directory Server Diagnosis
Performing initial setup:
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\DC2
Starting test: Connectivity
The host 9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM could not be resolved to an IP address. Check the DN
server, DHCP, server name, etc.
Neither the the server name (DC2.TOM) nor the Guid DNS name (9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM)
could be resolved by DNS. Check that the server is up and is registered correctly with the DNS server.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... DC2 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site\DC2
Skipping all tests, because server DC2 is not responding to directory service requests.
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : TOM
Starting test: CheckSDRefDom
......................... TOM passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... TOM passed test CrossRefValidation
Running enterprise tests on : TOM
Starting test: LocatorCheck
......................... TOM passed test LocatorCheck
Starting test: Intersite
......................... TOM passed test Intersite
PS C:\Users\administrator.TOM> regsvr32 schmmgmt.dll
PS C:\Users\administrator.TOM> netdig /fix
netdig : The term 'netdig' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ netdig /fix
+ ~~~~~~
+ CategoryInfo : ObjectNotFound: (netdig:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> Setup /PrepareSchema
Setup : The term 'Setup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Setup /PrepareSchema
+ ~~~~~
+ CategoryInfo : ObjectNotFound: (Setup:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> netdiag /test
netdiag : The term 'netdiag' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ netdiag /test
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (netdiag:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> nslooup
nslooup : The term 'nslooup' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ nslooup
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (nslooup:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM>
Ok fixed.
At an elevated cmd prompt run:
C:\Users\administrator.TOM>setspn -x
As you can see the DC serv1 had duplicate SPNs.
Checking domain DC=TOM
Processing entry 1
HOST/serv1.TOM is registered on these accounts:
CN=SERV1,OU=Domain Controllers,DC=TOM
CN=C00049,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/TOWN-HBWJ29ZOQC is registered on these ac
counts:
CN=Administrator,CN=Users,DC=TOM
CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/town-hbwj29zoqc.TOM is registered on thes
e accounts:
CN=Administrator,CN=Users,DC=TOM
CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
RestrictedKrbHost/serv1 is registered on these accounts:
CN=C00049,CN=Computers,DC=TOM
CN=SERV1,OU=Domain Controllers,DC=TOM
RestrictedKrbHost/serv1.TOM is registered on these accounts:
CN=C00049,CN=Computers,DC=TOM
CN=SERV1,OU=Domain Controllers,DC=TOM
found 5 groups of duplicate SPNs.
Went to the Computers OU and changed computer c00049 to the correct SPN. Now I have new issues, I'll start a new thread. -
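An added example, not part of the original thread: a PowerShell check for the two conditions this thread ran into, the same SPN registered on more than one account, and a computer account carrying HOST/RestrictedKrbHost/TERMSRV SPNs that name a different machine. The account data is constructed from the names in the `setspn -x` output above; the function names and the choice of service classes are assumptions made for the example.

```powershell
# Added example. Works on any objects exposing DistinguishedName, Name,
# ObjectClass and ServicePrincipalName, so it runs offline on the constructed
# sample below. On a domain-joined host with the ActiveDirectory module the
# same functions accept live data:
#   $accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName

function Get-SpnRecord {
    # Flatten accounts into one record per SPN, splitting "class/host[:port][/name]".
    param([Parameter(Mandatory)] [object[]] $Account)
    foreach ($a in $Account) {
        foreach ($spn in @($a.ServicePrincipalName)) {
            if (-not $spn) { continue }
            $class, $rest = $spn -split '/', 2
            $hostPart = ($rest -split '[:/]', 2)[0]
            [pscustomobject]@{
                Spn          = $spn
                ServiceClass = $class
                ShortHost    = ($hostPart -split '\.')[0]
                Account      = $a.DistinguishedName
                AccountName  = $a.Name
                ObjectClass  = $a.ObjectClass
            }
        }
    }
}

function Find-DuplicateSpn {
    # An SPN must map to exactly one account; Group-Object compares
    # strings case-insensitively, which matches how SPNs are compared.
    param([Parameter(Mandatory)] [object[]] $Account)
    Get-SpnRecord -Account $Account |
        Group-Object -Property Spn |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Spn = $_.Name; Accounts = @($_.Group.Account) }
        }
}

function Find-MismatchedHostSpn {
    # Host-bound SPNs on a computer account should name that computer.
    # A mismatch points at the account that was edited by mistake.
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [string[]] $ServiceClass = @('HOST', 'RestrictedKrbHost', 'TERMSRV')
    )
    Get-SpnRecord -Account $Account |
        Where-Object {
            $_.ObjectClass -eq 'computer' -and
            $_.ServiceClass -in $ServiceClass -and
            $_.ShortHost -ne $_.AccountName
        }
}

# Constructed sample: the DC and the workstation account from the thread,
# in the state before the fix.
$sample = @(
    [pscustomobject]@{
        DistinguishedName    = 'CN=SERV1,OU=Domain Controllers,DC=TOM'
        Name                 = 'SERV1'
        ObjectClass          = 'computer'
        ServicePrincipalName = @('HOST/serv1', 'HOST/serv1.TOM',
                                 'RestrictedKrbHost/serv1', 'RestrictedKrbHost/serv1.TOM')
    },
    [pscustomobject]@{
        DistinguishedName    = 'CN=C00049,CN=Computers,DC=TOM'
        Name                 = 'C00049'
        ObjectClass          = 'computer'
        ServicePrincipalName = @('HOST/serv1.TOM',
                                 'RestrictedKrbHost/serv1', 'RestrictedKrbHost/serv1.TOM')
    }
)

'Duplicate SPNs:'
Find-DuplicateSpn -Account $sample |
    ForEach-Object { '  {0} -> {1}' -f $_.Spn, ($_.Accounts -join ' | ') }

'SPNs whose host part does not match the owning computer account:'
Find-MismatchedHostSpn -Account $sample |
    ForEach-Object { '  {0} on {1}' -f $_.Spn, $_.Account }
```

The second check identifies which of the two accounts holds the wrong values, which `setspn -x` alone does not say.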
Trust relationship after upgrading to Windows 8.1
Hi
I have recently upgraded 20 laptops to Windows 8.1. Lately some of the laptops keep saying trust relationship cannot contact to domain. I have taken them off the domain and then put them back on; the laptops then work again, but each day with some laptops the same thing happens again and I have to repeat the whole procedure. Recently the same laptop every day for the past 5 days; it is really annoying and time consuming.
Hi Carl Shorty,
What error message do you receive?
Do you mean that the computer in error keeps losing the trust relationship every day?
This issue that machine trust cannot be established occurs because the computer's machine account has the incorrect role or its password has become mismatched with that of the domain database.
If we can log in as local admin, we can join the domain from the client if at the same time you can provide an administrator username and password on the domain. We can delete the existing computer account in Server Manager, recreate the computer account, synchronize the domain, and then on the client rejoin the domain.
For details, you can refer to: Trust Relationship Between Workstation and Domain Fails
http://support.microsoft.com/kb/162797
If this doesn’t work, we could use the command netdom reset 'machinename' /domain:'domainname' to reset the member security channel.
Best regards,
Fangzhou CHEN
TechNet Community Support -
Hello,
We are facing an issue when triggering a new build using TFS 2013 Update 4, VS2013 Update 4 using TFVCTemplate.12.XAML template. All our other older build definitions just work fine but not the TFVCTemplate.12.XAML. It seems to me that some certificate
might be invalidated. Can anyone please point me in the right direction?
Thanks,
Mitul
TF215097: An error occurred while initializing a build for build definition :
Exception Message: One or more errors occurred. (type AggregateException)
Exception Stack Trace: at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFile(TfsTeamProjectCollection projectCollection, String itemPath, Stream outputStream)
at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFileAsString(TfsTeamProjectCollection projectCollection, String itemPath)
at Microsoft.TeamFoundation.Build.Client.ProcessTemplate.Download(String sourceGetVersion)
at Microsoft.TeamFoundation.Build.Hosting.BuildControllerWorkflowManager.PrepareRequestForBuild(WorkflowManagerActivity activity, IBuildDetail build, WorkflowRequest request, IDictionary`2 dataContext)
at Microsoft.TeamFoundation.Build.Hosting.BuildWorkflowManager.TryStartWorkflow(WorkflowRequest request, WorkflowManagerActivity activity, BuildWorkflowInstance& workflowInstance, Exception& error, Boolean& syncLockTaken)
Inner Exception Details:
Exception Message: An error occurred while sending the request. (type HttpRequestException)
Exception Stack Trace: at Microsoft.VisualStudio.Services.WebApi.VssHttpRetryMessageHandler.<SendAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.VisualStudio.Services.WebApi.HttpClientExtensions.<DownloadFileFromTfsAsync>d__2.MoveNext()
Inner Exception Details:
Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)
Exception Stack Trace: at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
Inner Exception Details:
Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)
Exception Stack Trace: at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
Hi Mitul,
Thanks for your reply.
It’s strange. If your old build definitions work using the same TFS Build Server, that indicates your TFS Server configuration is correct and works. But only the new build definition with the default TfvcTemplate.12.xaml template cannot build successfully.
Please share your TFS Server detailed environment information here, and share a screenshot of your Build Service Properties dialog.
Try to clean the cache for TFS 2013 manually (delete the content of the folder only, not the cache folder itself):
Clean the Cache folder on the server machine. The folder path is:
C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.
After cleaning, on the server machine, click Start and select Run… to open the dialog box, then input iisreset.exe and click OK, and wait for it to run completely.
Additionally, you can run the TFS 2013 Power Tools BPA to scan the installation of your TFS Server.
-
I know there are loads of posts with same issue and most of them were related to proxy and connectivity .
This was case for me as well (few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.
server is configured on http port 80
ERROR
Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid
according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS
I've checked proxy server connectivity. I'm able browse following site from WSUS server
http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8
I did telnet proxy server on the particular port (8080) and that is also fine.
I have doubts about the certificates; any idea which certificates we need to look at? And if a certificate has expired then (my guess) we won't be able to open the above-mentioned Windows Update catalog site?
Any tips appreciated !
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM
Hi Lawrence! Many thanks for looking into this thread and replying. Appreciate your help.
Your reply ("SSL is enabled/configured, and the certificate being used is invalid
(or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.
I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with proxy server configured on port (8080) and WSUS server on port 80.
My guess (this is my best guess ;)) is that this is something to do with firewall or proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to the proxy/firewall team. From their perspective all the required port communication is open and the proxy server is also reachable. Moreover, we're able to access the internet (Microsoft Update Catalog site) over the same port (8080).
Any other hints on how I can prove to them that it's a sure-shot problem from their side?
Thanks again !!
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM -
Office Web Apps 2013 + could not establish trust relationship
We currently have a three tier SharePoint 2013 Farm:
1. Web Front End Server (Server 2008 R2 Enterprise) - Servername: TEST2SP013.domain.dom
2. Central Admin Server (Server 2008 R2 Enterprise) - Servername: TEST2SPCA013.domain.dom
3. SQL Server (Server 2012 Datacenter) - Servername: TESTSQL012.domain.dom
All Machines are in the same IP/Subnet.
We are trying to setup a new server (Server 2012 R2 Datacenter) (Servername: TEST022.domain.dom) to run Office Web Apps 2013 in our TEST environment to test the system before rolling in production and have had issues throughout the entire process.
The technet articles we have used are:
http://technet.microsoft.com/en-us/library/jj219435.aspx
http://technet.microsoft.com/en-us/library/ff431687.aspx
http://technet.microsoft.com/en-us/library/jj219627.aspx
We finally have what I thought was a correct setup but anytime we try to edit or view a word, excel, powerpoint document within SharePoint 2013, we receive "Sorry, there was a problem and we can't open this document. If this happens again, try opening
the document in Microsoft Word."
We found a few How-To Setup Office Web Apps sites where other people provided step-by step instructions:
blogs.msdn.com/b/sowmyancs/archive/2012/10/29/install-configure-amp-monitor-office-web-apps-2013-for-sp-2013.aspx
http://www.wictorwilen.se/office-web-apps-2013-securing-your-wac-farm
http://blogs.technet.com/b/justin_gao/archive/2013/06/30/configuring-office-web-apps-server-communication-using-https.aspx
We reviewed the ULS logs and found the following error:
02/14/2014 13:38:40.24 w3wp.exe (0x1C04) 0x1BB4 Office Web Apps
WAC Hosting Interaction adhsk Unexpected WOPI CheckFile: Catch-All Failure [exception:Microsoft.Office.Web.Common.EnvironmentAdapters.UnexpectedErrorException: HttpRequest failed ---> Microsoft.Office.Web.Apps.Common.HttpRequestAsyncException:
No Response in WebException ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate
is invalid according to the validation procedure. at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) --- End of
inner exception stack trace --- at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at Microsoft.Office.Web.Apps.Common.Ht... 7bed0d51-511d-4541-a059-e2f72942e617
None of the articles provide specific step-by-step instructions for using HTTPS in a test environment, specifically when it comes to Self-Signed Certs through Active Directory Certificate Services.
We tried creating a Self-Signed Cert through IIS on the Office Web Apps Box which did not work.
We tried creating a Cert through Active Directory Certificate Services which did not work.
We tried adding the Cert through Central Admin > Security > Manage Trust which did not help.
We verified "get-spwopizone" is set to internal-https
We can access the Web Apps https://test022/hosting/discovery site and view the XML with no issue on any machine on our network.
We added our domain to the list of approved domains that can use Office Web Apps as well as add "Domain Users" as the security group that can "EDIT" Office Documents through Office Web Apps.
After each step, we tried performing either a system reboot or IIS Reset on the Office Web Apps and WFE box.
My Question is how do we generate a certificate (either self-signed through IIS on the Office Web Apps Box or through AD) that will allow this application to work? I read that the Fully Qualified Domain Name needs to be in the SAN field of the Cert but when
we request it, I have no way of entering this information. I tried following http://technet.microsoft.com/en-us/library/ff625722 to manually request a certificate with a Custom SAN but that did not work either.
I am assuming the certificate issue is with the New Office Web Apps box. Is this correct?
-Chris
If it is an internal cert then you will have to add the certificate from OWA to the trusted certificates on each SharePoint server, plus add the certificate from Central Admin in SharePoint through Manage Trust. Also you will need to install the p7b file (the file that contains the path to the root certificate to verify each intermediate certificate) for the internal cert on each SharePoint server to not get a certificate error.
sachin -
Windows 7: Trust Relationship Error - Local Administrator Account Locked.
I have 2 Windows 7 Professional machines that recently locked me out citing the "Trust Relationship between this workstation and primary domain failed".
I assumed all I would have to do is log in as local administrator and remove it from the domain and then re-add it. When I tried to log on, it told me that the password was incorrect - which I knew it wasn't. After a few tries I got a different message that said that the account was locked. No idea how this could have happened. Every other local account was locked as well.
I checked the AD on our 2003 server and I didn't see anything out of the norm. The computers were in the correct OU, and were not disabled in any way. I searched online for a solution, but they all required me to be able to log on to the local admin, which is disabled.
I tried to boot to Safe Mode with a Command Prompt and typed in: net user administrator /active:yes .
It told me that the change had been made, but when I reboot it still shows the local account as disabled.
Any suggestions would be greatly appreciated.
Edit: It is Windows 7 Professional x64
I have had this issue twice as well. However, I have always been able to log in with local admin rights. Removing then rejoining to the domain seems to never get things back to normal for me. Once it is reset and joined back to the domain all software just seems to be missing but still there at the same time. Like Antivirus shows it's installed in c:\program files but it's not running. If I go to the domain user's start menu everything is missing, but go into c:\program files and it's all there. So every time I have seen this error a reimage is what I do; it seems to work a lot better than dealing with the headaches. Sorry I was not any help but that is my two cents. -
Trust Relationship Failed after Upgrading Surface Pro to Win 8.1
I upgraded a Surface Pro to Windows 8.1 a few days ago. After the upgrade we are getting an error that says that "the trust relationship between this workstation and the primary domain failed". The Surface was joined to a Windows Server 2012 Essentials
domain network before upgrading to Win 8.1.
I brought the tablet back to my own office which is off the DC network and now it logs in without any problem, obviously using Cached Credentials.
I found this blog post but I couldn't determine how it applies to my specific case. I do have a local Administrator's account that I can access.
What could be causing this problem and what steps should I take to resolve it?
I had someone else have a similar issue with a PC, not a Surface, and the solution was to disjoin it from the domain and rejoin it. I think that the upgrade process doesn't seem to retain all the settings correctly, as my colleague lost some other stuff too during the upgrade. I've not tested it myself so can't really comment - but disjoin and rejoin should resolve the issue you are having. (I'm not sure why the person on the blog advises against this, as although there are other ways as mentioned - I've never had much success, whereas disjoin and rejoin fixes it pretty quick.) Maybe others will share their thoughts on this.
Regards,
Denis Cooper
MCITP EA - MCT
-
Domain Trust Relationships in Windows Small Business Server 2011
I have seen that SBS 2011 (and older SBS versions, apparently) do not 'support' Domain Trust relationships.
Before coming across this information, I have already successfully created a trust relationship between a newly created SBS 2011 domain and an existing 2008 Domain, and everything seems to be working fine - users from one domain are recognized on the other, etc.
So I was wondering - is the 'not supported' more of a 'you're on your own if it breaks', is this a violation of the license, or is it some sort of freak occurrence and I am extremely lucky to have gotten this to work. This is actually my first time setting up a trust relationship and the entire process took about 10 minutes, so it seemed extremely easy for something that I now find out is unsupported.
If it is a license violation, I'll remove the trust relationship immediately. This is not a permanent configuration, just testing our software on the SBS2011 platform and domain trusts were the most expedient way of adding the SBS Domain users to the list of authorized users on our primary domain's SQL Server.
Thanks in advance.
From here, it says that the trust relationship is not supported for SBS: http://technet.microsoft.com/en-us/library/cc672124%28v=ws.10%29.aspx
This means that this has not been tested by Microsoft and if you have issues, you will not get support from Microsoft.
I don't think that this is a violation of the license but it will be better to check with a Microsoft licensing expert in your country.
More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/category/sbsserver
-
Hi
Had to un-install and then re-install MS SQL Server 2012 with SSRS.
After we re-installed we are able to get to the Web Services page but not the Report Server page and get the above error message. We need to use SSL and when we bind the cert in RS Configuration Manager it says it does this successfully on the WebServices tab. We also do a similar exercise on the ReportServer page.
Any help warmly welcomed :D
Thanks
Hi Rich Whight,
According to your description, after you re-installed SQL Server 2012 with SSRS, you are able to access the Web Service URL, but when you tried to access the Report Manager URL, the error occurred: The underlying connection was closed. Could not establish trust relationship for the SSL/TLS Secure channel.
The issue may be caused when the certificate isn't installed correctly in the trusted root for the local computer. To verify and install the certificate, please refer to the steps below:
1. In the RsReportServer.config file (default location: C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer), change the “SecureConnectionLevel” element value from 0 to 3.
2. Add the correct value to the <UrlRoot> element.
3. Add the same value to the <ReportServerUrl> element as in step 2.
4. Go to Microsoft Management Console, add the certificate which you use to access the report server under “Trusted Root Certification Authorities”.
For more information about SSL configuration and Managing Trusted Root Certificates, please refer to the following documents:
http://blogs.msdn.com/b/mariae/archive/2007/12/12/ssl-configuration-and-reporting-services.aspx
http://technet.microsoft.com/en-us/library/cc754841.aspx
If you have any more questions, please feel free to ask.
Best Regards,
Wendy Fu -
Error 12703 VMM cannot establish a trust relationship SSL/TLS V2V
Issue with V2V in VMM. I thought I'd share this one. On a customer site doing a number of V2Vs and P2Vs via VMM. On the V2V it would create the object then fail with the message below where %ServerName is one of the Hyper-V hosts:
12703 VMM cannot establish a trust relationship for the SSL/TLS secure channel for %ServerName; server.
Install the certificate to the trusted people root store of the VMM server and then try the operation again.
After much digging and testing I found it was an issue with VMM talking to the ESX host. Nothing to do with certs or the Hyper-V hosts. I've worked round this issue by migrating the VM onto another ESX host. The ESX environment is going to be decommissioned anyway.
Hope this helps someone out there.
Please let us know if you are using
SharePoint communicates to an external service via HTTPS
Please try performing the following steps:
Fix is to setup a trust between SharePoint and the server requiring certificate validation.
In SharePoint Central Administration site, go to “Security” and then “Manage Trust”. Upload the certificates to SharePoint. The key is to get both the root and subordinate certificates on to SharePoint.
The steps to get the certificates from the remote server hosting the WCF service are as follows:
1. Browse from IE to the WCF service (e.g., https://remotehost/service.svc?wsdl)
2. Right click on the browser body and choose “Properties” and then “Certificates” and then “Certificate Path”.
This tells you the certificate chain that’s required by the other server in order to communicate with it properly. You can double-click on each level in the certificate chain to go to that particular certificate, then click on “Details” tab, “Copy to File” to save the certificate with the default settings.
As an example, get both VeriSign & VeriSign Class 3 Extended Validation SSL CA.
reference : http://blogs.technet.com/b/sharepointdevelopersupport/archive/2013/06/13/could-not-establish-trust-relationship-for-ssl-tls-secure-channel.aspx
Thanks, ShankarSingh(MCP) -
Hi, experts
I'm trying to configure a lab environment according to the tutorial http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/rights-management-server-exchange-2010-part3.html
After completing configuration, I execute cmdlet Set-IRMConfiguration -InternalLicensingEnabled $true, but get error
The remote certificate is invalid according to the validation procedure. ---> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> Failed to get Server Info from https://exhv-6594/_wmcs/certification/server.asmx.
+ CategoryInfo : InvalidOperation: (:) [Set-IRMConfiguration], Exception
+ FullyQualifiedErrorId : C810E449,Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration
Then I run cmdlet Test-IRMConfiguration -Sender [email protected] and get error
Results : Checking Exchange Server ...
- PASS: Exchange Server is running in Enterprise.
Loading IRM configuration ...
- PASS: IRM configuration loaded successfully.
Retrieving RMS Certification Uri ...
- PASS: RMS Certification Uri: https://server1/_wmcs/certification.
Verifying RMS version for https://server1/_wmcs/certification ...
- WARNING: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the hotfixes specified in Knowledge Base article 973247 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=973247) or AD RMS on Windows Server 2008 R2.
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https://server1/_wmcs/certification/server.asmx. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] requests)
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
--- End of inner exception stack trace ---
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri, ServiceType serviceType)
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
OVERALL RESULT: PASS with warnings on disabled features
From the error message, this issue seems to be related to the SSL/TLS connection. So I went back to check the configuration and found a difference from the tutorial. Current SCP url is https://server1/_wmcs/certification, but in tutorial it is https://server1:433/_wmcs/certification.
In my opinion, I don't think it is the real reason.
So, how can I resolve this error? Could you give me some suggestion? Thanks in advance.
System Info:
Windows Server 2008 R2 + Exchange Server 2010 SP3 RTM
Hi
Please have a try with the solution on this KB article
“Error message when you try to test access from the Microsoft Dynamics CRM E-mail Router: "Incoming Status: Failure - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"”
http://support.microsoft.com/kb/954584/en-us
Cheers
Zi Feng
TechNet Community Support -
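A read-only way to see why .NET reports "Could not establish trust relationship for the SSL/TLS secure channel", as in the SSRS, SharePoint and Exchange posts above: connect to the endpoint and list the validation errors (name mismatch versus untrusted chain) before changing any certificate store. This is an added example, not code from any of the posts; the function name is hypothetical and `server1` is the host name quoted in the Exchange post.

```powershell
# Added example (not from the thread). Needs Windows PowerShell 3.0 or later.
function Get-TlsTrustReport {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $state = @{ Errors = $null; Cert = $null; Chain = @() }

    # The callback records what certificate validation found. It returns $true
    # only so the handshake completes and the certificate can be inspected; no
    # application data is sent and the connection is closed straight away.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($s, $cert, $chain, $errors)
        $state.Errors = $errors
        $state.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $state.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        # The name passed here is the one checked against the certificate's
        # subject and subject alternative names.
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    }
    finally {
        $tcp.Close()
    }

    [pscustomobject]@{
        Host         = $HostName
        Subject      = $state.Cert.Subject
        Issuer       = $state.Cert.Issuer
        NotAfter     = $state.Cert.NotAfter
        # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
        PolicyErrors = $state.Errors
        # e.g. UntrustedRoot when the issuing CA is missing from Trusted Root
        ChainStatus  = $state.Chain -join ', '
    }
}

# Usage (run on the machine that reports the error, e.g. the Exchange server):
#   Get-TlsTrustReport -HostName 'server1'
```

Run it with the exact host name the failing client uses, since a certificate issued for a different name produces the same error as a missing root.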
I tried to redeem a digital download copy of a movie and was presented the following error:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Any guesses on what it is and how to resolve it?
Thanks
Hi Abhilash Francis,
Could you tell us your scenario? What's your project? Is it a WCF service?
Looks like this is not a code issue.
Just from the error information, it seems that you do not configure the service certificate very well so as to Server was unable to process request.
I am not completely sure what the real scenario is, but it might be a problem of that It is a WCF services application, please check these following articles to configure the service certificate.
If not, please feel free to let me know.
How to: Configure an IIS-hosted WCF service with SSL
Could not establish trust relationship for the SSL/TLS secure channel
Hope this helps.
Best regards,
Kristin
-
Hi,
In our Windows Server 2008 R2 Standard, we are facing this error "Security database on the server doesn't have a computer account for this workstation trust relationship" on a regular basis. We have done the below mentioned steps to solve the issue:
1. Disjoined the system from the domain & joined it again.
2. Tested the computer secure channel connection.
3. Checked the DNS settings of the server.
4. Checked whether the computer account in AD is disabled or not.
Everything was OK, but after doing the changes, again after 2 - 3 days we are facing the same error message.
Please help to sort the issue on an urgent basis.
When the error happens, can you check the computer account in your AD console (with advanced features turned on), to check the date it was updated and if the SID is the same? (objectSID and pwdLastSet)
I guess someone tries to domain join a computer with the same name, and flushes your computer account at the same time.
Regards, Philippe
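The objectSID / pwdLastSet check suggested in the reply above can be scripted so the values are recorded while the server works and compared when the error returns. This is an added example, not code from the thread; it assumes the ActiveDirectory module is installed, and `SRV01`, the baseline file name and both function names are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# (RSAT). 'SRV01' and the baseline file name are placeholders.
Import-Module ActiveDirectory

function Get-ComputerAccountSnapshot {
    param([Parameter(Mandatory = $true)][string]$Name)
    $c = Get-ADComputer -Identity $Name -Properties pwdLastSet, whenCreated, whenChanged
    [pscustomobject]@{
        Name        = $c.Name
        ObjectSid   = $c.SID.Value                      # objectSid attribute
        PwdLastSet  = [DateTime]::FromFileTimeUtc($c.pwdLastSet)
        WhenCreated = $c.whenCreated
        WhenChanged = $c.whenChanged
        Enabled     = $c.Enabled
    }
}

function Compare-ComputerAccountSnapshot {
    param($Baseline, $Current)
    if ($Current.ObjectSid -ne $Baseline.ObjectSid) {
        'objectSid changed: the account was deleted and re-created under the same name.'
    }
    if ($Current.WhenCreated -ne $Baseline.WhenCreated) {
        "whenCreated changed to $($Current.WhenCreated): a new account object replaced the old one."
    }
    if ($Current.PwdLastSet -gt $Baseline.PwdLastSet) {
        # A join that reuses the existing account keeps the SID but resets the
        # password, so compare this time with when the error first appeared.
        # Members also rotate this password themselves (every 30 days by default).
        "pwdLastSet moved from $($Baseline.PwdLastSet) to $($Current.PwdLastSet)."
    }
    if (-not $Current.Enabled) { 'The computer account is disabled.' }
}

# While the server works, record a baseline:
#   Get-ComputerAccountSnapshot -Name 'SRV01' | Export-Clixml .\SRV01-baseline.xml
# When the error returns, compare against it:
#   Compare-ComputerAccountSnapshot (Import-Clixml .\SRV01-baseline.xml) (Get-ComputerAccountSnapshot -Name 'SRV01')
# On the affected server itself, the secure channel can be checked with:
#   Test-ComputerSecureChannel -Verbose
```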