RFC Trust Relationship - Authentication

Similar Messages

• RFC Trust relationship no longer working after system migration

  My enviroment 3 ERP 6.0 systems (DEV, QAS & PRD) and Solution Manager 4.0. All are on Oracle 10.2.0.2/AIX 6.1
  Previously the systems were on  Solaris 10 before migrating to AIX enviroment via a heterogeneous system copy. After the exercise  I realised the following
  1. Trust relationship between Solution Manager & the satelite systems is broken. The CUA (Solution Manager is the central system( used to rely on these RFC's
  2. Early watch reports are no longer generated
  Kindly advice how I can delete the trusted RFC's and regenerate from Solution manager transaction SMSY
  Thanks & regards

  Hi,
  please check:
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/22/042671488911d189490000e829fbbd/content.htm
  Please check:
  RFC destinations for Earlywatch and MOPZ
  Thanks
  regards
  Vikram

• NW RFC SDK: Non-SAP to ABAP with username (trust relationship)

  Hello,
  I have a quite challenging non-SAP-to-ABAP RFC scenario with a trust relationship.
  Hereu2019s the scenario:
  An Oracle database server acts as an RFC client and calls RFC function modules in an ABAP server. (I assume the Oracle programmers are going to use NW RFC SDK 7.1 or JCo 3.0 on the Oracle server and call that from their PL/SQL based database application.)
  The challenge is that I donu2019t want to use a single u201Ctechnical useru201D on the ABAP side because that would mean that all the users on the Oracle side would be mapped to one single ABAP user. Also, I donu2019t want to have to store individual ABAP passwords on the Oracle side.
  Instead, I want the ABAP server to trust the RFC client the same way it might
  a) trust a NetWeaver AS Java server after installing the Java serveru2019s certificate in transaction STRUSTSSO2 or
  b) the way it might trust another ABAP server after configuring a trust relationship (transaction SMT1?)
  The ABAP server should accept incoming RFC connections from the Oracle RFC client with just the user name and no password given and run the resulting processes in the ABAP system under the user id given in the RFC call.
  I imagine the ideal solution somehow along the following lines (simplified scenario for a PC-based prototype):
  - I download run a program that creates a certificate file (public key?) which I import into the ABAP system.
  - The same program creates a matching file (private key?) for the RFC client.
  - For reasons of simplicity, let us imagine the RFC client as a stand-alone Java SE application running on a PC.
  - The Java SE application uses the JCo library to connect to the ABAP system.
  - When opening the connection, it passes a username, but no password. Instead, it passes a Base64-encoded string that was generated by our key/certificate generator program.
  - On the ABAP side, the function modules are run under the username used by the Java SE application when establishing the RFC connection.
  Is that possible at all? How would you solve this?
  Thank you very much in advance and best regards,
  Thorsten

  Hello,
  Thanks a lot for your extremely high-quality replies. Iu2019ve been trying to work with them.
  Frankly, just when (after Gregoru2019s and Timu2019s posts) I was hoping that working my way deeply enough into SNC, I would be able to solve my problem, Wolfgang comes along and tells me what Iu2019m aiming at wonu2019t work. Now Iu2019m confused.
  The way I understand Wolfgang, the special trust an AS ABAP can put into another AS ABAP or an AS Java (u201Cremote RFC client, give me one certificate and I will accept every username if they come from youu201D) can not be put into a custom-made remote server software (such as the Oracle server application) acting as the RFC client, because when acting as RFC clients, the remote AS Java or AS ABAP use proprietary elements of the RFC protocol which are not available to me when I program my RFC client in the Oracle application.
  @Wolfgang, is that correct?
  Solution 1: Individual X.509 Certificates
  Instead, I can establish X.509-based trust relationships at the level of individual usernames: create a certificate for each Oracle user, import them into the AS ABAP, map them to an ABAP user, and store the certificate on the Oracle side (Iu2019m still note sure about the different certificates and keys used publicly and privately here).
  Solution 2: AS ABAP as User Management Engine for the Oracle Application
  I can also see an alternative that would spare me the trouble of generating, importing, mapping and storing the certificates: delegate the user management to the AS ABAP and delete the (custom-built) logon and password-checking mechanism in the PL/SQL application:
  Users are created centrally in CUA and distributed along with their passwords into (among others) the AS ABAP.
  When a user logs on to the PL/SQL application, the username and password are sent for validation to an ABAP BAPI.
  If authentication is successful, the AS ABAP returns a SAPLogon ticket which can be stored in the session context of the PL/SQL application and used in subsequent RFC calls. The password (a hash?) would only be transferred once during logon.
  What do you think? Would both solutions work or am I still getting something wrong? Can you see a better alternative that would reduce
  for solution 1 the administrative overhead for synchronization
  for solution 2 the run-time dependency Oracle-ABAP and the change impact on the Oracle applicationu2019s user management concept?
  Thanks a lot,
  Thorsten

• WSUS Sync is not working Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --- System.Security.Authentication.AuthenticationException: The remote

  I know there are loads of posts with same issue and most of them were related to proxy and connectivity .
  This was case for me as well (few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.
  server is configured on http port 80 
  ERROR
  Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid
  according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS
  I've checked proxy server connectivity. I'm able browse following site from WSUS server
  http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8
  I did telnet proxy server on the particular port (8080) and that is also fine.
  I've doubt on certificates, any idea which are the certificates which we need to look? And if certificate is expired then (my guess) we won't be able open the above mentioned windows update catalog site?
  Any tips appreciated !
  Anoop C Nair (My Blog www.AnoopCNair.com)
  - Twitter @anoopmannur -
  FaceBook Forum For SCCM

  Hi Lawrence ! - Many thanks for looking into this thread and replying. Appreciate your help.
  Your reply  ("SSL is enabled/configured, and the certificate being used is invalid
  (or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.
  I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with proxy server configured on port (8080) and WSUS server on port 80.
  My Guess (this is my best guess ;)) is this something to do with Firewall or Proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to proxy/firewall team. From their perspective all the required port communication open and
  proxy server is also reachable. More over we're able to access internet (Microsoft Update Catalog site) over same port (8080).
  Any other hints where I can prove them it's a sure shot problem from their side.
  Thanks again !!
  Anoop C Nair (My Blog www.AnoopCNair.com)
  - Twitter @anoopmannur -
  FaceBook Forum For SCCM

• How to set up trust relationship between oc4j an tomcat

  Howdy
  According to the EJB 2.0 spec., section 19.8.1.1, second paragraph: "EJB containers are required to provide deployers or administrators with the tools to configure trust relationships with intermediate web or EJB containers."
  What tools/methods are available for OC4J?
  To give my question some context:
  I'm trying to set up things so that I have Tomcat (4.1.x) as a servlet container and OC4J (9.0.3) as an EJB container. I wan't Tomcat to authenticate users (using it's JDNI (LDAP) realm, and then have it forward a javax.security.Principal representing the user, when invoking EJB's on OC4J from servlets. One task in that is to make the OC4J instance trust the Tomcat instance, so that OC4J accepts a principal sent from Tomcat as already authenticated.
  I've been unable to find any docs on this subject.
  Any help appreciated.
  best regards Christian Surlykke

  Christian -- Setting up the trust relationship is described in interoperability section of the OC4J v903 Services Guide. I would probably start there.
  Thanks -- Jeff

• Office Web Apps 2013 + could not establish trust relationship

  We currently have a three tier SharePoint 2013 Farm:
  1. Web Front End Server (Server 2008 R2 Enterprise) - Servername: TEST2SP013.domain.dom
  2. Central Admin Server (Server 2008 R2 Enterprise) - Servername: TEST2SPCA013.domain.dom
  3. SQL Server (Server 2012 Datacenter) - Servername: TESTSQL012.domain.dom
  All Machines are in the same IP/Subnet.
  We are trying to setup a new server (Server 2012 R2 Datacenter) (Servername: TEST022.domain.dom) to run Office Web Apps 2013 in our TEST environment to test the system before rolling in production and have had issues throughout the entire process.
  The technet articles we have used are:
  http://technet.microsoft.com/en-us/library/jj219435.aspx
  http://technet.microsoft.com/en-us/library/ff431687.aspx
  http://technet.microsoft.com/en-us/library/jj219627.aspx
  We finally have what I thought was a correct setup but anytime we try to edit or view a word, excel, powerpoint document within SharePoint 2013, we receive "Sorry, there was a problem and we can't open this document. If this happens again, try opening
  the document in Microsoft Word."
  We found a few How-To Setup Office Web Apps sites where other people provided step-by step instructions:
  blogs.msdn.com/b/sowmyancs/archive/2012/10/29/install-configure-amp-monitor-office-web-apps-2013-for-sp-2013.aspx
  http://www.wictorwilen.se/office-web-apps-2013-securing-your-wac-farm
  http://blogs.technet.com/b/justin_gao/archive/2013/06/30/configuring-office-web-apps-server-communication-using-https.aspx
  We reviewed the ULS logs and found the following error:
  02/14/2014 13:38:40.24  w3wp.exe (0x1C04)                        0x1BB4 Office Web Apps              
   WAC Hosting Interaction        adhsk Unexpected WOPI CheckFile: Catch-All Failure [exception:Microsoft.Office.Web.Common.EnvironmentAdapters.UnexpectedErrorException: HttpRequest failed ---> Microsoft.Office.Web.Apps.Common.HttpRequestAsyncException:
  No Response in WebException ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate
  is invalid according to the validation procedure.     at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)     at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)     --- End of
  inner exception stack trace ---     at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)     at Microsoft.Office.Web.Apps.Common.Ht... 7bed0d51-511d-4541-a059-e2f72942e617
  None of the article provide specific step-by-step instructions with using HTTPS in a test environment specifically when it comes to Self-Signed Certs through Active Directory Certificate Services.
  We tried creating a Self-Signed Cert through IIS on the Office Web Apps Box which did not work.
  We tried creating a Cert through Active Directory Certificate Services which did not work.
  We tried adding the Cert through Central Admin > Security > Manage Trust which did not help.
  We verified "get-spwopizone" is set to internal-https
  We can access the Web Apps https://test022/hosting/discovery site and view the XML with no issue on any machine on our network.
  We added our domain to the list of approved domains that can use Office Web Apps as well as add "Domain Users" as the security group that can "EDIT" Office Documents through Office Web Apps. 
  After each step, we tried performing either a system reboot or IIS Reset on the Office Web Appcs and WFE box.
  My Question is how do we generate a certificate (either self-signed through IIS on the Office Web Apps Box or through AD) that will allow this application to work? I read that the Fully Qualified Domain Name needs to be in the SAN field of the Cert but when
  we request it, I have no way of entering this information. I tried following http://technet.microsoft.com/en-us/library/ff625722 to manually request a certificate with a Custom SAN but that did not work either.
  I am assuming the certificate issue is with the New Office Web Apps box. Is this correct?
  -Chris

  If internal cert then you will have to add certificate from OWA to tursted certificates in each sharepoint server plus add the certificate from central admin in Sharepoint through manage trust. Also you will need to install p7b file (file that contains
  path to root certificate to verify each intermediate certificate) for internal cert to each sharepoint server to not get certificate error.
  sachin

• Reporting services with R2 on DPM2012 - Could not establish trust relationship for the SSL/TLS secure channel

  Hi everyone,
  A somewhat similar question has been asked before by others but none of the answers given has helped me.I am attempting a DPM 2012 installation, which is failing at the "deploying reports" stage.My analysis of logs seems to point me in the direction of an SSL
  error, which does not make sense since the configuration files say SSL is disabled (or at least, should be).
  Here are the symptoms:
  1.I am able to browse http://FQDN/Reports_MSDPM2012 folder from internet explorer
  2.I am also able to browse http://FQDN/ReportServer_MSDPM2012 from internet explorer
  3.The information given in the logs and relevant config files is shown below:
  <<RSREPORTSERVER.CONFIG>>
  <ConnectionType>Default</ConnectionType>
  <LogonUser></LogonUser>
  <LogonDomain></LogonDomain>
  <LogonCred></LogonCred>
  <InstanceId>MSRS10_50.MSDPM2012</InstanceId>
  <InstallationID>{d9b1c335-5842-4a81-9148-79184c38bf09}</InstallationID>
  <Add Key="SecureConnectionLevel" Value="0"/>
  <Add Key="CleanupCycleMinutes" Value="10"/>
  <Add Key="MaxActiveReqForOneUser" Value="20"/>
  <Add Key="DatabaseQueryTimeout" Value="120"/>
  <Add Key="RunningRequestsScavengerCycle" Value="60"/>
  <Add Key="RunningRequestsDbCycle" Value="60"/>
  <Add Key="RunningRequestsAge" Value="30"/>
  <Add Key="MaxScheduleWait" Value="5"/>
  <Add Key="DisplayErrorLink" Value="true"/>
  <Add Key="WebServiceUseFileShareStorage" Value="false"/>
  <!--  <Add Key="ProcessTimeout" Value="150" /> -->
  <!--  <Add Key="ProcessTimeoutGcExtension" Value="30" /> -->
  <!--  <Add Key="WatsonFlags" Value="0x0430" /> full dump-->
  <!--  <Add Key="WatsonFlags" Value="0x0428" /> minidump -->
  <!--  <Add Key="WatsonFlags" Value="0x0002" /> no dump-->
  <Add Key="WatsonFlags" Value="0x0428"/>
  <Add Key="WatsonDumpOnExceptions" 
  4.The DPM log file still appears to be using SSL even though i used reporting services configuration to remove SSL bindings:
  running.Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.BackEndErrorException: exception ---> Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.ReportDeploymentException:
  exception ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Net.WebException: The underlying connection was closed: Could
  not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
  The remote certificate is invalid according to the validation procedure.
     at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest,
  Exception exception)
  5:I do have an SCCM site on the default web site used by SMS clients but on different ports
  I am stumped.Somebody please give some advice
  Thank you

  Hi
  This is an old post but did you come right?

• Preserving SOA Logical Ports and Trust Relationships during DB Refresh

  Hi,
  I have been searching for this for a while and have not had any luck so far. I thought maybe the vast experience in this community might be able to help me.
  I am trying to preserve the SOA Logical Ports and the SMT1 Trust relationships of the target server during  DB Refresh. Is there a list of tables that we could export (Much like exporting/transporting RFC Destination)?
  Regards
  Shantanu

  Hi
  Check the here under tables if they fits to your needs
  Regards
  SRT_LP                       Logical Ports
  SRT_LP_FEAT            Logical Port Feature
  SRT_LP_OP_FEAT     Logical Port Feature (Operation-Dependent)
  SRT_LP_SXI_ADDR   Logical Ports: XI Addressing
  RSECACTB                 Table for ABAP Access Authorization for Secure Memory
  RSECTAB                    Secure Memory: Memory for Encrypted Data
  RFCTRUST                 List of existing trusting systems
  RFCSYSACL               List of permitted trusted systems for the current system

• Could not establish trust relationship for the SSL/TLS secure channel with authority

  Hello everyone, I need to establish a connection between my HTTPS WCF hosted in Windows Azure Web Role and my Windows Store App Client. The service is actually exposed for testing purposes using a self-signed certificate.
  I have installed the certificate in Personal and Trusted Root Certification Authorities in Current User and Local Manchine.
  In the Windows Store App, I create the service reference pointing to the cloud https service, then edit the manifest and create a new declaration to Add a New Certificate, I checked Exclusive Trust and Auto select, pointing to Root storage name and
  my self-signed certificate.cer.
  The result is the following exception in the IntelliTrace stack:
  Exception:Caught: "The remote certificate is invalid according to the validation procedure." (System.Security.Authentication.AuthenticationException)
  A System.Security.Authentication.AuthenticationException was caught: "The remote certificate is invalid according to the validation procedure."
  Time: 19/01/2015 04:42:33 p. m.
  Thread:Worker Thread[17080]
  Exception:Thrown: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'appchallengewhi.cloudapp.net'." (System.ServiceModel.Security.SecurityNegotiationException)
  A System.ServiceModel.Security.SecurityNegotiationException was thrown: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'appchallengewhi.cloudapp.net'."
  Time: 19/01/2015 04:42:34 p. m.
  Thread:Worker Thread[17080]
  Appreciate any help, to solve this with the approach of WCF Service Reference in Windows Store App.
  Note:
  If I call the HTTPS service using a Console App it works very good using the following the code:
  ChannelFactory<IAgentService> factory = new ChannelFactory<IAgentService>("basicHttpBinding_IAgentService");
  ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) => true;
  IAgentService wcfProxy = factory.CreateChannel();
  Thanks in advance,
  RC

  Maybe not implemented.
  https://social.msdn.microsoft.com/Forums/windowsapps/en-US/2dab2818-8f4c-4474-a7a1-db2cbfb40d40/accepting-client-certificate-for-https-connections?forum=winappswithcsharp

• Could not establish trust relationship for the SSL/TLS secure channel with authority SharePoint ssis connectors

  Hi All,
  I am using SharePoint List Connectors to load the data from Sharepoint list to  Sql server.
  I have created an ssis package and attached to the SQL agent job in works fine
  SharePoint Source dev url : http://company.dev.com (working fine)(http)
  DB server:(server\instance)
  I thought all i good and can test with the uat sharepoint url.
  I have changed the configuration url yo point to uat.(https)
  SharePoint Source dev url : https://companyuat.dev.com (working fine)
  DB server:(server\instance)
  Suddently it fails when  with the following error:
  In both the cases i am running the agent job from the same db server
  DB server:(server\instance)
  Error Message:
  Could not establish trust relationship for the SSL/TLS secure channel with authority 'companyuat.dev.com'. --->  System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
  ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
  Source: Data Flow Task SharePoint List Source [1] Description: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'companyuat.dev.com'. ---> System.Net.WebException:
  The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.  
  Is there is workaround to reslove this?Any inputs highly appreciated as it is time to move to production :(.
  Thanks
  Ravi
  Ravi

  This is the important error: The remote certificate is invalid according to the validation procedure.
  Your SharePoint server certificate is invalid. You have to either correct your certificate or make your SSIS client machine explicitly trust the server certificate.
  SSIS Tasks Components Scripts Services | http://www.cozyroc.com/

• Cisco ISE - multiple AD - trust relationships

  Hello,
  I have a customer who has multple AD forests and an ISE deployment running 1.1.3.
  The customer scenario is as follows - there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. CIsco ISE is connected to the Internal AD forest.
  We know that multiple AD support is coming in 2014 with versioon 1.3 - other options such as LDAP/EAP-TLS are not a viable option for the customer.
  1.       Currently  – the Internal AD forest has an External, Non-transitive – one-way trust with the External Forest
       a.       The objective here is to use a feature called Selective Authentication  in order to filter the outgoing requests from the External Forest to the Internal Forest – this is a selective trust feature that can be used to control access to specific resources in Internal Forest and for authentication between Internal/External Forest via Cisco ISE
       b.      Preliminary testing has shown that a one way trust seems to work for Cisco ISE authentication/authorization
       c.       Further testing is underway to test the Selective Authentication feature (ie restrict access to specific resources etc…)
  Question : has any one used this and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?
  2.       We are exploring a second scenario - the Internal AD forest will have an External, Non-transitive – two-way trust with the External Forest
       a.       Same objectives as in  1 – we would attempt to use the Selective Authentication in the following fashion (this is an example)
            i.      External Forest has outgoing filter to allow access to specific resources in Internal Forest, and for authentication
            ii.      Internal Forest has incoming filter to deny access to all resources in External Forest
  In this case we would filter so it resembles a 1 way trust relationship - anyone try this, anyone know if this would be a supported method by Cisco?
  Thanks in advance for your replies.
  Robert C.

  Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:
  "Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."
  I've setup one such deployment just recently and found it quite simple to just add the second domain and use it an en external identity source accordingly.

• [SCOM Forest] -- Certificate -- [Gateway Servers Forest] -- Trust Relationship -- [Multiple Forests]

  Hello, and sorry for this strange title, i couldn't find a simple way to write my question.
  - I want to use agent monitoring from my SCOM 2012 SP1 management servers
  to servers in multiple forests.
  - I don't want to set two-way trust between my scom forest and the monitored forests.
  - I would prefer not to install 2 gateway servers in each forest.
  So would it be possible to create a intermediate forest for my gateway servers, use certificate authentication between management and gateway servers, and use two way trust between this intermediate forest and forests to monitor.
  [SCOM Forest]<-- Certificate --> [Gateway Servers Forest] <-- Trust Relationship --> [Multiple Forests]
  Do you think this would work ?

  Hello,
  worked
  your
  approach?
  I'm
  in
  a
  similar
  situation,
  can you
  share
  the
  results?

• Getting Error The trust relationship between the primary domain and the trusted domain failed in SharePoint 2010

  Hi,
  SharePoint 2010 Backup has been taken from production and restored through Semantic Tool in one of the server.The wepapplication of which the backup was taken is working fine.
  But the problem is that the SharePoint is not working correctly.We cannot create any new webapplication ,cannot navigate to the ServiceApplications.aspx page it shows error.Even the Search and UserProfile Services of the existing Web Application is not working.Checking
  the SharePoint Logs I found out the below exception
  11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Database                     
   8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
  11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Topology                     
   2myf Medium   Enabling the configuration filesystem and memory caches. 
  11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Database                     
   8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
  11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Topology                     
   2myf Medium   Enabling the configuration filesystem and memory caches. 
  11/30/2011 12:14:55.54  mssearch.exe (0x0864)                    0x2B24 SharePoint Server Search       Propagation Manager          
   fo2s Medium   [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes)  [indexpropagator.cxx:1607]  d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx 
  11/30/2011 12:14:55.99  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
   75dz High     The SPPersistedObject with
  Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted
  domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection
  sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()    
  at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip... 
  11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
   75dz High     ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
  at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider
  persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) 
  11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
   8xqx High     Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.   
  11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
   2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection
  sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
  targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask,
  T denyRightsMask)     at Microsoft.SharePoint.Administrati... 
  11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
   2n2p Monitorable ...on.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()    
  at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid
  id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64
  currentVe...
  Please guide me on the above issue ,this will be of great help
  Thanks.

  I have same error. Verified for trust , ports , cleaned up cache.. nothing has helped. 
  The problem is caused by User profile Synch Service:
  UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
  The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
  Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
  targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
  identifier, T grantRightsMask, T denyRigh...        
  08/23/2014 13:00:20.96*        w3wp.exe (0x2204)                      
          0x293C        SharePoint Portal Server              User Profiles                
          eh0u        Unexpected        ...tsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
  at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl()     at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
  Please let me know if you any solution found for this?
  Regards,
  Kunal  

• The security database on the server does not have a computer account for this workstation trust relationship

  When I try to log on to my DC it says "The security database on the server does not have a computer account for this workstation trust relationship". It won't let me log on. I installed another server server 2012r2  (its virtual )
  and I can get to ADSI edit. 
  I think what happened was I had a pc that could not connect without unplugging the network cable. So I found this fix 
  FIX: “The security database on the server does not have a computer account for this workstation trust relationship”2032011
  I’ve seen a lot of solutions, or suggestions rather, with regard to the error in the title of this post.  In my experience, the problem can almost always be resolved without extra domain add/removes and reboots, which is the most prevalent solution I have
  seen around.  Usually, this issue is due to a mismatch between attributes of the computer account in Active Directory and those values on the system itself.  Here are the steps I take to fix this issue when it crops up:
  Open up Active Directory Users & Computers pointed to the domain the computer account resides in
  From the “View” pull-down menu, make sure that “Advanced Features” is checked
  Navigate to the part of your organizational unit (OU) structure where the computer account for this server resides
  Open the Properties for the computer object
  Choose the “Attribute Editor” tab on the Properties dialog box
  Check the Attributes dNSHostName & servicePrincipalName – anywhere that a fully qualified hostname is specified (e.g. myserver.mydomainname.com), make sure that the entry matches the hostname
  you have configured when you go here on your server: Start -> Computer -> Right-Click, Properties -> Change Settings (under “Computer name, domain… settings”) -> Full Computer Name
  As an example, for a fictitious W2K8 R2 server whose Full Computer Name is “srv1.mydomainname.com”, these attribute/value pairs should be in Active Directory:
  dNSHostName:
  srv1.mydomainname.com
  servicePrincipalName:
  HOST/SRV1
  HOST/srv1.mydomainname.com
  RestrictedKrbHost/SRV1
  RestrictedKrbHost/srv1.mydomainname.com
  TERMSRV/SRV1
  TERMSRV/srv1.mydomainname.com"
  Not reading it carefully I add a computer with the same name as the pc having the issue and followed the above. The problem is that I did not notice that the spn did not want the name of my server (serv1) but the name of the trouble
  pc.
  dcdiag output
  PS C:\Users\administrator.TOM> dcdiag.exe
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     ***Error: DC3 is not a Directory Server.  Must specify /s:<Directory Server> or  /n:<Naming Context> or nothing to
     use the local machine.
     ERROR: Could not find home server.
  PS C:\Users\administrator.TOM> dcdiag.exe /s:DC2
  Directory Server Diagnosis
  Performing initial setup:
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
     Testing server: Default-First-Site\DC2
        Starting test: Connectivity
           The host 9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM could not be resolved to an IP address. Check the DN
           server, DHCP, server name, etc.
           Neither the the server name (DC2.TOM) nor the Guid DNS name (9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM)
           could be resolved by DNS.  Check that the server is up and is registered correctly with the DNS server.
           Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
           ......................... DC2 failed test Connectivity
  Doing primary tests
     Testing server: Default-First-Site\DC2
        Skipping all tests, because server DC2 is not responding to directory service requests.
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test CrossRefValidation
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test CrossRefValidation
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
     Running partition tests on : TOM
        Starting test: CheckSDRefDom
           ......................... TOM passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... TOM passed test CrossRefValidation
     Running enterprise tests on : TOM
        Starting test: LocatorCheck
           ......................... TOM passed test LocatorCheck
        Starting test: Intersite
           ......................... TOM passed test Intersite
  PS C:\Users\administrator.TOM> regsvr32 schmmgmt.dll
  PS C:\Users\administrator.TOM> netdig /fix
  netdig : The term 'netdig' is not recognized as the name of a cmdlet, function, script file, or operable program.
  Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
  At line:1 char:1
  + netdig /fix
  + ~~~~~~
      + CategoryInfo          : ObjectNotFound: (netdig:String) [], CommandNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException
  PS C:\Users\administrator.TOM> Setup /PrepareSchema
  Setup : The term 'Setup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
  the spelling of the name, or if a path was included, verify that the path is correct and try again.
  At line:1 char:1
  + Setup /PrepareSchema
  + ~~~~~
      + CategoryInfo          : ObjectNotFound: (Setup:String) [], CommandNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException
  PS C:\Users\administrator.TOM> netdiag /test
  netdiag : The term 'netdiag' is not recognized as the name of a cmdlet, function, script file, or operable program.
  Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
  At line:1 char:1
  + netdiag /test
  + ~~~~~~~
      + CategoryInfo          : ObjectNotFound: (netdiag:String) [], CommandNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException
  PS C:\Users\administrator.TOM> nslooup
  nslooup : The term 'nslooup' is not recognized as the name of a cmdlet, function, script file, or operable program.
  Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
  At line:1 char:1
  + nslooup
  + ~~~~~~~
      + CategoryInfo          : ObjectNotFound: (nslooup:String) [], CommandNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException
  PS C:\Users\administrator.TOM>

  Ok fixed. 
  At a elevated cmd prompt run ;
  C:\Users\administrator.TOM>setspn -x
  As you can see the DC serv1 had duplicate SPNs.
  Checking domain DC=TOM
  Processing entry 1
  HOST/serv1.TOM is registered on these accounts:
          CN=SERV1,OU=Domain Controllers,DC=TOM
          CN=C00049,CN=Computers,DC=TOM
  {14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/TOWN-HBWJ29ZOQC is registered on these ac
  counts:
          CN=Administrator,CN=Users,DC=TOM
          CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
  {14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/town-hbwj29zoqc.TOM is registered on thes
  e accounts:
          CN=Administrator,CN=Users,DC=TOM
          CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
  RestrictedKrbHost/serv1 is registered on these accounts:
          CN=C00049,CN=Computers,DC=TOM
          CN=SERV1,OU=Domain Controllers,DC=TOM
  RestrictedKrbHost/serv1.TOM is registered on these accounts:
          CN=C00049,CN=Computers,DC=TOM
          CN=SERV1,OU=Domain Controllers,DC=TOM
  found 5 groups of duplicate SPNs.
  Went to the computers OU and changed computer c00049 to the correct SPN. Now I have a new issues, I'll start a new thread.

• Trust relationship after upgrading to Windows 8.1

  Hi
  I have recently upgraded 20 laptops to Windows 8.1, lately some of the laptops keep saying trust relationship cannot contact to domain, I have taken them off the domain and then put them back on, the laptops then work again but each day with some laptops
  the same thing happens again and  I have to repeat the whole procedure. Recenlty the same laptop every day for the pass 5 days, it is really annoying and time consuming

  Hi Carl Shorty,
  What error message do you receive?
  Do you means that the computer in error keeps losing the trust relationship every day?
  This issue that machine trust cannot be established occurs because the computer's machine account has the incorrect role or its password has become mismatched with that of the domain database.
  If we can login as local-admin , we join the domain from the client if at the same time you can provide an administrator username and password on the domain. We can delete the existing computer account in Server Manager, recreate the computer account, synchronize
  the domain, and then on the client rejoin the domain.
  For details, you can refer to: Trust Relationship Between Workstation and Domain Fails
  http://support.microsoft.com/kb/162797
  If this doesn’t work, we could use the command netdom reset 'machinename' /domain:'domainname
  to reset the member security channel.
  Best regards,
  Fangzhou CHEN
  Fangzhou CHEN
  TechNet Community Support