RFC Trust Relationship - Authentication
Hello Experts,
Could anyone tell me what really happens behind the scenes when you set up the RFC Trust Relationship on ABAP systems?
Is the trusted system certificate imported into the trusting system?
Do the systems exchange certificates/keys during authentication?
Is there any help document available giving more details about what happens behind the scenes of RFC trust relationship configuration and how single sign-on is possible?
One on-site consultant said that the systems exchange certificates, and another consultant said that they exchange keys and the data is encrypted. If SNC is not enabled, how is the data encrypted?
Also, I do not see the trusted system certificate in the trusting system's "certificate list".
My assumption is that adding 2 systems to an RFC trust relationship neither adds the trusted system certificate into the trusting system nor exchanges keys between the systems for the RFC call. The calling system (trusted system) gets authenticated based on the S_RFCACL authorization in the trusting system.
Please share your thoughts or any relevant help documents
Thanks,
Himadama
Hi
Please go to this link :
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/47/95443fbee8700fe10000000a42189d/frameset.htm
It also has clear documentation and steps to set up a trusted relationship.
Pay attention to the following three pointers from the above link for using trusted RFC:
"● A user in the target system
● Authorizations for the applications he or she needs to use in the target system
● Authorization for the object S_RFCACL
This authorization object regulates a user's right to log onto a system via a trusted connection"
Regards
Similar Messages
-
RFC Trust relationship no longer working after system migration
My environment: 3 ERP 6.0 systems (DEV, QAS & PRD) and Solution Manager 4.0. All are on Oracle 10.2.0.2/AIX 6.1.
Previously the systems were on Solaris 10 before migrating to the AIX environment via a heterogeneous system copy. After the exercise I realised the following:
1. The trust relationship between Solution Manager & the satellite systems is broken. The CUA (Solution Manager is the central system) used to rely on these RFCs.
2. EarlyWatch reports are no longer generated.
Kindly advise how I can delete the trusted RFCs and regenerate them from Solution Manager transaction SMSY.
Thanks & regards
Hi,
please check:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/22/042671488911d189490000e829fbbd/content.htm
Please check:
RFC destinations for Earlywatch and MOPZ
Thanks
regards
Vikram -
NW RFC SDK: Non-SAP to ABAP with username (trust relationship)
Hello,
I have a quite challenging non-SAP-to-ABAP RFC scenario with a trust relationship.
Here's the scenario:
An Oracle database server acts as an RFC client and calls RFC function modules in an ABAP server. (I assume the Oracle programmers are going to use NW RFC SDK 7.1 or JCo 3.0 on the Oracle server and call that from their PL/SQL based database application.)
The challenge is that I don't want to use a single "technical user" on the ABAP side because that would mean that all the users on the Oracle side would be mapped to one single ABAP user. Also, I don't want to have to store individual ABAP passwords on the Oracle side.
Instead, I want the ABAP server to trust the RFC client the same way it might
a) trust a NetWeaver AS Java server after installing the Java server's certificate in transaction STRUSTSSO2 or
b) the way it might trust another ABAP server after configuring a trust relationship (transaction SMT1?)
The ABAP server should accept incoming RFC connections from the Oracle RFC client with just the user name and no password given and run the resulting processes in the ABAP system under the user id given in the RFC call.
I imagine the ideal solution somehow along the following lines (simplified scenario for a PC-based prototype):
- I download run a program that creates a certificate file (public key?) which I import into the ABAP system.
- The same program creates a matching file (private key?) for the RFC client.
- For reasons of simplicity, let us imagine the RFC client as a stand-alone Java SE application running on a PC.
- The Java SE application uses the JCo library to connect to the ABAP system.
- When opening the connection, it passes a username, but no password. Instead, it passes a Base64-encoded string that was generated by our key/certificate generator program.
- On the ABAP side, the function modules are run under the username used by the Java SE application when establishing the RFC connection.
Is that possible at all? How would you solve this?
Thank you very much in advance and best regards,
Thorsten
Hello,
Thanks a lot for your extremely high-quality replies. I've been trying to work with them.
Frankly, just when (after Gregor's and Tim's posts) I was hoping that by working my way deeply enough into SNC I would be able to solve my problem, Wolfgang comes along and tells me what I'm aiming at won't work. Now I'm confused.
The way I understand Wolfgang, the special trust an AS ABAP can put into another AS ABAP or an AS Java ("remote RFC client, give me one certificate and I will accept every username if they come from you") cannot be put into custom-made remote server software (such as the Oracle server application) acting as the RFC client, because when acting as RFC clients, the remote AS Java or AS ABAP use proprietary elements of the RFC protocol which are not available to me when I program my RFC client in the Oracle application.
@Wolfgang, is that correct?
Solution 1: Individual X.509 Certificates
Instead, I can establish X.509-based trust relationships at the level of individual usernames: create a certificate for each Oracle user, import them into the AS ABAP, map them to an ABAP user, and store the certificate on the Oracle side (I'm still not sure about the different certificates and keys used publicly and privately here).
Solution 2: AS ABAP as User Management Engine for the Oracle Application
I can also see an alternative that would spare me the trouble of generating, importing, mapping and storing the certificates: delegate the user management to the AS ABAP and delete the (custom-built) logon and password-checking mechanism in the PL/SQL application:
Users are created centrally in CUA and distributed along with their passwords into (among others) the AS ABAP.
When a user logs on to the PL/SQL application, the username and password are sent for validation to an ABAP BAPI.
If authentication is successful, the AS ABAP returns a SAPLogon ticket which can be stored in the session context of the PL/SQL application and used in subsequent RFC calls. The password (a hash?) would only be transferred once during logon.
What do you think? Would both solutions work or am I still getting something wrong? Can you see a better alternative that would reduce
for solution 1 the administrative overhead for synchronization
for solution 2 the run-time dependency Oracle-ABAP and the change impact on the Oracle application's user management concept?
Thanks a lot,
Thorsten -
I know there are loads of posts with same issue and most of them were related to proxy and connectivity .
This was case for me as well (few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.
server is configured on http port 80
ERROR
Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS
I've checked proxy server connectivity. I'm able browse following site from WSUS server
http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8
I did telnet proxy server on the particular port (8080) and that is also fine.
I have doubts about the certificates; any idea which certificates we need to look at? And if a certificate is expired then (my guess) we won't be able to open the above-mentioned Windows Update Catalog site?
Any tips appreciated !
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM
Hi Lawrence! Many thanks for looking into this thread and replying. Appreciate your help.
Your reply ("SSL is enabled/configured, and the certificate being used is invalid
(or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.
I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with proxy server configured on port (8080) and WSUS server on port 80.
My guess (this is my best guess ;)) is that this is something to do with firewall or proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to the proxy/firewall team. From their perspective all the required port communication is open and
the proxy server is also reachable. Moreover, we're able to access the internet (Microsoft Update Catalog site) over the same port (8080).
Any other hints on how I can prove to them it's a sure-shot problem on their side?
Thanks again !!
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM -
How to set up a trust relationship between OC4J and Tomcat
Howdy
According to the EJB 2.0 spec., section 19.8.1.1, second paragraph: "EJB containers are required to provide deployers or administrators with the tools to configure trust relationships with intermediate web or EJB containers."
What tools/methods are available for OC4J?
To give my question some context:
I'm trying to set things up so that I have Tomcat (4.1.x) as a servlet container and OC4J (9.0.3) as an EJB container. I want Tomcat to authenticate users (using its JNDI (LDAP) realm), and then have it forward a javax.security.Principal representing the user when invoking EJBs on OC4J from servlets. One task in that is to make the OC4J instance trust the Tomcat instance, so that OC4J accepts a principal sent from Tomcat as already authenticated.
I've been unable to find any docs on this subject.
Any help appreciated.
best regards Christian Surlykke
Christian -- Setting up the trust relationship is described in the interoperability section of the OC4J v903 Services Guide. I would probably start there.
Thanks -- Jeff -
Office Web Apps 2013 + could not establish trust relationship
We currently have a three tier SharePoint 2013 Farm:
1. Web Front End Server (Server 2008 R2 Enterprise) - Servername: TEST2SP013.domain.dom
2. Central Admin Server (Server 2008 R2 Enterprise) - Servername: TEST2SPCA013.domain.dom
3. SQL Server (Server 2012 Datacenter) - Servername: TESTSQL012.domain.dom
All Machines are in the same IP/Subnet.
We are trying to setup a new server (Server 2012 R2 Datacenter) (Servername: TEST022.domain.dom) to run Office Web Apps 2013 in our TEST environment to test the system before rolling in production and have had issues throughout the entire process.
The technet articles we have used are:
http://technet.microsoft.com/en-us/library/jj219435.aspx
http://technet.microsoft.com/en-us/library/ff431687.aspx
http://technet.microsoft.com/en-us/library/jj219627.aspx
We finally have what I thought was a correct setup but anytime we try to edit or view a word, excel, powerpoint document within SharePoint 2013, we receive "Sorry, there was a problem and we can't open this document. If this happens again, try opening
the document in Microsoft Word."
We found a few How-To Setup Office Web Apps sites where other people provided step-by step instructions:
blogs.msdn.com/b/sowmyancs/archive/2012/10/29/install-configure-amp-monitor-office-web-apps-2013-for-sp-2013.aspx
http://www.wictorwilen.se/office-web-apps-2013-securing-your-wac-farm
http://blogs.technet.com/b/justin_gao/archive/2013/06/30/configuring-office-web-apps-server-communication-using-https.aspx
We reviewed the ULS logs and found the following error:
02/14/2014 13:38:40.24 w3wp.exe (0x1C04) 0x1BB4 Office Web Apps
WAC Hosting Interaction adhsk Unexpected WOPI CheckFile: Catch-All Failure [exception:Microsoft.Office.Web.Common.EnvironmentAdapters.UnexpectedErrorException: HttpRequest failed ---> Microsoft.Office.Web.Apps.Common.HttpRequestAsyncException:
No Response in WebException ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate
is invalid according to the validation procedure. at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) --- End of
inner exception stack trace --- at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at Microsoft.Office.Web.Apps.Common.Ht... 7bed0d51-511d-4541-a059-e2f72942e617
None of the articles provide specific step-by-step instructions for using HTTPS in a test environment, specifically when it comes to self-signed certs through Active Directory Certificate Services.
We tried creating a Self-Signed Cert through IIS on the Office Web Apps Box which did not work.
We tried creating a Cert through Active Directory Certificate Services which did not work.
We tried adding the Cert through Central Admin > Security > Manage Trust which did not help.
We verified "get-spwopizone" is set to internal-https
We can access the Web Apps https://test022/hosting/discovery site and view the XML with no issue on any machine on our network.
We added our domain to the list of approved domains that can use Office Web Apps as well as add "Domain Users" as the security group that can "EDIT" Office Documents through Office Web Apps.
After each step, we tried performing either a system reboot or IIS reset on the Office Web Apps and WFE box.
My Question is how do we generate a certificate (either self-signed through IIS on the Office Web Apps Box or through AD) that will allow this application to work? I read that the Fully Qualified Domain Name needs to be in the SAN field of the Cert but when
we request it, I have no way of entering this information. I tried following http://technet.microsoft.com/en-us/library/ff625722 to manually request a certificate with a Custom SAN but that did not work either.
I am assuming the certificate issue is with the New Office Web Apps box. Is this correct?
-Chris
If it is an internal cert then you will have to add the certificate from OWA to the trusted certificates on each SharePoint server, plus add the certificate in Central Admin in SharePoint through Manage Trust. Also you will need to install the p7b file (the file that contains
the path to the root certificate, to verify each intermediate certificate) for the internal cert on each SharePoint server so as not to get a certificate error.
sachin -
Hi everyone,
A somewhat similar question has been asked before by others but none of the answers given has helped me. I am attempting a DPM 2012 installation, which is failing at the "deploying reports" stage. My analysis of logs seems to point me in the direction of an SSL
error, which does not make sense since the configuration files say SSL is disabled (or at least, should be).
Here are the symptoms:
1.I am able to browse http://FQDN/Reports_MSDPM2012 folder from internet explorer
2.I am also able to browse http://FQDN/ReportServer_MSDPM2012 from internet explorer
3.The information given in the logs and relevant config files is shown below:
<<RSREPORTSERVER.CONFIG>>
<ConnectionType>Default</ConnectionType>
<LogonUser></LogonUser>
<LogonDomain></LogonDomain>
<LogonCred></LogonCred>
<InstanceId>MSRS10_50.MSDPM2012</InstanceId>
<InstallationID>{d9b1c335-5842-4a81-9148-79184c38bf09}</InstallationID>
<Add Key="SecureConnectionLevel" Value="0"/>
<Add Key="CleanupCycleMinutes" Value="10"/>
<Add Key="MaxActiveReqForOneUser" Value="20"/>
<Add Key="DatabaseQueryTimeout" Value="120"/>
<Add Key="RunningRequestsScavengerCycle" Value="60"/>
<Add Key="RunningRequestsDbCycle" Value="60"/>
<Add Key="RunningRequestsAge" Value="30"/>
<Add Key="MaxScheduleWait" Value="5"/>
<Add Key="DisplayErrorLink" Value="true"/>
<Add Key="WebServiceUseFileShareStorage" Value="false"/>
<!-- <Add Key="ProcessTimeout" Value="150" /> -->
<!-- <Add Key="ProcessTimeoutGcExtension" Value="30" /> -->
<!-- <Add Key="WatsonFlags" Value="0x0430" /> full dump-->
<!-- <Add Key="WatsonFlags" Value="0x0428" /> minidump -->
<!-- <Add Key="WatsonFlags" Value="0x0002" /> no dump-->
<Add Key="WatsonFlags" Value="0x0428"/>
<Add Key="WatsonDumpOnExceptions"
4. The DPM log file still appears to be using SSL even though I used Reporting Services Configuration to remove the SSL bindings:
running.Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.BackEndErrorException: exception ---> Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.ReportDeploymentException:
exception ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Net.WebException: The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest,
Exception exception)
5:I do have an SCCM site on the default web site used by SMS clients but on different ports
I am stumped. Somebody please give some advice.
Thank you
Hi
This is an old post but did you come right? -
Preserving SOA Logical Ports and Trust Relationships during DB Refresh
Hi,
I have been searching for this for a while and have not had any luck so far. I thought maybe the vast experience in this community might be able to help me.
I am trying to preserve the SOA Logical Ports and the SMT1 Trust relationships of the target server during DB Refresh. Is there a list of tables that we could export (Much like exporting/transporting RFC Destination)?
Regards
Shantanu
Hi
Check the tables below to see if they fit your needs:
SRT_LP Logical Ports
SRT_LP_FEAT Logical Port Feature
SRT_LP_OP_FEAT Logical Port Feature (Operation-Dependent)
SRT_LP_SXI_ADDR Logical Ports: XI Addressing
RSECACTB Table for ABAP Access Authorization for Secure Memory
RSECTAB Secure Memory: Memory for Encrypted Data
RFCTRUST List of existing trusting systems
RFCSYSACL List of permitted trusted systems for the current system
Regards -
Could not establish trust relationship for the SSL/TLS secure channel with authority
Hello everyone, I need to establish a connection between my HTTPS WCF hosted in Windows Azure Web Role and my Windows Store App Client. The service is actually exposed for testing purposes using a self-signed certificate.
I have installed the certificate in Personal and Trusted Root Certification Authorities in Current User and Local Machine.
In the Windows Store App, I create the service reference pointing to the cloud https service, then edit the manifest and create a new declaration to Add a New Certificate, I checked Exclusive Trust and Auto select, pointing to Root storage name and
my self-signed certificate.cer.
The result is the following exception in the IntelliTrace stack:
Exception:Caught: "The remote certificate is invalid according to the validation procedure." (System.Security.Authentication.AuthenticationException)
A System.Security.Authentication.AuthenticationException was caught: "The remote certificate is invalid according to the validation procedure."
Time: 19/01/2015 04:42:33 p. m.
Thread:Worker Thread[17080]
Exception:Thrown: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'appchallengewhi.cloudapp.net'." (System.ServiceModel.Security.SecurityNegotiationException)
A System.ServiceModel.Security.SecurityNegotiationException was thrown: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'appchallengewhi.cloudapp.net'."
Time: 19/01/2015 04:42:34 p. m.
Thread:Worker Thread[17080]
Appreciate any help, to solve this with the approach of WCF Service Reference in Windows Store App.
Note:
If I call the HTTPS service using a Console App it works very good using the following the code:
ChannelFactory<IAgentService> factory = new ChannelFactory<IAgentService>("basicHttpBinding_IAgentService");
// Returning true from this callback accepts any server certificate, for every
// connection in the process (ServicePointManager is global), so it removes the
// certificate check rather than satisfying it.
ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) => true;
IAgentService wcfProxy = factory.CreateChannel();
Thanks in advance,
RC
Maybe not implemented.
https://social.msdn.microsoft.com/Forums/windowsapps/en-US/2dab2818-8f4c-4474-a7a1-db2cbfb40d40/accepting-client-certificate-for-https-connections?forum=winappswithcsharp -
Hi All,
I am using SharePoint List Connectors to load the data from Sharepoint list to Sql server.
I have created an SSIS package and attached it to a SQL Agent job; it works fine.
SharePoint Source dev url: http://company.dev.com (working fine) (http)
DB server: (server\instance)
I thought all was good and I could test with the UAT SharePoint url.
I have changed the configuration url to point to UAT (https).
SharePoint Source dev url : https://companyuat.dev.com (working fine)
DB server:(server\instance)
Suddenly it fails with the following error:
In both the cases i am running the agent job from the same db server
DB server:(server\instance)
Error Message:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'companyuat.dev.com'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Source: Data Flow Task SharePoint List Source [1] Description: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'companyuat.dev.com'. ---> System.Net.WebException:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Is there a workaround to resolve this? Any inputs highly appreciated as it is time to move to production :(.
Thanks
Ravi
Ravi
This is the important error: The remote certificate is invalid according to the validation procedure.
Your SharePoint server certificate is invalid. You have to either correct your certificate or make your SSIS client machine explicitly trust the server certificate.
SSIS Tasks Components Scripts Services | http://www.cozyroc.com/ -
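The same pair of exceptions appears in the WSUS, Office Web Apps, DPM, Windows Store App and SSIS threads above: "Could not establish trust relationship for the SSL/TLS secure channel" wrapping "The remote certificate is invalid according to the validation procedure". Both are raised on the .NET client side, after the handshake, when the certificate the server presented fails the client's chain build (self-signed or issued by a CA that is not in the client's Trusted Root store, expired, intermediate missing) or its host-name check (the name in the URL is not in the certificate's CN or SAN). The console-app workaround posted in the Windows Store App thread, a validation callback that returns true, makes the error disappear by accepting every certificate for every connection in the process. The following C# program is an added example and is not code from any of the posts: it opens a TLS connection, reports which SslPolicyErrors flag and which X509ChainStatus entries caused the rejection, and accepts a self-signed test certificate only when its thumbprint equals a pinned value. The host name `companyuat.dev.com` is taken from the SSIS thread; the thumbprint constant is a placeholder and must be replaced with the thumbprint of the certificate you generated yourself.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from any post on this page.
static class TlsTrustDiagnostics
{
    // Placeholder (assumption): SHA-1 thumbprint of the one self-signed test certificate
    // we are willing to accept even though it does not chain to a trusted root.
    const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    // Turns the validation result into text a practitioner can act on.
    // An empty string means the platform validation passed.
    public static string Explain(X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        var sb = new StringBuilder();
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            sb.AppendLine("server sent no certificate");
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            sb.AppendLine("host name is not in the certificate's CN/SAN; subject = " + certificate.Subject);
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                // Typical values: UntrustedRoot (self-signed, or issuing CA not in the
                // Trusted Root store), NotTimeValid (expired), PartialChain (intermediate
                // missing), RevocationStatusUnknown (CRL/OCSP unreachable).
                sb.AppendLine("chain: " + status.Status + " (" + status.StatusInformation.Trim() + ")");
        return sb.ToString();
    }

    // RemoteCertificateValidationCallback: the return value is the verdict.
    public static bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                       // chain and host name both fine

        Console.Error.Write(Explain(certificate, chain, errors));

        // Explicit trust for one known certificate, by thumbprint, instead of "=> true".
        // Pinning the exact certificate also overrides the host-name check, so only do
        // this for a test certificate you generated yourself.
        if (certificate != null)
        {
            var cert2 = new X509Certificate2(certificate);
            bool pinned = string.Equals(cert2.Thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
            Console.Error.WriteLine(pinned
                ? "accepted: matches pinned thumbprint"
                : "rejected: thumbprint " + cert2.Thumbprint);
            return pinned;
        }
        return false;
    }

    public static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "companyuat.dev.com"; // host from the SSIS thread
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        using (var tcp = new TcpClient(host, port))
        using (var tls = new SslStream(tcp.GetStream(), false, Validate))
        {
            try
            {
                tls.AuthenticateAsClient(host);   // SNI and the host-name check both use this value
                Console.WriteLine("handshake OK, subject = " + tls.RemoteCertificate.Subject);
                return 0;
            }
            catch (AuthenticationException ex)
            {
                // This is the inner exception shown in the forum posts.
                Console.WriteLine("handshake rejected: " + ex.Message);
                return 1;
            }
        }
    }
}
```

Run it on the machine that reports the error (the WSUS server, the SharePoint WFE, the DPM server, the SQL Agent host), as the account the failing service runs under, because the Trusted Root store and proxy settings are per machine and partly per user. The chain status it prints tells you which fix applies: a missing SAN entry means re-issuing the certificate with the FQDN you connect to, UntrustedRoot or PartialChain means importing the issuing CA chain into the client's Trusted Root store (or the Manage Trust list in SharePoint Central Admin, as the Office Web Apps reply says), and a subject that is not the server you expected usually means a proxy or load balancer is terminating TLS in front of it.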
Cisco ISE - multiple AD - trust relationships
Hello,
I have a customer who has multiple AD forests and an ISE deployment running 1.1.3.
The customer scenario is as follows - there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. Cisco ISE is connected to the Internal AD forest.
We know that multiple AD support is coming in 2014 with version 1.3 - other options such as LDAP/EAP-TLS are not a viable option for the customer.
1. Currently – the Internal AD forest has an External, Non-transitive – one-way trust with the External Forest
a. The objective here is to use a feature called Selective Authentication in order to filter the outgoing requests from the External Forest to the Internal Forest – this is a selective trust feature that can be used to control access to specific resources in Internal Forest and for authentication between Internal/External Forest via Cisco ISE
b. Preliminary testing has shown that a one way trust seems to work for Cisco ISE authentication/authorization
c. Further testing is underway to test the Selective Authentication feature (ie restrict access to specific resources etc…)
Question : has any one used this and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?
2. We are exploring a second scenario - the Internal AD forest will have an External, Non-transitive – two-way trust with the External Forest
a. Same objectives as in 1 – we would attempt to use the Selective Authentication in the following fashion (this is an example)
i. External Forest has outgoing filter to allow access to specific resources in Internal Forest, and for authentication
ii. Internal Forest has incoming filter to deny access to all resources in External Forest
In this case we would filter so it resembles a 1 way trust relationship - anyone try this, anyone know if this would be a supported method by Cisco?
Thanks in advance for your replies.
Robert C.
Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:
"Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."
I've set up one such deployment just recently and found it quite simple to just add the second domain and use it as an external identity source accordingly. -
Hello, and sorry for this strange title, i couldn't find a simple way to write my question.
- I want to use agent monitoring from my SCOM 2012 SP1 management servers
to servers in multiple forests.
- I don't want to set two-way trust between my scom forest and the monitored forests.
- I would prefer not to install 2 gateway servers in each forest.
So would it be possible to create an intermediate forest for my gateway servers, use certificate authentication between management and gateway servers, and use a two-way trust between this intermediate forest and the forests to monitor?
[SCOM Forest]<-- Certificate --> [Gateway Servers Forest] <-- Trust Relationship --> [Multiple Forests]
Do you think this would work?
Hello,
Did your approach work? I'm in a similar situation; can you share the results? -
Hi,
A SharePoint 2010 backup has been taken from production and restored through the Semantic Tool on one of the servers. The web application of which the backup was taken is working fine.
But the problem is that SharePoint is not working correctly. We cannot create any new web application, and cannot navigate to the ServiceApplications.aspx page; it shows an error. Even the Search and User Profile Services of the existing web application are not working. Checking
the SharePoint logs I found the below exception:
11/30/2011 12:14:53.78 WebAnalyticsService.exe (0x06D4) 0x2D24 SharePoint Foundation Database
8u1d High Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
11/30/2011 12:14:53.78 WebAnalyticsService.exe (0x06D4) 0x2D24 SharePoint Foundation Topology
2myf Medium Enabling the configuration filesystem and memory caches.
11/30/2011 12:14:53.79 WebAnalyticsService.exe (0x06D4) 0x12AC SharePoint Foundation Database
8u1d High Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
11/30/2011 12:14:53.79 WebAnalyticsService.exe (0x06D4) 0x12AC SharePoint Foundation Topology
2myf Medium Enabling the configuration filesystem and memory caches.
11/30/2011 12:14:55.54 mssearch.exe (0x0864) 0x2B24 SharePoint Server Search Propagation Manager
fo2s Medium [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes) [indexpropagator.cxx:1607] d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx
11/30/2011 12:14:55.99 OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Topology
75dz High The SPPersistedObject with
Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted
domain failed. at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed) at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection
sourceSids, Type targetType, Boolean forceSuccess) at System.Security.Principal.SecurityIdentifier.Translate(Type targetType) at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()
at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip...
11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Topology
75dz High ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask) at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)
at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization() at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization() at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider
persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)
11/30/2011 12:14:56.00 OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Topology
8xqx High Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.
11/30/2011 12:14:56.00 OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Timer
2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed. at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection
sourceSids, Boolean& someFailed) at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) at System.Security.Principal.SecurityIdentifier.Translate(Type
targetType) at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName() at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask,
T denyRightsMask) at Microsoft.SharePoint.Administrati...
11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4) 0x1994 SharePoint Foundation Timer
2n2p Monitorable ...on.SPAcl`1..ctor(String persistedAcl) at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization() at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()
at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid
id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr) at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64
currentVe...
Please guide me on the above issue; this will be of great help.
Thanks.
I have the same error. Verified the trust, ports, cleaned up cache... nothing has helped.
The problem is caused by User profile Synch Service:
UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
The trust relationship between the primary domain and the trusted domain failed. at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
Boolean& someFailed) at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess) at System.Security.Principal.SecurityIdentifier.Translate(Type
targetType) at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName() at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
identifier, T grantRightsMask, T denyRigh...
08/23/2014 13:00:20.96* w3wp.exe (0x2204)
0x293C SharePoint Portal Server User Profiles
eh0u Unexpected ...tsMask) at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)
at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl() at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties() at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
Please let me know if you have found any solution for this.
Regards,
Kunal -
When I try to log on to my DC it says "The security database on the server does not have a computer account for this workstation trust relationship". It won't let me log on. I installed another server, Server 2012 R2 (it's virtual),
and I can get to ADSI Edit.
I think what happened was I had a PC that could not connect without unplugging the network cable. So I found this fix:
"FIX: “The security database on the server does not have a computer account for this workstation trust relationship” 2032011
I’ve seen a lot of solutions, or suggestions rather, with regard to the error in the title of this post. In my experience, the problem can almost always be resolved without extra domain add/removes and reboots, which is the most prevalent solution I have
seen around. Usually, this issue is due to a mismatch between attributes of the computer account in Active Directory and those values on the system itself. Here are the steps I take to fix this issue when it crops up:
Open up Active Directory Users & Computers pointed to the domain the computer account resides in
From the “View” pull-down menu, make sure that “Advanced Features” is checked
Navigate to the part of your organizational unit (OU) structure where the computer account for this server resides
Open the Properties for the computer object
Choose the “Attribute Editor” tab on the Properties dialog box
Check the Attributes dNSHostName & servicePrincipalName – anywhere that a fully qualified hostname is specified (e.g. myserver.mydomainname.com), make sure that the entry matches the hostname
you have configured when you go here on your server: Start -> Computer -> Right-Click, Properties -> Change Settings (under “Computer name, domain… settings”) -> Full Computer Name
As an example, for a fictitious W2K8 R2 server whose Full Computer Name is “srv1.mydomainname.com”, these attribute/value pairs should be in Active Directory:
dNSHostName:
srv1.mydomainname.com
servicePrincipalName:
HOST/SRV1
HOST/srv1.mydomainname.com
RestrictedKrbHost/SRV1
RestrictedKrbHost/srv1.mydomainname.com
TERMSRV/SRV1
TERMSRV/srv1.mydomainname.com"
Not reading it carefully, I added a computer with the same name as the PC having the issue and followed the above. The problem is that I did not notice that the SPN did not want the name of my server (serv1) but the name of the trouble PC.
dcdiag output
PS C:\Users\administrator.TOM> dcdiag.exe
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
***Error: DC3 is not a Directory Server. Must specify /s:<Directory Server> or /n:<Naming Context> or nothing to
use the local machine.
ERROR: Could not find home server.
PS C:\Users\administrator.TOM> dcdiag.exe /s:DC2
Directory Server Diagnosis
Performing initial setup:
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\DC2
Starting test: Connectivity
The host 9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM could not be resolved to an IP address. Check the DN
server, DHCP, server name, etc.
Neither the the server name (DC2.TOM) nor the Guid DNS name (9e0dca7a-d017-445a-b354-adee5ff53d48._msdcs.TOM)
could be resolved by DNS. Check that the server is up and is registered correctly with the DNS server.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... DC2 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site\DC2
Skipping all tests, because server DC2 is not responding to directory service requests.
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : TOM
Starting test: CheckSDRefDom
......................... TOM passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... TOM passed test CrossRefValidation
Running enterprise tests on : TOM
Starting test: LocatorCheck
......................... TOM passed test LocatorCheck
Starting test: Intersite
......................... TOM passed test Intersite
PS C:\Users\administrator.TOM> regsvr32 schmmgmt.dll
PS C:\Users\administrator.TOM> netdig /fix
netdig : The term 'netdig' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ netdig /fix
+ ~~~~~~
+ CategoryInfo : ObjectNotFound: (netdig:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> Setup /PrepareSchema
Setup : The term 'Setup' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Setup /PrepareSchema
+ ~~~~~
+ CategoryInfo : ObjectNotFound: (Setup:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> netdiag /test
netdiag : The term 'netdiag' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ netdiag /test
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (netdiag:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM> nslooup
nslooup : The term 'nslooup' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ nslooup
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (nslooup:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\administrator.TOM>
Ok fixed.
At an elevated cmd prompt run:
C:\Users\administrator.TOM>setspn -x
As you can see the DC serv1 had duplicate SPNs.
Checking domain DC=TOM
Processing entry 1
HOST/serv1.TOM is registered on these accounts:
CN=SERV1,OU=Domain Controllers,DC=TOM
CN=C00049,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/TOWN-HBWJ29ZOQC is registered on these ac
counts:
CN=Administrator,CN=Users,DC=TOM
CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/town-hbwj29zoqc.TOM is registered on thes
e accounts:
CN=Administrator,CN=Users,DC=TOM
CN=TOWN-HBWJ29ZOQC,CN=Computers,DC=TOM
RestrictedKrbHost/serv1 is registered on these accounts:
CN=C00049,CN=Computers,DC=TOM
CN=SERV1,OU=Domain Controllers,DC=TOM
RestrictedKrbHost/serv1.TOM is registered on these accounts:
CN=C00049,CN=Computers,DC=TOM
CN=SERV1,OU=Domain Controllers,DC=TOM
found 5 groups of duplicate SPNs.
Went to the Computers OU and changed computer c00049 to the correct SPN. Now I have a new issue, I'll start a new thread. -
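The two checks above (the dNSHostName / servicePrincipalName attributes must name the machine itself, and no SPN may be registered on more than one account, which is what `setspn -x` reports) can be scripted so they are run before touching the account. The following is an added example, not part of this thread or of any Microsoft tool; it assumes the RSAT ActiveDirectory module, and `SERV1` / `corp.example` are placeholders for the account and domain being audited. Like `setspn -x`, `Get-ADObject` here searches the current domain only.

```powershell
# Added example (not from the thread): audit a computer account's
# dNSHostName and servicePrincipalName against its expected FQDN, then
# list every SPN in the domain that is registered on more than one
# account (duplicate SPNs break Kerberos for both accounts).
# Assumes RSAT ActiveDirectory; the names below are placeholders.
Import-Module ActiveDirectory

$ComputerName = 'SERV1'          # placeholder: sAMAccountName without the trailing $
$DomainDns    = 'corp.example'   # placeholder: DNS name of the AD domain
$ExpectedFqdn = "$ComputerName.$DomainDns".ToLower()

$acct = Get-ADComputer -Identity $ComputerName -Properties dNSHostName, servicePrincipalName

# 1. dNSHostName must equal the Full Computer Name configured on the box.
if ($acct.dNSHostName -and $acct.dNSHostName.ToLower() -ne $ExpectedFqdn) {
    Write-Warning "dNSHostName '$($acct.dNSHostName)' does not match expected '$ExpectedFqdn'"
}

# 2. Every SPN of the form service/host[:port] on this account must name
#    this computer, either by short name or by FQDN.
$allowedHosts = @($ComputerName.ToLower(), $ExpectedFqdn)
foreach ($spn in $acct.servicePrincipalName) {
    $hostPart = ($spn -split '/')[1]
    if ($hostPart -match ':') { $hostPart = $hostPart.Split(':')[0] }   # drop port suffix
    if ($allowedHosts -notcontains $hostPart.ToLower()) {
        Write-Warning "SPN '$spn' on $ComputerName names a different host; it belongs on that host's account"
    }
}

# 3. Domain-wide duplicate check: group every SPN by value and report any
#    that appear on two or more objects (users, computers or MSAs).
$bySpn = @{}
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($spn in $_.servicePrincipalName) {
            $key = $spn.ToLower()            # SPN comparison is case-insensitive
            if (-not $bySpn.ContainsKey($key)) {
                $bySpn[$key] = New-Object System.Collections.Generic.List[string]
            }
            $bySpn[$key].Add($dn)
        }
    }

$dupes = @($bySpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })
foreach ($d in $dupes) {
    Write-Output "$($d.Key) is registered on these accounts:"
    $d.Value | ForEach-Object { Write-Output "    $_" }
}
Write-Output "found $($dupes.Count) groups of duplicate SPNs."
```

The duplicate report has the same shape as the `setspn -x` output quoted above, so the two can be compared directly. In the case in this thread the check in step 2 would have flagged the HOST/serv1 and RestrictedKrbHost/serv1 entries on the C00049 account as naming a different host before the domain controller's own SPNs were affected.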
Trust relationship after upgrading to Windows 8.1
Hi
I have recently upgraded 20 laptops to Windows 8.1; lately some of the laptops keep saying the trust relationship cannot contact the domain. I have taken them off the domain and then put them back on, the laptops then work again, but each day with some laptops
the same thing happens again and I have to repeat the whole procedure. Recently the same laptop every day for the past 5 days; it is really annoying and time consuming.
Hi Carl Shorty,
What error message do you receive?
Do you mean that the computer in error keeps losing the trust relationship every day?
This issue that machine trust cannot be established occurs because the computer's machine account has the incorrect role or its password has become mismatched with that of the domain database.
If we can log in as local admin, we can join the domain from the client, provided that at the same time you can provide an administrator username and password on the domain. We can delete the existing computer account in Server Manager, recreate the computer account, synchronize the domain, and then rejoin the domain on the client.
For details, you can refer to: Trust Relationship Between Workstation and Domain Fails
http://support.microsoft.com/kb/162797
If this doesn't work, we could use the command netdom reset 'machinename' /domain:'domainname' to reset the member secure channel.
Best regards,
Fangzhou CHEN
Fangzhou CHEN
TechNet Community Support
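The reset described in the reply above can also be done from the affected client itself, and the machine-account password age tells you whether the account is actually being rotated or reset out of band between the daily failures. The script below is an added example, not part of this thread or of the Microsoft KB article it cites; it assumes PowerShell 3.0 or later on the client (Test-ComputerSecureChannel ships with it, no RSAT needed), that it is run elevated, and `corp.example` is a placeholder domain name.

```powershell
# Added example (not from the thread): check the workstation's secure
# channel to its domain, repair it in place if broken (the client-side
# equivalent of 'netdom reset'), and report when the machine-account
# password was last set. Run elevated on the affected client.
$Domain = 'corp.example'   # placeholder: DNS name of the AD domain

if (Test-ComputerSecureChannel -Verbose) {
    Write-Output "Secure channel to $Domain is healthy"
} else {
    # Repairing needs an account that may reset this computer's password in AD;
    # prompting for it avoids embedding credentials in the script.
    $cred = Get-Credential -Message "Account allowed to reset the computer account password in $Domain"
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Output "Secure channel repaired; confirm with 'nltest /sc_verify:$Domain'"
    } else {
        Write-Warning "Repair failed: check DNS resolution of the DCs, clock skew (Kerberos tolerates 5 minutes by default) and that the computer account still exists in AD"
    }
}

# pwdLastSet on the computer object is a Windows FILETIME. A value that moves
# every day, or one older than 30 days on a client that keeps failing, points
# at something rotating or restoring the machine password outside of Netlogon
# (imaging, snapshot rollback, a second machine with the same name).
$searcher = [adsisearcher]"(sAMAccountName=$env:COMPUTERNAME`$)"
$entry = $searcher.FindOne()
if ($entry) {
    $raw = [int64]$entry.Properties['pwdlastset'][0]
    $lastSet = [DateTime]::FromFileTime($raw)
    Write-Output ("Machine account password last set: {0} ({1:N0} days ago)" -f $lastSet, ((Get-Date) - $lastSet).TotalDays)
} else {
    Write-Warning "No computer object found for $env:COMPUTERNAME in the current domain"
}
```

Running this daily on one of the affected laptops and keeping the output gives a timeline to compare against the failures, which is more useful than repeating the leave-and-rejoin cycle.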