EPiServer 4 and the active directory
This post describes the error “The trust relationship between the primary domain and the trusted domain failed” in EPiServer 4.
This time it was EPiServer 4. Built as an intranet that had been along for the ride for a few AD changes. Until now it had been implemented with forms authentication.
When switching to windows authentication, we received this error: “The trust relationship between the primary domain and the trusted domain failed”.
Now, looking at the error it’s easy to jump to the conclusion that there’s a trust issue in a cross-forest AD. Roll in the big-gun network administrators have them poke at it for a few hours. While the error was spawned in a cross-forest active directory, the user trying to connect and the actual server were in the same domain!
This was the setup:
- The IIS website was using Windows Integrated Authentication
- The application pool was running under an active directory account
- Web.config was configured to use authentication mode Windows
Why this happens
There are a number of reasons why this might occur. What they all have in common, however, is that the code can’t reach a specific domain. Usually this stems from the IsInRole-method from the IPrincipal-object.
A quick search on the error in your favorite search engine results in a FAQ hit over at world.episerver.com. EPiServer, for good and bad, explains that this is because the server has lost connection with the domain and that Windows accounts should not be used. The blame is put on ASP.NET. They also include two workarounds. Neither of them worked for us. Our server was in the domain!
Cause and how to solve it
We tried all the workarounds. Even this one.
As a last resort we had a look at the actual groups that were setup in the EPiServer database. There we found old groups that had been configured with LDAP. Pointing to an old domain. Holy smelly domains, Batman!
EPiServer is designed to check if the current user is a member of any of the configured groups when he/she requests a page. Since EPiServer couldn’t find the domain specified with the IsInRole-method for the groups in the database when we made our request, it threw an exception. And rightly so.
So the lesson of the story is:
If you get this error, check the groups in web.config for the “location”-elements (admin, edit, webservices, etc) and the groups set in the EPiServer database.