Question

The trust relationship between the primary domain and the trusted domain failed

asked on March 27

Today, when we try to access Audit Trail, we are receiving the following error in the browser:

When I look in the Event Viewer I am seeing the following error:

Log Name:      Laserfiche-AuditTrail-Service/Admin
Source:        Laserfiche-AuditTrail-Service
Date:          3/27/2024 10:32:02 AM
Event ID:      290
Task Category: Task290
Level:         Warning
Keywords:      Session0,Session1,Session2,Session3,AdminChannel
User:          IIS APPPOOL\AuditTrailAppPool
Computer:      xxxx
Description:
General error: unhandled exception. 
Type: STR_WARN_GENERAL_EXCEPTION
Stack trace:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Laserfiche.AuditAnalytics.Utility.AuditResource.SetStackTrace(String stackTrace)
   at Laserfiche.AuditAnalytics.Utility.Helper.AuditResourceHelper.CreateReportResourceFromException(AuditResource resource, Exception exception, Boolean promptDebugAuditException)
   at Laserfiche.AuditAnalytics.Utility.Helper.LogHelper.Log(Exception exception, IDictionary`2 attributes)
   at Laserfiche.AuditAnalytics.Utility.Web.AuditHandleErrorAttribute.OnException(ExceptionContext filterContext)
   at System.Web.Mvc.ControllerActionInvoker.InvokeExceptionFilters(ControllerContext controllerContext, IList`1 filters, Exception exception)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.<BeginInvokeAction>b__1(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
   at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
Inner resource:
General error: The trust relationship between the primary domain and the trusted domain failed.
 
Type: System.SystemException
Stack trace:
   at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.WindowsPrincipal.IsInRole(String role)
   at Laserfiche.AuditAnalytics.AuditCommon.Authentication.WindowsIdentityEx.IsInRoleEx(WindowsPrincipal principal, String role)
   at WebAuditReport.Controllers.BaseController.<GetAllowedRepositories>d__24.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.LazyInitValue()
   at WebAuditReport.Controllers.BaseController.get_ReadyRepositories()
   at WebAuditReport.Controllers.BaseController.InitDefaultContext()
   at WebAuditReport.Controllers.LegacyRedirectionController.InitDefaultContext()
   at WebAuditReport.Controllers.LegacyRedirectionController.<Aspx>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Mvc.Async.TaskAsyncActionDescriptor.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass8_0.<BeginInvokeAsynchronousActionMethod>b__1(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_0.<InvokeActionMethodFilterAsynchronouslyRecursive>b__0()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_6.<BeginInvokeAction>b__4()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.<BeginInvokeAction>b__1(IAsyncResult asyncResult)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Laserfiche-AuditTrail-Service" Guid="{DDDDBBB7-A545-5A42-D2EF-44FDAEA71A29}" />
    <EventID>290</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000f00000000001</Keywords>
    <TimeCreated SystemTime="2024-03-27T17:32:02.342205500Z" />
    <EventRecordID>2304498</EventRecordID>
    <Correlation />
    <Execution ProcessID="9312" ThreadID="6172" />
    <Channel>Laserfiche-AuditTrail-Service/Admin</Channel>
    <Computer>xxxx</Computer>
    <Security UserID="xxxx" />
  </System>
  <EventData>
    <Data Name="parameter0">unhandled exception.</Data>
    <Data Name="stack_track">
Type: STR_WARN_GENERAL_EXCEPTION
Stack trace:
   at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
   at System.Environment.get_StackTrace()
   at Laserfiche.AuditAnalytics.Utility.AuditResource.SetStackTrace(String stackTrace)
   at Laserfiche.AuditAnalytics.Utility.Helper.AuditResourceHelper.CreateReportResourceFromException(AuditResource resource, Exception exception, Boolean promptDebugAuditException)
   at Laserfiche.AuditAnalytics.Utility.Helper.LogHelper.Log(Exception exception, IDictionary`2 attributes)
   at Laserfiche.AuditAnalytics.Utility.Web.AuditHandleErrorAttribute.OnException(ExceptionContext filterContext)
   at System.Web.Mvc.ControllerActionInvoker.InvokeExceptionFilters(ControllerContext controllerContext, IList`1 filters, Exception exception)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.&lt;&gt;c__DisplayClass3_1.&lt;BeginInvokeAction&gt;b__1(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.&lt;&gt;c.&lt;BeginExecuteCore&gt;b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.&lt;&gt;c.&lt;BeginProcessRequest&gt;b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
   at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus&amp; notificationStatus)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus&amp; notificationStatus)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
Inner resource:
General error: The trust relationship between the primary domain and the trusted domain failed.
 
Type: System.SystemException
Stack trace:
   at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean&amp; someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.WindowsPrincipal.IsInRole(String role)
   at Laserfiche.AuditAnalytics.AuditCommon.Authentication.WindowsIdentityEx.IsInRoleEx(WindowsPrincipal principal, String role)
   at WebAuditReport.Controllers.BaseController.&lt;GetAllowedRepositories&gt;d__24.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.LazyInitValue()
   at WebAuditReport.Controllers.BaseController.get_ReadyRepositories()
   at WebAuditReport.Controllers.BaseController.InitDefaultContext()
   at WebAuditReport.Controllers.LegacyRedirectionController.InitDefaultContext()
   at WebAuditReport.Controllers.LegacyRedirectionController.&lt;Aspx&gt;d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Mvc.Async.TaskAsyncActionDescriptor.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.&lt;&gt;c__DisplayClass8_0.&lt;BeginInvokeAsynchronousActionMethod&gt;b__1(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.&lt;&gt;c__DisplayClass11_0.&lt;InvokeActionMethodFilterAsynchronouslyRecursive&gt;b__0()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.&lt;&gt;c__DisplayClass11_2.&lt;InvokeActionMethodFilterAsynchronouslyRecursive&gt;b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.&lt;&gt;c__DisplayClass11_2.&lt;InvokeActionMethodFilterAsynchronouslyRecursive&gt;b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.&lt;&gt;c__DisplayClass3_6.&lt;BeginInvokeAction&gt;b__4()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.&lt;&gt;c__DisplayClass3_1.&lt;BeginInvokeAction&gt;b__1(IAsyncResult asyncResult)</Data>
    <Data Name="attributes">{"module_name":"Reporting Site"}</Data>
  </EventData>
</Event>

I noticed that it mentions "General error: The trust relationship between the primary domain and the trusted domain failed.". What would this be referring to? The server is a member of the domain.

We are using Audit Trail 11.0.2306.3549.

0 0

Replies

replied on March 27

Look at the set of calls it's triggering on:

   at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.WindowsPrincipal.IsInRole(String role)
   at Laserfiche.AuditAnalytics.AuditCommon.Authentication.WindowsIdentityEx.IsInRoleEx(WindowsPrincipal principal, String role)
   at WebAuditReport.Controllers.BaseController.<GetAllowedRepositories>d__24.MoveNext()

This suggests the AD user attempting to authenticate to Audit Trail Reporting is in a different domain (AD1) than the one the Audit Trail server is joined to (AD2), and Audit Trail is failing to authenticate that user because of a domain trust issue between AD1 and AD2. The stack trace seems to indicate the specific place it's failing is when attempting to resolve an NTAccount IdentityReference to a SID, which I believe involves requesting that info from a domain controller.

2 0
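An added diagnostic, not from the original thread and not Laserfiche code, that does what the failing frames above do (NTAccount to SID translation, the same path WindowsPrincipal.IsInRole takes) but one trustee at a time, with the failure classified, so the entry that cannot be resolved can be picked out of a list. The trustee names in it are made up; substitute the list from the Audit Trail Configuration site.

```powershell
# Added example: translate each trustee name to a SID the way
# WindowsPrincipal.IsInRole does internally, per entry, without letting
# one failure abort the rest. Not Audit Trail code.
function Resolve-Trustee {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Name
    )
    process {
        $r = [ordered]@{ Trustee = $Name; Status = $null; Sid = $null; Detail = $null }
        try {
            $r.Sid    = ([System.Security.Principal.NTAccount]$Name).Translate(
                            [System.Security.Principal.SecurityIdentifier]).Value
            $r.Status = 'Resolved'
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # The name is unknown to the domain(s) that answered: a deleted
            # account or group, or a typo. Must be listed before SystemException,
            # which it derives from.
            $r.Status = 'NotFound'
            $r.Detail = $_.Exception.Message
        }
        catch [System.SystemException] {
            # No authoritative answer at all, e.g. "The trust relationship
            # between the primary domain and the trusted domain failed." when
            # the lookup has to cross a trust that is broken or no longer
            # covers that account.
            $r.Status = 'LookupFailed'
            $r.Detail = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

# Constructed sample list: well-known principals that resolve on any Windows
# host, plus a fictitious cross-domain account that will not.
$trustees = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'OTHERDOMAIN\departed.user'   # hypothetical entry from a trusted domain
)

$trustees | Resolve-Trustee | Format-Table Trustee, Status, Sid, Detail -AutoSize
```

Run it on the Audit Trail server itself. The IIS application pool virtual account authenticates to other machines, including domain controllers, as the computer account, so to see exactly what the web app sees, run the script as SYSTEM (a scheduled task or `psexec -s`). A `NotFound` entry is simply stale and can be removed. A `LookupFailed` entry for an account in another domain points at the trust path rather than the entry: `nltest /sc_verify:<trusted-domain>` checks the secure channel to that domain and `Get-ADTrust -Filter *` (ActiveDirectory module) lists the trusts the server's domain knows about.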
replied on March 27

Thanks for narrowing that down for me, Sam. I will get with our identity team and see if they can help us figure out what is going on.

1 0
replied on April 3

Do the AuditTrail and AuditTrailConfig virtual directories perform authentication differently? The AuditTrail directory is the one giving the error, but the AuditTrailConfig directory is not.

0 0
replied on April 3

Authentication should be the same as far as I'm aware. This appears to be failing on an Authorization step where it's trying to check if a user is in a group. Presumably, whether the authenticated user is in a group authorized to run Audit Trail reports.

WindowsPrincipal.IsInRole Method

Determines whether the current principal belongs to a specified Windows user group.

In my experience, authorization steps usually only happen after successful authentication. This suggests the login itself is succeeding but the group membership evaluation fails.

You should check the roles/groups that are granted permissions on the audit source.

Here are some search hits for "System.Security.Principal.NTAccount.TranslateToSids error: The trust relationship between the primary domain and the trusted domain failed." that may be relevant:

https://stackoverflow.com/questions/50948806/the-trust-relationship-between-the-primary-domain-and-the-trusted-domain-failed

The issue that we had was caused by our application checking to see if a user was in a security group that did not exist. Once we updated it so that it only validated against existing security groups, the problem went away.

https://forums.servicestack.net/t/the-trust-relationship-between-the-primary-domain-and-the-trusted-domain-failed-after-upgrade-to-v5-11/10044

https://stackoverflow.com/questions/65155910/role-authorization-throws-the-trust-relationship-between-this-workstation-and-t

https://stackoverflow.com/questions/22765626/trust-relationship-between-and-the-primary-domain-failed-in-mvc5-authentic

I ran into a similar issue regarding this. The trust relationship error results from calling IsInRole('somerole') when the Claims on the Identity do not contain that role, the Identity is Windows, and that group does not exist in the primary domain, and some trust issue between another domain exists.

https://stackoverflow.com/questions/22518243/user-isinrolefake-group-results-in-the-trust-relationship-between-the-prima

0 0
replied on April 3

We aren't applying security in Audit Trail using any groups.

0 0
replied on April 3

If I recall correctly, Audit Trail automatically always grants reporting permissions to members of the local Administrators group. 

0 0
SELECTED ANSWER
replied on April 7

I just reviewed Audit Trail code. For the WindowsPrincipal.IsInRole error, Audit Trail is checking the logon user against the audit source trustee list configured on Audit Trail Configuration site. All trustees on the list, including both user and group, are involved. I think it could be helpful to examine every trustee even though some are irrelevant to the logon user.

1 0
replied on April 7

Thank you for that information. I found a user in the Audit Trail trustee list that had left the company and removed them. That has resolved the issue.

Can the behavior of this be changed in a future version? Having an invalid user should not prevent all other users from accessing Audit Trail.

1 0
replied on April 8

Yeah, we'll file a bug and reply back with the bug #. 

Was the offending user account in a different AD domain than the one the Audit Trail server was joined to? If Audit Trail login broke any time a user in the Permissions list was invalid, I suspect we would have had more reports about the issue.

Perhaps there is handling for the System.Security.Principal.NTAccount exception that occurs when an invalid user is on the same domain, but not the "trust relationship between the primary domain and the trusted domain failed." one that appears to happen when they're not.

0 0
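An added example, not Laserfiche's code, of the failure mode discussed in this thread and one way to avoid it: the fragile pattern, where IsInRole(string) throws as soon as any trustee name cannot be translated, beside a hardened check that translates each trustee on its own, records the ones that fail, and compares SIDs against the logon token. Function names and trustee entries are made up.

```powershell
# Added example, not Audit Trail code: the fragile authorization pattern
# beside a hardened one. Function names and trustee entries are made up.

# Fragile: IsInRole(string) translates the name to a SID on every call and
# throws SystemException as soon as any one trustee cannot be resolved,
# which is what the stack trace in this thread shows. One stale entry
# therefore denies everyone.
function Test-AccessFragile {
    param(
        [System.Security.Principal.WindowsPrincipal]$Principal,
        [string[]]$Trustees
    )
    foreach ($t in $Trustees) {
        if ($Principal.IsInRole($t)) { return $true }   # may throw here
    }
    return $false
}

# Hardened: translate each trustee separately, record and skip the ones that
# fail, then compare SIDs against the logon token, which the logon already
# populated, so no further directory round trip is needed.
function Test-AccessHardened {
    param(
        [System.Security.Principal.WindowsIdentity]$Identity,
        [string[]]$Trustees,
        [System.Collections.Generic.List[string]]$Problems   # receives failures for logging
    )
    $tokenSids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$tokenSids.Add($Identity.User.Value)
    foreach ($g in $Identity.Groups) { [void]$tokenSids.Add($g.Value) }

    foreach ($t in $Trustees) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$t).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        }
        catch [System.SystemException] {   # includes IdentityNotMappedException
            # Fail closed for this entry only: it grants nothing, but it does
            # not block evaluation of the remaining trustees.
            $Problems.Add("$t : $($_.Exception.GetType().Name): $($_.Exception.Message)")
            continue
        }
        if ($tokenSids.Contains($sid)) { return $true }
    }
    return $false
}

# Constructed demonstration against the current logon token.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$trustees = @(
    'OTHERDOMAIN\departed.user',   # hypothetical stale cross-domain entry
    'BUILTIN\Users'                # resolves everywhere; present in most tokens
)

try {
    $principal = [System.Security.Principal.WindowsPrincipal]::new($me)
    $fragile   = Test-AccessFragile -Principal $principal -Trustees $trustees
    "Fragile check allowed: $fragile"
}
catch {
    "Fragile check threw: $($_.Exception.GetType().Name): $($_.Exception.Message)"
}

$problems = [System.Collections.Generic.List[string]]::new()
$allowed  = Test-AccessHardened -Identity $me -Trustees $trustees -Problems $problems
"Hardened check allowed: $allowed"
$problems | ForEach-Object { "Skipped trustee -> $_" }
```

The hardened variant keeps the semantics of IsInRole(string): after translation, WindowsPrincipal.IsInRole compares the SID against the token's groups, which is exactly what the HashSet lookup does (calling the IsInRole(SecurityIdentifier) overload after a guarded translate would be equivalent). The only difference is that a translation failure is isolated to its own entry. The skipped list should be written to the application log or surfaced in the configuration UI rather than dropped silently, since a trustee that no longer resolves is a permission entry nobody is reviewing; removing it, as this thread's fix did, remains the right cleanup.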
replied on April 8

Yes, the account was in a different AD domain than the one the Audit Trail server was joined to. There was a trust between them, but they were different.

0 0