
The trust relationship between the primary domain and the trusted domain failed

Keywords: Trust, domain, SystemException, System.Security.Principal.NTAccount.TranslateToSids, EPiServer.Security.UnifiedPrincipal.IsInRole

The solution to this failure message is pretty well described both on the EPiServer forum and on EPiServer Labs:
1. EPiServer developer forum | Problems and bugs | Login using Active Directory accounts fail after upgrade to 4.61 and ASP.NET 2.0 (Read Steve Celius' comment, and you will get the big picture!)
2. EPiServer Labs

In my project we got this error because one of the domains was down, and .NET tried to locate the local EPiServer groups (WebEditors, WebAdmins and WebPartAdmins) in every available domain. But when one of the domains was down, .NET 2.0 threw an exception, causing the site to crash. We didn't need these local groups anymore, so we simply removed them, and almost everything was OK.

But one thing that has never been shared in any of the blog posts I've been reading is the necessity to remove WebEditors, WebAdmins and all possible local groups from web.config as well. It's not enough just to remove the groups from the EPiServer database. Another important part of this, and the whole reason for this blog post, is that if you have a load-balanced system, you use web services to clear the cache on the remote site(s). It is then important that you also remove all groups/users that have no domain specified, like 'WebServices', from the allow roles section of the location path for WebServices in web.config:

<location path="WebServices">
  <system.web>
    <pages theme="" />
    <authorization>
      <allow roles="Administrators, machinename/webserviceuser" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<allow roles="WebServices, Administrators, machinename/webserviceuser" />
would cause the load balancing to fail if one domain is down.
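
A check for the web.config cleanup described above, as an added example that is not part of the original post or of EPiServer: it lists every role or user in an authorization rule that has no domain or machine prefix. The `LOCAL_OK` set, the function name and the sample config are assumptions made for illustration; `Administrators` is treated as safe only because the post's working config keeps it unqualified.

```python
import xml.etree.ElementTree as ET

# Assumption: names that resolve without a domain lookup. The post's working
# config keeps "Administrators" unqualified, so it is listed here.
LOCAL_OK = {"administrators", "*", "?"}

# Constructed sample: the failing <allow> from the post inside its <location>.
SAMPLE = """<configuration>
  <location path="WebServices">
    <system.web>
      <authorization>
        <allow roles="WebServices, Administrators, machinename/webserviceuser" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def unqualified_principals(config_xml, local_ok=LOCAL_OK):
    """Return (location path, rule, attribute, name) for each role or user
    in an <authorization> rule that has no domain or machine prefix."""
    root = ET.fromstring(config_xml)
    for el in root.iter():  # drop an xmlns prefix if <configuration> has one
        el.tag = el.tag.split("}")[-1]
    findings = []
    # Site-wide rules sit directly under <configuration>; per-path rules sit
    # under <location path="...">.
    scopes = [("(site root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for path, scope in scopes:
        for rule in scope.findall("./system.web/authorization/*"):
            if rule.tag not in ("allow", "deny"):
                continue
            for attr in ("roles", "users"):
                for name in (rule.get(attr) or "").split(","):
                    name = name.strip()
                    if not name or name.lower() in local_ok:
                        continue
                    # The post writes the prefix with "/"; Windows also uses "\".
                    if "/" not in name and "\\" not in name:
                        findings.append((path, rule.tag, attr, name))
    return findings


if __name__ == "__main__":
    for finding in unqualified_principals(SAMPLE):
        print("unqualified principal:", finding)
```

Run it against each load-balanced node's web.config after removing the local groups; an empty result means no rule still depends on a name without a domain or machine prefix.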