ASP.NET 2.0 web app authentication problems

tferro82
tferro82 used Ask the Experts™
on
My AD is setup with a single forest and 4 child domains.  3 of the child domains replicate with DCs that are in our main location as well as a separate physical location connected via a VPN tunnel.

I have a web app that runs on a machine joined to the 4th domain, lets call it "CORP".  The corresponding DNS zone for the CORP domain is replicated throughout the forest, but the two DCs for CORP are both in the primary location and do not depend on the tunnel being up or down.

The CORP domain has two outgoing trusts for "Domain1" and "Domain2" which do have replication partners out in the remote secondary location.  

On to the question....

For some reason, when our tunnel goes down, AD users cannot login to our .Net 2.0 webapp configured for windows auth.  The server hosting the web app is joined to the "CORP" domain and points to the local CORPDC1 and CORPDC2 for DNS.  Is the error below caused by the lack of connectivity with the DCs out in our remote location?  If so, why does this dependency exist since the server hosting the webapp (as well as the users connecting to it) are set to use the 2 local DCs?

Below is the error.....

SystemException: The trust relationship between the primary domain and the trusted domain failed.
]
   System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed) +1185
   System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean& someFailed) +44
   System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess) +47
   System.Security.Principal.WindowsPrincipal.IsInRole(String role) +101
   UserInfo..ctor(IPrincipal oUser) +222
   BasePage.get_LoggedInUser() +44
   BasePage.Page_Init(Object sender, EventArgs e) +44
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
   System.Web.UI.Control.OnInit(EventArgs e) +99
   System.Web.UI.Page.OnInit(EventArgs e) +12
   System.Web.UI.Control.InitRecursive(Control namingContainer) +333
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +378
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2011
Commented:
Yes, the link between them appears broken and this is going to continue to be an issue but the following fixed mine when I had similar problem.

The problem is that AD forest that the user was running in did not have sufficient privileges to access the AD forest where the groups were defined.

Hopefully, it will fix your issues too.

http://social.technet.microsoft.com/Forums/en/sharepointgeneral/thread/07207109-0450-47cf-b6ee-467a58eaa887

You can also try this link.

http://stackoverflow.com/questions/1260153/windows-authentication-in-iis-7-5-fails-with-trust-relationship-exception

Good luck.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial