Solved

workstations getting trust relationship errors and Macbooks have to reboot multiple times to log in

Posted on 2016-11-11
Last Modified: 2016-11-12
We had a power outage at one of our three campuses. After the power came on, we started seeing users not able to log in. The Macbooks couldn't log in, with the login window shaking as though it was a bad password. The Macbook users, for the most part, are able to log in if they reboot their Macbook. There are not as many Windows PC users on this domain, but they get an actual error message: "The trust relationship failed....". I have redacted the domain name and IP addresses to post this. Outside the power outage, there hasn't been anything changed to have caused this.

Please note, the domain and IP address information was changed in the log below. The rest of the information is directly from a log entry.
==================================

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/11/2016 8:42:59 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Papabear3.domainname.org
Description:
Kerberos pre-authentication failed.

Account Information:
      Security ID:            ACADEMIC\macbookname
      Account Name:            macbookname

Service Information:
      Service Name:            krbtgt/domainname.ORG

Network Information:
      Client Address:            10.20.30.40
      Client Port:            57688

Additional Information:
      Ticket Options:            0x40000000
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-11-11T14:42:59.136315900Z" />
    <EventRecordID>467467624</EventRecordID>
    <Correlation />
    <Execution ProcessID="552" ThreadID="6644" />
    <Channel>Security</Channel>
    <Computer>Papabear3.domainname.org</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">macbookname</Data>
    <Data Name="TargetSid">S-1-5-21-2135040803-2001415408-48716514-36973</Data>
    <Data Name="ServiceName">krbtgt/domainname.ORG</Data>
    <Data Name="TicketOptions">0x40000000</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">10.20.30.40</Data>
    <Data Name="IpPort">57688</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>

===================================
Question by:BlakeISS

Accepted Solution

by:
Mohammed Khawaja earned 500 total points
ID: 41884574
You could go to the affected computer properties, click on change domain membership and re-enter the domain name (i.e. if domain name is xyz.local then enter xyz and if domain shows xyz then enter xyz.local) and this will reset the trust relationship.  Your other option would be to remove PC from domain (i.e. join it to a workgroup) and then rejoin the domain.

Don't know what happened but this should fix it.
1
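An added example, not part of the original thread: a small Python parser for the Event XML form of the 4771 record posted in the question. It decodes Status, PreAuthType and TicketOptions into their RFC 4120 names and counts failures per account and client. The sample is a trimmed copy of the posted event, with values as redacted by the poster; the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Subset of the RFC 4120 error codes that can appear in the Status field.
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
              0x25: "KRB_AP_ERR_SKEW"}
PA_TYPES = {"2": "PA-ENC-TIMESTAMP"}  # RFC 4120 pre-authentication data type
# KDCOptions flags from RFC 4120; bit 0 is the most significant of 32 bits.
KDC_OPTIONS = {1: "forwardable", 3: "proxiable", 8: "renewable", 27: "renewable-ok"}

# Trimmed copy of the event in the question (values as redacted by the poster).
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID></System>
  <EventData>
    <Data Name="TargetUserName">macbookname</Data>
    <Data Name="TicketOptions">0x40000000</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">10.20.30.40</Data>
  </EventData>
</Event>"""

def decode_options(value):
    """Return the names of the KDCOptions flags set in a TicketOptions value."""
    return [n for bit, n in sorted(KDC_OPTIONS.items()) if value & (1 << (31 - bit))]

def parse_4771(xml_text):
    """Extract and decode the fields of one 4771 event given as Event XML."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        raise ValueError("not a 4771 event")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    status = int(data["Status"], 16)
    return {
        "account": data["TargetUserName"],
        # DCs often log IPv4 clients as ::ffff:a.b.c.d; strip the prefix.
        "client": data["IpAddress"].replace("::ffff:", "", 1),
        "error": KRB_ERRORS.get(status, hex(status)),
        "preauth": PA_TYPES.get(data["PreAuthType"], data["PreAuthType"]),
        "options": decode_options(int(data["TicketOptions"], 16)),
    }

def summarize(events):
    """Count failures per (account, client, error) across many event XML strings."""
    return Counter((e["account"], e["client"], e["error"]) for e in map(parse_4771, events))

if __name__ == "__main__":
    print(parse_4771(SAMPLE))
```

Run over an export of 4771 events from each domain controller, the summary shows which accounts fail with which code, separating pre-authentication failures (0x18) from clock skew (0x25).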
