Tuesday, March 2, 2010

System.Security.Principal.WindowsPrincipal IsInRole() Trust relationship problem

Hello everyone,

I recently ran across a problem with an application that uses .NET's System.Security.Principal.WindowsPrincipal IsInRole() method; the call failed with the error "The trust relationship between the primary domain and the trusted domain failed". The application was checking local group memberships on the workstations to validate access to the application. For a quick background, I'm not a developer, and it's the first time I have seen this object in use. A simplified idea of the domain structure can be shown as:


The application was receiving this error in child domain #2, but working in child domain #1. The legacy domain's DCs had just been decommissioned.

When digging through the history of the machines, the user accounts involved, group object metadata, etc., the users were found not to have been members of any of the local groups the code was looking for. Tracing the exception with some basic PowerShell tests from the affected domain...


$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$up = New-Object System.Security.Principal.WindowsPrincipal($me)

$up.IsInRole("Administrators")   # unqualified name: could be a local or a domain group; this account is a member of both
True

$up.IsInRole("blah")             # unqualified name: could be a local or a domain group; the group does not exist
Exception calling "IsInRole" with "1" argument(s): "The trust relationship between the primary domain and the trusted domain failed."


Here we have success, or failure depending on perspective. Because the code does not qualify the group name with a machine or domain, the lookup has to check local groups and then the domains the workstation can reach through its trusts. "Administrators" resolves on the local machine and never leaves it; "blah" does not exist anywhere, so the lookup walks out to the trusted domains, including the decommissioned one, and the failure comes back as the message above (the text of Win32 error 1788, ERROR_TRUSTED_DOMAIN_FAILURE). I'm not digging deeply into exactly how the lookup is implemented or in what order it tries each scope. Netmon traces showed group membership lookups going to domain controllers, and name resolution attempts for the decommissioned trusted domain.


If we try the same test from Child domain 1


$up.IsInRole("blah")
False


If we try the same test from child domain 2 with domain specified

$up.IsInRole("Child1\blah")
False


No exceptions now. How do we specify a local group when the machine name is not known in advance?

$up.IsInRole("\users")   # empty authority before the backslash; resolved as a local group in this test
True

$up.IsInRole("\blah")    # same form, group does not exist locally: False rather than an exception
False

This seems to work for me for specifying a local group. Eventually a fix for this type of problem involves code that can handle intermittent domain trust problems, but also removing any legacy trusts along with the decommissioning of a domain. Having code that better specifies the scope of the group, or the domain of the group, would also improve reliability. I hope this post helps anyone who encounters this error with this particular .NET class.
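As an added example (my own code, not from the original post or the application it describes), the script below does what the last paragraph recommends: every group name is qualified with an authority (BUILTIN, the local machine via $env:COMPUTERNAME, or a specific domain), resolved to a SID once, and then checked with the SID overload of IsInRole(), which compares against the token's groups without any further name lookup. It also separates "the group does not exist" from "the lookup failed", so a dead trust is reported as an infrastructure fault instead of being mistaken for a missing membership. The group name AppUsers and the domain name CHILD1 are assumptions for illustration; the well-known groups and the .NET types are real.

```powershell
# Added example, not code from the original post. Scope every group lookup so that
# IsInRole() never has to walk trusted domains to resolve a bare name, and tell
# "group does not exist" apart from "lookup failed" (e.g. an unreachable trust).
# Assumptions: "AppUsers" (local) and "CHILD1\AppUsers" (domain) are hypothetical.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

function Test-ScopedGroupMembership {
    param(
        [Parameter(Mandatory=$true)][System.Security.Principal.WindowsPrincipal]$Principal,
        [Parameter(Mandatory=$true)][string]$Authority,   # BUILTIN, $env:COMPUTERNAME, or a NetBIOS domain name
        [Parameter(Mandatory=$true)][string]$GroupName
    )
    $label   = "$Authority\$GroupName"
    $account = New-Object System.Security.Principal.NTAccount($Authority, $GroupName)
    try {
        # Resolve the qualified name to a SID once; the lookup is confined to $Authority.
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # PowerShell wraps the .NET exception
        if ($ex -is [System.Security.Principal.IdentityNotMappedException]) {
            # The authority answered and the group is simply not there.
            return New-Object PSObject -Property @{ Group = $label; Result = 'NoSuchGroup'; Detail = $null }
        }
        # Anything else (trust failure, DC unreachable, ...) is an infrastructure fault:
        # report it as such and fail closed instead of throwing into the caller.
        return New-Object PSObject -Property @{ Group = $label; Result = 'LookupFailed'; Detail = $ex.Message }
    }
    # SID-based IsInRole() compares against the token's group SIDs; no name lookup at all.
    $result = if ($Principal.IsInRole($sid)) { 'Member' } else { 'NotMember' }
    New-Object PSObject -Property @{ Group = $label; Result = $result; Detail = $sid.Value }
}

# Well-known local groups need no lookup at all: use the enum overload.
$isLocalAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Local Administrators (enum, no lookup): $isLocalAdmin"

$checks = @(
    Test-ScopedGroupMembership $principal 'BUILTIN'          'Users'
    Test-ScopedGroupMembership $principal $env:COMPUTERNAME  'AppUsers'   # hypothetical local group
    Test-ScopedGroupMembership $principal 'CHILD1'           'AppUsers'   # hypothetical domain group
    Test-ScopedGroupMembership $principal $env:COMPUTERNAME  'blah'       # does not exist: NoSuchGroup, not an exception
)
$checks | Select-Object Group, Result, Detail | Format-Table -AutoSize

# Authorization decision: only an explicit 'Member' grants access. 'LookupFailed'
# denies access too, but is surfaced separately so an intermittent trust problem
# is not mistaken for "the user is not in the group".
$granted = @($checks | Where-Object { $_.Result -eq 'Member' })
$failed  = @($checks | Where-Object { $_.Result -eq 'LookupFailed' })
if ($failed.Count -gt 0) { Write-Warning "Group lookup failed for: $($failed | ForEach-Object { $_.Group })" }
"Access granted via: $($granted | ForEach-Object { $_.Group })"
```

A qualified lookup against BUILTIN or the local machine name stays on the workstation, so a broken trust cannot affect it; a lookup against a named domain still has to reach one of that domain's controllers, which is why the LookupFailed state is kept rather than treating every exception as "not a member". In a real application the SIDs would be resolved once at startup (or stored in configuration) and only the SID-based IsInRole() would run on each request.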
