
Windows Authentication in IIS 7.5 Fails with Trust Relationship Exception

I have an ASP.Net 2.0 application that uses integrated Windows Authentication to authenticate/authorize users. The application works fine on Windows XP/IIS 5.1, Windows Server 2008/IIS 7, and Windows Vista/IIS 7. When I try to run this application on Windows 7/IIS 7.5, I get the following exception: The trust relationship between this workstation and the primary domain failed.

The stack trace is as follows:

[SystemException: The trust relationship between this workstation and the primary domain failed.]
   System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed) +1085
   System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess) +46
   System.Security.Principal.WindowsPrincipal.IsInRole(String role) +128
   System.Web.Configuration.AuthorizationRule.IsTheUserInAnyRole(StringCollection roles, IPrincipal principal) +229
   System.Web.Configuration.AuthorizationRule.IsUserAllowed(IPrincipal user, String verb) +354
   System.Web.Configuration.AuthorizationRuleCollection.IsUserAllowed(IPrincipal user, String verb) +245
   System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +11153304
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

The web.config file contains the following information related to authentication/authorization:

<authentication mode="Windows" />
<authorization>
  <!--Deny anonymous users-->
  <deny users="?"/>
  <allow roles="domain\GroupWithAccess"/>
  <deny users="*"/>
</authorization>

Most of the results I found when researching this error state that the problem is related to a broken computer account in the domain and list the solution as re-joining the domain. I've done this but the error still appears. "Normal" domain operations work fine (accessing UNC shares, logging in, etc.).

This application runs in the Classic .Net AppPool for compatibility reasons. I tried changing the identity of the AppPool to "NetworkService" but the error still persists.

Any help is greatly appreciated.

I finally found an answer to this after experiencing the same problem on Windows Server 2008 R2. From this article:

Disable the following policies on the Windows 2008 R2 server, run gpupdate /force and restart the server.

"Computer Configuration\Windows Setting\Security Settings\Local Policies\Security Option"

Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally encrypt secure channel data (When possible)
Domain Member: Digitally sign secure channel data (When possible)

I can confirm that this fixed the problem on Windows 7 as well.
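Before flipping the three policies above, it helps to see what the server is actually enforcing and whether the machine's secure channel is healthy at all. The following read-only PowerShell check is an added example, not part of the original answer; it assumes it runs as an administrator on the domain-joined web server, and the mapping from each policy to its Netlogon registry value (RequireSignOrSeal, SealSecureChannel, SignSecureChannel) is my own.

```powershell
# Added example (not from the original question or answers): audit the three
# Netlogon secure-channel policies named in the answer and verify the machine's
# secure channel to the domain. Read-only; nothing is changed.
# Assumption: run as administrator on the domain-joined IIS server.

$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Registry value behind each Group Policy setting (1 = enabled, 0 = disabled).
$policies = [ordered]@{
    'RequireSignOrSeal' = 'Domain member: Digitally encrypt or sign secure channel data (always)'
    'SealSecureChannel' = 'Domain member: Digitally encrypt secure channel data (when possible)'
    'SignSecureChannel' = 'Domain member: Digitally sign secure channel data (when possible)'
}

function Get-SecureChannelPolicyState {
    $props = Get-ItemProperty -Path $netlogonParams
    foreach ($name in $policies.Keys) {
        [pscustomobject]@{
            Policy   = $policies[$name]
            Registry = $name
            Enabled  = ($props.$name -eq 1)
        }
    }
}

Get-SecureChannelPolicyState | Format-Table -AutoSize

# A failed secure channel points at the computer account / trust itself rather
# than at IIS or the signing policies, so check it before weakening anything:
# disabling these settings lets the Netlogon channel fall back to unsigned and
# unencrypted traffic, which is a deliberate security trade-off.
$channelOk = Test-ComputerSecureChannel -Verbose
if (-not $channelOk) {
    Write-Warning 'Secure channel verification failed; repair the computer account (Test-ComputerSecureChannel -Repair) before changing signing policy.'
}
```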

I'm adding this for future reference:

"Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2"

http://support.microsoft.com/kb/976494

That might be a solution to the problem as well.
