"Trust relationship between ... and the primary domain failed" in MVC5 Authentication
Solution 1
So, based on my EDIT, I've modified my _Layout.cshtml so that instead of having
@if(User.IsInRole("Admin")) {...}
I have
@if(User.Identity.IsAuthenticated && User.IsInRole("Admin")) {...}
which seems to solve the problem.
I believe the problem was that ASP .NET Identity uses an empty WindowsIdentity when no user is authenticated and when I try to check for the User.IsInRole, then it will try to check the roles of a WindowsIdentity against an Active Directory that I don't have. Obviously I should first check if the user is even logged in before attempting to check its roles, so mea culpa.
But, even though the change above seems to fix my code, I'd be very interested in knowing more about this behavior: why is it using an empty System.Security.Principal.WindowsIdentity when no user is authenticated. I'll accept any answer which explains that.
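An added example, not part of the original answer: a fail-closed role check that generalizes the guard above, so an anonymous or Windows principal is never asked for its roles. The names PrincipalRoleExtensions and IsInAppRole are hypothetical, and the code assumes an application that, like the asker's, issues its roles as claims and does not use Windows authentication.

```csharp
using System.Security.Claims;
using System.Security.Principal;

// Hypothetical helper (not from the original answers): a role check that
// fails closed and never calls IsInRole on a WindowsPrincipal.
public static class PrincipalRoleExtensions
{
    public static bool IsInAppRole(this IPrincipal user, string role)
    {
        if (user == null || user.Identity == null || string.IsNullOrEmpty(role))
            return false;

        // Anonymous request: deny without performing any role lookup.
        if (!user.Identity.IsAuthenticated)
            return false;

        // WindowsPrincipal derives from ClaimsPrincipal, so test for it first.
        // Assumption: the app does not use Windows authentication, so a
        // Windows principal holds no application roles.
        if (user is WindowsPrincipal)
            return false;

        var claimsPrincipal = user as ClaimsPrincipal;
        if (claimsPrincipal == null)
            return user.IsInRole(role); // custom IPrincipal: defer to it

        // Compare against the role claims issued at sign-in.
        foreach (var identity in claimsPrincipal.Identities)
        {
            if (identity.IsAuthenticated &&
                identity.HasClaim(identity.RoleClaimType, role))
                return true;
        }
        return false;
    }
}
```

In _Layout.cshtml the check then reads @if (User.IsInAppRole("Admin")) {...}.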
Solution 2
I've had this issue - It failed for me if I tested an active directory group that didn't exist.
Make sure you're using a group that exists!
Solution 3
I was having this issue with Asp.Net Core 3.1 with Windows Authentication, but this thread came up first when searching the internet. I ended up resolving the issue by decorating the controller class declaration with the following:
using Microsoft.AspNetCore.Authorization;
[Authorize]
public class SetupController : Controller
Hope this is helpful for someone that is using Windows Authentication and is having the same error.
Solution 4
We were having this same issue on a new production server. Using the Identity Framework and restricting access to a specific directory with a web.config file denying any unauthenticated users. When unauthenticated users tried to access a page in this directory that contained any User.IsInRole("RoleName") code, they were getting the "Trust relationship..." error.
None of the fixes mentioned in other SO answers worked for us.
Turns out we just had to enable Forms Authentication in IIS - problem solved.
user1987392
Updated on August 05, 2020
Comments
-
user1987392 over 3 years
I have an ASP .NET MVC5 application in which I am not using Windows Authentication.
Everything was working fine until I tried running the application outside of the Domain in which it was being developed and (for whatever reason) got a:
The trust relationship between this workstation and the primary domain failed.
when I'm trying to do User.IsInRole("Admin").
I am using custom Identity, Role, IdentityStore, RoleStore, etc. from .NET's Identity and I can see that the User and Role data is being retrieved from the (MongoDB) database correctly.
There are plenty of questions regarding this issue, but they're from people who want to use Windows Auth. and impersonation in their MVC applications:
How to configure Windows Authentication / Impersonation + IIS 7 + MVC
The trust relationship between the primary domain and the trusted domain failed
My.User.IsInRole("Role Name") throws a Trust Relationship error on Windows 7
So why exactly am I getting this SystemException if I'm not using Active Directory and (as far as I know) not doing anything that might depend on the PC's domain? Am I missing some configuration (either in my Web.config or IIS Express)?
EDIT:
Ok, so narrowing it down a bit...
My User.IsInRole("Admin") line is inside an if() statement in my _Layout.cshtml View (i.e., to know what to show in the nav. bar depending on the role).
I now know I only get the error above when no user is authenticated and I'm not in the domain I used for dev. If I place a breakpoint on that line, I can see that the User object is a System.Security.Principal.WindowsIdentity and its underlying Identity is System.Security.Principal.WindowsIdentity.
On the other hand, if the user is authenticated, then the User object and its Identity are System.Security.Claims.ClaimsPrincipal and System.Security.Claims.ClaimsIdentity.
Why is it using Windows Identity at all (when unauthenticated) and how can I disable it?
-
JoeBrockhaus over 9 years
I ran into a similar issue regarding this. The trust relationship error results from calling IsInRole('somerole') when the Claims on the Identity does not contain that role, the Identity is Windows, and that group does not exist in the primary domain, and some trust issue between another domain exists. I never resolved my issue. stackoverflow.com/questions/22518243/…
-
user1987392 over 9 years
@JoeBrockhaus if I recall correctly, in my case the problem was that doing User.IsInRole() if the user wasn't authenticated would throw an error. I wasn't using Active Directory at all so unfortunately I don't really know how to help.
-
JoeBrockhaus over 9 years
no worries. Was just providing the link back to the other question in case others found this one instead.
-
user1987392 over 9 years
I wasn't using Active Directory, but thanks for your answer - it may be useful for people who do and get here with the same error message.
-
Micah Armantrout over 9 years
For others... this error seems to be a generic message that Microsoft uses; it doesn't always mean it needs to be rejoined.
-
Dan about 9 years
Yup, MVC5 seems to use a windows identity when the user is unauthenticated, checking for isAuthenticated fixes this
-
Daniel Jackson about 5 years
Didn't fix for me.
-
torendil about 3 years
Thanks for trying, and I upvoted for that, but it didn't work for me