Users cannot log on to a system using Active Directory credentials and the following error message appears: “The trust relationship between this workstation and the primary domain failed.”
Users and Citrix administrators might see this error on VDIs or application servers. The solutions are below.
This issue is seen when the session logon is attempted through Remote Desktop Protocol, ICA, or directly at the console. Only logons using local accounts succeed. The underlying problem is that the machine you are trying to access can no longer communicate securely with the Active Directory domain to which it is joined.
DO NOT DISJOIN AND REJOIN THE MACHINE TO THE DOMAIN.
This will change the SID in AD, but the Site/farm database will still contain the old SID. This can cause many issues and leave your site and database in an inconsistent state. Instead, reset the AD computer account password using one of the following methods.
First, determine which component is having the issue. Then use the repair method that works best for your environment.
Provisioning Services Server, XenDesktop or XenApp Delivery Controller or XD/XA VDA:
There are a number of different ways this can be done via PowerShell, from the local machine and from an AD domain controller. Here are a couple of options:
ii) Open the Windows System properties
iii) Change: “domain.net” to just “domain”
Option 4) Command line using the NETDOM tool:
- Log on to the machine with a local administrator account.
- Obtain netdom.exe: on Windows Server 2008 or Windows Server 2008 R2 it is installed from the CD when you enable the Active Directory Domain Services role.
Note: On Windows Vista and Windows 7, use the Remote Server Administration Tools (RSAT) to enable the Active Directory Domain Services role.
- Run netdom.exe to change the password.
- Open a command prompt with administrator rights.
- Execute the command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
- Restart the machine.
Provisioning Services Target Device
Make sure that you have configured the PVS environment properly.
Reference the following article: https://support.citrix.com/article/CTX132289
Once that is confirmed, shut the target device down and reset the machine account password for the affected target device in the PVS console.
This can happen for a number of reasons. This article addresses the situations where the machine account password needs to be reset. These are the non-destructive methods for fixing the most common causes of the trust relationship issue:
- Machine was restored to a system restore point or to a snapshot that is old enough to have a different machine account password than the one currently in use by AD.
- More than one machine on a network with the same hostname.
- AD Machine account object corruption.
- An AD policy that disables a computer after x days without authenticating.
- Computer object in AD is deleted.
Out of all these solutions, Reset-ComputerMachinePassword and Test-ComputerSecureChannel -Repair worked for me in my real-time issue. Log in to the server/VDI where we have the issue with a local user ID, open a command prompt as admin with elevated rights, run the above two commands and restart the server/VDI.
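As an added example (not code from the original article or from Citrix), the script below strings the two PowerShell cmdlets named above into a check-then-repair sequence: it tests the secure channel first, tries Test-ComputerSecureChannel -Repair, falls back to Reset-ComputerMachinePassword only if the channel is still broken, and re-tests before offering a restart. The domain controller name DC01.contoso.local and the account CONTOSO\svc-joiner are placeholders; substitute a writable DC and a domain account that holds the "Reset password" right on the affected computer object. Run it from an elevated PowerShell session while logged on with a local administrator account, which is the only kind of logon that still works when the trust is broken.

```powershell
# Added example, not part of the original article.
# Assumptions (placeholders): DC01.contoso.local is a reachable writable domain
# controller; CONTOSO\svc-joiner is a domain account allowed to reset the
# computer account password. Run elevated, logged on as a LOCAL administrator.

param(
    [string]$Server   = 'DC01.contoso.local',   # placeholder writable DC
    [string]$UserName = 'CONTOSO\svc-joiner'    # placeholder domain account
)

# Step 1: read-only check of the secure channel. Safe to run at any time;
# returns $true when the Netlogon channel to the DC is healthy.
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host "Secure channel to $Server is healthy; no reset needed."
    return
}

# Domain credentials are needed for the repair because the local account
# running this script has no rights on the AD computer object.
$cred = Get-Credential -UserName $UserName -Message 'Domain account permitted to reset the computer password'

# Step 2: try the in-place repair first. This tears down and rebuilds the
# Netlogon channel and is the least invasive of the two fixes.
Test-ComputerSecureChannel -Repair -Server $Server -Credential $cred | Out-Null

# Step 3: only if the channel is still broken, reset the machine account
# password on the DC and locally so both sides agree again.
if (-not (Test-ComputerSecureChannel -Server $Server)) {
    Write-Host "Repair did not restore the channel; resetting the machine account password."
    Reset-ComputerMachinePassword -Server $Server -Credential $cred
}

# Step 4: verify and restart. The restart lets Netlogon and cached logon
# tokens pick up the new password; do NOT disjoin/rejoin the domain.
if (Test-ComputerSecureChannel -Server $Server) {
    Write-Host "Secure channel restored. Restart the machine to complete the fix."
    Restart-Computer -Confirm
} else {
    Write-Warning ("Secure channel still broken. Check for a duplicate hostname, " +
                   "a deleted or disabled computer object in AD, or DNS and time " +
                   "problems before retrying.")
}
```

The same reset can be done with the NETDOM command from Option 4; note that its /ud: value must be given as domain\user, and /pd:* prompts for the password instead of placing it on the command line, which keeps it out of the shell history. Whichever tool is used, reset the password on the DC that the machine will authenticate against, or wait for replication, before restarting.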