Local security groups just got even more important.

by: Mikael Runhem

Using local security groups on the web servers running EPiServer has been a recommendation since forever, but in the past it affected little other than performance, so partners and customers have not focused on it. Now, with newer versions of .Net, they are running into strange problems, and EPiServer CMS is naturally blamed, which consumes a large share of our support resources.

The Research team got a support case regarding an EPiServer 4 site escalated to us a couple of weeks ago:

When the customer's network connection between Sweden and Denmark goes down, their AD domain controllers cannot communicate, for obvious reasons. In the past, running older versions of EPiServer 4, this was not a problem, since earlier versions of .Net were kind of forgiving. However, after upgrading to the latest version of EPiServer 4 and .Net 2.0, their intranet stopped completely as soon as there was the slightest problem in the AD. This affected some 1300 users, as the intranet is the default start page.

Ruwen solved this by simply adding the AD groups to local server groups. That way we created a sort of "security proxy" that could prevent the "ugly" AD errors from interfering with .Net 2.0 (and IIS/EPiServer).

Works great and also improved the speed for bringing up the right click menu by some 30% (probably even better with more load added).

Even though this was tied to version 4 I think the same lesson can be applied to EPiServer CMS 5.
It might also be the cause for fuzzy problems in complex intranet installations.

In EPiServer CMS 4 and 5, this problem manifests itself by generating the following error when you don’t have contact with your DC:

The trust relationship between this workstation and the primary domain failed.

By creating local groups the problem is solved.

Please note that these groups do not have to include any users, just include the AD groups (that contain the EPiServer editors, the EPiServer administrators etc). That way you will keep the administration to a minimum.

Please note that this is not tied to EPiServer, it affects all web applications running .Net version 2.0 and up.

rgds

Mike (& Ruwen)

PS: Here is the article about the problems DS

The trust relationship between the primary domain and the trusted domain failed

This information applies to:

  • EPiServer 4.60
  • EPiServer 4.61

Reference: Q8802
Created: 9/25/2006
Updated: 9/25/2006
Article From version: 4.60
Article To version: 4.62


This error message appears on machines running EPiServer 4.60 (or later) in a .NET Framework 2.0 environment when trying to log on to an EPiServer site using a Windows account when not connected to your main domain.

The reason behind the error lies within code changes made to the ASP.NET framework in version 2.0. This problem will primarily occur on laptop machines since they are frequently detached from the domain network. Stationary workstations and servers should rarely be affected by this error as they are more or less permanently connected to the domain.

If you wish to set up an EPiServer installation in a .NET Framework 2.0 environment on a machine that you know will be detached from the domain network from time to time, you should not rely on Windows accounts for authentication on the EPiServer site. Instead you should use pure EPiServer accounts, i.e. accounts that have been created in EPiServer and exist only in the EPiServer database.

We consider this error to be an issue with .NET 2.0 rather than a bug in EPiServer.

Workarounds

We currently know of two ways to work around this issue.

1 - Change the unhandled exception policy back to the default behavior of previous .NET Framework versions.

Add the following code to the Aspnet.config file located in %WINDIR%\Microsoft.NET\Framework\v2.0.50727:

<configuration>
    <runtime>
        <legacyUnhandledExceptionPolicy enabled="true" />
    </runtime>
</configuration>

2 - Create local WebEditors and WebAdmins groups on the web server. These will disable the domain checks and when authenticating EPiServer users, these local Windows groups will not be used.
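Workaround 2, with the AD groups nested inside the local groups as the post recommends, can be scripted in PowerShell. This is an added example, not code from the post or from EPiServer; the `CONTOSO\...` group names are placeholders, and it assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets), an elevated prompt, and a reachable domain controller at the time it runs.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Microsoft.PowerShell.LocalAccounts

# Local group -> AD groups nested inside it. The local group names come from
# the article; the CONTOSO\... names are placeholders for your own AD groups.
$groupMap = @{
    'WebEditors' = @('CONTOSO\EPiServer-Editors')
    'WebAdmins'  = @('CONTOSO\EPiServer-Admins')
}

foreach ($localGroup in $groupMap.Keys) {
    # Create the local group only if it is missing, so the script can be re-run.
    if (-not (Get-LocalGroup -Name $localGroup -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $localGroup -Description 'EPiServer role group, AD groups only' | Out-Null
    }

    # Current members by name, so an existing member does not raise an error.
    $current = @(Get-LocalGroupMember -Group $localGroup | Select-Object -ExpandProperty Name)

    foreach ($adGroup in $groupMap[$localGroup]) {
        if ($current -notcontains $adGroup) {
            Add-LocalGroupMember -Group $localGroup -Member $adGroup
        }
    }
}

# Review step: list the resulting membership and flag anything that is not a
# group, since the post recommends nesting AD groups rather than adding users.
foreach ($localGroup in $groupMap.Keys) {
    Get-LocalGroupMember -Group $localGroup |
        Select-Object @{ n = 'LocalGroup'; e = { $localGroup } },
                      Name, ObjectClass, PrincipalSource,
                      @{ n = 'Review'; e = { if ($_.ObjectClass -ne 'Group') { 'individual account' } else { '' } } }
}
```

Because editors and administrators are still managed in AD, the membership listing from the review step is worth keeping with the server's access documentation.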

18 February 2008
