User or admin is unable to login to a computer remotely using a domain account and sees this error: 
"The security database on the server does not have a computer account for this workstation trust relationship."

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Before resetting the computer account (which may work to sort out the issue), test if the machine has both HOST\Netbios and HOST\FQDN SPN's.  A missing SPN can cause this error. 

Explanation:  
Host name:  MACHINE1.bigcompany.local
SPN's should include:   HOST\MACHINE1  and  HOST\MACHINE1.bigcompany.local

On a Domain Controller or any server with ldap access, list the SPN for MACHINE1:
setspn -L MACHINE1

If any HOST\SPN is missing, use setspn (or GET-ADCOMPUTER in Powershell) to reset the SPN: 
For example, from an elevated command prompt on an Active Directory server: 
setspn -R MACHINE1 




 

---

Problem Cause

Why the SPN would be missing is not known. 
-- If a machine is joined to the domain from a console or RDP session, the host spn's are created automatically.
-- If a machine account is created by PVS or MCS wizards, the spn's are created automatically.
However,
--If a machine account is created from the Active Directory Users and Computers console it does not have any SPN's.
--If a machine account with missing SPN's is imported by PVS or MCS, it will not get any SPN's created.
--An administrator can delete SPN's using the setspn utility or through Get--ADCOMPUTER PowerShell cmdlt.
 

If administrators are experiencing this issue, and have verified that the automatic password support is working properly, may find that missing host spn's might be the cause of the error: "The security database on the server does not have a computer account for this workstation trust relationship."