Running any CVAD PowerShell command results in the message "Insufficient administrative privilege"


Article ID: CTX265641


Description

Running any CVAD PowerShell command results in the message "Insufficient administrative privilege".

In addition, the message "You do not have sufficient permissions to administer this site" is seen when launching Studio.

Resolution

A CDF Trace taken at the time of the error will show the following.
 
17:44:07:04172,11024,8976,1,DelegatedAdminFiltering,,0,,1,Error,"CommonGetLogic: Unexpected exception System.SystemException: The trust relationship between the primary domain and the trusted domain failed.
 
   at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)
   at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
   at Citrix.Fma.Sdk.Win32NTAccountSidFactory.Win32IdentityReference.Translate(Type targetType)
   at Citrix.DelegatedAdmin.Logic.SidHelper.ConvertSidToName(String sid)
   at Citrix.DelegatedAdmin.Logic.SidHelper.ConvertAdministratorSidsToNames(IEnumerable`1 objects)
   at Citrix.DelegatedAdmin.Logic.DelegatedAdminDal.CommonGetLogicDispatcher(String operationName, IDictionary`2 arguments, String groupByProperty, Guid[] gettableScopeIds, Int32 skip, Int32 maximumResultCount, Boolean returnTotalAvailableResultCount, Int32& totalAvailableResultCount, Object[]& records)
   at Citrix.Fma.Sdk.ServiceCore.CommonCmdlets.CommonCmdletsDal.CommonGetLogic(String operationName, IDictionary`2 arguments, String groupByProperty, Guid[] gettableScopeIds, Int32 skip, Int32 maximumResultCount, Boolean returnTotalAvailableResultCount, Int32& totalAvailableResultCount, Object[]& records)",""
285,1,2019/11/04 17:44:07:04518,11024,8976,1,DelegatedAdminLog,,0,,1,Error,"Converting to a return code, an exception of type: System.SystemException and message: The trust relationship between the primary domain and the trusted domain failed.
.",""
286,1,2019/11/04 17:44:07:04521,11024,8976,1,DelegatedAdminLog,,0,,1,Error,"The exception name is SystemException",""
287,1,2019/11/04 17:44:07:04530,11024,8976,1,DelegatedAdminLog,,0,,1,Information,"Failed with unexpected exception: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.
 
On the SQL site database observe the DAS.Administrators table.



This will list all the administrators added in Studio.
 
One of these will have a faulty SID, and it will cause logons to fail for any administrator, even an administrator with a correct SID.
 
To find the faulty account, test each SID with the PowerShell commands below, which attempt to translate the SID to a username.
At least one of these will fail with the same error as seen in the CDF trace.
 
For example:
 
PS C:\Users\Administrator.BRIANMC> $sid="S-1-5-21-1134881016-329966098-1620257386-500"
PS C:\Users\Administrator.BRIANMC> $securityId = New-Object System.Security.Principal.SecurityIdentifier($sid)
PS C:\Users\Administrator.BRIANMC> $securityId.Translate([System.Security.Principal.NTAccount])
Exception calling "Translate" with "1" argument(s): "The trust relationship between the primary domain and the trusted
domain failed.
"
At line:1 char:1
+ $securityId.Translate([System.Security.Principal.NTAccount])
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SystemException
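 
The manual test above, looped over every SID from the table, as an added example that is not Citrix code. The function name Test-SidTranslation is hypothetical, the SID list is pasted by hand from DAS.Administrators, and the second SID is a constructed sample. The script only reports and does not modify anything.

```powershell
# Added example (not Citrix code). Test-SidTranslation is a hypothetical helper name.
function Test-SidTranslation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Sid
    )
    process {
        foreach ($s in $Sid) {
            $row = [pscustomobject]@{
                Sid       = $s
                Account   = $null
                Status    = 'OK'
                ErrorType = $null
                Message   = $null
            }
            try {
                # Same two calls as the manual test in the article
                $id = New-Object System.Security.Principal.SecurityIdentifier($s)
                $row.Account = $id.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                # Unwrap PowerShell's MethodInvocationException to the underlying .NET exception
                $inner = $_.Exception.GetBaseException()
                $row.Status    = 'FAILED'
                $row.ErrorType = $inner.GetType().FullName
                $row.Message   = $inner.Message.Trim()
            }
            $row
        }
    }
}

# SIDs copied by hand from the DAS.Administrators table.
$sids = @(
    'S-1-5-21-1134881016-329966098-1620257386-500'  # SID from the article's example
    'S-1-5-32-544'                                  # constructed sample: well-known BUILTIN\Administrators
)

$results = $sids | Test-SidTranslation
$results | Format-Table Sid, Account, Status, ErrorType -AutoSize

# Rows to compare against the exception in the CDF trace before touching the database
$results | Where-Object Status -eq 'FAILED' | Format-List Sid, ErrorType, Message
```

Compare the ErrorType and Message of each FAILED row with the exception recorded in the CDF trace to identify the entry to remove.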
 
 
Then delete only the faulty SID(s).
For example:

DELETE FROM [CitrixBrianmc-LTSRSite].[DAS].[Administrators] WHERE id = 2

Do not delete all SIDs, otherwise there will be no administrators left and nobody will be able to connect to Studio.


Then attempt to log on via Studio again.

Note: Before running any SQL command that modifies the database, ensure that a backup of the CVAD site database has been taken.