Friday, June 19, 2015

Adding an account from an external domain with a forest trust configured throws the error: “The security identifier could not be resolved…”


You’ve successfully deployed a new Windows Server 2012 R2 Remote Desktop Services farm in your environment and have begun assigning permissions to users located in another forest that you have a forest trust with:


While you are able to browse the domain in the separate forest and select a user or group, you quickly notice you receive the following error message when you attempt to apply the settings:

The security identifier could not be resolved. Ensure that a two-way trust exists for the domain of the selected users.

Exception: The network path was not found.



I’ve come across the same problem with a Windows Server 2008 R2 Remote Desktop Services deployment, and it looks like this problem still persists in the newer Windows Server 2012 R2 version. To get around this issue, we would need to create a Domain local group in the domain where the RDS server is installed:


… then proceed and add the user or group from the federated forest domain into the Domain local group:


… and because we can’t add a Domain local group into any other type of group, such as a Global or Universal group in the domain, we would have to assign it directly to the RDS Collection and RemoteApp:


Not exactly the most elegant solution but good enough for a workaround.
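The workaround above as a PowerShell script (an added example, not from the original post). It assumes the RDS domain is rdsdom.local (NetBIOS RDSDOM), the trusted forest domain is corp.example.net (NetBIOS CORP), and that the group name, OU path, collection name, RemoteApp alias and connection broker are placeholders to replace with your own.

```powershell
# Added example: cross-forest RDS access through a Domain local group.
# All names below are assumptions, not values from the original post.
Import-Module ActiveDirectory
Import-Module RemoteDesktop

$GroupName    = 'RDS-Apps-Users'                  # Domain local group in the RDS domain
$GroupPath    = 'OU=Groups,DC=rdsdom,DC=local'
$ForeignUser  = 'jdoe'                             # sAMAccountName in the trusted forest
$ForeignDC    = 'corp.example.net'                 # any DC of the trusted domain
$Collection   = 'RDS_Apps'
$RemoteApp    = 'WordPad'                          # alias of a published RemoteApp
$Broker       = 'rdcb01.rdsdom.local'

# Pre-check: the error in the post is usually a resolution problem, so confirm the
# trust is healthy and the trusted domain's DNS suffix is in the search list
# (one of the comments on the post reports a missing DNS suffix as the cause).
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive
(Get-DnsClientGlobalSetting).SuffixSearchList

# 1. Create the Domain local group. Only this scope can hold principals from
#    another forest, which is also why it cannot be nested in a Global group.
New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $GroupPath

# 2. Add the foreign user. Querying the trusted domain's DC returns the object
#    with its own DN; AD creates the foreign security principal on add.
$Foreign = Get-ADUser -Identity $ForeignUser -Server $ForeignDC
Add-ADGroupMember -Identity $GroupName -Members $Foreign

# Verify the membership resolves to the foreign SID rather than a dangling entry.
Get-ADGroupMember -Identity $GroupName | Select-Object Name, SID, objectClass

# 3. Assign the local group directly to the collection and to the RemoteApp,
#    since it cannot be added to the Universal/Global groups RDS would otherwise use.
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup "RDSDOM\$GroupName" -ConnectionBroker $Broker
Set-RDRemoteApp -CollectionName $Collection -Alias $RemoteApp `
    -UserGroups "RDSDOM\$GroupName" -ConnectionBroker $Broker

# Confirm the assignment the GUI refused to save.
(Get-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup `
    -ConnectionBroker $Broker).UserGroup
```

Run it on the connection broker (or a host with the RSAT AD and Remote Desktop modules) as a domain admin of the RDS domain; the cross-forest lookup in step 2 needs the trust to be two-way for the lookup to succeed.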


Unknown said...

We had the same issue and it was a DNS issue, specifically the server did not have anything in the DNS Suffix Search List.

Anonymous said...

@Daniel Friske
Interesting. It's been a week that I've been trying to resolve this problem...
In fact, the virtual machine that hosts the RDS apps is part of the same domain as my Active Directory (quite logical). Moreover, this RDS VM can query the AD and see all the groups and users. However, I still have this security identifier error...
I'll post the solution if I find one...

Anonymous said...

Ok, so I found a workaround. I get the error with the GUI, but with the PS command it works perfectly:

Set-RDSessionCollectionConfiguration -CollectionName "RDS_Apps" -UserGroup "MYDOMAIN\RDS-USERS"

Anonymous said...

See these:

Seems that RDS servers need the DNS suffix of the domain where the user is located in the NIC setup.