Error with a one-way trust in Windows Server 2012 R2: Security identifier could not be resolved

Article
12/26/2023

This article provides help to fix an error "Security identifier could not be resolved" that occurs with a one-way trust.

Applies to: Windows Server 2012 R2
Original KB number: 3212982

Symptoms

Consider the following scenario:

Remote Desktop Connection Broker (RDCB) and Remote Desktop Virtualization Host (RDVH) are in Domain A.
Remote Desktop users are in DomainB\RD_USER_GROUP.
RD_USER_GROUP is a "Security Group - Universal" group.
Domain A and Domain B are in different forests.
Domain A one-way trusts Domain B.

When you try to add DomainB\RD_USER_GROUP directly to the VDI collection in Domain A, you receive the following error message:

The security identifier could not be resolved. Ensure that a two-way trust exists for the domain of selected users.

Cause

A two-way trust is required in this scenario.

Resolution

To resolve this issue, change the one-way trust to a two-way trust.

Feedback

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.

Submit and view feedback for

This product This page

View all page feedback