"The trust relationship between this workstation and the primary domain failed" error message when users try to log on to the domain

Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

Symptoms


Intermittently, users cannot log on to the domain. Additionally, users receive the following error message:

The trust relationship between this workstation and the primary domain failed.


Notes
  • Restarting the workstation or server resolves the problem.
  • When you check the computer object in Active Directory, you notice that the computer account password was recently changed for the workstation or server.

Cause


This behavior occurs because of the issue that is fixed in the following article in the Microsoft Knowledge Base:
2545850 Users cannot access an IIS-hosted website after the computer password for the server is changed in Windows 7 or in Windows Server 2008 R2

Resolution


To resolve this issue, install the hotfix that is described in the following article in the Microsoft Knowledge Base:
2545850 Users cannot access an IIS-hosted website after the computer password for the server is changed in Windows 7 or in Windows Server 2008 R2

More Information


When the computer is in the problem state, a network trace shows that Kerberos did not obtain a ticket-granting ticket (TGT) for the computer account. The error that is returned by the domain controller is "KDC_ERR_PREAUTH_FAILED."

Example network traffic is as follows:

Request (from client to domain controller): KerberosV5:AS Request Cname: Machine1$ Realm: Contoso.com Sname: krbtgt/Contoso.com

Response (from domain controller to client): KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_FAILED (24)
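The following is an added example, not code from Microsoft or from the original article: a Python sketch that scans a text export of such a trace and reports computer-account TGT requests that the domain controller rejected with error 24. It assumes the summary-line format shown above and that the lines come from one client/domain controller conversation in capture order; the `alice` entry and the error 25 line are constructed sample data.

```python
import re

# Constructed sample in the summary format shown above. The first exchange is the
# normal KDC_ERR_PREAUTH_REQUIRED (25) round trip; "alice" is a made-up user account.
SAMPLE_TRACE = """\
KerberosV5:AS Request Cname: Machine1$ Realm: Contoso.com Sname: krbtgt/Contoso.com
KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
KerberosV5:AS Request Cname: Machine1$ Realm: Contoso.com Sname: krbtgt/Contoso.com
KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_FAILED (24)
KerberosV5:AS Request Cname: alice Realm: Contoso.com Sname: krbtgt/Contoso.com
KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_FAILED (24)
"""

AS_REQ = re.compile(
    r"KerberosV5:AS Request Cname: (?P<cname>\S+) Realm: (?P<realm>\S+) Sname: (?P<sname>\S+)"
)
KRB_ERR = re.compile(r"KerberosV5:KRB_ERROR - (?P<name>\w+) \((?P<code>\d+)\)")
PREAUTH_FAILED = 24  # KDC_ERR_PREAUTH_FAILED


def find_machine_preauth_failures(trace_text):
    """Return (cname, realm) for each computer-account TGT request answered with error 24."""
    hits = []
    pending = None  # most recent AS request that has not been answered yet
    for line in trace_text.splitlines():
        req = AS_REQ.search(line)
        if req:
            pending = req.groupdict()
            continue
        err = KRB_ERR.search(line)
        if err and pending:
            is_machine = pending["cname"].endswith("$")  # computer accounts end in $
            is_tgt = pending["sname"].lower().startswith("krbtgt/")
            # Error 25 is the expected first reply; a user-account error 24 is
            # usually a mistyped password. Only a computer-account 24 matches
            # the problem state described in this article.
            if int(err["code"]) == PREAUTH_FAILED and is_machine and is_tgt:
                hits.append((pending["cname"], pending["realm"]))
            pending = None
    return hits


if __name__ == "__main__":
    for cname, realm in find_machine_preauth_failures(SAMPLE_TRACE):
        print(f"{cname}@{realm}: computer account pre-authentication failed")
```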