AWS EC2 the trust relationship between this workstation and the primary domain failed

0

Hello,

The EC2 instance Windows Server 2022 started to have problems after we installed the Windows Security Updates for July/2023.

The EC2 instance did not respond to RDP remote connect.

"The remote computer that you are trying to connect to requires Network Level Authentication (NLA), 
but your Windows domain controller cannot be contacted to perform NLA. 
If you are an administrator on the remote computer, you can disable NLA by using the options 
on the Remote tab of the System Properties dialog box."

I followed this AWS article.

https://repost.aws/knowledge-center/ec2-windows-rdp-authentication-errors

After these registry keys were added to the system the RDP remote connect started to work again.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 0 /f

I can now RDP remote connect to the EC2 instance with the domain login and even open the Active Directory Users and Computers and see all the domain information.

However the Windows Remote Desktop Services (RDS) Remote Applications now fail to launch because of the issue below.

AWS EC2 the trust relationship between this workstation and the primary domain failed.

I have tested with PowerShell Test-ComputerSecureChannel and this is the error message.

**PowerShell**
PS C:\Users\Administrator.TOPODEMO> Test-ComputerSecureChannel -verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "EC2AMAZ-A1BRCLC".
False
VERBOSE: The secure channel between the local computer and the domain **topo.demo** is broken.
PS C:\Users\Administrator.TOPODEMO>

Note, topo.demo domain is "AWS Simple AD".

I tried this workaround, remove the computer from the domain, reboot and then connect the computer to the domain again, reboot again, but the issue persists.

https://support.microsoft.com/en-us/topic/-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed-error-when-you-log-in-to-windows-7-48124cd3-bae2-2428-f362-bf8da683e59c

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html

Do you know how to fix this issue between the AWS EC2 instance and the AWS Simple AD?

I appreciate your assistance.

Thanks,

| Marcelo Marques | Esri PS Products | Principal Product Engineer |
| Cloud & Database Administrator | OCP – Oracle Certified Professional | | Esri | 380 New York St | Redlands, CA 92373 | USA | | https://www.linkedin.com/in/mmarquesbr/ | THE SCIENCE OF WHERE ®

Asked 10 months ago, 980 views
2 Answers
0

Hello,

I opened a support case with AWS.

But the issue cleared by itself today, July 22, 2023.

PS C:\Users\Administrator.TOPODEMO> Test-ComputerSecureChannel -verbose
VERBOSE: Performing the operation "Test-ComputerSecureChannel" on target "EC2AMAZ-A1BRCLC".

**VERBOSE: The secure channel between the local computer and the domain topo.demo is in good condition.**
PS C:\Users\Administrator.TOPODEMO>

Please, do not ask me how.

Now my Windows Remote Desktop Services (RDS) Remote Applications are working fine.

Thanks,

Marcelo Marques

Answered 10 months ago
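
Added example, not part of the original posts and not AWS or Microsoft code: a PowerShell check of the three `RDP-Tcp` values the question sets to 0, which puts them back only when `Test-ComputerSecureChannel` reports a healthy channel. The baseline values (1, 2, 1) and the `-Restore` switch are assumptions made for this sketch; substitute your own hardening baseline.

```powershell
# Audit the RDP-Tcp values changed by the NLA workaround; with -Restore,
# put them back once the domain secure channel is healthy again.
param(
    [switch]$Restore   # hypothetical switch: without it the script only reports
)

$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Assumed baseline (not stated on the page): NLA required, TLS security layer,
# security protocol negotiation allowed.
$Baseline = [ordered]@{
    UserAuthentication           = 1
    SecurityLayer                = 2
    fAllowSecProtocolNegotiation = 1
}

function Get-RdpNlaState {
    # Compare each value currently in the registry with the baseline.
    $current = Get-ItemProperty -Path $RdpTcp
    foreach ($name in $Baseline.Keys) {
        [pscustomobject]@{
            Name     = $name
            Current  = $current.$name      # $null if the value is absent
            Baseline = $Baseline[$name]
            Differs  = ($current.$name -ne $Baseline[$name])
        }
    }
}

$state = @(Get-RdpNlaState)
$state | Format-Table -AutoSize

if (-not $Restore) { return }

# Requiring NLA again while the secure channel is broken can bring back the
# RDP error quoted in the question, so check the channel first.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel is still broken; leaving the RDP settings unchanged.'
    return
}

foreach ($item in ($state | Where-Object Differs)) {
    Set-ItemProperty -Path $RdpTcp -Name $item.Name -Value $item.Baseline -Type DWord
    Write-Output "Restored $($item.Name) to $($item.Baseline)"
}
```

Run it from an elevated session on the instance; keep a second access path (for example the console or Systems Manager) available before changing RDP settings remotely.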
