diff --git a/SOURCES/0003-Allow-for-HIDDEN_SERVICE-when-checking-ADTRUST-servi.patch b/SOURCES/0003-Allow-for-HIDDEN_SERVICE-when-checking-ADTRUST-servi.patch
new file mode 100644
index 0000000..14d5f36
--- /dev/null
+++ b/SOURCES/0003-Allow-for-HIDDEN_SERVICE-when-checking-ADTRUST-servi.patch
@@ -0,0 +1,118 @@
+From de2032487c73151e13812db78866ddd85d0f541c Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 28 Jun 2021 16:43:11 -0400
+Subject: [PATCH] Allow for HIDDEN_SERVICE when checking ADTRUST service
+
+If the host is a trust controller then the ADTRUST service
+must be enabled. This is defined as both ENABLED_SERVICE and
+HIDDEN_SERVICE.
+
+https://github.com/freeipa/freeipa-healthcheck/issues/217
+
+Signed-off-by: Rob Crittenden
+---
+ src/ipahealthcheck/ipa/trust.py | 6 ++--
+ tests/test_ipa_trust.py | 54 ++++++++++++++++++---------------
+ 2 files changed, 33 insertions(+), 27 deletions(-)
+
+diff --git a/src/ipahealthcheck/ipa/trust.py b/src/ipahealthcheck/ipa/trust.py
+index 162a64c..27a2c86 100644
+--- a/src/ipahealthcheck/ipa/trust.py
++++ b/src/ipahealthcheck/ipa/trust.py
+@@ -23,9 +23,9 @@ except ImportError:
+ # be skipped
+ pass
+ try:
+- from ipaserver.masters import ENABLED_SERVICE
++ from ipaserver.masters import ENABLED_SERVICE, HIDDEN_SERVICE
+ except ImportError:
+- from ipaserver.install.service import ENABLED_SERVICE
++ from ipaserver.install.service import ENABLED_SERVICE, HIDDEN_SERVICE
+ try:
+ from ipapython.ipaldap import realm_to_serverid
+ except ImportError:
+@@ -476,7 +476,7 @@ class IPATrustControllerServiceCheck(IPAPlugin):
+ configs = entry.get('ipaconfigstring', [])
+ enabled = False
+ for config in configs:
+- if config == ENABLED_SERVICE:
++ if config in [ENABLED_SERVICE, HIDDEN_SERVICE]:
+ enabled = True
+ break
+
+diff --git a/tests/test_ipa_trust.py b/tests/test_ipa_trust.py
+index 5eca9b5..c314b70 100644
+--- a/tests/test_ipa_trust.py
++++ b/tests/test_ipa_trust.py
+@@ -28,6 +28,11 @@ from ipahealthcheck.ipa.trust import (IPATrustAgentCheck,
+ from ipalib import errors
+ from ipapython.dn import DN
+ from ipapython.ipaldap import LDAPClient, LDAPEntry
++try:
++ from ipaserver.masters import ENABLED_SERVICE, HIDDEN_SERVICE
++except ImportError:
++ from ipaserver.install.service import ENABLED_SERVICE, HIDDEN_SERVICE
++
+
+ try:
+ from ipapython.ipaldap import realm_to_serverid
+@@ -795,31 +800,32 @@ class TestControllerService(BaseTest):
+ # Zero because the call was skipped altogether
+ assert len(self.results) == 0
+
+- def test_principal_ok(self):
++ def test_service_enabled(self):
+ service_dn = DN(('cn', 'ADTRUST'))
+- attrs = {
+- 'ipaconfigstring': ['enabledService'],
+- }
+- fake_conn = LDAPClient('ldap://localhost', no_schema=True)
+- ldapentry = LDAPEntry(fake_conn, service_dn)
+- for attr, values in attrs.items():
+- ldapentry[attr] = values
+-
+- framework = object()
+- registry.initialize(framework, config.Config)
+- registry.trust_controller = True
+- f = IPATrustControllerServiceCheck(registry)
+-
+- f.conn = mock_ldap(ldapentry)
+- self.results = capture_results(f)
+-
+- assert len(self.results) == 1
+-
+- result = self.results.results[0]
+- assert result.result == constants.SUCCESS
+- assert result.source == 'ipahealthcheck.ipa.trust'
+- assert result.check == 'IPATrustControllerServiceCheck'
+- assert result.kw.get('key') == 'ADTRUST'
++ for type in [ENABLED_SERVICE, HIDDEN_SERVICE]:
++ attrs = {
++ 'ipaconfigstring': [type],
++ }
++ fake_conn = LDAPClient('ldap://localhost', no_schema=True)
++ ldapentry = LDAPEntry(fake_conn, service_dn)
++ for attr, values in attrs.items():
++ ldapentry[attr] = values
++
++ framework = object()
++ registry.initialize(framework, config.Config)
++ registry.trust_controller = True
++ f = IPATrustControllerServiceCheck(registry)
++
++ f.conn = mock_ldap(ldapentry)
++ self.results = capture_results(f)
++
++ assert len(self.results) == 1
++
++ result = self.results.results[0]
++ assert result.result == constants.SUCCESS
++ assert result.source == 'ipahealthcheck.ipa.trust'
++ assert result.check == 'IPATrustControllerServiceCheck'
++ assert result.kw.get('key') == 'ADTRUST'
+
+ def test_principal_fail(self):
+ service_dn = DN(('cn', 'ADTRUST'))
+--
+2.31.1
+
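Review bot: In the nested tests/test_ipa_trust.py hunk, `for type in [ENABLED_SERVICE, HIDDEN_SERVICE]:` shadows the builtin `type` and folds two cases into one test, so a failing run does not say which service state the check rejected. Using `for state in (ENABLED_SERVICE, HIDDEN_SERVICE):` with `'ipaconfigstring': [state]`, and adding the state as the assertion message (`assert result.result == constants.SUCCESS, state`), would make that visible. In the trust.py hunk the widened condition `if config in [ENABLED_SERVICE, HIDDEN_SERVICE]:` carries no comment on why a hidden service counts as enabled; a line such as `# a hidden service is still expected to run, it is only not advertised` would help the next reader, if that matches the intended semantics. Both the check method and the test class start and end outside the hunks shown.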
diff --git a/SPECS/freeipa-healthcheck.spec b/SPECS/freeipa-healthcheck.spec index 4b45132..d7017b4 100644 --- a/SPECS/freeipa-healthcheck.spec +++ b/SPECS/freeipa-healthcheck.spec @@ -17,7 +17,7 @@ Name: %{prefix}-healthcheck Version: 0.9 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Health check tool for %{productname} BuildArch: noarch License: GPLv3 @@ -27,6 +27,7 @@ Source1: ipahealthcheck.conf Patch0001: 0001-Remove-ipaclustercheck.patch Patch0002: 0002-Handle-files-that-don-t-exist-in-FileCheck.patch +Patch0003: 0003-Allow-for-HIDDEN_SERVICE-when-checking-ADTRUST-servi.patch Requires: %{name}-core = %{version}-%{release} Requires: %{prefix}-server @@ -156,6 +157,9 @@ PYTHONPATH=src PATH=$PATH:$RPM_BUILD_ROOT/usr/bin pytest-3 tests/test_* %changelog +* Tue Oct 12 2021 Rob Crittenden - 0.9-3 +- IPATrustControllerServiceCheck doesn't handle HIDDEN_SERVICE (#1976878) + * Mon Aug 09 2021 Mohan Boddu - 0.9-2 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688