Channel: All Centrify Express posts

Re: Ubuntu 18.04 login issue


Hello Robertson,

I have tried with Direct manage 5.5.0 but the problem is the same. There is an authentication failure for AD users: sometimes the login is successful, sometimes the login fails.

Is there a problem with the latest Ubuntu 18.04 gdm3, or is it a problem with the Direct manage 5.5.0 version? There is no problem logging in with a local user on Ubuntu 18.04.

Do you have any solution for that? I think Centrify already tested Ubuntu 18.04 before launching Direct manage 5.5.0 for the latest OS releases.

Re: Ubuntu 18.04 login issue


I resolved the issue.

Thanks for not helping :-)

centrifydc not a zone user in docker


I followed this document https://centrify.force.com/support/Article/KB-8928-How-to-set-up-Centrify-in-a-Docker-container/ and set up Centrify Express in my Docker container.

I can verify the user using both the "adinfo -v username" and "kinit username" commands. adinfo shows the centrifydc mode is connected and the License feature is enabled.

However, when I tried the "adquery user username" command, it gave the message that the user is not a zone user in Docker; the same command works in the host environment.

adinfo shows the same zone information on both the host and Docker.

What else did I miss?

The difference that I found is that the host centrifydc version is 5.3.1 and the Docker version is 5.5.0.

Thanks

Re: Ubuntu 18.04 login issue


Hi,

I am glad to hear that the issue has been resolved. Please note that community volunteers spend their own time to help other members here on a best-effort basis, and most of them probably took some well-deserved time off over the long holiday weekend.

For a guaranteed support SLA via phone and web support, you may want to consider purchasing a support package with Centrify's paid product offerings: https://www.centrify.com/resources/dsh-en-centrify-technical-support-plans-and-policies/

Regards,

Re: centrifydc not a zone user in docker

Installation error saying Each SPN must be unique across the forest


Hi,

Trying to install Centrify 5.2.3-429 on Solaris 10, I'm getting the following error toward the end of the installation, and the server cannot join the domain.

With an older version of Centrify, I had no problem joining the domain, etc., on the same server.

Accounts that contain same SPNs is:
CN=dc4orapc5n4,CN=Computers,DC=mycompany,DC=priv

Each SPN must be unique across the forest. Please make sure the SPNs listed above are unique across the forest before joining.

Join to domain 'phx.mycompany.priv', zone 'Auto Zone' failed.
join failed

Error detected. More information may be found in the logfile
(location is /var/log/centrifydc-install.log).
Exiting ...

Any advice on what to do to fix the issue?

Thank you in advance!

Re: Installation error saying Each SPN must be unique across the forest


Welcome back.

This message means that somewhere in your environment there's a servicePrincipalName (SPN) that conflicts with the ones being registered by your system.

What to do:

a) Read about SPNs and Centrify here: https://community.centrify.com/t5/Centrify-Infrastructure-Services/FAQ-Centrify-DirectControl-and-servicePrincipalNames-SPNs/td-p/22121

b) With the knowledge from (a) you can now pinpoint the offending system, determine if it's still needed, and/or make a decision to rename the new system.

R.P

Re: Installation error saying Each SPN must be unique across the forest


Thanks, Robertson!

If I go back to the original old version the server had, Centrify can join the domain without this issue at all.

After reading the page, I tried adjoin with --force and also -n to rename the local hostname, but no luck: I get the same error.

Do you know of any way to remove the SPN on the localhost side only, without the AD administrator getting involved?

Thanks again!

Re: Installation error saying Each SPN must be unique across the forest


You can "leave" the domain on the offending system (using adleave with the --delete option), but depending on the environment it may be a no-no because you may compromise the availability of a production system.

If your environment is doing the right thing (enforcing separation of duties), it's time to walk over to the Windows or Active Directory side of the house and ask for help.

The "setspn -L [system-name]" command in Windows allows you to query Active Directory for the offending system.

Also, if you rename your system correctly (depending on the distro, this may not be very trivial) or use the "-n" option, you can get around this.

R.P

Re: Installation error saying Each SPN must be unique across the forest


Hi again Robertson,

I don't see the "--delete" option for the "adleave" command.

Perhaps you meant the "--remove" option?

If so, please excuse my ignorance, but what does "computer account from AD" mean?

Not my service account from AD but my local server, right?

Just want to make sure.

# adleave --help
usage: adleave [options]
options:
  -u, --user user[@domain] user name, default is administrator
  -p, --password pw        user password, prompts if absent
  -s, --server ds          domain server for leave operations
  -Z, --zoneserver ds      domain server for zone operations
                           useful if zone is in another domain
  -C, --noconf             do not restore PAM or NSS config
  -G, --nogp               do not restore Group Policy
  -f, --force              force local leave, no network activity
  -v, --version            print version information
  -V, --verbose            print debug information for each operation
  -r, --remove             remove computer account from Active Directory
  -R, --restore            restore system configuration files without leaving the domain
  -t, --reset              using the machine credentials, reset
                           computer to pre-created/unjoined state.
  -h, --help               print this help information and exit.

Thank you!

Re: Installation error saying Each SPN must be unique across the forest


1. You are correct, it's the --remove option.

2. "Computer Accounts" in Active Directory are the objects that represent the system. In an AD environment, computer accounts are treated like user accounts (they authenticate using Kerberos against the domain; the password is maintained by the client software, in this case Centrify's). In the context of your issue, the servicePrincipalNames are tied to the computer objects, so when you run the setspn -L or adinfo -C commands, you're basically asking "What SPNs are registered under this computer account?" For example, the HTTP SPN allows a web application that supports Kerberos to provide SSO services to end users in the same realm.

For example, my CentOS 6 system (engcen6) is joined to Active Directory with Centrify software:

1. The computer account is under the Centrify\Computers OU.

2. Note that the system properties report the Operating System and version plus the Centrify software version.

3. Since I joined this system using the defaults (as per my original link to you), the setspn command shows the nfs, ipp, http, host, ftp, cifs and afp SPNs using the system shortname and FQDN.

[setspn.PNG: screenshot of the setspn -L output for engcen6]

What does this mean?

Let's say I wanted to add another system with the same name. There is a naming conflict (all system names must be unique within a domain); the same goes for SPNs.

What are the actions I can take?

I can remove the old system if it's meant to be terminated (using adleave --remove) and join a new one with the same name.

I can rename the new system if the old one is meant to be maintained.

I could remove the offending SPNs in question and register them under another system.

I could have a load-balanced application and have two systems register the same SPN; in that case I can merge the Kerberos keytabs.

Does this make sense?

R.P

"Network Unavailable" for Centrify MDM


Hi,

I am trying to install Centrify MDM on a Samsung Galaxy S7. I am receiving an error that shows "Network Unavailable" when I enter my credentials. What kind of troubleshooting could be done to fix this issue?

Thanks.

TW

Re: "Network Unavailable" for Centrify MDM


Hi TW,

Welcome to the Centrify Community!

There are various reasons for 'Network Unavailable'. One of them is being blocked by user policy.

Here is an example:

https://centrify.force.com/support/Article/KB-9610-Getting-Network-unavailable-error-when-a-User-is-trying-to-enroll-a-device-with-a-QR-code

Besides 'invite based enrollment', would you please confirm that you have permitted device enrollment? It is suggested to check all items listed in the 'Device Enrollment Settings' policy. In addition, would you please check the client app settings to see the login URL? Please change it to 'https://cloud.centrify.com' if it is different. If it is still not working even though everything is configured correctly, please try to enroll on another device using the same user account to see if this is a device problem (i.e. a network or proxy issue).

Hope this will help.

Kind Regards,

Yeny

Centrify server licenses


Recently found out our servers are reporting as using workstation licenses.

Attempting to fix the issue results in

"Error: server license type is not supported for Auto Zone."

Creating a zone and swapping everything over would be quite the task for our environment. Is there another workaround to change the license type but allow the servers to stay in Auto Zone?

Thank you.

Re: Installation error saying Each SPN must be unique across the forest


Hi Robertson,

Thanks for the excellent explanation!

I ended up asking my AD administrator colleague to remove the SPN in AD, and joining my domain worked after waiting for 5 minutes.

Thank you again.

- Learner

Re: Installation error saying Each SPN must be unique across the forest


Correction:

I ended up asking my AD administrator colleague to remove the SPN in AD, and joining my domain worked after waiting for 5 minutes.

Express error with 5.2.3-429: Could not get the domain prefix map in allotted time.


Hi,

When I try joining a domain as below, I keep getting the following error.

Could not get the domain prefix map in allotted time.

The aftermath of this error is that this server ended up joining a domain controller in a different region within my company.

Anyone know how to resolve this?

It happens after I upgraded Centrify to 5.2.3-429.

# adjoin -w mycompany.com -s ad007.sf.priv -u myserviceaccount
myserviceaccount@mycompany.com's password:

Using domain controller: ad007.mycompany.com writable=true
Join to domain:mycompany.com, zone:Auto Zone successful

Centrify DirectControl started.
Loading domains and trusts information
...............................
.............................

Could not get the domain prefix map in allotted time.
If there are conflicts it could cause two or more users to have the same UID.
You can increase the parameter "adjoin.adclient.wait.seconds" to wait longer.
See /etc/centrifydc/centrifydc.conf.

Initializing cache
.
You have successfully joined the Active Directory domain: mycompany.com
in the Centrify DirectControl zone: Auto Zone

You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation.  Failure to do so may result in
login problems for AD users.

Thanks in advance.

- Learner

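The adjoin output in the post above points at the parameter adjoin.adclient.wait.seconds in /etc/centrifydc/centrifydc.conf. The helper below is an added example, not code from this thread or from Centrify's own tooling: a POSIX shell function that sets such a parameter idempotently (rewriting an active line, uncommenting a shipped "# name: value" default, or appending when the key is absent, and commenting out any second active copy), plus a reader to verify the result, so the change can be scripted across hosts instead of hand-edited. The "name: value" layout of the file and the sample default line are assumptions; the demo works on a scratch file, never on the live config.

```shell
#!/bin/sh
# Added example, not from the thread: set a parameter in centrifydc.conf
# without hand-editing, e.g. the adjoin.adclient.wait.seconds value the adjoin
# output above mentions. Assumptions: the file uses "name: value" lines and
# "#" comments, and may contain a commented-out default such as
# "# adjoin.adclient.wait.seconds: 30".

# Usage: set_conf_param FILE KEY VALUE
# Rewrites the first active "KEY: ..." line; if there is none, rewrites the
# first commented-out "# KEY: ..." line; if neither exists, appends the line.
# Any further active occurrence is commented out so exactly one remains.
set_conf_param() {
  conf=$1
  key=$2
  value=$3
  awk -v k="$key" -v v="$value" '
    # true when line is KEY followed by optional blanks and a colon
    # (so "a.b.c" does not match "a.b.c.d: 1")
    function is_key(line,    rest) {
      if (index(line, k) != 1) return 0
      rest = substr(line, length(k) + 1)
      return rest ~ /^[ \t]*:/
    }
    function strip(line) { sub(/^[ \t]*/, "", line); return line }
    # pass 1 (file read once): is there an active, uncommented line already?
    NR == FNR { if (is_key(strip($0))) have_active = 1; next }
    # pass 2 (same file again): rewrite
    {
      line = strip($0)
      active = is_key(line)
      sub(/^#[ \t]*/, "", line)        # look through a leading "#"
      if (!done && (active || (!have_active && is_key(line)))) {
        print k ": " v; done = 1; next
      }
      if (active && done) { print "# " $0; next }   # duplicate active line
      print
    }
    END { if (!done) print k ": " v }
  ' "$conf" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Usage: get_conf_param FILE KEY
# Prints the active value (last active line wins), or nothing if unset.
get_conf_param() {
  awk -v k="$2" '
    {
      line = $0
      sub(/^[ \t]*/, "", line)
      if (index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*:/) {
        sub(/^[^:]*:[ \t]*/, "", line)
        sub(/[ \t]+$/, "", line)
        val = line
      }
    }
    END { print val }
  ' "$1"
}

# Stand-alone demo on a constructed scratch copy. On a real host the call
# would be:  set_conf_param /etc/centrifydc/centrifydc.conf adjoin.adclient.wait.seconds 120
demo=$(mktemp)
printf '%s\n' \
  '# adjoin.adclient.wait.seconds: 30' \
  'adclient.cache.expires: 3600' > "$demo"
set_conf_param "$demo" adjoin.adclient.wait.seconds 120
echo "adjoin.adclient.wait.seconds is now: $(get_conf_param "$demo" adjoin.adclient.wait.seconds)"
rm -f "$demo"
```

Because the write goes through a temporary file that replaces the original, a failed awk run leaves centrifydc.conf untouched; keep a backup copy anyway before changing it on a joined host, and re-run the join (as the adjoin message implies) for the longer wait to take effect.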
In Active Directory, what is the best practice for certificate deployment to Mac OS X?


Having an issue in our infrastructure where the RADIUS server and Centrify are disconnected and not speaking to the NAC server. We currently have to hard-wire after a password reset because the Mac OS X users cannot see the certificate behind the login on the wireless RADIUS connection. What is the best way to deploy and check certificates upon login of the Mac servers so that they authenticate correctly with the AD servers... and drop the cached authenticated login info?

Re: Express error with 5.2.3-429: Could not get the domain prefix map in allotted time.


Hi,

To investigate the issue, may I ask a couple of questions to understand it in depth?

1.) OS version

2.) adcheck -s <domain controller>

3.) adinfo -T <domain>

4.) adinfo -t

Thanks.

Re: In Active Directory, what is the best practice for certificate deployment to Mac OS X?


Hi,

Welcome to the Centrify community!

The reason you are seeing the issue is that you are configured to use a user certificate to authenticate to the RADIUS server, which requires users to actually log in to the machine in order to see the certificate.

To work around this issue, you can choose to use a machine certificate to authenticate to the RADIUS server instead, which lets the machine have a Wi-Fi connection even when it is at the login window and does not require the user to log in.

Here is a KB article that covers the steps for the configuration:

KB-2798: How to setup a workstation authentication certificate for auto-enrollment for Mac OS X

https://centrify.force.com/support/Article/KB-2798-How-to-setup-a-workstation-authentication-certificate-for-auto-enrollment-for-Mac-OS-X

Hope it helps. Thank you!

BR

Ivan
