Applies to: All versions of Centrify DirectControl.
Question:
How can an AD user's credentials be "pre-cached" so that a Centrify system can be set up and joined to the domain in the office, shipped to a user in a remote location, and give that user immediate offline login access without first having to be connected to the network?
Answer:
This can be achieved via the prevalidation feature.
=== Pre-requisite: Registering AD Users to the Preval Service ===
Any user who is going to be prevalidated will first need to be registered into the 'preval' service in Active Directory:
1. On a Windows AD server, open the command prompt and run:
setspn -A preval/[ad_username] [ad_username]
For example, for the user 'john_doe' the command would be:
setspn -A preval/john_doe john_doe
2. Repeat this for each user that is going to be prevalidated (this is required even if prevalidation by Group is going to be used).
=== Configuring Centrify systems to allow prevalidation ===
There are two options for setting up prevalidation on Centrify systems. Note that these methods cannot be combined: if the Group Policy is enabled, it overwrites any changes made to those parameters in centrifydc.conf.
- Option 1. Group Policy (to prevalidate a set of users on multiple machines), under:
/ Computer Configuration / Centrify Settings / DirectControl Settings / Account Prevalidation /
- Option 2. Directly editing the /etc/centrifydc/centrifydc.conf file and setting one or both of the following parameters (for specific users on specific machines):
adclient.prevalidate.allow.users
adclient.prevalidate.allow.groups
To edit the centrifydc.conf file directly:
1. On the Centrify system on which the user is going to be prevalidated, log in as root and open the /etc/centrifydc/centrifydc.conf file for editing.
2. Search for the "adclient.prevalidate.allow.users" entry and either uncomment the example parameters, or add a clean new line below them and enter:
adclient.prevalidate.allow.users: ad_username
or
adclient.prevalidate.allow.groups: ad_groupname
To prevalidate more than one user or group on that computer, enter the names as a comma-separated list after the parameter.
3. Save the centrifydc.conf file. Make sure the system is in Connected mode and run the following commands so that the agent re-reads the configuration and fetches the credentials:
sudo adreload
sudo adflush
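As an added example (not Centrify's own tooling, and not part of the original article), the POSIX shell script below sets the two prevalidation parameters in a centrifydc.conf file idempotently, replacing any existing active or commented-out copy of the line rather than appending a duplicate, and reads the configured list back so the entry can be verified before the machine is shipped. It works on a constructed sample copy in a temporary directory; the user names john_doe and jane_doe, the group name remote_laptop_users and the placeholder parameter some.other.parameter are all made up for the demonstration. On a real system you would point CONF at /etc/centrifydc/centrifydc.conf as root and then run adreload and adflush in Connected mode, as the steps above describe.

```shell
#!/bin/sh
# Added example: edit and verify prevalidation parameters in a centrifydc.conf.
# Works on a constructed sample file so it runs offline without a Centrify agent.

WORKDIR="${TMPDIR:-/tmp}/preval-demo.$$"
mkdir -p "$WORKDIR"
CONF="$WORKDIR/centrifydc.conf"   # on a real host: /etc/centrifydc/centrifydc.conf

# Constructed sample of the relevant section: a commented-out example line,
# as shipped files typically have, plus an unrelated placeholder parameter.
cat > "$CONF" <<'EOF'
# Prevalidation settings (constructed sample, not a real centrifydc.conf)
# adclient.prevalidate.allow.users: user1, user2
some.other.parameter: keep-me
EOF

# set_param FILE KEY VALUE
# Writes "KEY: VALUE" in place of the first existing line for KEY, whether it
# is active or commented out, drops any further stale copies, and appends the
# line if KEY is not present at all. Key comparison is exact (no regex on KEY).
set_param() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v val="$value" '
        {
            line = $0
            sub(/^#+[[:space:]]*/, "", line)        # strip leading comment marks
            rest = substr(line, length(key) + 1)
            if (substr(line, 1, length(key)) == key && rest ~ /^[[:space:]]*:/) {
                if (!done) { print key ": " val; done = 1 }
                next                                  # drop duplicate/stale copies
            }
            print
        }
        END { if (!done) print key ": " val }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_param FILE KEY -> prints the value of the first active (uncommented) KEY line
get_param() {
    awk -v key="$2" '
        substr($0, 1, length(key)) == key {
            rest = substr($0, length(key) + 1)
            if (rest ~ /^[[:space:]]*:/) {
                sub(/^[[:space:]]*:[[:space:]]*/, "", rest)
                sub(/[[:space:]]+$/, "", rest)
                print rest
                exit
            }
        }
    ' "$1"
}

# list_values FILE KEY -> one trimmed name per line from the comma-separated value
list_values() {
    get_param "$1" "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# is_listed FILE KEY NAME -> exit 0 if NAME appears in KEY's list (pre-shipment check)
is_listed() {
    list_values "$1" "$2" | grep -qx "$3"
}

# Demonstration: two users and one group, as in the steps above.
set_param "$CONF" adclient.prevalidate.allow.users  "john_doe, jane_doe"
set_param "$CONF" adclient.prevalidate.allow.groups "remote_laptop_users"

echo "users : $(get_param "$CONF" adclient.prevalidate.allow.users)"
echo "groups: $(get_param "$CONF" adclient.prevalidate.allow.groups)"
echo "--- resulting file ($CONF) ---"
cat "$CONF"
# The sample stays under $WORKDIR for inspection. On a real host, follow with:
#   sudo adreload && sudo adflush   (while in Connected mode)
```

The awk-based replacement matters for the "cannot be combined" caveat above: because the configuration and the Group Policy are alternatives, leaving a stale second copy of the line in the file makes it unclear which value the agent would honour, so the function keeps exactly one active line per key.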
Note 1:
To ensure their validity, the credentials for prevalidated users and groups are periodically retrieved from Active Directory. The credentials are also refreshed whenever any of the following happens:
- The computer is rebooted.
- Centrify DirectControl agent is started or restarted.
- adflush is run while connected to the network.
- The user password is changed from the local system.
Note 2:
When using prevalidation by group, make sure that the AD group is recognised by the Centrify agent. To check which group names are visible for a specific user, run the following command on the Centrify system:
adquery user --groups ad_username
For further background reading on prevalidation in Centrify, please refer to the KB article: