KB-0408: Troubleshooting 1 Way trust

Centrify DirectControl

12 April,16 at 10:57 AM

Applies to: Version cdc 3.0.4 and above

Question: How do I troubleshoot a 1-way trust?

Answer: 

1) Before troubleshooting why a user still cannot log in after all the configuration steps have been performed, check the type of the trust as follows.

Using the ADSI Edit tool, expand the Domain NC [dc=your domain name,dc=com] node in the left pane of the MMC console, and keep expanding until you locate and expand the node named CN=System.
In the right pane, use the Class column to identify all objects of type trustedDomain.

To get more information about a given trust, right-click the object and then click Properties. Look for the property called "trustType", which holds the type of trust relationship established with the partner domain. The values mean:
1 = Downlevel trust (Windows NT 4.0 style)
2 = Windows 2000 (Uplevel) trust
3 = MIT Kerberos realm
4 = DCE

If the trustType of the trustedDomain object is 1, users will not be able to log in, because Centrify does not support trustType 1 by design. In that case, upgrade the trust to an uplevel (trustType 2) trust.
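As an added example, not part of the Centrify article, the following PowerShell script performs the same check as the ADSI Edit walk-through above, but over every trustedDomain object under CN=System at once. It also decodes trustDirection, which the article does not discuss; the value meanings for both attributes (trustType 1 to 4 as listed above, trustDirection 0 disabled, 1 inbound, 2 outbound, 3 bidirectional) follow the Active Directory schema documentation. Run it on a domain-joined Windows machine as a user with read access to CN=System.

```powershell
# Added example (not Centrify's code). Lists every trustedDomain object under
# CN=System, the objects the article has you inspect in ADSI Edit, and decodes
# trustType and trustDirection. Trusts with trustType 1 are flagged because
# Centrify DirectControl does not support downlevel trusts.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext.Value      # e.g. DC=example,DC=com

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=System,$domainDn"
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(objectClass=trustedDomain)'
foreach ($attr in 'cn','trustPartner','flatName','trustType','trustDirection','trustAttributes') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# Attribute value meanings per the AD schema (trustType / trustDirection).
$trustTypeNames = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (Windows 2000+)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
# Outbound = this domain trusts the partner, so the partner's users can be
# authenticated here; inbound is the reverse; 3 is both.
$trustDirNames  = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

$results = foreach ($r in $searcher.FindAll()) {
    $p    = $r.Properties
    $type = [int]$p['trusttype'][0]
    $dir  = [int]$p['trustdirection'][0]
    if ($type -eq 1) {
        Write-Warning "Trust to $($p['trustpartner'][0]) is downlevel (trustType=1); Centrify DirectControl does not support it. Upgrade the trust."
    }
    [pscustomobject]@{
        Partner         = [string]$p['trustpartner'][0]
        NetBIOSName     = [string]$p['flatname'][0]
        TrustType       = "$type ($($trustTypeNames[$type]))"
        TrustDirection  = "$dir ($($trustDirNames[$dir]))"
        TrustAttributes = ('0x{0:x}' -f [int]$p['trustattributes'][0])
        Supported       = ($type -ne 1)
    }
}
$results | Format-Table -AutoSize
```

For a one-way trust you should see the partner listed with direction 1 or 2 rather than 3; a trust whose Supported column reads False is the condition step 1 of the article describes.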


2) If step 1 does not apply to you but users are still unable to log in, verify the trust in both domains as follows.

Using the Active Directory Domains and Trusts snap-in:
- In the left pane, right-click the trusting domain and select Properties.
- Click the Trusts tab.
- Click the domain associated with the trust you want to verify.
- Click the Properties button.
- Click the Validate button.
If validation fails, you will see error messages like the following in the centrifydc.log file (the Kerberos error code -1765328377 is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN):

Dec 29 11:02:38 rhel adclient[10845]: WARN base.aduser Can't find service host/rhel.centrify-vm.com. Check for multiple computer accounts with the same SPN in the directory. Replication error?
Dec 29 11:02:38 rhel adclient[10845]: DEBUG base.osutil while getting service credentials: Server not found in Kerberos database (reference base/aduser.cpp:575 rc: -1765328377)
Dec 29 11:02:38 rhel adclient[10845]: WARN base.aduser Unable to verify user's credentials: while getting service credentials: Server not found in Kerberos database
Dec 29 11:02:38 rhel adclient[10845]: DEBUG daemon.execute validate password caught exception: while getting service credentials: Server not found in Kerberos database
Dec 29 11:02:38 rhel adclient[10845]: DEBUG daemon.execute doValidatePlain: user sumana not OK: while getting service credentials: Server not found in Kerberos database
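The WARN line above asks you to check for multiple computer accounts carrying the same SPN. As an added example, not Centrify's code, the following PowerShell script searches the forest's global catalog for every object that holds a given servicePrincipalName and reports whether it is missing, unique, or duplicated. The default SPN is the one from the log above and is only an illustration; replace it with the one from your own centrifydc.log. Zero hits means no account carries the SPN at all; more than one means a duplicate. Either way the KDC cannot resolve the service principal, which is what "Server not found in Kerberos database" reports.

```powershell
# Added example (not Centrify's code). Searches the forest global catalog for
# every object holding a given SPN and reports missing or duplicate registrations.
param(
    # Default taken from the adclient WARN line in the article; an illustration only.
    [string]$Spn = 'host/rhel.centrify-vm.com'
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$forestDn = $rootDse.rootDomainNamingContext.Value   # forest root, e.g. DC=example,DC=com

# Escape the RFC 4515 filter metacharacters so a hostname cannot alter the query.
$escaped = $Spn -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'

# GC:// searches the whole forest; servicePrincipalName is replicated to the
# global catalog, so duplicates in other domains of the forest are found too.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"GC://$forestDn"
$searcher.Filter     = "(servicePrincipalName=$escaped)"
foreach ($attr in 'distinguishedName','sAMAccountName','dNSHostName','objectClass') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$hits = @($searcher.FindAll())
switch ($hits.Count) {
    0       { Write-Warning "No object in the forest holds SPN '$Spn'. The Unix computer account must carry host/<fqdn>; re-register it." }
    1       { Write-Output  "SPN '$Spn' is held by exactly one object (no duplicate):" }
    default { Write-Warning "SPN '$Spn' is held by $($hits.Count) objects (duplicate SPN). Remove it from every account except the Unix computer's." }
}

$hits | ForEach-Object {
    $p = $_.Properties
    [pscustomobject]@{
        Account     = [string]$p['samaccountname'][0]
        DnsHostName = [string]$p['dnshostname'][0]
        DN          = [string]$p['distinguishedname'][0]
    }
} | Format-Table -AutoSize
```

The built-in tools give the same answers from an elevated prompt: setspn -Q host/rhel.centrify-vm.com lists the holders of one SPN, setspn -X -F reports every duplicate SPN in the forest, and netdom trust TrustingDomain /domain:TrustedDomain /verify performs the same validation as the Validate button in the snap-in.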

Fix the trust and try logging in again.

Note: In a 1-way or 2-way trust, also check whether there is a logon restriction on the AD user. You can inspect the AD user's permissions, or do a quick check by logging the AD user in on a Windows machine in the same domain as the Unix machine. If this is the cause, the Windows machine displays the following Logon Message after you enter your credentials (it indicates that the trust uses selective authentication and the user has not been granted the Allowed to Authenticate permission on the computer object):

The system cannot log you on due to the following error: Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. Please try again or consult your system administrator. 

If these instructions still do not help you troubleshoot the problem, please contact us with details.
