Problem: MFA was working but is no longer working after changing the service account running the connectors.
Cause: By default the connectors run as Local System, which already has the permissions and SPNs needed to validate the certificates. When the connector service is switched to a dedicated service account this is no longer guaranteed, so the registry value below must be added on each connector machine and the SPNs registered on that account.
Resolution:
On each connector machine, open Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\Cloud
1. Add a String (REG_SZ) value:
   Name: winAuthSvcClientCredType
   Data: Windows
2. In Active Directory, add these two SPNs to the service account running the Centrify Connectors (account and mydom.com are placeholders for your environment):
   HTTP/account
   HTTP/account.mydom.com
3. Restart the Cloud Connector service on each connector machine
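The three steps above, scripted as one PowerShell run on a connector machine. This is an added example, not part of the original article or Centrify's own tooling; the account name, domain suffix and service display-name pattern are assumptions and placeholders, since the article does not give the Windows service name. It adds two checks a practitioner would want: setspn -S refuses to create an SPN that already exists elsewhere in the forest (a duplicate SPN breaks Kerberos for both principals), and the script confirms the service really runs as the account the SPNs were placed on.

```powershell
# Added example (not from the original KB article): applies and verifies the fix on a connector host.
# Assumptions, labelled as such: $ServiceAccount, $SpnHost and $DomainSuffix are placeholders taken
# from the article's wording; the connector service is located by display-name pattern because the
# article does not state the service name. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$ServiceAccount = 'MYDOM\account'          # placeholder: account the connector service runs as
$SpnHost        = 'account'                # placeholder: host part of the SPNs from the article
$DomainSuffix   = 'mydom.com'              # placeholder: AD DNS domain
$SamName        = ($ServiceAccount -split '\\')[-1]
$RegPath        = 'HKLM:\SOFTWARE\Centrify\Cloud'
$ValueName      = 'winAuthSvcClientCredType'
$ValueData      = 'Windows'

# 1. Registry value (String / REG_SZ) from the article. -Force overwrites an existing value.
if (-not (Test-Path $RegPath)) {
    throw "Registry key $RegPath not found; is the connector installed on this machine?"
}
New-ItemProperty -Path $RegPath -Name $ValueName -Value $ValueData -PropertyType String -Force | Out-Null
$applied = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
if ($applied -ne $ValueData) { throw "Registry value $ValueName is '$applied', expected '$ValueData'" }

# 2. SPNs. setspn -S (capital S) checks the forest for duplicates before adding,
#    which is the check you want: a duplicate SPN silently breaks Kerberos for both principals.
$Spns = @("HTTP/$SpnHost", "HTTP/$SpnHost.$DomainSuffix")
foreach ($spn in $Spns) {
    $result = & setspn.exe -S $spn $SamName 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "setspn failed for $spn : $result" }
}

# Verify what is actually registered on the account.
& setspn.exe -L $SamName

# 3. Restart the connector service and confirm it runs as the account that carries the SPNs.
$svc = Get-CimInstance Win32_Service |
       Where-Object { $_.DisplayName -like '*Cloud Connector*' } |
       Select-Object -First 1
if (-not $svc) { throw "No service with 'Cloud Connector' in its display name was found" }
if ($svc.StartName -ne $ServiceAccount) {
    Write-Warning "Service '$($svc.Name)' runs as $($svc.StartName), not $ServiceAccount; the SPNs must be on the account the service uses"
}
Restart-Service -Name $svc.Name -Force
Get-Service -Name $svc.Name | Select-Object Name, Status
```

If setspn reports a duplicate, resolve it before proceeding rather than forcing the add with setspn -A; the duplicate is usually a leftover from a previous host or account and explains the MFA failure by itself.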