Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-11057: Members of an Active Directory Group Do Not Ever Realize a Tenant Role Assigned to the AD Group

Privileged Access Service ,  

17 September,18 at 03:34 PM

Problem:    
  
Active Directory users are added to an Active Directory Group and that AD group is assigned to a role assigned in the Centrify Infrastructure tenant. When the user logs into the Infrastructure Portal, the tenant role is not assigned.

For example, the AD user, testAdmin, is assigned to AD group cfyA_Global_CentrifyAdmins, and the group is assigned to the tenant role System Administrator:
  
User-added image

User-added image

 
When testAdmin logs into the Infrastructure Portal, the System Administrator role is not assigned.

 
User-added image

Cause:
  
The connector machine searches for the AD user attribute "tokenGroupsGlobalAndUniversal" to determine group membership of the AD user.  This is done for performance on the connector so the connector does not have to loop through group memberships to locate all the correct members.

If the connector machine does not have "read" access to this constructed AD attribute, the group membership is not expanded and the connector does not see the user as a member of the group.

Workaround:
  
The tenant administrator can "reload" the user information from AD.
 
User-added image

 
User-added image
 
Solution:
  
Add the tenant connector machines to the Builtin AD groups “Pre-Windows 2000 Compatible Access Security” and/or “Windows Authorization Access Group” 

See the follow KB for details on adding the connector to the builtin groups:
KB-9622: Active Directory user no longer has permissions to access an application that was previously assigned.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.