Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-11057: Members of an Active Directory Group Do Not Ever Realize a Tenant Role Assigned to the AD Group

Privileged Access Service ,  

17 September,18 at 03:34 PM

Problem:    
  
Active Directory users are added to an Active Directory Group and that AD group is assigned to a role assigned in the Centrify Infrastructure tenant. When the user logs into the Infrastructure Portal, the tenant role is not assigned.

For example, the AD user, testAdmin, is assigned to AD group cfyA_Global_CentrifyAdmins, and the group is assigned to the tenant role System Administrator:
  
User-added image

User-added image

 
When testAdmin logs into the Infrastructure Portal, the System Administrator role is not assigned.
 
User-added image

Cause:
  
The connector machine searches for the AD user attribute "tokenGroupsGlobalAndUniversal" to determine group membership of the AD user.  This is done for performance on the connector so the connector does not have to loop through group memberships to locate all the correct members.

If the connector machine does not have "read" access to this constructed AD attribute, the group membership is not expanded and the connector does not see the user as a member of the group.

Workaround:
  
The tenant administrator can "reload" the user information from AD.
 
User-added image

 
User-added image
 
Solution:
  
Add the tenant connector machines to the Builtin AD groups “Pre-Windows 2000 Compatible Access Security” and/or “Windows Authorization Access Group” 

See the follow KB for details on adding the connector to the builtin groups:
KB-9622: Active Directory user no longer has permissions to access an application that was previously assigned.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6041: How to show current license type in use by adclient articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-3925: How to add Centrify parameter to a group policy articleKB-11077: How to Reduce the Time to Update the Cloud Cache when Adding a Computer into the MFA Role articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?