
KB-11071: Logging Into a Windows Machine that is MFA Enabled, the Message is Seen "Unable to load profile: Profile does not exist"

Privilege Elevation Service

18 October,18 at 03:04 PM

Problem:

When logging into a Windows machine, the machine attempts to reach the authentication service. Instead of presenting the MFA challenge, the following error appears:

Unable to load profile: Profile does not exist




Entries in the Centrify Agent for Windows debug log file show these errors:
 

[2018-08-17 13:18:32.569 -0500] dzagent.exe[3332,5] Verbose: CloudHttpService.GetCloudClient: Start NegoCert...
[2018-08-17 13:18:32.725 -0500] dzagent.exe[3332,5] Error: CloudHttpService.GetCloudClient: Cloud cert auth (negotiatecertsecurity) failed: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
.....
  
[2018-08-17 13:18:33.708 -0500] LogonUI.exe[5964,4556] Verbose: StartAuthenticationReplyMessage Call Response:{ Success: 0 , Result <NULL> , Message: Unable to load profile : Profile does not exist , MessageId: _I18N_UIStorage , Exception: No additional diagnostic information is available. , ErrorId: 90206d89-a42a-47b1-8946-aeed4a9d2992:8d758441ca524d1789a0b28b43f81114 , ErrorCode: <NULL> , Inner Exceptions: <NULL> , }
  Challenge Response:<NULL>
  Authentication Response:<NULL>


Running the diagnostic check on the agent results in the following warning(s) and error(s):
 

Centrify Identity Platform Certificate Validation Check -- Warning
The diagnostic check is running ...

The connection to 'aat0579.my.centrify.com' cannot establish a trust relationship for the SSL/TLS. Please check that certificate is installed.

   
....
MFA Role and Permission Check -- Failure
The diagnostic check is running ...

No authentication profile was assigned in the Identity Platform.
     Unable to load profile.  Profile does not exist

     




Troubleshooting Technique:
 

Verify the IWA certificate is installed correctly by executing the sitecheck URL:

https://<connector.fqdn>:8443/iwa/sitecheck


 


If the sitecheck test comes back with "Success", the IWA certificate is installed correctly.

Verify the Tenant role with the MFA profile.

 

1) Log in to the machine as an AD user that does NOT require MFA (e.g. dwirth).
2) Bring up the Centrify Identity Services Platform Settings -> Troubleshooting tab.
  


3) Leaving the diagnostic tool open, use a browser and log in to the Centrify tenant.
4) Add the logged-in Windows user to the MFA role that is set up for the machine.

 


5) Run the diagnostic on the Windows machine.


  
If the MFA test comes back with a Success, then the configuration of the MFA role on the tenant is correct. This indicates that the problem is with the trust between the Windows machine and the domain.

 

Once the test is confirmed, REMOVE the user from the MFA role on the tenant.


Cause:

After diagnostics on the IWA certificate and the tenant role pass successfully, it can be concluded that the problem is that the Windows machine has lost the trust relationship with the domain. The Windows machine, in this case, is a Virtual Machine that was moved from one data center to a second data center at a different location. The machine name and IP address changed in the move. These changes resulted in the trust relationship being broken.
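
The following is an added example, not Centrify code: a small triage script that reads agent debug log text and reports whether each "Profile does not exist" reply was preceded by a "Could not create SSL/TLS secure channel" error, as in the case above, or appeared on its own. The 5-second correlation window, the cause labels and the second sample log are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<proc>\S+?)\[[\d,]+\] (?P<level>\w+): (?P<msg>.*)$")
TLS_MARK = "Could not create SSL/TLS secure channel"
PROFILE_MARK = "Profile does not exist"

# Abridged from the debug log lines quoted in this article.
ARTICLE_LOG = """\
[2018-08-17 13:18:32.569 -0500] dzagent.exe[3332,5] Verbose: CloudHttpService.GetCloudClient: Start NegoCert...
[2018-08-17 13:18:32.725 -0500] dzagent.exe[3332,5] Error: CloudHttpService.GetCloudClient: Cloud cert auth (negotiatecertsecurity) failed: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
.....
[2018-08-17 13:18:33.708 -0500] LogonUI.exe[5964,4556] Verbose: StartAuthenticationReplyMessage Call Response:{ Success: 0 , Message: Unable to load profile : Profile does not exist , }
  Challenge Response:<NULL>
"""

# Constructed for contrast: the same logon error with no TLS failure before it.
CONSTRUCTED_LOG = """\
[2018-08-17 14:02:10.101 -0500] LogonUI.exe[6120,4410] Verbose: StartAuthenticationReplyMessage Call Response:{ Success: 0 , Message: Unable to load profile : Profile does not exist , }
"""

def parse(log):
    """Yield (timestamp, process, level, message); skip continuation lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f %z")
            yield ts, m["proc"], m["level"], m["msg"]

def triage(log, window_s=5):
    """Classify each 'Profile does not exist' reply by what preceded it."""
    findings, last_tls = [], None
    for ts, proc, level, msg in parse(log):
        if level == "Error" and TLS_MARK in msg:
            last_tls = ts  # remember the most recent secure-channel failure
        elif PROFILE_MARK in msg:
            recent = (last_tls is not None
                      and ts - last_tls <= timedelta(seconds=window_s))
            cause = "tls-channel-failure" if recent else "profile-assignment"
            findings.append((ts.isoformat(), proc, cause))
    return findings

if __name__ == "__main__":
    for log in (ARTICLE_LOG, CONSTRUCTED_LOG):
        for finding in triage(log):
            print(finding)
```

A "tls-channel-failure" result points at the certificate and machine trust checks described in this article; a "profile-assignment" result points at the MFA role and authentication profile on the tenant.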
 

Resolution:

The trust relationship must be re-established between the Windows host and the domain. This is a function of the domain and is not due to a Centrify configuration. It's possible the trust can be re-established by removing the Windows host from the domain and rejoining.

The link below is provided as a courtesy to give additional information about troubleshooting and correcting a lost trust situation:

Error: The trust relationship between this workstation and the primary domain failed


For any solution implemented, time must be allowed to cache the information in the Cloud so that the Connector can work as expected.

KB-11077 provides an alternate technique to shorten the time for the cache to update.

 
