18 October,18 at 03:04 PM
Problem:
When a user logs into a Windows machine that requires MFA, the Centrify Agent for Windows contacts the authentication service (the Identity Platform) to start the logon. Instead of presenting the MFA challenge, the following error appears:
Unable to load profile: Profile does not exist
Entries in the Centrify Agent for Windows debug logfile show these errors:
[2018-08-17 13:18:32.569 -0500] dzagent.exe[3332,5] Verbose: CloudHttpService.GetCloudClient: Start NegoCert...
[2018-08-17 13:18:32.725 -0500] dzagent.exe[3332,5] Error: CloudHttpService.GetCloudClient: Cloud cert auth (negotiatecertsecurity) failed: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
.....
[2018-08-17 13:18:33.708 -0500] LogonUI.exe[5964,4556] Verbose: StartAuthenticationReplyMessage Call Response:{ Success: 0 , Result <NULL> , Message: Unable to load profile : Profile does not exist , MessageId: _I18N_UIStorage , Exception: No additional diagnostic information is available. , ErrorId: 90206d89-a42a-47b1-8946-aeed4a9d2992:8d758441ca524d1789a0b28b43f81114 , ErrorCode: <NULL> , Inner Exceptions: <NULL> , }
Challenge Response:<NULL>
Authentication Response:<NULL>
Running the diagnostic check on the agent results in the following warning(s) and error(s):
Centrify Identity Platform Certificate Validation Check -- Warning
The diagnostic check is running ...
The connection to 'aat0579.my.centrify.com' cannot establish a trust relationship for the SSL/TLS. Please check that certificate is installed.
....
MFA Role and Permission Check -- Failure
The diagnostic check is running ...
No authentication profile was assigned in the Identity Platform.
Unable to load profile. Profile does not exist
Troubleshooting Technique:
First confirm the Connector's IWA certificate by browsing, from the affected machine, to:
https://<connector.fqdn>:8443/iwa/sitecheck
If the sitecheck comes back with "Success", the IWA certificate is installed correctly.
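The same sitecheck can be driven from PowerShell on the affected machine, which also tells you whether the Connector's certificate chain is trusted by that host and not only by the browser. This is an added example, not code from the original KB or from Centrify: the connector name 'connector.example.com' is a placeholder (port 8443 is the one in the KB's URL), and the script assumes the IWA endpoint accepts the logged-on user's Windows credentials.

```powershell
# Added example, not part of the original KB: check the Connector's IWA
# sitecheck endpoint from PowerShell without bypassing certificate validation.
# 'connector.example.com' is a placeholder; pass the real Connector FQDN.
param(
    [string]$ConnectorFqdn = 'connector.example.com',
    [int]$Port = 8443
)

function Test-IwaTlsTrust {
    param([string]$Fqdn, [int]$Port)
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
        # Default SslStream validation builds the chain against the Windows
        # trust stores, the same stores a .NET client such as dzagent.exe uses.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Throws AuthenticationException on an untrusted chain or name mismatch,
        # the condition .NET reports as "Could not create SSL/TLS secure channel".
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Trusted    = $true
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Error      = $null
        }
    }
    catch {
        [pscustomobject]@{
            Trusted    = $false
            Subject    = $null
            Issuer     = $null
            NotAfter   = $null
            Thumbprint = $null
            Error      = $_.Exception.Message
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

$tls = Test-IwaTlsTrust -Fqdn $ConnectorFqdn -Port $Port
$tls | Format-List

if (-not $tls.Trusted) {
    Write-Warning 'Chain not trusted by this host: install the IWA root/issuing CA in the Local Machine Trusted Root store and re-run.'
    return
}

# Sitecheck proper, authenticating as the logged-on user (IWA = Kerberos/NTLM).
$url = 'https://{0}:{1}/iwa/sitecheck' -f $ConnectorFqdn, $Port
try {
    $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
    "sitecheck HTTP $($resp.StatusCode)"
    $resp.Content
    if ($resp.Content -match 'Success') { 'IWA certificate is installed correctly.' }
}
catch {
    Write-Warning "sitecheck failed: $($_.Exception.Message)"
}
```

Run it as the logged-on AD user. A result of Trusted = False with a chain or name-mismatch error points to the certificate side (the warning in the Certificate Validation Check above) rather than to the tenant role, so fix the certificate before going on to the role test.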
Next, verify the tenant role that carries the MFA profile:
1) Log in to the machine as an AD user that does NOT require MFA (e.g. dwirth).
2) Open Centrify Identity Services Platform Settings -> Troubleshooting tab.
3) Leaving the diagnostic tool open, use a browser to log in to the Centrify tenant.
4) Add the logged-in Windows user to the MFA role that is set up for the machine.
5) Run the diagnostic on the Windows machine.
If the MFA Role and Permission Check now comes back with Success, the MFA role on the tenant is configured correctly. With both the IWA certificate and the tenant role confirmed, the remaining suspect is the trust between the Windows machine and its domain.
Once the test is confirmed, REMOVE the test user from the MFA role on the tenant so that an account that should not require MFA is not left in the role.
Cause:
After the diagnostics on the IWA certificate and the tenant role both pass, it can be concluded that the Windows machine has lost its trust relationship with the domain. In this case the Windows machine is a Virtual Machine that was moved from one data center to a second data center in a different location. Both the machine name and the IP address changed in the move, and these changes broke the trust relationship between the machine account and the domain.
Resolution:
The trust relationship must be re-established between the Windows host and the domain. This is a function of the domain and not of any Centrify configuration. The trust can usually be re-established by removing the Windows host from the domain and rejoining it.
The link below is provided as a courtesy for additional information about troubleshooting and correcting a lost trust relationship:
Error: The trust relationship between this workstation and the primary domain failed
Whichever fix is applied, allow time for the Identity Platform (Cloud) to refresh its cached information before expecting the Connector to work again.
KB-11077 provides an alternate technique to shorten the time for the cache to update.
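As an added example (not part of the original KB and not Centrify code), the following PowerShell, run in an elevated session on the affected host, checks the secure channel to the domain, attempts the in-place repair that Windows offers, and only then falls back to the leave/rejoin described above. The credential prompt is a placeholder for an account permitted to reset or rejoin the computer object; no domain or host names are assumed.

```powershell
# Added example, not part of the original KB: verify the host-to-domain secure
# channel, try an in-place repair, and fall back to leave/rejoin only if that
# fails. Run from an elevated PowerShell session on the affected Windows host.
# The Get-Credential prompt is a placeholder for an account that may reset or
# rejoin the computer object in AD.

function Get-DomainTrustState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Test-ComputerSecureChannel returns $true only when the machine account
    # password still matches the computer object on a domain controller.
    $channelOk = $false
    if ($cs.PartOfDomain) { $channelOk = Test-ComputerSecureChannel }
    [pscustomobject]@{
        ComputerName  = $cs.Name
        Domain        = $cs.Domain
        PartOfDomain  = $cs.PartOfDomain
        SecureChannel = $channelOk
    }
}

function Repair-DomainTrust {
    param([Parameter(Mandatory)][pscredential]$Credential)
    # -Repair resets the machine account password against a DC; it succeeds when
    # the computer object still exists under this host's current name.
    Test-ComputerSecureChannel -Repair -Credential $Credential -Verbose
}

$state = Get-DomainTrustState
$state | Format-List

if (-not $state.PartOfDomain) {
    Write-Warning "$($state.ComputerName) is not domain-joined; join it with Add-Computer."
    return
}
if ($state.SecureChannel) {
    "Secure channel to $($state.Domain) is healthy; the domain trust is not the cause."
    return
}

$cred = Get-Credential -Message "Account permitted to reset the computer object in $($state.Domain)"

if (Repair-DomainTrust -Credential $cred) {
    'Secure channel repaired in place. Retry the MFA logon once the Identity Platform cache has refreshed.'
    return
}

# Repair fails when the computer object no longer matches this host, e.g. the
# machine was renamed during a data-center move. Leave the domain and rejoin.
Write-Warning "Repair failed; leaving $($state.Domain) and rebooting. Run Add-Computer after the restart."
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
# After the reboot, as a local administrator:
#   Add-Computer -DomainName <domain.fqdn> -Credential (Get-Credential) -Restart
```

Test-ComputerSecureChannel -Repair can re-establish the trust without a rejoin when the computer object still exists under this host's name. In the scenario above the machine was renamed during the move, so the existing AD object may no longer match and the repair may fail; the leave/rejoin is then the correct path. Either way, allow time for the Identity Platform cache to refresh (or use the technique in KB-11077) before re-testing the MFA logon.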