
KB-11102: MFA Authentication Is Slow During "connecting to authentication service"

Authentication Service

16 May,19 at 12:23 PM

Problem: When attempting MFA at Windows login, it takes a long time to get past "connecting to authentication service".

Cause: This can happen if your Windows machines do not have access to the internet. The agent authenticates the certificate against the cloud directly. If the internet is blocked or a firewall is in place, this attempt times out and causes a delay.

[2018-08-06 13:38:32.927 +0200] dzagent.exe[1796,10] Verbose: CloudHttpService.GetCloudClient: Start NegoCert...
[2018-08-06 13:39:17.661 +0200] dzagent.exe[1796,10] Error: CloudHttpService.GetCloudClient: Cloud cert auth (negotiatecertsecurity) failed: System.Threading.Tasks.TaskCanceledException: A task was canceled.
[2018-08-06 13:39:17.661 +0200] dzagent.exe[1796,10] Error: CloudHttpService.ConnectTenant: Failed to talk to cloud, fallback to cloud connector connection: Centrify.DirectAuthorize.Mfa.CloudHttpService+WebProblemException: Connection Failure
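
One way to confirm this cause from the agent log, as an added example (not Centrify's code): the script pairs each "Start NegoCert" entry with the cloud cert auth failure that follows from the same source and reports the elapsed time. The 5-second threshold and the use of the bracketed `[1796,10]` pair as an opaque source key are assumptions.

```python
import re
from datetime import datetime

# The three agent log lines quoted in this article.
SAMPLE_LOG = """\
[2018-08-06 13:38:32.927 +0200] dzagent.exe[1796,10] Verbose: CloudHttpService.GetCloudClient: Start NegoCert...
[2018-08-06 13:39:17.661 +0200] dzagent.exe[1796,10] Error: CloudHttpService.GetCloudClient: Cloud cert auth (negotiatecertsecurity) failed: System.Threading.Tasks.TaskCanceledException: A task was canceled.
[2018-08-06 13:39:17.661 +0200] dzagent.exe[1796,10] Error: CloudHttpService.ConnectTenant: Failed to talk to cloud, fallback to cloud connector connection: Centrify.DirectAuthorize.Mfa.CloudHttpService+WebProblemException: Connection Failure
"""

# Layout: [timestamp] process[n,n] Level: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+\[\d+,\d+\])\s+(?P<level>\w+):\s+(?P<msg>.*)$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"


def find_cloud_cert_delays(lines, threshold_s=5.0):
    """Report cloud cert attempts that failed threshold_s or more seconds after starting.

    threshold_s is an assumed cut-off for "slow", not a vendor value.
    """
    pending = {}   # source -> time its "Start NegoCert" line was logged
    last = {}      # source -> latest finding, so the fallback line can annotate it
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, stack traces, other formats
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        src, msg = m.group("src"), m.group("msg")
        if "GetCloudClient: Start NegoCert" in msg:
            pending[src] = ts
            last.pop(src, None)  # a new attempt starts; forget the previous finding
        elif "Cloud cert auth" in msg and "failed" in msg and src in pending:
            started = pending.pop(src)
            delay = (ts - started).total_seconds()
            if delay >= threshold_s:
                last[src] = {"source": src, "started": started,
                             "delay_s": delay, "fell_back_to_connector": False}
                findings.append(last[src])
        elif "fallback to cloud connector connection" in msg and src in last:
            last[src]["fell_back_to_connector"] = True
    return findings


if __name__ == "__main__":
    for f in find_cloud_cert_delays(SAMPLE_LOG.splitlines()):
        print(f"{f['source']}: cloud cert auth failed after {f['delay_s']:.1f}s, "
              f"connector fallback={f['fell_back_to_connector']}")
```

Run against the excerpt above, it reports a 44.7-second wait before the agent falls back to the connector, which is the delay users see at login.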

Resolution: This behavior can be changed so that the agent skips the cloud check and instead checks against the connector directly. The flow will now look like this:

client <-> connector <-> cloud

This can be accomplished via Group Policy by using the setting Computer Configuration > Centrify Settings > Windows Settings > MFA Settings > "Skip client certificate authentication".

Or via Regedit:

Add the below registry key in
HKLM > SOFTWARE > Centrify > DirectAuthorize > Agent:
(DWORD value 1)

Note: This DOES NOT mean that you are skipping a certificate check. It means that the certificate will now be validated against the connector. Again, this is recommended only for environments where the Windows machines have no internet connectivity.

Please ensure that all ports to the connectors are open: 
KB-8911: Firewall port settings for Centrify Privilege Service