Problem: When attempting MFA it takes a long time to get past the "connecting to authentication service" on Windows login.
Cause: This can happen if your Windows machines do not have access to the internet. By default the agent authenticates the client certificate against the cloud tenant directly. If internet access is blocked or a firewall is in the way, that request has to time out before the agent falls back, which causes the delay.
[2018-08-06 13:38:32.927 +0200] dzagent.exe[1796,10] Verbose: CloudHttpService.GetCloudClient: Start NegoCert...
[2018-08-06 13:39:17.661 +0200] dzagent.exe[1796,10] Error: CloudHttpService.GetCloudClient: Cloud cert auth (negotiatecertsecurity) failed: System.Threading.Tasks.TaskCanceledException: A task was canceled.
[2018-08-06 13:39:17.661 +0200] dzagent.exe[1796,10] Error: CloudHttpService.ConnectTenant: Failed to talk to cloud aaa0000.my.centrify.com, fallback to cloud connector connection: Centrify.DirectAuthorize.Mfa.CloudHttpService+WebProblemException: Connection Failure
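To confirm this is the cause before changing anything, the gap between the "Start NegoCert" line and the "Cloud cert auth ... failed" line is the time the logon spent waiting on the direct cloud check. The following PowerShell is an added example, not Centrify's code: it measures that gap from agent log lines (the sample lines are the ones quoted above) and optionally checks whether the tenant host is reachable on 443. The log file path is an assumption; use wherever your agent writes its log.

```powershell
# Added example (not Centrify's code): measure how long dzagent.exe waited on the
# direct cloud certificate check before giving up. Assumes the log line format
# shown in this article; the sample lines below are the ones quoted here.
function Get-NegoCertDelay {
    param([string[]]$LogLines)

    # Timestamp prefix: [yyyy-MM-dd HH:mm:ss.fff +0200]
    $stamp = '^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4}\]'
    $start = $null
    foreach ($line in $LogLines) {
        if (-not ($line -match $stamp)) { continue }
        # Both lines in one agent log carry the same UTC offset, so it is ignored here.
        $t = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        if ($line -match 'GetCloudClient: Start NegoCert') { $start = $t; continue }
        if ($start -and $line -match 'Cloud cert auth \(negotiatecertsecurity\) failed') {
            [pscustomobject]@{
                StartedAt    = $start
                FailedAt     = $t
                DelaySeconds = [math]::Round(($t - $start).TotalSeconds, 1)
                LikelyCause  = 'No direct route to the cloud tenant (firewall / no internet)'
            }
            $start = $null
        }
    }
}

# Quick reachability check for the tenant host named in the ConnectTenant error.
# A False result from a client that is supposed to be offline is expected and
# is exactly the situation SkipCertAuth is meant for.
function Test-CloudReachable {
    param([string]$TenantHost, [int]$Port = 443)
    Test-NetConnection -ComputerName $TenantHost -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
}

# Sample input: the two lines quoted in this article.
$sample = @(
    '[2018-08-06 13:38:32.927 +0200] dzagent.exe[1796,10] Verbose: CloudHttpService.GetCloudClient: Start NegoCert...',
    '[2018-08-06 13:39:17.661 +0200] dzagent.exe[1796,10] Error: CloudHttpService.GetCloudClient: Cloud cert auth (negotiatecertsecurity) failed: System.Threading.Tasks.TaskCanceledException: A task was canceled.'
)
Get-NegoCertDelay -LogLines $sample

# Against a real agent log (path is an assumption; adjust to your install):
# Get-NegoCertDelay -LogLines (Get-Content 'C:\path\to\dzagent.log')
# Test-CloudReachable -TenantHost 'aaa0000.my.centrify.com'
```

For the two sample lines the reported delay is roughly 44.7 seconds, which matches the wait users see at the "connecting to authentication service" prompt. Run it on the client that is slow, not on the connector: the point is to show that the client itself cannot reach the tenant, which is what justifies switching the validation path to the connector.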
Resolution: This behavior can be changed so that the agent skips the cloud check and instead checks against the connector directly. The flow will now look like this:
client <-> connector <-> cloud
This can be accomplished via Group Policy by enabling Computer Configuration > Centrify Settings > Windows Settings > MFA Settings > "Skip client certificate authentication"
Or via Regedit:
Add the below registry key in HKLM > SOFTWARE > Centrify > DirectAuthorize > Agent:
SkipCertAuth (DWORD value 1)
Note: This DOES NOT mean that you are skipping the certificate check. It means that the certificate will now be validated against the connector instead of directly against the cloud. Again, this is recommended only for environments where the Windows machines have no internet connectivity.
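The registry step above, applied and verified from PowerShell. This is an added example, not Centrify's code: the key path and value name are the ones given in this article; the functions are assumptions of this example. It needs an elevated session because HKLM is writable only by administrators.

```powershell
# Added example (not Centrify's code): apply and verify the SkipCertAuth setting
# described in this article. Set it to 1 only on machines with no route to the
# cloud tenant; on internet-connected machines leave the default in place.
$KeyPath   = 'HKLM:\SOFTWARE\Centrify\DirectAuthorize\Agent'
$ValueName = 'SkipCertAuth'

function Set-SkipCertAuth {
    param([ValidateSet(0, 1)][int]$Enabled = 1)
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # REG_DWORD, matching the value type the article specifies; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Enabled -PropertyType DWord -Force | Out-Null
}

function Test-SkipCertAuth {
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq 1) {
        $mode = 'Client certificate validated via the connector'
    } else {
        $mode = 'Client certificate validated directly against the cloud (default)'
    }
    [pscustomobject]@{
        Path    = $KeyPath
        Name    = $ValueName
        Value   = $current
        Applied = ($current -eq 1)
        Mode    = $mode
    }
}

# Run elevated. Check the current state first so the change is visible in the output.
Test-SkipCertAuth
Set-SkipCertAuth -Enabled 1
Test-SkipCertAuth
```

If the agent is later given internet access, `Set-SkipCertAuth -Enabled 0` restores the direct cloud check. The Group Policy setting named above writes the same value, so on domain-joined machines prefer the policy and use this script only for one-off fixes or for auditing what a machine is actually configured with.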