18 September,19 at 09:27 PM
Question:
Why is the trustworthy flag required to be enabled on the audit databases? Is it possible to function without it?
Answer:
The way DirectAudit authorization/query engine works is by deploying a .NET assembly (a.k.a. DLL) inside the databases using a well-known technique called SQL CLR integration. The .NET assembly that Centrify deploys is responsible for accessing external resource (e.g. to make a connection from the DA management database to a DA Audit Store database, access local registry to enable database trace etc. etc.) and as a result, this assembly has to be deployed with EXTERNAL ACCESS permission set and to deploy an assembly in EXTERNAL ACCESS mode the database must be marked as TRUSTWORTHY (which is a Microsoft requirement). Therefore it is not possible for DA to function without the Audit Store databases being marked as trustworthy.
KB-20210: Common Questions Regarding Centrify DirectControl and CoreOS
KB-2727: How to migrate SQL databases associated with a Centrify_DirectManage Audit installation from one database server to another
how to migrate databases associated with a Centrify DirectManage Audit 3.x installation
KB-6041: How to show current license type in use by adclient
KB-6040: How to change the license type in use after adclient successful joined to the AD?
KB-10203 How to rename DirectAudit Database?
[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I
KB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role?
[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III