Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-11957: Why is the trustworthy flag required to be enabled on the audit databases? Is it possible to function without it?

Auditing and Monitoring Service ,  

18 September,19 at 09:27 PM

Question:
Why is the trustworthy flag required to be enabled on the audit databases? Is it possible to function without it?

User-added image

Answer:
The way DirectAudit authorization/query engine works is by deploying a .NET assembly (a.k.a. DLL) inside the databases using a well-known technique called SQL CLR integration. The .NET assembly that Centrify deploys is responsible for accessing external resource (e.g. to make a connection from the DA management database to a DA Audit Store database, access local registry to enable database trace etc. etc.) and as a result, this assembly has to be deployed with EXTERNAL ACCESS permission set and to deploy an assembly in EXTERNAL ACCESS mode the database must be marked as TRUSTWORTHY (which is a Microsoft requirement).  Therefore it is not possible for DA to function without the Audit Store databases being marked as trustworthy.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-2727: How to migrate SQL databases associated with a Centrify_DirectManage Audit installation from one database server to another articlehow to migrate databases associated with a Centrify DirectManage Audit 3.x installation articleKB-3394: Is it possible to purge audit sessions older than 'x' number of days articleKB-10203 How to rename DirectAudit Database? articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-1983: Is it possible to customize the message "Account cannot be accessed at this time"