KB-1561: When do I need to use ZPA in fallback mode and how do I enable it?
Applies to: All versions of ZPA
Question:
When do I need to use ZPA in fallback mode and how do I enable it?
Answer:
Use ZPA in fallback mode if either of the following scenarios applies:
1) ZPA fails to retrieve valid UNIX attributes. For example, if the UNIX name option is set to “Source Zone” but the user has no profile defined in the source zone, ZPA fails and stops provisioning that user.
2) Two AD users generate the same UNIX name, so ZPA fails to provision the second AD user.
With the fallback mechanism, ZPA always retrieves a reasonable UNIX attribute by following the rules below, and appends a number to the UNIX username string when a duplicate is encountered:
User
- Uid: RFC2307 -> Source Zone -> auto generate from SID
- Username: RFC2307 -> Source Zone -> samAccountName
  If the retrieved attribute is a valid UNIX name string but is already used in the zone, ZPA appends a number to the end of the string. It tries 100 times; if the name is still duplicated, provisioning of this user fails. To increase the maximum number of attempts, modify this registry key: HKLM\Software\Centrify ZPA\MaxDupTrial
- Shell: RFC2307 -> Target zone's default shell -> /bin/bash
- Home: RFC2307 -> Target zone's default home -> /home/${user}
- Primary group: RFC2307 -> Source Zone -> Target zone default (Primary GID) -> private group
Group
- Gid: RFC2307 -> Source Zone -> auto generate from SID
- Group name: Source Zone -> RFC2307
  If the retrieved attribute is a valid UNIX name but duplicated, ZPA appends a number to the end of the string, the same as for the user's UNIX name.
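The following PowerShell script is an added illustrative model of the fallback rules listed above; it is not ZPA's own code, and ZPA's internal behaviour may differ. It assumes each user is a hashtable whose RFC2307 and SourceZone entries are hashtables (or $null) holding the attributes from that source, that the caller supplies the set of names already used in the target zone, and it uses a clearly labelled placeholder for the SID-to-UID derivation, which this KB does not describe. The functions Resolve-FirstValue, Resolve-UniqueName, Resolve-FallbackUser and Get-UidFromSidPlaceholder are names chosen for this example.

```powershell
# Added model of the KB's fallback precedence and duplicate-name handling (not ZPA code).

function Resolve-FirstValue {
    # Return the first non-empty candidate in precedence order, or $null if none is set.
    param([object[]]$Candidates)
    foreach ($c in $Candidates) {
        if ($null -ne $c -and "$c" -ne '') { return $c }
    }
    return $null
}

function Get-UidFromSidPlaceholder {
    # PLACEHOLDER: the KB only says the UID is "auto generated from SID" and does not give
    # the scheme. This stand-in uses the SID's RID (its last sub-authority) as the UID.
    param([string]$Sid)
    if (-not $Sid) { return $null }
    return [int]($Sid.Split('-')[-1])
}

function Resolve-UniqueName {
    # Append a number to a duplicated name. The KB says ZPA tries 100 times by default and
    # that HKLM\Software\Centrify ZPA\MaxDupTrial raises the limit.
    param(
        [string]$Name,
        [System.Collections.Generic.HashSet[string]]$UsedNames,
        [int]$MaxDupTrial = 100
    )
    if (-not $UsedNames.Contains($Name)) { return $Name }
    for ($i = 1; $i -le $MaxDupTrial; $i++) {
        $candidate = "$Name$i"
        if (-not $UsedNames.Contains($candidate)) { return $candidate }
    }
    throw "Provisioning of '$Name' fails: still duplicated after $MaxDupTrial attempts"
}

function Resolve-FallbackUser {
    param(
        [hashtable]$User,        # keys: RFC2307, SourceZone, Sid, samAccountName
        [hashtable]$TargetZone,  # keys: DefaultShell, DefaultHome, DefaultPrimaryGid
        [System.Collections.Generic.HashSet[string]]$UsedNames,
        [int]$MaxDupTrial = 100
    )
    $rfc = $User.RFC2307
    $src = $User.SourceZone
    # Username: RFC2307 -> Source Zone -> samAccountName, then de-duplicated
    $name = Resolve-FirstValue @($rfc.Username, $src.Username, $User.samAccountName)
    if (-not $name) { throw "No UNIX username could be derived for SID $($User.Sid)" }
    $name = Resolve-UniqueName -Name $name -UsedNames $UsedNames -MaxDupTrial $MaxDupTrial
    [void]$UsedNames.Add($name)
    # Uid: RFC2307 -> Source Zone -> auto generate from SID (placeholder scheme)
    $uid = Resolve-FirstValue @($rfc.Uid, $src.Uid, (Get-UidFromSidPlaceholder $User.Sid))
    [pscustomobject]@{
        Username   = $name
        Uid        = $uid
        # Shell: RFC2307 -> target zone default -> /bin/bash
        Shell      = Resolve-FirstValue @($rfc.Shell, $TargetZone.DefaultShell, '/bin/bash')
        # Home: RFC2307 -> target zone default -> /home/${user}
        Home       = Resolve-FirstValue @($rfc.Home, $TargetZone.DefaultHome, "/home/$name")
        # Primary group: RFC2307 -> Source Zone -> target zone default -> private group
        # (modelling the private group as GID == UID is an assumption of this example)
        PrimaryGid = Resolve-FirstValue @($rfc.Gid, $src.Gid, $TargetZone.DefaultPrimaryGid, $uid)
    }
}

# Constructed sample input: two AD accounts with no RFC2307 or source-zone profile that
# both derive the same name from samAccountName, plus one account with a full RFC2307 profile.
$used   = [System.Collections.Generic.HashSet[string]]::new()
$target = @{ DefaultShell = '/bin/sh'; DefaultHome = $null; DefaultPrimaryGid = 1000 }
$users  = @(
    @{ Sid = 'S-1-5-21-1-2-3-1105'; samAccountName = 'jsmith'; RFC2307 = $null; SourceZone = $null },
    @{ Sid = 'S-1-5-21-9-8-7-2210'; samAccountName = 'jsmith'; RFC2307 = $null; SourceZone = $null },
    @{ Sid = 'S-1-5-21-1-2-3-1106'; samAccountName = 'adoe'; SourceZone = $null
       RFC2307 = @{ Username = 'alice'; Uid = 5001; Shell = '/bin/zsh'; Home = '/export/home/alice'; Gid = 5000 } }
)
$users | ForEach-Object { Resolve-FallbackUser -User $_ -TargetZone $target -UsedNames $used } | Format-Table
```

Running the sample shows the two colliding accounts receiving distinct names (the second gets a numeric suffix) rather than the second provisioning failing, and the account with a complete RFC2307 profile keeping its RFC2307 values ahead of every default. Feeding the script your own exported account data before enabling fallback mode lets you see which accounts would collide and how they would be renamed.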
To enable FallbackMode, follow the instructions below on the machine running the ZPA service:
1. Open Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Centrify ZPA\
3. Create a DWORD value named "FallbackMode" and set its value to 1.
4. Open the ZPA configuration panel and then restart the ZPA service.
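The same registry change can be scripted; the following is an added example (not from this KB or from Centrify) that sets the FallbackMode DWORD under HKLM\SOFTWARE\Centrify ZPA, optionally sets MaxDupTrial, and reads the values back so you can confirm what is actually in effect. It must run in an elevated PowerShell session on the ZPA machine. The KB does not name the ZPA Windows service, so $ZpaServiceName is a placeholder to replace with the service name shown by Get-Service; the function names are chosen for this example.

```powershell
# Added example: enable ZPA FallbackMode via the registry and verify the setting.
$ZpaKey         = 'HKLM:\SOFTWARE\Centrify ZPA'
$ZpaServiceName = 'REPLACE-WITH-ZPA-SERVICE-NAME'   # placeholder: check Get-Service on the ZPA host

function Enable-ZpaFallbackMode {
    # Sets FallbackMode=1; -MaxDupTrial also raises the duplicate-suffix attempt limit the KB describes.
    param([int]$MaxDupTrial)
    if (-not (Test-Path $ZpaKey)) {
        throw "ZPA registry key not found: $ZpaKey (is ZPA installed on this machine?)"
    }
    New-ItemProperty -Path $ZpaKey -Name 'FallbackMode' -PropertyType DWord -Value 1 -Force | Out-Null
    if ($PSBoundParameters.ContainsKey('MaxDupTrial')) {
        New-ItemProperty -Path $ZpaKey -Name 'MaxDupTrial' -PropertyType DWord -Value $MaxDupTrial -Force | Out-Null
    }
    # Read back what is now stored so the change is verified, not assumed.
    Get-ItemProperty -Path $ZpaKey | Select-Object FallbackMode, MaxDupTrial
}

function Test-ZpaFallbackMode {
    # Returns $true only when FallbackMode exists and equals 1.
    $props = Get-ItemProperty -Path $ZpaKey -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.FallbackMode -eq 1)
}

Enable-ZpaFallbackMode
if (Test-ZpaFallbackMode) {
    # KB step 4: the setting takes effect only after the ZPA service is restarted.
    Restart-Service -Name $ZpaServiceName
}
```

Because these values live under HKLM, only an administrator can change them; keeping the script under change control and re-running Test-ZpaFallbackMode after a restart is a simple way to confirm the provisioning behaviour you expect is the one in effect.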