
KB-16163: Fail to cenroll when machine is added to PAS portal by Discovery

Privileged Access Service

15 July,19 at 08:32 AM

Applied to: Centrify Privilege Access Service

Problem:
After machines are added to the Centrify Privilege Access Service (PAS) portal by discovery, running "cenroll" with the Centrify agent on Linux fails with the following error:


Failed to enroll in Centrify identity platform: Failed to update agent
Verbose: Details: Failed to update agent
 
Answer: 

 
If the computer is domain joined and has been added to PAS by discovery, cenroll will fail because of a conflicting unique ID, even when a different, non-existent resource name is specified.

A machine that was previously domain joined with Centrify Authentication Service (adjoin) has a computer object in AD, and CPS discovery adds system objects (also known as resources) to PAS for the computer objects "discovered" from AD. Centrify needs a way to avoid creating yet another system object on PAS when the adjoined machine also enrolls in the identity platform.

Solution:

Grant the user who performs the cenroll command the "Grant", "Edit" and "Delete" permissions on the targeted machine, then try the cenroll command again. These are the permissions a principal needs to become a resource owner.
