Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-1638: How to configure DirectControl running inside a firewall DMZ for user authentication with cross-forest trust?

Auditing and Monitoring Service ,   Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:12 AM

Applies to: Centrify DirectControl 4.x or above

How to configure DirectControl running inside a firewall DMZ for user authentication with cross-forest trust?

Kerberos cannot be used to authenticate users in this case due to the referral-ticket nature of Kerberos and firewall blocks. However NTLM authentication will work because the Windows domain controllers completely handle the referral process and eventually channel the authentication requests from the DMZ root domain controller to the corporate root domain controller where it can make it across the firewall. Hence DirectControl needs to know the list of domains that use the NTLM authentication method rather than Kerberos. This helps with users that are behind a firewall where the Kerberos ports are blocked, but a trust relationship exists between domains inside and outside the firewall.  The domain names must be AD domain names (not NTLM names).

Edit /etc/centrifydc/centrifydc.conf, modify the following 2 parameter:

A list of AD to NTLM domain mappings should be specified with this parameter as the firewall also prevents the automatic discovery of AD to NTLM domain mappings.

You can specify a file of colon separated values of the form as an example below:


or directly specify the values inside centrifydc.conf


Note: This assumes the environment is allowing NTLM traffic to flow through the firewall. One way to accomplish this is to setup a VPN between the root domain controllers inside and outside the firewall.

When modifying centrifydc.conf file, restart adclient or run 'adreload' command.