Applies to: Centrify DirectControl 4.x or above

Question:
How to configure DirectControl running inside a firewall DMZ for user authentication with cross-forest trust?

Answer:
Kerberos cannot be used to authenticate users in this case due to the referral-ticket nature of Kerberos and firewall blocks. However NTLM authentication will work because the Windows domain controllers completely handle the referral process and eventually channel the authentication requests from the DMZ root domain controller to the corporate root domain controller where it can make it across the firewall. Hence DirectControl needs to know the list of domains that use the NTLM authentication method rather than Kerberos. This helps with users that are behind a firewall where the Kerberos ports are blocked, but a trust relationship exists between domains inside and outside the firewall.  The domain names must be AD domain names (not NTLM names).

Edit /etc/centrifydc/centrifydc.conf, modify the following 2 parameter:

pam.ntlm.auth.domains: acme.com xyz.com

A list of AD to NTLM domain mappings should be specified with this parameter as the firewall also prevents the automatic discovery of AD to NTLM domain mappings.

You can specify a file of colon separated values of the form as an example below:

ADDomain:NtlmDomain

adclient.ntlm.domains 

or directly specify the values inside centrifydc.conf

Example:

adclient.ntlm.domains: ACME.COM:ACME XYZ.COM:XYZ


Note: This assumes the environment is allowing NTLM traffic to flow through the firewall. One way to accomplish this is to setup a VPN between the root domain controllers inside and outside the firewall.

When modifying centrifydc.conf file, restart adclient or run 'adreload' command.