
KB-1797: Secondary Group membership not resolving across Forest in 1-way trust.

Authentication Service, Mac & PC Management Service

11 August,17 at 09:37 PM

Applies to:
All versions of Centrify DirectControl ZPA
In a 1-way trust where the resource domain trusts the accounts domain, ZPA (Zone Provisioning Agent) allows groups from the accounts domain to be added into a zone in the resource domain. The Console shows the groups as zone-enabled; however, secondary groups do not resolve across the 1-way forest trust. Commands like adquery group or lsgroup (AIX) fail to work for secondary groups. Is there any reason?
This is a known limitation of ZPA and will be addressed in future releases of the product. There is a known Microsoft limitation: in a 1-way trust, it is not possible to add groups from the accounts domain. Without ZPA (i.e. manually adding groups into zones), you will not be able to even browse to the resource domain.