
KB-1842: Servers behind a firewall are running in disconnected mode several times per day.

Centrify DirectControl

12 April,16 at 11:37 AM

Applies to:
 
All versions of Centrify DirectControl.
 
Problem:
 
On a couple of Centrify servers behind a firewall, the Centrify adclient "disconnects" several times per day. Is there any reason for this?
 
For example:
 
$ adinfo
Local host name: server2
Joined to domain: xyz.com
Joined as: server2.xyz.com
Pre-win2K name: server2
Current DC: dc.xyz.com
Preferred site: Charlotte
Zone: IM/UNIX/Zones/Customer_Websphere_Internal_PCI
CentrifyDC mode: connected
 
These servers are behind a firewall that only allows connectivity to 4 domain controllers, all in the same site.
 
The following lines were added to the /etc/centrifydc/centrifydc.conf file to limit adclient's attempts to use other domain controllers:
 
dns.dc.xyz.com: dc1.xyz.com dc2.xyz.com dc3.xyz.com dc4.xyz.com
dns.gc.xyz.com: dc1.xyz.com dc2.xyz.com dc3.xyz.com dc4.xyz.com
adclient.server.try.max: 4
 
The firewall team determined that there were no DNS query drops across the firewall. They noted, however, that they are seeing attempts to connect to domain controllers outside of the four that are specified. Any reason?
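The check the firewall team did by hand can be scripted on the server itself. The POSIX sh function below is an added example and not part of this KB or the Centrify product: it reads adinfo output on standard input and reports whether adclient is in connected mode and whether the "Current DC" it is using is one of the DCs the firewall permits. The sample output embedded in the block is constructed from the adinfo output shown above; the DC names passed as arguments are assumed values.

```sh
#!/bin/sh
# Added example (not Centrify's own tooling): verify from `adinfo` output that
# adclient is connected and is talking to a DC the firewall actually permits.

# trim STRING: strip leading/trailing whitespace (and a stray CR from pasted output)
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# check_adinfo ALLOWED_DC...
# Reads `adinfo` output from stdin. Returns 0 when "CentrifyDC mode" is
# "connected" and "Current DC" is one of the ALLOWED_DC arguments; 1 when the
# agent is in disconnected mode; 2 when it is connected to a DC outside the list.
check_adinfo() {
    mode=""; dc=""
    while IFS= read -r line; do
        case "$line" in
            "CentrifyDC mode:"*) mode=$(trim "${line#*:}") ;;
            "Current DC:"*)      dc=$(trim "${line#*:}") ;;
        esac
    done
    if [ "$mode" != "connected" ]; then
        echo "adclient is not connected (mode: ${mode:-unknown})" >&2
        return 1
    fi
    for allowed in "$@"; do
        [ "$dc" = "$allowed" ] && return 0
    done
    echo "adclient is using DC '$dc', which is not in the allow-list: $*" >&2
    return 2
}

# Constructed sample: the adinfo output quoted in the KB above.
SAMPLE_ADINFO='Local host name: server2
Joined to domain: xyz.com
Joined as: server2.xyz.com
Pre-win2K name: server2
Current DC: dc.xyz.com
Preferred site: Charlotte
Zone: IM/UNIX/Zones/Customer_Websphere_Internal_PCI
CentrifyDC mode: connected'

# Live use (assumed DC names, matching the dns.dc.xyz.com line in the KB):
#   adinfo | check_adinfo dc1.xyz.com dc2.xyz.com dc3.xyz.com dc4.xyz.com
if printf '%s\n' "$SAMPLE_ADINFO" | check_adinfo dc.xyz.com dc2.xyz.com; then
    echo "OK: connected to an allowed DC"
fi
```

Run it from cron or a monitoring agent and alert on a non-zero exit: return code 1 catches the disconnects described in this KB as they happen, and return code 2 catches the case the firewall team saw, where adclient has picked a DC the firewall will never let it reach.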
 
Cause:
 
Centrify disconnects, and creates those unwanted connections to other DCs, because of the parameter adclient.ldap.trust.enabled in the /etc/centrifydc/centrifydc.conf file. This configuration parameter specifies whether Centrify DirectControl is allowed to query trusted domains and forests for transitive trust information. The parameter's value can be true or false.

If you set this parameter to true, Centrify DirectControl generates a krb5.conf that includes information from all trusted forests and can be used to authenticate cross-forest users to Kerberos applications. If you set this parameter to false, Centrify DirectControl does not query external trusted domains or forests for information.

In the above scenario, Centrify tried to reach DCs in trusted domains; since those DCs were not among the hardcoded ones, adclient momentarily went into disconnected mode.
 
Workaround:
 
By default, the parameter adclient.ldap.trust.enabled is set to true in /etc/centrifydc/centrifydc.conf. Edit the centrifydc.conf file (Group Policies can also be used), uncomment the parameter and set it to false.
 
Additionally, you can block the unwanted domains reported in the debug logs by using the parameter below in the /etc/centrifydc/centrifydc.conf file.
 
dns.dc.yourdomain_to_be_blocked.com: nosuchhost 
 
Other parameters, such as adclient.dns.response.maxtime and adclient.ldap.timeout, can also be raised to higher values across slow networks.
 
After changing /etc/centrifydc/centrifydc.conf, run adreload (to re-read the parameters) and adflush (to clear the cache).
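The workaround above is a three-step edit that is easy to get subtly wrong by hand (leaving the default line commented out, or adding a second copy of a key). The POSIX sh script below is an added example, not Centrify's own tooling: it sets adclient.ldap.trust.enabled to false, adds the nosuchhost override for each domain to be blocked, and then calls adreload and adflush as the KB instructs. It assumes that the matching dns.gc.* line should be blocked alongside dns.dc.*, mirroring the dns.dc/dns.gc pair the KB uses for xyz.com; the domain legacy.example and the file contents used in the demonstration are constructed.

```sh
#!/bin/sh
# Added example (not Centrify's own tooling): apply the workaround from this KB to a
# centrifydc.conf file idempotently, then reload adclient. Rehearse on a copy of
# the file before touching /etc/centrifydc/centrifydc.conf.
set -e

# escape_key KEY: escape the dots in a dotted parameter name for use in a regex
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_param FILE KEY VALUE
# Replaces an existing "KEY: value" line, commented out or not, with "KEY: VALUE",
# or appends the line if KEY is absent. Matching the whole key up to the colon
# keeps dns.dc.xyz.com from also rewriting dns.dc.xyz.com.au.
set_param() {
    file=$1; key=$2; value=$3
    pat=$(escape_key "$key")
    tmp=$(mktemp)
    if grep -q "^[#[:space:]]*${pat}[[:space:]]*:" "$file"; then
        sed "s|^[#[:space:]]*${pat}[[:space:]]*:.*|${key}: ${value}|" "$file" > "$tmp"
    else
        # append, adding a newline first if the file does not end with one
        { cat "$file"; [ -n "$(tail -c1 "$file")" ] && echo; printf '%s: %s\n' "$key" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file"   # write in place to keep the file's owner and mode
    rm -f "$tmp"
}

# get_param FILE KEY: print the effective (last uncommented) value, empty if unset
get_param() {
    pat=$(escape_key "$2")
    grep "^${pat}[[:space:]]*:" "$1" | tail -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# block_domain FILE DOMAIN
# Points the DC and GC lookups for DOMAIN at a host that does not exist, so
# adclient stops trying to reach it. The KB shows the dns.dc.* line; adding the
# matching dns.gc.* line, as the KB's own allow-list does for xyz.com, is an assumption.
block_domain() {
    set_param "$1" "dns.dc.$2" nosuchhost
    set_param "$1" "dns.gc.$2" nosuchhost
}

# apply_workaround FILE [BLOCKED_DOMAIN...]
apply_workaround() {
    file=$1; shift
    set_param "$file" adclient.ldap.trust.enabled false
    for d in "$@"; do
        block_domain "$file" "$d"
    done
}

# reload_adclient: re-read the file and drop cached DC information, as the KB
# instructs. Does nothing on a machine without the Centrify commands.
reload_adclient() {
    command -v adreload >/dev/null 2>&1 || { echo "adreload not found; skipping" >&2; return 0; }
    adreload && adflush
}

# Demonstration on a constructed file. For the real thing:
#   apply_workaround /etc/centrifydc/centrifydc.conf legacy.example && reload_adclient
DEMO=$(mktemp)
printf '%s\n' \
    '# adclient.ldap.trust.enabled: true' \
    'dns.dc.xyz.com: dc1.xyz.com dc2.xyz.com dc3.xyz.com dc4.xyz.com' \
    'adclient.server.try.max: 4' > "$DEMO"
apply_workaround "$DEMO" legacy.example   # legacy.example: constructed trusted domain to block
cat "$DEMO"
rm -f "$DEMO"
```

Running apply_workaround twice leaves exactly one line per key, so the script is safe to re-run from configuration management; compare get_param output before and after against the firewall team's allow-list to confirm nothing outside the four permitted DCs remains referenced.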
 
Resolution:
 
None. 
 
For more details on the above parameters, please refer to the Centrify DirectControl Config reference guide.
 