12 April,16 at 11:24 AM
Question:
If there are multiple trusted domains, Centrify-Enabled Putty takes a long time to obtain a host ticket. How do I optimize this issue?
Answer:
By default, Centrify-Enabled Putty tries to get the host ticket on the logon domain (Realm) only.
If the host is not in the same realm as the user, the user can go to Putty's Kerberos tab and select "Find machine from trusted domains". Putty will try to get the host ticket from other trusted domains when this checkbox is selected.
This function is a requirement when the host is from another forest or from an external trusted domain.
To speed up the process, specify the service principal name in the Kerberos tab. This will instruct Centrify-Enabled PuTTY to talk to the specified KDC only.
The SPN should be like this:
host/yourmachine.yourdomain.com@YOURREALM
KB-20210: Common Questions Regarding Centrify DirectControl and CoreOS
KB-8267: Basic Steps for Getting and Using a Host Ticket For Single Sign On
[How to] Force Kerberos SSH Authentication, and Disable SSH Public Key Authentication
KB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out?
Centrify's Privileged Identity Management Solution for Big Data
KB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)
KB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?
KB-6041: How to show current license type in use by adclient
Centrify 17.4 and 17.4 Hotfix Release Notes