Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2265: How is Kerberos used with Centrify?

Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:47 AM


How is Kerberos used with Centrify with regard to UNIX-to-Active Directory authentications? 


Centrify does not provide specific documentation describing how Kerberos works in general, as this is assumed prerequisite knowledge which can be acquired through textbooks or MIT documentation (Reference links have been provided at the end of this KB). Centrify also does not perform any special custom actions in its implementation of Kerberos.

The CentrifyDC involvement is as follows:
  • On adjoin, krb5.keytab is automatically created.
  • On a user interactive login, adclient will do a Kerberos authentication on behalf of the application (sshd) and create the user Kerberos cache.
  • On adclient startup and also periodically, it will update krb5.conf to reflect the Kerberos realm topology.
  • adclient will periodically update the system krb5.keytab.
  • adclient can automatically renew an active user's credential cache.
  • adkeytab is a tool to help the process of various krb5.keytab creation/maintenance operations.
NOTE: The adclient involvement ends after it creates the user credential cache and places the tickets on the system. 

For external applications to use Kerberos authentication, it is entirely up to the third-party application to already have the underlying code (and be configured) to use standard Kerberos protocols properly.

For further reading on Kerberos and its implementation in Active Directory, please see the following links: (Provided as a courtesy)