KB-2447: One way trust won't allow login from the trusted domain

Centrify DirectControl

12 April 2016 at 11:11 AM

Applies to: Centrify DirectControl 4.4.3 and above on all platforms.
 
Problem:
 
A one-way trust environment has been set up, and authentication of users from the trusted domain worked fine until the agent was upgraded to version 4.4.3.
 
The following messages were observed in the Centrify debug log when authentication failed:
 
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> base.adagent Domain Level for 'DEF.COM' is not PreW2K8
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> base.adagent Domain Level for 'abc.com' is not PreW2K8
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> dns.findkdc KDC locator for DEF.COM
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> dns.findsrv FindSrvFromDns(0): _kerberos._tcp._sites.DEF.COM
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> network.state skipping known badKPasswd port
Sep 21 20:13:36 testmachine auth|security:debug last message repeated 15 times
 
Cause:
 
In the log above, adclient locates the KDCs for the trusted domain (dns.findkdc / dns.findsrv) and then skips each one with "skipping known badKPasswd port" (the syslog "last message repeated 15 times" line means every KDC it tried was skipped). That message means the agent has already found the kpasswd port on that domain controller to be unreachable: port 464 is blocked between the agent host and the trusted domain's domain controllers.
 
Starting with Centrify DirectControl 4.4.3, the agent uses new domain controller locator and DNS code. For a KDC to be considered usable, its kpasswd service (TCP and UDP port 464) must be reachable, because the agent uses it to change the computer account password. A KDC whose kpasswd port is blocked is skipped; when every KDC of the trusted domain is skipped, users from that domain can no longer log in.
 
This requirement is not new. Earlier versions simply did not enforce it, so a filtered kpasswd port went unnoticed as long as Kerberos (port 88) and LDAP were open.
 
Resolution:
 
Open kpasswd (TCP and UDP port 464) on the firewall between the agent hosts and the domain controllers of the trusted domain. Both TCP and UDP must be allowed; opening TCP alone is not sufficient.
 
For a complete list of ports, please see KB-0029.
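To confirm the diagnosis from a debug log and then verify the firewall change, the following added Python script (written for this article; it is not part of the article or of Centrify's own tooling) does two things: it counts, per domain, how many KDCs adclient skipped for a bad kpasswd port, expanding syslog's "last message repeated N times" lines, and it tests whether TCP port 464 can be reached on a given domain controller. The embedded log excerpt is the one from this article; host names passed on the command line are whatever your environment's domain controllers are.

```python
import re
import socket
import sys
from collections import Counter

# Debug-log excerpt as shown in this article. Syslog collapses identical
# consecutive messages into a "last message repeated N times" line.
SAMPLE_LOG = """\
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> base.adagent Domain Level for 'DEF.COM' is not PreW2K8
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> base.adagent Domain Level for 'abc.com' is not PreW2K8
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> dns.findkdc KDC locator for DEF.COM
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> dns.findsrv FindSrvFromDns(0): _kerberos._tcp._sites.DEF.COM
Sep 21 20:13:36 testmachine auth|security:debug adclient[10682400]: DEBUG <fd:24 PAMVerifyPassword> network.state skipping known badKPasswd port
Sep 21 20:13:36 testmachine auth|security:debug last message repeated 15 times
"""

FINDKDC_RE = re.compile(r"dns\.findkdc KDC locator for (\S+)")
BADKPASSWD_RE = re.compile(r"network\.state skipping known badKPasswd port")
REPEATED_RE = re.compile(r"last message repeated (\d+) times")

KPASSWD_PORT = 464


def count_bad_kpasswd(log_text):
    """Return {domain: n}, where n is how many times adclient skipped a KDC of
    that domain because its kpasswd port was marked bad.

    The domain is taken from the most recent 'KDC locator for X' line, and a
    syslog 'repeated N times' line is counted against the message before it.
    """
    counts = Counter()
    domain = None
    last_was_bad = False
    for line in log_text.splitlines():
        m = FINDKDC_RE.search(line)
        if m:
            domain = m.group(1)
            last_was_bad = False
            continue
        if BADKPASSWD_RE.search(line):
            counts[domain or "<unknown>"] += 1
            last_was_bad = True
            continue
        m = REPEATED_RE.search(line)
        if m and last_was_bad:
            counts[domain or "<unknown>"] += int(m.group(1))
            continue
        last_was_bad = False
    return dict(counts)


def kpasswd_reachable(host, port=KPASSWD_PORT, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout.

    This only proves the TCP side. UDP 464 has no handshake to test this way,
    so it still has to be confirmed from the firewall rules.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdcs(hosts, port=KPASSWD_PORT):
    """Return {host: reachable} for every domain controller in hosts."""
    return {host: kpasswd_reachable(host, port) for host in hosts}


if __name__ == "__main__":
    # Triage the article's log excerpt, then probe any DCs given as arguments.
    for domain, skipped in count_bad_kpasswd(SAMPLE_LOG).items():
        print(f"{domain}: {skipped} KDC attempts skipped for a bad kpasswd port")
    for host, ok in check_kdcs(sys.argv[1:]).items():
        print(f"{host}:{KPASSWD_PORT}/tcp {'open' if ok else 'BLOCKED'}")
```

Run it with the trusted domain's domain controllers as arguments (for example `python3 kpasswd_check.py dc1.example.com dc2.example.com`) before and after the firewall change; every DC that adclient may select must report open, and UDP 464 must be permitted by the same rule, since the script cannot verify UDP.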
