Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2455: How to configure ZPA to provision cross forest users with two-way trust

Authentication Service ,  

12 April,16 at 11:37 AM

Applies to:

All versions of Centrify Zone Provisioning Agent on Windows platforms

 

Question:

How do you configure or set up ZPA to provision users cross forest in a two-way trust with unique gid?

 

Answer:

This is a basic set up for ZPA to provision cross forest users.  Follow the steps below:

 

1. In Domain 1, create a Domain Local Security Group call it Group_domain1

 

2. In Domain 2, Create another group with Domain Local Security Group call it Group_domain2
 

3. Add users from both Domains into Group_domain1, i.g. user1@domain1.com and user2@domain2.com

 

4. Add users that you want to provision from Domain2 into Group_domain2 - if you don't do this, ZPA will error with "No primary group found".

 

5. In the ZPA zone, go to Groups, and add both Group_domain1 and Group_domain2.

 

6. Add Group_domain1 into an AD group called ZPA_MasterGroup.  Meaning, in the ZPA source group, you would select ZPA_MasterGroup which contains Group_domain1.

 

7. In ZPA, add ZPA_Mastergroup to Source Group.

 

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleA Primer on Centrify and Active Directory External One-Way Trusts articleKB-4214: ZPA cannot find user's primary group for provisioning article[HOWTO] Setup the Zone Provisioning Agent articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6041: How to show current license type in use by adclient articleKB-1638: How to configure DirectControl running inside a firewall DMZ for user authentication with cross-forest trust? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-2434: Why does ZPA allow groups to be added from accounts domain in a 1-way trust?