Applies to: All versions of Centrify DirectControl.
How can an AD user's credentials be "pre-cached" so that a Centrify system can be set up and joined to the domain in the office, shipped to a user at a remote location, and that user can log in offline immediately, without first having to connect to the network?
This can be achieved via the prevalidation feature.
=== Pre-requisite: Registering AD Users to the Preval Service ===
Any user who is going to be prevalidated will first need to be registered into the 'preval' service in Active Directory:
1. On a Windows AD server, open the command prompt and run:
setspn -A preval/[ad_username] [ad_username]
For example, for the user 'john_doe' the command would be:
setspn -A preval/john_doe john_doe
2. Repeat this for each user that is going to be prevalidated (this is required even if prevalidation by Group is going to be used).
=== Configuring Centrify systems to allow prevalidation ===
There are two options for setting up prevalidation on Centrify systems. Note that these methods cannot be combined: if the Group Policy is enabled, it overwrites any changes made to the corresponding parameters in centrifydc.conf.
- Option 1. Group Policy (to pre-validate a set of users on multiple machines) under:
/ Computer Configuration / Centrify Settings / DirectControl Settings / Account Prevalidation /
- Option 2. Directly editing the /etc/centrifydc/centrifydc.conf file and setting either one or both of the following parameters (for specific users on specific machines):
To edit the centrifydc.conf file directly:
1. On the Centrify system that the user is going to be prevalidated on, log in as root and open the /etc/centrifydc/centrifydc.conf file for editing.
2. Search for the "adclient.prevalidate.allow.users" section and either uncomment the example parameters, or create a clean new line below and enter:
To prevalidate more than one user for that computer, enter the names as a comma-separated list, for example:
3. Save the centrifydc.conf file. Make sure the system is in Connected mode and run the commands:
To ensure their validity, the credentials for prevalidated users and groups are periodically retrieved from Active Directory. The credentials are refreshed whenever the following is performed:
- The computer is rebooted.
- Centrify DirectControl agent is started or restarted.
- adflush is run while connected to the network.
- The user password is changed from the local system.
When using prevalidation by group, make sure that the AD group is recognised by the Centrify agent. To check which group names are visible for a specific user, run the following command from the Centrify system:
adquery user --groups ad_username
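The following is an added example (not Centrify's own tooling) that reads the prevalidation lists from a centrifydc.conf and checks whether a given user is explicitly prevalidated, ignoring the commented-out example lines that Option 2 tells you to uncomment. It assumes the "key: value" line syntax shown above, "#" comments, comma-separated values, and that adclient.prevalidate.allow.groups is the group counterpart of adclient.prevalidate.allow.users; the sample file is constructed for the demonstration.

```shell
#!/bin/sh
# Inspect centrifydc.conf prevalidation settings (added example, not Centrify code).
# Assumes "key: value" lines, "#" comments and comma-separated lists.
# adclient.prevalidate.allow.groups is assumed to be the group counterpart
# of adclient.prevalidate.allow.users.

# Constructed sample conf: the shipped example line is still commented out
# and must be ignored; the two active lines are what the agent would use.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Example (commented out, must not count as configuration):
#adclient.prevalidate.allow.users: example_user
adclient.prevalidate.allow.users: john_doe, jane_doe
adclient.prevalidate.allow.groups: remote_laptops
EOF

# prevalidate_value <conf> <key>: prints each entry of the last active
# (non-comment) line for <key>, one per line, with whitespace trimmed.
prevalidate_value() {
    conf=$1
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -v '^[[:space:]]*#' "$conf" \
      | sed -n "s/^[[:space:]]*${key_re}[[:space:]]*:[[:space:]]*//p" \
      | tail -n 1 \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -v '^$'
}

# is_prevalidated <conf> <user>: succeeds only if the user is listed
# explicitly in adclient.prevalidate.allow.users (group membership is not
# resolved here; check that with "adquery user --groups" as described above).
is_prevalidated() {
    prevalidate_value "$1" adclient.prevalidate.allow.users | grep -qxF "$2"
}

echo "Prevalidated users:";  prevalidate_value "$SAMPLE_CONF" adclient.prevalidate.allow.users
echo "Prevalidated groups:"; prevalidate_value "$SAMPLE_CONF" adclient.prevalidate.allow.groups
is_prevalidated "$SAMPLE_CONF" john_doe     && echo "john_doe: prevalidated"
is_prevalidated "$SAMPLE_CONF" example_user || echo "example_user: not prevalidated (line is commented out)"
```

Point the functions at /etc/centrifydc/centrifydc.conf on a real system to audit what the agent will actually cache before the machine is shipped.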
For further background reading on prevalidation in Centrify, please refer to the KB article: