
KB-2505: How to set up prevalidation (pre-caching) of the AD cache.

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:11 AM

Applies to: All versions of Centrify DirectControl.
 
Question:  
How can an AD user's credentials be "pre-cached" so that a Centrify system can be set up and joined to the domain in the office, shipped to a user in a remote location, and give that user immediate offline login access without first having to connect to the network?
 
Answer:
This can be achieved via the prevalidation feature.
 
 
=== Pre-requisite: Registering AD Users to the Preval Service === 
 
Any user who is going to be prevalidated will first need to be registered into the 'preval' service in Active Directory:
 
1. On a Windows AD server, open the command prompt and run: 
 
  setspn -A preval/[ad_username] [ad_username] 
 
For example, for the user 'john_doe' the command would be: 
 
 setspn -A preval/john_doe john_doe 
2. Repeat this for each user that is going to be prevalidated (this is required even if prevalidation by Group is going to be used). 
=== Configuring Centrify systems to allow prevalidation === 
 
There are two options for setting up prevalidation on Centrify systems. Note that these methods cannot be combined: if the Group Policy is enabled, it overwrites any changes made to those parameters in centrifydc.conf.
 
- Option 1. Group Policy (to prevalidate a set of users on multiple machines), under:

  / Computer Configuration / Centrify Settings / DirectControl Settings / Account Prevalidation /

- Option 2. Directly editing the /etc/centrifydc/centrifydc.conf file and setting one or both of the following parameters (for specific users on specific machines):

  adclient.prevalidate.allow.users
  adclient.prevalidate.allow.groups
 
 
To edit the centrifydc.conf file directly:
 
1. On the Centrify system that the user is going to be prevalidated on, log in as root and open the /etc/centrifydc/centrifydc.conf file for editing.
 
2. Search for the "adclient.prevalidate.allow.users" section and either uncomment the example parameters, or create a clean new line below and enter: 
 
  adclient.prevalidate.allow.users: ad_username
 
or 
 
  adclient.prevalidate.allow.groups: ad_groupname
 
To prevalidate more than one user for that computer, enter the names as a comma-separated list, for example (sample names only):

  adclient.prevalidate.allow.users: john_doe,jane_doe

3. Save the centrifydc.conf file. Make sure the system is in Connected mode and run the commands: 
 
  sudo adreload 
  sudo adflush 
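
As an added example (not Centrify's own tooling), the following shell script audits the prevalidation entries in a centrifydc.conf-style file: it lists the configured users and groups, checks whether a given user is named, and prints the setspn registration command that the prerequisite section above requires for every listed user, even when prevalidation by group is used. The configuration content is a constructed sample; the parameter names are those shown above, while the user and group names in it are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Centrify product: audit prevalidation
# entries in a centrifydc.conf-style file ("key: value", comma-separated
# values, '#' comment lines). The sample config below is constructed.

SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# adclient.prevalidate.allow.users: example_user   (commented-out example, ignored)
adclient.prevalidate.allow.users: john_doe, jane_doe,bob_smith
adclient.prevalidate.allow.groups: field_laptops
EOF

# Print the comma-separated values of one parameter, one per line,
# skipping comment lines and trimming surrounding whitespace.
conf_values() {  # $1 = parameter name, $2 = conf file
    grep -E "^[[:space:]]*$1[[:space:]]*:" "$2" |
        sed -E 's/^[^:]*://' |
        tr ',' '\n' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' |
        grep -v '^$'
}

# Exit 0 if the user is explicitly named in adclient.prevalidate.allow.users
# (group membership is not resolved here; that needs adquery on a joined host).
is_prevalidated() {  # $1 = AD username, $2 = conf file
    conf_values adclient.prevalidate.allow.users "$2" | grep -qx "$1"
}

# Every listed user needs the preval SPN registered on the AD side, so emit
# the matching setspn command for each one for review before running it.
spn_commands() {  # $1 = conf file
    conf_values adclient.prevalidate.allow.users "$1" |
        while IFS= read -r u; do
            printf 'setspn -A preval/%s %s\n' "$u" "$u"
        done
}

echo "prevalidated users:";  conf_values adclient.prevalidate.allow.users  "$SAMPLE_CONF"
echo "prevalidated groups:"; conf_values adclient.prevalidate.allow.groups "$SAMPLE_CONF"
echo "SPN registrations required:"; spn_commands "$SAMPLE_CONF"
```

Point the functions at /etc/centrifydc/centrifydc.conf on a real system instead of the sample file; the script does not detect the Group Policy override described above, which must be checked on the AD side.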
Note 1: 
 
To ensure their validity, the credentials for prevalidated users and groups are periodically retrieved from Active Directory. The credentials are refreshed whenever the following is performed: 
 
- The computer is rebooted. 
- Centrify DirectControl agent is started or restarted. 
- adflush is run while connected to the network. 
- The user password is changed from the local system.
 
Note 2: 
 
When using prevalidation by group, make sure that the AD group is recognised by the Centrify agent. To check which group names are visible for a specific user, run the following command on the Centrify system:
 
  adquery user --groups ad_username
For further background reading on prevalidation in Centrify, please refer to the KB article:
