
KB-2505: How to set up prevalidation (pre-caching) of the AD cache.

Authentication Service

11 April,19 at 07:33 PM

Applies to: All versions of Centrify DirectControl.
How can an AD user's credentials be "pre-cached" so that a Centrify system can be set up and joined to the domain in the office, shipped to a user in a remote location, and give that user immediate offline login access without first having to connect to the network?
This can be achieved via the prevalidation feature.
=== Pre-requisite: Registering AD Users to the Preval Service === 
Any user who is going to be prevalidated will first need to be registered into the 'preval' service in Active Directory:
1. On a Windows AD server, open the command prompt and run: 
  setspn -A preval/[ad_username] [ad_username] 
For example, for the user 'john_doe' the command would be: 
 setspn -A preval/john_doe john_doe 
2. Repeat this for each user that is going to be prevalidated (this is required even if prevalidation by Group is going to be used). 
=== Configuring Centrify systems to allow prevalidation === 
There are two options for setting up prevalidation on Centrify systems. Note that these methods cannot be combined: if the Group Policy is enabled, it will overwrite any changes made to those parameters in centrifydc.conf.
- Option 1. Group Policy (to pre-validate a set of users on multiple machines) under: 
  / Computer Configuration / Centrify Settings / DirectControl Settings / Account Prevalidation / 
- Option 2. Directly editing the /etc/centrifydc/centrifydc.conf file and setting one or both of the following parameters (for specific users on specific machines): 
To edit the centrifydc.conf file directly:
1. On the Centrify system that the user is going to be prevalidated on, login as root and open up the /etc/centrifydc/centrifydc.conf file for editing. 
2. Search for the "adclient.prevalidate.allow.users" section and either uncomment the example parameters, or create a clean new line below and enter: 
  adclient.prevalidate.allow.users: ad_username
  adclient.prevalidate.allow.groups: ad_groupname
To prevalidate more than one user or group on that computer, enter the names as a comma-separated list. 
3. Save the centrifydc.conf file. Make sure the system is in Connected mode and run the commands: 
  sudo adreload 
  sudo adflush 
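The following is an added example, not part of the KB article or a Centrify tool: a small POSIX shell helper that reads the two prevalidation parameters out of a centrifydc.conf (ignoring the commented-out example lines mentioned in step 2, splitting comma-separated lists) and prints the Windows-side setspn registration the prerequisite section requires for every listed user. The user and group names in the sample config are constructed for this example; the "key: value" syntax is assumed to match the lines shown above.

```shell
#!/bin/sh
# Added example, not Centrify code. Parses adclient.prevalidate.allow.users /
# .groups from a centrifydc.conf and lists the setspn commands needed for
# each user (every prevalidated user needs preval/<user> registered, even
# when prevalidation by group is also used).

# Print the entries configured for one parameter, one per line, trimmed.
# Lines starting with '#' (the commented example parameters) are ignored,
# and a parameter that is not set prints nothing.
prevalidate_entries() {
    conf="$1"
    key="$2"
    sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$conf" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Emit the Windows-side registration command for each listed user.
setspn_commands() {
    prevalidate_entries "$1" adclient.prevalidate.allow.users \
        | while read -r user; do
            printf 'setspn -A preval/%s %s\n' "$user" "$user"
        done
}

# Constructed sample centrifydc.conf fragment (names are made up).
sample_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# adclient.prevalidate.allow.users: example_user
adclient.prevalidate.allow.users: john_doe, jane_doe
adclient.prevalidate.allow.groups: remote_staff
EOF
    echo "$tmp"
}

# Run with --demo to see the parsed lists and the required registrations.
if [ "${1:-}" = "--demo" ]; then
    conf=$(sample_conf)
    echo "Prevalidated users:";  prevalidate_entries "$conf" adclient.prevalidate.allow.users
    echo "Prevalidated groups:"; prevalidate_entries "$conf" adclient.prevalidate.allow.groups
    echo "Registrations needed on the AD server:"; setspn_commands "$conf"
    rm -f "$conf"
fi
```

Members of a prevalidated group still need their own setspn registration, which this script cannot enumerate offline; confirm group membership with adquery as described in Note 2.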
Note 1: 
To ensure their validity, the credentials for prevalidated users and groups are periodically retrieved from Active Directory. The credentials are refreshed whenever any of the following occurs: 
- The computer is rebooted. 
- Centrify DirectControl agent is started or restarted. 
- adflush is run while connected to the network. 
- The user password is changed from the local system.
Note 2: 
When using prevalidation by group, make sure that the AD group is recognised by the Centrify agent. To check which group names are visible for a specific user, run the following command on the Centrify system:
  adquery user --groups ad_username
For further background reading on prevalidation in Centrify, please refer to the KB article: