KB-3137: DirectControl agent fails to retrieve any group policy settings if the GP "Server SPN target name validation level" is enabled

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April 2016, 11:09 AM

Applies to: Centrify DirectControl version 5.1.0 or below on all platforms
 
Problem:
 
DirectControl fails to retrieve any group policies when the following group policy is enabled:
 
"Computer Configuration" -> 
  "Windows Settings"  ->
    "Security Settings" ->
      "Local Policies"  -> 
        "Security Options" ->
          "Microsoft network server: Server SPN target name validation level"
 

Cause:
 
When this group policy is enabled, Windows sets the registry value "SmbServerNameHardeningLevel" to 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters on the domain controller.
 
With this value set, the domain controller rejects a Kerberos-authenticated SMB session in which the client presented a service ticket for "host/<DC FQDN>" rather than "cifs/<DC FQDN>". Centrify DirectControl 5.1.0 and earlier requests "host/<DC FQDN>" service tickets when it connects to the domain controller over SMB to read group policy, so the SMB session is refused and no group policy settings are retrieved.
 
This can be verified with the following PowerShell command on the domain controller (findstr is case-sensitive by default, so /I is added because the value name may be written in either case):
 
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" | findstr /I smbservernamehardeninglevel
 
e.g.
 
PS C:\Users\administrator> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" | findstr /I smbservernamehardeninglevel
 
smbservernamehardeninglevel   : 1
 
If the command prints nothing, the value does not exist and the policy is not applied on that domain controller.

 
Workaround:
 
On each domain controller:
 
1) Start Registry Editor (regedit.exe).
 
2) Locate and click the following registry subkey:
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
 
3) On the Edit menu, point to New, click Multi-String Value, and name the new value "SrvAllowedServerNames" (type REG_MULTI_SZ). If the value already exists, skip this step.
 
4) Modify the Multi-String Value and add a line containing host/<Domain Controller's FQDN>, using the FQDN of the domain controller you are editing.
 
e.g: host/dc2.iltest.net
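The same change, scripted. This is an added example and not Centrify's or Microsoft's code: it reads SmbServerNameHardeningLevel, derives the domain controller's own host/<FQDN> name from DNS (an assumption: the script must be run on the DC itself and forward DNS for it must be correct), and appends that name to SrvAllowedServerNames without duplicating it, so it is safe to run more than once. Run it in an elevated PowerShell session on each domain controller.

```powershell
# Added example, not from the original article. Run elevated on the DC.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Read the SPN hardening level. A missing value or 0 means the policy
#    "Server SPN target name validation level" is not applied here.
$level = (Get-ItemProperty -Path $params -Name SmbServerNameHardeningLevel `
          -ErrorAction SilentlyContinue).SmbServerNameHardeningLevel
if (-not $level) {
    Write-Host 'SmbServerNameHardeningLevel is absent or 0: SPN validation is off, nothing to do.'
    return
}
Write-Host "SmbServerNameHardeningLevel = $level"

# 2. Build this DC's own host SPN from its DNS name (assumption: DNS is
#    correct for this host), e.g. host/dc2.iltest.net.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$spn  = "host/$fqdn"

# 3. Read the existing REG_MULTI_SZ allow list, if any, and add the SPN once.
$current  = Get-ItemProperty -Path $params -Name SrvAllowedServerNames -ErrorAction SilentlyContinue
$existing = @($current.SrvAllowedServerNames | Where-Object { $_ })

if ($existing -contains $spn) {
    Write-Host "$spn is already listed in SrvAllowedServerNames."
} else {
    $updated = $existing + $spn
    if ($current) {
        # Value exists: overwrite it with the extended list (type is preserved).
        Set-ItemProperty -Path $params -Name SrvAllowedServerNames -Value $updated
    } else {
        # Value does not exist yet: create it as a Multi-String Value.
        New-ItemProperty -Path $params -Name SrvAllowedServerNames `
            -PropertyType MultiString -Value $updated | Out-Null
    }
    Write-Host "Added $spn to SrvAllowedServerNames."
}

# 4. Show the resulting list for verification.
(Get-ItemProperty -Path $params -Name SrvAllowedServerNames).SrvAllowedServerNames
```

Only the domain controller's own host/ name is added, so the SPN check is still bound to that server's identity; do not add names of other hosts to this list, as that would widen what the validation accepts.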
 
Resolution:
 
This will be fixed in Centrify DirectControl 5.1.2
 
REF:
http://support.microsoft.com/default.aspx?scid=kb;en-US;2345886
 
Additional information:
 
The smbservernamehardeninglevel setting is an optional extended protection for authentication introduced by Microsoft in this non-security update for SMB servers (http://support.microsoft.com/default.aspx?scid=kb;en-US;2345886).
 
The value controls which SPN an SMB client may present when authenticating with Kerberos:
  • 0 (policy "Off"): the SMB client can use any valid ServicePrincipalName (SPN), i.e. any of those listed in the servicePrincipalName attribute of the server's AD computer object, such as host/<DC FQDN>.
  • 1 (policy "Accept if provided by client"): the SMB client can only use an allowable SMB SPN, e.g. cifs/<DC FQDN>, or a name listed in SrvAllowedServerNames; a session presenting any other SPN is denied.
  • 2 (policy "Required from client"): as for 1, and the client must also supply an SPN; a session that does not provide one is denied.
For details regarding extended protection for authentication implemented by Microsoft, please refer to the link below:
http://technet.microsoft.com/en-us/security/advisory/973811
