
KB-3162: Using an Active Directory selective (as opposed to domain-wide) 2-way trust for provisioning users

Centrify DirectControl

12 April,16 at 11:09 AM

Applies to: All versions of Centrify Zone Provisioning Agent
 
Question: 
 
Can an Active Directory selective (as opposed to domain-wide) 2-way trust be used for provisioning users?

 
Answer: 
 
Provisioning with a two-way selective trust is possible.
 
First, grant the service account the "Allow to authenticate" permission on the domain controller in the User Domain.
 
Second, grant the service account the "Logon as service" right in the User Domain.
 
If "Authenticated Users" has already been granted read permission on the objects in the User Domain, the following steps can be skipped. Otherwise, grant the service account the following rights in the User Domain:
 
Under the container of the user objects:
 
Click the Properties tab and select Allow, applied to this object only, for the following properties:
  • Read objectCategory
  • Read objectClass
  • Read objectGUID
  • Read objectSid
  • Read userAccountControl

Under the container of the group objects:
 
Click the Properties tab and select Allow, applied to this object only, for the following properties:
  • Read groupType
  • Read objectCategory
  • Read objectClass
  • Read objectGUID
  • Read objectSid

Please refer to p.256 of the following guide for more details: 
http://www.centrify.com/downloads/products/documentation/suite2013/centrify-unix-evalguide.pdf 
 
If fine-grained permissions are not needed, grant the service account read permission on the users and groups container/OU in the User Domain instead.
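The steps above can be applied with the ActiveDirectory PowerShell module. The script below is an added example, not code from the Centrify KB or from the ZPA product: it grants the "Allowed to Authenticate" extended right on the user-domain DC's computer object and the per-attribute Read ACEs ("this object only") on the users and groups containers. The account name, DC host name and container DNs are placeholders to replace; the "Logon as service" user right is assigned through security policy rather than an AD ACL, so it is not covered here.

```powershell
# Added example (not from the Centrify KB): apply the User Domain rights for a
# ZPA service account. All names below are placeholders.
Import-Module ActiveDirectory

$svcAccount   = 'MACHDOM\svc-zpa'                   # service account in the machine domain (placeholder)
$userDomainDC = 'dc01.userdom.example'              # a DC in the user domain (placeholder)
$usersDN      = 'OU=People,DC=userdom,DC=example'   # container of user objects (placeholder)
$groupsDN     = 'OU=Groups,DC=userdom,DC=example'   # container of group objects (placeholder)

# Bind a provider drive to the user domain so Get-Acl/Set-Acl target that domain.
New-PSDrive -Name UserDom -PSProvider ActiveDirectory -Server $userDomainDC -Root '' | Out-Null

$rootDse  = Get-ADRootDSE -Server $userDomainDC
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$sid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
          [System.Security.Principal.SecurityIdentifier])

# schemaIDGUID of an attribute, so an ACE covers that one property, not the whole object.
function Get-AttributeGuid([string]$ldapName) {
    $attr = Get-ADObject -Server $userDomainDC -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    if (-not $attr) { throw "attribute '$ldapName' not found in schema" }
    return [guid]$attr.schemaIDGUID
}

# rightsGuid of a control-access right, looked up by display name rather than hard-coded.
function Get-ExtendedRightGuid([string]$displayName) {
    $right = Get-ADObject -Server $userDomainDC -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    if (-not $right) { throw "extended right '$displayName' not found" }
    return [guid]$right.rightsGuid
}

# One Allow / ReadProperty ACE per attribute, scoped to this object only (no inheritance).
function Grant-ReadProperty([string]$dn, [string[]]$attributes) {
    $acl = Get-Acl -Path "UserDom:\$dn"
    foreach ($name in $attributes) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-AttributeGuid $name),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "UserDom:\$dn" -AclObject $acl
}

# "Allowed to Authenticate" on the DC's computer object, which selective authentication requires.
function Grant-AllowedToAuthenticate([string]$dcHostName) {
    $dcDN = (Get-ADComputer -Server $userDomainDC -Identity $dcHostName).DistinguishedName
    $acl  = Get-Acl -Path "UserDom:\$dcDN"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-ExtendedRightGuid 'Allowed to Authenticate'),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "UserDom:\$dcDN" -AclObject $acl
}

# Read back the ACEs the service account now holds on an object, for verification.
function Show-ServiceAccountAces([string]$dn) {
    (Get-Acl -Path "UserDom:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $svcAccount } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
}

Grant-AllowedToAuthenticate 'dc01'
Grant-ReadProperty $usersDN  @('objectCategory', 'objectClass', 'objectGUID', 'objectSid', 'userAccountControl')
Grant-ReadProperty $groupsDN @('groupType', 'objectCategory', 'objectClass', 'objectGUID', 'objectSid')
Show-ServiceAccountAces $usersDN
Show-ServiceAccountAces $groupsDN
```

Running it with an account that can edit those ACLs leaves the service account with exactly the attribute-level Read entries the KB lists, and the final two calls show what was written so the result can be checked against the list above. Looking up the attribute and extended-right GUIDs from the schema and configuration partitions, rather than pasting them in, keeps the ACEs correct on any forest.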
 
Please Note:
This applies to ZPA only, and it is a restricted authentication.
 
For adclient this will still be an issue: it knows it is a 2-way trust, but adclient using machine credentials cannot connect to a DC in the user domain to read any groups.
It is effectively a 1-way trust: adclient will not be able to resolve any user-domain groups, so all DZ role assignments must be made to domain local groups (DLG) in the machine domain.
