Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3317: Troubleshooting steps for when the ZPA isn't working properly

Authentication Service ,   Mac & PC Management Service ,  

10 August,18 at 02:33 PM

Question:
 
The Zone Provisioning Agent may sometimes give unexpected results, such as users/groups not being added to the Zone.

What can be done to troubleshoot such issues?

 
Answer:
  1. The ZPA monitored container is set to the entire domain by default. However, if a specific container is defined for Zone Provisioning Agent instead; make sure it is set to the container ABOVE the Zone to be auto-provisioning and nothing else (i.e. It should not be an AD group). See the screenshot below for the steps on how to do so:
     
    User-added image
     
     
  2. If nothing appears in "Groups" even after enabling auto-provisioning for group profiles, make sure the source group is set to the AD group that contains the list for group profiles.
     
    E.g. AD group "CheeseBurger" is a member of AD group "Burgers". To have "CheeseBurger" in the group list of the auto-provisioned Zone, put "Burgers" as the source group as seen from the screenshot below:
     
    User-added image
     
     
  3. If an Active Directory group for "Primary group" is defined under "Enable auto-provisioning for user profiles", make sure that the group is included in the "Groups" list for that Zone (Take a look at the screenshot below for more information).
     
    If the group does not appear in the list, add the target group manually by right-clicking "Groups" after disabling auto-provisioning on that Zone. Re-enable auto-provisioning after adding the group.
     
    User-added image
     
     
  4. If you cannot add a user and the console keeps telling you that a user name with that UNIX name already exists, make sure there are no orphaned UNIX objects in the zone:
     
     
     
  5. If the user’s Unix login name automatically truncates itself to 8 characters:
     
    This was a known issue with older versions of Centrify
     
     
  6. If you keep getting the error message “Server is NOT operational”:
     
     
     
  7. If ZPA stopped provisioning user with error “The group’s SID couldn’t be resolved”:
     
    Make sure there are no users/groups with unresolvable SIDs
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS article[HOWTO] Setup the Zone Provisioning Agent articleConfiguring RADIUS MFA to work for DUO, RSA SecurID, SecureAuth or others. articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleCentrify's Privileged Identity Management Solution for Big Data articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleTesting and Troubleshooting Centrify's DB2 plugin articleKB-3925: How to add Centrify parameter to a group policy