Centrify DirectControl 5.x and below on All OS platforms

Question:

After upgrading the domain functional level from Win2003 to Win2008R2, AD users are not able to log in.
' command returns that the agent is Connected and talking to AD.
If the AD user's first login fails and they try again, the second login may succeed.
Why does this happen?

Answer:
When upgrading the domain functional level from Win2003 to Win2008R2, two critical changes are made in AD:
- By default, Win2008R2 no longer supports DES encryption and uses AES instead. Therefore all DES tickets will fail.
- It also changes the KRBTGT password hash, so tickets that were issued before the upgrade will no longer be valid.
- When upgrading the domain functional level to Win2012, the changeover is less disruptive with regard to compatibility, and Centrify has adapted to the changes in CDC 5.2.3 and up (Suite 2015.1 onwards).
- When upgrading from 2003 to 2008 or later, a restart of the Centrify agent is needed to get a new KRBTGT ticket (a restart is not needed when upgrading from 2008 to a later version):
  /usr/share/centrifydc/bin/centrifydc restart
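The two failure causes above (DES-encrypted tickets and tickets issued before the KRBTGT change) can both be spotted in the agent's Kerberos credential cache before users start reporting failed logins. The script below is an added example, not Centrify's code or part of the original article: it scans a credential-cache listing in the format of MIT Kerberos `klist -e` output (the listing is constructed inline for the example, not captured from a real host), reports service principals that use single-DES encryption types or that were issued before a given cutoff time (the time of the functional-level raise), and tells the operator whether the agent restart from the answer is needed.

```shell
#!/bin/sh
# Added example (not Centrify's code). Scans a `klist -e` style listing for
# tickets that will fail after a 2003 -> 2008R2 functional-level raise:
#   1. tickets encrypted with single DES (no longer supported by default), and
#   2. tickets issued before the KRBTGT password changed (cutoff time).
# The listing below is CONSTRUCTED for this example; the hostnames, realm
# and timestamps are placeholders, not values from a real environment.

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/unix01.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
05/01/2015 08:00:00  05/01/2015 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): des-cbc-md5, des-cbc-md5
05/02/2015 09:15:00  05/02/2015 19:15:00  ldap/dc01.example.com@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Print the service principal of every ticket whose Etype line shows single DES.
# $1 = klist listing text
des_tickets() {
    printf '%s\n' "$1" | awk '
        # A ticket line starts with a MM/DD/YYYY date; field 5 is the principal.
        $1 ~ /^[0-9][0-9]\// { svc = $5; next }
        # The Etype line that follows names the session and ticket enctypes.
        /Etype/ {
            if ($0 ~ /des-cbc-/) print svc
            svc = ""
        }
    '
}

# Print the service principal of every ticket issued before the cutoff.
# $1 = klist listing text, $2 = cutoff as "MM/DD/YYYY HH:MM:SS"
pre_cutoff_tickets() {
    printf '%s\n' "$1" | awk -v cutoff="$2" '
        # Turn "MM/DD/YYYY" + "HH:MM:SS" into a sortable YYYYMMDDHHMMSS string.
        function key(d, t) {
            gsub(":", "", t)
            return substr(d, 7, 4) substr(d, 1, 2) substr(d, 4, 2) t
        }
        BEGIN { split(cutoff, c, " "); ck = key(c[1], c[2]) }
        $1 ~ /^[0-9][0-9]\// && key($1, $2) < ck { print $5 }
    '
}

# Exit status 0 when any DES or pre-cutoff ticket is present, i.e. the agent
# must be restarted to obtain fresh tickets from the updated KRBTGT.
# $1 = klist listing text, $2 = cutoff "MM/DD/YYYY HH:MM:SS"
needs_agent_restart() {
    [ -n "$(des_tickets "$1")" ] || [ -n "$(pre_cutoff_tickets "$1" "$2")" ]
}

# Usage with the constructed listing; the functional level was raised on 05/02/2015.
if needs_agent_restart "$SAMPLE_KLIST" "05/02/2015 00:00:00"; then
    echo "DES or pre-upgrade tickets found:"
    des_tickets "$SAMPLE_KLIST"
    pre_cutoff_tickets "$SAMPLE_KLIST" "05/02/2015 00:00:00"
    echo "Restart the agent: /usr/share/centrifydc/bin/centrifydc restart"
fi
```

On a live host the listing would come from `klist -e` run against the agent's credential cache instead of the embedded sample; the script only reports, it does not restart anything, so the operator decides when to run the restart command from the answer.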