KB-3936: Unable to login after upgrading domain functional level from Win 2003 to Win 2008 R2

Authentication Service, Mac & PC Management Service

8 May,19 at 03:42 PM

Applies to: Centrify DirectControl 5.x and below on All OS platforms


After upgrading the domain functional level from Win2003 to Win2008R2, AD users are not able to log in.
The 'adinfo' command reports that the agent is Connected and talking to AD.
If an AD user's first login attempt fails and the user tries a second time, the login may succeed.

Why does this happen?


When upgrading the domain functional level from Win2003 to Win2008R2 there are two critical changes made in AD:
  1. By default, Win2008R2 no longer supports DES encryption and instead uses AES. Therefore all DES tickets will fail.
  2. It also changes the KRBTGT password hash, so tickets that were issued before the upgrade will no longer be valid.

  • When upgrading domain functional level to Win2012, the changeover is less traumatic with regard to compatibility and Centrify has adapted to the changes in CDC 5.2.3 and up (Suite 2015.1 onwards).
  • When upgrading from 2003 to 2008 or later, a restart of the Centrify agent is needed to get a new KRBTGT (a restart is not needed if upgrading from 2008 to a later version):
    • /usr/share/centrifydc/bin/centrifydc restart
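
One way to spot the DES tickets described in the first cause above is to scan a ticket listing for single-DES encryption types. This is an added example, not Centrify's code: it assumes the listing is in MIT Kerberos `klist -e` format, the function names are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not Centrify code): list tickets in `klist -e` output that
# use single-DES encryption types, which the article says fail after the upgrade.
# Assumption: input follows the MIT Kerberos `klist -e` layout, where each
# ticket line is followed by an "Etype (skey, tkt): a, b" line.

# find_des_tickets (hypothetical name): reads klist -e text on stdin and prints
# "<service principal><TAB><enctypes>" for every ticket whose session key or
# ticket enctype is single DES (des-cbc-crc, des-cbc-md5, des-cbc-md4).
find_des_tickets() {
    awk '
        # Ticket lines start with a date; the service principal is the last field.
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9]/ { principal = $NF; next }
        /Etype \(skey, tkt\):/ {
            line = $0
            sub(/^.*Etype \(skey, tkt\):[ \t]*/, "", line)
            # Matches des-cbc-* (also when prefixed "DEPRECATED:"),
            # but not des3-* or aes*.
            if (line ~ /(^|[ ,:])des-cbc-/) print principal "\t" line
        }
    '
}

# Constructed sample listing: one AES ticket, one DES ticket, one 3DES/AES ticket.
sample_klist_output() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
05/08/19 15:42:00  05/09/19 01:42:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
05/08/19 15:43:10  05/09/19 01:42:00  host/web01.example.com@EXAMPLE.COM
    Etype (skey, tkt): des-cbc-crc, des-cbc-md5
05/08/19 15:44:02  05/09/19 01:42:00  nfs/files.example.com@EXAMPLE.COM
    Etype (skey, tkt): des3-cbc-sha1, aes128-cts-hmac-sha1-96
EOF
}

# Demo on the constructed sample; only the host/web01 ticket is reported.
sample_klist_output | find_des_tickets
```

On a live host, pipe the output of `klist -e` into `find_des_tickets` instead of the sample.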