KB-3936: Unable to login after upgrading domain functional level from Win 2003 to Win 2008 R2

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:45 AM

Applies to: Centrify DirectControl 5.x and below on All OS platforms

Question:

After upgrading the domain functional level from Win2003 to Win2008R2, AD users are not able to log in.
The 'adinfo' command reports that the agent is Connected and talking to AD.
If an AD user's first login fails and the user tries a second time, the login may succeed.

Why does this happen?
 

Answer:

When upgrading the domain functional level from Win2003 to Win2008R2 there are two critical changes made in AD:
  1. By default, Win2008R2 no longer supports DES encryption and instead uses AES. Therefore all DES tickets will fail.
  2. It also changes the KRBTGT password hash, so tickets that were issued before the upgrade will no longer be valid.

Notes:
  • When upgrading domain functional level to Win2012, the changeover is less traumatic with regard to compatibility and Centrify has adapted to the changes in CDC 5.2.3 and up (Suite 2015.1 onwards).
  • A restart of the Centrify agent is needed to get a new KRBTGT:
    • /usr/share/centrifydc/bin/centrifydc restart
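
To confirm that DES tickets are what a host is still holding, the credential cache can be checked for DES encryption types. The script below is an added example, not Centrify tooling: it assumes a `klist` that prints the MIT Kerberos `klist -e` format, the function names `find_des_tickets` and `sample_klist_output` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Report Kerberos tickets whose session key or ticket uses a DES enctype.
# Input: text in the format printed by MIT Kerberos `klist -e`, on stdin.
# Output: one line per DES ticket: "<service principal> <skey etype> <tkt etype>".

find_des_tickets() {
    awk '
        # A ticket line starts with a date and ends with the service principal.
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9]+ / { service = $NF; next }
        # The Etype line follows its ticket line (alone or after "renew until").
        /Etype \(skey, tkt\):/ {
            etypes = $0
            sub(/.*Etype \(skey, tkt\): */, "", etypes)
            n = split(etypes, e, /, */)
            skey = e[1]; tkt = (n > 1 ? e[2] : e[1])
            # Single DES only (des-cbc-crc, des-cbc-md5, ...); des3-* is not matched.
            if (skey ~ /^des-/ || tkt ~ /^des-/)
                print service, skey, tkt
        }
    '
}

# Constructed sample (not from a real host): one DES TGT and one AES service ticket.
sample_klist_output() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
04/12/2016 09:00:00  04/12/2016 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 04/19/2016 09:00:00, Etype (skey, tkt): des-cbc-md5, des-cbc-md5
04/12/2016 09:05:00  04/12/2016 19:00:00  host/web01.example.com@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
EOF
}

# Live use on a host: klist -e | find_des_tickets
sample_klist_output | find_des_tickets
```

An empty result means no single-DES tickets are cached; any line printed names a ticket that a Win2008R2-level domain will reject by default.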
