Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4181 After upgrade to 5.1.2 if a .k5login exists, SSO is not possible with Centrify's OpenSSH

Centrify DirectControl ,  

12 April,16 at 11:07 AM

Problem:
After upgrading Centrify DirectControl from 5.1.1 or 5.0.x  to 5.1.2, if a .k5login exists in the AD user's home directory, SSO (Kerberos) is not possible with Centrify's OpenSSH. Is there any reason for this?

Cause:
This is by design to prevent a security hole. 
From windows the ticket is from samaccountname (which is not necessarily all lower case) if this does not match the ticket presented (case sensitivity), it is rejected. This is normal behavior for MIT Kerberos.

When we create user home directory, we create .k5login as part of the process. Now, if user had .k5login there, and it is not correct, the upgrade will expose the issue.

In CDC 5.1.2, we  fixed openssh to honor .k5login (first) if present.

Resolution:
Delete or rename existing .k5login file. The contents should have the upn (user principal name) of the AD user account. This should fix SSO/Kerberos for that account.

Addendum:
10/9/2014


Centrify DirectControl does added one more check:

A) We try to locate the Unix profile of the AD user (zone enabled) of the presented credential (UPN).
If the found profile shows the same unix user name matching the login account, then it is allowed. 
This is by and larger for convenience of customer that has mixed case samaccountname. 

B) The precedence is that if .k5login is present, it wins (this is the part that we fixed). Centrify Direct Control hook is not invoked at all. 
Otherwise, CDC hook gets its say after all other Kerberos checks have failed. 

Note:
CDC used to take precedence over .k5login. This causes issues and so, it is fixed so that now .k5login takes precedence.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.