Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-43801: LogOnHours is Incorrectly Determined During Daylight Savings Time

Privileged Access Service ,  

10 November,20 at 11:13 PM

Problem:
  
When LogOnHours hours is set with Daylight Savings Time (DST) enabled, the LogOn hours calculation can go out of sync between DC and Connector.

Cause:
  
The connector does the calculation based on UTC (Universal Time Coordinate) time. But ADUC (Active Directory Users and Computers) sets the value of LogOnHours differently when Daylight Savings Time is ON and OFF.  This can make AD logon hour checking and connector logon hour checking go out of sync.

Resolution:
  
This resolution is applicable to the connector version 20.4 and later.
If the LogOnHour is set while DST ON there are two options to correct the time difference:
 
Option 1: Create and set the following DWORD registry key:
  
HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\CloudLogOnHour.DSTOffset 
  
User-added image
  
The connector will take the offset value and make the adjustment while calculating LogOnHour.

 

Option 2: Create and set the following DWORD registry key:
  
HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\LogOnHour.CheckWithDCEnabled
  
User-added image
  
  
With this setting, instead of calculating LogOn hours locally,  the connector will make an inert logon call, with an incorrect password, to AD and check the error code for invalid logon hour.   In this case, the Domain Controller, not the connector, is determining if the login is within the allotted time.  The downside of this setting is that the login call with an incorrect password will be counted against the number of failed login attempts.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-0419: How does Centrify handle daylight savings time? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III articleCentrify 17.10 Release Notes articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD?