KB-44113: Logging in to a Centrify Client Machine When the Tenant is Unreachable

Privileged Access Service

4 December,20 at 05:05 PM

Question: In the event that a Centrify tenant is unreachable or during an internet/WAN outage, what does Centrify recommend to keep a Centrify Client (CClient) available for login?

Answer: If a tenant is unreachable, the Centrify Client for Windows can still be accessed using the offline OTP. To generate the offline OTP, users must have "Offline Rescue" permissions on the system. The OTP protects all system logins, even for local accounts. For local accounts, this can be turned off with a registry setting.

On Linux (Centrify Client for Linux) there is no OTP; users just have to be in the local system cache. For Linux machines, if the tenant goes offline, the root account has to disable MFA, and then users in the cache can log in with a password only. When the tenant is back online, root has to re-enable MFA. The command to disable MFA is the following:

# cedit -s pam.mfa.disabled:true

Then restart the CClient (# service cagent restart).

