Applies to: All versions of Centrify Zone Provisioning Agent

Problem:
ZPA fails to provision users with the error "The user name or password is incorrect" or "server not operational".
This happens on a Windows Server 2012 machine in a domain with Domain Functional Level 2012.
The ZPA service account has been delegated zone authority and has been granted the "Log on as a service" right on the server.
Snippet of the error:

[2014-07-09 03:00:18.946 +0000] Centrify.Provisioning.Agent.exe[1100,6] Error: DomainPoller.Poll: Failed to update zone support.centrify.local/Centrify/Zones/Test01 : System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.

DNS issues were ruled out by pinging qa.centrify.local and the domain controllers in the root forest.

Cause:
The log clearly shows that the server cannot be reached when ZPA tries to bind to RootDSE.
After providing a debug build of ZPA and collecting other logs, it was observed that ADSIEdit/ADUC also had trouble using the ZPA service account from the child domain (support.centrify.local) to talk to the RootDSE of the parent domain. The account simply cannot bind to RootDSE.
The Domain Admin of the root domain has blocked access for any user in the child domain. There are only two choices: either have the Domain Admin of the root domain grant the permission, or use delegation.
When delegation is performed, the following error appears:

"Failed to get the DC DNS name for the domain centrify.local"

Workaround:
The workaround is to redirect parent domain access to a domain controller of the child domain.
On the machine where ZPA is installed, edit the Windows hosts file and add the following entry:

ip-address parent-domain-name

Where ip-address is the address of a domain controller for the child domain that the ZPA machine is joined to.
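The following PowerShell script is an added example (not Centrify's code) that applies the hosts-file redirect described above and then verifies it the way the failing log line suggests: by resolving the parent domain name and attempting a RootDSE bind. It assumes the parent domain is centrify.local and uses 10.0.0.5 as a placeholder for the child-domain DC address; run it elevated on the ZPA host, and run the verification step while logged on as the ZPA service account, since that is the identity whose bind is failing.

```powershell
# Added example, not part of the Centrify KB. Placeholders: parent domain 'centrify.local',
# child-domain DC address '10.0.0.5'. Run from an elevated prompt on the ZPA machine.
param(
    [string]$ParentDomain = 'centrify.local',   # parent domain named in the ZPA error
    [string]$ChildDcIp    = '10.0.0.5'          # placeholder: a DC of the child domain the ZPA host is joined to
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entry     = "$ChildDcIp`t$ParentDomain"

# 1. Record how the parent domain name resolves before any change (Resolve-DnsName honours the hosts file).
$before = Resolve-DnsName -Name $ParentDomain -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
Write-Host "Current resolution of ${ParentDomain}: $($before -join ', ')"

# 2. Add the override only if no active (uncommented) hosts line for the parent domain exists yet.
$pattern  = "\s$([regex]::Escape($ParentDomain))\s*$"
$existing = Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
if (-not $existing) {
    # Keep a timestamped backup so the change can be reverted; it affects every program on this host.
    Copy-Item $hostsPath "$hostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Add-Content -Path $hostsPath -Value $entry
    Write-Host "Added '$entry' to $hostsPath"
} else {
    Write-Host "hosts already contains: $existing"
}
Clear-DnsClientCache

# 3. Verify: the parent name must now resolve to the child DC ...
$after = Resolve-DnsName -Name $ParentDomain |
         Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
if ($after -notcontains $ChildDcIp) {
    throw "$ParentDomain still resolves to '$($after -join ', ')', not $ChildDcIp"
}

# ... and the RootDSE bind that ZPA performs must succeed under the current account.
try {
    $rootDse = [adsi]"LDAP://$ParentDomain/RootDSE"
    # Touching a property forces the actual bind; defaultNamingContext will be the child domain's DN.
    Write-Host "RootDSE bind OK. defaultNamingContext = $($rootDse.defaultNamingContext)"
} catch {
    Write-Warning "RootDSE bind to $ParentDomain still fails: $($_.Exception.Message)"
}
```

Because the override is global to the host, keep the backup the script writes and re-run step 3 after every DC address change in the child domain; a stale hosts entry pointing at a decommissioned DC reproduces the same "server is not operational" symptom.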
Reason for this workaround:
1) Contacting the parent domain is a requirement for the product to work. The workaround works because everything the product needs from the parent domain's RootDSE can also be obtained from the child domain's RootDSE.
2) Since all parent domain traffic is being redirected to the child domain, this workaround may cause issues for other software on the same machine that needs to contact the parent domain.
3) Customers should thoroughly test it in their sandbox environment first.
Centrify will fix this issue in a future release as this is not a trivial fix. This fix is on Access Manager and ZPA.