KB-5205: Device enrollment fails even when using a service account with full permissions to run the Cloud Connector

Tips for finding Knowledge Articles

- Enter just a few key words related to your question or problem
- Add Key words to refine your search as necessary
- Do not use punctuation
- Search is not case sensitive
- Avoid non-descriptive filler words like "how", "the", "what", etc.
- If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
- Minimum supported Internet Explorer version is IE9

Home >

KB-5205: Device enrollment fails even when using a service account with full permissions to run the Cloud Connector

Product:

App Access Service ,

Published:

12 April,16 at 11:14 AM

Rating:

Applies to: Centrify for Mobile

Problem:

When using a Service Account that has been granted full permissions to the OU specified for enrollment, device enrollment fails with the the following error found in the Cloud Connector log:

CreateMachineForDevice Exception: System.UnauthorizedAccessException: Access is denied.

Cause:

This error is presented due to a lack of permissions for the Service Account to the OU. When a service account is specified to run the Cloud Connector service, the account is not automatically configured for proxy permissions on the OU.

Resolution:

In order to grant the missing permissions for the account to the OU, the following steps will need to be taken:

Open up ADSI Edit:
- Start > All Programs > Administrative Tools > ADSI
Navigate to the OU in question, right-click on the OU and choose "Properties"
Navigate to > "Security" > "Advanced"
Under the "Permissions" tab navigate to the Service Account and click "Edit..."
In the "Apply to:" drop-down box, choose "This object and all descendant objects"
Click "OK" and then "Apply" on the Advanced Security Settings window.