Centrify DirectAuthorize for Windows, version 3.4.x and lower

Problem:
A Windows agent running DirectAuthorize for Windows (DZWin) immediately enters rescue mode after joining the zone, even though its connection is online.
The following may be observed in the Windows Agent log:
[2016-02-08 17:35:29.787 -0600] dzagent.exe[2100,5] Error: MemoryRoleProvider.GetAccessTokenInfo: Unable to initialize a WindowsIdentity for upn firstname.lastname@example.org. System.Security.SecurityException: Logon failure: the user has not been granted the requested logon type at this computer.
Launch a Command Prompt to verify:
When a Windows agent is joined to a domain whose Group Policy security controls are stricter than the default, the agent may be unable to download the Centrify zone data. It then appears to be in a disconnected or rescue mode state even though its connection to Active Directory is fine.

Workaround:
Grant an exception to the strict GPO policy, as described below, so that the computer can access the Centrify zone information.
1) Create an AD group that will be used to gather all DZWin computers (e.g. Centrify_Computers).
2) Either use an existing GPO or create a new one linked to the Centrify OU, so that it overrides the policy inherited from the parent OU.
3) Edit this GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
a) Locate the "Access this computer from the network" setting.
Add the following principals to this setting:
- The computer account itself - so the agent can download zone information and apply it to its local machine.
Note: Instead of listing the computers directly in the GPO, you may use the AD group from step 1 with the computers as its members.
- The logon user accounts - so users can invoke their roles to open privileged desktops and applications.
- The "runas" target user accounts from any application and desktop rights - otherwise, users cannot use the roles that contain those rights.
b) Locate the "Deny access to this computer from the network" setting.
- By default, this setting contains only Guest. Make sure it does not block the AD users/admins or the computer account.
Taken together, these two policies ("Access this computer from the network" and "Deny access to this computer from the network") must leave the computer account with access; an entry in the deny policy overrides an allow entry.
4) Save the changes and wait for Active Directory replication. Then run "gpupdate" or reboot the computer; the DZWin agent should now be able to connect and work properly.

Resolution:
This will be addressed in an upcoming release of Centrify Server Suite.
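To confirm on an agent that the workaround above took effect after step 4, the following PowerShell script (an added example, not part of this article or of Centrify's software) exports the effective User Rights Assignment with secedit and reports who holds "Access this computer from the network" (SeNetworkLogonRight) and "Deny access to this computer from the network" (SeDenyNetworkLogonRight). It assumes a domain-joined machine whose computer account resolves as DOMAIN\HOSTNAME$, and an elevated prompt.

```powershell
# Added verification example; not from the Centrify KB article.
# Run in an elevated PowerShell prompt on the DZWin agent after gpupdate.

function Get-NetworkLogonRights {
    $inf = Join-Path $env:TEMP 'user_rights_export.inf'
    # secedit exports the effective (GPO-applied) policy; USER_RIGHTS limits it to privileges.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        # Lines look like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-Sid([string]$Sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # leave SIDs that cannot be resolved (e.g. foreign domain) raw
}

$rights = Get-NetworkLogonRights
$allow  = @($rights['SeNetworkLogonRight'])     | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_ }
$deny   = @($rights['SeDenyNetworkLogonRight']) | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_ }
$selfName = "*\$env:COMPUTERNAME`$"   # DOMAIN\HOSTNAME$ form of this computer's account (assumption)

"Allowed network logon: $($allow -join ', ')"
"Denied network logon:  $($deny  -join ', ')"

if ($allow -like $selfName) {
    "OK: the computer account is listed directly in 'Access this computer from the network'."
} else {
    "CHECK: the computer account is not listed directly; confirm it is a member of one of the allowed groups above (e.g. the group from step 1)."
}
if ($deny -like $selfName) {
    "PROBLEM: the computer account is in 'Deny access to this computer from the network'; deny overrides allow."
}
```

Group membership is not expanded by the script, so when the computer account is granted access through a group, confirm that membership in Active Directory separately.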