
KB-6306: DirectAuthorize for Windows enters rescue mode

Centrify DirectControl

25 August 2016 at 09:43 PM

Applies to: Centrify DirectAuthorize for Windows on 3.4.x version and lower

Problem:
A Windows agent running DirectAuthorize for Windows (DZWin) immediately enters rescue mode after joining the zone, even though its connection to Active Directory is online.

The following may be observed in the Windows Agent log:

[2016-02-08 17:35:29.787 -0600] dzagent.exe[2100,5] Error: MemoryRoleProvider.GetAccessTokenInfo: Unable to initialize a WindowsIdentity for upn computer$@domain.com. System.Security.SecurityException: Logon failure: the user has not been granted the requested logon type at this computer.

Launch a Command Prompt and run the following to verify the agent state:
C:> dzinfo
C:> dzdiag

Cause:
When a Windows agent is joined to a domain whose Group Policy security controls are stricter than the default, the agent may be unable to download the Centrify zone data. The result looks like a disconnected or rescue mode state even though the connection to Active Directory itself is fine.

Workaround:
Grant an exception to the strict GPO policy as described below so that the computer can access Centrify zone information.

1)  Create an AD group that will be used to gather all DZWin computers (ex: Centrify_Computers)

2)  Either use an existing GPO or create a new one in the Centrify OU to override the one coming from the parent OU.

3)  Edit this GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

a) Locate the "Access this computer from the network" setting

Add the following principals to this setting:
  • The computer account itself, so the agent can download zone information and apply it to its local machine.
Note: Instead of listing the computers directly in the GPO, you may use the AD group from step 1 populated with the computers as members.
  • The logon user accounts, so users can invoke their roles to open privileged desktops and applications.
  • The "runas" target user accounts from any application and desktop rights; otherwise, users cannot use the role that contains the right.
 

b) Locate the "Deny access to this computer from the network" setting
  • By default, this setting contains only Guest. Make sure it does not block the AD users/admins or the computer account.

Taken together, these two policies ("Access this computer from the network" and "Deny access to this computer from the network") must leave the computer account able to log on from the network; a deny entry always overrides an allow entry.
 
 
4)  Save the changes and wait for Active Directory replication. Then run "gpupdate" or reboot the computer; DZWin should now be able to connect and work properly.
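To confirm on the agent host that the combined allow/deny policies from steps 3a and 3b actually leave the computer account (or its group) with network logon access, the following PowerShell script is an added example; it is not part of this article and not a Centrify tool. It exports the effective local security policy with secedit and reports who is granted and denied "Access this computer from the network". The group name Centrify_Computers is the hypothetical group from step 1; pass -ExpectedPrincipals to check the accounts relevant to your environment.

```powershell
# Added verification script (not Centrify's own tooling): export the effective
# local security policy with secedit and report which principals are granted /
# denied "Access this computer from the network" after GPO processing.
# Run in an elevated PowerShell on the DZWin host, after gpupdate has completed.
param(
    [string[]]$ExpectedPrincipals = @(
        ('{0}\{1}$' -f $env:USERDOMAIN, $env:COMPUTERNAME),   # the computer account itself
        ('{0}\Centrify_Computers' -f $env:USERDOMAIN)         # hypothetical group from step 1
    )
)

$infPath = Join-Path $env:TEMP 'user_rights_export.inf'
# secedit exports the policy as a Unicode .inf; USER_RIGHTS limits it to privileges.
& secedit.exe /export /cfg $infPath /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $infPath)) {
    throw 'secedit export failed; run this script from an elevated prompt.'
}

function Resolve-Principal {
    param([string]$Token)
    # secedit writes SIDs with a leading '*'; translate them to DOMAIN\name.
    if ($Token.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Token   # unresolvable SID, e.g. a deleted account
        }
    }
    return $Token
}

function Get-RightPrincipals {
    param([string]$RightName)
    # Lines look like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-32-545
    $line = Get-Content $infPath |
        Where-Object { $_ -match "^\s*$RightName\s*=" } |
        Select-Object -First 1
    if (-not $line) { return @() }   # right not defined in the policy at all
    $value = ($line -split '=', 2)[1].Trim()
    if (-not $value) { return @() }
    return @($value -split ',' | ForEach-Object { Resolve-Principal $_.Trim() })
}

$allowed = Get-RightPrincipals 'SeNetworkLogonRight'       # "Access this computer from the network"
$denied  = Get-RightPrincipals 'SeDenyNetworkLogonRight'   # "Deny access to this computer from the network"

Write-Host 'Allowed (SeNetworkLogonRight):'
$allowed | ForEach-Object { Write-Host "  $_" }
Write-Host 'Denied  (SeDenyNetworkLogonRight):'
$denied  | ForEach-Object { Write-Host "  $_" }
Write-Host ''

# "Authenticated Users" and "Everyone" already include domain computer accounts,
# so an explicit computer or group entry is only needed when they are absent.
$broadGrant = @($allowed | Where-Object { $_ -match 'Authenticated Users$|Everyone$' })

foreach ($p in $ExpectedPrincipals) {
    $isAllowed = ($allowed -contains $p) -or ($broadGrant.Count -gt 0)
    $isDenied  = $denied -contains $p
    # A deny entry always wins over an allow entry, so check the deny list first.
    if ($isDenied)        { $status = 'BLOCKED (listed in deny policy)' }
    elseif ($isAllowed)   { $status = 'OK' }
    else                  { $status = 'NOT GRANTED' }
    Write-Host ('{0,-45} {1}' -f $p, $status)
}

Remove-Item $infPath -ErrorAction SilentlyContinue
```

The script only reads the policy as it has been applied locally, so run it after replication and gpupdate have finished; a stale result means the GPO has not reached the host yet. It also cannot verify AD group membership from the client: if access is granted through the group rather than the computer account directly, confirm separately that the computer is actually a member of that group.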

Resolution:
This will be addressed in an upcoming release of Centrify Server Suite.
