This article describes a scenario in which users whose domain is joined by a cross-forest or multi-forest two-way trust are unable to reset their password or unlock their account successfully.
When self-service password reset or unlock is implemented and a cross-forest or multi-forest trust exists, the password reset often fails outright, or appears to succeed and then never takes effect. Account unlock does not work as expected either.
This happens when the Cloud Connector service is running as the Local System account (the default) and attempts to reset a password or unlock an account across the trust (for example, the Domain A Cloud Connector, running as Local System, tries to reset a password in Domain B via the trust). Authentication succeeds, but the password reset and unlock still fail, because the Local System account does not have the required permissions in the other domain across the trust (the domain the user is sourced from).
Solution: There are three options for resolving this issue. All require at least one Domain Admin account (or comparable).
Option 1:
1. Create a single service account (Domain Admin or comparable) in one (primary) AD, and add it to the built-in "Account Operators" group in each domain. Be sure to specify the correct location (the primary domain) when searching for this new account from the other domains.
2. Once the new service account has been added to the built-in "Account Operators" group of each other domain, the Administrator should open the policy (or policies) used for the Account Self Service settings in the Centrify Cloud Manager (https://cloud.centrify.com/manage). (Policies > select the policy name > User Security Policies > Self Service.)
Here, switch the configuration from the default, "Use cloud connector running on privileged account", to "Use these credentials", and enter the new service account. If the account has been properly added to the Account Operators group in each domain, it will be able to perform the reset or unlock.
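The group membership in step 1 is the part that is easy to get wrong across a trust, because the account must be added in each domain, not just its home domain. The following PowerShell is an added example (not from the original article or from Centrify) that resolves the service account once in its home domain and then checks, and if necessary adds, its membership in the built-in "Account Operators" group of every trusted domain. It assumes the RSAT ActiveDirectory module is available; the domain names and the account name are placeholders.

```powershell
# Added example, not part of the original article. Requires the RSAT ActiveDirectory module
# and a session (or -Credential) with rights to modify built-in groups in each target domain.
Import-Module ActiveDirectory

$primaryDomain  = 'domainA.example'                         # home domain of the service account (placeholder)
$trustedDomains = @('domainB.example', 'domainC.example')   # other domains across the trust (placeholders)
$svcAccount     = 'svc-cloudconnector'                      # sAMAccountName of the new service account (placeholder)

# Resolve the account in its home domain. The returned object carries the SID, which is how
# the other domains will store it (as a foreign security principal) once it is a member.
$svc = Get-ADUser -Identity $svcAccount -Server $primaryDomain

foreach ($domain in $trustedDomains) {
    # Read the raw member attribute instead of Get-ADGroupMember, which can fail on
    # foreign security principals; the FSP's DN contains the member's SID.
    $group = Get-ADGroup -Identity 'Account Operators' -Server $domain -Properties member

    if ($group.member -match [regex]::Escape($svc.SID.Value)) {
        Write-Host "$domain : $svcAccount is already a member of Account Operators"
    }
    else {
        # Account Operators is a domain-local group, so it may hold principals from a trusted domain.
        Add-ADGroupMember -Identity 'Account Operators' -Members $svc -Server $domain
        Write-Host "$domain : added $svcAccount to Account Operators"
    }
}
```

Run this as an account that is an administrator in each target domain, or add `-Credential (Get-Credential)` to the `Get-ADGroup` and `Add-ADGroupMember` calls. The membership check is also a useful first diagnostic when a reset still fails after the policy has been switched to "Use these credentials": if the SID is missing from the group in the user's domain, that is the domain where the reset will fail.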
Option 2:
1. Follow step 1 from Option 1 above.
2. On the Cloud Connector hosts in all domains, the Administrator will change the account used by the Centrify Cloud Connector service to the new service account from step 1.
3. On the Cloud Connector host, open services.msc from the Run dialog (Windows Key+R).
4. Find the "Centrify Cloud Connector" service, right-click it and select "Properties".
5. On the "Log On" tab, choose the radio button "This account". Use the "Browse" button to find the new service account created in step 1. Enter the password, then click "Apply" and "OK".
6. Stop and restart the service from the "General" tab so the change takes effect.
7. Repeat this change on every host running the Cloud Connector service.
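Steps 3 to 7 are a per-host services.msc procedure. As an added example (not from the original article or from Centrify), the PowerShell below does the same thing across all Cloud Connector hosts over PowerShell Remoting: it reports which account the service currently runs as (useful for confirming the Local System cause described above), changes the logon account with the Win32_Service Change method, restarts the service and reports the result. The host names are placeholders; the service is located by the display name "Centrify Cloud Connector" given in step 4.

```powershell
# Added example, not part of the original article. Assumes PowerShell Remoting is enabled on the
# Cloud Connector hosts and that the caller is a local administrator on each of them.
$ccHosts = @('cc-host1.domainA.example', 'cc-host2.domainB.example')   # placeholders
$svcCred = Get-Credential -Message 'Service account from step 1 (DOMAIN\user)'

foreach ($h in $ccHosts) {
    Invoke-Command -ComputerName $h -ArgumentList $svcCred -ScriptBlock {
        param($cred)

        # Locate the service by its display name as shown in services.msc.
        $svc = Get-CimInstance Win32_Service -Filter "DisplayName='Centrify Cloud Connector'"
        if (-not $svc) {
            Write-Warning "$env:COMPUTERNAME : Centrify Cloud Connector service not found"
            return
        }
        # 'LocalSystem' here is the condition that breaks cross-trust reset and unlock.
        Write-Host "$env:COMPUTERNAME : currently running as $($svc.StartName)"

        # Equivalent of the 'Log On' tab: set the account and password on the service.
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $cred.UserName
            StartPassword = $cred.GetNetworkCredential().Password
        }
        if ($result.ReturnValue -ne 0) {
            throw "$env:COMPUTERNAME : Change failed with return code $($result.ReturnValue)"
        }

        # Equivalent of step 6: stop and start so the new logon account is used.
        Restart-Service -Name $svc.Name -ErrorAction Stop

        $after = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
        Write-Host "$env:COMPUTERNAME : now running as $($after.StartName), state $($after.State)"
    }
}
```

One caveat: services.msc grants the selected account the "Log on as a service" right automatically, while the Win32_Service Change method does not. If the service fails to start after the change, grant that right to the service account on the host (via Local Security Policy or a GPO applied to the Cloud Connector hosts) and start the service again.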
Option 3:
1. For this option, a separate Domain Admin user is needed for each separate AD source.
2. Next, in the Centrify Cloud Manager, the Administrator creates a role for each AD source, scoping the users from that source AD by membership in a security group in that domain (Users@ is a built-in group).
3. The Administrator then creates a policy for each role that was created. Each new policy applies only to the users in its role, so this equates to one role per policy.
4. For each policy, specific to its domain AD source, follow step 2 of Option 1 to enter the service account to be used for that policy. This way, the administrator account for a given AD source is used for the users who belong to that same AD source.
5. Last, since policies are applied top-down in the Centrify Cloud Manager, make sure these policies contain no other settings or restrictions, then move them to the top of the list in the Policies section. The Administrator will also likely want to remove any other Account Self Service settings that may be in place elsewhere.