Applies to: Centrify Identity Service, Mac Edition
Why does the Operating System version start with 6.1:10.x.x in Active Directory Users and Computers (ADUC) for Mac computers?
All Windows systems have 6.1 (or higher) in operatingSystemVersion, in order to use AES.
Without this prefix, Active Directory (AD) will NOT use AES for this machine (AES is the default on Windows Server 2008+) and will fall back to a weaker, less secure encryption mechanism.
If the client requires AES, authentication will then simply fail due to unsupported encryption types. FIPS mode will also fail.
Removing the prefix is strongly discouraged, but if needed, it can be removed using one of the following methods:
1. Add the following to centrifydc.conf and then reboot the Mac: adclient.os.version.use.win7prefix: 0
This can be done using Group Policy, or directly on the centrifydc.conf file located on the Mac.
A) The Group Policy object is located at "Computer Configuration > Policies > Centrify Settings > Direct Control Settings > Add centrifydc.conf properties"
B) To do this directly on the Mac, an Administrator will need to edit the centrifydc.conf file using a Unix-based text editor (TextEdit on Mac is native).
This file is located at /etc/centrifydc/centrifydc. Here, an Administrator can paste the entry shown above at the bottom of the file.
Once complete, reboot the Mac for the change to take effect.
2. Additionally, an Administrator can always "fix" the permissions of the computer object to remove the computer's permission to update itself (and thus its ability to report OS information). Note that this is not supported by Centrify, and any issues or questions with this process should be addressed with Microsoft directly.
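Because method 1 weakens encryption for the machine, it is worth checking whether a Mac still carries the override. The script below is an added example, not Centrify code: it reads a centrifydc.conf passed as an argument and reports whether adclient.os.version.use.win7prefix is set to 0. The function names are hypothetical, and the parsing rules (lines of the form "key: value", "#" starts a comment, the last occurrence wins, an absent key means the prefix is in use) are assumptions.

```shell
#!/bin/sh
# Added example: report whether a centrifydc.conf disables the 6.1 prefix.
# Assumptions: "key: value" lines, "#" starts a comment, last occurrence wins,
# and an absent key means the prefix is still in use.
KEY='adclient.os.version.use.win7prefix'

# Prints "disabled", "enabled" or "absent" for the file given as $1.
win7prefix_state() {
    awk -v key="$KEY" '
        { sub(/#.*/, "") }                  # drop comments, whole-line or trailing
        {
            i = index($0, ":")
            if (i == 0) next                # not a key: value line
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)  # trim key
            gsub(/^[ \t]+|[ \t]+$/, "", v)  # trim value
            if (k == key) state = (v == "0") ? "disabled" : "enabled"
        }
        END { if (state == "") state = "absent"; print state }
    ' "$1"
}

# Returns 1 when the prefix is disabled, so the check can gate a compliance run.
audit_conf() {
    state=$(win7prefix_state "$1")
    if [ "$state" = "disabled" ]; then
        echo "WARN $1: 6.1 prefix disabled; AD will not use AES for this machine"
        return 1
    fi
    echo "OK   $1: 6.1 prefix in use ($state)"
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# adclient.os.version.use.win7prefix: 1
adclient.os.version.use.win7prefix: 0
EOF
audit_conf "$sample" || true
rm -f "$sample"
```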
For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal/