Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-8961: MFA with DirectControl fails after upgrading to 5.4.1 or greater

Authentication Service ,  

14 December,18 at 12:24 AM


After upgrading Centrify Direct Control to 5.4.1 or greater MFA no longer works. 


Starting in Suite 2017.1 (5.4.1), Centrify added additional security enhancements with certificate checking. The DirectControl agent now validates the certificate of the Centrify Identity Platform (CIP) to prevent the possibility of a spoofed certificate. 


Please run the following to check for errors: 

Open the log created by this utilitiy and check for the following error message:
SSL certificate problem: unable to get local issuer certificate

For Centrify Privilege Service On-premise/Customer Managed:
A) Download and Add the Centrify Identity Platform Certificate
1. Log into the Portal
2. View/download the certificate:
For a Chrome browser:
Hit f12 -> select security -> Certification Path -> Select Root CA ->  view certificate -> details -> copy to file -> next -> DER format -> Next -> Name the cert and save. 
3. Import the certificate to GP:
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
4. Run adgpupdate

For Centrify Privilege Service Cloud:
A) Ensure you have a ca-bundle.crt to trust the issuer of the platform certificate.
If you do not have a ca-bundle.crt run the following:
curl --insecure -o /etc/pki/tls/certs/ca-bundle.crt
If you are running a older release or if your ca-bundle.crt is expired:
For example on RHEL:
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/
curl --insecure -o /etc/pki/tls/certs/ca-bundle.crt
yum update ca-certificates
Download the attached cacert.pem and save it to your machine. Run the following to override the existing bundle with the updated CA certificates:
mv /tmp/cacert.pem /etc/pki/tls/certs/ca-bundle.crt

Note: adclient looks for the CA bundle in the following locations:

Make sure to move the downloaded file to one of the above locations. 


In /etc/centrifydc/centrifydc.conf add the location to the following parameter: <Location of CA cert> 
Note: adcdiag will not check the above override parameter and will still show as failed. Test the completion of the above parameter by attempting an MFA login.

*** The following method is insecure and should be used for Eval/testing/troubleshooting only ***
B) Skip check of local issuer certificate. 
1.  Run /usr/share/centrifydc/bin/adcdiag -K
  • -k will skip verification of CA cert for the cloud connector
  • -K will skip the check of the CIP host cert. 
​2. Add the following in /etc/centrifydc/centrifydc.conf: true