Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-9006: "Change default zone container" failed in Access Manager Setup Wizard

Authentication Service ,  

8 May,18 at 10:09 AM

Applies to: 
Centrify DirectManage Access Manager Suite 2017.1 or earlier

Problem:

AD user has following permissions granted on target AD container in order to change Centrify's default zone container location.
Allow – Create/Delete classStore objects
Allow – Full Control on descending classStore objects

This 'Change default zone container' task is unsuccessful with error received "You do not have permission to create the zone container at domain.com/Centrify/Zones"

User-added image

Cause:

Access Manager Centrify Suite 2017.1 and earlier requires AD user has permission 'create container objects' on given target zone container, while this permission should not checked if the specified target container already exists. 
This is a bug of Access Manager Suite 2017.1 and earlier. 

Besides when changing the default zone container on Access Manager the previous zone container identifier will be deleted, therefore permission to delete classStore object on previous zone container is also required. Centrify will need to enhance the document guide about this in future release. 

zone container identifier is a classStore object stored in the zone container named as $CentrifyZoneContainer
User-added image
The zone container identifier is an AD object created as:
- Type = classStore;
- Name = $CentrifyZoneContainer;
- DisplayName = $CimsZoneContainerVersion2

Workarounds:

Option 1 - Grant 2 more permissions to the operator (AD user). 
- On target zone container 
• Create Container objects (Applied to this object only)
- On previous zone container  
• Delete classStore objects (Applied to this object and descendant objects)

Option 2 - Create a new zone container identifier within target zone container with powershell command and remove the previous zone container identifier.

New-ADObject -Name `$CentrifyZoneContainer -DisplayName `$CimsZoneContainerVersion2 -Type classStore -Path "OU=targetcontainer,DC=domain,DC=com"

* Replace "OU=targetcontainer,DC=domain,DC=com" with the real target zone container's  distinguished name. 

Option 3 - Move the old zone container identifier to the target container with proper administrative privilege. 
i) Right click on the old zone container identifier and go to 'Move';
ii) Select the target zone container from the promoted list;
iii) Click 'OK' to save the change.

Then the current zone container will be shown as the target one in launched Setup wizard. 

Resolution:
This issue has been fixed in Suite 2017.2. Access Manager will not check user's container creation permission if target container already exists. 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-4838: Why is Enterprise/Domain admin privileges required when running the setup wizard for Access Manager?. articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6402: Console should allow for creation of target OU/container during the Access Manager setup wizard article[HOWTO] Setup the Zone Provisioning Agent articleKB-3926: Unexpected error occurred when loading domain "Object reference not set to an instance of an object" articleKB-9414: Centrify Report Services Wizard Fails In Three Computer Deployment articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?