KB-9203: How to Restrict or Allow User Logins in Classic Zone

Authentication Service

26 September,17 at 10:16 PM

By default, a classic zone allows all provisioned users in Active Directory to log in to any machine that is joined to the domain. How can a classic zone be restricted so that only specific provisioned users are allowed to log in while other provisioned users are denied login?

To configure a classic zone to allow a specific provisioned user to log in (and exclude other provisioned users), edit the /etc/centrifydc/centrifydc.conf file and set the pam.allow.users parameter. The value of this parameter can be either a file or a list of sAMAccountNames. Once the parameter is set, only the configured provisioned users are allowed to log in; all others are excluded.

Case 1: the pam.allow.users parameter points to a file that contains a list of allowed provisioned users.
For example, in /etc/centrifydc/centrifydc.conf:
pam.allow.users: file:/etc/centrifydc/users.allow

In /etc/centrifydc/users.allow:
[Image: contents of /etc/centrifydc/users.allow]

Case 2: the parameter value is the list of users that will be allowed to log in.
For example, in /etc/centrifydc/centrifydc.conf:
pam.allow.users: tetsu,dean@centrifyimage.vms,darrell@centrifyimage.vms

After making a change to centrifydc.conf, or after adding a new name to the users.allow file, adclient needs to be reloaded:
# adreload

Running adquery user for an included provisioned user (tetsu in the image below) will show zoneEnabled:true.
Running adquery user for a restricted provisioned user (donald in the image below) will show zoneEnabled:false.

[Image: adquery user output for tetsu and donald]
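
To audit which names a host's configuration actually allows, the following added example (not part of the original article and not Centrify tooling) parses a centrifydc.conf-style file and prints the effective pam.allow.users list for both cases above. It assumes a file: list holds one name per line and that the last uncommented occurrence of the parameter is the one in effect; the function name effective_allow_list and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Centrify code): resolve the effective pam.allow.users list.
# Assumptions: a file: list holds one name per line; if the parameter is
# repeated, the last uncommented line is the one reported.

# effective_allow_list CONF  -> prints allowed names, one per line.
# Returns 1 if the parameter is unset (classic-zone default: every provisioned
# user may log in), 2 if the file: target cannot be read.
effective_allow_list() {
    conf=$1
    # Lines starting with '#' do not match, so commented-out settings are ignored.
    value=$(sed -n 's/^[[:space:]]*pam\.allow\.users[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    [ -n "$value" ] || return 1
    case $value in
        file:*)                          # case 1: value points at a list file
            list=${value#file:}
            [ -r "$list" ] || return 2
            raw=$(cat "$list")
            ;;
        *)                               # case 2: inline comma-separated list
            raw=$(printf '%s\n' "$value" | tr ',' '\n')
            ;;
    esac
    # Trim surrounding whitespace and drop blank lines.
    printf '%s\n' "$raw" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Constructed sample data (user names taken from the article's examples).
demo=$(mktemp -d)
printf 'tetsu\ndean@centrifyimage.vms\n\n' > "$demo/users.allow"
printf '# pam.allow.users: donald\npam.allow.users: file:%s\n' "$demo/users.allow" > "$demo/case1.conf"
printf 'pam.allow.users: tetsu,dean@centrifyimage.vms,darrell@centrifyimage.vms\n' > "$demo/case2.conf"
effective_allow_list "$demo/case1.conf"
effective_allow_list "$demo/case2.conf"
```

A return status of 1 is the case worth alerting on in a fleet audit: the host has no allow list and falls back to the default behavior described at the top of this article.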