
KB-9942: How to allow usernames with special characters to perform offline login when adclient.cache.upn.index is defined

Mac & PC Management Service

27 February,18 at 04:40 PM

Applies to: All versions of Centrify Identity Service, Mac Edition

Problem:
 
AD users with a special character in their username (for example: abc#domain) are able to log in when the Centrify agent is in "Connected" mode, but fail when performing an offline login.
 
Cause:

When an offline login is performed, the Centrify agent authenticates the user's credentials against the cache stored on the machine.

However, when special characters are detected in the username while the two parameters below are defined in /etc/centrifydc/centrifydc.conf, the Centrify agent replaces each special character with the "_" symbol and stores the result in the cache.
 
adclient.cache.upn.index
adclient.preferred.login.domains

 
Therefore, users with special characters in their name will not be able to perform an offline login.
 
Workaround:
 
To allow users with special characters in their username to perform offline login even when the parameters above are defined, remove the specific character from the disallowed-characters parameter below in /etc/centrifydc/centrifydc.conf:
 
Default on Mac OS X:
auto.schema.unix.name.disallow.chars: \t\n/\\><?|\"\'`[]{},:;~!@#$%^&*()=

Example:
Enable the parameter without the "#" character in its value to allow a username containing "#" (jsmith#local) to perform offline login:

auto.schema.unix.name.disallow.chars: \t\n/\\><?|\"\'`[]{},:;~!@$%^&*()=
("#" removed from the list)

This parameter defines the characters that are disallowed in a user name. Set its value carefully, taking into account not only the unwanted characters but also the substitute character, so that a substituted UNIX name does not match one that already exists.

After editing the parameter above, run "adreload" and "adflush" to make the change take effect.
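
The substitution and the name-collision risk described above can be checked before changing the parameter. This is an added example, not Centrify code: it models the "_" substitution as the article describes it, the escape handling of the parameter value (`\t`, `\n`, `\x` meaning `x`) is an assumption, the function names are hypothetical, and the user list is constructed around the article's jsmith#local.

```python
import re
from collections import defaultdict

PARAM = "auto.schema.unix.name.disallow.chars"
SUBSTITUTE = "_"  # substitute character named in the article
ESCAPES = {"t": "\t", "n": "\n"}  # assumed escape handling, not from Centrify docs

def parse_disallowed(conf_text):
    """Return the disallowed-character set from the last uncommented setting."""
    chars = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith(PARAM):
            raw = line.partition(":")[2].strip()
            # \t and \n become control characters; any other \x becomes x
            chars = set(re.sub(r"\\(.)",
                               lambda m: ESCAPES.get(m.group(1), m.group(1)), raw))
    return chars

def substituted(name, disallowed):
    """Model of the cached name: each disallowed character replaced by '_'."""
    return "".join(SUBSTITUTE if c in disallowed else c for c in name)

def audit(names, disallowed):
    """Return (changed, collisions) for a list of login names."""
    by_cached = defaultdict(list)
    for name in names:
        by_cached[substituted(name, disallowed)].append(name)
    # Names whose cached form differs from what the user types at login
    changed = {n: c for c, group in by_cached.items() for n in group if n != c}
    # Cached forms shared by more than one user
    collisions = {c: g for c, g in by_cached.items() if len(g) > 1}
    return changed, collisions

# The two settings shown in the article, plus constructed sample user names.
DEFAULT_CONF = r"""auto.schema.unix.name.disallow.chars: \t\n/\\><?|\"\'`[]{},:;~!@#$%^&*()="""
EDITED_CONF = r"""auto.schema.unix.name.disallow.chars: \t\n/\\><?|\"\'`[]{},:;~!@$%^&*()="""
USERS = ["jsmith#local", "jsmith_local", "adoe"]  # constructed

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("edited", EDITED_CONF)):
        changed, collisions = audit(USERS, parse_disallowed(conf))
        print(label, "changed:", changed, "collisions:", collisions)
```

With the default value, jsmith#local maps to jsmith_local and collides with the existing jsmith_local; with "#" removed from the list, no name is altered.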


Resolution:
Avoid using characters from the disallowed list in user names, as doing so is not recommended.
