Hi,
I am trying to install Centrify MDM on a Samsung Galaxy S7. I am receiving an error that shows "Network Unavailable" when I enter my credentials. What kind of troubleshooting could be done to fix this issue?
Thanks.
TW
Recently found out our servers are reporting as using workstation licenses.
Attempting to fix the issues results in
"Error: server license type is not supported for Auto Zone."
Creating a zone and swapping everything over would be quite the task for our environment. Is there another workaround to change the license type but allow the servers to stay in Auto Zone?
Thank you.
Hi,
When I tried joining a domain as below, I keep getting the following error.
Could not get the domain prefix map in allotted time.
The aftermath of this error is that this server ended up joining a domain controller in a different region within my company.
Anyone know how to resolve this?
It happens after I upgrade Centrify to 5.2.3-429.
# adjoin -w mycompany.com -s ad007.sf.priv -u myserviceaccount
myserviceaccount@mycompany.com's password:
Using domain controller: ad007.mycompany.com writable=true
Join to domain:mycompany.com, zone:Auto Zone successful
Centrify DirectControl started.
Loading domains and trusts information
...............................
.............................
Could not get the domain prefix map in allotted time.
If there are conflicts it could cause two or more users to have the same UID.
You can increase the parameter "adjoin.adclient.wait.seconds" to wait longer.
See /etc/centrifydc/centrifydc.conf.
Initializing cache
.
You have successfully joined the Active Directory domain: mycompany.com
in the Centrify DirectControl zone: Auto Zone
You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation. Failure to do so may result in
login problems for AD users.
Thanks in advance.
- Learner
Having an issue in our infrastructure where the Radius Server and Centrify are disconnected and are not speaking to the NAC Server. We currently have to hard wire after a password reset because the Mac OS X users cannot see the certificate behind the login on the wireless Radius connection. What is the best way to deploy and check certificates upon login of the Mac servers so that they authenticate correctly with the AD servers... and dropped the cached authenticated login info.
When passwords expire and it comes time for users to change their passwords on MacBooks, Centrify gets disconnected from our Nextjump.com domain. Now I've tried troubleshooting various different ways.
Troubleshooting:
The only way we have been able to resolve this current issue was to disconnect from the domain and reconnect.
We have a certificate that is used to authenticate to the Radius server and have it installed on the local Mac accounts, allowing us to connect to the corporate Wi-Fi with corporate IP addresses. Still having the issue here.
I am a US federal employee (non-military). We use Express (not Direct Control) for authenticating to VPN and web sites. I've noticed some odd behavior when trying to use our PIV cards with brand new installs of Mac High Sierra 10.13.6.
The problem is that web browsers (Safari, Chrome, and Firefox) are unable to recognize the Certificates we are trying to pass from our cards. I don't even get a chance to authenticate, just a browser error saying, "no card inserted". But I do see the Certificate in KeyChain Access, and it works for VPN.
What I mean by a brand new install is a brand new machine out of the box that has High Sierra already on it, and nothing else. I install Centrify Express 5.4.2, and everything works fine except for authenticating in browsers. (Previous versions of Express do not work with High Sierra.)
The weird thing is, I have machines that were running older OSs, and after upgrading them to High Sierra, I have no problems. I also have a brand-new machine that I performed a Time Machine restore of an old desktop that was running OS El Capitan 10.11. That one worked just fine after upgrading Express to 5.4.2. Both of these types of installs have no problems at all. But if I try to start with a brand new laptop, I can't get browser authentication to work.
To reiterate, I am able to see the card's certificates in KeyChain access, and I am also able to use the card to authenticate to our VPN (we are at a University-infrastructure site and use VPN to access federal websites). So I know I have a functional login, just not for all applications.
I already reviewed a lot of posts on this and other sites, so I have already tried an uninstall, then clearing all the files from /var/db/TokenCache/tokens, and clearing /Library/Security/tokend, then reinstalling.
I can provide any other details or screenshots needed, but first I'm just wondering if anyone else is aware of known issues with 10.13.6 and how to resolve them.
Thanks,
Jerry
Dr. Jerry L. Johnson
Biological Science Laboratory Technician/LITS
USDA-ARS Cereal Disease Laboratory
The documentation for Centrify Express states that it states the adbindproxy package. Is this a download that is available to Centrify Express users? Or is it only available to paid users?
Hello,
We are using Centrify with MFA for corporate email access. We have created a rule to restrict access for users when browsing outside the corporate IP address.
Centrify does show the MFA prompt and sends the verification email to the alternate email when browsed in India. But the verification email does not come to the alternate email when browsed in the US (United States).
Can anyone shed light on this?
Regards,
Ganesan
Aug 10 18:35:32 netops01b systemd[1]: centrifydc.service: Start operation timed out. Terminating.
Aug 10 18:35:32 netops01b systemd[1]: centrifydc.service: Failed with result 'timeout'.
Aug 10 18:35:32 netops01b systemd[1]: Failed to start LSB: CentrifyDC adclient daemon for AD services.
-- Subject: Unit centrifydc.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit centrifydc.service has failed.
--
-- The result is RESULT.
Additional details
I was considering removing the init.d script and replacing it with a systemd control unit, but really, for starters, I'd just like help figuring out why this is happening. I can't find anything useful in any logs.
Thanks!
Hello,
We would like to know about the IE version compatibility for the Centrify portal and other associated pages. When browsed from IE 10, the Centrify MFA login page failed to proceed further after entering the credential. Due to this, our applications using the IE cookie fail to work because of the error in loading via IE.
Please share the required info.
Regards,
Ganesan
We have an Oracle ODA that has been deployed. All cluster, etc software starts and works as expected.
I then installed Centrify Express. The install appears to complete without issue and AD logins work as expected.
However, once Express is installed, the Oracle software (ASM, etc) does not start correctly. There are some oracle processes running, but the cluster asm and other processes never start.
Upon removal of Centrify Express, the Oracle software once again starts up correctly.
Has anyone run into this? If so, how did you resolve?
I'm looking at the download page and can see that we can still download Integration with Samba for Debian 64-bit packages for most systems, except for Ubuntu.
How can I get the latest version of the script so I can integrate centrifydc with Samba 4?
Many thanks,
Louis
To start the authentication process, /StartAuthentication is called first.
Once /StartAuthentication is called, a response is received with SessionID and MechanismID. For Multi Factor Authentication (MFA), two or more MechanismIDs will be available in the response.
For example, I have one login verification using password and email verification, in which an OTP is sent to my email and must be entered for my login to succeed. So, when /StartAuthentication is called, two MechanismIDs will be generated in the response.
Next, /AdvanceAuthentication is called, in which the session ID and both Mechanism IDs are included using MultipleOperations, along with the password of the user.
Once /AdvanceAuthentication is called, "StartOOB" sends an email with the OTP.
Next, /AdvanceAuthentication is called AGAIN, in which the MechanismID of the email verification is included along with the OTP.
Authentication is complete; "Login Success" will be shown in the response.
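
The exchange described in the post above, as an added example that is not part of the original post and is not Centrify code: a constructed in-memory mock of the server side and a client that walks the same steps, showing that the OTP answer is only accepted after the password answer and StartOOB. Field names other than SessionId, MechanismId, MultipleOperations and StartOOB (Action, Answer, Summary, the Summary values, and the mechanism names UP and EMAIL) are assumptions, as are the sample password and OTP used to exercise it.

```python
import hmac
import secrets

def _same(a, b):
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(str(a).encode(), str(b).encode())

class MockAuthService:
    """Constructed in-memory server side; field names are assumptions."""
    def __init__(self, password, otp):
        self.password, self.otp, self.sessions = password, otp, {}
    def start_authentication(self, user):
        sid = secrets.token_hex(8)
        mechs = {"UP": "up-" + secrets.token_hex(4), "EMAIL": "em-" + secrets.token_hex(4)}
        self.sessions[sid] = {"mechs": mechs, "pw_ok": False, "oob": False}
        return {"SessionId": sid, "Mechanisms": [
            {"Name": n, "MechanismId": m} for n, m in mechs.items()]}

    def advance_authentication(self, req):
        s = self.sessions.get(req.get("SessionId"))
        if s is None:
            return {"Summary": "Failure"}
        up, email = s["mechs"]["UP"], s["mechs"]["EMAIL"]
        for op in req.get("MultipleOperations") or [req]:
            step = (op.get("MechanismId"), op.get("Action"))
            if step == (up, "Answer") and _same(op.get("Answer"), self.password):
                s["pw_ok"] = True
            elif step == (email, "StartOOB") and s["pw_ok"]:
                s["oob"] = True  # a real service would e-mail the OTP here
            elif (step == (email, "Answer") and s["oob"]
                  and _same(op.get("Answer"), self.otp)):
                del self.sessions[req["SessionId"]]
                return {"Summary": "LoginSuccess"}
            else:  # wrong secret or a step out of order: discard the session
                del self.sessions[req["SessionId"]]
                return {"Summary": "Failure"}
        return {"Summary": "OobPending" if s["oob"] else "StartNextChallenge"}

def login(svc, user, password, read_otp):
    start = svc.start_authentication(user)
    ids = {m["Name"]: m["MechanismId"] for m in start["Mechanisms"]}
    first = svc.advance_authentication({"SessionId": start["SessionId"],
        "MultipleOperations": [
            {"MechanismId": ids["UP"], "Action": "Answer", "Answer": password},
            {"MechanismId": ids["EMAIL"], "Action": "StartOOB"}]})
    if first["Summary"] != "OobPending":
        return first["Summary"]
    return svc.advance_authentication({"SessionId": start["SessionId"],
        "MechanismId": ids["EMAIL"], "Action": "Answer", "Answer": read_otp()})["Summary"]
```
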
Starting on August 11, 2018, our AD Connector stopped synchronizing users into Samanage. When I logged in about a week later (after discovering the issue), I was prompted to change the password on our administrator account for the Centrify admin portal. After doing so, I was able to log in.
I did some troubleshooting for a couple days, but was not able to get the connector running again. After attempting to change to a different admin account (Samanage admin account vs. Centrify), we have now found that none of our users can authenticate against the Centrify SSO page, and must instead log in through the Samanage local login.
Centrify support has told me that our use of Centrify with Samanage was never supposed to be a long-term solution, but rather a 30-day trial, after which we were supposed to buy a support contract in order to use the full application and gain access to support. However, our Samanage rep has said that, although support is limited to Community Support only, we should be able to use Centrify with Samanage on an ongoing basis for no cost.
Looking at the PDF here, the very first step has me a bit confused.
"Run the setup program for Authentication & Privilege components on a Windows administrator’s workstation. The setup program simply copies the necessary files to the local Windows computer, so there are no special permissions required to run the setup program other than permission to install files. Follow the prompts displayed to select which components to install."
It is not clear what "Authentication & Privilege components" are or where I can locate them. The downloads available on the express download page are the following:
Centrify DirectManage Express
Centrify DirectControl Express Agents
Centrify PuTTY
The Community section of that same download page says that there are install videos in the Express forum (this forum,) but I don't see them anywhere. They certainly aren't pinned to the top of the forum.
I did install DirectManage Express on a Windows machine, but when I point it to the Ubuntu machine I set up to test with, I click "analyze," it gives a quick progress bar and then provides zero indication that there was any kind of success or failure. <sigh>
So, if videos exist, I'd be happy to watch it/them (I also checked YouTube,) or alternatively, I'd like to have my hand held for just a short while.
I've found several other posts about this but none of the solutions presented solved the issue for me. The short version is that I have centrifydc installed on a RHEL 7.4 server and while I can log in with Active Directory credentials on the console, I am unable to do so with SSH. This seems like it's a simple configuration problem with PAM, but I don't know enough about centrify (or PAM, for that matter) to know for sure. Has anyone run into this before?
Hi,
When trying to access a Navy website, I am receiving an ERR_BAD_SSL_CLIENT_AUTH_CERT error from Chrome. I'm only prompted to select one of my certificates, I get asked for a PIN, and then I get that error. If I use the same card in the same reader on the same MacBook Pro, but in a Windows VM, it works fine.
What am I potentially misconfiguring with Centrify that would cause it to fail? I disabled the High Sierra built-in reader. I installed and trusted all the root certs from militarycac.com, plus all the additional certificates. My CAC certificates are all listed as valid.
Any ideas?
Hi folks,
We are having problems with the startup of CentrifyDC Express 5.5.1-400, currently installed on our Ubuntu 18.04 systems.
When we power on the system, it takes about 30 seconds to start up the client "adclient" and then it appears Connected. Occasionally it never starts the adclient and then it appears as Disconnected for a while.
We have tried with the latest version of Centrify Express: centrify-infrastructure-services-18.8-deb8-x86_64, and also with previous versions, and the problem persists.
Thanks.
adinfo shows:
CentrifyDC mode: connected
Licensed Features: Enabled
If I do:
ID cnoyes (my user) it returns correct AD information.
/var/log/secure shows:
Invalid user DOMAIN\\cnoyes from vpn-ip
input_userauth_request: invalid user DOMAIN\\cnoyes
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn-ip
pam_succeed_if(sshd:auth): error retrieving information about user domain\cnoyes
Failed password for invalid user DOMAIN\\cnoyes from vpn-ip port 58498 ssh2
Connection closed by vpn-ip
The weird thing is I have another server that was cloned from this server that works fine.
The difference I see if I compare adinfo -diag information with the cloned system is this:
BAD SYSTEM
Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
GOOD SYSTEM
Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023
Can anyone help me troubleshoot SSHD?
This is more of an annoyance than a bug, but I thought there might be a solution?
I'm on latest OS X (10.13.6) with current Google Chrome (69.0.3497.100). Everything works as it should, but if I remove my card, I need to completely restart my browser in order for things to work properly again.
With the default High Sierra smart card support this does not occur, but the default smart card support doesn't work with Kerberized SSH (KRB/OSSH). Centrify Express makes the kerberized SSH work and my card is always seen as a CACNG.
Is there any way to either (1) force Chrome to use the built-in High Sierra smart card support, or (2) get Chrome to work so that I don't have to restart my browser each time I remove my card?