Force password salt lookup from KDC

Force Centrify DirectControl Agent to look up the complete principal name, including the Kerberos realm used as the key salt, from the KDC.

Enabling this policy is only required if you remove arcfour-hmac-md5 from the list of encryption types specified for the adclient.krb5.tkt.encryption.types parameter in the Centrify DirectControl configuration file and if you change a userPrincipalName attribute in Active Directory without changing the user's password.

Enabling this policy may cause "pre-auth required" warning messages to appear in the Active Directory event log.

This group policy modifies the adclient.force.salt.lookup setting in the Centrify DirectControl configuration file.


Supported on:
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Centrify\CentrifyDC\Settings\Adclient
Value Nameadclient.force.salt.lookup
Value TypeREG_SZ
Enabled Valuetrue
Disabled Valuefalse

Skip items whose name contains

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Centrify\CentrifyDC\Settings\Adclient
Value Name{number}
Value TypeREG_DWORD
Default Value

centrifydc_settings.admx

Administrative Templates (Computers)

Administrative Templates (Users)