permissions to publish new installation in AD
06-07-2018 12:20 PM
I'm creating new Audit installations in our DEV spaces for testing upgrades, etc., and I occasionally get errors indicating I don't have permissions to publish to /path/to/AD/folder. I've done some searching on the Centrify site and found one KB that indicated I need to have permission to publish SPNs in AD. Is that the only permission that I need granted?
Thanks in advance for your help!
06-08-2018 04:40 AM
You are partially correct.
For a first time deployment, there are two "advanced" objects that you need to be able to write to AD:
- Server: The ServicePrincipalName(s) (SPN) are for the DirectAudit server(s) object in AD, if detected as missing.
- Service (Installation Publication): The serviceConnectionPoint (SCP) required for DirectAudit; you need to be able to write them in the target OU or AD container.
The key here is if you're getting delegated access, you have to get it via the "Advanced" button in ADUC, not just the typical check of the Full Control list.
Ideally (to maintain security discipline), this is done by another team member or, if you get delegated access, it's removed after you're done with your changes.
Note that the SQL server scripts will be offered to you by the configuration wizard if you don't have rights to do the operation.
Tip: Make sure the Centrify Licensing Service is up and running in your DEV environments.
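
Added example (not part of the reply above and not Centrify code): one command-line way to grant the two delegated rights the answer names, remove them after the install, and confirm from the ACLs that nothing was left behind. The account name and both distinguished names are hypothetical placeholders, and the exact rights the Centrify wizard checks are an assumption based on the answer (create SCP objects in the target OU, write the SPN attribute on the server object).

```powershell
# Added example. Account, OU and server DNs are hypothetical placeholders.
Import-Module ActiveDirectory
$Delegate = 'DEV\audit-installer'
$TargetOu = 'OU=Centrify,DC=dev,DC=example,DC=com'
$ServerDn = 'CN=AUDITSRV01,OU=Servers,DC=dev,DC=example,DC=com'

# Resolve a class or attribute schemaIDGUID from the directory instead of hard-coding it.
function Get-SchemaGuid([string]$LdapName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $entry = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapName)" `
        -Properties schemaIDGUID
    [guid]$entry.schemaIDGUID
}

# List Allow ACEs on $Dn that cover the given class/attribute. An ACE with an
# all-zero ObjectType applies to every class/attribute, so it is included too.
function Get-DelegatedAce([string]$Dn, [guid]$ObjectType, [string]$RightPattern) {
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -in @($ObjectType, [guid]::Empty) -and
        "$($_.ActiveDirectoryRights)" -match $RightPattern
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# 1. Grant (run by whoever owns the OU, before the installation is published).
dsacls $TargetOu /G "${Delegate}:CC;serviceConnectionPoint"   # create SCP children
dsacls $ServerDn /G "${Delegate}:WP;servicePrincipalName"     # write the SPN attribute

# 2. ... run the installation wizard as $Delegate ...

# 3. Revoke. /R drops every explicit ACE for the trustee on that object, so do not
#    use it for an account that holds other, unrelated rights on the same object.
dsacls $TargetOu /R $Delegate
dsacls $ServerDn /R $Delegate

# 4. Verify: show who can still create SCPs in the OU or write SPNs on the server.
$scpGuid = Get-SchemaGuid 'serviceConnectionPoint'
$spnGuid = Get-SchemaGuid 'servicePrincipalName'
Write-Host "Principals able to create SCPs in ${TargetOu}:"
Get-DelegatedAce $TargetOu $scpGuid 'CreateChild|GenericAll' | Format-Table -AutoSize
Write-Host "Principals able to write SPNs on ${ServerDn}:"
Get-DelegatedAce $ServerDn $spnGuid 'WriteProperty|GenericWrite|GenericAll' | Format-Table -AutoSize
```

After step 3 the delegate should no longer appear in either table unless it inherits the right from a parent container or through group membership, which shows up with `IsInherited` set or under the group's name.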