permissions to publish new installation in AD

Participant III
Posts: 6
Registered: ‎02-19-2016
#1 of 2 453
Accepted Solution

permissions to publish new installation in AD

Hello all,

I'm creating new Audit installations in our DEV spaces for testing upgrades, etc. and I occasionally get errors indicating I don't have permissions to publish to /path/to/AD/folder. I've done some searching on the Centrify site and found one KB that indicated I need to have permission to publish SPNs in AD. Is that the only permission that I need granted?

 

Thanks in advance for your help!

 

 

Centrify Guru I
Posts: 2,262
Registered: ‎07-26-2012
#2 of 2 448

Re: permissions to publish new installation in AD


@bp78254,

 

You are partially correct.

For a first time deployment, there are two "advanced" objects that you need to be able to write to AD:

  • Server: The ServicePrincipalName(s) (SPN) are for the DirectAudit server(s) object in AD, if detected as missing.
  • Service (Installation Publication): The serviceConnectionPoint (SCP) required for DirectAudit; you need to be able to write them in the target OU or AD Container.

The key here is if you're getting delegated access, you have to get it via the "Advanced" button in ADUC, not just the typical check of the Full Control list.

 

Ideally (to maintain security discipline), this is done by another team member or if you get delegated access, it's removed after you're done with your changes.

 

Note that the SQL server scripts will be offered to you by the configuration wizard if you don't have rights to do the operation.

 

Tip: Make sure the Centrify Licensing Service is up-and-running in your DEV environments.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
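
The following is an added example, not part of the original thread and not Centrify's own tooling: a PowerShell audit that lists who currently holds the two rights described in the reply above (create serviceConnectionPoint children in the target OU, write servicePrincipalName on the server object), so temporary delegation can be confirmed and later verified as removed. The distinguished names are placeholders, and the script assumes the RSAT ActiveDirectory module and read access to the directory.

```powershell
# Added example: audit who can publish a DirectAudit installation (SCP) and
# write SPNs. Uses only the standard ActiveDirectory module and Get-Acl.
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own DNs.
$TargetOu = 'OU=Audit,OU=DEV,DC=example,DC=com'            # where the SCP is published
$ServerDn = 'CN=AUDITSRV01,OU=Servers,DC=example,DC=com'   # DirectAudit server object

function Get-SchemaGuid {
    # Resolve a class or attribute name to its schemaIDGUID from the live schema,
    # so no GUID is hard-coded.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function Get-DelegatedAce {
    # Return Allow ACEs on $Dn that grant any of $Rights, either scoped to
    # $ObjectType or unscoped (empty GUID, e.g. Full Control / GenericAll).
    param(
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][guid]$ObjectType,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band [int]$Rights) -ne 0) -and
        ($_.ObjectType -eq $ObjectType -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object @{ n = 'Object'; e = { $Dn } }, IdentityReference,
                      ActiveDirectoryRights, ObjectType, IsInherited
}

$scpGuid = Get-SchemaGuid 'serviceConnectionPoint'
$spnGuid = Get-SchemaGuid 'servicePrincipalName'

# SCP publication needs CreateChild on the OU/container; SPN registration needs
# WriteProperty (or the validated write, reported as Self) on the server object.
$findings = @(
    Get-DelegatedAce -Dn $TargetOu -ObjectType $scpGuid -Rights 'CreateChild'
    Get-DelegatedAce -Dn $ServerDn -ObjectType $spnGuid -Rights 'WriteProperty, Self'
)

# Explicit (non-inherited) ACEs first: these are the ones a one-off delegation
# adds and that should disappear once the installation has been published.
$findings | Sort-Object IsInherited, Object | Format-Table -AutoSize -Wrap
```

Running it before the delegation, after it, and again after the cleanup gives a simple record that the temporary rights were actually removed.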