adclient.prevalidate.allow.groups
This configuration parameter specifies the groups that are prevalidated to access the local UNIX computer using Active Directory credentials when the computer is offline, even if users in the group have not previously logged on to the computer.
Under normal circumstances, only users who have previously logged on to a computer can be authenticated when the computer is disconnected from the network. For those users, authentication is based on the password hashes stored during the previous log-on. In some cases, however, you may require users who have never logged on to a particular computer to be authenticated when the computer is disconnected from the network. For example, you may have an administrative group that requires access to computers that are disconnected from the network but on which they have never previously logged in. To accommodate the users in that group, you can configure the group for prevalidation.
In most cases, you set this configuration parameter using group policy.
If you are manually setting this parameter, the parameter value must be a comma-separated list of UNIX group names. Enclose group names with spaces in double quotes, for example:
adclient.prevalidate.allow.groups: performx,qualtrak,"domain admins"
Using this parameter with other prevalidation parameters
If you do not specify any groups for this parameter, then no group accounts are prevalidated to access the local computer. If you specify either the adclient.prevalidate.allow.users or adclient.prevalidate.allow.groups parameters, only those users and groups are prevalidated, with the exception of any users or groups specified by adclient.prevalidate.deny.users and adclient.prevalidate.deny.groups parameters. For example, to allow all users in the admins group to be prevalidated, except the users who are also members of the outsource group, you could set the adclient.prevalidate.allow.groups and adclient.prevalidate.deny.groups parameters like this:
adclient.prevalidate.allow.groups: admins
adclient.prevalidate.deny.groups: outsource
To allow prevalidation for all users in the zone without any exceptions, you can set the adclient.prevalidate.allow.groups parameter to all@zone. For example:
adclient.prevalidate.allow.groups: all@zone
For users or groups of users to be prevalidated, their accounts must be active accounts with permission to log on to the local computer and have a service principal name (SPN) set in the form of:
preval/username
Where preval is the service name specified by the adclient.prevalidate.service parameter and username is the user logon name, which can be either of the following:
- the name part of the user's UPN, if the domain part matches the user's domain
- samAccountName, if the UPN is empty or the UPN's domain part is different from the user's domain
Registering service principal names
To enable prevalidation for a user, you can use the Windows setspn.exe utility to add a service principal name for the user. For example, to register the service principal name for the user kai@arcade.com using preval as the service name, you could type a command similar to the following in a Windows Command Prompt window:
setspn -A preval/kai kai
This setspn command registers the SPN in Active Directory for the preval service for the specified user account, the Active Directory user kai. On the computers where this user is allowed to be prevalidated, the user can be authenticated without having logged on previously.
If you are allowing prevalidation for an administrative group, you must register a service principal name (SPN) for each member of the group. For example, if you are allowing prevalidation for the admins group and this group has five members, you would use the setspn.exe utility to register a Service Principal Name for each of those members.
Specifying the supported encryption types
All prevalidated users must have their Active Directory msDS-SupportedEncryptionTypes attribute set to 0x18 (for just AES128 and AES256 support) or above to be able to log in when disconnected. The attribute value is the sum of the encryption types supported. Use the sum of the following encryption type values to determine the attribute value:
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC_MD5 = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10
For example, 0x1c (0x04 + 0x08 + 0x10) indicates support for RC4_HMAC_MD5, AES128_CTS_HMAC_SHA1_96, and AES256_CTS_HMAC_SHA1_96.
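As an added example (not Centrify/Delinea code), the following Python models the rules described in this section: parsing the quoted group list, the allow/deny and all@zone group logic, the preval/username SPN rule, and the msDS-SupportedEncryptionTypes bitmask. It assumes a dictionary-shaped user record, interprets the 0x18-or-above requirement as both AES bits being set, and does not model adclient.prevalidate.allow.users; all sample users, groups and domains are constructed.

```python
import csv

# Added example, not Centrify/Delinea code: models the offline-prevalidation rules.
ENCTYPES = {  # bit values of msDS-SupportedEncryptionTypes from the text
    "DES_CBC_CRC": 0x01, "DES_CBC_MD5": 0x02, "RC4_HMAC_MD5": 0x04,
    "AES128_CTS_HMAC_SHA1_96": 0x08, "AES256_CTS_HMAC_SHA1_96": 0x10,
}
AES_BITS = ENCTYPES["AES128_CTS_HMAC_SHA1_96"] | ENCTYPES["AES256_CTS_HMAC_SHA1_96"]  # 0x18

def parse_group_list(value):
    """Parse a comma-separated value; double-quoted names may contain spaces."""
    return [g.strip() for g in next(csv.reader([value], skipinitialspace=True), []) if g.strip()]

def enctype_names(value):
    """Names of the encryption types whose bits are set in the attribute value."""
    return [name for name, bit in ENCTYPES.items() if value & bit]

def spn_username(upn, sam_account_name, user_domain):
    """User part of the preval/<username> SPN, per the UPN/samAccountName rule."""
    name, sep, domain = (upn or "").rpartition("@")
    if sep and domain.lower() == user_domain.lower():
        return name
    return sam_account_name

def group_allowed(user_groups, allow_groups, deny_groups):
    """Group-based decision only; adclient.prevalidate.allow.users is not modelled."""
    if not allow_groups:                     # nothing listed: no group is prevalidated
        return False
    if any(g in deny_groups for g in user_groups):
        return False                         # deny lists override allow lists
    return "all@zone" in allow_groups or any(g in allow_groups for g in user_groups)

def can_prevalidate(user, config):
    """True when the (hypothetical) user record meets every requirement in this section."""
    allow = parse_group_list(config.get("adclient.prevalidate.allow.groups", ""))
    deny = parse_group_list(config.get("adclient.prevalidate.deny.groups", ""))
    service = config.get("adclient.prevalidate.service", "preval")
    spn = f"{service}/{spn_username(user['upn'], user['samAccountName'], user['domain'])}"
    return (user["enabled"]
            and group_allowed(user["groups"], allow, deny)
            and spn in user["spns"]
            and (user["enctypes"] & AES_BITS) == AES_BITS)  # "0x18 or above": both AES bits

# Constructed sample data, not from any real directory
CONFIG = {"adclient.prevalidate.allow.groups": 'admins,"domain admins"',
          "adclient.prevalidate.deny.groups": "outsource"}
KAI = {"upn": "kai@arcade.com", "samAccountName": "kai", "domain": "arcade.com",
       "groups": ["admins"], "spns": ["preval/kai"], "enabled": True, "enctypes": 0x1c}
```

Running can_prevalidate(KAI, CONFIG) returns True; dropping the SPN, adding kai to outsource, or setting enctypes to 0x04 each makes it return False.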
Refreshing prevalidated credentials
To ensure their validity, the credentials for prevalidated users and groups are periodically retrieved from Active Directory. For example, the credentials are refreshed whenever you do the following:
- Reboot the local computer.
- Start or restart the adclient process.
- Run the adflush command to clear the cache.
- Change a password from the local system.
The credentials are also periodically refreshed at the interval defined by the adclient.prevalidate.interval parameter to ensure that prevalidation will continue working after password changes.