Deciding to use agentless authentication

Normally, the adclient agent is installed locally on a computer to handle all account authentication and lookup requests that need to be passed to Active Directory. On computers and devices where you cannot install a Centrify agent locally, you may be able to use the Centrify Network Information Service (adnisd) to provide agentless authentication.

With agentless authentication, computers that have older or unsupported operating systems that can be, or already are, configured as NIS clients can submit NIS requests to the Centrify Network Information Service. The Centrify Network Information Service can then check its cached Active Directory information to verify whether a user or group has valid credentials and is authorized to log on.

The following figure provides a simplified view of this environment.

In this scenario, the Centrify zone acts as the NIS domain for a group of computers or devices that are configured as NIS clients. Those clients submit requests to the Centrify Network Information Service, adnisd, listening on the NIS port.

The Centrify Network Information Service periodically contacts the adclient agent to get updated information from Active Directory and generates a set of “maps” that it stores locally. The Centrify Network Information Service can then use the information in these maps to respond to NIS client requests for authentication or other services.

The user and group “maps” are generated automatically based on the users and groups that have profiles currently enabled in the zone. Network information and custom maps can also be published for a zone, but those maps must be manually imported or created. The maps for agentless authentication only require you to add and enable a profile for each Active Directory user and group who should have access to the zone. In this way, the Centrify Network Information Service can be used to service agentless authentication requests from computers or devices where adclient itself cannot be installed.