This configuration parameter specifies that you want to force the Centrify agent to look up the complete principal name, including the Kerberos realm used as the key salt, from the KDC. Setting this parameter to true is required if you remove arcfour-hmac-md5 from the list of encryption types specified for the adclient.krb5.tkt.encryption.types parameter and if you change a userPrincipalName attribute in Active Directory without changing the user’s password.

The parameter value can be true or false. The default value is true. For example:

adclient.force.salt.lookup: false

Note:   When this parameter value is set to true it may cause “pre-auth required” warning messages to appear in the Active Directory event log.