adclient.one-way.x-forest.trust.force

Use this configuration parameter, adclient.one-way.x-forest.trust.force, to specify a list of two-way trusted domains that must be treated as one-way trusted domains. This is useful when the two-way trusted domains are not accessible from the currently joining machine, for example because they are behind a firewall. Configuring this parameter allows cross-forest (x-forest) users to authenticate to the trusting machines.

The options are:

  • An empty list (default)
  • A list of forests or domains to be treated as one-way trusted.

    Specify a list of two-way trusted forests, and of domains that have a two-way external trust relationship with the local domain, that the DirectControl Agent should treat as one-way trusted forests or domains.

This parameter is likely to be used together with the pam.ntlm.auth.domains and adclient.ntlm.domains configuration parameters if these forests and domains are not accessible from the currently joining machine.

  • Use the pam.ntlm.auth.domains parameter to specify the list of domains that use NTLM authentication instead of Kerberos authentication.
  • Use the adclient.ntlm.domains parameter to map AD domains to NTLM domains.

Alternatively, you can set the group policy Computer Configuration > Centrify Settings > DirectControl Settings > Adclient Settings > Force domains and forests to be one-way trusted.