adclient.prevalidate.allow.users

This configuration parameter specifies the users that are prevalidated to access the local UNIX computer using Active Directory credentials when the computer is offline even if they have not previously logged onto the computer.

Under normal circumstances, only users who have previously logged on to a computer can be authenticated when the computer is disconnected from the network. For those users, authentication is based on the password hashes stored during a previous log on. In some cases, however, you may require users who have never logged on to a particular computer to be authenticated when the computer is disconnected from the network. For example, you may have administrative users who require access to computers that are disconnected from the network but on which they have never previously logged in. To accommodate those users, you can configure them for prevalidation.

In most cases, you set this configuration parameter using group policy.

If you are manually setting this parameter, the parameter value must be a comma-separated list of UNIX user names. Enclose user names with spaces in double quotes, for example:

adclient.prevalidate.allow.users: jesse,rae,tai,"sp1 user"

Using this parameter with other prevalidation parameters

If you do not specify any users for this parameter, then no specific user accounts are prevalidated to access the local computer. If you specify either the adclient.prevalidate.allow.users or adclient.prevalidate.allow.groups parameters, only those users and groups are prevalidated, with the exception of any users or groups specified by adclient.prevalidate.deny.users and adclient.prevalidate.deny.groups parameters. For example, to allow all users in the admins group and the users ali, kai, and tanya who are not members of the admins group to be prevalidated, but prevent the users jorge and maurice from being prevalidated, you could set the allow and deny parameters like this:

adclient.prevalidate.allow.groups: admins
adclient.prevalidate.allow.users: ali,kai,tanya
adclient.prevalidate.deny.users: jorge,maurice

For users or groups to be prevalidated, their accounts must be active accounts with permission to log on to the local computer and have a Service Principal Name (SPN) set in the form of:

preval/username

Where preval is the service name specified by the adclient.prevalidate.service parameter and username is the user logon name, which can be either of the following:

  • the name part of the user's UPN, if the domain part matches the user's domain

  • samAccountName, if the UPN is empty or the UPN's domain part is different from the user's domain

Registering service principal names

To enable prevalidation for a user, you can use the Windows setspn.exe utility to add a service principal name for the user. For example, to register the Service Principal Name for the user kai@arcade.com using preval as the service name, you could type a command similar to the following in a Windows Command Prompt window:

setspn -A preval/kai kai

This setspn command registers the SPN in Active Directory for the preval service for the specified user account, the Active Directory user kai. On the computers where this user is allowed to be prevalidated, the user can be authenticated without having logged on previously.

Specifying the supported encryption types

All prevalidated users must have their Active Directory msDSSupportedEncryptionTypes attribute set to 0x18 (for just AES128 and AES256 support) or above to be able to login when disconnected. The parameter value represents the sum of the encryption types supported. Use the sum of the following encryption type values to determine the parameter value:

DES_CBC_CRC = 0x01
DES_CBC_MD5= 0x02
RC4_HMAC_MD5 = 0x4
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

For example, 0x1c indicates support for RC4_HMAC-MD5, AES128_CTS_HMAC_SHA1_96, and AES256_CTS_HMAC_SHA1_96.

Refreshing prevalidated credentials

To ensure their validity, the credentials for prevalidated users and groups are periodically retrieved from Active Directory. For example, the credentials are refreshed whenever you do the following:

  • Reboot the local computer.

  • Start or restart the adclient process.

  • Run the adflush command to clear the cache.

  • Changes a password from the local system.

The credentials are also periodically refreshed at the interval defined by the adclient.prevalidate.interval parameter to ensure that prevalidation will continue working after password changes.