Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.3 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Integrating with GPMC
Display specifiers Troubleshooting

Getting help from technical support

If you are unable to determine the solution to a problem, contact Technical Support for help.

Before you contact Support, please collect the following information:

  1. Take a system information snapshot. To do this, run the following command as root:

    This produces an output file in /tmp.

  2. Make note of the Unix attributes for the user that cannot log in (if applicable). To do this, capture the output from the following commands:
    vastool -u host/ attrs <username>
    id <username>

    Note: Depending on your platform, you may need to run id -a instead of id.

  3. Copy the text from any error messages that you see.
  4. Save the results of running a "double su". To do this, log in as root and run su <username> note any error messages. Then run su <username> again and note any error messages.

Once you have collected the information listed above, contact Support at

Disaster recovery

Since Authentication Services relies on Active Directory, follow Microsoft’s best practices for keeping the database highly available. The Management Console for Unix and other administration tools, are not critical to the operation of Authentication Services and can quickly be reinstalled from scratch if needed.

Long startup delays on Windows

You may experience long delays (over a minute) when starting the Authentication Services Windows installer or certain Windows management tools such as Control Center. All Authentication Services Windows binaries are Authenticode-signed so that you can be sure that the binaries are authentic and have not been tampered with. This problem occurs when the .NET runtime attempts to verify the Authenticode signature by checking against certificate revocation lists (CRLs) at If this site cannot be reached, the .NET framework check will time out (up to 60 seconds). This timeout occurs every time a signed assembly is loaded which can lead to very long load times. You can fix this problem by allowing access to See Microsoft KB article Microsoft KB article 936707 for background information.

If the computer is not connected to the internet, you can disable CRL checks for the entire system in Internet Explorer. Go to Options, select the Advanced tab, under Settings clear the Check for publisher's certification revocation option.

It is also possible to specify a generatePublisherEvidence element in an <app>.exe.config that will disable CRL checks for the specific application that you are running. Keep in mind that if you are using Authentication Services components in PowerShell or MMC, you would need to add this configuration for the powershell.exe.config and/or mmc.exe.config. Refer to <generatePublisherEvidence> Element for details.

Pointer Record updates are rejected

If Pointer Record (PTR) updates are being rejected, it may be because the DHCP server is doing the update already. Refer to the documentation for the DHCP server used in your environment. The Microsoft DHCP server does updates on behalf of the host and this is controlled by the FQDN option. Please refer to the Microsoft Active Directory DNS/DHCP documentation.

Related Documents