With Centrify Identity Service™, Mac Edition, you can use Active Directory to centrally manage authentication, policy enforcement, single sign-on (SSO), and user self-service for popular endpoint devices running Mac OS X, iOS, and Android. A key component of Centrify Identity Service, Mac Edition is the Centrify agent for Mac OS X computers. Centrify Express makes it easy to join Mac OS X systems to Active Directory so users can log in using their Windows credentials. For more information on Centr. Free Active Directory integration and single sign-on for Linux and Mac OS X: Centrify Express is the No. 1 choice of IT professionals for Active Directory-based authentication and single sign-on to cross-platform systems. What does the end of life (EOL) for Centrify Express products entail? As of May 1st, 2019, Centrify Express for SaaS and Mobile, Centrify Express for Mac and Centrify Express for Mac Smart Card users are no longer eligible to receive new security updates, non-security hotfixes, free assisted support options or online technical content updates from Centrify.
Background
Note: On this rare occasion I will discuss a capability related to Centrify Express. This product is limited to a number of systems, and Centrify has added capabilities that enhance the value of the solution.
Last month, with the release of Centrify Suite 2016.1, Centrify expanded on the MFA Everywhere strategy, adding support for UNIX systems (AIX, HP-UX, Solaris) for Server Login and Privilege Elevation. In addition, Centrify added MFA login support for Auto Zone. This means that Centrify Express for UNIX/Linux customers who have a tenant in the industry-recognized Centrify Identity Service can implement MFA or step-up authentication on login.
This quick article covers the steps to implement MFA as an additional control for access to systems integrated with AD through Centrify Express for UNIX/Linux. The information in this article can also be applied to Classic zones and Auto Zone (workstation mode).
For an in-depth discussion of Centrify Server Suite MFA, you can read this lab entry.
For information on how to get started with Centrify Identity Service, visit the Getting Started page.
Planning
Potential Stakeholders
- Centrify SMEs:
  - Security Lead: The security lead can answer questions like these:
    a) What servers require step-up authentication for login?
    b) What users will be challenged for multi-factor at login?
    c) What users will have the rights to log in without multi-factor, or for troubleshooting purposes?
  - IT/AD Infrastructure lead: This SME will help set up a Windows Server to act as the cloud connector.
- Active Directory
- A supported Centrify Express OS with Centrify DirectControl 5.3.1
- A Centrify Identity Service tenant (you can sign up for a trial here) with a Cloud Connector. Cloud Connectors run on 64-bit Windows Servers and require outbound HTTPS connectivity (they can be behind a proxy).
- A user with a supported MFA or step-up method: phone number, mobile number (for SMS), Centrify Mobile Authenticator for Push MFA, or OATH OTP (Google Authenticator, FreeOTP, YubiKey, DUO, etc.).
- If using Centrify Mobile Authenticator or Google Authenticator, you'll need an iOS or Android device.
Centrify Parameters for MFA on Auto Zone
Centrify Express joins Active Directory in workstation mode. This allows for quick integration with AD for all users without worrying about UNIX identity: the UNIX login name, UID, primary group, GECOS, home directory and shell are generated by the Centrify client. Configuration is managed via parameters. The parameters introduced for MFA are the following:
- adclient.legacyzone.mfa.enabled: This parameter turns on MFA and it is set to false by default.
- adclient.legacyzone.mfa.cloudurl: This is the Centrify Identity Service tenant URL that is configured to grant MFA to the system.
- adclient.legacyzone.mfa.required.groups (or adclient.legacyzone.mfa.required.users): These parameters specify which users (or members of which AD groups) will be challenged for multi-factor on login.
- adclient.legacyzone.mfa.rescue.users: These are the users that can access the system in case no tunnel can be established with the MFA service.
- adclient.cloud.connector: This parameter can be used to specify a proxy server if in use.
Implementation
Scenario
We will get started with a Centrify Identity Service that has the Cloud Connector set up with the AD Bridge enabled.
To learn how to set up a cloud connector you can always review the Getting Started guide.
First, we will enable MFA using information from a user in AD (e-mail, mobile phone, phone); then we will walk the user through the process of enrolling a mobile device (to enable Centrify Mobile Authenticator for push MFA), and we'll also use Google Authenticator for OATH OTP.
Configuring a Cloud Connector
Cloud connector configuration steps are outlined here. In short, the steps are as follows:
- In Cloud Manager, navigate to Settings > Network > Cloud Connectors.
- Click 'Add Cloud Connector'.
- Download the bits and run setup. All you need is the cloud connector component.
- Authorize the Cloud Connector following the steps in the wizard. Refer to the video playlist below for detailed steps.
There are 4 tasks to configure MFA for servers on the Cloud Manager side:
- Role Creation
  Create a role that has the 'Server Login and Privilege Elevation' right and contains the computer accounts that will require multi-factor authentication.
  Cloud Manager > Roles > New Role > [Rights and Members]
- Authentication Profile
  Create an authentication profile that specifies the MFA methods to be used.
  Cloud Manager > Settings > Authentication > Authentication Profiles
  Notes: It is important to make the distinction between step-up authentication and multi-factor authentication (the terms are sometimes used interchangeably). In addition to the login password challenge, an e-mail link delivered to your inbox qualifies as step-up, whereas Push MFA from a registered mobile device is a genuine second factor (something you have).
  Note that I've left out password and user-defined security question. Checking password will re-prompt the user for their AD password, and the answer to a security question is just another secret that can be obtained by social engineering.
- Set up an Authentication Profile for Server Suite Authentication
  Cloud Manager > Settings > Authentication Profiles > Server Suite Authentication
  For Centrify Express, only the Access Profile applies.
- Verification of Methods
  Make sure your users have the step-up methods populated in AD: if looking to provide step-up via e-mail, the user has to have a valid e-mail address; for a phone call, phone/mobile is required; for SMS, mobile is required.
This is a parameter-based configuration. As defined above, you need at least 4 parameters in the /etc/centrifydc/centrifydc.conf file:
After these changes, save your work and restart the centrifydc service.
Use adcdiag to check your work:
In my case, I just need to make sure that ChallengeResponse is enabled in sshd, since I'm using stock SSH.
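An added audit script (not Centrify tooling and not code from the original post) that checks a centrifydc.conf-style file for the four MFA parameters above and confirms that sshd_config keeps ChallengeResponseAuthentication enabled. The sample files it writes are constructed, the tenant URL is a placeholder, and the `key: value` syntax is assumed to match the file you are auditing.

```shell
#!/bin/sh
# Audit helper for the parameter-based MFA setup described in this article.
# Added example, not Centrify tooling: reads a centrifydc.conf-style file
# ("key: value" lines, '#' comments) and an sshd_config. Parameter names are
# from the article; sample values are constructed, tenant URL is a placeholder.

# conf_get FILE KEY: print the value of KEY (last occurrence wins, assumed).
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        { n = index($0, ":"); if (n == 0) next
          k = substr($0, 1, n - 1); v = substr($0, n + 1)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
          if (k == key) val = v }
        END { if (val != "") print val }' "$1"
}

# check_mfa_conf FILE: return 0 when MFA is enabled, points at an https tenant
# URL, names who gets challenged, and keeps a rescue user. A rescue user is the
# only way in when no tunnel to the MFA service exists, so its absence fails.
check_mfa_conf() {
    f=$1; rc=0
    [ "$(conf_get "$f" adclient.legacyzone.mfa.enabled)" = "true" ] ||
        { echo "adclient.legacyzone.mfa.enabled is not true"; rc=1; }
    case "$(conf_get "$f" adclient.legacyzone.mfa.cloudurl)" in
        https://*) ;;
        *) echo "adclient.legacyzone.mfa.cloudurl missing or not https"; rc=1 ;;
    esac
    if [ -z "$(conf_get "$f" adclient.legacyzone.mfa.required.groups)" ] &&
       [ -z "$(conf_get "$f" adclient.legacyzone.mfa.required.users)" ]; then
        echo "no adclient.legacyzone.mfa.required.groups/users: nobody is challenged"
        rc=1
    fi
    [ -n "$(conf_get "$f" adclient.legacyzone.mfa.rescue.users)" ] ||
        { echo "adclient.legacyzone.mfa.rescue.users empty: no break-glass login"; rc=1; }
    return $rc
}

# check_sshd_challenge SSHD_CONFIG: stock OpenSSH only relays the PAM MFA
# prompt when ChallengeResponseAuthentication is yes (its default); 0 if so.
check_sshd_challenge() {
    awk 'BEGIN { ok = 1 }
         /^[[:space:]]*#/ { next }
         tolower($1) == "challengeresponseauthentication" { ok = (tolower($2) == "yes") }
         END { exit (ok ? 0 : 1) }' "$1"
}

# write_samples DIR: constructed inputs so the script runs stand-alone.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
# constructed centrifydc.conf fragment with the four MFA parameters
adclient.legacyzone.mfa.enabled: true
adclient.legacyzone.mfa.cloudurl: https://TENANT-PLACEHOLDER.my.centrify.com/
adclient.legacyzone.mfa.required.groups: mfa-required-users
adclient.legacyzone.mfa.rescue.users: breakglass-admin
EOF
    cat > "$1/bad.conf" <<'EOF'
adclient.legacyzone.mfa.enabled: true
#adclient.legacyzone.mfa.required.groups: mfa-required-users
EOF
    printf 'ChallengeResponseAuthentication yes\n' > "$1/sshd_good"
    printf 'ChallengeResponseAuthentication no\n' > "$1/sshd_bad"
}

d=$(mktemp -d) && write_samples "$d"
check_mfa_conf "$d/good.conf" && echo "good.conf: OK"
check_mfa_conf "$d/bad.conf" || echo "bad.conf: FAIL"
rm -rf "$d"
```

Point `check_mfa_conf` at /etc/centrifydc/centrifydc.conf and `check_sshd_challenge` at /etc/ssh/sshd_config to audit a real host after the restart above.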
Verification
Device enrollment for Push MFA with Centrify's Mobile Authenticator
Push MFA enhances the experience and provides more meaningful information. This requires that the current policy allows the user to enroll an Android or iOS device.
OATH OTP (Google Authenticator, FreeOTP, Yubico Authenticator, Duo and more)
OATH OTP opens more possibilities with this open standard. Users are easy to onboard, and there are a variety of Authenticators that can be used.
Enhancements
For those using Centrify Standard Edition with classic zones or workstation mode, you can use GPOs (or DevOps tools) to manage the settings.
Centrify has also enhanced the documentation available for solutions like SecurID. Check out the Documentation Center.
Video Playlist