
[How To] - Windows MFA with Centrify Identity Service


By Centrify Contributor III on ‎01-20-2017 09:09 AM - last edited yesterday

Do you need to secure workstations with multi-factor authentication?


Screenshot 2017-06-14 12.10.43.png


Using a lightweight, agent-based approach, workstations can be secured with multi-factor authentication. Factors such as email, telephone call, text message, security question, and tools that support OATH (for example Google Authenticator) or RADIUS (for example RSA key fobs) can be used by a user to confirm their identity. When a device has no internet connection, offline mode can still be used to secure access to the workstation with multi-factor authentication.


Architecture Diagram

Screenshot 2017-06-14 12.17.42.png


This guide is a basic demonstration of how easy it is to set up multi-factor authentication for the following use cases.


   - MFA at interactive login

   - MFA on RDP access

   - MFA on screen saver unlock

   - MFA in offline mode


Configuration time ~ 1 hour


What you will need:

1) Centrify Identity Service license

2) Domain-joined Windows machine

3) Centrify Connector


Let's get started!



Before you begin, install the Centrify Connector on a domain-joined Windows server by following this guide: http://community.centrify.com/t5/TechBlog/How-To-Installing-the-Centrify-Connector/ba-p/27840


1) Log in to your Centrify Identity Service console as an administrator and start by creating a Centrify role. This role will contain the Windows workstations you want to enforce multi-factor authentication on.


1 - create centrify role.png


2) Add the workstations you want to enforce multi-factor authentication on by searching for the resource and clicking 'Add'. 


2 - adding desktop.png


3) Under 'Administrative Rights', assign the Centrify role the "Computer Login and Privilege Elevation" right. This allows the service to deliver a multi-factor authentication profile (created in the next step) to the workstations you have added to the role.


3 - administrative right.png


4) Next, create an 'Authentication Profile' that contains the factors users are allowed to authenticate with.


3.1 - authentication profile.png


5) Assign the 'Authentication Profile' to the 'Login Authentication Profile' and 'Privilege Elevation Authentication Profile' fields. 



3.1 - authentication enforcement.png


6) Next, download the Centrify agent from the 'Downloads' dropdown within the Centrify Administrator's portal. 


4 - downloads.png


7) Download the 'Centrify Agent for Windows' .msi file. 


5 - download agent.png


8) Install the Centrify agent on each workstation you would like to enforce multi-factor authentication on. Note: The workstation must be a member of a Centrify role for the Centrify Identity Service to deliver the multi-factor authentication profile to the machine (refer to step 2).


6 - install 1.png


9) Review and accept the Centrify End-User License Agreement.


7 - install 2 eula.png


10) The Centrify agent can be installed with 'Audit', a feature that records sessions for later playback. If you have purchased the audit feature, you can enable it in addition to the default 'Access' option. If you do not have the audit feature, keep the default settings and click 'Next'.


8 - install 3.png


11) Once the installation is completed in step 10, click 'Next' to continue setup of the agent on the workstation/server. 


9 - install 4.png


12) The following step applies if you are using Centrify Server Suite, which is designed for securing privileges and requiring multi-factor authentication at server login or privilege elevation. If you are a Server Suite user, this post will guide you through the configuration at this step: http://community.centrify.com/t5/TechBlog/HowTo-Configuring-MFA-for-Windows-Login/ba-p/26126


For the purposes of this guide, keep the default settings by leaving 'Join to a Zone' unchecked, and click 'Next' to continue.


10 - install 5.png


13) Ensure that 'Enable multi-factor authentication on Windows login' is selected. You also have the option of enforcing multi-factor authentication for all Active Directory users or only for selected Active Directory users logging into the machine. Click 'Next' to continue.


11 - install 6.png


14) Click 'Finish' to complete the installation and setup. 


12 - install 7.png


15) A restart is required to complete installation and setup of the service. 


13 - install 8.png


16) After the restart, log in to the workstation. During login you will now see a drop-down with the multi-factor authentication options required for login. Log in to the machine with one of the factors.


Note: The user must have the corresponding attributes in their user profile for an option to be offered to them at login. For example, if a user has no telephone number in their Active Directory profile and telephone call is one of the configured factors, the telephone option will not be displayed to that user in the drop-down.


14 - login MFA.png


17) After logging into the workstation, 'Setup Centrify Offline Passcode' will be displayed. This allows a user to authenticate to the workstation with multi-factor authentication when the machine is offline. Click 'Click here to create your offline passcode'.



15 - offline mode.png


18) Click 'Next' to set up offline mode.


16 - offline mode setup.png


19) The Centrify mobile application can be used to generate the passcode for offline mode. More generally, any utility that supports OATH can be used, so you can set up your passcode with whichever such utility your organization already prefers. Examples are the Centrify mobile app and Google Authenticator.


17 - offline code setup.png


20) Click 'Finish' to complete the offline passcode setup. 


18 - offline code finish.png


21) Test the offline mode by taking the workstation offline and using the offline passcode to log back into the machine. 


19 - offline mode login.png
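The offline passcode in steps 17 to 21 is an OATH time-based one-time password, the same algorithm (RFC 6238 TOTP) that Google Authenticator and similar apps implement, which is why the workstation can verify it with no network path to the service. The following is an added illustration of that algorithm, not Centrify's code; the sample seed, the 30-second step, six digits and the one-step clock-skew window are assumptions, and the seed is the RFC 6238 reference value so the codes can be checked against the published test vectors.

```python
"""Illustration of the OATH TOTP algorithm (RFC 6238) behind an offline
passcode. Added example; not Centrify's implementation. Seed, step size,
digit count and skew window are assumptions."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 reference seed "12345678901234567890"
# encoded in base32, the form an authenticator app is usually enrolled with.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


def verify_offline_passcode(secret_b32: str, candidate: str, at: int,
                            step: int = 30, digits: int = 6,
                            skew: int = 1) -> bool:
    """Local verification as an offline verifier does it: the enrolled seed
    cached on the machine is sufficient, no network is needed. A window of
    +/- `skew` steps tolerates clock drift between workstation and phone.
    The comparison is constant-time so it does not leak matching digits."""
    for delta in range(-skew, skew + 1):
        expected = hotp(secret_b32, at // step + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for the sample seed right now:", totp(SAMPLE_SECRET_B32, now))
```

Because the seed lives on the workstation, the same seed that is enrolled in the authenticator app, the passcode only proves possession of that enrolled device; it does not replace the online factors configured in step 4.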


This guide is intended to demonstrate the steps required to enforce multi-factor authentication on Windows workstations using the Centrify Identity Service. Centrify strongly encourages reviewing the deployment and administrative guides, and testing the solution, prior to enterprise deployment.


We hope this guide was helpful and welcome questions you may have in this thread. 

