Many governmental and commercial organizations have adopted smart cards as their preferred method for multi-factor authentication. This post provides the configuration steps to enable smart card (certificate-based) authentication for Centrify Identity Service (CIS) or Centrify Privilege Service (CPS).
How it works
Generally, cryptographic credentials (user certificates) are stored on the smart card (PIV or CAC card) and the system has a dedicated reader. Upon successful authentication (certificate verified and PIN submitted), the operating system or application uses a standard protocol (such as Kerberos) or a one-time code to grant access to the system or application.
For example, Centrify Server Suite allows the use of Kerberos for SSO to applications like Secure Shell (SSH). DirectAuthorize can enforce whether a user is allowed to log in with a password or with Kerberos/GSSAPI only.
In the case of Identity Service and Privilege Service, we use a Centrify capability called Zero Sign-on (SZO). SZO provides a one-time token for authentication if the Authentication Profile that applies to the user is configured for certificate-based authentication. All the user needs to do is navigate to the CIS/CPS site, select the smart card certificate and enter the PIN.
This setup provides strong authentication to access Apps or for Privileged Identity Management scenarios.
What you'll need:
- An instance of Centrify Identity Service App+ or Privilege Service (CPS can be SaaS or On-Prem)
- Public Key Infrastructure (enterprise CA, revocation infrastructure, well-configured PKI clients) and an understanding of how the subject name is provisioned.
- A copy of the Certificate Chain (or Root CA) for your PKI infrastructure.
- A SmartCard or Yubikey configured for authentication into your environment.
This post contains instructions to set up a lab. See "Lab - Base Setup"
Strong Disclaimer: This is a PKI-related topic. You should always be working with your PKI SME with anything related to certificates, trust chains, revocations, etc.
The configuration depends on the deployment option of the service.
- Configuring the Root CA in Identity Service App+ or Privilege Service
- Configuring a Policy that allows for Integrated Windows Authentication
- Testing the configuration
- Appendix: Configure Privilege Service On-Premises CNAME and Zero Sign-on SSL Certificate
Configuring the Root CA in Identity Service App+ or Privilege Service (SaaS)
- Sign-in to Cloud Manager
- Go to Settings > Authentication > Certificate Authorities
Note: If you can't see the Certificate Authorities option, you're not running the App+ edition or in the case of Privilege Service on-premises, you have to perform the activation steps (see below).
- Press Add and complete the following information:
Name: descriptive name of the CA
Extract login name from: The options are
a) Principal Name from Subject Alternate Name
b) E-mail address field from Subject Alternate Name
c) Username from Subject
- Click Browse and select the location of the root CA certificate.
- If you are confident that you have a highly-distributed (internal and Internet-facing) certificate revocation infrastructure, check "Enable Client Certificate Revocation Check"; if you are not sure, leave the box unchecked for now.
Note: If you don't know what PKI certificate revocation is, it's time to find your in-house PKI expert and get him or her involved. This is a serious topic.
- Press Save
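Before uploading the root CA, it helps to see what each "Extract login name from" option would read out of a real user certificate and whether the certificate chains to that root with revocation checking on or off. The script below is an added example written for this post, not Centrify's code; the two file paths are placeholders, and the -CheckRevocation switch mirrors the "Enable Client Certificate Revocation Check" box.

```powershell
# Added example, not part of Centrify's product or this post's original content.
# Shows what the three "Extract login name from" options pull out of a smart card
# user certificate and checks that it chains to the root CA you are about to upload.
# Assumptions: the two paths below are placeholders for your exported certificates.
param(
    [string]$UserCertPath = 'C:\lab\smartcard-user.cer',  # hypothetical path
    [string]$RootCaPath   = 'C:\lab\corp-root-ca.cer',    # hypothetical path
    [switch]$CheckRevocation                              # like "Enable Client Certificate Revocation Check"
)

$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$X509.X509Certificate2" -ArgumentList $UserCertPath
$root = New-Object "$X509.X509Certificate2" -ArgumentList $RootCaPath

# The three login-name sources offered by Cloud Manager, read with .NET's own name
# parser: UpnName comes from the SAN "Principal Name" (otherName) entry, EmailName from
# the SAN rfc822Name (falling back to a subject E= attribute), SimpleName from the subject CN.
$loginNames = [ordered]@{
    'a) Principal Name from SAN' = $cert.GetNameInfo('UpnName',    $false)
    'b) E-mail address from SAN' = $cert.GetNameInfo('EmailName',  $false)
    'c) Username from Subject'   = $cert.GetNameInfo('SimpleName', $false)
}

# Enhanced Key Usage is worth eyeballing: a smart card logon certificate normally carries
# Client Authentication (1.3.6.1.5.5.7.3.2) and Smart Card Logon (1.3.6.1.4.1.311.20.2.2).
$eku      = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuNames = if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } } else { @() }

# Build the chain against the supplied root, with or without CRL/OCSP checking.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
# Let the build finish even if the root is not yet in the machine's trusted store,
# then verify explicitly that the chain terminates at *this* root and not some other one.
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$built          = $chain.Build($cert)
$lastElement    = $chain.ChainElements[$chain.ChainElements.Count - 1]
$anchoredAtRoot = $lastElement.Certificate.Thumbprint -eq $root.Thumbprint
$status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

[pscustomobject]@{
    Subject          = $cert.Subject
    LoginNameSources = $loginNames
    EnhancedKeyUsage = $ekuNames -join ', '
    ChainBuilt       = $built
    AnchoredAtRootCA = $anchoredAtRoot
    RevocationMode   = $chain.ChainPolicy.RevocationMode
    ChainStatus      = if ($status) { $status } else { 'NoError' }
}
```

Run it once without and once with -CheckRevocation from a machine that sits where your users sign in from. If the second run reports RevocationStatusUnknown or OfflineRevocation, the CRL/OCSP distribution points are not reachable from there, which is exactly the situation in which the revocation checkbox would start locking users out.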
Configuring a Policy that allows for Integrated Windows Authentication
- Sign-in to Cloud Manager
- Go to Policies > [Select your Test Policy] > Expand User Security Policies > Login Authentication
- Set the "Enable authentication policy controls" setting to Yes, if not selected.
- Scroll down to "Other Settings" and make sure that the "Allow IWA connections..." is checked. Then note the following:
Note: Certificate-based authentication bypasses the login authentication rules set up for that profile. The key settings are:
The first setting "Use certificates for authentication..." is the main switch. If you un-check this box, the users in scope for this policy won't be able to use smart cards for authentication. This bypasses any controls set under "Login Authentication" in the preceding section.
The second setting "Set identity cookie..." controls whether the cookie is set for the browser. I would not set this flag if you expect users to access via non-managed systems.
The third setting "Accept connections using certificate..." defines whether users logging in with smart cards or certificates are treated as "strongly-authenticated".
Make your selections based on your desired security posture.
- Press Save.
Testing your configuration
- Navigate to your Identity Service or Privilege Service URL
- Depending on how your browser is configured, one of the following pop-ups will come up:
- After selecting the Certificate on the Smart Card, you'll be prompted for the PIN:
- Once you type-in the PIN, you'll be redirected to the appropriate portal (User | Cloud Manager | Privilege Manager).
Quick Setup Video
Appendix 1: Enabling Certificate Authorities for Centrify Privilege Service (On-Premises)
Background: Centrify Privilege Service can be deployed on premises on a Windows Server 2012 R2 system. You need a CNAME record for the Zero Sign-On website and an X.509 certificate with that DNS name.
a) Set up a DNS CNAME record with the name hostname[zso].domain.name (the host name with "zso" appended) pointing to hostname.domain.name. E.g. if your system name is app1.corp.contoso.com, create a CNAME record for app1zso.corp.contoso.com and point it to the original host name.
b) You need an SSL certificate whose DNS name matches the SZO special host.
- Log in to the server hosting Centrify Privilege Service
- Open an administrative PowerShell and navigate to %ProgramFiles%\Centrify\Centrify Identity Platform\Scripts
- Run the setup_certauth.ps1 script. The program will ask if the prerequisites have been met.
- Confirm and you'll be prompted to provide the X.509 (SSL) certificate for the SZO site.
- Once completed, you can return to Cloud Manager and perform the steps outlined above in the: "Configuring the Root CA in Identity Service App+ or Privilege Service (SaaS)" section.
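Since setup_certauth.ps1 only asks you to confirm that the prerequisites are met, a pre-flight check that proves the CNAME resolves and that a machine certificate actually covers the ZSO name saves a failed run. The script below is an added example for this post, not Centrify's script; the host, zone and DNS server names follow the app1.corp.contoso.com example above and are placeholders, and the -CreateCname switch needs the DnsServer RSAT module and rights on the zone.

```powershell
# Added example, not Centrify's code. Pre-flight check for the two prerequisites
# setup_certauth.ps1 asks you to confirm: the CNAME for the Zero Sign-on host and a
# machine certificate that carries that DNS name. Run it on the Privilege Service server.
# Assumptions: the names below are placeholders modelled on the post's example.
param(
    [string]$HostName  = 'app1',                   # hypothetical server name
    [string]$ZoneName  = 'corp.contoso.com',       # hypothetical AD DNS zone
    [string]$DnsServer = 'dc1.corp.contoso.com',   # hypothetical DNS server
    [switch]$CreateCname                           # create the record instead of only checking it
)

$zsoName = "${HostName}zso.$ZoneName"
$target  = "$HostName.$ZoneName"

if ($CreateCname) {
    # Requires the DnsServer module (RSAT) and write access to the zone.
    Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name "${HostName}zso" -HostNameAlias $target
}

# 1) The CNAME must resolve to the original host name.
$cnameOk = $false
try {
    $rec = Resolve-DnsName -Name $zsoName -Type CNAME -Server $DnsServer -ErrorAction Stop
    $cnameOk = @($rec | Where-Object { $_.Type -eq 'CNAME' -and $_.NameHost -ieq $target }).Count -gt 0
} catch {
    $cnameOk = $false
}

# 2) A certificate in the machine store must cover the ZSO name (or be a wildcard for the
#    zone), be within its validity period and have its private key present.
$now = Get-Date
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $names = @($_.DnsNameList | ForEach-Object { $_.Unicode })
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($names -contains $zsoName -or $names -contains "*.$ZoneName")
}

[pscustomobject]@{
    ZsoHostName    = $zsoName
    CnameResolves  = $cnameOk
    MatchingCerts  = @($candidates).Count
    Thumbprints    = (@($candidates) | ForEach-Object { $_.Thumbprint }) -join ', '
    ReadyForScript = $cnameOk -and (@($candidates).Count -gt 0)
}
```

A certificate that is in the store but shows HasPrivateKey as false (for example one imported from a .cer instead of a .pfx) will not be listed, which is the most common reason the SZO site fails to come up after the script runs.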
Other Resources and Related Topics
Centrify's support for Derived Credentials:
- Blog: https://www.centrify.com/products/identity-service
Announcing a new series!!!
I recently got some YubiKeys from HQ (thanks @Peter); they provide all-in-one smart card (PIV) and OTP (OATH) capabilities, and they work great with Centrify products.
Here are the series links:
About the Series
This new series showcases our MFA Everywhere initiative; we'll be posting a series of HOWTO labs covering several scenarios:
Strong Authentication (PKI) Smart Card / Yubikey
- Leverage what you have: Active Directory, Microsoft CA, Group Policies
- Enforcing Smart Card access to UNIX/Linux/Mac systems (Windows systems support this natively)
- Use DirectAuthorize roles to limit access to strongly authenticated sessions
Strong Authentication for Windows Privilege Elevation
We already covered Access and Privilege Elevation For UNIX/Linux using Centrify MFA here: http://community.centrify.com/t5/Community-Tech-Bl
Strong Authentication (Smartcard/Yubikey) & OATH OTP access
- IdP Portal Access
- OnPrem or SaaS Application Access
- Privilege Portal Access
- Privilege Password Manager (Shared Account Password Manager)
- Privilege Session Manager (Jump Box)
Here's a quick overview/demo
Lab - Base Setup
The base setup is the prerequisite for all the Yubikey/SmartCard related labs.
What you'll need
- Active Directory with Certificate Services
- A domain joined member server with Centrify Server Suite 2016
- .NET 3.x features enabled
- RSAT features: Active Directory, Group Policy Management and Certificate Services tools
- One or two UNIX/Linux systems with Centrify Standard Edition 2016 (5.3+) (if testing UNIX/Linux)
- Access to Centrify Standard Edition installation files (evaluation or licensed)
- Yubikey PIV Manager (download link)
- Yubikey 4, NANO or NEO
- You need working knowledge of Active Directory and Centrify Zones
Tip: To set up a base configuration, you can build on the Microsoft Test Lab Guide.
Create Test Users and AD Group
On the member server
- Open Active Directory Users and Computers and navigate to your desired OU
- Right click and select New > User and follow the wizard until the user is created.
- Right click the newly-created user and select Properties. In the General tab, update the Email to match the user principal name, e.g. email@example.com, and press OK.
- Right click the OU and select New > Group and make it a Global/Security group. Call it "Smart Card Users"
- Right click the Group, select properties, go to the Members tab, press Add and add the user created in step 2.
- On the member server, grant the group or user the ability to log on remotely: Computer > Properties > Remote Settings > Remote Desktop > Select Users > Add > [select user or group], then press OK twice.
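The same user and group setup, done with the RSAT ActiveDirectory module that the prerequisites list, as an added example for this post rather than anything from the original. The OU, domain, user and group names are placeholders; the e-mail attribute is set to the UPN because the default Smart Card User template builds the subject from AD and expects that attribute to be populated.

```powershell
# Added example (not from the post): the "Create Test Users and AD Group" steps as
# PowerShell. Run on the member server with the RSAT ActiveDirectory module installed.
# Assumptions: OU, domain, user and group names below are placeholders.
param(
    [string]$OU            = 'OU=Lab,DC=corp,DC=contoso,DC=com',  # hypothetical OU
    [string]$UpnSuffix     = 'corp.contoso.com',                  # hypothetical UPN suffix
    [string]$Sam           = 'sctest1',                           # hypothetical test user
    [string]$GroupName     = 'Smart Card Users',
    [string]$NetbiosDomain = 'CORP'                               # hypothetical NetBIOS name
)
Import-Module ActiveDirectory

$upn = "$Sam@$UpnSuffix"

# Steps 2 and 3: create the user with Email equal to the UPN (idempotent).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName $upn -EmailAddress $upn `
        -Path $OU -AccountPassword (Read-Host -AsSecureString "Initial password for $Sam") -Enabled $true
}

# Steps 4 and 5: global security group and membership. The group's sAMAccountName
# defaults to its name, so the display name works as the identity below.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OU
}
Add-ADGroupMember -Identity $GroupName -Members $Sam

# Step 6: allow remote logon on this member server. net.exe is used because
# Add-LocalGroupMember does not exist on Windows Server 2012 R2.
& net localgroup 'Remote Desktop Users' "$NetbiosDomain\$GroupName" /add

# Read back what was created so the lab state is visible before moving on.
Get-ADUser -Identity $Sam -Properties EmailAddress, MemberOf |
    Select-Object SamAccountName, UserPrincipalName, EmailAddress,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', ' } }
```

If the UPN suffix in the output does not match the domain your PKI expects in the SAN, fix it here before enrolling; a certificate issued with the wrong principal name will chain fine but fail the "Principal Name from Subject Alternate Name" lookup later.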
Modify the Smart Card User template
- Open the Certification Authority console (Start > Search > Certification Authority)
If you get an error, retarget the console to the appropriate server (e.g. DC1)
- On the left pane, right click "Certificate Templates" and select Manage. This will open the Certificate Templates console.
- In the template list, right-click the SmartCard User template and select "Duplicate Template"
- In the General tab, give the template a descriptive name. I used "Smart card User V2" (this is the display name; the actual template name is SmartcardUserV2).
- Click on the Security tab, press Add, select the newly-created Smart Card Users group, check the Enroll and Autoenroll boxes, then press OK and close the Certificate Templates console.
Publish the Newly-Created Template
- In the Certification Authorities console, on the left pane, right click "Certificate Templates" and select New > Certificate Template to Issue
- Select the newly-created version of the Smart Card User template (e.g. Smart Card User v2) and press OK.
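Two things decide whether the Yubikey enrollment in the next section succeeds: the CA must actually issue the duplicated template, and the Smart Card Users group must hold the Enroll and Autoenroll extended rights on it. The check below is an added example for this post, not part of the original; the template name, group name and CA configuration string are placeholders, and the two extended-right GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment identifiers from the AD schema.

```powershell
# Added example (not from the post): confirm the duplicated template is published on the
# CA and that the lab group holds the Enroll and Autoenroll rights on it.
# Assumptions: template name, group name and CA config string below are placeholders.
param(
    [string]$TemplateName = 'SmartcardUserV2',               # template name, not the display name
    [string]$GroupName    = 'Smart Card Users',
    [string]$CaConfig     = 'dc1.corp.contoso.com\corp-DC1-CA' # hypothetical "host\CA name"
)
Import-Module ActiveDirectory

# 1) Published? certutil -CATemplates lists the templates the CA will issue, one per line,
#    as "<TemplateName>: <DisplayName> -- ...".
$issued    = & certutil -config $CaConfig -CATemplates 2>&1
$published = [bool]($issued | Select-String -Pattern "^$TemplateName\s*:")

# 2) ACL on the template object in the Configuration partition.
$cfg = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$acl = Get-Acl -Path "AD:\$dn"
$groupSid = (Get-ADGroup -Identity $GroupName).SID

# Well-known extended-right GUIDs: Certificate-Enrollment and Certificate-AutoEnrollment.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-91d2-00c04f79dc55'
$extendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Only Allow ACEs granted to our group, matched by SID so renames do not fool the check.
$groupAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
}
$hasEnroll     = [bool]($groupAces | Where-Object { $_.ObjectType -eq $enrollGuid     -and ($_.ActiveDirectoryRights -band $extendedRight) })
$hasAutoEnroll = [bool]($groupAces | Where-Object { $_.ObjectType -eq $autoEnrollGuid -and ($_.ActiveDirectoryRights -band $extendedRight) })

[pscustomobject]@{
    Template        = $TemplateName
    PublishedOnCA   = $published
    GroupHasEnroll  = $hasEnroll
    GroupHasAutoEnr = $hasAutoEnroll
    ReadyToEnroll   = $published -and $hasEnroll
}
```

Autoenroll is not strictly required for the manual PIV Manager enrollment, but Enroll is; a false in GroupHasEnroll usually means the Security tab edit was made on the original template instead of the duplicate.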
Provision the Smart Card User Certificate into your Yubikey
- Log on to your member system with the test user.
- Open the Yubikey PIV Manager tool as the test user (Shift + right click > Run as different user).
- If you're using a VM, connect the Yubikey to your virtual machine.
Note: If you're using VMware, you need to add the parameter below for the Yubikey to be available to your VM. Edit the .vmx file with your text editor while the VM is off and add:
usb.generic.allowHID = "TRUE"
- Initialize the Yubikey if brand new. Do not forget the PIN.
- In Yubikey PIV manager, press Certificates > Generate New Key and make sure you type the Certificate Template name (not the display name) and press OK.
- Type the PIN when challenged, and select your existing CA. In my case I use the non-HTTP link and press OK.
- To test the smart card authentication, either lock your screen or logoff. If you can unlock or login successfully, you should be ready for the next steps.
Lab Verification Video