Thank you for choosing Centrify!
Centrify would like to share another feature: multi-factor authentication on Windows workstation login. With the Centrify Identity Service solution, you can enforce multi-factor authentication for users attempting to access Windows workstations, with second-factor options such as telephone call, email and Centrify's mobile authenticator (TOTP) utility. The solution works in both online and offline mode, so workstations disconnected from the internet can still require multi-factor authentication at login.
This guide is a basic demonstration of how to set up multi-factor authentication for the following use cases:
- MFA at interactive login
- MFA on RDP access
- MFA on screen saver unlock
- MFA in offline mode
Configuration time: ~1 hour
Prerequisites:
1) Centrify Identity Service license
2) Domain-joined Windows machine
Let's get started!
1) Logged in as administrator to your Centrify Identity Service console, start by creating a Centrify role. This role will contain the Windows workstations you want to enforce multi-factor authentication on.
2) Add the workstations you want to enforce multi-factor authentication on by searching for the resource and clicking 'Add'.
3) Under 'Administrative Rights', assign the Centrify role the "Computer Login and Privilege Elevation" right. This allows the service to deliver a multi-factor authentication profile (created in the next step), to the workstations you've added to the role.
4) Next, create an 'Authentication Profile' that contains the factors users are permitted to authenticate with.
5) Assign the 'Authentication Profile' to the 'Login Authentication Profile' and 'Privilege Elevation Authentication Profile' fields.
6) Next, download the Centrify agent from the 'Downloads' dropdown within the Centrify Administrator's portal.
7) Download the 'Centrify Agent for Windows' .msi file.
8) Install the Centrify agent on each workstation you would like to enforce multi-factor authentication on. Note: The workstation must exist within a Centrify role for the Centrify Identity Service solution to deliver the multi-factor authentication profile to the machine (refer to step 2).
9) Review and accept the Centrify End-User License Agreement.
10) The Centrify agent can be enabled with 'Audit', a feature that records sessions for later playback. If you have purchased the audit feature, you can enable it in addition to the default 'Access' option. If you do not have the audit feature, keep the default settings and click 'Next'.
11) Once the installation is completed in step 10, click 'Next' to continue setup of the agent on the workstation/server.
12) The following step is applicable if you are using Centrify Server Suite, designed for securing privileges and requiring multi-factor authentication at server logins or privilege elevation. If you are a Server Suite user, the following post will guide you through configurations at this step http://community.centrify.com/t5/TechBlog/HowTo-Co
For purposes of this guide, keep the default settings by leaving the 'Join to a Zone' unchecked and click 'Next' to continue.
13) Ensure that the 'Enable multi-factor authentication on Windows login' option is selected. You also have the option of enforcing multi-factor authentication for all Active Directory users or only for selected Active Directory users logging into the machine. Click 'Next' to continue.
14) Click 'Finish' to complete the installation and setup.
15) A restart is required to complete installation and setup of the service.
16) Upon restart, log in to the workstation. During login, you will now see a drop-down with the multi-factor authentication options required for login. Log in to the machine with one of the factors.
Note: The user must have the corresponding attributes in their user profile for an option to be offered to them at login. For example, if telephone call is selected as one of the available factors but a user has no telephone number in their Active Directory profile, the telephone option will not be displayed to that user in the drop-down.
17) After logging into the workstation, 'Setup Centrify Offline Passcode' will be displayed. This allows a user to authenticate successfully, with multi-factor authentication, to the workstation when the machine is offline. Click the 'Click here to create your offline passcode' link.
18) Click 'Next' to set up offline mode.
19) The Centrify mobile application can be used to generate the passcode for offline mode. More generally, any utility that supports OATH can be used, so you can set up the passcode with whichever such utility your organization already prefers. Examples are the Centrify mobile app and Google Authenticator.
20) Click 'Finish' to complete the offline passcode setup.
21) Test the offline mode by taking the workstation offline and using the offline passcode to log back into the machine.
This guide is intended to demonstrate the steps required for enforcing multi-factor authentication on Windows workstations using the Centrify Identity Service solution. Centrify strongly encourages reviewing the deployment and administrative guides and testing the solution prior to enterprise deployment.
We hope this guide was helpful and welcome questions you may have in this thread.