[How To] Basic Windows MFA with Centrify Identity Service Guide

By Centrify Contributor III on ‎01-20-2017 09:09 AM - last edited ‎01-23-2017 10:26 AM

Thank you for choosing Centrify!


Centrify would like to share another feature: multi-factor authentication on Windows workstation login. With the Centrify Identity Service solution, you can enforce multi-factor authentication to users attempting to access Windows workstations, with 2-factor options such as telephone call, email and Centrify's mobile authenticator (TOTP) utility. The solution works in both an online and offline mode, so workstations disconnected from the internet are also able to authenticate with multi-factor authentication to their machine. 


This guide is a basic demonstration of how to setup multi-factor authentication for the following use cases. 


   - MFA at interative login

   - MFA on RDP access

   - MFA on screen saver unlock

   - MFA in offline mode


Configuration time ~ 1 hour



1) Centrify Identity Service license

2) Domain joined Windows machine


Lets get started!


1) Logged in as administrator to your Centrify Identity Service console, start by creating a Centrify role. This role will contain the Windows workstations you want to enforce multi-factor authentication on.


1 - create centrify role.png


2) Add the workstations you want to enforce multi-factor authentication on by searching for the resource and clicking 'Add'. 


2 - adding desktop.png


3) Under 'Administrative Rights', assign the Centrify role the "Computer Login and Privilege Elevation" right. This allows the service to deliver a multi-factor authentication profile (created in the next step), to the workstations you've added to the role.  


3 - administrative right.png


4) Next, create an 'Authentication Profiles' that contains the available factors that are appropriate for users to authenticate with. 


3.1 - authentication profile.png


5) Assign the 'Authentication Profile' to the 'Login Authentication Profile' and 'Privilege Elevation Authentication Profile' fields. 



3.1 - authentication enforcement.png


6) Next, download the Centrify agent from the 'Downloads' dropdown within the Centrify Administrator's portal. 


4 - downloads.png


7) Download the 'Centrify Agent for Windows' .msi file. 


5 - download agent.png


8) Install the Centrify agent on each workstation you would like to enforce multi-factor authentication on. Note: The workstation must exist within a Centrify role for the Centrify Identity Service solution to deliver the multi-factor authentication profile to the machine (refer to step 2). 


6 - install 1.png


9) Review and accept the Centrify End-User License Agreement.


7 - install 2 eula.png


10) The Centrify agent can be enabled with 'Audit'; a feature that allows for recording of sessions for future playback. If you have purchased the audit feature, you can enable this feature in addition to the default 'Access' option. If you do not have the audit feature, keep the default settings and click 'Next'. 


8 - install 3.png


11) Once the installation is completed in step 10, click 'Next' to continue setup of the agent on the workstation/server. 


9 - install 4.png


12) The following step is applicable if you are using Centrify Server Suite, designed for securing privileges and requiring multi-factor authentication at server logins or privilege elevation. If you are a Server Suite user, the following post will guide you through configurations at this step http://community.centrify.com/t5/TechBlog/HowTo-Configuring-MFA-for-Windows-Login/ba-p/26126


For purposes of this guide, keep the default settings by leaving the 'Join to a Zone' unchecked and click 'Next' to continue.  


10 - install 5.png


13) Ensure that the 'Enable multi-factor authentication on Windows login' is selected. You also have the option of enforcing multi-factor authentication for all active directory users or selectd active directory users logging into the machine. Click 'Next' to continue. 


11 - install 6.png


14) Click 'Finish' to complete the installation and setup. 


12 - install 7.png


15) A restart is required to complete installation and setup of the service. 


13 - install 8.png


16) Upon restart, login to the workstation. During login, you will now see a drop down with the multi-factor authentication options required for login. Login to the machine with one of the factors. 


Note: The user must have the available attributes in their user profile for the option to be available to them during login. For example, if a user does not have a telephone number in their active directory profile, and the telephone number is selected as one of the available factors, the telephone option will not be displayed to the user in the drop down. 


14 - login MFA.png


17) After logging into the workstation, 'Setup Centrify Offline Passcode' will display. This allows a user to successfully authenticate, with multi-factor authentication, to the workstation when the machine is offline. Click on the 'Click here to create your offline passcode'. 



15 - offline mode.png


18) Click 'Next' to setup offline mode. 


16 - offline mode setup.png


19) The Centrify mobile application can be leveraged for the creation of a passcode for offline mode. More generally, you can use utilities that supports OATH to also setup your passcode using existing utilities of preference in your organization. Examples of such utilities are the Centrify mobile app and Google Authenticator. 


17 - offline code setup.png


20) Click 'Finish' to complete the offline passcode setup. 


18 - offline code finish.png


21) Test the offline mode by taking the workstation offline and using the offline passcode to log back into the machine. 


19 - offline mode login.png


The following guide is intended to demonstrate the steps required for enforcing multi-factor authentication on Windows workstations using the Centrify Identity Service solution. Centrify strongly encourages deployment and administrative guides along with testing the solution prior to enterprise deployments.


We hope this guide was helpful and welcome questions you may have in this thread. 




Showing results for 
Search instead for 
Do you mean 

Community Control Panel