MFA is disabled after silent install using mst

Participant II
Posts: 2
Registered: 3 weeks ago
#1 of 3 194
Accepted Solution

MFA is disabled after silent install using mst

Hello,

We are working on getting a deployment package together for silently deploying and configuring Identity Services on workstations. I used this as a reference:

https://community.centrify.com/t5/TechBlog/HOWTO-Silently-Install-Centrify-Agent-for-Windows-using-m...

I am able to deploy this package with transforms to a workstation. When I check the Agent settings, I see the Identity Services under the Enabled Services section. When I check the settings, I see the correct Instance set. The certificate is installed. The AD groups are configured correctly. However, I never get prompted for 2FA. When I go to the Troubleshooting tab on the agent and click Diagnostics, I see a Warning on MFA saying MFA is disabled. We do not use zones currently.

This only happens when I deploy the package. If I use the installer and click through, everything works as intended. It seems as though MFA is not getting enabled from the MST for some reason.

Any feedback would be appreciated.

Thanks,

Justus

Centrify Guru I
Posts: 2,295
Registered: ‎07-26-2012
#2 of 3 185

Re: MFA is disabled after silent install using mst

[ Edited ]

Hello @jniemeyer and welcome to the Centrify community.

Looks like you're on the right track, only a few steps away from getting this completed.

Also, FYI, there's an enhanced article here: https://community.centrify.com/t5/TechBlog/HOWTO-Silently-install-the-Centrify-Agent-for-Windows-usi...

Here is a summary of the minimum GPOs that need to be configured for this to work as expected:

  • Specify the platform URL to use: The cloud or on-premises instance to use (this is the one that we set with PKI trust earlier). Use the default URL, e.g. https://abb00540.my.centrify.com:443/ (not the vanity URL).

    Based on your feedback, it looks like this is set.

  • Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone: This is required to enable MFA.

    Based on your feedback from the diagnostics tool output, this GPO may not be enabled. Please make sure you enable this GPO and do a gpupdate /force after the change has replicated.

  • Specify the Active Directory users that require multi-factor authentication on Windows login when the agent is not joined to a zone: This is required if enabling MFA for all or specific users.

    If you set up this GPO correctly, the users or groups specified in this GPO will be required to sign in with MFA.
    We recommend that you start your deployment, and as you add users to the MFA-challenged group, make sure that they onboard their offline passcode.

Please let us know your findings.

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
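The two policies named in the reply above can be verified on the workstation itself once the package has been pushed. The PowerShell script below is an added example, not code from this thread or from Centrify: it runs the MSI silently with the transform, refreshes Group Policy as the reply recommends, exports the resultant policy report with gpresult, and checks that both MFA policy names appear in it. The MSI, MST and log paths are placeholders, and the policy display names are assumed to be written into the gpresult report exactly as they appear in the reply.

```powershell
# Added example (not the thread's or Centrify's own code): silent install with
# an MST, policy refresh, then a check that the two MFA GPOs have actually
# reached this workstation. Paths below are placeholders for your own package.
param(
    [string]$Msi = 'C:\Deploy\CentrifyAgent.msi',           # placeholder path
    [string]$Mst = 'C:\Deploy\CentrifyAgent.mst',           # placeholder path
    [string]$Log = 'C:\Deploy\CentrifyAgent-install.log'    # placeholder path
)

# 1. Silent install with the transform applied. msiexec returns 0 on success
#    and 3010 when the install succeeded but a reboot is pending.
$msiArgs = @('/i', "`"$Msi`"", "TRANSFORMS=`"$Mst`"", '/qn', '/norestart', '/l*v', "`"$Log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $Log"
}

# 2. Pull current policy, as the reply suggests after the GPO change has replicated.
gpupdate /force | Out-Null

# 3. Export the resultant set of policy to HTML and search it for the two
#    policy display names quoted in the reply above.
$report = Join-Path $env:TEMP 'rsop.html'
gpresult /h $report /f | Out-Null
$html = Get-Content -Path $report -Raw

$required = @(
    'Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone',
    'Specify the Active Directory users that require multi-factor authentication on Windows login when the agent is not joined to a zone'
)

$missing = $required | Where-Object { $html -notmatch [regex]::Escape($_) }
if ($missing) {
    Write-Warning "Applied policy does not contain:`n - $($missing -join "`n - ")"
    Write-Warning 'MFA stays disabled until these GPOs apply to this workstation.'
    exit 1
}
Write-Output 'Both MFA policies are present in the applied policy; the agent diagnostics should no longer warn that MFA is disabled.'
```

Run it elevated on a test workstation after the GPO change has replicated. The check only confirms that the policies reached the machine; a policy that is linked but left in the Disabled state still appears in the report, so the agent's Troubleshooting > Diagnostics output described in the question remains the final word on whether MFA is actually on.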
Participant II
Posts: 2
Registered: 3 weeks ago
#3 of 3 168

Re: MFA is disabled after silent install using mst

Thanks Roberson!

I did confirm that the GPO was not set, and you were correct. From the link you sent:

    • The first one "turns on" MFA: Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone, usually set to "enabled."
    • The second one, Specify Active Directory users that require multi-factor authentication on Windows login (when the agent is not joined to a zone), is populated with the users or groups that contain users to be challenged for MFA.

Neither of those settings was configured. Once I configured them, I got prompted for MFA. Thank you very much!