MFA Role and Permission Check - FAIL

Participant II
Posts: 5
Registered: ‎10-13-2018
#1 of 2 249
Accepted Solution

MFA Role and Permission Check - FAIL


After installing the agent and restarting, it fails on these two items. What can it be? How do I correct it?


https://ibb.co/hejdWV


Agent Service Connectivity Check -- Success
The diagnostic check is running ...
Test passed (zone joined).


MFA Configuration Check -- Success
The diagnostic check is running ...
MFA is supported and compiles with the zone configuration.


Centrify Identity Platform Certificate Validation Check -- Success
The diagnostic check is running ...
The Identity Platform Certificate can be issued and is valid.

Property Information :
Identity Platform Instance : https://aax0611.my.centrify.com:443/
Is Identity Platform Certificate Valid : True
Identity Platform Instance Override : Not available
Centrify Connector Override : Not available
Proxy Server URL : Not available


Centrify Identity Platform Connectivity Check -- Success
The diagnostic check is running ...
The Identity Platform can communicate.


MFA Role and Permission Check -- Failure
The diagnostic check is running ...
The computer role is not set correctly in the Identity Platform.
You are not authorized to perform this operation. Please contact your IT helpdesk.


Centrify Connector Connectivity Check -- Failure
The diagnostic check is running ...
All Centrify connectors in the domain will be checked.

Centrify Connector (1 of 1): MeganFox.lindas.local
Centrify Connector test : Fail.
The computer role is not set correctly in the Identity Platform.
You are not authorized to perform this operation. Please contact your IT helpdesk.

Property Information :
FQDN : MeganFox.lindas.local
Tenant : https://aax0611.my.centrify.com/
Last Known Availability : Yes
Last Access Time : -
IWA Enabled : Yes
IWA HTTPS Port : 8443
Proxy Enabled : Yes
Proxy Server : MeganFox.lindas.local:8080
AD Site : Default-First-Site-Name

All Centrify connectors in the domain have been checked.

Endpoint Corporate Device Enrollment Check -- NotApplicable
The endpoint corporate enrollment diagnostic check is running ...
The enrollment is not allowed for the device's operating system.


Endpoint Personal Device Enrollment Check -- NotApplicable
The endpoint user enrollment diagnostic check is running ...
The enrollment is not allowed for the device's operating system.


Done.

Centrify Guru I
Posts: 2,349
Registered: ‎07-26-2012
#2 of 2 238

Re: MFA Role and Permission Check - FAIL


@TiagoToledo01,


Basic pre-requisites for MFA with Centrify (on Windows+UNIX+Linux)

  • PKI Trust:  system trusts the IWA root cert for the cloud instance - this deals with Encryption of the SPNEGO (IWA over HTTPS) channel.   [you passed]
    Centrify Identity Platform Certificate Validation Check -- Success
    The diagnostic check is running ...
    The Identity Platform Certificate can be issued and is valid.
  • Authentication + Authorization:  System should be able to authenticate to a connector (or directly) + be authorized to use the MFA APIs.  [you passed authentication, but failed authorization].
    MFA Role and Permission Check -- Failure
    The diagnostic check is running ...
    The computer role is not set correctly in the Identity Platform.
    You are not authorized to perform this operation. Please contact your IT helpdesk.
    
    Centrify Connector Connectivity Check -- Failure
    The diagnostic check is running ...
    All Centrify connectors in the domain will be checked.
    
    Centrify Connector (1 of 1): MeganFox.lindas.local
    Centrify Connector test : Fail.
    The computer role is not set correctly in the Identity Platform.

How to solve?

Add the computer object to a Centrify Identity Platform role that has the "Computer Login and Privilege Elevation" rights.

Typically what most organizations do is have an AD group, e.g. "Centrify MFA Computers", and systems are added to that group if their posture requires MFA (e.g. computers subject to PCI 3.2).  This can also be part of the system buildout post-installation tasks.


If you are testing, just search for computers and add directly to the CIP role.

Note:  If using an AD group in a large environment, you have to wait for replication of the membership, plus for the Centrify connector to pick up the change.


Additional info here:  https://community.centrify.com/t5/TechBlog/Howto-Spotting-and-Remediating-issues-with-PKI-Trust-on-M...


What NOT to do

Unfortunately, I've seen too many environments where (perhaps in the process of troubleshooting), the lead has nested the "Domain Computers" built-in role.  This is only acceptable if ALL systems are bound by MFA.  Computers are just like users and must be secured and least privilege has to be applied to them too.  No need for a system to be able to pass AuthN+AuthZ to the platform if this is not required.


R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
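Added example, not part of the thread or of Centrify's tooling: a small Python parser for the diagnostic output format quoted above that classifies each failed check by the layer the reply walks through (PKI trust, then authorization, then connector reach). The sample report and the connector name in it are constructed.

```python
import re

# Constructed sample in the same layout as the agent diagnostic output quoted in the thread
# (the connector name is a placeholder, not the one from the thread).
SAMPLE_REPORT = """\
Centrify Identity Platform Certificate Validation Check -- Success
The diagnostic check is running ...
The Identity Platform Certificate can be issued and is valid.

MFA Role and Permission Check -- Failure
The diagnostic check is running ...
The computer role is not set correctly in the Identity Platform.
You are not authorized to perform this operation. Please contact your IT helpdesk.

Centrify Connector Connectivity Check -- Failure
The diagnostic check is running ...
Centrify Connector (1 of 1): connector01.example.local
Centrify Connector test : Fail.
The computer role is not set correctly in the Identity Platform.
"""

# Each block starts with '<check name> -- <status>'.
HEADER = re.compile(r"^(?P<name>.+?) -- (?P<status>Success|Failure|NotApplicable)\s*$")

def parse_report(text):
    """Return [(name, status, [message lines])], dropping the 'is running' progress line."""
    checks = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            checks.append((m["name"], m["status"], []))
        elif checks and line.strip() and "diagnostic check is running" not in line:
            checks[-1][2].append(line.strip())
    return checks

def triage(checks):
    """Map each failed check to the layer that broke: pki-trust, authorization, or connectivity."""
    findings = {}
    for name, status, messages in checks:
        if status != "Failure":
            continue
        text = " ".join(messages)
        if "Certificate" in name:
            findings[name] = "pki-trust"          # system does not trust the cloud instance cert
        elif "not authorized" in text or "computer role is not set" in text:
            findings[name] = "authorization"      # computer object is missing the CIP role
        else:
            findings[name] = "connectivity"       # connector unreachable for some other reason
    return findings
```

Running `triage(parse_report(SAMPLE_REPORT))` attributes both failures in the thread's output to authorization, which is the reply's diagnosis: the connector test fails with the same "computer role is not set" message, not a network problem.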