[How To] - Windows MFA with Centrify Identity Platform


By JChow on 01-20-2017 09:09 AM - last edited 05-23-2018 09:20 AM

Multi-factor authentication (MFA) at OS login provides an extra layer of protection and helps to meet compliance for regulations such as PCI DSS 3.2, NIST 800-171, 23 NYCRR 500, and more. Centrify enables MFA when logging into Windows locally or remotely via RDP.


Screenshot 2017-06-14 12.10.43.png


Using lightweight agent-based technology, workstations can be secured with multi-factor authentication. Options such as email, telephone call, text, security question and tools that support OATH (Google Authenticator) or RADIUS (RSA key fobs) can be used by a user to confirm their identity. When a device has no internet connection, offline mode can still be used to secure access to the workstation with multi-factor authentication.


Architecture Diagram

Screenshot 2017-06-14 12.17.42.png


This guide is a basic demonstration of how easy it is to set up multi-factor authentication for the following use cases.


   - MFA at interactive login

   - MFA on RDP access

   - MFA on screen saver unlock

   - MFA in offline mode


Configuration time ~ 1 hour



Prerequisites

1) Centrify Application Service license

2) Domain joined Windows machine

3) Centrify Connector

4) Integrated Windows Authentication (IWA)




Install Centrify Connector

Install the Centrify Connector on a domain joined Windows server by following this guide:  http://community.centrify.com/t5/TechBlog/How-To-Installing-the-Centrify-Connector/ba-p/27840


Integrated Windows Authentication (IWA) Setup

Integrated Windows Authentication (IWA) is required for multi-factor authentication. IWA requires you to have a port available for secure HTTP (HTTPS) communication and a trusted certificate for mutual authentication between the connector and the authentication server. To use the IWA service over an HTTPS-enabled port, you must either download a host certificate issued by Centrify or upload a host certificate issued by a certificate authority that is trusted by your organization.


1) For purposes of this guide, navigate to your Centrify Connector and select the 'IWA Services' menu. Click the 'Download your IWA root CA certificate' link. 


Screenshot 2017-09-16 17.54.19.png


2) There are two options to deploy the certificate. (1) Install the certificate to the 'Trusted Root Certificate Authorities' store locally on the machine or (2) use group policy to distribute the certificate file as a trusted root certificate to other computers. For purposes of this guide, we will illustrate how to install the certificate to the local machine's 'Trusted Root Certificate Authorities' store. To begin, double click on the certificate on the desktop and click 'Install'. 


Screenshot 2017-09-16 16.31.46.png



3) Choose the 'Local Machine' to install the certificate on the local workstation, then click 'Next' to continue. 

Screenshot 2017-09-16 16.31.56.png


4) Choose the 'Trusted Root Certification Authorities' folder for the certificate. Click 'Next' to continue. 


Screenshot 2017-09-16 16.32.14.png


5) Confirm the installation, then click 'Finish' to continue.

Screenshot 2017-09-16 16.32.25.png


6) Click 'OK' to complete the installation. 


Screenshot 2017-09-16 16.32.40.png
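The same local install as steps 2-6, done from an elevated PowerShell prompt so it can be scripted and verified; this is an added example, not from the original article, and the certificate file name and path are assumptions.

```powershell
# Added example (not part of the original article): import the downloaded IWA root CA
# certificate into the Local Machine 'Trusted Root Certification Authorities' store
# (the store chosen in step 4) and confirm it is present. Run from an elevated prompt.
$certPath = 'C:\Users\Administrator\Desktop\iwa-root-ca.cer'   # assumption: where the file was saved

# Load the certificate first so the subject and thumbprint can be reviewed before trusting it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
Write-Host "Subject:    $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Expires:    $($cert.NotAfter)"

# LocalMachine\Root is the machine-wide trusted root store; CurrentUser\Root would only
# trust the certificate for the account running this script, not for the connector.
Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Verify by thumbprint rather than by subject name, so a look-alike certificate is not mistaken for it.
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) {
    "Installed in LocalMachine\Root: $($installed.Subject)"
} else {
    throw "Certificate $($cert.Thumbprint) not found in Cert:\LocalMachine\Root"
}
```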



Let's get started!



1) Logged in as administrator to your Centrify Application Service console, start by creating a Centrify role. This role will contain the Windows workstations you want to enforce multi-factor authentication on.


Screenshot 2017-09-16 16.57.28.png



2) Add the workstations you want to enforce multi-factor authentication on by searching for the resource and clicking 'Add'. 


2 - adding desktop.png


3) Under 'Administrative Rights', assign the Centrify role the "Computer Login and Privilege Elevation" right. This allows the service to deliver a multi-factor authentication profile (created in the next step), to the workstations you've added to the role.  


Screenshot 2017-09-16 16.59.10.png



4) Next, create an 'Authentication Profile' that contains the available factors that are appropriate for users to authenticate with.


Screenshot 2017-09-16 17.01.58.png



5) Assign the 'Authentication Profile' to the 'Authentication Policy for Windows Workstations' within the 'Policies' menu. 


Screen Shot 2018-01-18 at 11.35.27 AM.png




6) Next, select 'Downloads' from the left column and download the Centrify Agent for Windows.




7) Install the Centrify agent on each workstation you would like to enforce multi-factor authentication on. Note: The workstation must exist within a Centrify role for the Centrify Application Service solution to deliver the multi-factor authentication profile to the machine (refer to step 2). 


Screenshot 2017-09-16 08.37.43.png



9) Review and accept the Centrify End-User License Agreement.


Screenshot 2017-09-16 08.37.54.png



10) Select the location for the Centrify Agent to install, then click 'Next'. 


Screenshot 2017-09-16 08.38.05.png



11) Click 'Install' to begin installation of the Centrify agent. 


Screenshot 2017-09-16 08.38.18.png


12) Ensure the 'Run Agent Configuration Wizard' is selected, then click 'Finish' to continue. 


Screenshot 2017-09-16 08.39.09.png



13) When the configuration wizard appears, choose the 'Centrify Identity Services Platform' option. This option enrolls the workstation with Centrify, which makes services such as multi-factor authentication at workstation login available.


Screenshot 2017-09-16 16.27.29.png


14) Select the Centrify tenant for the device to enroll to. The authentication profile created in Steps 1-5 in this guide will be enforced on the workstation during login. 


Screenshot 2017-09-16 16.27.58.png


15) To enforce multi-factor authentication for Windows login, ensure the option 'Enable multi-factor authentication on Windows login' is selected. Additionally, you have the option of enforcing multi-factor authentication for all Active Directory accounts that log in to the workstation or for specific accounts. For purposes of this guide, the 'All Active Directory accounts' option will be used. Click 'Next' to continue.


Screenshot 2017-09-16 16.28.34.png

Note: For multi-factor authentication at Windows login, the workstation must be enrolled to the Centrify platform. During enrollment, a Centrify certificate is deployed to the machine to ensure secure communication between the Centrify connector and the authentication server. If the device is not enrolled, the following prompt will appear. Refer to the 'Integrated Windows Authentication (IWA) Setup' section above for setting up IWA.


Screenshot 2017-09-16 16.29.19.png


16) Click 'Finish' to complete the configuration wizard setup. 


12 - install 7.png


17) You will be prompted to restart the workstation. Choose 'Yes' to continue. 


13 - install 8.png



18) Upon restart, log in to the workstation. During login, you will now see a drop-down with the multi-factor authentication options required for login. Log in to the machine with one of the factors.


Note: The user must have the corresponding attributes in their user profile for an option to be available to them during login. For example, if a user does not have a telephone number in their Active Directory profile and telephone number is selected as one of the available factors, the telephone option will not be displayed to the user in the drop-down.


14 - login MFA.png
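A pre-deployment check for the note above: list enabled Active Directory users whose profile lacks the email or phone attributes that those factors depend on. This is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module is available and that the attribute-to-factor mapping shown in the comments matches the profile you configured.

```powershell
# Added example (not from the original article): find users who would see no email or
# phone factor in the login drop-down because the attribute is empty in Active Directory.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read user objects.
Import-Module ActiveDirectory

# Assumed mapping: mail -> email factor; telephoneNumber or mobile -> call/text factors.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, telephoneNumber, mobile

$report = foreach ($u in $users) {
    $hasPhone = -not ([string]::IsNullOrWhiteSpace($u.telephoneNumber) -and
                      [string]::IsNullOrWhiteSpace($u.mobile))
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        HasEmail       = -not [string]::IsNullOrWhiteSpace($u.mail)
        HasPhone       = $hasPhone
    }
}

# Users with neither attribute cannot complete MFA with the email, call or text factors;
# fix the directory data (or add an OATH factor to the profile) before enrolling their workstations.
$noFactors = @($report | Where-Object { -not $_.HasEmail -and -not $_.HasPhone })
$noFactors | Format-Table -AutoSize
"{0} of {1} enabled users have neither an email nor a phone attribute set" -f $noFactors.Count, @($report).Count
```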


19) After logging into the workstation, 'Setup Centrify Offline Passcode' will display. This allows a user to successfully authenticate, with multi-factor authentication, to the workstation when the machine is offline. Click 'Click here to create your offline passcode'.



15 - offline mode.png


20) Click 'Next' to set up offline mode.


16 - offline mode setup.png


21) The Centrify mobile application can be used to create a passcode for offline mode. More generally, any utility that supports OATH can be used to set up your passcode, so you can use whichever such utility your organization already prefers. Examples of such utilities are the Centrify mobile app and Google Authenticator.


17 - offline code setup.png


22) Click 'Finish' to complete the offline passcode setup. 


18 - offline code finish.png


23) Test the offline mode by taking the workstation offline and using the offline passcode to log back into the machine. 


19 - offline mode login.png




This guide is intended to demonstrate the steps required for enforcing multi-factor authentication on Windows workstations using the Centrify Identity Service solution. Centrify strongly encourages reviewing the deployment and administrative guides, and testing the solution, prior to enterprise deployment.


We hope this guide was helpful and welcome questions you may have in this thread. 



