Multi-factor authentication (MFA) at OS login provides an extra layer of protection and helps to meet compliance for regulations such as PCI DSS 3.2, NIST 800-171, 23 NYCRR 500, and more. Centrify enables MFA when logging into Windows locally or remotely via RDP.
Using lightweight agent based technology, workstations can be secured with multi-factor authentication. Options such as email, telephone call, text, security question and tools that support OATH (Google Authenticator) or RADIUS (RSA key fobs) can be leveraged by a user to confirm their identity. When a device does not have a connection to the internet, offline mode can still be used to secure access, with multi-factor authentication, to the workstation.
This guide is a basic demonstration of how easy it is to set up multi-factor authentication for the following use cases.
- MFA at interactive login
- MFA on RDP access
- MFA on screen saver unlock
- MFA in offline mode
Configuration time: ~1 hour
Prerequisites
1) Centrify Application Service license
2) Domain joined Windows machine
3) Centrify Connector
4) Integrated Windows Authentication (IWA)
Install Centrify Connector
Install the Centrify Connector on a domain joined Windows server by following this guide: http://community.centrify.com/t5/TechBlog/How-To-Installing-the-Centrify-Connector/ba-p/27840
Integrated Windows Authentication (IWA) Setup
Integrated Windows Authentication (IWA) is required for multi-factor authentication. IWA requires you to have a port available for secure HTTP (HTTPS) communication and a trusted certificate for mutual authentication between the connector and the authentication server. To use the IWA service over an HTTPS-enabled port, you must either download a host certificate issued by Centrify or upload a host certificate issued by a certificate authority that is trusted by your organization.
1) For purposes of this guide, navigate to your Centrify Connector and select the 'IWA Services' menu. Click the 'Download your IWA root CA certificate' link.
2) There are two options to deploy the certificate: (1) install the certificate in the 'Trusted Root Certification Authorities' store locally on the machine, or (2) use group policy to distribute the certificate file as a trusted root certificate to other computers. For purposes of this guide, we will illustrate how to install the certificate in the local machine's 'Trusted Root Certification Authorities' store. To begin, double click the certificate on the desktop and click 'Install'.
3) Choose the 'Local Machine' to install the certificate on the local workstation, then click 'Next' to continue.
4) Choose the 'Trusted Root Certification Authorities' folder for the certificate. Click 'Next' to continue.
5) Confirm the installation, then click 'Finish' to continue.
6) Click 'OK' to complete the installation.
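The same certificate installation as steps 3 through 6, done from an elevated PowerShell prompt so it can be scripted and verified. This is an added example, not Centrify's own tooling; the certificate file name is a placeholder, and the script assumes the built-in PKI module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original article): install the downloaded IWA root CA
# certificate into the machine's Trusted Root store and verify that it landed there.
# Assumption: $CertPath is a placeholder; point it at the file you downloaded in step 1.
param(
    [string]$CertPath = "$env:USERPROFILE\Desktop\IWA-root-ca.cer"
)

# Read the certificate first so we can see exactly what we are about to trust.
$cert = Get-PfxCertificate -FilePath $CertPath
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Expires    : $($cert.NotAfter)"

# A root CA certificate is self-signed (issuer equals subject); anything else
# does not belong in the Trusted Root store, so flag it before importing.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is not self-signed; confirm it is really a root CA before trusting it."
}

# Equivalent of wizard steps 3-4: Local Machine + Trusted Root Certification Authorities.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Verify by thumbprint rather than by subject name, so a look-alike certificate
# with the same name is not mistaken for the one you downloaded.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if ($installed) {
    Write-Host "IWA root CA is present in Cert:\LocalMachine\Root."
} else {
    throw "Certificate not found in Cert:\LocalMachine\Root after import."
}
```

Compare the printed thumbprint with the one shown on the connector's 'IWA Services' page before trusting it; the group policy option in step 2 distributes this same file to other computers.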
Let's get started!
1) Logged in as administrator to your Centrify Application Service console, start by creating a Centrify role. This role will contain the Windows workstations you want to enforce multi-factor authentication on.
2) Add the workstations you want to enforce multi-factor authentication on by searching for the resource and clicking 'Add'.
3) Under 'Administrative Rights', assign the Centrify role the "Computer Login and Privilege Elevation" right. This allows the service to deliver a multi-factor authentication profile (created in the next step), to the workstations you've added to the role.
4) Next, create an 'Authentication Profile' that contains the factors that are appropriate for users to authenticate with.
5) Assign the 'Authentication Profile' to the 'Authentication Policy for Windows Workstations' within the 'Policies' menu.
6) Next, select 'Downloads' from the left column and download the Centrify Agent for Windows.
7) Install the Centrify agent on each workstation you would like to enforce multi-factor authentication on. Note: The workstation must exist within a Centrify role for the Centrify Application Service solution to deliver the multi-factor authentication profile to the machine (refer to step 2).
9) Review and accept the Centrify End-User License Agreement.
10) Select the location for the Centrify Agent to install, then click 'Next'.
11) Click 'Install' to begin installation of the Centrify agent.
12) Ensure the 'Run Agent Configuration Wizard' is selected, then click 'Finish' to continue.
13) When the configuration wizard appears, choose the 'Centrify Identity Services Platform' option. This option enrolls the workstation to Centrify, where services such as workstation login multi-factor authentication can be enabled.
14) Select the Centrify tenant for the device to enroll to. The authentication profile created in Steps 1-5 in this guide will be enforced on the workstation during login.
15) To enforce multi-factor authentication for Windows login, ensure the option 'Enable multi-factor authentication on Windows login' is selected. Additionally, you have the option of enforcing multi-factor authentication for all Active Directory accounts that log in to the workstation or only for specific accounts. For purposes of this guide, the 'All Active Directory accounts' option will be used. Click 'Next' to continue.
Note: For multi-factor authentication at Windows login, the workstation must be enrolled to the Centrify platform. During enrollment, a Centrify certificate is deployed to the machine to ensure secure communication between the Centrify connector and the authentication server. If the device is not enrolled, the following prompt will appear. See the Integrated Windows Authentication (IWA) Setup section of this guide.
16) Click 'Finish' to complete the configuration wizard setup.
17) You will be prompted to restart the workstation. Choose 'Yes' to continue.
18) Upon restart, log in to the workstation. During login, you will now see a drop down with the multi-factor authentication options required for login. Log in to the machine with one of the factors.
Note: The user must have the corresponding attributes in their user profile for an option to be available to them during login. For example, if telephone number is selected as one of the available factors but a user has no telephone number in their Active Directory profile, the telephone option will not be displayed to that user in the drop down.
19) After logging into the workstation, 'Setup Centrify Offline Passcode' will display. This allows a user to successfully authenticate, with multi-factor authentication, to the workstation when the machine is offline. Click the 'Click here to create your offline passcode' link.
20) Click 'Next' to set up offline mode.
21) The Centrify mobile application can be used to create the passcode for offline mode. More generally, any utility that supports OATH can be used to set up the passcode, so you can use whichever such utility your organization already prefers. Examples are the Centrify mobile app and Google Authenticator.
22) Click 'Finish' to complete the offline passcode setup.
23) Test the offline mode by taking the workstation offline and using the offline passcode to log back into the machine.
This guide is intended to demonstrate the steps required for enforcing multi-factor authentication on Windows workstations using the Centrify Identity Service solution. Centrify strongly encourages reviewing the deployment and administration guides, and testing the solution, prior to enterprise deployment.
We hope this guide was helpful and welcome questions you may have in this thread.