Launching PowerShell Sessions via Centrify Identity Service


By Centrify Contributor II ‎06-26-2017 11:17 AM

When I talk about our supported local clients for remote sessions, one of the questions I often get back is, "What about PowerShell?" In this post I will demonstrate how to launch PowerShell sessions from the Centrify cloud platform using PowerShell Web Access (PSWA).




Credit for the inspiration of this post goes to master Centrify guru @David McNeely.  Please also read this Microsoft TechNet article before you begin.


Here's what we're going to do:

  1. Install PowerShell Web Access (PSWA)
  2. Configure PSWA and IIS
  3. Configure a PSWA app tile within Centrify Identity Service (CIS)
  4. Proxy PSWA outside of the network using CIS's Application Gateway feature


I used the Windows PowerShell ISE as administrator to install and configure PSWA programmatically:



Install-WindowsFeature -Name WindowsPowerShellWebAccess -ComputerName <server_name> -IncludeManagementTools -Restart






Security alert!  For purposes other than testing you should secure the installation with certificates.  (You can use the -UseTestCertificate parameter or configure the bindings in IIS).


Next, we need to define an authorization rule to allow users to access PSWA and resources.  The rule I am about to add allows every user to reach every computer and every session configuration.  It is FOR TESTING PURPOSES ONLY, and it is NOT A GOOD IDEA FOR PRODUCTION!


Add-PswaAuthorizationRule * * *
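
A scoped replacement for the allow-all rule above, as an added example that is not part of the original post. It assumes an elevated session on the PSWA gateway server; the group names, the session configuration name, the test account and the test server are hypothetical placeholders.

```powershell
# Added example: swap the test-only "* * *" PSWA rule for a scoped one.
# Run elevated on the PSWA gateway. All names below are hypothetical.
Import-Module PowerShellWebAccess

$UserGroup     = 'CONTOSO\PSWA-Admins'     # AD group allowed through the gateway
$ComputerGroup = 'CONTOSO\PSWA-Targets'    # AD group holding the permitted target servers
$Endpoint      = 'PSWA-Restricted'         # constrained session configuration on the targets

# 1. List every rule that uses a wildcard for user, destination or endpoint.
#    Property names follow the columns Get-PswaAuthorizationRule displays
#    (assumed: User, Destination, ConfigurationName).
$wildcardRules = @(Get-PswaAuthorizationRule | Where-Object {
    $_.User -eq '*' -or $_.Destination -eq '*' -or $_.ConfigurationName -eq '*'
})
$wildcardRules | Format-Table Id, RuleName, User, Destination, ConfigurationName

# 2. Add the scoped rule first so administrators are not locked out
#    between removing the old rule and adding the new one.
Add-PswaAuthorizationRule -RuleName 'Admins to managed servers' `
    -UserGroupName $UserGroup `
    -ComputerGroupName $ComputerGroup `
    -ConfigurationName $Endpoint

# 3. Remove the wildcard rules found in step 1.
if ($wildcardRules.Count -gt 0) {
    $wildcardRules | Remove-PswaAuthorizationRule -Force
}

# 4. Check a request that should be allowed (member of the admin group,
#    server in the target group) and one that should not be.
$allowed = Test-PswaAuthorizationRule -UserName 'CONTOSO\alice' `
    -ComputerName 'srv01.contoso.example' -ConfigurationName $Endpoint
$denied  = Test-PswaAuthorizationRule -UserName 'CONTOSO\alice' `
    -ComputerName 'srv01.contoso.example' -ConfigurationName 'Microsoft.PowerShell'

# Test-PswaAuthorizationRule emits the rule(s) that authorize a request.
"Scoped endpoint authorized : $([bool]$allowed)"
"Default endpoint authorized: $([bool]$denied)"

# 5. Final state of the rule table for review.
Get-PswaAuthorizationRule | Format-Table Id, RuleName, User, Destination, ConfigurationName
```

The authorization rule only decides who may connect to which computer and endpoint through the gateway; what the user can do once connected is governed by the session configuration and the account's rights on the target server.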




Finally, I validated that I can see PSWA in a browser by navigating to https://<servername>/pswa and logging in with my test account's credentials.  (After validating this step, we're going to use this address to define the PSWA application as a tile within Centrify Identity Service).






Now that the PSWA configuration is done, let's link it to our Centrify Identity Service deployment for use by our users.


Define a custom web application in the Centrify Identity Service Admin Portal as follows:



Here I've added a custom icon I found on the web: 



Don't forget to assign the User Access Role to determine who can use it.  In my environment I assigned it to my admin team.


Also, to proxy the internal access outbound, we'll rely on Centrify's Application Gateway feature.  Configure it in the App Gateway tab.  A testing configuration is as follows:



 After completing the configuration, the application will be available for assigned users in the Centrify Identity Service portal. 

Users can click on this icon to launch PowerShell sessions to servers within the network!

The application tile:




Credentialled login:





Remote session!




...and since we're using the Centrify Identity Service portal, this means your administrators can even launch PowerShell sessions from their mobile phone or tablet using the Centrify app for iOS or Android!


on ‎09-15-2017 03:25 AM

Do you have plans to implement

1. http session recording?

2. commands auditing?

3. RBAC for remote powershell sessions?
