Using the adlicense command to change/fix the license type on Linux desktops and (possibly) correct License Reports within Centrify Infrastructure Services.


IT infrastructure leads need to perform automation activities beyond what's exposed in the graphical user interface.  This post discusses (with an example) how we can leverage the Centrify Developers site, the Centrify PowerShell Samples, novice scripting ability and a bit of infrastructure knowledge to automate this task:  interactively populate a system set with the computers from an Active Directory OU.


Configuring Centrify Platform for Radius MFA support for Symantec Validation and Identity Protection (VIP).


There are several prerequisites for setting this up in your environment.


  1. Access to a working instance of the Symantec VIP service (VIP Authentication Service).
  2. Access to a Centrify Environment, for this technical tutorial we will be primarily using Centrify Application Services.
  3. Centrify Connector installed.
  4. A Symantec VIP Enterprise Gateway setup to communicate from your network to the Symantec VIP service. In this guide, I set this up on a Windows 2012 server using Symantec VIP Enterprise Gateway 9.8.
  5. Ensure you have the appropriate ports/firewalls configured for network communication to occur between the different components of this integration.

In this blog post we outline how you can enroll a new Windows Server system (on prem or IaaS) to Centrify Infrastructure Services.  This lab entry covers:

  • Enroll a Windows system in Infrastructure Service
  • Apply local settings, policy or permissions
  • Add the Windows instance to a system set.

We'll illustrate with Amazon AWS but the building-blocks can be used on premises or with any other IaaS provider like Microsoft's Azure or Google's GCP.


[How To] FIDO U2F Security Key as an MFA mechanism

By Centrify a month ago - last edited 4 weeks ago

FIDO U2F (Fast IDentity Online Universal 2nd Factor) is an authentication standard hosted by the FIDO Alliance that uses USB or NFC devices based on security technology similar to that found in smart cards.


FIDO U2F provides a fast and convenient mechanism for authenticating to web applications using multi-factor authentication (MFA) with Centrify Application Services.


Note: FIDO U2F is designed for web application authentication and should not be used for Server or Workstation authentication.




Beef up your Phone-call based MFA with Centrify

By Centrify a month ago - last edited 4 weeks ago by Community Manager

MFA is becoming a necessity these days and Centrify makes it easy for you to deploy “MFA Everywhere”. You can support authentication factors like phone-call, SMS, Push notification, Yubikey, FIDO U2F, Smartcards, OATH OTP, and the list goes on. For many of these authentication mechanisms, your users can simply leverage their own smartphone. But what if some of your users don’t have smartphones? Can you convince your CIO to purchase and manage hardware tokens? Many organizations want to get away from the overhead of managing tokens. You can see why MFA using a good old-fashioned phone call is a good option for these types of scenarios. The concept is easy: first, the user registers his/her phone number in the self-service portal. Then, at authentication time, the user confirms the receipt of a phone call to his/her mobile device by pressing the # or * key (in addition to another knowledge-based factor). There you go, 2 factors of authentication completed. But there’s a catch.


Use this blog post to learn how to deploy the Centrify Agent for Windows™ automatically with Windows cloud instances.  Learn how to:

  • Deploy the software
  • Automatically configure it for Zoneless MFA (Console, RDP and screen unlock)
  • Audit Trail

We'll illustrate with Amazon AWS.  This article can be combined with other building blocks in the series.


In this blog post we outline how you can enroll a new Windows Server system (on prem or IaaS) to Centrify Infrastructure Services and secure a local account credential password.  This lab entry covers:

  • Enroll a Windows system in Infrastructure Service
  • Apply local settings, policy or permissions
  • Add the Windows instance to a system set.
  • Create a local user and secure the credential password in Infrastructure Service

We'll illustrate with Amazon AWS but the building-blocks can be used on premises or with any other IaaS provider like Microsoft's Azure or Google's GCP.


Centrify Agent for Windows™ Deployment Options - Introduction

By Centrify Guru I on 02-17-2018 10:06 AM - last edited 3 weeks ago

The Centrify Agent for Windows provides organizations with the ability to secure Windows systems.  This article's goal is to introduce the basic information (pre-requisites, communications), deployment scenarios and tools available for each deployment option.  The next articles in the series focus on specialized topics or use cases.


This is the second article in a series about Centrify's role in participating in or enhancing the Microsoft Enhanced Security Administrative Environment.

The first article in the series covered MS ESAE in FAQ form and introduced 10 principles derived from this environment.

In this article, we provide information about how Centrify can enable the implementation of those general principles and recommendations.


Please read the original article (link below) to get the full context of the information:


Interested in deploying the Centrify Agent for Windows silently using Group Policy?

This article shows you how.


In this series we discuss Microsoft's Enhanced Security Administrative Environment (ESAE) and how Centrify participates and provides additional capabilities in this model.


The first article on the series is an introductory post on the topic.


Security questions are like a second password prompt. Just like passwords, users tend to create weak or easy-to-guess answers. Unlike passwords, security questions usually do not have policies that enforce complexity and uniqueness or limit guessability.


Here are some tips to help make your security question answers stronger:

1. Use a non-corresponding answer.

Using an answer that does not correspond to the question will make it harder for unauthorized users to guess or find your answer. For example, if the question is your first car model, answer with "blankcowblueYogurt". If the question is your mother's maiden name, don't use your mother's maiden name as the answer. Your mother's maiden name might be easily guessed, or acquired through social media, social engineering, stolen records, public records, malware, or many other methods.


2. Avoid answers that are vulnerable to social engineering.

Even if you use a non-corresponding answer to a security question, unauthorized users may still randomly attempt to use information that could be acquired through social media or social engineering such as the name of your child, pet, school, or company.


3. Follow password complexity rules for your answers.

Security questions are just like a second password. Hackers may use brute force or dictionary attacks on a security question. Following password complexity rules can help to make your security question answers more secure.


An easy-to-remember yet complex answer is four random words, like "blankcowblueYogurt".




4. Use spaces if possible.

Older-generation brute force and dictionary attacks don't account for spaces, and even against modern tools, spaces make an answer longer and harder to crack. Add a space in your answer if allowed, for example "blank cow blue Yogurt".


Centrify MFA can use security questions for:

  • AD password reset / account unlock
  • Computer login (Windows / Linux / Unix)
  • Privilege elevation (Windows / Linux / Unix)
  • Remote access through Centrify's password vault.
  • Password checkout for shared privileged accounts.
  • AWS Workspaces
  • Horizon View
  • Accessing a web application
  • Accessing the Centrify User and Admin Portals. 
  • VPN access

Centrify users can set up their security question(s) through the Account tab in the Centrify User portal.

I've been asked by potential customers: does our Centrify Cloud Platform integrate with Apple's OpenDirectory LDAP server?  Or more specifically, can I authenticate users from my OpenDirectory server into the Centrify Cloud Portal and assign those users to roles, apps, MFA, etc.?


Answer: Yes, you can!


What does this all mean, then?  Well, you can execute self-service password resets for your user accounts, portal password changes, and MFA for user and application SSO access; in short, all the benefits you might get from an Active Directory integration.  You lose nothing by integrating with a directory like Apple's OpenDirectory, and that's the beauty of our Centrify Identity Platform.


The purpose of this guide is to show how to authenticate and use the users from your OpenDirectory server in the Centrify Cloud Platform.


A little history first...

OpenDirectory has been around since MacOS 10.2.  It was introduced as part of Apple's attempt to provide its enterprise customers with a network-visible NetInfo directory domain and a corresponding authentication manager service for storing passwords outside of the directory.  To sum that technical sentence up, it's basically an OpenLDAP-based LDAPv3 (Lightweight Directory Access Protocol) server, which is more common than you think in many corporate environments.  Many law offices and educational institutions are OpenDirectory shops, since lawyers and students are very common Mac customers and users.


To start, a very convenient tool to use for this process is a Windows tool called Softerra LDAP Browser.  You can download the free browser version from Softerra's website: not the administration software, but the browser.


We will use this tool to look up the common name of our server's baseDN and some of its corresponding user object attributes.  It just makes our lives easier, and I'll be using it in some of the pictures for the setup and configuration.


This guide assumes that you have set up an OpenDirectory Server already.


This guide will not go into the setup and creation of the OpenDirectory Server.  It's assumed that you know the hostname of your server and, if it's a public-facing directory, that all the relevant host records have been created and are currently working.  This also assumes that you have a valid host certificate for the OpenDirectory domain and that you can communicate over secure LDAP.  A server certificate is not required for the setup, but it will make the connection between your cloud and OpenDirectory server secure.


  1. Let's open up the Centrify Administrator Console, login with an administrator for your Centrify Cloud Platform
  2. Navigate to Settings > Users > Directory Services.  You should see this:

    Screenshot: Admin Console - Settings > Users > Directory Services
  3. Click on Add LDAP Directory, and you should see this dialogue:

     Screenshot: Add LDAP Directory Server
  4. Let's give it a name like "Apple OpenDirectory Server"
  5. Let's give it a description, "Apple's OpenDirectory for the Law Office.."
  6. Add the hostname of your OpenDirectory server, in the case of my OpenDirectory server, it was macserver.test, but this will be whatever you have setup in your OpenDirectory hostname, as seen here:

              Screenshot: Mac Server hostname
  7. Let's get the baseDN from the server. This is where having an LDAP browser comes in really handy.  I will be using this tool to show you how to get this value:
    1. Open up your LDAP Directory Browser Tool (you don't need this if you're savvy enough to get this from the Directory Utility in MacOS Server, or another way)
    2. Add the Server connection to your LDAP Browser
    3. Navigate to the root of your Mac OpenDirectory Server as seen here:

      Screenshot: baseDN from LDAP browser
  8. Type in your baseDN in the baseDN field, in my case "DC=macserver, DC=test"
  9. Type in your hostname for the suffix for the users that will be provisioned under, in my case "macserver.test"
  10. For the bindDN, you will need the administrator account you set up initially when you created your OpenDirectory.  THIS IS NOT the local admin user on the Mac OpenDirectory Server.  It's the user that you created when you set up OpenDirectory. It's normally called "diradmin" or whatever you might have chosen. You can find it by using your LDAP browser and selecting Users; here you will see a list of LDAP users that are part of OpenDirectory.  Make sure you note the DN for the user and enter it here.
    1. For example, it might be diradmin, in which case the Common Name would be "uid=diradmin,cn=users,dc=macserver,dc=test". This tells our platform the UID and the location of the user.  Here is a picture from the LDAP browser (right-click on the user object in the navigation tree and select Properties):

       Screenshot: Common name
  11. Type in the password for the user in the form
  12. Un-check the Verify Server Certificate selector.  We will go back and test secure communication later on, but for now you can just test the connection.
  13. If all went well, you should see Connection Successful and a green check-mark:

  14. If not, go back and check the data entries and make sure you follow exactly what was written down here and that the cloud can see the Mac OpenDirectory Server.  Again, it's assumed that you can see the server either privately inside your Corporate subnet, or publicly.  
  15. If the name cannot be resolved, try to enter the name in the hosts table or use the IP address of the machine.
  16. If the latter, you will likely need to un-check Verify Server Certificate on the Add LDAP Directory page.
  17. If the server is NOT listening on port 636, append the port to the DNS hostname; for example: <dns hostname>:3269 Note: We only support LDAP over SSL.
  18. We do not support clear LDAP.  If we can communicate over this port and can resolve the hostname, we will be able to verify the server certificate. 
  19. One last piece is to choose a connector that the OpenDirectory Server can talk to and can communicate with.  Click on the Connectors menu item in the "Add LDAP Directory" dialogue:

  20. Make sure you select a connector that your OpenDirectory server will and can talk to on an ongoing basis and retest your connection.
  21. Once you've integrated the OpenDirectory Server, there are a few oddities that need to be discussed.
  22. OpenDirectory does not natively support Phone Number, Mobile Phone, and other attributes that are crucial to the Centrify Platform and MFA.  Without these attributes, it will be impossible to authenticate the OpenDirectory Users using MFA.  If you're only using passwords, then this will be easy, but most organizations do not rely on passwords alone, and it's not a good security principle.
  23. To fix this problem, we can add attributes to the user accounts via Apple's Directory Utility. 
  24. To do this, go back to your Apple Server with OpenDirectory and open up the Directory Utility, which can be opened and found via Spotlight.
  25. Once open, click on Directory Editor
  26. Select the correct directory to edit from the drop-down (usually /LDAPv3/, which will be your main directory).  It might not be, so make sure that when you select the proper node a list of users is presented when you select the Users drop-down in the editor, like this:

    Screenshot: Directory Utility
  27. Authenticate as the diradmin by clicking the lock icon at the top
  28. Once authenticated, you can begin to amend the user objects and add important attributes to them.
  29. There are ways to have these added by default, but this guide is not designed to show you how to amend your LDAP directory structure.  However, it is possible to do this, such that phone numbers, mobile numbers, and other Centrify Cloud Platform attributes are present by default inside the user objects.
  30. Click the "+" sign, search for MobileNumber or PhoneNumber, and then enter the value you want reflected in the field.
  31. Once you add these attributes, they will automagically show up in the user object in the Centrify Platform after you reload the user object.  You can refresh the user object in the Centrify Portal by selecting the user in the admin portal and then selecting "Reload" from the action menu; the user object will populate with the data you added in the Directory Utility on the MacOS server:

            Screenshot: Reload a User Object
  32. Keep in mind, we can use our LDAP browser to connect to an Active Directory domain and view the various user attributes in AD that are stored for the user and add those same attributes to the users in OpenDirectory. It's not a hard process, the trick is to configure OpenDirectory to have those fields in the user creation process, which can be difficult to do.  That said, the attributes are all common to all LDAP directories, as such, you can add these to the Mac OpenDirectory Server user object and have them reflected in the user object in the cloud.
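Before typing values into the Add LDAP Directory dialog, it helps to sanity-check them and to probe the LDAPS endpoint the same way the dialog's connection test does, so that a failure can be attributed to name resolution, a blocked port, or certificate trust (the three cases the troubleshooting steps above cover). The following script is an added example written for this article, not Centrify's code; it uses only the Python standard library and assumes the hostname and DNs from the walkthrough (`macserver.test`, `DC=macserver, DC=test`, `uid=diradmin,cn=users,dc=macserver,dc=test`), which are illustrative values, not a live server.

```python
"""Sanity-check LDAP directory settings (hostname, baseDN, bindDN) and probe
the LDAPS endpoint before filling in the dialog. Standard library only."""
import hashlib
import socket
import ssl

LDAPS_DEFAULT_PORT = 636  # the platform only supports LDAP over SSL


def parse_dn(dn):
    """Split an RFC 4514 DN into (type, value) pairs.
    Attribute types are lower-cased and whitespace around components is
    dropped, so "DC=macserver, DC=test" and "dc=macserver,dc=test" compare
    equal. Backslash-escaped commas inside values are kept intact."""
    components, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character, keep both
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))
    pairs = []
    for comp in components:
        comp = comp.strip()
        if not comp:
            continue
        if "=" not in comp:
            raise ValueError("DN component without '=': %r" % comp)
        attr, value = comp.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dn_under_base(dn, base_dn):
    """True when dn sits below base_dn: the bindDN must live inside the baseDN."""
    dn_parts, base_parts = parse_dn(dn), parse_dn(base_dn)
    return len(dn_parts) > len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def ldaps_endpoint(host_field):
    """The hostname field accepts "host" or "host:port"; port defaults to 636.
    (Bare IPv6 literals are not handled; use a DNS name as the guide does.)"""
    host, sep, port = host_field.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return host_field, LDAPS_DEFAULT_PORT


def check_ldaps(host_field, verify_cert=True, timeout=5.0):
    """Probe the LDAPS endpoint. Returns {'ok': True, ...certificate details}
    or {'ok': False, 'stage': 'dns' | 'connect' | 'tls', 'error': ...},
    mirroring the troubleshooting steps: unresolved name, unreachable port,
    or an untrusted/mismatched certificate."""
    host, port = ldaps_endpoint(host_field)
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror as exc:
        return {"ok": False, "stage": "dns", "error": str(exc)}
    ctx = ssl.create_default_context()
    if not verify_cert:  # equivalent to un-checking "Verify Server Certificate"
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                info = tls.getpeercert()  # empty dict when verification is off
    except ssl.SSLError as exc:          # must precede OSError (it is a subclass)
        return {"ok": False, "stage": "tls", "error": str(exc)}
    except OSError as exc:               # refused, timed out, unreachable
        return {"ok": False, "stage": "connect", "error": str(exc)}
    return {
        "ok": True,
        "verified": verify_cert,
        "sha256": hashlib.sha256(der).hexdigest(),
        "subject": dict(rdn[0] for rdn in info.get("subject", ())),
        "not_after": info.get("notAfter"),
    }


if __name__ == "__main__":
    base_dn = "DC=macserver, DC=test"                       # values from the walkthrough
    bind_dn = "uid=diradmin,cn=users,dc=macserver,dc=test"  # (illustrative, not a live host)
    print("bindDN under baseDN:", dn_under_base(bind_dn, base_dn))
    print(check_ldaps("macserver.test", verify_cert=False))
```

Run it with `verify_cert=False` first, as step 12 suggests, to separate connectivity problems from trust problems; a `tls` failure with `verify_cert=True` after a success without it points at the server certificate or its chain rather than at the network. The SHA-256 fingerprint it prints lets you confirm that the certificate presented on the wire is the one installed on the OpenDirectory server.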

This concludes the OpenDirectory Integration guide for the Centrify Identity Platform.  We try to make our solution open to all sources of truth, and many companies use OpenDirectory as their directory of choice. Good luck and thanks for reading.

The Centrify IWA root CA certificate is required for silent authentication into the Centrify User Portal or Admin Portal, and for computer MFA login. This article will walk through the steps for downloading the IWA root CA certificate for deployment.


Prerequisite: Install the Centrify Connector on a 64-bit system or VM inside your network.


1. Log into the Centrify Admin Portal. On the left column, navigate to Settings > Network > Centrify Connectors.



2. Click on the name of any Centrify Connector listed in the right pane. The Centrify Connector Configuration window will pop up.



3. In the Centrify Connector Configuration window, click on IWA Service, then click on Download your IWA root CA certificate.

Screenshot: download IWA root certificate


Make sure you select the link "Download your IWA root CA certificate" and not the Download button above the link.



 Next: Deploy the Centrify IWA root CA certificate using group policies


Here is a video on how to do it

Related article: [Howto] Spotting and Remediating issues with PKI Trust on MFA (UNIX/Linux/Windows) or Enrollment

Centrify Infrastructure Services 2017.3 - Support for Centrify Analytics




This is part of a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3.  In this article, we'll preview Centrify Analytics for Infrastructure Services Alpha.


Note: Applicable to versions 17.8 and above

  1. Log in to Admin Portal using your system admin account.
  2. In the user name drop-down menu, click About to get the version number.
  3. Once the version number is determined, click Downloads (in the user name drop-down menu).
  4. Click the link for the Firefox browser.
  5. In the pop-up window, click Allow.
  6. The browser displays a dialog box for installing the browser extension.
  7. Click Install Now.
  8. A dialog box appears for restarting the browser.
  9. Click Restart Now to restart the browser and finish the installation.
  10. After the browser restarts, the Centrify Browser Extension icon is added to the menu bar as shown (older versions added the extension to the toolbar).
  11. In this new version you no longer need to go to about:config to configure the tenant URL setting.
  12. The option to add the tenant URL is under “Add-ons”: Centrify Browser Extension > Options.
  13. Once you click “Options”, the options page opens in a new tab.
  14. The browser extension is configured to work with the default Centrify identity platform URL.
  15. If the value is something different, or if you are using a test version of the directory service that uses a different URL, type the correct value and click OK.
  16. Restart your browser to apply the new URL.


Through exposed Centrify APIs we're able to send our data to wherever it needs to go


OAuth 2.0 is the industry-standard protocol for authorization...


Centrify Infrastructure Services 2017.3 - Centrify Agent for Windows


This is a part of a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3.  In this article, we'll discuss what's new with the Centrify Agent for Windows including:

  • Self-Service Password Reset using the Windows Credential Provider.
  • Windows 10 MDM Enrollment.

These capabilities complement some of the platform benefits like Self-Service, Multi-Factor Authentication and Zero Sign-On.


Considering adding Publisher Verification to your Privilege Windows Application

By Centrify on 12-29-2017 03:05 PM - last edited 01-19-2018 10:41 AM

I wanted to call attention to a feature you may not be aware of when configuring Privilege applications for the Agent for Windows.  This feature further increases the security of Privilege Applications by validating the signing certificate, ensuring the executable is signed by the trusted publisher.


Below are the screenshots on where this feature is located in Access Manager.


Please see the documentation in the centrify-win-adminguide.pdf guide. 


All those commands you wish you had known when you first installed the DirectAudit agent.


Encrypting cache in adclient

By Centrify 12-29-2017 02:20 PM

How to enable adclient cache encrypting and some things to consider if you're thinking about making this change.


[HOW TO] Setup a Centrify Identity Services for AWS tenant

By Centrify on 12-29-2017 01:56 PM - last edited 01-19-2018 10:42 AM



This visual step-by-step blog post covers the setup of a new AWS tenant.







Step 1) Log in to AWS Marketplace and search for Centrify.


Step 2) On the Centrify page, select Continue. Please note the pricing details, as these may be different.


Step 3) On the next page, click the Subscribe button.


Step 4) Congratulations. Click Set up your account.


Step 5) You will receive an email with your Administrator account information.


Step 6) Click the link in your email and use the login information from the email.


Step 7) Log in and change your password.


Step 8) Enjoy.



This walkthrough is intended for CPS tenant admins who are not database admins but would like a basic understanding of what is needed to add a SQL/ORACLE DB. The example in this blog will be using a SQL database. 


Centrify Infrastructure Services 2017.3 - Container Linux by CoreOS is now supported!

This is part of a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3.  In this article, we'll discuss Centrify's support for Container Linux by CoreOS.

Find out how Centrify has integrated with this stripped-down OS to facilitate Centralized Administration, Access Control, Privilege Management, Multi-Factor Authentication, Session Capture and Replay and Attestation Reports.

Also learn how we can assist Privilege Management in the Docker lifecycle and, if needed, extend Centrify capabilities inside a container.


This technical blog post will cover the various scenarios when silently installing the Centrify agent for Windows using msiexec. 


Many Ways to Install Centrify Agent

By Centrify on 12-27-2017 08:29 AM

One of the great things about Centrify’s approach to deploying agents is that it provides multiple options to install a Centrify agent onto a Linux or UNIX computer. While enterprises are welcome to use popular software deployment tools such as Chef, Puppet, and Ansible to deploy Centrify agents, Centrify intrinsically offers great flexibility to deploy agents as well.


Docker is the new thing the kids are doing these days.  It's pretty cool, but might need some security guardrails before handing it to your developers. 

