The Centrify IWA root CA certificate is required for silent authentication into the Centrify User Portal or Admin Portal, and for computer MFA login. This article will walk through the steps for downloading the IWA root CA certificate for deployment.


Prerequisite: Install the Centrify Connector on a 64-bit system or VM inside your network.


1. Log into the Centrify Admin Portal. On the left column, navigate to Settings  > Network > Centrify Connectors.



2. Click on the name of any Centrify Connector listed in the right pane. The Centrify Connector Configuration window will popup. 



3. In the Centrify Connector Configuration window, click on IWA Service, then click on Download your IWA root CA certificate

download IWA root certificate.png


Make sure you select the link "Download your IWA root CA certificate" and not the Download button above the link.



 Next: Deploy the Centrify IWA root CA certificate using group policies


Here is a video on how to do it

Related article: [Howto] Spotting and Remediating issues with PKI Trust on MFA (UNIX/Linux/Windows) or Enrollment

Centrify Infrastructure Services 2017.3 - Support for Centrify Analytics




This is part of a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3.  In this article, we'll preview Centrify Analytics for Infrastructure Services Alpha.


Note: Applicable to versions 17.8 and above

  1. Log in to Admin Portal using your system admin account.
  2. In the user name drop down menu click about to get the version number.
  3. Once the version number is determined click Downloads (In the user name drop down menu)
  4. Click the link for the Firefox browser.
  5. In the pop-up window, click Allow.
  6. The browser displays a dialog box for installing the browser extension.
  7. Click Install Now.
  8. A dialog box appears for restarting the browser.
  9. Click Restart Now to restart the browser and finish installation.
  10. After the browser restarts, the Centrify Browser Extension icon is added to the Menubar as shown.

    ( older version would add the extension to the toolbar )

  11. CBE-5.png
  12. In this new version you no longer need to go to about:config to configure tenant url settings.  

  13. Options to add the tenant url is  under “Add ons”  

  14. CBE-2.png

15. Centrify Browser Extension \ Options .

16. CBE-3.png

17. Once you click on “Options” this page will be open in a new tab

18. CBE-4.png

19. The browser extension is configured to work with the default Centrify identity platform URL— 

20. If the value is something different, or if you are using a test version of the directory service that uses a different URL, type the correct value and click OK.

21. Restart your browser to effect the new URL


Through exposed Centrify APIs we're able to send our data to wherever it needs to go


OAuth 2.0 is the industry-standard protocol for authorization...


Centrify Infrastructure Services 2017.3 - Centrify Agent for Windows


This is a part of a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3.  In this article, we'll discuss what's new with the Centrify Agent for Windows including:

  • Self-Service Password Reset using the Windows Credential Provider.
  • Windows 10 MDM Enrollment.

These capabilities complement some of the platform benefits like Self-Service, Multi-Factor Authentication and Zero Sign-On.


I wanted to call attention to a feature you may not be aware of when configuring Priviledge applications for the Agent for Windows.  This feature further increases the security of Priviledge Applications by ensuring the executable is signed by the trusted publisher by validating the certificates. 


Below are the screenshots on where this feature is located in Access Manager.


Please see the documentation in the centrify-win-adminguide.pdf guide. 


All those commands you wish you had known when you first installed the DirectAudit agent.


Encrypting cache in adclient

By Centrify 3 weeks ago - last edited 2 weeks ago

How to enable adclient cache encrypting and some things to consider if you're thinking about making this change.




This visual step by step blog post to cover the setup of a new AWS tenant.  







Step 1) login into AWS Marketplace and search for Centrify. 


Screen Shot 2017-12-14 at 2.00.39 PM.png


Step 2) In the Centrify page select continue. Please note the pricing details as these may be different.


Screen Shot 2017-12-14 at 2.00.54 PM.png


Step 3) On the next page select using the Subscribe button.  


Screen Shot 2017-12-14 at 2.25.34 PM.png 


Step 4) Congratulations. Click the Setup your account. 


Screen Shot 2017-12-14 at 2.25.45 PM.png

Step 5) You will receive an email with your Administrator account information.


Screen Shot 2017-12-29 at 2.44.38 PM.png

Step 6) Click the link in your email and use your login information form the email.


Screen Shot 2017-12-29 at 2.05.51 PM.png


Step 7) Login and change your password.


Step 8) Enjoy.















This walkthrough is intended for CPS tenant admins who are not database admins but would like a basic understanding of what is needed to add a SQL/ORACLE DB. The example in this blog will be using a SQL database. 


Centrify Infrastructure Services 2017.3 - Container Linux by CoreOS is now supported!

This is a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3.  In this article, we'll discuss Centrify's support for Container Linux by CoreOS.

Find out how Centrify has integrated to this stripped down OS to facilitate Centralized Administration, Access Control, Privilege Management, Multi-Factor Authentication, Session Capture and Replay and Attestation Reports.

Also learn how we an assist Privilege Management in the Docker lifecycle and if needed, extend Centrify capabilities inside a container.


This technical blog post will cover the various scenarios when silently installing the Centrify agent for Windows using msiexec. 


One of the great things about Centrify approach to deploying agents, is that Centrify’s approach provides multiple options to install a Centrify agent onto a Linux or UNIX computer. While enterprises are welcome to use popular software deployment tools such as Chef, Puppet, and Ansible to deploy Centrify agents, Centrify intrinsically offers great flexibility to deploy agents as well.


Docker is the new thing the kids are doing these days.  It's pretty cool, but might need some security guardrails before handing it to your developers. 


Enforcing inactivity logout for Linux CLI

By Centrify Advisor III a month ago - last edited a month ago

Various security standards require the computer screen to be locked or logged off after a period of inactivity. This article will show you how to use Centrify to enforce an automatic log out from the Linux CLI after a period of inactivity.



  • The Linux system must have the Centrify Agent installed and bound to Active Directory.
  • You will need Group Policy Management on a Windows member server with the Centrify Infrastructure Services installed.


1. In Group Policy Management, edit or create a GPO for your Linux system.

2. Enable Computer Configuration > Policies > Centrify Settings > Common UNIX Settings > Specify commands to run 




2. Click Add.



3. Enter a custom command, then click OK.



For CentOS use:

grep -q -F TMOUT=900 /etc/bashrc || echo TMOUT=900 >> /etc/bashrc


For Ubuntu use:

grep -q -F TMOUT=900 /etc/bash.bashrc || echo TMOUT=900 >> /etc/bash.bashrc


Change the numbers in the command to your desired number in seconds. Please note the operating system might round up or down to the closest supported minute. 


4. Reboot the Linux system for the setting to apply.


The Centrify Agent will execute the script at every Active Directory group policy interval (default 90 minutes). 


 Please share if you have a better script or method.


Other related articles

Enforcing screen lock for MacOS

Neste artigo mostrarei como habilitar autenticação multi-fator (MFA, 2FA) em servidores Linux utilizando o Centrify Infrastructure Services.


Neste artigo mostrarei como habilitar autenticação multi-fator (MFA, 2FA) em servidores ou estações de trabalho Windows utilizando o Centrify Infrastructure Services.


How to manually set domainsid when SMBv1 is disabled

By Centrify on ‎12-16-2017 04:56 PM - last edited Wednesday

Centrify script cannot complete successfully after disabled SMBv1. Because disabling SMBv1 breaks all the 'net npc getsid' that Centrify use in


You will get the following error message after trying to execute


Are you looking for some data that just isn’t covered in the stock reports?


You’ve come to the right place!  In this blog, I want to show you some of the basics of writing your own custom reports.



Every now and then, this situation presents itself infront of me:  


-Is it possible for me to send one or more roles as a SAML attribute, inside of a SAML Assertion?


The answer to this question is yes, and here's how you do it:


  • Sending One Role:
    • Sending one role is much simpler than sending multiple roles.  It doesn't require an array, or any of that fancy stuff.  It requires one line of code:
      • setAttribute(‘role’ , “rolename”);   In this example, 'role' is the name of the SAML attribute, and 'rolename' is well, the name of the role in question.  Here's an example of a working piece of code, as well as a SAML assertion:
        setAttribute(‘role’ , “IT_Admins”);
        <Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  • Sending Multiple Roles:
    • Sending multiple roles, is a bit more involved.  It does call for the above mentioned 'fancy stuff' such as an array.  In requires a few more lines of code, which I'll explain:
      // Create a variable for the current logged in user's role names
      var roleNames = LoginUser.RoleNames;
      // Create an empty array 
      var attrArray = [];
      //Find all roles containing "admin"
      for (var i=0; i < roleNames.Length; i++){
          if (roleNames[i].indexOf("Admin") != -1){
          var v = roleNames[i];
      //Push roles containing "admin" into the empty array    
          trace("Role containing 'Admin' for this user: " + v);
      //Set the array to role, with the values inside attrArray
      setAttributeArray('role', attrArray);
    • Right, so I've made this a little bit easier to explain here.  I've included comments (everything after //) that explains the logic of the above code.  Everything highlighted in red are the values that you, reader, might have to modify.  Starting from top to bottom:
      •  if (roleNames[i].indexOf("Admin") != -1)
        • This line of code simply checks all of the users roles, to see if they contain the string "admin".  Feel free to modify this to whatever you'd like.  Chances are if you're sending multiple roles to a SAML app, they should contain similar names.  Such as O365E1, O365E etc.  In this scenario, you could use 'O365' as your string. 
      • trace("Role containing 'admin' for this user: " + v);
        • This line of code simply gives you an output of which roles the user has, that matches your string.
      • setAttributeArray('role', attrArray);
        • As above, 'role' is the name of the attribute, attrArray is the value.  Feel free to change the former, but do not change the latter.
      • Here's an example of a SAML Assertion output:
        <Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
             <AttributeValue>System Administrator</AttributeValue>
      • Here's the trace output:
        Role containing 'admin' for this user: SAML_Admin
        Role containing 'admin' for this user: IT_Admin
        Role containing 'admin' for this user: System Administrator


I hope you found this article is helpful, and as always if you have any questions- comment below.




Employee on-boarding, transitions and departures often require manual and time consuming user administration tasks performed between HR and IT. Generally, identity originates in the HRIS system when the candidate becomes an employee. Coordinate between HR to IT is done such that, IT can create accounts for the new hire in Active Directory and every application required for their job. Similarly, during a transitin or departure, HR coordinates with IT to modify or disable access in Active Directory and every application. 


With an integration to Centrify, Workday can serve as the master employee database within the enterprise. New hires, transitions and departures are managed by HR within the HR system while Centrify automatically provisions or de-provisions accounts into Active Directory and downstream productivity applications. Specific benefits include: 


  • Automatic provisioning of new hires in Workday to Active Directory.
  • Randomly generated Active Directory password automatically emailed to new hire.
  • Automatic account updates (e.g. promotions, department changes) of employees in Workday to Active Directory.
  • Automatic disablement of users in Active Directory when terminated in Workday.

Here is a demo video of how the integration can help streamline user administration in your enterprise: 



See this work within your environment by registering for a free 30 day trial here.

custom login screen.png

Using a custom Centrify login URL offers a number of benefits, inlcuding branded login screen, Integrated Windows Authentication, and being able to log in using your short name or samAccountName. This article will walk you through configuring your custom login URL for your Centrify tenant.


1. Log into your Centrify Admin Portal.

2. In the left column, navigate to Settings > Customization > Tenant URLs, then click on the Add button.


3. Enter your preferred unique name that is not used by another Centrify customer, then press Save. For example

custom name.png


Once this is complete, you can log into the Centrify portal with your custom login URL.

Centrify User Portal:

Centrify Admin Portal:



Log into Centrify cloud tenant with an administrator account. Navigate to Settings > Authentication > RADIUS Connections. Under Clients tab, click Add.








In the RADIUS Client Settings window, enter a name, internal IP address of FortiGate and create a client secret. Save settings.











Navigate to Settings > Network > Centrify Connectors, double click connectors that you would like to accept RADIUS connections for VPN authentication from FortiGate, navigate to RADIUS section and click check box to enable incoming RADIUS connections. Save settings.












Navigate to Settings > Authentication > Authentication Profiles. Click Add Profile to create a new profile for VPN MFA.











For challenge 1, select Password. For challenge 2, select what you would like to use for authentication challenge.













Navigate to Core Services > Policies to modify current policy or add a new one. Under User Security Policies > RADIUS, need to set “Allow RADIUS connections” to Yes and check the box for “Require authentication challenge”, select VPN authentication profile you created earlier.











Now we will go over configuration on the FortiGate firewall. Log into FortiGate with an admin account. Navigate to users and device > RADIUS servers, click create new button to add a new entry.













Enter name, IP address of server running Centrify Cloud Connector and server secret.












Test to verify successful communication, click test connectivity button, enter a valid username and password to run test.












You should see successful result if settings are correct and RADIUS communication isn’t blocked. If not, check basic network communications between Centrify server running Cloud Connector and the FortiGate. Verify that firewalls are not blocking port 1812 used for RADIUS connections.










Next, we will create a RADIUS VPN user group. Navigate to User & Device > User Groups and click Create New. Give it a name and select Centrify RADIUS server under “Remote groups”.











If you don’t already have a client to site IPsec VPN profile setup, navigate to VPN > IPsec Wizard, select Remote Access and complete steps in wizard. Select RADIUS VPN user group when going through steps.










When a VPN user authenticates using FortiClient, they will be prompted for MFA.




First enter username and password.







Now prompted for second form of authentication.











On Centrify portal as an admin user, you can view Core Services > Reports > Built in Reports > Security and run the “MFA Events – Last 30 days” to verify and troubleshoot RADIUS authentication.




















How to secure shared web accounts

By Centrify Advisor III on ‎10-24-2017 09:39 AM - last edited 2 weeks ago

Securing shared web accounts such as the firewall web administration console's default admin account, AWS management console's root account, corporate FedEx account, or company social media accounts (eg. Twitter, Facebook) helps to meet regulatory compliance, improve security, prevent insider attacks, and deny access to former employees. Centrify can secure your shared web accounts by

  • Providing login access to shared web accounts to assigned users without exposing the password to users.
  • Limiting access to only specific users or group.
  • Requiring multi-factor authentication or blocking access based on time, location, device or user behavior.
  • Switching to SAML authentication


Provide login access without exposing the password

1. In the Centrify Web Portal console, select Apps in the left column, then click on the Add Web Apps button.

Add web apps.png

2. Search then add your web app. If you cannot find your web app, go to the Custom tab, scroll down until you see User-Password, click on the Add button next to it, then click Close.

custom user-password.png

3. Complete the required configurations for Applications Settings and Description.

4. Go to Account Mapping and select Everybody shares a single user name. Enter the shared username and password and press Save.

shared password.png

When you update the password in this setting, it updates the password for everyone without the need to tell users what the new password is, and minimizes password exposure risk.

5. Configure User Access and press Save. Assigned users can access the shared account from the Centrify User Portal, by clicking on the app icon without entering the shared username and password.


If your website is not in the Centrify app catalog and it does not work out of the box with the custom User-Password template, you can try using:

  • Infinite Apps to add sites that have additional login fields such as department or company ID.
  • Custom > Browser Extension for sites that have the username and password fields on different pages.


Limiting access to only specific users or group

In the Centrify Admin Portal, create a custom role in Roles (eg. DevOps, IT security, HR, Finance...) then assign the role to your web application. You can also assign the web app to roles by configuring User Access.


Assigning the web app to a role, enforced role-based access control to your shared password. Users not in the assigned role will not see the web application in the Centrify User Portal. Each role should see a different set of web applications.

different user portal view.png


Blocking access or require multi-factor authentication base on:

 Switch to SAML authentication

Take advantage of SAML authentication if the web application supports it. SAML offers many security benefits including:

  • Not storing or using a password to authenticate to prevent passwords from being compromised by malware, WiFi vulnerabilities, or attacks on the web application.
  • Logging in as yourself to provide better accountability to help track who logged in when, and who made what changes.
  • Not having to manage password changes. 

Other topics to consider:

Securing local or default administrator accounts on servers and network appliances.

Role-based access to the Centrify Identity Platform can be applied to help meet regulatory compliance and improve security by:

  • Customizing which web applications are displayed in the Centrify User Portal
  • Limiting access to privileged account passwords
  • And granting different levels of administrative rights to the Centrify Identity Platform

Roles in Centrify can be composed of users, groups and other Centrify roles from

To create and configure a Role in Centrify

1. Log into the Centrify Admin Portal, go to the left column and navigate to Core Services > Roles. 


2. Click on the Add Role button.

3. Enter a name for the Role.

4. Select Members, then click the Add button.

5. Enter keywords in the search field to display the desired user or group.

Adding users.png 

6. Select the desired user or group and click Add.

7. Select Administrative Rights to add Admin Portal rights to the role.

8. Select Assigned Applications to assign web applications to the role. 




Categories and Tags

By Centrify on ‎10-16-2017 07:09 PM

In the last post I mentioned naming conventions, which is a great way to organize your work and ensure you are doing the right thing. Another item you can do to make your administrative tasks easier is to use Application Categories, as well as to teach end users how to use tags to organize their own views.


This article discusses the different approaches to populate information into the Centrify Privilege Service vault.  The stage in process of implementing a PIM solution dictates many of the strategies to be used.  At the time of this writing, we are looking at version 17.8, but as you know, releases come every month, therefore, the strategies discussed in this post are subject to change as more capabilities, system types or accounts are added.


We will be focusing on the Linux CLI toolset and the PowerShell Samples.


The Lifecycle

A Shared Account strategy is part of what's needed to continuously overcome the challenges around PIM.  These bullets correspond to where many of our prospects or customers are:

  • Brand new to a shared account strategy.
  • No shared account solution, but a very mature process.
  • Migrating from an existing shared account solution.
  • Optimizing the day-today-operations of an existing shared account strategy.
  • Adjusting strategies (e.g. favored shared account, over least privilege).


Two Types of Activities

I think we can easily condense the strategies into two categories: population and onboarding:

  1. Population activities happen when the shared account strategy is brand new, or a migration is in place (maybe switching solutions or going through M&A activities).
  2. Onboarding activities relate to the orchestration and automation of the regular IT operations (adding systems, accounts, domains, databases, etc).

As of this writing, the tools included with privilege service are:

  • Wizard - manual way of onboarding resources and accounts (out of scope for this article).
  • Import - CSV import for systems and local accounts.
  • Discovery - AD-based for Windows or Linux computers, Scheduled Tasks, Services and their corresponding identities
    (will be briefly mentioned, but covered in depth in a different article).
  • CLI Tools for Linux - cenroll & csetaccount, included with Identity Broker.
  • PowerShell Samples for Windows(tm) - available at your request.
  • REST API - Learn all about them here (out of scope for this article).


The Import Tool

This tool is useful if you're populating a new vault, or if you have a CSV of  the sytsems and accounts that you want to onboard. The import tool is tied to the job system.


  • Name - name of the system in privilege service.
  • FQDN - fully qualified domain name (resolvable) or IP address for the system. If using IP, can't use for zone-role workflow.  
  • ComputerClass  - the type of system.  As of this writing:  UNIX, Windows, Generic SSH, CheckPointGAiA, IBM System i, Juniper , Cisco IOS, Cisco NX-OS, & HP NonStop.  This can potentially change every month.
  • Description - the description of the system.
  • ProxyUser -proxy account to be used.
  • ProxyUserPassword -self-descriptive.
  • ProxyUserIsManaged - determines if the proxy account's password is managed or unmanaged by privilege service.
  • User   -  local account.
  • Password - local account password.
  • Managed - If the account is managed or unmanaged by privilege service.
  • UseProxy - if a proxy account will be used to access this system.
  • UserDescription - description of the user.  
  • Domain - if the account is joined to an AD domain, this is the domain name.  .
  • DomainOperationsEnabled - this is to set if the zone-role workflow if needed.



Privilege Service provides an AD-based Discovery tool.  Discovery has the flexibility that it can be used to populate for the first time or in point occasions as well as ongoing.



From system launch to system termination - the process



Enrollment Codes

Enrollment codes allow for a system to automatically be added to privilege service with access control options like owner, # of systems allowed, IP restrictions and sets.
Enrollment codes are a great tool to enable automation or DevOps scenarios.


PowerShell Samples and Onboarding

The idea behind the PowerShell Samples is to be able to align newly-built Windows systems with the registration in the Privilege Service vault to protect shared accounts or to enable the secure access capability.  Alternatively, systems can be organized in sets.  The samples work with enrollment codes or interactively with user/password combinations.  The latter part is reserved for human interaction.


What you need:

  1. PKI Trust pre-requisite:
    The IWA root certificate for the service or tenant should be trusted (manually or via enterprise trust); same for the certificate used for SSL for the platform (not an issue with SaaS, but yes with customer managed if not following proper PKI practices).  This MFA-centric article, discusses the topic.
  2. Centrify Samples:  Available on github or attached to this post (see below).
  3. An administrative local Windows account to perform the system tasks.


PowerShell Samples in Action

Long command lines are split


Enrollment and onboarding a local account

# This is a sample script that runs at POST; once the system is built, 
# patched and joined to Active Directory. # The assumptions are that an enrollment code has been issued and that
# the modules can be loaded (in this case from the X:\CIP drive # and that the proper sets have been put in place.
# Loading Modules Import-Module X:\CIP\cps\Centrify.Cloud.PowerShell.CIP.psm1 Import-Module X:\CIP\cps\Centrify.IdentityPlatform.Powershell.psm1 # E.g. Enroll code, FQDN, Name, and endpoint are required, sets are optional. # Enrollment Code: B8674D29-890C-4036-AEAB-682DBEF6CA78 # FQDN or IP: member.centrify.vms # Name: member-vault # Service Address: https://vault.centrify.vms # Sets: PCI and Engineering (JSON notation, attribute Name) $enrollcode = "YADAYADA-YADA-YADA-YADA-YADAYADAYADAYA" $computer = ($(Get-WmiObject Win32_Computersystem).name
| Out-String -Stream).ToLower() $computerfqdn = [System.Net.Dns]::GetHostByName(($env:computerName)).HostName
| Out-String -Stream $sets = "Engineering, PCI" $sets_json = "[ { 'Name': 'Engineering' }, { 'Name': 'PCI' }]" $vault = 'https://vault.centrify.vms' Enroll-CIPSystem -EnrollCode $enrollcode -FQDN $computerfqdn
-ResourceName $computer -Endpoint $vault -Sets $sets_json # Onboard the Local Administrator account. # This is a placeholder. Good script here:
# # Return the temporary random password to $localpasswd, this will be rotated
# automatically.
$localpwd = 'R@nd0mG%$56bagethatWILLC6ng3soon' $accountname = 'Administrator' Set-CIPAccount -AccountName $accountname -AccountPassword $localpwd
-isManaged $true # Set Centrify Vault Metadata in the Description of the AD Computer Object $joined = (Get-Date).DateTime | Out-String -Stream $desc = "Sets: $sets. Enrolled to CPS on $joined." Set-ADComputer $computer -Description $Desc


PowerShell Samples Usage

1. First, import modules
What's needed: path to the PowerShell modules

Import-Module C:\[insert-path-here]\Centrify.IdentityPlatform.Powershell.psm1
Import-Module C:\[insert-path-here]\Centrify.Cloud.PowerShell.psm1

2. Enroll a system
What's needed: An enrollment code, the name, the FQDN or IP and the endpoint 
(tenant URL). Enroll-CIPSystem -EnrollCode [code] -FQDN [fqdn/ip] -ResourceName [system-name]
-Endpoint [https://your-url-here] Example: Enroll-CIPSystem -EnrollCode "B8674D29-890C-4036-AEAB-682DBEF6CA78"
-FQDN 'member.centrify.vms' -ResourceName 'member-vault'
-Endpoint 'https://vault.centrify.vms' What happens when a system is enrolled? 1. The system is added to CPS. 2. A service account is created in CIP with the default suffix. 3. The system is added to a built-in role called "Centrify Agent Computers." 4. The service account is added with the grant, view, edit and delete"
permissions at the system level. Note that you can add a system to a set.
Another example: Adding a system to the Engineering and PCI Sets: Enroll-CIPSystem -EnrollCode "B8674D29-890C-4036-AEAB-682DBEF6CA78"
-FQDN 'member.centrify.vms' -ResourceName 'member-vault'
-Endpoint 'https://vault.centrify.vms'
-Sets "[ { 'Name': 'Engineering' }, { 'Name': 'PCI' }]" 3. Unenroll a system What's needed: an administrative account. Examples: Unenroll-CIPSystem -Delete $true
# proper way to leave CIP this will remove the service account. Unenroll-CIPSystem -cleanupOnly
#cleans locally in the system, equivalent to a forced adleave. 4. Vault an account What's needed: resource/domain/database, account name, password and if it's
managed or not; if other system, database or domain, the system must
be authorized to add accounts in the resource. Examples # Sets the local account opieadmin as managed Set-CIPAccount -AccountName 'opieadmin' -AccountPassword 'ThisStringwillChangeS00n!'
-isManaged $true # Sets the remote account testuser in the system engcen6 as unmanaged Set-CIPAccount -resourceName 'engcen6' -AccountName 'testuser'
-AccountPassword 'SecretsAreToBeProtected!' -isManaged $false What happens when a system is enrolled? 1. The account is added under the resource in question. 2. The system that performed the addition, is added with all account
permissions except portal login. 5. Check-out a password What's needed: credential type, name and checkout lifetime. If other system,
database or domain, the system must be authorized to view the top level resource
and view+checkout at the account level. Examples: Get-CIPAccount -AccountName 'opieadmin' -lifetime 2 Get-CIPAccount -domainName "" -AccountName "your-user" -lifetime 2 Get-CIPAccount -databaseName "db-name" -AccountName "your-db-account" -lifetime 2 Other Commandlets: - Remove-CIPAccount - removes a system/domain/database account. - Centrify-GetAccountID - gets the unique identifier for an account.


Linux Client CLI Tools

The help topic contains all the commands included with the client. Let's focus on the same sequence above, but for Linux.

What you need:

  1. PKI Trust pre-requisite
    The IWA root certificate for the service or tenant should be trusted (manually or via enterprise trust); same for the certificate used for SSL for the platform (not an issue with SaaS, but yes with customer managed if not following proper PKI practices).  This MFA-centric article, discusses the topic.
  2. CentrifyCC bits
    These can be obtained from the Infrastructure > Linux Agent section of the Admin Portal, from the Centrify Repo, or distributed via RPM.
  3. Sudo or superuser-like privileges.


CLI in Action

Enrollment with cenroll

# E.g. Enroll code, FQDN, Name, and endpoint are required, sets are optional.
# Enrollment Code: B8674D29-890C-4036-AEAB-682DBEF6CA78
# FQDN or IP: centos7.centrify.vms
# Name: centos7-v
# Service Address:  https://vault.centrify.vms
# Sets:  PCI and Engineering 

$ sudo cenroll --tenant vault.centrify.vms 
--code B8674D29-890C-4036-AEAB-682DBEF6CA78 --verbose --features all
--agentauth identity-broker-users --name centos7
--address centos7.centrify.vms --resource-set PCI, Engineering Enrolling in Centrify identity platform https://vault.centrify.vms/
using enrollment code... Feature enabled: Application-to-Application Password Management Feature enabled: Centrify Agent Authentication Starting Centrify agent... Centrify agent started. [output truncated]


Adding account passwords to the vault with csetaccount

# Set the account password to something random 
# Send it as a parameter for csetaccount using the --stdin option
# Always clean-up.

# Creating random string
sudo cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 
> /tmp/temp.file # Changing account password sudo yes `cat /tmp/temp.file` | passwd root # Vaulting the credential sudo csetaccount --verbose --managed=true --stdin root < /tmp/temp.file verbose: setting account through cclient # Housekeeping sudo rm -f /tmp/temp.file


The account and password are onboarded under the system in question.



The system rotates the password immediately.


The system can read and delete the password (ready for the EoL use case).


Deleting an account and unenrolling a system

# Deleting an account from the vault
$ sudo cdelaccount --silent root

# Unenrolling a system (e.g. prior to decommision or termination) using the 
# system account $ sudo cunenroll --delete --machine

The Linux agent allows for the onboarding of database (Oracle, SQL Server) or Active Directory domain retrieval for CLI or machine to machine scenarios (see cgetaccount).


AWS and GCP Automation

In AWS and GCP, the lifecycle (launch instance/terminate instance) can be automated using the methods above and Centrify has provided some assets also available via GitHub.


Below are the variables that require information (to vault systems automatically):

# Specify the customer tenant URL to enroll in cenroll CLI

# Specify the enrollment code to use in cenroll CLI

# Specify the roles to grant "AgentAuth" right in cenroll CLI

# Specify the features to enable in cenroll CLI

# Specify the type of network address. Possible values:
# "PublicIP" (default), "PrivateIP" or "HostName"

# Specify the prefix of the login name to use for this computer in the Centrify
# identity platform. The format is <prefix>-<AWS instance ID>.


Expect the methods to continue to evolve, just like the system types and capabilities are added monthly.


We want to hear from you

What can we improve?  Always use the comments or leverage the idea exchange and community.

In this post, I cover some of the key audit events Centrify captures, where one can find them if they want to send these logs to SIEMs and other tools.


Showing results for 
Search instead for 
Do you mean 

Community Control Panel