Centrify Privileged Services can be used to manage systems in the enterprise, but first those systems need to be added to the Centrify Privileged Services portal. Centrify Privileged Services gives you four different ways to add your enterprise systems to the portal; these are:

 

  • Adding systems manually: in this method, you add one system at a time.
  • Running a Discovery job: in this method, you create a discovery profile that identifies the types of systems you are interested in, such as Windows or UNIX computers, and then run the Discovery job to scan the network for the systems that match the criteria you specified.
  • The Bulk Import method: this method lets you download a CSV file template that you populate with the systems you want to add to your Centrify Privileged Services portal.
  • The Windows PowerShell import script: with this method, you run an interactive Windows PowerShell script and use it to import systems into your Centrify Privileged Services portal. To read more about this, please see this TechBlog.

 

In this article, we will focus on Option 3: adding systems to the Centrify Privileged Services portal using the Bulk Import method.

 

The steps in this article assume that you already have a Centrify Privileged Services portal set up.

 

 

Navigate to the Infrastructure > Systems section of the portal and click the Import button at the top of the page:

 

[Screenshot: Systems.PNG]

When you click the Import button, a new "Import" window opens. Click "Bulk System Import Template" and download the file.

 

[Screenshot: importbutton.PNG]

Open the CSV template file. Notice that it already has template fields populated; edit the file with the systems you want to import. In my case, I want to import 6 systems, 3 Unix and 3 Windows, along with the local accounts on those systems.

 

 

[Screenshot: csvfilesample.PNG]

After saving the file, upload the CSV file to your Centrify portal. The import process runs in the background and, depending on the number of systems and accounts you are importing, may take some time to complete. When it finishes, you will receive an email notification with the results.

 

The notification email looks something like this:

 

 

[Screenshot: emailofimportfinish.PNG]

As you can tell from the email above, only 5 of the 6 systems were imported successfully. The email tells you which system was not imported by referencing its row number in the CSV file. In my case it is row 7, which is the Windows machine; please see the image below to see why it failed to import.

 

 

[Screenshot: row7.PNG]

Notice that the import job could not find a computer class of type "Wlndows", so spelling matters in this CSV file: the class name must match exactly. To fix this, I corrected the spelling error and re-imported the system. The systems that were imported successfully are listed under the Systems tab.
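The import e-mail reports failures by CSV row; the following added example (not Centrify code) is a pre-flight check that catches a misspelled computer class such as "Wlndows" before upload and reports it the same way, counting the header as row 1. The column names are assumptions, since the real template's columns are not reproduced here; compare them with the downloaded template before relying on the check.

```python
"""Pre-flight validator for a Centrify bulk system import CSV.

Added example, not Centrify code. The column names are assumptions: the
real template's columns are not reproduced on the page, so compare them
with the downloaded template before using this check.
"""
import csv
import difflib
import io

# Assumed (hypothetical) column names from the bulk import template.
REQUIRED_COLUMNS = ("Name", "FQDN", "ComputerClass")
# Computer classes the import accepts; the match is case- and spelling-sensitive.
VALID_CLASSES = ("Windows", "Unix")

# Constructed sample: six systems, three Unix and three Windows, each with a
# local account. Row 7 carries the "Wlndows" typo that failed in the article.
SAMPLE_CSV = """Name,FQDN,ComputerClass,LocalAccount
lnx01,lnx01.example.test,Unix,discovery
lnx02,lnx02.example.test,Unix,discovery
lnx03,lnx03.example.test,Unix,discovery
win01,win01.example.test,Windows,discovery
win02,win02.example.test,Windows,discovery
win03,win03.example.test,Wlndows,discovery
"""


def validate_bulk_import(csv_text):
    """Return a list of (row_number, message) problems found in the CSV.

    Row numbers count the header as row 1, which matches how the import
    result e-mail refers to rows (the sixth system is row 7).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing required column(s): " + ", ".join(missing))]

    problems = []
    seen_names = set()
    for row_number, row in enumerate(reader, start=2):
        for column in REQUIRED_COLUMNS:
            if not (row.get(column) or "").strip():
                problems.append((row_number, f"{column} is empty"))

        name = (row.get("Name") or "").strip()
        if name in seen_names:
            problems.append((row_number, f"duplicate system name {name!r}"))
        if name:
            seen_names.add(name)

        cls = (row.get("ComputerClass") or "").strip()
        if cls and cls not in VALID_CLASSES:
            # Offer the closest valid class so a typo like "Wlndows" is obvious.
            hint = difflib.get_close_matches(cls, VALID_CLASSES, n=1, cutoff=0.6)
            message = f"unknown ComputerClass {cls!r}"
            if hint:
                message += f" (did you mean {hint[0]!r}?)"
            problems.append((row_number, message))
    return problems


if __name__ == "__main__":
    # Run the check on the constructed sample; fix every reported row, then upload.
    for row_number, message in validate_bulk_import(SAMPLE_CSV):
        print(f"row {row_number}: {message}")
```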

 

 

 

[Screenshot: successfulimport.PNG]

If you also imported local accounts along with the systems, the successfully imported accounts are listed under the Accounts tab; in the image below, the imported accounts are marked:

 

 

 

[Screenshot: successfulimportedaccounts.PNG]

Once the import is done, turn to the prominent red exclamation marks shown next to some of the systems. The systems with this mark have the "Unreachable" status in the "Last Test Result" column. We want our systems to be reachable; otherwise, what is the point of adding them to the Centrify Privileged Services portal?

 

 

[Screenshot: unreachable.PNG]

For the systems showing the Unreachable status, click into the system and select "Test Connection". If the connection test fails, the first thing I check is the status of the connectors, to make sure they are all up and running.

 

In my case, the connector was in connected mode but the "Test Connection" test was still failing.

 

- I clicked into the machine, clicked the "Settings" tab and replaced the DNS name with the IP address of the machine in the DNS Name/IP Address field. After saving the changes and re-running the Test Connection test, the connection test was successful.

 

 

[Screenshot: replacewithIpaddress.PNG]

Since I also added accounts along with the systems to my Centrify Portal, I want to make sure that the accounts I added along with the systems can be used to log into the machines via the Centrify Privileged Services Portal. 

 

This can be done either by navigating to the Infrastructure > Accounts tab and locating the accounts you imported, or by navigating to the Infrastructure > Systems tab, clicking into the system itself and then clicking "Accounts"; in the Accounts section we see the account that was imported with the system.

 

Click into the account and select the "Verify Credential" option. This test verifies whether the user account and password imported for the machine are correct.

 

In my case, the "Verify Credential" test failed for my "discovery" user account. The other test I tried was to click the user account > Actions > "Login".

 

The user account "discovery" was able to log in to the machine successfully, so we know the credential is fine and the "Verify Credential" test should have passed.

 

 

In my case, the Windows Firewall was turned on in the Domain network settings. I turned off the Windows Firewall for the Domain network settings and was then able to pass the "Verify Credential" test.

 

 

[Screenshot: successfullverifycredential.PNG]

To learn more about Centrify Privileged Services, please see the Centrify Privileged Services administrator's guide.

 

 

 

Enable Service

 

After installation, we will show the following "Centrify Agent Configuration" window instead of the old configuration wizard:

 

In this window, we simply show an "Add service" button, with a description explaining the different Centrify services and features.

The Enabled services section will be empty the first time.

 

[Screenshot: service_1.png]

When the "Add service" button is clicked, we search for the available services (Centrify Identity Services Platform, Centrify Privilege Elevation Service, Centrify Auditing and Monitoring Service) and list them in the next dialog. We also verify (via the registry) whether the DZ/DA agent is installed on the local machine and disable the related services:

 

[Screenshot: service_2.jpg]

This lists all the available services that can be enabled on this client, with a list of the features that will be available after a given service is enabled.

Users can simply click on one service and it will bring up another dialog to input the service entry.

 

There are 3 different services for now:

 

Centrify Privilege Elevation Service

 

 

[Screenshot: service_3.jpg]

Users can type in the zone name (short or full); the dialog also loads all available zones into the list. Once a zone is specified, click the Next button to join the zone; a general progress page is shown with a summary or errors on finish. A reboot is required once finished to activate the Access features.

If a zone is already configured with a tenant, it will be detected and "Centrify Identity Services Platform" will also be shown as enabled after the zone is joined, but this Identity Services Platform entry is managed by the zone and shown as read-only.

Centrify Auditing and Monitoring Service

 

[Screenshot: service_4.jpg]

It loads all the available audit stores in the current forest into the list. Users can select one and click the Next button to connect.

A general progress page is shown with a summary or errors on finish.

Centrify Identity Services Platform 

 

[Screenshot: service_5.jpg]

Users can type in the identity platform URL; the drop-down box also loads the registered platform instances in the current forest.

Once the URL is specified, click the Next button to enroll in the platform. It shows the same enrollment progress bar as we have now and, once enrollment succeeds, brings up another dialog asking for MFA login options:

 

[Screenshot: service_6.jpg]

This is the same settings dialog as we have now; by default all AD accounts are enabled for MFA login. Users can use the Add/Remove buttons to add or remove user and group accounts via the standard AD object picker. Click the Next button to save the settings. Users can also close this dialog to skip the MFA login settings and set them later in the control panel.

 

Once a service is enabled, it will be shown in the Enabled services section in the main page:

 

[Screenshot: service_7.jpg]

Users can click the "Add service" button to enable another service. After the search, if no further service is available, an info prompt says that all available services are currently enabled.

Enabled services are listed with their data source name.

 

Users can click on each enabled service to modify its additional settings or remove the service.

 

 

Creating a DNS role assignment

By Centrify, 12-27-2018 01:44 PM

This article contains the instructions for creating a role assignment to allow a non-admin user to launch the DNS management console from a machine other than the DNS server. This will also enable the user to edit DNS settings but will not provide access to the DNS server itself. This may be useful in cases where a contractor may be employed to edit DNS settings or if you want to delegate DNS administrative duties to a standard user.


In this article, we are going to cover the Centrify License Service from installation to set up for the Infrastructure Services.

 

The installation is very simple, but there is typically one piece of the setup that many users miss. They then end up getting warnings like the one below:

[Screenshot: audit_manager.PNG]

 

 


Download Postman: https://www.getpostman.com/

 

Authenticate before calling other APIs

1. StartAuthentication: https://developer.centrify.com/docs/starting-the-authentication-process

POST https://aap0825.my.centrify.com/Security/StartAuthentication
Headers:
    X-CENTRIFY-NATIVE-CLIENT: true
    Content-Type: application/json

 


This article walks through the steps to back up and migrate a Report Services database to a new server.

 

In most instances, because the data in the Report Services database is not live data, it is easier to rerun the Report Services Installer, do a fresh install of Report Services, create a new db instance on a new SQL server, and then resync the data.

 

In the rare occurrence that a new database cannot be installed and resynced, below are the steps that can be used to back up, migrate, and restore the Report Services to a new SQL server.


This article walks you through the basic configuration of setting up B2B federation from Azure AD to the Centrify Privilege Service. The benefit is that users can authenticate with Azure AD and then be granted access to Centrify Privilege Service where their authorizations can be controlled separately. 


This article walks through the configurations for controlling which privileged accounts users can see in the Centrify Admin Portal. A common use case would be to grant developers or third-party vendors access only to the privileged accounts they are allowed to use.


This article walks through the configurations for controlling which server(s) or network appliance(s) users can see in the Centrify Admin Portal's list of Systems. A common use case would be to grant developers or third-party vendors access to only the system(s) they are allowed to see, without exposing all the other system names in your environment.


This article will show you how Centrify can enable Linux to accept Google credentials for login, without having to add users locally.


This article introduces the concept of B2B federation from Azure AD to Centrify Privilege Service and why some businesses are choosing this form of federation. 


Introduction:

This article is the third part of a series to show how to integrate Symantec VIP with the Centrify Identity Platform. The first part of this series discussed the value of this integration and walked through the end user experience at a high level. The second part of the series covered the pre-requisites, architecture, and setting up the Symantec VIP solution to act as the RADIUS server for this integration. Please review parts I and II before you read this article to get the full context of the integration and the value it provides to the business.

 

To review the first article in the series you can view it here.
To review the second article in this series you can go here.

 

Part III will cover the following:

  • Setting up Centrify Identity Platform to act as the RADIUS client to the Symantec Enterprise Gateway RADIUS server.
  • Testing the MFA at portal login to ensure it uses Symantec VIP


Disclaimers:

  • This posting is provided "AS IS" with no warranties and confers no rights.
  • This is a lab entry. It is only meant to show the reader one method for this integration and to provide an informal how-to guide on setting it up.
  • It's not meant for production design and does not address things like high availability and separation of duties.
  • Production designs require planning for people, process and technology.
  • Symantec VIP is a registered trademark of Symantec.
  • The versions of software used in this guide are supported as of 2018. There is no guarantee that future versions of the software released by the vendors will be compatible for this integration. It's always best practice to validate new versions of the software through official support channels.

Pre-requisites:

  • Please review the pre-requisites in part II of this blog series here

Assumptions:
This article focuses on the configuration of Symantec VIP to provide MFA (multi-factor authentication) for the Centrify platform policies and assumes that you have familiarity with Symantec VIP Access manager and the Centrify Identity platform. The article does not go into detail on how to set up the Centrify platform or Symantec VIP because there is a lot of documentation publicly available that covers these topics. This article also assumes that you read parts I and II of this series.

Let's get started by presenting the same diagram we showed you in part II as a refresher. We are going to be configuring the Centrify side of the diagram in this article.

[Screenshot: diagram.png]

 

Step 1

  • Let's set up the Centrify portal side of the integration. This step assumes you have a valid Centrify tenant created and have already installed a Centrify connector that has line of sight to your Symantec Enterprise Gateway server. Refer back to the architecture diagram above to see what I mean.
  • Create a test authentication profile that is going to use a 3rd party RADIUS server for authentication.

[Screenshot: Screenshot 2018-05-21 22.12.13.png]

Step 2

  • Give the authentication profile a name and select 3rd party RADIUS authentication as one of the challenges. Configure the profile to challenge for the VIP token first and the password second to prevent account lockouts.

 

[Screenshot: Screenshot 2018-05-21 22.12.43.png]

 

Step 3

 

  • Next, create a connection to the Symantec RADIUS validation server that will be fulfilling the authentication requests. You can do this under the Authentication section in Settings, as shown below.

 

 

[Screenshot: Screenshot 2018-05-21 22.13.57.png]

 

 

Step 4

  • Give the RADIUS server a name and enter the hostname or IP address of the Symantec Enterprise Gateway (which is going to be listening for RADIUS connections).
  • Specify the RADIUS port that the RADIUS server is listening on and enter the server secret that was used in the Symantec Enterprise Gateway configuration.
  • Select a user identifier attribute of EmailAddress. The user identifier attribute is what enables Symantec Enterprise Gateway to look up your user and validate that they are entering the right code, so this setting is important to ensure the lookup occurs accurately. In my case, the user attribute mapped to my Symantec VIP service is my email address in my Active Directory.
  • Note: You can use other user attributes, and you can configure Symantec Enterprise Gateway to look up an attribute in AD directly. These alternate configuration options are not covered in this blog, but there is some flexibility in how you perform the user mapping between the 2 solutions.

 

[Screenshot: RADIUS server settings, Screenshot 2018-05-21 22.14.33.png]

 

Checkpoint

 

At this point, you have created a Centrify authentication profile that will use a 3rd party RADIUS server (i.e. Symantec Enterprise Gateway) and you have also created a 3rd party RADIUS server connection (also Symantec Enterprise Gateway) that is listening for RADIUS authentication requests on the port that we specified. Next, we will create the Centrify authentication policy that will generate the authentication request when we want to use Symantec VIP for authentication. 

 

Step 5

 

  • Create a new policy that will challenge the user with the new authentication profile we created.
  • Under Core Services, create a new policy and under policy settings, apply the policy to a test role in your environment. The members of this test role should have a Symantec VIP token available and registered in the VIP Access manager service. An example policy is shown below:

 

 

[Screenshot: policy settings, Screenshot 2018-05-21 22.16.38.png]

 

 

Step 6

 

  • Next, under the same policy, find the “Login Policies” section as shown below.
  • You have the option of configuring a login policy for login to the Centrify portal, UNIX and Windows Servers, and Windows Workstations.
  • We will configure the login policy for the Centrify Portal as an example. Simply enable authentication policy controls and define the Default Profile as the VIP authentication profile that we created earlier.
  • NOTE: The Authentication Rules can further define when the user will be challenged using situational awareness. This is also known as adaptive authentication. You can use static rules (i.e. the user is not coming from my corporate IP) or you can use dynamic risk scores (i.e. the user is coming from the right IP and the same machine we registered with the user, but he is logging into an application he has never used before) to adaptively challenge the user for MFA. This is the real power of using the Centrify platform to drive the policy with a 3rd party MFA provider.  

 

[Screenshot: Screenshot 2018-05-21 22.17.37.png]

 

Step 7

 

  • Configure the User security policy to enable 3rd party RADIUS authentication as an available option for the users that this policy applies to. 
  • With this setting, you are telling Centrify that the specific users that this policy applies to are allowed to use the 3rd party RADIUS authentication server (Symantec VIP in this case). This ensures that not everyone is driven to this authentication server if they don't need to be. 

 

[Screenshot: Screenshot 2018-05-21 22.19.17.png]

 

Checkpoint

 

Ok, that's it! Now you should be ready to test. Get your Symantec VIP token out, go to the Centrify portal login page and log in with your test user.

 

[Screenshot: portal login, Screenshot 2018-05-21 22.25.17.png]

 

Press Next and you should see the option to log in with the Symantec VIP authenticator. Enter the passcode displayed by the Symantec VIP authenticator token.

[Screenshot: Symantec VIP, IMG_0004.png]

[Screenshot: VIP code entry, Screenshot 2018-05-21 22.25.43.png]

 

Press Next and you will now be challenged for a password (since this is the order that we set in our authentication profile above).

 

[Screenshot: password entry, Screenshot 2018-05-21 22.26.08.png]

 

Press Next after entering your password and voila! If everything worked, you should now be logged into the Centrify portal and you were able to authenticate with the Symantec VIP token for MFA. Now you can go about using single sign on to your corporate applications or go into the Administration section to manage your privileged identity management systems and resources.

 

[Screenshot: infrastructure homepage, Screenshot 2018-05-21 22.27.07.png]

 

 

Conclusion

 

Thanks for following along with this three-part blog series. To recap, this blog series walked through the process of using the Centrify Identity platform to drive the authentication policy that leveraged the Symantec VIP infrastructure for MFA. The benefit of this integration is that if you are a Symantec VIP customer, you can maximize your existing Symantec VIP tokens for MFA to provide identity assurance to applications and infrastructure by driving the policy through the Centrify identity platform. This allows you to use a common set of security policies to provide MFA for web applications, server login, workstation login, privilege elevation, password checkout, and much more. It also allows you to take advantage of the Centrify platform without having to rip and replace your existing MFA provider. I hope this blog was helpful.

Centrify's App Gateway provides the ability to access internal web apps or intranet sites without a VPN. This helps to provide just the right amount of access to third-party vendors, or convenient access to internal resources from a non-work computer. This article will walk through the steps to enable App Gateway.


The following TechBlog details how to configure People HR with SAML for federation to Centrify Application Services. Also covered in this TechBlog are options to enhance the security posture using Centrify Multi-Factor Authentication when users access People HR. The TechBlog finishes with a video clip showing the end user experience.


Working With Keytabs

By Centrify Contributor II on 07-09-2018 02:10 PM

Learn the basics of Kerberos and how keytabs can be created, with examples for common scenarios.


Introduction:

This article is the second part of a series to show how to integrate Symantec VIP with the Centrify Identity Platform. Part II will cover the following:

  • Pre-requisites for setting up the test environment
  • High-level architecture of the solution
  • Configure Symantec VIP Manager hosted service
  • Install Symantec Enterprise Gateway on our Windows Server
  • Establish Trusted communications between the Enterprise Gateway and the Symantec VIP Manager service
  • Configure a RADIUS validation server to listen to RADIUS requests
  • Test the RADIUS validation server to ensure it fulfils the RADIUS requests sent to it.

 

The first part of this series discussed the value of this integration and walked through the end user experience at a high level. To review the first article in the series you can view it here.

Let's start configuring a test environment so you can try this out yourself. 

Disclaimers:

  • This posting is provided "AS IS" with no warranties and confers no rights.
  • This is a lab entry. It is only meant to show the reader one method for this integration and to provide an informal how-to guide on setting it up.
  • It's not meant for production design and does not address things like high availability and separation of duties.
  • Production designs require planning for people, process and technology.
  • Symantec VIP is a registered trademark of Symantec.
  • The versions of software used in this guide are supported as of 2018. There is no guarantee that future versions of the software released by the vendors will be compatible for this integration. It's always best practice to validate new versions of the software through official support channels.


Now that the disclaimers are out of the way, let's get started.

 

Pre-requisites:

  1. Obtain VIP Manager Account
    1. You need this to configure VIP Authentication, download Symantec Enterprise Gateway, and download documentation.
  2. Obtain Centrify tenant
    1. You need this to configure Centrify Identity Platform and download the Centrify Connector. You can obtain a free trial for Centrify Application Services or Centrify Infrastructure services here.
  3. A SmartPhone for Testing
    1. You need a smartphone to download the Symantec VIP Authenticator application and to register it with Symantec VIP.
  4. A Windows 2012 R2 Server
    1. You need this system to download and install the Symantec Enterprise Gateway and the Centrify Connector. This should be a domain joined server which will allow the Centrify connector to connect your on-premise Active Directory to perform user authentication services. The server will also need to allow outbound https traffic to the respective Symantec VIP and Centrify hosted services. Details of ports and settings can be found on each vendor's documentation. 
  5. Microsoft Active Directory Environment
    1. You will need a test Active Directory environment to follow along with the example below. I am using domain functional level 2012 R2. Note that this process can be accomplished with any LDAP directory. 

 

Assumptions:

This article focuses on the configuration of Symantec VIP to provide MFA (multi-factor authentication) for the Centrify platform policies and assumes that you have familiarity with Symantec VIP Access manager and the Centrify Identity platform. The article does not go into detail on how to set up the Centrify platform or Symantec VIP because there is a lot of documentation publicly available that covers these topics.

Diagram:

The high-level flow diagram for this setup is as follows:

 

[Screenshot: Screenshot 2018-05-28 22.21.25.png]

 

The diagram above shows the Centrify and Symantec SaaS-based identity platforms, the Centrify Connector, the Symantec Enterprise Gateway, and Active Directory as the main components used in this example. The flow for this use case is as follows:

 

  1. The end user logs into the Centrify Portal or Centrify protected application/resource.
  2. Centrify will determine via policy that the user needs to be challenged for MFA by the Symantec VIP platform.
  3. The Centrify connector will pass the authentication to the Symantec Enterprise Gateway using RADIUS.
  4. Symantec Enterprise Gateway will leverage the VIP cloud service to authenticate the user with her VIP soft token.
  5. The VIP service will authenticate the VIP token code and send the result to Symantec Enterprise Gateway.
  6. Symantec Enterprise Gateway will pass the result back to the Centrify Connector.
  7. If MFA is successful, the Centrify Connector will then authenticate the user's AD credentials as per authentication policy.
  8. Active Directory will verify the user's credentials and send the result to the Centrify connector.
  9. The Centrify connector will pass the result back to the web application or resource server.
  10. Centrify will confirm the result and redirect the user appropriately.

Note:

  • This configuration does not take into account high availability.
  • The Active Directory LDAP authentication can be performed by Symantec VIP or Centrify but I have configured Centrify to perform the AD authentication so that we can challenge for MFA first through Symantec VIP, and AD authentication second with Centrify.

 

Setting up Symantec VIP Manager:

 

Step 1
The first step is to set up the cloud-based VIP Manager.

  • Log in to VIP Manager with your credentials and VIP credential.

[Screenshot: Screenshot 2018-05-21 21.45.33.png]

[Screenshot: Screenshot 2018-05-21 21.46.47.png]

 

  • Download Enterprise Gateway installation bits and install guide.

[Screenshot: Screenshot 2018-05-28 23.07.30.png]

[Screenshot: Screenshot 2018-05-28 23.12.29.png]

 

  • Download the Enterprise Gateway bits to the Windows Server where your Centrify connector is running, or on a server where it can communicate with the Centrify connector using RADIUS. We will come back to the Enterprise Gateway in a bit but for now, let's finish setup in the VIP manager.

Step 2

Next, we're going to create a test user. Note that the user ID is the email address because this is how we will later look up the user for AD validation. Also note that you need to download and register a Symantec VIP soft token credential for this user.

 

  • Create a test user (RADIUS - email address) with an email address and register a VIP credential.

[Screenshot: Screenshot 2018-05-28 23.23.02.png]

 

Step 3

Next, you need to create a VIP certificate to establish a trusted connection between Enterprise Gateway and Symantec VIP.

  • Click on the Account tab at the top of the screen and then select "Manage VIP Certificates".

[Screenshot: manage vip certs.png]

 

 

  • Create a new Certificate by clicking on “Request a Certificate”. This certificate will be needed on the Enterprise Gateway in order to establish a secure connection with the VIP manager.

Step 4

  • Our next step is to install Enterprise Gateway. Symantec provides detailed instructions on how to do this in this document. It's also relatively easy to click through without reading the documentation.
  • Run the setup wizard to install the Enterprise Gateway software to run as a Windows service.

Step 5

  • Next, you need to log in to Enterprise Gateway (once it is launched in a web browser).
  • Once Enterprise Gateway is running, you need to configure the VIP certificate to secure communications to VIP Manager.
  • The screenshot below shows where you need to add the VIP certificate that you downloaded in Step 3. This establishes mutually authenticated (trusted) communication between your Enterprise Gateway and your Symantec VIP service.

 

[Screenshot: add vip cert.png]

Step 6

Create a RADIUS Validation Server

  • We need to create a RADIUS validation server object in Symantec Enterprise Gateway to accept RADIUS connections from a RADIUS client. This is a key step because the Symantec RADIUS validation server will be listening for authentication requests from the RADIUS client. The Centrify connector will be the RADIUS client, which we will set up in the next blog article. Refer back to the architecture diagram at the beginning for a visual reminder of how this will work if you're getting lost.
  • Create a RADIUS Validation Server object as shown below. You need to define where the RADIUS authentication requests will be coming from. This requires that you configure the server name the RADIUS requests will be coming from, the server IP, an open port, and a shared secret. Note: We will use this information in the next blog article when we tell the RADIUS client where to send its authentication requests. The rest of the options can be left at their defaults for this simple test.

 

[Screenshot: radius validation server.png]

 

Step 7

  • Once this is set up, we need to test the validation server. Symantec includes a nice test tool to help you double-check that your RADIUS connectivity is all set up.
  • The Symantec RADIUS tool is located in the Enterprise Gateway files under the tools directory. The syntax to test connectivity to the Enterprise Gateway acting as the RADIUS server is shown below.
  • Note: You can also use NTRadPing, which is a great tool to test RADIUS client-server communication.

[Screenshot: RADIUS test.png]

 

Checkpoint

 

Once the RADIUS validation test works, you are in good shape. We know that the Symantec Enterprise Gateway RADIUS validation server is listening, accepting authentication requests, and fulfilling those requests. Now the only thing left to do is to set up the Centrify Connector to act as the RADIUS client to the Enterprise Gateway. 

 

Note: If the test above did not work, make sure you have ports correct, shared secrets correct, make sure firewalls are open on appropriate ports, and make sure you are testing with the right username/password and Symantec VIP credential.
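Part III's Step 4 (RADIUS server address, port, shared secret and user identifier) and the note above describe the same exchange. The following added example, which is not Centrify or Symantec code, shows how the shared secret ties a RADIUS Access-Request to its reply under RFC 2865 and why a secret that differs between client and server makes a connectivity test fail rather than return a clean reject. The user name, password, secret and NAS identifier are constructed values.

```python
"""RADIUS Access-Request/Access-Accept exchange, showing what the shared secret does.

Added example, not Centrify or Symantec code. It models the Centrify connector as
the RADIUS client and the Symantec Enterprise Gateway validation server as the
RADIUS server (RFC 2865). User, password, secret and NAS identifier are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def _attr(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block);
    the 'previous block' of the first block is the Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a server holding the same secret recovers it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_id):
    """Client side: return (packet, request_authenticator) for an Access-Request."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(body):
    """Split the attribute area into {type: value}; stop on a malformed length."""
    attrs = {}
    while len(body) >= 2:
        attr_type, length = body[0], body[1]
        if length < 2 or length > len(body):
            break
        attrs[attr_type] = body[2:length]
        body = body[length:]
    return attrs


def build_response(code, request_packet, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request_packet[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_packet[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def serve_access_request(packet, secret, users):
    """Server side: recover the hidden password and answer Accept or Reject."""
    attrs = parse_attributes(packet[20:])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, packet[4:20])
    ok = hmac.compare_digest(users.get(attrs.get(ATTR_USER_NAME, b""), b""), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, packet, secret)


def verify_response(packet, secret, request_authenticator):
    """Client side: the reply's code name, or None if the Response Authenticator
    does not match (a client discards such replies, so a secret mismatch shows
    up as a timeout, not as an Access-Reject)."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    return CODE_NAMES.get(packet[0], "Unknown")


def demo(password, client_secret, server_secret):
    """One exchange against a constructed one-user table on the server side."""
    users = {b"user@example.test": b"Passw0rd!"}
    request, req_auth = build_access_request(
        7, client_secret, b"user@example.test", password, b"centrify-connector-01")
    reply = serve_access_request(request, server_secret, users)
    return verify_response(reply, client_secret, req_auth)
```

demo(b"Passw0rd!", b"s3cret", b"s3cret") returns "Access-Accept", a wrong password returns "Access-Reject", and a secret that differs between the two sides returns None, which is the silent-discard behaviour behind a failed connectivity test.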

This concludes part II of this blog. As a review, we completed the following:

  • Covered the Pre-requisites for setting up the test environment
  • Provided a High-level architecture of the solution
  • Configured Symantec VIP Manager hosted service
  • Installed Symantec Enterprise Gateway on our Windows Server
  • Established Trusted communications between the Enterprise Gateway and the Symantec VIP Manager service
  • Configured a RADIUS validation server to listen to RADIUS requests
  • Tested the RADIUS validation server to ensure it was fulfilling the RADIUS requests sent to it. 

 

 

In the next article, I will go through the setup steps on the Centrify Portal to complete the configuration.

 

You can find the next article (part III) in this blog here

To review part I of this article go here

A DirectManage Audit 3.x installation typically creates and works with two types of databases: an Audit Server database (also known as the Management database) and an Audit Store database. The Audit Server database stores DirectManage Audit 3.x application-specific settings, whereas the Audit Store database stores the actual audited user sessions. A typical DirectManage Audit 3.x installation consists of one Audit Server database and one or more Audit Store databases.

 

In a nutshell, these are the steps involved when migrating the databases from one database server to another:

 

Step 1 - Stop all the collectors

Step 2 - Take a backup of the existing databases (optional but recommended)

Step 3 - Detach the existing databases and attach them to the new database server

Step 4 - Ensure that CLR integration is enabled on the new database server and that a login for NT AUTHORITY\SYSTEM exists on the server

Step 5 - Restore the TRUSTWORTHY flag and the owner of the database

Step 6 - Modify the newly attached Audit Server database

Step 7 - Restore the connection between the Audit Server database and the Audit Store database

Step 8 - Update the database entries in Active Directory

Step 9 - Start all the collectors

 

The attached document explains in detail how each step above should be carried out if a database migration is unavoidable, so as to keep the impact on the DirectManage Audit system as small as possible.

 

How to configure SSO for Informatica Intelligent Cloud Services using SAML...

Read more...

How to:
Centrify provides the following scripts to enable/disable debug logging:

  • Centrify Agent for Linux:  /usr/share/centrifycc/bin/cdebug
  • DirectControl:  /usr/share/centrifydc/bin/addebug
  • DirectAudit: /usr/sbin/dadabug

Enable debugging in journald environment

Read more...

Do you want to give an individual remote access without giving it to all users? Then this blog is for you!

Read more...

Using the IS-CPS Bulk Import Tool

By Centrify 06-27-2018 04:09 PM

This article describes the basic steps to obtain and configure the necessary tools used to import objects into the Privilege Service vault. This feature was added in Centrify Privilege Service 18.4 and allows admins to import systems, domains, databases and their accounts. It is a PowerShell module that will be released on GitHub.

Read more...

In the documentation for Centrify Report Services, it mentions setting up permissions in SSRS for user accounts that need to access Report Services to view (Report Viewer) and write (Report Writer) reports. 

 

This article goes over the section for "Required SSRS permissions" (Report Admin, Report Viewer, Report Writer)

Read more...

This blog goes over regular expressions (REGEX for short) when creating a new command, with some tips and things to watch out for when using REGEX in commands.

REGEX.PNG

Read more...

A Centrify Connector on an AWS private subnet allows you to:

  • Gain better accountability of who is accessing the private subnet,
  • Apply role-based access to the private subnet,
  • Vault the passwords of local and domain service accounts used in the private subnet,
  • Provide MFA login for Windows or Linux servers,
  • Integrate with an Active Directory domain that is associated with the private subnet,
  • Provide MFA for other AWS services such as AWS Workspaces.

This article will go over the AWS and Centrify configurations you will need to use a Centrify Connector on an AWS private subnet.

Read more...

How to allow users to log into a remote Linux machine via SSH, using Active Directory credentials that require smart card authentication

Read more...

This TechBlog describes how to create a scheduled task that will automatically rotate the Centrify Auditing database on the first day of each month. You can easily modify the command outlined to suit your requirements.

Read more...

Maximize your Symantec VIP investment with Centrify

Many organizations are using Symantec VIP to provide MFA (multi-factor authentication) services for identity assurance, but often their use cases are narrow in scope. For example, MFA may only be used at VPN login or for a specific application login. I want to demonstrate how organizations can maximize their investment in Symantec VIP to provide MFA Everywhere by combining it with the Centrify Identity Platform. This includes MFA for web applications, server login, workstation login, privilege elevation, password checkout, and more. The key is to use the Centrify Identity Platform as the policy engine that drives MFA when needed. This empowers organizations to use a single source of policy to drive MFA Everywhere and take advantage of a single platform that provides identity assurance for single sign-on, enterprise mobility management, and privileged identity management. Not only does this maximize the investment in their existing MFA solution (Symantec in this example), but it also allows them to leverage centralized administration, reporting, and risk-based analytics to drive logical access across the enterprise.

 

In our example below, we will leverage Symantec VIP to provide MFA to a web-based application. Additionally, I wrote an article a while back that explains how you can extend Symantec VIP to provide MFA in conjunction with Centrify Infrastructure Services (formerly known as Centrify Server Suite) at server login and privilege elevation. This solution allows you to centralize non-Windows identities in Active Directory and use Symantec VIP to provide identity assurance for specific server-related tasks.

Let us take a look at the high-level overview of what this looks like for the end user. If you would like to skip ahead to the setup, go to part II of this blog here

Step 1:

When an Active Directory user logs into the Centrify end user portal, he/she would be challenged with Symantec VIP as shown below:
portal login Screenshot 2018-05-21 22.25.17.png

 

Step 2:

The first authentication method is going to ask the user to provide the access code on his/her VIP token:

 

symantec vip IMG_0004.png

vip code entry Screenshot 2018-05-21 22.25.43.png

Step 3:

The second authentication will validate the user's LDAP directory password. We're using Microsoft Active Directory in our example. Once completed, the user will be taken to the user portal page.

 

password entry Screenshot 2018-05-21 22.26.08.png

The order of authentication (i.e. challenging for LDAP password second) can be controlled by policy. Challenging for the one-time passcode from the Symantec VIP token first prevents an attacker from locking out the end user's Active Directory account by ensuring the possession of the Symantec VIP token before allowing the user to enter her Active Directory password. It is a handy policy to have for an internet facing web application.
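To make the lockout argument concrete, here is an added Python simulation written for this page; it is not Centrify's policy engine or Symantec's code. It models an Active Directory account with a constructed lockout threshold of five bad passwords and a VIP token with a constructed current code, then runs ten password guesses from someone who does not hold the token under both factor orderings. With the token challenged first, the directory never sees a password attempt, so its bad-password counter never moves; with the password challenged first, the account is locked after five guesses.

```python
import hmac
from dataclasses import dataclass

# Constructed policy values; a real threshold comes from the AD domain lockout policy.
AD_LOCKOUT_THRESHOLD = 5
OTP_FIRST = ("otp", "password")        # the ordering the article recommends
PASSWORD_FIRST = ("password", "otp")   # the ordering that exposes the AD account


@dataclass
class DirectoryAccount:
    """Stand-in for an Active Directory account with a bad-password lockout counter."""
    password: str
    failed_attempts: int = 0
    locked: bool = False

    def check(self, attempt):
        if self.locked:
            return False  # a locked account rejects everything, even the right password
        if hmac.compare_digest(attempt.encode(), self.password.encode()):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        self.locked = self.failed_attempts >= AD_LOCKOUT_THRESHOLD
        return False


@dataclass
class VipToken:
    """Stand-in for the Symantec VIP credential; current_code is what the token shows now."""
    current_code: str

    def check(self, code):
        return hmac.compare_digest(code.encode(), self.current_code.encode())


def authenticate(order, account, token, password, code):
    """Run the challenges in policy order and stop at the first one that fails."""
    for factor in order:
        if factor == "otp" and not token.check(code):
            return "otp_failed"
        if factor == "password" and not account.check(password):
            return "password_failed"
    return "success"


def simulate_guessing(order, attempts):
    """Someone without the token tries `attempts` passwords; report the AD account's state."""
    account = DirectoryAccount(password="CorrectHorse!")  # constructed
    token = VipToken(current_code="492817")              # constructed
    for i in range(attempts):
        authenticate(order, account, token, password=f"guess{i}", code="000000")
    return {"locked": account.locked, "failed_attempts": account.failed_attempts}


if __name__ == "__main__":
    print("OTP first:     ", simulate_guessing(OTP_FIRST, 10))
    print("password first:", simulate_guessing(PASSWORD_FIRST, 10))
```

The simulation deliberately stops at the first failed factor, which is how the portal behaves: the password prompt is never shown unless the one-time passcode was accepted.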


This is just one example of how an organization can leverage a Centrify policy while facilitating MFA with an MFA provider of their choice. Taking this further, organizations can configure adaptive authentication rules and take advantage of the Centrify machine learning analytics engine to dynamically decide when a user's access is risky before challenging for MFA.


The benefits of this approach are that the organization can leverage an enterprise-wide access policy engine and make context-based decisions on when to authenticate with Symantec VIP for MFA. Additionally, this enables an organization to adopt Centrify without having to rip and replace their existing MFA provider and re-issue MFA tokens to all end users. This approach will maximize your investment for any MFA provider that can integrate with third-party solutions using standards like RADIUS and SAML federation.

To see more information on how to integrate the two Centrify and Symantec solutions to provide this functionality, please see the How-To articles in this series:

 

Part II - Configuring Symantec VIP

Part III - Configuring Centrify

 

How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Part2 - Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

 

Summary
A profile will be configured to start recording sessions upon privilege elevation, and the integration with Splunk will be set up so that the audited sessions can be viewed directly from the Splunk Portal.

Read more...

How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Part 2 - Configuring the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Summary
A profile will be configured to start recording sessions upon privilege elevation, and the integration with Splunk will be set up so that the audited sessions can be viewed directly from the Splunk Portal.
Read more...

Centrify Infrastructure Services (Privileged Access Service) has the ability to store secrets. These secrets can be free-form text or files (currently up to 5 MB in size).

 

There will be use cases where the contents of these secrets need to be accessed programmatically, e.g. from inside an application or as part of orchestration/DevOps processes.

 

This article describes how to configure Centrify's OAuth2 authorization framework so that a PowerShell script can obtain the contents of a text-based secret from the Centrify platform.

 

However, it does not stop there. Using this methodology (OAuth2 apps and scopes) and the example script as a base, any programmatic call to the Centrify Identity Platform required for automation can be made, including writing objects such as systems, shared accounts, secrets, etc. Pretty much everything that can be done via the portal can be automated or configured programmatically.

 

Whilst this example is in PowerShell, any compliant code can use this methodology (Java, C#, Go, etc.). For example, I have Python code to run SQL queries against the Centrify Identity Platform from Linux, but that's for another post.

 

For more detail on the Centrify Identity Platform APIs, see https://developer.centrify.com

Bedtime reading on OAuth2: https://tools.ietf.org/html/rfc6749

Read more...
