This article walks you through the basic configuration of setting up B2B federation from Azure AD to the Centrify Privilege Service. The benefit is that users can authenticate with Azure AD and then be granted access to Centrify Privilege Service where their authorizations can be controlled separately. 

Read more...

This article walks through the configurations for controlling which privileged accounts users can see in the Centrify Admin Portal. A common use case would be to grant developers or third party vendors access to the privileged accounts they are only allowed to use.

Read more...

This article walks through the configurations for controlling which server(s) or network appliance(s) users can see in the Centrify Admin Portal's list of Systems. A common use case would be to grant developers or third party vendors access to only the system(s) they are allowed to see, and without exposing all the other system names in your environment.

Read more...

This article will show you how Centrify can enable Linux to accept Google credentials for login, without having to add users locally. 

Read more...

This article introduces the concept of B2B federation from Azure AD to Centrify Privilege Service and why some businesses are choosing this form of federation. 

Read more...

Introduction:

This article is the third part of a series to show how to integrate Symantec VIP with the Centrify Identity Platform. The first part of this series discussed the value of this integration and walked through the end user experience at a high level. The second part of the series covered the pre-requisites, architecture, and setting up the Symantec VIP solution to act as the RADIUS server for this integration. Please review parts I and II before you read this article to get the full context of the integration and the value it provides to the business.

 

To review the first article in the series you can view it here.
To review the second article in this series you can go here.

 

Part III will cover the following:

  • Setting up Centrify Identity Platform to act as the RADIUS client to the Symantec Enterprise Gateway RADIUS server.
  • Testing the MFA at portal login to ensure it uses Symantec VIP


Disclaimers:

  • This posting is provided "AS IS" with no warranties and confers no rights.
  • This is a lab entry. It is only meant to show the reader one method for this integration and to provide an informal how-to guide on setting it up.
  • It's not meant for production design and does not address things like high availability and separation of duties.
  • Production designs require planning for people, process and technology.
  • Symantec VIP is a registered trademark of Symantec.
  • The versions of software used in this guide are supported as of 2018. There is no guarantee that future versions of the software released by the vendors will be compatible for this integration. It's always best practice to validate new versions of the software through official support channels.

Pre-requisites:

  • Please review the pre-requisites in part II of this blog series here

Assumptions:
This article focuses on the configuration of Symantec VIP to provide MFA (multi-factor authentication) for the Centrify platform policies and assumes that you have familiarity with Symantec VIP Access manager and the Centrify Identity platform. The article does not go into detail on how to set up the Centrify platform or Symantec VIP because there is a lot of documentation publicly available that covers these topics. This article also assumes that you read parts I and II of this series.

Let's get started by presenting the same diagram we showed you in part II as a refresher. We are going to be configuring the Centrify side of the diagram in this article.
diagram.png

 

Step 1

  • Let's set up the Centrify portal side of the integration. This step assumes you have a valid Centrify tenant created and you have already installed a Centrify connector that has a line of sight to your Symantec Enterprise Gateway server. Refer back to the architecture diagram above to see what I mean. 
  • Create a test Authentication profile that is going to use a 3rd party RADIUS server for authentication.

     

Step 2

  • Give the authentication profile a name and select 3rd party RADIUS authentication as one of the challenges. Configure the profile to challenge for the VIP token first and the password 2nd to prevent account lockouts.

 

Screenshot 2018-05-21 22.12.43.png

 

Step 3

 

  • Next, create a connection to the Symantec RADIUS validation server that will be fulfilling the authentication request. You can do this under the Authentication section in Settings as shown below.

 

 

Screenshot 2018-05-21 22.13.57.png

 

 

Step 4

  • Give the RADIUS server a name and enter in the hostname or IP address of the Symantec Enterprise Gateway (which is going to be listening for RADIUS connections)
  • Specify the RADIUS port that the RADIUS server is listening on and input the server secret that was used in the Symantec Enterprise gateway configuration
  • Select a user identifier attribute of EmailAddress. The user identifier attribute is what enables Symantec Enterprise Gateway to look up your user to validate that they are entering the right code. So this setting is important to ensure the lookup occurs accurately. In my case, my user attribute mapped to my Symantec VIP service is my email address in my Active Directory.
  • Note: You can use other user attributes and you can configure Symantec Enterprise Gateway to look up an attribute in AD directly. These alternate configuration options are not covered in this blog but there is some flexibility in how you perform the user mapping between the 2 solutions. 

 

radius server settings Screenshot 2018-05-21 22.14.33.png

 

Checkpoint

 

At this point, you have created a Centrify authentication profile that will use a 3rd party RADIUS server (i.e. Symantec Enterprise Gateway) and you have also created a 3rd party RADIUS server connection (also Symantec Enterprise Gateway) that is listening for RADIUS authentication requests on the port that we specified. Next, we will create the Centrify authentication policy that will generate the authentication request when we want to use Symantec VIP for authentication. 

 

Step 5

 

  • Create a new policy that will challenge the user with the new authentication profile we created.
  • Under Core Services, create a new policy and under policy settings, apply the policy to a test role in your environment. The members of this test role should have a Symantec VIP token available and registered in the VIP Access manager service. An example policy is shown below:

 

 

 policy settings Screenshot 2018-05-21 22.16.38.png

 

 

 Step 6

 

  • Next, under the same policy, find the “Login Policies” section as shown below.
  • You have the option of configuring a login policy for login to the Centrify portal, UNIX and Windows Servers, and Windows Workstations.
  • We will configure the login policy for the Centrify Portal as an example. Simply enable authentication policy controls and define the Default Profile as the VIP authentication profile that we created earlier.
  • NOTE: The Authentication Rules can further define when the user will be challenged using situational awareness. This is also known as adaptive authentication. You can use static rules (i.e. the user is not coming from my corporate IP) or you can use dynamic risk scores (i.e. the user is coming from the right IP and the same machine we registered with the user, but he is logging into an application he has never used before) to adaptively challenge the user for MFA. This is the real power of using the Centrify platform to drive the policy with a 3rd party MFA provider.  

 

Screenshot 2018-05-21 22.17.37.png

 

Step 7

 

  • Configure the User security policy to enable 3rd party RADIUS authentication as an available option for the users that this policy applies to. 
  • With this setting, you are telling Centrify that the specific users that this policy applies to are allowed to use the 3rd party RADIUS authentication server (Symantec VIP in this case). This ensures that not everyone is driven to this authentication server if they don't need to be. 

 

Screenshot 2018-05-21 22.19.17.png

 

Checkpoint

 

Ok, that's it! Now you should be ready to test. Get your Symantec VIP token out and go to the Centrify portal login page and login with your test user.

 

portal login Screenshot 2018-05-21 22.25.17.png

 

Press Next and you should see the option to login with the Symantec VIP authenticator. Enter the passcode displayed by the Symantec VIP authenticator token.

symantec vip IMG_0004.png
vip code entry Screenshot 2018-05-21 22.25.43.png

 

Press Next and you will now be challenged for a password (since this is the order that we set in our authentication profile above).

 

password entry Screenshot 2018-05-21 22.26.08.png

 

Press Next after entering your password and voila! If everything worked, you should now be logged into the Centrify portal and you were able to authenticate with the Symantec VIP token for MFA. Now you can go about using single sign on to your corporate applications or go into the Administration section to manage your privileged identity management systems and resources.

 

infrastructure homepage Screenshot 2018-05-21 22.27.07.png

 

 

Conclusion

 

Thanks for following along with this three-part blog series. To recap, this blog series walked through the process of using the Centrify Identity platform to drive the authentication policy that leveraged the Symantec VIP infrastructure for MFA. The benefit of this integration is that if you are a Symantec VIP customer, you can maximize your existing Symantec VIP tokens for MFA to provide identity assurance to applications and infrastructure by driving the policy through the Centrify identity platform. This allows you to use a common set of security policy to provide MFA for web applications, server login, workstation login, privilege elevation, password checkout, and much more. It also allows you to take advantage of the Centrify platform without having to rip and replace your existing MFA provider. I hope this blog was helpful. 

Centrify's App Gateway provides the ability to access internal web apps or intranet sites without a VPN. This helps to provide just the right amount of access to third party vendors, or convenient access to internal resources from a non-work computer. This article will walk through the steps to enable App Gateway.

Read more...

The following Techblog details how to configure People HR with SAML for federation to Centrify Application Services. Also covered in this techblog are options to enhance the security posture using Centrify Multi Factor Authentication when users access People HR. The techblog finishes with a video clip showing the end user experience. 

Read more...

Working With Keytabs

By Centrify Contributor II on ‎07-09-2018 02:10 PM

Learn the basics of Kerberos and how keytabs can be created, with examples for common scenarios.

Read more...

Introduction:

This article is the second part of a series to show how to integrate Symantec VIP with the Centrify Identity Platform. Part II will cover the following:

  • Pre-requisites for setting up the test environment
  • High-level architecture of the solution
  • Configure Symantec VIP Manager hosted service
  • Install Symantec Enterprise Gateway on our Windows Server
  • Establish Trusted communications between the Enterprise Gateway and the Symantec VIP Manager service
  • Configure a RADIUS validation server to listen to RADIUS requests
  • Test the RADIUS validation server to ensure it was fulfilling the RADIUS requests sent to it. 

 

The first part of this series discussed the value of this integration and walked through the end user experience at a high level. To review the first article in the series you can view it here.

Let's start configuring a test environment so you can try this out yourself. 

Disclaimers:

  • This posting is provided "AS IS" with no warranties and confers no rights.
  • This is a lab entry. It is only meant to show the reader one method for this integration and to provide an informal how-to guide on setting it up.
  • It's not meant for production design and does not address things like high availability and separation of duties.
  • Production designs require planning for people, process and technology.
  • Symantec VIP is a registered trademark of Symantec.
  • The versions of software used in this guide are supported as of 2018. There is no guarantee that future versions of the software released by the vendors will be compatible for this integration. It's always best practice to validate new versions of the software through official support channels.


Now that the disclaimers are out of the way, let's get started.

 

Pre-requisites:

  1. Obtain VIP Manager Account
    1. You need this to configure VIP Authentication, download Symantec Enterprise Gateway, and download documentation.
  2. Obtain Centrify tenant
    1. You need this to configure Centrify Identity Platform and download the Centrify Connector. You can obtain a free trial for Centrify Application Services or Centrify Infrastructure services here.
  3. A SmartPhone for Testing
    1. You need a smartphone to download the Symantec VIP Authenticator application and to register it with Symantec VIP.
  4. A Windows 2012 R2 Server
    1. You need this system to download and install the Symantec Enterprise Gateway and the Centrify Connector. This should be a domain joined server which will allow the Centrify connector to connect your on-premise Active Directory to perform user authentication services. The server will also need to allow outbound https traffic to the respective Symantec VIP and Centrify hosted services. Details of ports and settings can be found on each vendor's documentation. 
  5. Microsoft Active Directory Environment
    1. You will need a test Active Directory environment to follow along with the example below. I am using domain functional level 2012 R2. Note that this process can be accomplished with any LDAP directory. 

 

Assumptions:

This article focuses on the configuration of Symantec VIP to provide MFA (multi-factor authentication) for the Centrify platform policies and assumes that you have familiarity with Symantec VIP Access manager and the Centrify Identity platform. The article does not go into detail on how to set up the Centrify platform or Symantec VIP because there is a lot of documentation publicly available that covers these topics.

Diagram.

The high-level flow diagram for this setup is as follows:

 

Screenshot 2018-05-28 22.21.25.png

 

The diagram above shows the Centrify and Symantec SaaS-based identity platforms, the Centrify Connector, the Symantec Enterprise Gateway, and Active Directory as the main components used in this example. The flow for this use case is as follows:

 

  1. The end user logs into the Centrify Portal or Centrify protected application/resource.
  2. Centrify will determine via policy that the user needs to be challenged for MFA by the Symantec VIP platform.
  3. The Centrify connector will pass the authentication to the Symantec Enterprise Gateway using RADIUS.
  4. Symantec Enterprise Gateway will leverage the VIP cloud service to authenticate the user with her VIP soft token.
  5. The VIP service will authenticate the VIP token code and send the result to Symantec Enterprise Gateway.
  6. Symantec Enterprise Gateway will pass the result back to the Centrify Connector.
  7. If MFA is successful, the Centrify Connector will then authenticate the user's AD credentials as per authentication policy.
  8. Active Directory will verify the user's credentials and send the result to the Centrify connector.
  9. The Centrify connector will pass the result back to the web application or resource server.
  10. Centrify will confirm the result and redirect the user appropriately.

Note:

  • This configuration does not take into account high availability.
  • The Active Directory LDAP authentication can be performed by Symantec VIP or Centrify but I have configured Centrify to perform the AD authentication so that we can challenge for MFA first through Symantec VIP, and AD authentication second with Centrify.

 

Setting up Symantec VIP Manager:

 

Step 1
The first step is to set up the cloud-based VIP Manager

  • Login to VIP Manager with your credentials and VIP credential

Screenshot 2018-05-21 21.45.33.png

 

Screenshot 2018-05-21 21.46.47.png

 

  • Download Enterprise Gateway installation bits and install guide.

Screenshot 2018-05-28 23.07.30.png

 

Screenshot 2018-05-28 23.12.29.png

 

  • Download the Enterprise Gateway bits to the Windows Server where your Centrify connector is running, or on a server where it can communicate with the Centrify connector using RADIUS. We will come back to the Enterprise Gateway in a bit but for now, let's finish setup in the VIP manager.

Step 2

Next, we're going to create a test user. Note that the user id is the email address because this is how we will later look up the user for AD validation. Also, note that you need to download and register a Symantec VIP soft token credential for this user.

 

  • Create a test user (RADIUS - email address) with an email address and register a VIP credential.

 Screenshot 2018-05-28 23.23.02.png

 

Step 3

Next, you need to Create a VIP Certificate to establish a trusted connection between Enterprise Gateway and Symantec VIP.

      • Click on the Account Tab at the top of the screen and then select “Manage VIP Certificates”

manage vip certs.png

 

 

  • Create a new Certificate by clicking on “Request a Certificate”. This certificate will be needed on the Enterprise Gateway in order to establish a secure connection with the VIP manager.

Step 4

  • Our next step is to install Enterprise Gateway. Symantec provides detailed instructions on how to do this in this document. It's also relatively easy to click through without reading the documentation.
  • Run the setup wizard to install the Enterprise Gateway software to run as a Windows Service.

Step 5

  • Next, you need to Login to Enterprise Gateway (once it is launched in a web browser).
  • Once Enterprise Gateway is running, you need to configure the VIP certificate to secure communications to VIP manager. 
  • The screenshot below shows where you need to add the VIP certificate that you downloaded in Step 3. This will establish mutually authenticated (trusted) communication between your Enterprise Gateway and your Symantec VIP service. 

 

add vip cert.png

Step 6

Create a Radius Validation Server

      • We need to create a RADIUS validation server object in Symantec Enterprise Gateway to accept RADIUS connections from a RADIUS client. This is a key step because the Symantec RADIUS validation server will be listening for authentication requests from the RADIUS client. The Centrify connector will be the RADIUS client we will set up in the next blog article. Refer back to the architecture document at the beginning to get a visual reminder of how this will work if you're getting lost.
      • Create a RADIUS Validation Server object as shown below. You need to define where the RADIUS authentication requests will be coming from. This requires that you configure the server name that the RADIUS requests will be coming from, the server IP, an open port, and a shared secret. Note: We will use this information in the next blog article when we tell the RADIUS client where to send its authentication requests. The rest of the options can be left default for this simple test.

 

radius validation server.png

 

Step 7

  • Once this is set up, we need to test the Validation Server. Symantec includes a nice test tool to help you double check that your RADIUS connectivity is all set up.
  • The Symantec RADIUS tool is located in the Enterprise Gateway files under the tools directory. The syntax is shown below to test connectivity to the Enterprise Gateway acting as the RADIUS server.
  • Note: You can also use NTRadPing which is a great tool to test RADIUS client-server communication. 

RADIUS test.png

 

Checkpoint

 

Once the RADIUS validation test works, you are in good shape. We know that the Symantec Enterprise Gateway RADIUS validation server is listening, accepting authentication requests, and fulfilling those requests. Now the only thing left to do is to set up the Centrify Connector to act as the RADIUS client to the Enterprise Gateway. 

 

Note: If the test above did not work, make sure you have ports correct, shared secrets correct, make sure firewalls are open on appropriate ports, and make sure you are testing with the right username/password and Symantec VIP credential.

This concludes part II of this blog. As a review, we completed the following:

  • Covered the Pre-requisites for setting up the test environment
  • Provided a High-level architecture of the solution
  • Configured Symantec VIP Manager hosted service
  • Installed Symantec Enterprise Gateway on our Windows Server
  • Established Trusted communications between the Enterprise Gateway and the Symantec VIP Manager service
  • Configured a RADIUS validation server to listen to RADIUS requests
  • Tested the RADIUS validation server to ensure it was fulfilling the RADIUS requests sent to it. 

 

 

In the next article, I will go through the setups on the Centrify Portal to complete the setup. 

 

You can find the next article (part III) in this blog here

To review part I of this article go here

A DirectManage Audit 3.x installation typically creates and deals with two types of databases i.e. an Audit Server database (also known as the Management database) and Audit Store database. The Audit Server database stores DirectManage Audit 3.x application specific settings whereas the Audit Store database is used to store the actual audited user sessions. A typical DirectManage Audit 3.x installation consists of one Audit Server database and one or more Audit Store database(s).

 

In a nutshell, here are the steps involved when migrating a database from one database server to another:

 

Step 1  - Stop all the collectors

 

Step 2  - Take backup of existing databases (optional but recommended)

 

Step 3 -  Detach the existing databases and attach them to the new database server

 

Step 4  -  Ensure that CLR integration is enabled on the new database server and login for NT AUTHORITY\SYSTEM exists on the server

 

Step 5  -  Restore the TRUSTWORTHY flag and owner of the database

 

Step 6  - Modify the newly attached Audit Server database

 

Step 7 -  Restoring connection between Audit Server database and Audit Store database

 

Step 8  -  Update the database entries in Active Directory

 

Step 9  -  Start all the collectors

 

The attached document explains in detail how each of the steps above should be carried out when a database migration is unavoidable, in order to keep the impact on the DirectManage Audit system as minimal as possible.

 

How to configure SSO for Informatica Intelligent Cloud Services using SAML...

Read more...

How to:
Centrify provides the following scripts to enable/disable debug logging:

  • Centrify Agent for Linux:  /usr/share/centrifycc/bin/cdebug
  • DirectControl:  /usr/share/centrifydc/bin/addebug
  • DirectAudit: /usr/sbin/dadebug

Enable debugging in journald environment

Read more...

If you want to give an individual remote access without giving it to all users, then this blog is for you!

Read more...

Using the IS-CPS Bulk Import Tool

By Centrify ‎06-27-2018 04:09 PM

This article describes the basic steps to obtain and configure the necessary tools used to import objects into the privilege service vault. This feature was added in Centrify Privilege Service 18.4 and allows admins to import systems, domains, databases and their accounts. This is a PowerShell module that will be released on GitHub.

Read more...

In the documentation for Centrify Report Services, it mentions setting up permissions in SSRS for user accounts that need to access Report Services to view (Report Viewer) and write (Report Writer) reports. 

 

This article goes over the section for "Required SSRS permissions" (Report Admin, Report Viewer, Report Writer)

Read more...

This blog goes over the use of Regular Expressions, or REGEX for short, when creating a new command, with some tips and things to watch out for when using REGEX commands. 

REGEX.PNG

Read more...

A Centrify Connector on an AWS private subnet allows you to:

  • Gain better accountability of who is accessing the private subnet,
  • Apply role-based access to the private subnet,
  • Password vault local and domain service accounts being used in the private subnet,
  • Provide MFA login for Windows or Linux servers
  • Integrate with an Active Directory domain that is associated with the private subnet, 
  • Provide MFA for other AWS services such as AWS Workspaces. 

This article will go over the AWS and Centrify configurations you will need to use a Centrify Connector on an AWS private subnet.

Read more...

How to allow users to log into a remote Linux machine via SSH, using Active Directory credentials that require smart card authentication

Read more...

This TechBlog describes how to create a scheduled task that will automatically rotate the Centrify Auditing database on the first day of each month. You can easily modify the command outlined to suit your requirements.

Read more...

Maximize your Symantec VIP investment with Centrify

Many organizations are using Symantec VIP to provide MFA (multi-factor authentication) services for identity assurance, but (often times) their use cases are narrow in scope. For example, MFA may only be used at VPN Login or for a specific application login. I want to demonstrate how organizations can maximize their investment in Symantec VIP to provide MFA Everywhere by combining it with the Centrify Identity Platform. This includes MFA for web applications, server login, workstation login, privilege elevation, password checkout, and more. The key is to use the Centrify Identity Platform as the policy engine that drives MFA when needed. This empowers organizations to use a single source of policy to drive MFA Everywhere and take advantage of having a single platform to provide identity assurance for single sign-on, enterprise mobility management, and privileged identity management. Not only does this maximize the investment in their existing MFA solution (Symantec in this example), but it also allows them to leverage centralized administration, reporting, and risk-based analytics to drive logical access across the enterprise.

 

In our example below, we will leverage Symantec VIP to provide MFA to a web-based application. Additionally, I wrote an article a while back that explains how you can extend Symantec VIP to provide MFA in conjunction with Centrify Infrastructure Services (formerly known as Centrify Server Suite) at server login and privilege elevation. This solution allows you to centralize non-windows identities to Active Directory and use Symantec VIP to provide identity assurance for specific server related tasks.

Let us take a look at the high-level overview of what this looks like for the end user. If you would like to skip ahead to the setup, go to part II of this blog here

Step 1:

When an Active Directory user logs into the Centrify end user portal, he/she would be challenged with Symantec VIP as shown below:
portal login Screenshot 2018-05-21 22.25.17.png

 

Step 2:

The first authentication method is going to ask the user to provide the access code on his/her VIP token:

 

symantec vip IMG_0004.png
vip code entry Screenshot 2018-05-21 22.25.43.png

Step 3:

The second authentication will validate the user's LDAP directory password. We're using Microsoft Active Directory in our example. Once completed, the user will be taken to the user portal page.

 

password entry Screenshot 2018-05-21 22.26.08.png

The order of authentication (i.e. challenging for LDAP password second) can be controlled by policy. Challenging for the one-time passcode from the Symantec VIP token first prevents an attacker from locking out the end user's Active Directory account by ensuring the possession of the Symantec VIP token before allowing the user to enter her Active Directory password. It is a handy policy to have for an internet facing web application.


This is just one example of how an organization can leverage a Centrify policy while facilitating MFA with an MFA provider of their choice. Taking this further, organizations can configure adaptive authentication rules and take advantage of the Centrify machine learning analytics engine to dynamically decide when a user's access is risky before challenging for MFA.


The benefits of this approach are that the organization can leverage an enterprise-wide access policy engine and make context-based decisions on when to authenticate with Symantec VIP for MFA. Additionally, this enables an organization to Centrify without having to rip and replace their existing MFA provider and re-issue MFA tokens to all end users. This approach will maximize your investment for any MFA provider that can integrate to 3rd party solutions using standards like RADIUS and SAML federation. 

To see more information on how to integrate the two Centrify and Symantec solutions to provide this functionality, please see the How-To articles in this series:

 

Part II - Configuring Symantec VIP

Part III - Configuring Centrify

 

How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Part2 - Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

 

Summary
A profile will be configured to start session recordings upon privilege elevation, and the integration with Splunk will be set up so that the auditing sessions can be viewed directly from the Splunk Portal.

Read more...

How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Part 2 - Configuring the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Summary
A profile will be configured to start session recordings upon privilege elevation, and the integration with Splunk will be set up so that the audit sessions can be viewed directly from the Splunk Portal.
Read more...

Centrify Infrastructure Services (Privilege Access Service) has the ability to store secrets. These secrets can be free-form text or files (currently up to 5 MB in size). 

 

There will be use cases where the contents of these secrets need to be programmatically accessed, e.g. from inside an application or as part of orchestration/DevOps processes. 

 

By leveraging Centrify's OAuth2 authorization framework, this article will describe how to configure OAuth2 to enable a PowerShell script to obtain the contents of a text-based secret from the Centrify platform.

 

However, it does not stop there. Using this methodology (OAuth2 apps and scopes) and the example script as a base, any programmatic call to the Centrify Identity Platform required for automation may be achieved, including writing objects such as systems, shared accounts, secrets, etc. Pretty much everything that can be done via the portal can be automated/configured programmatically. 

 

Whilst this example is in PowerShell, any compliant code can leverage this methodology (Java, C#, Go, etc.). For example, I have Python code to run SQL queries against the Centrify Identity Platform from Linux, but that's for another post.

 

For more detail on the Centrify Identity Platform APIs see https://developer.centrify.com

Bed Time reading on OAuth2 : https://tools.ietf.org/html/rfc6749

Read more...

Ever stayed up late at night dreaming of how awesome it would be to implement RADIUS in your environment?  Maybe that's a stretch...  But, before you wrestle with your VPN, try setting up a simple test configuration to get a feel for how it all works.  Look no further, because this blog will help you do just that!

Read more...

We will cover how to secure FortiGate Administrator access using Centrify MFA. We will be using an Active Directory user that is federated to Centrify to log in to a FortiGate as an Admin user and prompted for MFA at both CLI and Web GUI login.

Read more...

[How to] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Part1 - Start session recording when performing privilege elevation
 
Summary
We will configure a profile to start session recordings upon privilege elevation, and set up the Splunk integration with Infrastructure Service (Auditing and Monitoring Service) so the auditing sessions can be viewed directly from the Splunk Portal.

Read more...

How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
Part 1 - Start session recording when performing privilege elevation
Summary
A profile will be configured to start session recordings upon privilege elevation, and the integration with Splunk will be set up so that the audit sessions can be viewed directly from the Splunk Portal.
 
 
Read more...
