This article walks through the configurations for controlling which privileged accounts users can see in the Centrify Admin Portal. A common use case would be to grant developers or third-party vendors access to only the privileged accounts they are allowed to use.


This article walks through the configurations for controlling which server(s) or network appliance(s) users can see in the Centrify Admin Portal's list of Systems. A common use case would be to grant developers or third party vendors access to only the system(s) they are allowed to see, and without exposing all the other system names in your environment.


Working With Keytabs

By Centrify Contributor II on 07-09-2018 02:10 PM

Learn the basics of Kerberos and how keytabs can be created, with examples for common scenarios.


Do you want to give an individual remote access without giving it to all users? Then this blog is for you!


A Centrify Connector on an AWS private subnet allows you to:

  • Gain better accountability of who is accessing the private subnet,
  • Apply role-based access to the private subnet,
  • Vault the passwords of local and domain service accounts used in the private subnet,
  • Provide MFA login for Windows or Linux servers,
  • Integrate with an Active Directory domain that is associated with the private subnet,
  • Provide MFA for other AWS services such as AWS WorkSpaces.

This article will go over the AWS and Centrify configurations you will need to use a Centrify Connector on an AWS private subnet.


Learn the basics of Microsoft Red Forest and how Centrify can be used to provide a more effective security strategy.


Learn how to protect Office 365 accounts from brute force attacks and prevent account lockouts. This article will show you how to use password-less authentication to prevent AD account lockouts and the distracting MFA notifications caused by brute force attacks.


Before you join a computer to AD, there are three things to check:

  • DNS settings
  • Computer name
  • Network communication between the Linux/UNIX system and Active Directory domain controller(s)

The Centrify Agent for Windows provides organizations with the ability to secure Windows systems. This article's goal is to introduce the basic information (prerequisites, communications), deployment scenarios and tools available for each deployment option. The next articles in the series focus on specialized topics or use cases.


Security questions are like a second password prompt. Just like passwords, users tend to create weak or easy-to-guess answers. Unlike passwords, security questions usually have no policies to enforce complexity, uniqueness and resistance to guessing.


Here are some tips to help make your security question answers stronger:

1. Use a non-corresponding answer.

Using an answer that does not correspond to the question will make it harder for unauthorized users to guess or find your answer. For example, if the question is your first car model, answer with "blankcowblueYogurt". If the question is your mother's maiden name, don't use your mother's maiden name as the answer: it might be acquired through social media, social engineering, stolen records, public records, malware or many other methods, or simply guessed.


2. Avoid answers that are vulnerable to social engineering.

Even if you use a non-corresponding answer to a security question, unauthorized users may still randomly attempt to use information that could be acquired through social media or social engineering such as the name of your child, pet, school, or company.


3. Follow password complexity rules for your answers.

Security questions are just like a second password. Hackers may use brute force or dictionary attacks on a security question. Following password complexity rules can help to make your security question answers more secure.


An easy to remember and yet complex answer is to use four random words like "blankcowblueYogurt".




4. Use spaces if possible.

Older-generation brute force and dictionary tools don't account for spaces, and even for modern tools a space makes the answer longer and harder to crack. Add a space in your answer if the system allows it, for example "blank cow blue Yogurt".
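The four tips above can be turned into a policy check that runs when a user sets an answer. The following is an added example, not Centrify's code; the personal facts and stock-answer list are constructed sample data (in practice they would come from the user's profile and a breach dictionary), and the length and character-class thresholds for tip 3 are assumptions, so adjust them to your password policy.

```python
import re

# Constructed sample data (hypothetical): facts an attacker could harvest about
# this user from social media or public records (tip 2), and stock answers to
# popular questions that a dictionary attack would try first (tips 1 and 3).
PERSONAL_FACTS = ["smith", "rex", "lincoln high", "acme", "chicago"]
COMMON_ANSWERS = ["smith", "johnson", "ford", "toyota", "max", "bella", "pizza"]


def _words(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def check_answer(question, answer, facts=PERSONAL_FACTS, common=COMMON_ANSWERS):
    """Return the numbers of the article's tips (1-4) that the answer violates.

    An empty list means the answer follows all four tips.
    """
    violated = []
    norm = answer.strip().lower()
    answer_words = set(_words(norm))

    # Tip 1: non-corresponding answer. Flag a stock answer to this kind of
    # question, or an answer that simply echoes a word from the question.
    question_words = {w for w in _words(question) if len(w) > 3}
    if norm in common or answer_words & question_words:
        violated.append(1)

    # Tip 2: nothing an attacker could learn about you (child, pet, school, employer).
    if any(fact in norm for fact in facts):
        violated.append(2)

    # Tip 3: treat the answer like a password. Accept a long passphrase (the
    # article's four-random-words approach) or a shorter string that mixes at
    # least three character classes; a dictionary word always fails.
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9 ]")
    classes = sum(bool(re.search(p, answer)) for p in patterns)
    long_passphrase = len(answer) >= 16
    complex_short = len(answer) >= 12 and classes >= 3
    if norm in common or not (long_passphrase or complex_short):
        violated.append(3)

    # Tip 4: a space, where the system allows one, lengthens the answer and
    # defeats older cracking tools that never try spaces.
    if " " not in answer.strip():
        violated.append(4)

    return violated


if __name__ == "__main__":
    for q, a in [("What is your mother's maiden name?", "Smith"),
                 ("What was the model of your first car?", "blankcowblueYogurt"),
                 ("What was the model of your first car?", "blank cow blue Yogurt")]:
        print(f"{a!r}: violates tips {check_answer(q, a) or 'none'}")
```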


Centrify MFA can use security questions for:

  • AD password reset / account unlock
  • Computer login (Windows / Linux / Unix)
  • Privilege elevation (Windows / Linux / Unix)
  • Remote access through Centrify's password vault.
  • Password checkout for shared privileged accounts.
  • AWS Workspaces
  • Horizon View
  • Accessing a web application
  • Accessing the Centrify User and Admin Portals. 
  • VPN access

Centrify users can set up their security question(s) through the Account tab in the Centrify User portal.

Employee on-boarding, transitions and departures often require manual and time-consuming user administration tasks performed between HR and IT. Generally, identity originates in the HRIS system when the candidate becomes an employee. HR then coordinates with IT so that IT can create accounts for the new hire in Active Directory and every application required for their job. Similarly, during a transition or departure, HR coordinates with IT to modify or disable access in Active Directory and every application.


With an integration to Centrify, Workday can serve as the master employee database within the enterprise. New hires, transitions and departures are managed by HR within the HR system while Centrify automatically provisions or de-provisions accounts into Active Directory and downstream productivity applications. Specific benefits include: 


  • Automatic provisioning of new hires in Workday to Active Directory.
  • Randomly generated Active Directory password automatically emailed to new hire.
  • Automatic account updates (e.g. promotions, department changes) of employees in Workday to Active Directory.
  • Automatic disablement of users in Active Directory when terminated in Workday.

Here is a demo video of how the integration can help streamline user administration in your enterprise: 



See this work within your environment by registering for a free 30 day trial here.


Using a custom Centrify login URL offers a number of benefits, including a branded login screen, Integrated Windows Authentication, and being able to log in using your short name or sAMAccountName. This article will walk you through configuring your custom login URL for your Centrify tenant.


1. Log into your Centrify Admin Portal.

2. In the left column, navigate to Settings > Customization > Tenant URLs, then click on the Add button.


3. Enter your preferred unique name that is not used by another Centrify customer, then press Save. For example:



Once this is complete, you can log into the Centrify portal with your custom login URL.

Centrify User Portal:

Centrify Admin Portal:



By default, Centrify automatically populates the username field with the User Principal Name for SAML web logins. However, some web logins use the first name, a space, then the last name (e.g. John Smith) instead of the full UPN format (e.g. 


To configure your web app in Centrify to auto-populate the username with the user's first name, a space, then the last name:

1. Edit your web app and go to Account Mapping.

2. Select Use Account Mapping Script and enter the following into the script field:


LoginUser.Username = LoginUser.FirstName + " " + LoginUser.LastName;



3. Press Save.



Related articles:

How to configure Centrify to use short name or samAccountName for web application login

Signed and Sealed - "Why port 389?"

By Centrify Contributor II on 09-11-2017 09:56 AM

"Why port 389?"


A customer recently emailed me asking a few questions about the Unix agent communication security with Active Directory


  1. "Why does the Centrify Unix agent (adclient) communicate with Active Directory over port 389?
  2. How is this communication secured?
  3. What are the implications to Active Directory? Specifically, how do we protect Active Directory against unsigned/unencrypted LDAP requests?"


Typically, this question tends to come from Security/Compliance and Unix teams. From their vantage point, interacting with LDAP over 389 raises a flag, since communications over this port have traditionally been unencrypted. If the question comes from the Active Directory team, they are usually looking for confirmation and assurance that our interactions with Active Directory align with best practices and their security expectations.


1) Why port 389: The short answer is that the Centrify Unix agent's design is consistent with how Windows computers and services securely communicate with AD and other Kerberos principals, as explained below.
2) Secure Active Directory communication: The Centrify Unix agent authenticates and encrypts all communications with Active Directory using Kerberos (GSSAPI). This is referred to as a "signed and sealed" connection: the agent signs and encrypts its payload with the Kerberos session key before sending it over the wire to Active Directory. We do not use LDAP over SSL/TLS, because that approach depends on certificates (along with the certificate management headaches that come with them).
3) Rejecting unsigned/unencrypted LDAP requests: Microsoft advises configuring domain controllers to reject Simple Authentication and Security Layer (SASL) binds that do not request signing, and to reject LDAP simple binds performed in the clear. This AD group policy configuration ensures that "non-Kerberized" LDAP clients communicate with AD over SSL/TLS (e.g. port 636). The following Microsoft article explains further.

Integrating Active Directory with the Centrify Identity Platform allows you to log into the Centrify Admin Portal with domain credentials. This article will walk you through the integration and the System Administrator role assignment.


1. Integrate Active Directory with the Centrify Identity Platform

Install the Centrify Connector on a 64-bit Windows member server. See instructions. Once the Centrify Connector has been installed, all domain users will be able to log into the Centrify User Portal with domain credentials. To grant permission to log into the Admin Portal, you will need to add the domain user(s) or group(s) to the System Administrator role or any other role with administrative rights.


2. Add domain user(s) or group(s) to the System Administrator role

a) In the Centrify Admin Portal, go to the left column and navigate to Core Services > Roles.


b) Click on the System Administrator role. 

c) Select Members then click Add and search for your desired domain user(s) and/or group(s) that you want to grant administrative rights to the Centrify Admin Portal.


Now you can log in with your domain credentials to the Centrify Admin Portal.

Step 1. Use Apple Configurator 2 to create the desired WiFi setting, then export the profile.

1. Launch Apple Configurator and select File > New Profile.

2. Enter a display name for the profile in General. 

3. In the left column, select WiFi, click the Configure button, then enter your WiFi settings.

4. Once you have completed your configuration, go to File > Save.


Step 2. Upload the saved mobileconfig profile to your domain controller at \\yourdomain\SYSVOL\yourdomain\mobileconfig. Create this directory if it does not exist.


Step 3. Specify the profile in one of the following GPO settings to apply the WiFi settings:

  • Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles or
  • User Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles



For more details on computer configuration or user configuration.


Other settings to consider:



This tech blog explains how an Administrator can extend Active Directory to include the Exchange-specific Active Directory attributes, in order to use some additional Exchange-specific features with Office 365, even though Exchange Server is not, or was not, installed on premises.


Your Centrify Privilege Service (CPS) deployment could go a lot smoother with this checklist. It is a high-level overview of the necessary tasks to prepare, deploy, configure, and validate a CPS environment.


When talking about our supported local clients for remote sessions, one of the questions I often get back is, "What about PowerShell?". In this post I will demonstrate how to launch PowerShell sessions from the Centrify cloud platform using PowerShell Web Access (PSWA).




We heard from some customers who would like to use AD credentials to authenticate to IBM Sterling Connect:Direct. IBM Sterling Connect:Direct provides security-rich, point-to-point file transfers to lessen dependency on unreliable File Transfer Protocol (FTP) transfers.




This Cheat Sheet should be used with Centrify Mac Agent version 5.2.4 and higher.


The Centrify Mac Diagnostic Tool location:
/Library/Application Support/Centrify/



Centrify Agent


To join the domain in Auto Zone:
sudo /usr/local/sbin/adjoin --user domain_admin_username --workstation


To join the domain in Zone mode:
sudo /usr/local/sbin/adjoin --user domain_admin_username --zone zonename


To leave the domain and disable the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username 


To leave the domain and remove the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username --remove


To leave the domain without contacting Active Directory, leaving the computer object untouched (only local configuration is removed):
sudo /usr/local/sbin/adleave --force


To print information for the domain:


To print network diagnostic information for the domain:
sudo /usr/local/bin/adinfo --diag


To view licensing mode:



To enable licensed features:

sudo /usr/local/sbin/adlicense --licensed


To look up an Active Directory user's information:

/usr/local/bin/adquery user -A username


To look up an Active Directory computer's information:

/usr/local/bin/adquery user -A computername$


To look up an Active Directory computer's Manager (managedBy attribute used with FileVault policy):


/usr/local/bin/adquery user -b managedBy computername$


To look up an Active Directory group's information:

/usr/local/bin/adquery group -A groupname


To change the currently logged in user's Active Directory password:



To change an Active Directory user's password:

/usr/local/bin/adpasswd --adminuser domain_admin_username


To flush the Mac agent cache (Active Directory users will need to log in again to cache their credentials after this is run):

sudo /usr/local/sbin/adflush


The location of the Centrify configuration file:


The location of Centrify Kerberos tools:


To restart the Mac agent:
sudo /usr/local/share/centrifydc/bin/centrifydc restart 


To turn on logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug on


To turn off logging:
sudo /usr/local/share/centrifydc/bin/cdcdebug off


To clear out the current log file:

sudo /usr/local/share/centrifydc/bin/addebug clear

Log file location:


To uninstall the Mac agent:
sudo /usr/local/share/centrifydc/bin/


To uninstall silently:
sudo /usr/local/share/centrifydc/bin/ --std-suite



Group Policy


To force group policy updates for both user and machine policies:


To update group policy for user policies only:
/usr/local/bin/adgpupdate --target User


To update group policy for machine policies only:
/usr/local/bin/adgpupdate --target Computer


To view the currently set group policies:



To view the currently set user group policies:

/usr/local/bin/adgpresult --user username


To view the currently set machine group policies:

/usr/local/bin/adgpresult --machine


The location of computer group policy reports:


The location of the user group policy reports:


The location of login scripts:



To retrieve machine certificates:
sudo /usr/local/share/centrifydc/sbin/adcert --machine --keychain


To retrieve user certificates:
/usr/local/share/centrifydc/sbin/adcert --user --keychain


The location of machine certificates:


The location of user certificates:




Directory Services


To see if the machine is joined to the domain using the Apple plugin:
/usr/sbin/dsconfigad -show


To unbind from the domain using the Apple plugin:

sudo /usr/sbin/dsconfigad -remove -username domain_admin_username


To list all of the users in the Directory Service and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Users


To list only the Active Directory users enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Users


To display detailed information about the specified Active Directory user:
/usr/bin/dscl /CentrifyDC -read /Users/username


To list all of the groups in the DirectoryService and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Groups


To list only the Active Directory groups enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Groups


To display detailed information about the specified Active Directory group name:
/usr/bin/dscl /CentrifyDC -read /Groups/groupname





To see if FileVault is enabled:

/usr/bin/fdesetup status


To list FileVault enabled users:

/usr/bin/fdesetup list


To disable FileVault:

sudo /usr/bin/fdesetup disable


To add a local or mobile account to the FileVault user list:

sudo /usr/bin/fdesetup add -usertoadd username



Smart Card


To see if smart card support is enabled: 
/usr/local/bin/sctool --status


To enable smart card support: 
/usr/local/bin/sctool --enable


To disable smart card support: 
/usr/local/bin/sctool --disable


To dump out all the certificates and Active Directory information present on the smart card:

/usr/local/bin/sctool --dump


To get a new Kerberos ticket:

/usr/local/bin/sctool --pkinit


Related Articles:


A Centrify Server Suite Cheat Sheet

Centrify provides an account migration tool that simplifies the process of converting a local account's home directory into the Active Directory account. Migrating the account helps to save the user's files, application settings, and browser bookmarks.


Using local MacOS administrator accounts can lead to security and compliance issues such as unauthorized sharing of the administrator password with non-administrators or remote access by a former employee. The secure approach is to grant Active Directory users Mac administrator rights to minimize risk and meet regulatory compliance. This article will show you how to grant Mac administrator rights to Active Directory users through Centrify's Active Directory group policy settings.


 1. In Group Policy Management, create a GPO and enable: Computer Settings > Policies > Centrify Settings > Mac OS X Settings > Accounts > Map zone groups to local admin group




   a) Click on the Add... button. A new window will appear.




   b) Click on the Browse button. A new window will appear. You can enter a group name manually in this window, but it is better to browse and select the group to ensure the proper group name is entered.





   c) Enter a keyword into the Name field for the Active Directory group that you want to add, then click on Find Now. Make sure you add IT/helpdesk team and any user that needs admin rights on the Mac.




   d) Select the desired group name and click OK.




The setting will apply when the user logs out and logs back in.


If your Mac is using Zone mode, use the following article:



Prevent unauthorized access and minimize risk by restricting MacOS login access to specific Active Directory users or groups. 


How to retain the user's Mac home directory when a user wants to change their name after marriage or divorce.


Validating Centrify Zone Delegations

By Centrify Contributor II on 01-06-2017 07:06 AM

One of the major strengths of Centrify Server Suite is that all UNIX identity and authorization data is stored as Active Directory objects in Centrify Zones. As a consequence, delegations of zone management tasks are stored in Discretionary Access Control Lists (DACLs) on Centrify Zone objects in Active Directory.


The Zone delegations can be implemented using PowerShell (for example, using the Set-CdmDelegation PowerShell cmdlet, which is included with the Centrify.DirectControl.PowerShell module), or by using the 'Delegate Zone Control' context menu option in the Centrify DirectManage Access Manager console. Either method lets you choose from a list of granular zone delegation tasks that can be delegated to an Active Directory user or security group.



Figure: List of zone delegations in Access Manager

Figure: Applying zone delegations using the Centrify PowerShell cmdlet

As part of an engagement, Centrify Professional Services can help you design a delegation model using a RACI matrix, and implement the resulting zone delegations. This allows for implementing least privilege, where (for example) the service account for the zone provisioning agent can only add/remove UNIX profiles to/from a zone, but nothing more than that. If the ZPA service account gets compromised, it cannot be (ab)used to modify UNIX authorizations.


A recurring question from customers during these engagements is: how can we validate that the delegations that have been implemented are actually in place?




This article details the methods available to implement zone delegations, and how zone delegations can be validated.


The attached script can be used with the Deployment Manager to unbind a Mac that is bound to Active Directory via the Apple Directory Services plugin. This will allow mass deployments of the Centrify agent with binding to Active Directory using the Centrify Directory Services plugin.


Centrify's cloud platform, the Identity Service, can be configured to allow users to unlock their Active Directory accounts from the User Portal. The user is able to unlock their account without any administrator interaction, relieving your system administrators and helpdesk team of that task.


If your company is planning to migrate its email to Office 365, or if you are a current Office 365 customer struggling with user synchronization problems, this article is for you.

