A Centrify Connector on an AWS private subnet allows you to:
- Integrate with an Active Directory domain that is associated with the private subnet,
- Use the Centrify Connector as a bastion host that is in the private subnet instead of public,
- Vault the passwords of local and domain service accounts used in the private subnet,
- Provide MFA login for Windows or Linux servers
- Provide MFA for other AWS services such as AWS Workspaces.
This article will go over the AWS and Centrify configurations you will need to use a Centrify Connector on an AWS private subnet.
Learn the basics of Microsoft Red Forest and how Centrify can be used to provide a more effective security strategy.
Learn how to protect Office 365 accounts from brute force attacks and prevent account lockouts. This article will show you how to use password-less authentication to prevent AD account lockouts and the distracting MFA notifications caused by brute force attacks.
Before you join a computer to AD, there are three things to check:
- DNS settings
- Computer name
- Network communication between the Linux/UNIX system and Active Directory domain controller(s)
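The three checks above, as an added example script that is not part of the original article: it validates the short host name against the usual AD computer-name limits, asks DNS for the domain's LDAP SRV records, and probes the ports on each domain controller it finds. The hostname rules, the port list (88, 389, 445, 464) and the use of dig with host as a fallback are my assumptions, not something the page specifies; the domain name is taken from the command line.

```shell
#!/bin/sh
# Added example (not from the Centrify page): pre-join checks for a Mac/Linux host.
# Assumptions (not from the page): the computer-name rules follow the common AD
# limits (NetBIOS name of at most 15 characters; letters, digits and hyphens only),
# and the port list is the set adclient and its tools are commonly expected to reach.

# Check 2 of the article: computer name. Takes a host name, strips any DNS suffix
# and returns 0 when the short name is usable as an AD computer name, 1 otherwise.
check_hostname() {
    name=${1%%.*}                        # keep only the part before the first dot
    [ -n "$name" ] || return 1
    [ ${#name} -le 15 ] || return 1      # NetBIOS limit; longer names get truncated
    case "$name" in
        *[!A-Za-z0-9-]*) return 1 ;;     # only letters, digits and hyphens allowed
        -*|*-) return 1 ;;               # no leading or trailing hyphen
    esac
    case "$name" in
        *[!0-9]*) ;;                     # at least one non-digit: fine
        *) return 1 ;;                   # an all-digit name is not a valid name
    esac
    return 0
}

# Check 1 of the article: DNS settings. The host must resolve the domain's LDAP SRV
# records, which only AD-integrated DNS serves. Prints one DC host name per line.
find_dcs() {
    domain=$1
    if command -v dig >/dev/null 2>&1; then
        dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | awk '{ sub(/\.$/, "", $4); print $4 }'
    elif command -v host >/dev/null 2>&1; then
        host -t SRV "_ldap._tcp.dc._msdcs.$domain" | awk '/SRV record/ { sub(/\.$/, "", $NF); print $NF }'
    fi
}

# Check 3 of the article: network communication with the DCs. Assumed port list:
# Kerberos 88, LDAP 389, SMB 445 (SYSVOL/GPO), Kerberos password change 464.
# nc -z only opens and closes the TCP connection; no data is sent.
check_dc_ports() {
    dc=$1; rc=0
    for port in 88 389 445 464; do
        if nc -z -w 3 "$dc" "$port" >/dev/null 2>&1; then
            echo "  $dc:$port reachable"
        else
            echo "  $dc:$port NOT reachable"; rc=1
        fi
    done
    return $rc
}

# Runs the three checks in order and stops at the first failure.
prejoin_check() {
    domain=$1
    echo "[1/3] computer name"
    if check_hostname "$(hostname)"; then
        echo "  ok: $(hostname)"
    else
        echo "  FAIL: $(hostname) is not a valid AD computer name"; return 1
    fi
    echo "[2/3] DNS SRV lookup for $domain"
    dcs=$(find_dcs "$domain")
    [ -n "$dcs" ] || { echo "  FAIL: no _ldap._tcp.dc._msdcs SRV records; check DNS settings"; return 1; }
    echo "$dcs" | sed 's/^/  DC: /'
    echo "[3/3] network reachability"
    for dc in $dcs; do
        check_dc_ports "$dc" || return 1
    done
    echo "all checks passed"
}

# Only runs when a domain is given on the command line, so the functions can
# also be sourced and used on their own. Usage: sh prejoin_check.sh corp.example.com
if [ $# -eq 1 ]; then
    prejoin_check "$1"
fi
```

Run it before adjoin. A failure in step 2 usually means the host points at a public resolver instead of AD-integrated DNS; a failure in step 3 points to a firewall or routing gap between the host's network and the domain controllers.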
The Centrify Agent for Windows™ provides organizations with the ability to secure Windows systems. This article's goal is to introduce the basic information (prerequisites, communications), deployment scenarios and tools available for each deployment option. The next articles in the series focus on specialized topics or use cases.
Security questions are like a second password prompt. Just like passwords, users tend to create weak or easy-to-guess answers. Unlike passwords, security questions usually do not have policies that enforce complexity, uniqueness and resistance to guessing.
Here are some tips to help make your security question answers stronger:
1. Use a non-corresponding answer.
Using an answer that does not correspond to the question makes it harder for unauthorized users to guess or find your answer. For example, if the question is your first car model, answer with "blankcowblueYogurt". If the question is your mother's maiden name, don't use your mother's maiden name as the answer: it might be acquired through social media, social engineering, stolen records, public records, malware, guessing or many other methods.
2. Avoid answers that are vulnerable to social engineering.
Even if you use a non-corresponding answer to a security question, unauthorized users may still try information that can be acquired through social media or social engineering, such as the name of your child, pet, school, or company.
3. Follow password complexity rules for your answers.
Security questions are just like a second password. Hackers may use brute force or dictionary attacks on a security question, so following password complexity rules helps make your security question answers more secure.
An easy-to-remember yet complex answer is four random words, such as "blankcowblueYogurt".
4. Use spaces if possible.
Older brute force and dictionary tools don't account for spaces, and even with modern tools a space makes the answer longer and harder to crack. Add a space in your answer if allowed, e.g. "blank cow blue Yogurt".
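Since the article notes that security questions rarely have an enforced policy, here is an added example (not code from the original page or from Centrify) of a small shell check that applies the four tips above to a candidate answer. The thresholds (16 characters minimum; four words or at least two character classes) and the list of harvestable facts are constructed assumptions for illustration, not a Centrify setting.

```shell
#!/bin/sh
# Added example (not from the Centrify page): a policy check for security-question
# answers that enforces the four tips. Thresholds and the harvestable-facts list
# are assumptions for illustration.
LC_ALL=C; export LC_ALL       # keep [a-z] style ranges ASCII regardless of locale

# Constructed sample of facts an attacker could harvest about one user from
# social media: child, pet, school, employer, mother's maiden name (tip 2).
HARVESTABLE="emma fluffy lincoln acme johnson"

# Counts how many character classes (lower, upper, digit, other) the string uses.
count_classes() {
    n=0
    case "$1" in *[a-z]*) n=$((n + 1)) ;; esac
    case "$1" in *[A-Z]*) n=$((n + 1)) ;; esac
    case "$1" in *[0-9]*) n=$((n + 1)) ;; esac
    case "$1" in *[!A-Za-z0-9]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# check_answer ANSWER TRUE_ANSWER
# Returns 0 if ANSWER passes every rule, 1 otherwise, printing the first rule
# that failed. TRUE_ANSWER is the literal, correct answer to the question
# (e.g. the real maiden name) and may be empty if unknown.
check_answer() {
    answer=$1
    truth=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    lower=$(printf '%s' "$answer" | tr 'A-Z' 'a-z')

    # Tip 1: the answer must not be the corresponding, truthful answer.
    if [ -n "$truth" ] && [ "$lower" = "$truth" ]; then
        echo "rejected: answer corresponds to the question"; return 1
    fi
    # Tip 2: no harvestable personal fact anywhere inside the answer.
    for token in $HARVESTABLE; do
        case "$lower" in
            *"$token"*) echo "rejected: contains harvestable fact '$token'"; return 1 ;;
        esac
    done
    # Tip 3: password-style complexity. Length first, then either four or more
    # words (tip 4, spaces allowed) or at least two character classes.
    if [ ${#answer} -lt 16 ]; then
        echo "rejected: shorter than 16 characters"; return 1
    fi
    set -f                      # no glob expansion while word-splitting the answer
    set -- $answer
    words=$#
    set +f
    classes=$(count_classes "$answer")
    if [ "$words" -lt 4 ] && [ "$classes" -lt 2 ]; then
        echo "rejected: fewer than four words and only one character class"; return 1
    fi
    echo "accepted ($words words, $classes character classes, ${#answer} chars)"
    return 0
}

# Demonstration on the article's own examples and a few weak answers.
check_answer "blankcowblueYogurt" "Honda Civic"
check_answer "blank cow blue Yogurt" ""
check_answer "Johnson" "Johnson"
check_answer "my dog Fluffy loves walks" ""
check_answer "correcthorsebattery" ""
```

A production version would also run the answer through the same dictionary list used for passwords; the point here is that the four tips translate directly into rules a self-service portal can enforce at enrollment time.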
Centrify MFA can use security questions for:
- AD password reset / account unlock
- Computer login (Windows / Linux / Unix)
- Privilege elevation (Windows / Linux / Unix)
- Remote access through Centrify's password vault.
- Password checkout for shared privileged accounts.
- AWS Workspaces
- Horizon View
- Accessing a web application
- Accessing the Centrify User and Admin Portals.
- VPN access
Centrify users can set up their security question(s) through the Account tab in the Centrify User portal.
Employee on-boarding, transitions and departures often require manual and time-consuming user administration tasks coordinated between HR and IT. Generally, identity originates in the HRIS system when the candidate becomes an employee. HR then coordinates with IT so that IT can create accounts for the new hire in Active Directory and every application required for their job. Similarly, during a transition or departure, HR coordinates with IT to modify or disable access in Active Directory and every application.
With an integration to Centrify, Workday can serve as the master employee database within the enterprise. New hires, transitions and departures are managed by HR within the HR system while Centrify automatically provisions or de-provisions accounts into Active Directory and downstream productivity applications. Specific benefits include:
- Automatic provisioning of new hires in Workday to Active Directory.
- Randomly generated Active Directory password automatically emailed to new hire.
- Automatic account updates (e.g. promotions, department changes) of employees in Workday to Active Directory.
- Automatic disablement of users in Active Directory when terminated in Workday.
Here is a demo video of how the integration can help streamline user administration in your enterprise:
See this work within your environment by registering for a free 30 day trial here.
Using a custom Centrify login URL offers a number of benefits, including a branded login screen, Integrated Windows Authentication, and being able to log in using your short name or samAccountName. This article will walk you through configuring the custom login URL for your Centrify tenant.
1. Log into your Centrify Admin Portal.
2. In the left column, navigate to Settings > Customization > Tenant URLs, then click on the Add button.
3. Enter your preferred unique name that is not used by another Centrify customer, then press Save. For example https://yourcompany.my.centrify.com
Once this is complete, you can log into the Centrify portal with your custom login URL.
Centrify User Portal: https://yourcompany.my.centrify.com
Centrify Admin Portal: https://yourcompany.my.centrify.com/manage
By default, Centrify automatically populates the username field with the User Principal Name for SAML web logins. However, some web logins expect first name, a space, then last name (e.g. John Smith) instead of the full UPN format (e.g. email@example.com).
To configure your web app in Centrify to auto-populate the username with the user's first name, a space, and last name:
1. Edit your web app and go to Account Mapping.
2. Select Use Account Mapping Script and enter the following into the script field:
LoginUser.Username = LoginUser.FirstName + " " + LoginUser.LastName;
3. Press Save.
"Why port 389?"
A customer recently emailed me asking a few questions about the Unix agent communication security with Active Directory
- "Why does the Centrify Unix agent (adclient) communicate with Active Directory over port 389?
- How is this communication secured?
- What are the implications to Active Directory? Specifically, how do we protect Active Directory against unsigned/unencrypted LDAP requests?"
Typically, this question tends to come from Security/Compliance and Unix teams. From their vantage point, interacting with LDAP over 389 raises a flag, since traditionally communications over this port tend to be unencrypted. If the question comes from the Active Directory team, they are usually looking for confirmation and assurance that our interactions with Active Directory align with best practices and their security expectations.
Integrating Active Directory with the Centrify Identity Platform allows you to log into the Centrify Admin Portal with domain credentials. This article will walk you through the integration and the System Administrator role assignment.
1. Integrate Active Directory with the Centrify Identity Platform
Install the Centrify Connector on a 64-bit Windows member server. See instructions. Once the Centrify Connector has been installed, all domain users will be able to log into the Centrify User Portal with domain credentials. To grant permission to log into the Admin Portal, you will need to add the domain user(s) or group(s) to the System Administrator role or any other role with administrative rights.
2. Add domain user(s) or group(s) to the System Administrator role
a) In the Centrify Admin Portal, go to the left column and navigate to Core Services > Roles.
b) Click on the System Administrator role.
c) Select Members then click Add and search for your desired domain user(s) and/or group(s) that you want to grant administrative rights to the Centrify Admin Portal.
Now you can log in with your domain credentials to the Centrify Admin Portal.
Step 1. Use Apple Configurator 2 to create the desired WiFi setting, then export the profile.
1. Launch Apple Configurator and select File > New Profile.
2. Enter a display name for the profile in General.
3. In the left column, select WiFi, click the Configure button, then enter your WiFi settings.
4. Once you have completed your configuration, go to File > Save.
Step 2. Upload the saved mobileconfig profile to your domain controller under \\yourdomain\SYSVOL\yourdomain\mobileconfig. Create this directory if it does not exist.
Step 3. Specify the profile in one of the following GPO settings to apply the WiFi settings:
- Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles or
- User Configuration > Policies > Centrify Settings > Mac OS X Settings > Custom Settings > Install MobileConfig Profiles
Other settings to consider:
- How to set up a workstation-authentication certificate for auto-enrollment
- How to set up a user-authentication certificate for auto-enrollment
- How to push WiFi settings via Centrify's cloud policy service
This tech blog explains how an Administrator can extend Active Directory to include the Exchange server specific Active Directory attributes, in order to use some additional Exchange specific features with Office 365, even though Exchange server is not (or was not) installed on premises.
Your Centrify Privilege Service (CPS) deployment could go a lot smoother with this checklist. This checklist is a high-level overview of the necessary tasks to prepare, deploy, configure, and validate a CPS environment.
Talking about our supported local clients for remote sessions, one of the questions I often get back is, "What about PowerShell?". In this post I will demonstrate how to launch PowerShell sessions from the Centrify cloud platform using PowerShell Web Access (PSWA).
We heard from some customers who would like to use AD credentials to authenticate to IBM Sterling Connect:Direct. IBM Sterling Connect:Direct provides security-rich, point-to-point file transfers to lessen dependency on unreliable File Transfer Protocol (FTP) transfers.
This Cheat Sheet should be used with Centrify Mac Agent version 5.2.4 and higher.
The Centrify Mac Diagnostic Tool location:
To join the domain in Auto Zone:
sudo /usr/local/sbin/adjoin --user domain_admin_username --workstation domain.com
To join the domain in Zone mode:
sudo /usr/local/sbin/adjoin --user domain_admin_username --zone zonename domain.com
To leave the domain and disable the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username
To leave the domain and remove the computer object:
sudo /usr/local/sbin/adleave --user domain_admin_username --remove
To leave the domain and leave the computer object untouched in Active Directory:
sudo /usr/local/sbin/adleave --force
To print information for the domain:
To print network diagnostic information for the domain:
sudo /usr/local/bin/adinfo --diag
To view licensing mode:
To enable licensed features:
sudo /usr/local/sbin/adlicense --licensed
To look up an Active Directory user's information:
/usr/local/bin/adquery user -A username
To look up an Active Directory computer's information:
/usr/local/bin/adquery user -A computername$
To look up an Active Directory computer's Manager (managedBy attribute used with FileVault policy):
/usr/local/bin/adquery user -b managedBy computername$
To look up an Active Directory group's information:
/usr/local/bin/adquery group -A groupname
To change the currently logged in user's Active Directory password:
To change an Active Directory user's password:
/usr/local/bin/adpasswd --adminuser domain_admin_username firstname.lastname@example.org
To flush the Mac agent cache (Active Directory users will need to log in again to cache their credentials after this is run):
The location of the Centrify configuration file:
The location of Centrify Kerberos tools:
To restart the Mac agent:
sudo /usr/local/share/centrifydc/bin/centrifydc restart
To turn on logging:
To turn off logging:
To clear out the current log file:
Log file location:
To uninstall the Mac agent:
To uninstall silently:
sudo /usr/local/share/centrifydc/bin/uninstall.sh --std-suite
To force group policy updates for both user and machine policies:
To update group policy for user policies only:
/usr/local/bin/adgpupdate --target User
To update group policy for machine policies only:
/usr/local/bin/adgpupdate --target Computer
To view the currently set group policies:
To view the currently set user group policies:
/usr/local/bin/adgpresult --user username
To view the currently set machine group policies:
The location of computer group policy reports:
The location of the user group policy reports:
The location of login scripts:
To retrieve machine certificates:
sudo /usr/local/share/centrifydc/sbin/adcert --machine --keychain
To retrieve user certificates:
/usr/local/share/centrifydc/sbin/adcert --user --keychain
The location of machine certificates:
The location of user certificates:
To see if the machine is joined to the domain using the Apple plugin:
To unbind from the domain using the Apple plugin:
sudo /usr/sbin/dsconfigad -remove -username domain_admin_username
To list all of the users in the Directory Service and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Users
To list only the Active Directory users enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Users
To display detailed information about the specified Active Directory user:
/usr/bin/dscl /CentrifyDC -read /Users/username
To list all of the groups in the DirectoryService and in Active Directory for the zone:
/usr/bin/dscl /Search -list /Groups
To list only the Active Directory groups enabled for the zone:
/usr/bin/dscl /CentrifyDC -list /Groups
To display detailed information about the specified Active Directory group name:
/usr/bin/dscl /CentrifyDC -read /Groups/groupname
To see if FileVault is enabled:
To list FileVault enabled users:
To disable FileVault:
sudo /usr/bin/fdesetup disable
To add a local or mobile account to the FileVault user list:
sudo /usr/bin/fdesetup add -usertoadd username
To see if smart card support is enabled:
To enable smart card support:
To disable smart card support:
To dump out all the certificates and Active Directory information present on the smart card:
To get a new Kerberos ticket:
Centrify provides an account migration tool that simplifies converting a local account, including its home directory, into the matching Active Directory account. Migrating the account preserves the user's files, application settings, and browser bookmarks.
Using local macOS administrator accounts can lead to security and compliance issues such as unauthorized sharing of the administrator password with non-administrators or remote access by a former employee. The secure approach is to grant Active Directory users Mac administrator rights, which minimizes risk and helps meet regulatory compliance. This article will show you how to grant Mac administrator rights to Active Directory users through Centrify's Active Directory group policy settings.
1. In Group Policy Management, create a GPO and enable: Computer Settings > Policies > Centrify Settings > Mac OS X Settings > Accounts > Map zone groups to local admin group
a) Click on the Add... button. A new window will appear.
b) Click on the Browse button. A new window will appear. You can enter a group name manually in this window, but it is better to browse and select the group to ensure the proper group name is entered.
c) Enter a keyword into the Name field for the Active Directory group that you want to add, then click on Find Now. Make sure you add IT/helpdesk team and any user that needs admin rights on the Mac.
d) Select the desired group name and click OK.
The setting will apply when the user logs out and logs back in.
If your Mac is using Zone mode, use the following article: https://centrify.force.com/support/Article/KB-3049-How-to-use-the-Map-zone-groups-to-local-admin-gro...
Prevent unauthorized access and minimize risk by restricting macOS login access to specific Active Directory users or groups.
One of the major strengths of Centrify Server Suite is that all UNIX identity and authorization data is stored as Active Directory objects in Centrify Zones. As a consequence, zone management delegations are stored as Discretionary Access Control Lists (DACLs) on the Centrify Zone objects in Active Directory.
Zone delegations can be implemented using PowerShell (for example, with the Set-CdmDelegation cmdlet, which is included in the Centrify.DirectControl.PowerShell module), or by using the 'Delegate Zone Control' context menu option in the Centrify DirectManage Access Manager console. Either method lets you choose from a list of granular zone delegation tasks that can be delegated to an Active Directory user or security group.
As part of an engagement, Centrify Professional Services can help you design a delegation model using a RACI matrix and implement the resulting zone delegations. This allows for least privilege, where (for example) the service account for the zone provisioning agent can only add/remove UNIX profiles to/from a zone, but nothing more than that. If the ZPA service account gets compromised, it cannot be (ab)used to modify UNIX authorizations.
A recurring question from customers during these engagements is: how can we validate that the delegations that have been implemented are actually in place?
This article details the methods available to implement zone delegations, and how zone delegations can be validated.
The attached script can be used with the Deployment Manager to unbind a Mac that is bound to Active Directory via the Apple Directory Services plugin. This allows mass deployments of the Centrify agent, binding to Active Directory with the Centrify Directory Services plugin.
Centrify's cloud platform, the Identity Service, can be configured to allow users to unlock their Active Directory accounts from the User Portal. The user is able to unlock their account without any administrator interaction, relieving your system administrators and helpdesk team of that task.
If your company is planning to migrate its email to Office 365, or if you are a current Office 365 customer struggling with user synchronization problems, this article is for you.
Centrify's Mac agent has an installation script that can be used to fully automate not only the install, but also the AD bind process. This can be helpful for automating Centrify agent deployments in imaging processes or other third-party deployment tools.
Did you know that you can give Active Directory users specific privileges without giving them full local administrative rights? You can, with Centrify's Group Policies, by mapping AD group membership to local groups on the Mac.