Introduction:

This article is the third part of a series to show how to integrate Symantec VIP with the Centrify Identity Platform. The first part of this series discussed the value of this integration and walked through the end user experience at a high level. The second part of the series covered the pre-requisites, architecture, and setting up the Symantec VIP solution to act as the RADIUS server for this integration. Please review parts I and II before you read this article to get the full context of the integration and the value it provides to the business.

 

To review the first article in the series you can view it here.
To review the second article in this series you can go here.

 

Part III will cover the following:

  • Setting up Centrify Identity Platform to act as the RADIUS client to the Symantec Enterprise Gateway RADIUS server.
  • Testing the MFA at portal login to ensure it uses Symantec VIP


Disclaimers:

  • This posting is provided "AS IS" with no warranties and confers no rights.
  • This is a lab entry. It is only meant to show the reader one method for this integration and to provide an informal how-to guide on setting it up.
  • It's not meant for production design and does not address things like high availability and separation of duties.
  • Production designs require planning for people, process and technology.
  • Symantec VIP is a registered trademark of Symantec.
  • The versions of software used in this guide are supported as of 2018. There is no guarantee that future versions of the software released by the vendors will be compatible with this integration. It's always best practice to validate new versions of the software through official support channels.

Pre-requisites:

  • Please review the pre-requisites in part II of this blog series here

Assumptions:
This article focuses on the configuration of Symantec VIP to provide MFA (multi-factor authentication) for the Centrify platform policies and assumes that you have familiarity with Symantec VIP Access manager and the Centrify Identity platform. The article does not go into detail on how to set up the Centrify platform or Symantec VIP because there is a lot of documentation publicly available that covers these topics. This article also assumes that you read parts I and II of this series.

Let's get started by presenting the same diagram we showed you in part II as a refresher. We are going to be configuring the Centrify side of the diagram in this article.
diagram.png

 

Step 1

  • Let's set up the Centrify portal side of the integration. This step assumes you have a valid Centrify tenant created and have already installed a Centrify connector that has line of sight to your Symantec Enterprise Gateway server. Refer back to the architecture diagram above to see what I mean.
  • Create a test Authentication profile that is going to use a 3rd party RADIUS server for authentication.
Screenshot 2018-05-21 22.12.13.png

     

Step 2

  • Give the authentication profile a name and select 3rd party RADIUS authentication as one of the challenges. Configure the profile to challenge for the VIP token first and the password 2nd to prevent account lockouts.

 

Screenshot 2018-05-21 22.12.43.png

 

Step 3

 

  • Next, create a connection to the Symantec RADIUS validation server that will be fulfilling the authentication requests. You can do this under the Authentication section in Settings as shown below.

 

 

Screenshot 2018-05-21 22.13.57.png

 

 

Step 4

  • Give the RADIUS server a name and enter the hostname or IP address of the Symantec Enterprise Gateway (which is going to be listening for RADIUS connections).
  • Specify the RADIUS port that the RADIUS server is listening on and enter the server secret that was used in the Symantec Enterprise Gateway configuration.
  • Select a user identifier attribute of EmailAddress. The user identifier attribute is what Symantec Enterprise Gateway uses to look up your user and validate that they are entering the right code, so this setting is important for the lookup to occur accurately. In my case, the user attribute mapped to my Symantec VIP service is my email address in Active Directory.
  • Note: You can use other user attributes, and you can configure Symantec Enterprise Gateway to look up an attribute in AD directly. These alternate configuration options are not covered in this blog, but there is some flexibility in how you perform the user mapping between the 2 solutions.

 

radius server settings Screenshot 2018-05-21 22.14.33.png

 

Checkpoint

 

At this point, you have created a Centrify authentication profile that will use a 3rd party RADIUS server (i.e. Symantec Enterprise Gateway) and you have also created a 3rd party RADIUS server connection (also Symantec Enterprise Gateway) that is listening for RADIUS authentication requests on the port that we specified. Next, we will create the Centrify authentication policy that will generate the authentication request when we want to use Symantec VIP for authentication. 

 

Step 5

 

  • Create a new policy that will challenge the user with the new authentication profile we created.
  • Under Core Services, create a new policy and under policy settings, apply the policy to a test role in your environment. The members of this test role should have a Symantec VIP token available and registered in the VIP Access manager service. An example policy is shown below:

 

 

 policy settings Screenshot 2018-05-21 22.16.38.png

 

 

 Step 6

 

  • Next, under the same policy, find the “Login Policies” section as shown below.
  • You have the option of configuring a login policy for login to the Centrify portal, UNIX and Windows Servers, and Windows Workstations.
  • We will configure the login policy for the Centrify Portal as an example. Simply enable authentication policy controls and define the Default Profile as the VIP authentication profile that we created earlier.
  • NOTE: The Authentication Rules can further define when the user will be challenged using situational awareness. This is also known as adaptive authentication. You can use static rules (e.g. the user is not coming from my corporate IP) or you can use dynamic risk scores (e.g. the user is coming from the right IP and the same machine we registered with the user, but he is logging into an application he has never used before) to adaptively challenge the user for MFA. This is the real power of using the Centrify platform to drive the policy with a 3rd party MFA provider.

 

Screenshot 2018-05-21 22.17.37.png

 

Step 7

 

  • Configure the User security policy to enable 3rd party RADIUS authentication as an available option for the users that this policy applies to. 
  • With this setting, you are telling Centrify that the specific users that this policy applies to are allowed to use the 3rd party RADIUS authentication server (Symantec VIP in this case). This ensures that not everyone is driven to this authentication server if they don't need to be. 

 

Screenshot 2018-05-21 22.19.17.png

 

Checkpoint

 

Ok, that's it! Now you should be ready to test. Get your Symantec VIP token out, go to the Centrify portal login page and log in with your test user.

 

portal login Screenshot 2018-05-21 22.25.17.png

 

Press Next and you should see the option to log in with the Symantec VIP authenticator. Enter the passcode displayed by the Symantec VIP authenticator token.

symantec vip IMG_0004.png
vip code entry Screenshot 2018-05-21 22.25.43.png

 

Press Next and you will now be challenged for a password (since this is the order that we set in our authentication profile above).

 

password entry Screenshot 2018-05-21 22.26.08.png

 

Press Next after entering your password and voila! If everything worked, you should now be logged into the Centrify portal and you were able to authenticate with the Symantec VIP token for MFA. Now you can go about using single sign on to your corporate applications or go into the Administration section to manage your privileged identity management systems and resources.

 

infrastructure homepage Screenshot 2018-05-21 22.27.07.png

 

 

Conclusion

 

Thanks for following along with this three-part blog series. To recap, this blog series walked through the process of using the Centrify Identity platform to drive the authentication policy that leveraged the Symantec VIP infrastructure for MFA. The benefit of this integration is that if you are a Symantec VIP customer, you can maximize your existing Symantec VIP tokens for MFA to provide identity assurance to applications and infrastructure by driving the policy through the Centrify identity platform. This allows you to use a common set of security policies to provide MFA for web applications, server login, workstation login, privilege elevation, password checkout, and much more. It also allows you to take advantage of the Centrify platform without having to rip and replace your existing MFA provider. I hope this blog was helpful.

Centrify's App Gateway provides the ability to access internal web apps or intranet sites without a VPN. This helps provide just the right amount of access to third party vendors, or convenient access to internal resources from a non-work computer. This article will walk through the steps to enable App Gateway.

Read more...

The following Techblog details how to configure People HR with SAML for federation to Centrify Application Services. Also covered in this techblog are options to enhance the security posture using Centrify Multi Factor Authentication when users access People HR. The techblog finishes with a video clip showing the end user experience.

Read more...

Introduction:

This article is the second part of a series to show how to integrate Symantec VIP with the Centrify Identity Platform. Part II will cover the following:

  • Pre-requisites for setting up the test environment
  • High-level architecture of the solution
  • Configure Symantec VIP Manager hosted service
  • Install Symantec Enterprise Gateway on our Windows Server
  • Establish Trusted communications between the Enterprise Gateway and the Symantec VIP Manager service
  • Configure a RADIUS validation server to listen to RADIUS requests
  • Test the RADIUS validation server to ensure it is fulfilling the RADIUS requests sent to it.

 

The first part of this series discussed the value of this integration and walked through the end user experience at a high level. To review the first article in the series you can view it here.

Let's start configuring a test environment so you can try this out yourself. 

Disclaimers:

  • This posting is provided "AS IS" with no warranties and confers no rights.
  • This is a lab entry. It is only meant to show the reader one method for this integration and to provide an informal how-to guide on setting it up.
  • It's not meant for production design and does not address things like high availability and separation of duties.
  • Production designs require planning for people, process and technology.
  • Symantec VIP is a registered trademark of Symantec.
  • The versions of software used in this guide are supported as of 2018. There is no guarantee that future versions of the software released by the vendors will be compatible with this integration. It's always best practice to validate new versions of the software through official support channels.


Now that the disclaimers are out of the way, let's get started.

 

Pre-requisites:

  1. Obtain VIP Manager Account
    1. You need this to configure VIP Authentication, download Symantec Enterprise Gateway, and download documentation.
  2. Obtain Centrify tenant
    1. You need this to configure Centrify Identity Platform and download the Centrify Connector. You can obtain a free trial for Centrify Application Services or Centrify Infrastructure services here.
  3. A SmartPhone for Testing
    1. You need a smartphone to download the Symantec VIP Authenticator application and to register it with Symantec VIP.
  4. A Windows 2012 R2 Server
    1. You need this system to download and install the Symantec Enterprise Gateway and the Centrify Connector. This should be a domain-joined server, which allows the Centrify connector to connect to your on-premises Active Directory to perform user authentication services. The server will also need to allow outbound HTTPS traffic to the respective Symantec VIP and Centrify hosted services. Details of ports and settings can be found in each vendor's documentation.
  5. Microsoft Active Directory Environment
    1. You will need a test Active Directory environment to follow along with the example below. I am using domain functional level 2012 R2. Note that this process can be accomplished with any LDAP directory. 

 

Assumptions:

This article focuses on the configuration of Symantec VIP to provide MFA (multi-factor authentication) for the Centrify platform policies and assumes that you have familiarity with Symantec VIP Access manager and the Centrify Identity platform. The article does not go into detail on how to set up the Centrify platform or Symantec VIP because there is a lot of documentation publicly available that covers these topics.

Diagram:

The high-level flow diagram for this setup is as follows:

 

Screenshot 2018-05-28 22.21.25.png

 

The diagram above shows the Centrify and Symantec SaaS-based identity platforms, the Centrify Connector, the Symantec Enterprise Gateway, and Active Directory as the main components used in this example. The flow for this use case is as follows:

 

  1. The end user logs into the Centrify Portal or Centrify protected application/resource.
  2. Centrify will determine via policy that the user needs to be challenged for MFA by the Symantec VIP platform.
  3. The Centrify connector will pass the authentication to the Symantec Enterprise Gateway using RADIUS.
  4. Symantec Enterprise Gateway will leverage the VIP cloud service to authenticate the user with her VIP soft token.
  5. The VIP service will authenticate the VIP token code and send the result to Symantec Enterprise Gateway.
  6. Symantec Enterprise Gateway will pass the result back to the Centrify Connector.
  7. If MFA is successful, the Centrify Connector will then authenticate the user's AD credentials as per authentication policy.
  8. Active Directory will verify the user's credentials and send the result to the Centrify connector.
  9. The Centrify connector will pass the result back to the web application or resource server.
  10. Centrify will confirm the result and redirect the user appropriately.

Note:

  • This configuration does not take into account high availability.
  • The Active Directory LDAP authentication can be performed by Symantec VIP or Centrify but I have configured Centrify to perform the AD authentication so that we can challenge for MFA first through Symantec VIP, and AD authentication second with Centrify.

 

Setting up Symantec VIP Manager:

 

Step 1
The first step is to set up the cloud-based VIP Manager.

  • Log in to VIP Manager with your credentials and VIP credential.

Screenshot 2018-05-21 21.45.33.png

 

Screenshot 2018-05-21 21.46.47.png

 

  • Download Enterprise Gateway installation bits and install guide.

Screenshot 2018-05-28 23.07.30.png

 

Screenshot 2018-05-28 23.12.29.png

 

  • Download the Enterprise Gateway bits to the Windows Server where your Centrify connector is running, or on a server where it can communicate with the Centrify connector using RADIUS. We will come back to the Enterprise Gateway in a bit but for now, let's finish setup in the VIP manager.

Step 2

Next, we're going to create a test user. Note that the user ID is the email address because this is how we will later look up the user for AD validation. Also note that you need to download and register a Symantec VIP soft token credential for this user.

 

  • Create a test user (RADIUS - email address) with an email address and register a VIP credential.

 Screenshot 2018-05-28 23.23.02.png

 

Step 3

Next, you need to create a VIP certificate to establish a trusted connection between Enterprise Gateway and Symantec VIP.

  • Click on the Account tab at the top of the screen and then select “Manage VIP Certificates”.

manage vip certs.png

 

 

  • Create a new Certificate by clicking on “Request a Certificate”. This certificate will be needed on the Enterprise Gateway in order to establish a secure connection with the VIP manager.

Step 4

  • Our next step is to install Enterprise Gateway. Symantec provides detailed instructions on how to do this in this document. It's also relatively easy to click through without reading the documentation.
  • Run the setup wizard to install the Enterprise Gateway software to run as a Windows Service.

Step 5

  • Next, you need to log in to Enterprise Gateway (once it is launched in a web browser).
  • Once Enterprise Gateway is running, you need to configure the VIP certificate to secure communications to VIP manager. 
  • The screenshot below shows where you need to add the VIP certificate that you downloaded in Step 3. This will establish mutually authenticated (trusted) communication between your Enterprise Gateway and your Symantec VIP service. 

 

add vip cert.png

Step 6

Create a RADIUS Validation Server

  • We need to create a RADIUS validation server object in Symantec Enterprise Gateway to accept RADIUS connections from a RADIUS client. This is a key step because the Symantec RADIUS validation server will be listening for authentication requests from the RADIUS client. The Centrify connector will be the RADIUS client we set up in the next blog article. Refer back to the architecture diagram at the beginning for a visual reminder of how this will work if you're getting lost.
  • Create a RADIUS Validation Server object as shown below. You need to define where the RADIUS authentication requests will be coming from. This requires that you configure the server name that the RADIUS requests will be coming from, the server IP, an open port, and a shared secret. Note: We will use this information in the next blog article when we tell the RADIUS client where to send its authentication requests. The rest of the options can be left at their defaults for this simple test.

 

radius validation server.png

 

Step 7

  • Once this is set up, we need to test the validation server. Symantec includes a nice test tool to help you double check that your RADIUS connectivity is all set up.
  • The Symantec RADIUS tool is located in the Enterprise Gateway files under the tools directory. The syntax to test connectivity to the Enterprise Gateway acting as the RADIUS server is shown below.
  • Note: You can also use NTRadPing, which is a great tool to test RADIUS client-server communication.

RADIUS test.png

 

Checkpoint

 

Once the RADIUS validation test works, you are in good shape. We know that the Symantec Enterprise Gateway RADIUS validation server is listening, accepting authentication requests, and fulfilling those requests. Now the only thing left to do is to set up the Centrify Connector to act as the RADIUS client to the Enterprise Gateway. 

 

Note: If the test above did not work, make sure you have ports correct, shared secrets correct, make sure firewalls are open on appropriate ports, and make sure you are testing with the right username/password and Symantec VIP credential.
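As an added example (not code from this post, Symantec or Centrify), the following Python models the RADIUS Access-Request / Access-Accept exchange that the Step 7 test tool (or NTRadPing) performs against the validation server, with the PAP password obfuscation and the Response Authenticator that the client checks per RFC 2865; it also shows why a mismatched shared secret, the first thing the troubleshooting note above tells you to check, surfaces as a reply that fails verification rather than a clean reject. The user name (the email address used as the user identifier in this series), passcode, secret and NAS address are constructed lab values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    # Attribute = Type (1 byte) | Length (1 byte, header included) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def _pap_crypt(data, secret, req_auth, decrypt):
    # RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block);
    # the first block is keyed with the Request Authenticator.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def pap_encode(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_crypt(padded, secret, req_auth, decrypt=False)


def pap_decode(cipher, secret, req_auth):
    return _pap_crypt(cipher, secret, req_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(username, passcode, secret, ident, nas_ip, req_auth=None):
    """RADIUS client side (what the connector or the test tool sends).
    User-Name carries the user identifier (the email address in this series);
    User-Password carries the VIP passcode, PAP-obfuscated with the secret."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_encode(passcode.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def validation_server(request, secret, users):
    """Simulated validation server: decodes the passcode and answers Accept or
    Reject. Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    entered = pap_decode(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = hmac.compare_digest(users.get(user, b"\x00"), entered)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, request, secret):
    """Client side: trust a reply only if its Response Authenticator matches
    our Request Authenticator and our copy of the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def run_exchange(client_secret, server_secret, username, passcode):
    """Returns 'accept', 'reject' or 'bad-authenticator' for one test exchange."""
    users = {"radius@lab.example": b"123456"}  # constructed user -> current VIP code
    req = build_access_request(username, passcode, client_secret, 42, "10.0.0.5")
    resp = validation_server(req, server_secret, users)
    if not verify_response(resp, req, client_secret):
        return "bad-authenticator"
    return "accept" if resp[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(run_exchange(b"lab-secret", b"lab-secret", "radius@lab.example", "123456"))
    print(run_exchange(b"lab-secret", b"typo-secret", "radius@lab.example", "123456"))
```

A real test sends the request over UDP to the Enterprise Gateway host and port configured in Step 6; the functions above are the message-level part of that check.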

This concludes part II of this blog. As a review, we completed the following:

  • Covered the Pre-requisites for setting up the test environment
  • Provided a High-level architecture of the solution
  • Configured Symantec VIP Manager hosted service
  • Installed Symantec Enterprise Gateway on our Windows Server
  • Established Trusted communications between the Enterprise Gateway and the Symantec VIP Manager service
  • Configured a RADIUS validation server to listen to RADIUS requests
  • Tested the RADIUS validation server to ensure it was fulfilling the RADIUS requests sent to it. 

 

 

In the next article, I will go through the steps on the Centrify Portal to complete the setup.

 

You can find the next article (part III) in this blog here

To review part I of this article go here

How to configure SSO for Informatica Intelligent Cloud Services using SAML...

Read more...

A Centrify Connector on an AWS private subnet allows you to:

  • Gain better accountability of who is accessing the private subnet,
  • Apply role-based access to the private subnet,
  • Vault the passwords of local and domain service accounts being used in the private subnet,
  • Provide MFA login for Windows or Linux servers
  • Integrate with an Active Directory domain that is associated with the private subnet, 
  • Provide MFA for other AWS services such as AWS Workspaces. 

This article will go over the AWS and Centrify configurations you will need to use a Centrify Connector on an AWS private subnet.

Read more...

Maximize your Symantec VIP investment with Centrify

Many organizations are using Symantec VIP to provide MFA (multi-factor authentication) services for identity assurance, but (often times) their use cases are narrow in scope. For example, MFA may only be used at VPN Login or for a specific application login. I want to demonstrate how organizations can maximize their investment in Symantec VIP to provide MFA Everywhere by combining it with the Centrify Identity Platform. This includes MFA for web applications, server login, workstation login, privilege elevation, password checkout, and more. The key is to use the Centrify Identity Platform as the policy engine that drives MFA when needed. This empowers organizations to use a single source of policy to drive MFA Everywhere and take advantage of having a single platform to provide identity assurance for single sign-on, enterprise mobility management, and privileged identity management. Not only does this maximize the investment in their existing MFA solution (Symantec in this example), but it also allows them to leverage centralized administration, reporting, and risk-based analytics to drive logical access across the enterprise.

 

In our example below, we will leverage Symantec VIP to provide MFA to a web-based application. Additionally, I wrote an article a while back that explains how you can extend Symantec VIP to provide MFA in conjunction with Centrify Infrastructure Services (formerly known as Centrify Server Suite) at server login and privilege elevation. This solution allows you to centralize non-windows identities to Active Directory and use Symantec VIP to provide identity assurance for specific server related tasks.

Let us take a look at the high-level overview of what this looks like for the end user. If you would like to skip ahead to the setup, go to part II of this blog here

Step 1:

When an Active Directory user logs into the Centrify end user portal, he/she would be challenged with Symantec VIP as shown below:
portal login Screenshot 2018-05-21 22.25.17.png

 

Step 2:

The first authentication method is going to ask the user to provide the access code on his/her VIP token:

 

symantec vip IMG_0004.pngvip code entry Screenshot 2018-05-21 22.25.43.png

Step 3:

The second authentication will validate the user's LDAP directory password. We're using Microsoft Active Directory in our example. Once completed, the user will be taken to the user portal page.

 

password entry Screenshot 2018-05-21 22.26.08.png

The order of authentication (i.e. challenging for LDAP password second) can be controlled by policy. Challenging for the one-time passcode from the Symantec VIP token first prevents an attacker from locking out the end user's Active Directory account by ensuring the possession of the Symantec VIP token before allowing the user to enter her Active Directory password. It is a handy policy to have for an internet facing web application.


This is just one example of how an organization can leverage a Centrify policy while facilitating MFA with an MFA provider of their choice. Taking this further, organizations can configure adaptive authentication rules and take advantage of the Centrify machine learning analytics engine to dynamically decide whether a user's access is risky before challenging for MFA.


The benefits of this approach are that the organization can leverage an enterprise-wide access policy engine and make context-based decisions on when to authenticate with Symantec VIP for MFA. Additionally, this enables an organization to adopt Centrify without having to rip and replace their existing MFA provider and re-issue MFA tokens to all end users. This approach will maximize your investment for any MFA provider that can integrate with 3rd party solutions using standards like RADIUS and SAML federation.

To see more information on how to integrate the two Centrify and Symantec solutions to provide this functionality, please see the How-To articles in this series:

 

Part II - Configuring Symantec VIP

Part III - Configuring Centrify

 

Ever stayed up late at night dreaming of how awesome it would be to implement RADIUS in your environment?  Maybe that's a stretch...  But, before you wrestle with your VPN, try setting up a simple test configuration to get a feel for how it all works.  Look no further, because this blog will help you do just that!

Read more...

 

  1. Log into the Centrify Admin Portal.
  2. Go to Core Services > Policies.
  3. Edit an existing policy by clicking on the name of the policy or create one.

 

  4. Go to Endpoint Policies > Device Enrollment Settings, then select Yes in the “Show welcome screen on enrollment” drop-down. By default, it is set to Yes.

tech0.png 

 

  5. Go to Settings > Endpoints > Endpoint Customization, then check the box on the left of “Specify unique welcome message for supported languages.”

tech1.png 

 

  6. Below, a number of welcome messages for supported languages will be shown. By default, the welcome message for each language will state “This welcome text and logo can be configured by visiting https://(tenant).my.centrify.com/manage, under 'Settings'.”

 tech2.png

 

  7. You can edit the welcome message by clicking on a language. After any change, click the Save button.

 tech3.png

 

  8. When you enroll a device that is set to one of the languages listed in the table, it will show the welcome message attached to that language. Below shows a phone set to Spanish and to English.

 

IMG_0003.PNG
IMG_0001.PNG

Administrators today are implementing MFA in earnest, and often come across some instances where the "out of the box" options just will not do it. Sometimes, a user may ask to use his personal email address instead of corporate mail to log in.

Read more...

This article will explain how to set up Citrix StoreFront AD authentication with Centrify using SAML

Read more...

This article will help you set up a second factor of authentication to your Citrix StoreFront portal using Centrify Application Services

Read more...

This Tech blog article will guide you through the process of using Centrify Multifactor authentication for Pulse Secure VPN access. At the end of this article you will be in a position to deploy the Pulse Secure Connect virtual VPN appliance using Centrify strong authentication for your remote users.

 

 

Read more...

[How to] Configure Centrify to use Microsoft Authenticator for MFA

By Centrify Advisor IV on ‎03-23-2018 05:08 PM - last edited ‎04-03-2018 11:53 AM

Centrify supports OATH OTP clients for multi-factor authentication such as Microsoft Authenticator, Google Authenticator, Centrify's mobile app and more. Centrify can use OATH OTP for

  • self-service AD password reset,
  • web application access,
  • VPN,
  • computer login (Windows, Linux and UNIX),
  • privilege elevation (Windows, Linux and UNIX),
  • privilege password checkout,
  • and more.

This article will walk through the steps to configure Centrify and Microsoft Authenticator for multi-factor authentication. 

Read more...

Configuring Centrify Platform for Radius MFA support for Symantec Validation and Identity Protection (VIP).

 

There are several pre-requisites required to set this up in your environment.

 

  1. Access to a working instance of the Symantec VIP service (VIP Authentication Service).
  2. Access to a Centrify Environment, for this technical tutorial we will be primarily using Centrify Application Services.
  3. Centrify Connector installed.
  4. A Symantec VIP Enterprise Gateway setup to communicate from your network to the Symantec VIP service. In this guide, I set this up on a Windows 2012 server using Symantec VIP Enterprise Gateway 9.8.
  5. Ensure you have the appropriate ports/firewalls configured for network communication to occur between the different components of this integration.
Read more...

FIDO U2F (Fast IDentity Online Universal 2nd Factor) is an authentication standard hosted by FIDO Alliance (https://fidoalliance.org/) that uses USB or NFC devices based on similar security technology to those found in smart cards (https://en.wikipedia.org/wiki/Universal_2nd_Factor).

 

FIDO U2F provides a fast and convenient authentication mechanism for authenticating to web applications using multi factor authentication (MFA) with Centrify Application Services

 

Note: FIDO U2F is designed for web application authentication and should not be used for Server or Workstation authentication.

 

 

Read more...

Beef up your Phone-call based MFA with Centrify

By Centrify Contributor II on ‎02-22-2018 07:43 PM - last edited ‎02-23-2018 11:00 AM

MFA is becoming a necessity these days and Centrify makes it easy for you to deploy “MFA Everywhere”. You can support authentication factors like phone call, SMS, push notification, Yubikey, FIDO U2F, smartcards, OATH OTP, and the list goes on. For many of these authentication mechanisms, your users can simply leverage their own smartphone. But what if some of your users don’t have smartphones? Can you convince your CIO to purchase and manage hardware tokens? Many organizations want to get away from the overhead of managing tokens. You can see why MFA using a good old-fashioned phone call is a good option for these types of scenarios. The concept is easy: first, the user registers his/her phone number in the self-service portal. Then, at authentication time, the user confirms receipt of a phone call to his/her mobile device by pressing the # or * key (in addition to another knowledge-based factor). There you go, 2 factors of authentication completed. But there’s a catch.

Read more...

This is the second article in a series on Centrify's role in participating in or enhancing the Microsoft Enhanced Security Administrative Environment.

The first article in the series covered MS ESAE in FAQ form and introduced 10 principles derived from this environment.

In this article, we provide information about how Centrify can enable the implementation of those general principles and recommendations.

 

Please read the original article (link below) to get the full context of the information:

https://community.centrify.com/t5/TechBlog/Security-Corner-Centrify-and-the-Microsoft-Enhanced-Secur...

Read more...

In this series we discuss Microsoft's Enhanced Security Administrative Environment (ESAE) and how Centrify participates and provides additional capabilities in this model.

 

The first article on the series is an introductory post on the topic.

Read more...

Security questions are like a second password prompt. Just like passwords, users tend to create weak or easy-to-guess answers. Unlike passwords, security questions usually do not have policies that enforce complexity and uniqueness or limit guessability.

 

Here are some tips to help make your security question answers stronger:

1. Use a non-corresponding answer.

Using an answer that does not correspond to the question will make it harder for unauthorized users to guess or find your answer. For example, if the question is your first car model, answer with "blankcowblueYogurt". If the question is your mother's maiden name, don't use your mother's maiden name as the answer. Your mother's maiden name might be easily acquired through social media, social engineering, stolen records, public records, malware, easily guessed or many other methods.

 

2. Avoid answers that are vulnerable to social engineering.

Even if you use a non-corresponding answer to a security question, unauthorized users may still randomly attempt to use information that could be acquired through social media or social engineering such as the name of your child, pet, school, or company.

 

3. Follow password complexity rules for your answers.

Security questions are just like a second password. Hackers may use brute force or dictionary attacks on a security question. Following password complexity rules can help to make your security question answers more secure.

 

An easy to remember and yet complex answer is to use four random words like "blankcowblueYogurt".

 password_strength.png

Source: https://www.xkcd.com/936/

 

4. Use spaces if possible.

Older brute-force and dictionary tools often don't include spaces in their character sets or wordlists, and even with modern tools a space adds length and another character class, which makes the answer harder to crack. Add a space in your answer if the field allows it, for example "blank cow blue Yogurt".
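The four tips above can be turned into a policy check that runs when a user sets an answer. The following is an added example written for this article, not code from the original post or from Centrify; the thresholds, the list of harvestable facts and the wordlist size used for the entropy estimate are assumptions chosen for illustration.

```javascript
// Added example (not from the original post, not Centrify code): a policy check
// that applies the four security-question tips to a proposed answer.
// Thresholds, the harvested-fact list and the wordlist size are assumptions.

const MIN_LENGTH = 12;                 // assumed policy: at least 12 characters
const MIN_LENGTH_WITHOUT_SPACES = 16;  // assumed policy: longer when the field forbids spaces
const MIN_WORDS = 4;                   // assumed policy: four-word passphrase when spaces are allowed
const ASSUMED_WORDLIST_SIZE = 2048;    // 2^11 common words, the estimate behind xkcd 936

// Constructed sample of facts an attacker could harvest about this user from
// social media or public records (tips 1 and 2): maiden name, pet, school, employer, car.
const HARVESTED_FACTS = ["Smith", "Rex", "Lincoln High", "Acme Corp", "Honda Civic"];

function normalize(s) {
  return s.trim().toLowerCase().replace(/\s+/g, " ");
}

// Entropy of a passphrase of wordCount words picked uniformly from a list of
// wordlistSize words: wordCount * log2(wordlistSize). Four words from 2048 is 44 bits.
function passphraseEntropyBits(wordCount, wordlistSize) {
  return wordCount * Math.log2(wordlistSize);
}

// Returns { ok, reasons, entropyBits }. ok is true only when every check passes.
// entropyBits is null when spaces are not allowed, because word boundaries are unknown.
function checkSecurityAnswer(answer, harvestedFacts, spacesAllowed) {
  const reasons = [];
  const norm = normalize(answer);
  const words = norm === "" ? [] : norm.split(" ");

  // Tips 1 and 2: the answer must not be, or contain, anything harvestable.
  // Substring matching is deliberately strict; very short facts can cause false positives.
  for (const fact of harvestedFacts) {
    if (norm.includes(normalize(fact))) {
      reasons.push(`contains harvestable fact "${fact}"`);
    }
  }

  // Tip 3: treat the answer like a password; a single short word is a dictionary-attack target.
  if (spacesAllowed) {
    if (answer.length < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
    if (words.length < MIN_WORDS) reasons.push(`fewer than ${MIN_WORDS} words`);
  } else if (answer.length < MIN_LENGTH_WITHOUT_SPACES) {
    reasons.push(`shorter than ${MIN_LENGTH_WITHOUT_SPACES} characters`);
  }

  // Tip 4: with spaces the answer is a passphrase, so estimate its entropy per word.
  const entropyBits = spacesAllowed
    ? passphraseEntropyBits(words.length, ASSUMED_WORDLIST_SIZE)
    : null;

  return { ok: reasons.length === 0, reasons, entropyBits };
}

// Usage: the post's two recommended forms pass; the literal maiden name is rejected.
console.log(checkSecurityAnswer("blank cow blue Yogurt", HARVESTED_FACTS, true));
console.log(checkSecurityAnswer("blankcowblueYogurt", HARVESTED_FACTS, false));
console.log(checkSecurityAnswer("Smith", HARVESTED_FACTS, true));
```

The harvested-fact list is the part worth investing in: the other checks are the same as a password policy, while rejecting answers that contain what an attacker can already find is what makes the "non-corresponding answer" tip enforceable rather than advisory.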

 

Centrify MFA can use security questions for:

  • AD password reset / account unlock
  • Computer login (Windows / Linux / Unix)
  • Privilege elevation (Windows / Linux / Unix)
  • Remote access through Centrify's password vault.
  • Password checkout for shared privileged accounts.
  • AWS Workspaces
  • Horizon View
  • Accessing a web application
  • Accessing the Centrify User and Admin Portals. 
  • VPN access

Centrify users can set up their security question(s) through the Account tab in the Centrify User portal.

The Centrify IWA root CA certificate is required for silent authentication into the Centrify User Portal or Admin Portal, and for computer MFA login. This article will walk through the steps for downloading the IWA root CA certificate for deployment.

 

Prerequisite: Install the Centrify Connector on a 64-bit system or VM inside your network.

 

1. Log in to the Centrify Admin Portal. In the left column, navigate to Settings > Network > Centrify Connectors.

connector-navigation.png

 

2. Click the name of any Centrify Connector listed in the right pane. The Centrify Connector Configuration window will pop up.

connector-name.png

 

3. In the Centrify Connector Configuration window, click IWA Service, then click "Download your IWA root CA certificate".

download IWA root certificate.png

 

Make sure you select the link "Download your IWA root CA certificate" and not the Download button above the link.

rootCAcertificate.png

 

Next: Deploy the Centrify IWA root CA certificate using group policies.

 

Here is a video on how to do it.

Related article: [Howto] Spotting and Remediating issues with PKI Trust on MFA (UNIX/Linux/Windows) or Enrollment

Through exposed Centrify APIs we're able to send our data to wherever it needs to go


OAuth 2.0 is the industry-standard protocol for authorization...


[HOW TO] Setup a Centrify Identity Services for AWS tenant

By Centrify on 12-29-2017 01:56 PM - last edited 01-19-2018 10:42 AM

Background:

 

This visual, step-by-step blog post covers the setup of a new Centrify Identity Services for AWS tenant.

 

Instructions:

 

Step 1) Log in to AWS Marketplace and search for Centrify.

 

Screen Shot 2017-12-14 at 2.00.39 PM.png

 

Step 2) On the Centrify page, select Continue. Please note the pricing details, as these may differ.

 

Screen Shot 2017-12-14 at 2.00.54 PM.png

 

Step 3) On the next page, click the Subscribe button.

 

Screen Shot 2017-12-14 at 2.25.34 PM.png 

 

Step 4) Congratulations. Click "Set up your account".

 

Screen Shot 2017-12-14 at 2.25.45 PM.png

Step 5) You will receive an email with your Administrator account information.

 

Screen Shot 2017-12-29 at 2.44.38 PM.png

Step 6) Click the link in your email and use the login information from the email.

 

Screen Shot 2017-12-29 at 2.05.51 PM.png

 

Step 7) Log in and change your password.

 

Step 8) Enjoy.

Are you looking for some data that just isn’t covered in the stock reports?

 

You’ve come to the right place!  In this blog, I want to show you some of the basics of writing your own custom reports.


 

Every now and then, this situation presents itself in front of me:

 

-Is it possible for me to send one or more roles as a SAML attribute, inside of a SAML Assertion?

 

The answer to this question is yes, and here's how you do it:

 

  • Sending One Role:
    • Sending one role is much simpler than sending multiple roles.  It doesn't require an array, or any of that fancy stuff.  It requires one line of code:
      • setAttribute('role', "rolename");   In this example, 'role' is the name of the SAML attribute, and 'rolename' is, well, the name of the role in question.  Here's an example of a working piece of code, as well as the resulting SAML assertion:
        setAttribute('role', "IT_Admins");
        <Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>IT_Admins</AttributeValue>
        </Attribute>
  • Sending Multiple Roles:
    • Sending multiple roles is a bit more involved.  It does call for the above-mentioned 'fancy stuff' such as an array.  It requires a few more lines of code, which I'll explain:
      // Create a variable for the current logged-in user's role names
      var roleNames = LoginUser.RoleNames;

      // Create an empty array to hold the roles we want to send
      var attrArray = [];

      // Find all roles containing "Admin" (indexOf is case-sensitive)
      for (var i = 0; i < roleNames.Length; i++) {
          if (roleNames[i].indexOf("Admin") != -1) {
              var v = roleNames[i];

              // Push roles containing "Admin" into the array
              attrArray.push(v);
              trace("Role containing 'Admin' for this user: " + v);
          }
      }

      // Set the attribute 'role' to the values inside attrArray
      setAttributeArray('role', attrArray);
    • Right, so I've made this a little bit easier to explain here.  I've included comments (everything after //) that explain the logic of the above code.  The values you might have to modify are the search string "Admin" and the attribute name 'role'.  Starting from top to bottom:
      • if (roleNames[i].indexOf("Admin") != -1)
        • This line of code simply checks each of the user's roles to see if it contains the string "Admin".  Note that indexOf is case-sensitive, so a role named "admins" would not match.  Feel free to modify this to whatever you'd like.  Chances are if you're sending multiple roles to a SAML app, they should contain similar names, such as O365E1, O365E etc.  In this scenario, you could use 'O365' as your string.
      • trace("Role containing 'Admin' for this user: " + v);
        • This line of code simply gives you an output of which roles the user has that match your string.
      • setAttributeArray('role', attrArray);
        • As above, 'role' is the name of the attribute, attrArray is the value.  Feel free to change the former, but do not change the latter.
      • Here's an example of a SAML Assertion output:
        <Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
             <AttributeValue>SAML_Admin</AttributeValue>
             <AttributeValue>IT_Admin</AttributeValue>
             <AttributeValue>System Administrator</AttributeValue>
        </Attribute>
      • Here's the trace output:
        Role containing 'Admin' for this user: SAML_Admin
        Role containing 'Admin' for this user: IT_Admin
        Role containing 'Admin' for this user: System Administrator
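One thing to check before shipping the substring filter above to a production SAML app: indexOf("Admin") also matches any role that merely contains that string, so a role such as "NotAnAdminReader" would be sent to the service provider too, and the SP may map it to privileges. The following is an added example written for this article, not the post's script and not Centrify's own API. It reproduces the post's selection rule in plain JavaScript so it runs under Node, then contrasts it with an exact allowlist and an anchored pattern. LoginUser, setAttributeArray and trace are local stand-ins (an assumption) shaped like the objects the post's script uses, and the role names and allowlist are constructed sample data.

```javascript
// Added example: not the post's Centrify script and not Centrify's API. LoginUser,
// setAttributeArray and trace below are stand-ins (assumption) so this runs in Node.

// Constructed sample: what LoginUser.RoleNames might hold for one logged-in user.
const LoginUser = {
  RoleNames: ["SAML_Admin", "IT_Admin", "System Administrator", "NotAnAdminReader", "Everybody"],
};

// Stand-in for the script engine's attribute sink: records what would go into the assertion.
const assertionAttributes = {};
function setAttributeArray(name, values) {
  assertionAttributes[name] = values.slice();
}
function trace(message) {
  console.log(message);
}

// 1. The post's rule: any role whose name contains the search string. Over-inclusive
//    ("NotAnAdminReader" also contains "Admin") and case-sensitive ("admin" matches nothing here).
function rolesContaining(roleNames, needle) {
  return roleNames.filter((r) => r.indexOf(needle) !== -1);
}

// 2. Allowlist: send only the roles the SP is known to consume, compared exactly.
function allowlistedRoles(roleNames, allowlist) {
  const allowed = new Set(allowlist);
  return roleNames.filter((r) => allowed.has(r));
}

// 3. Anchored pattern: for a family of roles with a shared prefix, anchor the match so
//    that the search string appearing in the middle of an unrelated name is not enough.
function rolesMatching(roleNames, pattern) {
  return roleNames.filter((r) => pattern.test(r));
}

// Minimal XML escaping so a role name like "R&D <Admin>" cannot break the element.
function escapeXml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the <Attribute> element as it appears in the assertion, for inspection only;
// the IdP builds and signs the real assertion.
function renderAttribute(name, values) {
  const lines = values.map((v) => `  <AttributeValue>${escapeXml(v)}</AttributeValue>`);
  return [
    `<Attribute Name="${escapeXml(name)}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">`,
    ...lines,
    "</Attribute>",
  ].join("\n");
}

// The script body as it would run in the engine, using the allowlist rule.
function buildRoleAttribute(allowlist) {
  const roles = allowlistedRoles(LoginUser.RoleNames, allowlist);
  roles.forEach((r) => trace("Allowlisted role for this user: " + r));
  setAttributeArray("role", roles);
  return renderAttribute("role", assertionAttributes["role"]);
}

console.log(buildRoleAttribute(["SAML_Admin", "IT_Admin", "System Administrator"]));
```

If the SP really does need a whole family of roles, the anchored pattern (for example /^O365E\d+$/) keeps the post's convenience without the substring over-match; an explicit allowlist is the safer default when the SP maps role values to privileges.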

 

I hope you found this article is helpful, and as always if you have any questions- comment below.

 

-Nick 

 

Employee onboarding, transitions and departures often require manual and time-consuming user administration tasks coordinated between HR and IT. Generally, identity originates in the HRIS system when the candidate becomes an employee. HR then coordinates with IT so that IT can create accounts for the new hire in Active Directory and in every application required for their job. Similarly, during a transition or departure, HR coordinates with IT to modify or disable access in Active Directory and every application.

 

With an integration to Centrify, Workday can serve as the master employee database within the enterprise. New hires, transitions and departures are managed by HR within the HR system while Centrify automatically provisions or de-provisions accounts into Active Directory and downstream productivity applications. Specific benefits include: 

 

  • Automatic provisioning of new hires in Workday to Active Directory.
  • Randomly generated Active Directory password automatically emailed to new hire.
  • Automatic account updates (e.g. promotions, department changes) of employees in Workday to Active Directory.
  • Automatic disablement of users in Active Directory when terminated in Workday.

Here is a demo video of how the integration can help streamline user administration in your enterprise: 

 

 

See this work within your environment by registering for a free 30 day trial here.

This article describes an approach to integrating Centrify Server Suite for UNIX with a third-party MFA solution. We'll focus on PingID MFA from Ping Identity as our example.  The key points this article conveys are:

  1. The recommended approach  to implement a third-party MFA with Centrify Server Suite is through Centrify Identity Service. Whenever a CSS MFA policy is triggered, CSS UNIX agent calls into CIS which in turn brokers the request to the third-party MFA;
  2. For customers that don't want to implement CIS to enable third-party MFA for their UNIX systems, it is technically possible to configure a third-party MFA PAM module with the CSS UNIX agent without relying on Centrify Identity Service. However, there are several technical dependencies to consider. Section 4 addresses some of the risks and issues with this approach.

Centrify Identity Service Getting Started Guide

By Centrify on 01-18-2016 11:50 AM - last edited 02-07-2018 02:06 PM

[Admin Edit: Please go to the Identity Service Getting Started Microsite for an updated version of this guide]

 

Congratulations! You have taken the first step to protecting your organization from the leading point of attack in data breaches, compromised user credentials, while enabling your end users to easily access their business applications, all in one secure step.

 

To help drive a successful partnership, we have put together a set of resources for you to leverage. Within this document you will find a step-by-step guide that walks you through the implementation and deployment phases, as well as best practices for Centrify Identity Service.

 

 
Click here to access our Centrify Identity Service Technical Implementation Guide. This is a companion document which should be used in conjunction with this PowerPoint.
