
KB-7393: How to configure the updated 2016.1 DirectControl agent to support MFA over HTTPS to the Cloud Connector


Product: Authentication Service
Component: Unix Agent
Version: 5.3.1
Tags: MFA, adclient, DirectControl, https, http, vulnerability
Applies to: 

Centrify Server Suite customers who use multi-factor authentication (MFA) on their Linux / Unix machines


Question: 

What configuration changes are needed for MFA to work after HTTP is deprecated in Centrify Identity Service 16.9?


Answer: 

Two things must change for MFA to keep working once Centrify Identity Service 16.9 is released and the HTTP path to the Cloud Connector is gone: the connector's IWA service must be switched to HTTPS with a certificate the Linux / Unix machines trust, and the DirectControl agent must be updated to a build that talks to the connector over HTTPS. 

1. Configure IWA for HTTPS: 


There are two options to configure IWA for HTTPS: 

Option 1: Trust Centrify Tenant CA (Recommended):

All installed connectors are automatically issued a host certificate sufficient for IWA purposes by a CA created specifically for your tenant by the cloud service. The public root certificate for this CA is available for download using the “Download your IWA root CA certificate” link when viewing cloud connector properties within the cloud manager settings interface. 
  1. In Cloud Manager, click Settings and choose Network from the menu on the left. 
  2. Select the cloud connector you would like to configure. 
  3. Ensure "Use HTTPS for IWA Negotiations" checkbox is checked. 
  4. Click the "Download your IWA root CA Certificate" link to retrieve the public certificate for the tenant CA. 
Once the tenant CA certificate is downloaded, every Linux / Unix machine that uses MFA must trust it; without that root the agent cannot validate the connector's HTTPS certificate and the IWA negotiation fails. Follow the steps below to distribute it via Group Policy (the agent pulls trusted root certificates from the GPO into /var/centrify/net/certs/ on its next adgpupdate). 
  1. Open the downloaded root certificate and go to the Details tab. 
  2. Click "Copy to file" to start the Certificate Export Wizard.
  3. In the wizard, choose the DER encoded binary X.509 (.CER) format, then click Finish. 
  4. Open Group Policy Management Console.
  5. Find an existing or create a new GPO to contain the certificate settings.
  6. In the navigation pane, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities
  7. Click the Action menu, and then click Import.
  8. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

Option 2: Bring Your Own CA (Advanced Users):

If an Enterprise CA is already available and trusted by your Linux / Unix endpoints, a certificate issued by that CA may be uploaded through the management portal; the cloud service then pushes it to the Cloud Connector automatically. Besides being issued by a CA the endpoints trust, the certificate must carry both names the agents may connect to, otherwise TLS hostname validation fails:
  • a SAN or Subject matching the machine's short name
  • a SAN or Subject matching the machine's hostname as configured in the management portal
To configure a connector using an existing certificate: 
  1. In Cloud Manager, click Settings and choose Network from the menu on the left.
  2. Select the cloud connector you would like to configure. 
  3. Ensure "Use HTTPS for IWA Negotiations" checkbox is checked. 
  4. Click Upload and navigate to the location of the certificate trusted by your environment.
Note: 
  • The certificate must be uploaded as a PKCS#12 file (.pfx or .p12) that includes the private key; see the Microsoft article How to Export a Certificate with the Private Key. Because that file holds the connector's private key, protect it with a strong password while it is in transit and delete the local copy once the upload has succeeded. 
  • If the machine is joined to an Auto Zone (Express Mode), Group Policy cannot push the certificate, so install it by hand: 
  1. Copy the root CA certificate, in PEM format, to /var/centrify/net/certs/<CertName>.cert. The openssl command in the next step reads PEM by default; if all you have is the DER (.cer) export from the wizard above, convert it first: openssl x509 -inform DER -in <CertName>.cer -out /var/centrify/net/certs/<CertName>.cert 
  2. Create the subject-hash symlink next to the certificate. Run the command from /var/centrify/net/certs; otherwise the link is created in whatever directory you happen to be in and is never found: 
     cd /var/centrify/net/certs && ln -s <CertName>.cert `openssl x509 -hash -noout -in <CertName>.cert`.0 
     If a <hash>.0 link for a different CA already exists, use .1, .2, and so on. 
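The Express Mode steps above are easy to get subtly wrong (DER instead of PEM, the link created in the wrong directory, a hash suffix already taken), and the Option 2 prerequisites are easy to skip. The Bash script below is an added example, not code from this article or from Centrify: it wraps the manual install in a function that converts DER to PEM, places the hash link beside the certificate and takes the next free suffix, then checks a connector certificate the way Option 2 requires, namely that it chains to the installed CA and carries both the short name and the portal hostname. The CA, the connector certificate and the names connector01 / connector01.corp.example are constructed throwaway data, and a temporary directory stands in for /var/centrify/net/certs so the script runs without root; only openssl is assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the article or Centrify: manual CA install for an
# Express Mode (Auto Zone) host plus the Option 2 certificate checks.
# Assumptions: openssl is on PATH; a temp dir stands in for
# /var/centrify/net/certs so this runs without root.
set -euo pipefail

# install_ca_cert <ca-file> <name> <cert-dir>
# Copies the CA to <cert-dir>/<name>.cert (converting DER to PEM when needed)
# and links <subject-hash>.N -> <name>.cert in the same directory, using the
# first free N. Prints the path of the link.
install_ca_cert() {
  local src=$1 name=$2 dir=$3 dest hash n=0
  dest="$dir/$name.cert"
  mkdir -p "$dir"
  if grep -q 'BEGIN CERTIFICATE' "$src"; then
    cp "$src" "$dest"
  else
    # The Certificate Export Wizard produces DER; openssl x509 -hash expects PEM.
    openssl x509 -inform DER -in "$src" -out "$dest"
  fi
  hash=$(openssl x509 -hash -noout -in "$dest")
  while [ -e "$dir/$hash.$n" ]; do
    if [ "$(readlink "$dir/$hash.$n" || true)" = "$name.cert" ]; then
      echo "$dir/$hash.$n"   # already installed and linked
      return 0
    fi
    n=$((n + 1))              # another CA shares the hash: take the next suffix
  done
  ln -s "$name.cert" "$dir/$hash.$n"   # relative target, so the link survives a move of the dir
  echo "$dir/$hash.$n"
}

# verify_chain <cert> <cert-dir>: succeeds only if <cert> chains to a CA in <cert-dir>.
verify_chain() {
  openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# cert_has_dns_name <cert> <name>: succeeds if <name> is a DNS SAN or the Subject CN,
# which is what Option 2 requires for both the short name and the portal hostname.
cert_has_dns_name() {
  local cert=$1 want=$2 sans re
  sans=$(openssl x509 -noout -text -in "$cert" | grep -A1 'Subject Alternative Name' \
         | tail -n1 | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p') || true
  if printf '%s\n' "$sans" | grep -qxF -- "$want"; then
    return 0
  fi
  re=$(printf '%s' "$want" | sed 's/\./\\./g')
  openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
    | sed 's/^subject= *//' | grep -qE -- "(^|,)CN=$re(,|\$)"
}

# --- Constructed demo input (throwaway keys, not a real tenant CA) ---
WORK=$(mktemp -d)
CERT_DIR="$WORK/certs"                      # stands in for /var/centrify/net/certs
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
  -subj "/CN=Demo Tenant IWA CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.cnf"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
  -extfile "$WORK/ca.cnf" -out "$WORK/ca.pem" 2>/dev/null
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"   # as the wizard exports it
# A connector certificate issued by that CA with both names Option 2 requires.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=connector01" 2>/dev/null
printf 'subjectAltName=DNS:connector01,DNS:connector01.corp.example\n' > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -set_serial 1 \
  -days 2 -extfile "$WORK/san.cnf" -out "$WORK/leaf.pem" 2>/dev/null

LINK=$(install_ca_cert "$WORK/ca.cer" tenant_root "$CERT_DIR")
echo "installed $(readlink "$LINK") as $LINK"
verify_chain "$WORK/leaf.pem" "$CERT_DIR" && echo "connector certificate chains to the installed CA"
for n in connector01 connector01.corp.example; do
  cert_has_dns_name "$WORK/leaf.pem" "$n" && echo "name present: $n"
done
```

On a real host, call install_ca_cert with the downloaded root, a name of your choosing and /var/centrify/net/certs as root, then run verify_chain and cert_has_dns_name against the certificate you intend to upload in Option 2 before uploading it.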
 

2. Update DirectControl agents: 

Install the updated 2016.1 DirectControl agents: 
  1. Once IWA is configured for HTTPS, install the updated DirectControl 2016.1 agent on each Linux / Unix machine. 
  2. Updated packages are available from the following sources: 
Verify certificates are retrieved by agents and MFA functionality: 
  1. Once agents are updated, verify that the newly configured certificate is available under /var/centrify/net/certs/ 
  2. If it is not listed under the directory, please execute adgpupdate to force the machine to retrieve the certificate from AD. 
  3. Execute  /usr/share/centrifydc/bin/adcdiag as root. If the command succeeds with no errors reported, MFA should function correctly. 

If there are any MFA problems after HTTPS is implemented, check the following:
  • Run /usr/share/centrifydc/bin/adcdiag as root and see whether it reports any errors. 
  • Run /usr/share/centrifydc/bin/adcdiag -k. The -k option tests the connection to the cloud connectors without verifying the certificate; if that succeeds while the plain run fails, the problem is almost certainly the certificate or its trust chain. 
  • Ensure HTTPS and IWA are enabled for the connector in Centrify Cloud Manager. 
  • Verify that the certificate presented by the cloud connector is the expected one. -v prints the server certificate; note that -k disables verification so the request completes even when trust is broken, so drop -k to test the chain the agent will actually use: 
    # KRB5CCNAME=/etc/krb5.ccache /usr/share/centrifydc/bin/curl --negotiate -u : -k https://<cloudconnector.dc.com>:8443/iwa/SiteCheck -v
  • Ensure the correct root CA certificate is installed on the system and compare its subject and fingerprint with the CA you downloaded or uploaded (the trust_… file name below is an example; use the name present on your machine): 
    # openssl x509 -in /var/centrify/net/certs/trust_45F53543F2ED7D8E1CDE930E2E6323F215EB0C50.cert -text
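The last check above inspects one trust file by hand. The Bash script below is an added example, not code from this article or from Centrify: it audits the whole trust directory, printing each certificate's subject, SHA-256 fingerprint and expiry, and fails if any certificate lacks its subject-hash symlink or expires within 30 days, the two conditions a manual Express Mode install most often leaves behind without any visible error. The two self-signed CAs it creates are constructed demo data, a temporary directory stands in for /var/centrify/net/certs so it runs without root, and only openssl is assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the article or Centrify: audit every trust
# certificate in the adclient certificate directory before reaching for adcdiag.
# Assumptions: openssl is on PATH; a temp dir stands in for
# /var/centrify/net/certs so this runs without root.
set -euo pipefail

# hash_link_for <cert-dir> <file>: print the <subject-hash>.N symlink that
# points at <file> (absolute or relative target), fail if there is none.
hash_link_for() {
  local dir=$1 file=$2 hash link
  hash=$(openssl x509 -hash -noout -in "$dir/$file")
  for link in "$dir/$hash".*; do
    [ -L "$link" ] || continue
    if [ "$(basename "$(readlink "$link")")" = "$file" ]; then
      echo "$link"
      return 0
    fi
  done
  return 1
}

# audit_trust_dir <cert-dir>: prints subject, SHA-256 fingerprint, expiry and
# hash link for each *.cert; returns 1 if any certificate has no hash link or
# expires within 30 days (2592000 s).
audit_trust_dir() {
  local dir=$1 f name subj fp exp link status=0
  for f in "$dir"/*.cert; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | sed 's/^subject= *//')
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$f" | cut -d= -f2)
    exp=$(openssl x509 -noout -enddate -in "$f" | cut -d= -f2)
    if link=$(hash_link_for "$dir" "$name"); then
      link=$(basename "$link")
    else
      link="MISSING <hash>.N symlink"
      status=1
    fi
    if ! openssl x509 -checkend 2592000 -noout -in "$f" >/dev/null; then
      exp="$exp  <-- EXPIRES WITHIN 30 DAYS"
      status=1
    fi
    printf '%s\n  subject: %s\n  sha256:  %s\n  expires: %s\n  link:    %s\n' \
      "$name" "$subj" "$fp" "$exp" "$link"
  done
  return "$status"
}

# --- Constructed demo input: two throwaway self-signed CAs. The first is
# installed properly; the second was copied in without its hash link and is
# about to expire, the state a half-finished manual install leaves behind. ---
WORK=$(mktemp -d)
CERT_DIR="$WORK/certs"                      # stands in for /var/centrify/net/certs
mkdir -p "$CERT_DIR"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/a.key" -days 3650 \
  -out "$CERT_DIR/tenant_root.cert" -subj "/CN=Demo Tenant IWA CA" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/b.key" -days 3 \
  -out "$CERT_DIR/legacy_root.cert" -subj "/CN=Demo Legacy CA" 2>/dev/null
( cd "$CERT_DIR" && ln -s tenant_root.cert "$(openssl x509 -hash -noout -in tenant_root.cert).0" )

if audit_trust_dir "$CERT_DIR"; then
  echo "trust directory OK"
else
  echo "trust directory has problems, fix them before running adcdiag"
fi
```

Run audit_trust_dir /var/centrify/net/certs as root on a live host; the fingerprint lines let you compare what is installed against the root you downloaded from Cloud Manager without reading through the full -text dump.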





 
Solution Creator: Manabu McCloskey
