Problem: After upgrading Centrify DirectControl to 5.4.1 or greater, MFA no longer works.
Cause: Starting in Suite 2017.1 (5.4.1), Centrify added security enhancements that include certificate checking. The DirectControl agent now validates the certificate of the Centrify Identity Platform (CIP) to prevent the possibility of a spoofed certificate.
Resolution: Run the following to check for errors:
/usr/share/centrifydc/bin/adcdiag
Open the log created by this utility and check for the following error message:
SSL certificate problem: unable to get local issuer certificate
For Centrify Privilege Service On-premise/Customer Managed:
A) Download and Add the Centrify Identity Platform Certificate
1. Log into the Portal
2. View/download the certificate:
For a Chrome browser:
Press F12 -> select Security -> Certification Path -> select the Root CA -> View Certificate -> Details -> Copy to File -> Next -> DER format -> Next -> name the certificate and save it.
3. Import the certificate via Group Policy (GP):
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
4. Run adgpupdate
For Centrify Privilege Service Cloud:
A) Ensure you have a ca-bundle.crt that trusts the issuer of the platform certificate.
If you do not have a ca-bundle.crt, are running an older release, or your ca-bundle.crt is expired, do one of the following:
For example on RHEL:
yum update ca-certificates
OR
Download the attached cacert.pem and save it to your machine (the command below assumes it was saved to /tmp). Run the following to override the existing bundle with the updated CA certificates:
mv /tmp/cacert.pem /etc/pki/tls/certs/ca-bundle.crt
Note: adclient looks for the CA bundle in the following locations:
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem
/etc/certs/ca-certificates.crt
Make sure to move the downloaded file to one of the above locations.
OR
In /etc/centrifydc/centrifydc.conf, set the following parameter to the location of the CA certificate:
adclient.cloud.cert.store: <Location of CA cert>
Note: adcdiag does not honour the adclient.cloud.cert.store override and will still report the check as failed. Verify the parameter by attempting an MFA login.
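As an added check that is not part of this article or of Centrify's tooling, the following script finds the CA bundle adclient will use (the adclient.cloud.cert.store override first, then the search locations listed above) and verifies the CIP host certificate chain against it with openssl, so the "unable to get local issuer certificate" failure can be reproduced and confirmed fixed without disabling verification. CIP_HOST is an assumed placeholder for your tenant host name.

```shell
#!/bin/sh
# Added example (not Centrify's tooling): find the CA bundle adclient will use
# and verify the CIP host certificate chain against it with openssl.
# Search order adclient uses when no override is configured (from the article).
DEFAULT_BUNDLES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem
/etc/certs/ca-certificates.crt"

# Print the adclient.cloud.cert.store value from centrifydc.conf ($1); print
# nothing if the file or an uncommented key is absent. Last occurrence wins.
cert_store_override() {
    [ -r "$1" ] || return 0
    sed -n -e '/^[[:space:]]*adclient\.cloud\.cert\.store:/!d' \
        -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//' -e p "$1" | tail -n 1
}

# Print the bundle adclient would use: a readable override from conf ($1), else
# the first readable path in the newline-separated list $2 (default: the
# search order above). Returns 1 if none exists.
find_ca_bundle() {
    candidates="${2:-$DEFAULT_BUNDLES}"
    override=$(cert_store_override "$1")
    if [ -n "$override" ] && [ -r "$override" ]; then
        printf '%s\n' "$override"; return 0
    fi
    found=""
    while IFS= read -r p; do   # here-doc keeps the loop in this shell
        if [ -z "$found" ] && [ -r "$p" ]; then found="$p"; fi
    done <<EOF
$candidates
EOF
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Verify the CIP host ($1) chain against bundle $2, as adclient does. Returns 0
# only on "0 (ok)"; code 20 is "unable to get local issuer certificate".
check_cip_cert() {
    result=$(openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
        </dev/null 2>&1 | grep 'Verify return code')
    printf '%s\n' "$result"
    case "$result" in *'0 (ok)'*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone use; CIP_HOST is an assumed placeholder for your tenant host name.
if [ -n "${CIP_HOST:-}" ]; then
    bundle=$(find_ca_bundle /etc/centrifydc/centrifydc.conf) || exit 1
    echo "using CA bundle: $bundle"; check_cip_cert "$CIP_HOST" "$bundle"
fi
```

Run it as CIP_HOST=<your tenant host> sh check-cip-cert.sh; a non-zero verify code printed here is the same trust failure adcdiag reports, and it should turn into "0 (ok)" once the bundle or override is corrected.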
*** The following method is insecure and should be used for Eval/testing/troubleshooting only ***
B) Skip the check of the local issuer certificate.
1. Run /usr/share/centrifydc/bin/adcdiag -K
- -k skips verification of the CA cert for the Cloud Connector
- -K skips the check of the CIP host cert.
2. Add the following in /etc/centrifydc/centrifydc.conf:
adclient.cloud.skip.cert.verification: true