Background

Last month, with the release of Server Suite 2016.1, Centrify expanded on the MFA Everywhere strategy adding support for UNIX systems (AIX, HP-UX, Solaris) for Server Login and Privilege Elevation, on Microsoft Windows, MFA was added for Privilege Elevation and finally, MFA  at login for Auto Zone and Classic Zones.  This means that Centrify Express for UNIX/Linux customers can use the industry-recognized Centrify Identity Service tenants can implement MFA or step-up authentication when accessing systems. 

This article covers the steps to implement MFA as an additional control to access systems integrated to AD with Centrify Express for UNIX/Linux.  The information in this article can also be applied to Classic zones and Auto Zone (workstation mode).

For an in depth discussion on Centrify Server Suite MFA, you can read this lab entry.

For information on how to get started with Centrify Identity Service, visit the Getting Started page.

Planning

Potential Stakeholders

• Centrify SMEs:  UNIX/Linux admins familiar with Centrify DirectControl (CLI tools and configuration)
  
• Security Lead:  The security lead can answer questions like these:
  a) What servers require step-up authentication for login?
  b) What users will be challenged for Multifactor at login?
  c) What users will have the rights to log in without multifactor or for troubleshooting purposes?
  
• IT/AD Infrastructure lead:   This SME will help setting up a Windows Server to act as the Centrify connector
• PKI Lead (optional):  If using enterprise trust to issue certificate to be used for Integrated Windows Authentication (IWA/SPNEGO) over HTTPS.

Technical Requirements

• Active Directory
  
• A supported Centrify Express OS with Centrify DirectControl 5.3.1 (2016.1) and up
  
• A Centrify Identity Service tenant  (you can sign-up for a trial here) with a Centrify Connector
  Centrify Connectors run on 64-bit Windows Servers and require outbound HTTPS connectivity (can be behind a proxy)
  
• A user with a supported MFA or step-up method (Phone Number, Mobile Number (for SMS), Centrify Mobile Authenticator for Push MFA, OATH OTP (Google Authenticator, FreeOTP, YubiKey, DUO, etc).
• If using Centrify Mobile Authenticator or Google Authenticator  you'll need an iOS or Android device

Centrify Parameters for MFA on Auto Zone

Centrify Express joins Active Directory in workstation mode.  This allows for quick integration with AD for all users without worrying about UNIX identity.  UNIX login, UID, primary group, GECOS, home and Shell are generated by the Centrify client.  Configuration can be managed via parameters.   The parameters introduced for MFA are the following:

• adclient.legacyzone.mfa.enabled: This parameter turns on MFA and it is set to false by default.
  
• adclient.legacyzone.mfa.cloudurl: This is the Centrify Identity Service tenant URL that is configured to grant MFA to the system.
  
• adclient.legacyzone.mfa.required.groups (or users):  These parameters specify which users (or members of the AD group) that will be challenged for multi-factor on login.
• adclient.legacyzone.mfa.rescue.users: These are the users that can access the system in case no tunnel can be established with the MFA service.
  

Other relevant parameters:

• adclient.cloud.connector:  This parameter can be used to specify a proxy server if in use.

Implementation

Scenario

We will get started with a Centrify Identity Service that has the Centrify Connector set up with the AD Bridge enabled.

To learn how to set up a Centrify connector you can always review the Getting Started guide.

First, we will enable MFA using information from a user in AD (e-mail, SMS, phone factor), then we will walk the user through the process of enrolling a mobile device (to enable Centrify Mobile Authenticator for push MFA) and we'll also use Google Authenticator for OATH OTP.

Configuring a Centrify Connector

Centrify connector configuration steps are outlined here. However, the steps are as follows:

1. In Admin Portal, navigate to Settings > Network > Centrify Connectors
2. Click the "Add Centrify Connector"
   
3. Download the bits and run setup.  All you need is the Centrify connector component.
4. You have to authorize the Centrify Connector following the steps on the wizard.  Refer to the link below for a video detailed steps.

Retrieve the IWA Cert

Since Centrify Identity Platform 16.10, IWA happens over HTTPS.  This means that you must deploy a public, enterprise or tenant certificate.  The steps below explain how to use the IWA certificate provided with the connector.

1. In Admin Portal > Settings > Network > Centrify Connectors > click the connector > IWA Service and click "Download your IWA root CA certificate"
   
   
2. Locate the file and try to open it with a text editor. If the text reads "--- begin certificate" you are dealing with a usable certificate.
   Save the file and transfer it to your target system (e.g. IWACert.crt)

Configuring your Centrify Identity Service tenant for Server MFA

There are 4 tasks to configure MFA for Servers in the Admin Portal side:

1. Role Creation
   Create a role that has the "Server Login and Privilege Elevation" right and contains the computer accounts that will be requiring multi-factor authentication.
   Admin Portal > Roles > New Role > [Rights and Members]
   
   
2. Authentication Profile
   Create an authentication profile that specifies the MFA methods to be used.
   Admin Portal > Settings > Authentication > Authentication Profiles
   
   Notes:  It is important to make the distinction between step-up authentication and multi-factor authentication (sometimes used interchangeably).  In addition to the login password challenge, an e-mail link delivered to your inbox qualifies as step-up, but push MFA from a registered mobile device (something you have) is MFA.
   Note that I've left out password and user-defined security question.  Checking password will re-prompt the user for their AD password and the answer to a security question is just another secret that can be obtained by social-engineering.
   
   
3. Set up an Authentication profile for Server Suite Authentication
   Admin Portal  > Settings > Authentication Profiles > Server Suite Authentication
   
   For Centrify Express, only the Access Profile applies.
4. Verification of Methods
   Make sure your users have the step-up methods populated in AD:
   
   If looking to provide Step-up via email, the user has to have a valid e-mail address.  For phone call, phone/mobile are required, for SMS mobile is required.

Configuring the UNIX/Linux System's PKI to use the tenant certificate

You need to make sure the ca-certificates package is installed in your system and that you append the certificate retrieved from the connector in the previous steps (IWACert.crt) to the ca-bundle file.

To check if the CA certificates bundle is installed

# On RHEL and derivatives 
$ sudo yum info ca-certificates
# If not installed
$ sudo yum install ca-certificates

To append the Centrify Connector IWA certificate to your existing CA bundle

$ sudo cat /home/user/IWACert.crt >> /etc/pki/tls/certs/ca-bundle.crt

Note:  This approach is recommended for a lab. Ideally you would have a public certificate or an Enterprise CA certificate deployed.  More info in this post.

Configure Centrify Express for MFA at login

This is a parameter-based configuration.  As defined above, you need at least 4 parameters in the /etc/centrifydc/centrifydc.conf file:

# set this one to true
adclient.legacyzone.mfa.enabled: true

# to require MFA, you can either use individual users or groups.
# groups are more efficient

adclient.legacyzone.mfa.required.groups: mfa-required
# all members of mfa-required AD group will be prompted
# rescue rights can be assigned for HA in case all CCs are down
# or there's no redundant connectivity to the cloud service

adclient.legacyzone.mfa.rescue.users: vip.user1, vip.user2
# vip users can access systems in case of comm failure
# The cloud URL is the key parameter to specify your tenant
# note that no direct internet connectivity is required, the CC
# will broker this.

adclient.legacyzone.mfa.cloudurl: https://unique-id.my.centrify.com:443/
# Use the unique URL instead of the vanity URL if you expect
# any changes.
# There are other parameters (e.g. for a Proxy server)

Save your changes and run an adreload or simply restart the centrifydc service.

Use adcdiag to check your work:

$  sudo /usr/share/centrifydc/bin/adcdiag

In my case, I just need to make sure that ChallengeResponse is set, since I'm using stock SSH.

 $ grep Challenge /etc/ssh/sshd_config
ChallengeResponseAuthentication yes 

Verification

login as: lisa.simpson
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
[Available mechanisms]
 1 - Mobile Authenticator
 2 - Yubikey or OATH Token
 3 - Email... @rpdemo.net
 4 - SMS... XXX-2980
 5 - Phone Call... XXX-2980
 6 - Phone Call... XXX-4210
Please select a mechanism [1]:       

E-mail

Device enrollment for Push MFA with Centrify's Mobile Authenticator

Push MFA enhances the experience and provides more meaningful information.  This requires that the current policy allows the user to enroll an Android or iOS device. 

OATH OTP (Google Authenticator, FreeOTP, Yubico Authenticator, Duo and more)

OATH OTP opens more possibilities with this open standard.  Users are easy to onboard, and there are a variety of Authenticators that can be used.

Enhancements

For those using Centrify Standard Edition with classic zones or workstation mode, you can use GPOs to manage the settings (or DevOps tools)

Centrify has also enhanced the documentation available for solutions like SecurID.  Check out the Documentation Center.

Video Playlist