How to set up smart card authentication for login to the Centrify Privileged Access Service portal
The steps in this blog will only work if smart card authentication has already been set up and is working successfully for the Active Directory users in the Active Directory domain. For the purposes of this example, the Active Directory user "email@example.com" has been set up to require smart card authentication to log into the Windows systems in the Active Directory domain.
1. Log into the Centrify Portal.
2. Navigate to Access > Policies.
3. Select a relevant policy or create a new policy. For this example, we will use the existing "Default Policy".
4. Click into the "Default Policy".
5. Navigate to Authentication Policies > Centrify Services.
6. Under the "Other Settings" section of the page, select the option "Use certificates for authentication (bypasses authentication rules and default profile)".
7. Save the policy.
8. Upload your certificate authority chain to the Centrify portal. In the Centrify Portal, navigate to Settings > Authentication > Certificate Authorities. At this point, we need to locate the CA chain certificate:
   a. Locate the root certificate authority and export it. For this example, the certificate had to be exported into the accepted "p7b" format.
   b. Right-click the "centrifycms-CA-3" certificate, select "All Tasks", then select "Export". A wizard will open; follow the prompts.
   c. On the "Export File Format" page, select "Cryptographic Message Syntax - PKCS #7 Certificates (.P7B)".
   d. Click "Next".
   e. Browse to a location where the exported certificate chain will be stored.
   f. Navigate back to the Centrify PAS portal, to Settings > Authentication > Certificate Authorities.
   g. Click "Add". The "Trusted Certificate Authorities" window opens; it looks something like the screenshot below.
   h. Fill in the "Name" field.
   i. For the "Extract user login name as part of:" field, select "Principal Name from Subject Alternate Name (most commonly used)".
   j. Click the "Browse" button under the "Upload CA chain" section and browse to the location of the exported CA chain certificates.
   k. Click "Save".
   l. Open the Microsoft Internet Explorer browser, type in the URL of the Centrify portal and press the "Enter" key. If you have the IWA service (Integrated Windows Authentication) enabled on the connectors where the Active Directory user resides, pressing "Enter" should show a page that looks something like the screenshot below.
   m. A "Windows Security" prompt asking the user to "Select a Certificate" appears on the screen.
   n. Click "OK". Another "Windows Security" message asking the user to "Select a smart card device" will appear on the screen; click "OK".
   o. Another "Windows Security" message box prompting the Active Directory user for their PIN will appear on the screen. Type in the PIN and click "OK".
   p. The Active Directory user should now be successfully logged into the Centrify PAS portal with smart card authentication.
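To make step i concrete, here is an added example (not Centrify's code and not part of the original post) that walks a DER-encoded Subject Alternative Name and pulls out the User Principal Name otherName, which is the value the "Principal Name from Subject Alternate Name" option maps to the Active Directory user. The UPN OID (1.3.6.1.4.1.311.20.2.3) and the GeneralName tags are standard X.509 encoding rather than anything the post states, and the SAN bytes the script builds are constructed sample data; it needs only the Python standard library.

```python
# Added example: minimal DER walker for the UPN otherName in a SAN extension value.
# DER encoding of the Microsoft UPN otherName OID 1.3.6.1.4.1.311.20.2.3
MS_UPN_OID = bytes.fromhex("2b060104018237140203")


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (single-byte tags only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                  # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _walk(data: bytes):
    """Yield (tag, body) for each DER element in a concatenated byte string."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                       # long-form length: n & 0x7F length bytes follow
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n


def build_san(upn=None, email=None) -> bytes:
    """Constructed sample SAN value: optional rfc822Name [1] and UPN otherName [0]."""
    names = []
    if email:
        names.append(_tlv(0x81, email.encode()))                  # [1] rfc822Name
    if upn:
        value = _tlv(0xA0, _tlv(0x0C, upn.encode()))              # [0] EXPLICIT UTF8String
        names.append(_tlv(0xA0, _tlv(0x06, MS_UPN_OID) + value))  # [0] otherName
    return _tlv(0x30, b"".join(names))                            # SEQUENCE OF GeneralName


def extract_login_name(san_der: bytes):
    """Return the UPN from a SAN value, or None when no UPN otherName is present.
    An rfc822Name alone is ignored, so such a certificate maps to no AD user."""
    tag, body = next(_walk(san_der))
    if tag != 0x30:
        raise ValueError("SAN value must be a SEQUENCE")
    for gn_tag, gn_body in _walk(body):
        if gn_tag != 0xA0:                                        # not an otherName
            continue
        parts = list(_walk(gn_body))                              # [(OID), ([0] value)]
        if len(parts) != 2 or parts[0] != (0x06, MS_UPN_OID) or parts[1][0] != 0xA0:
            continue
        val_tag, val = next(_walk(parts[1][1]))
        if val_tag == 0x0C:                                       # UTF8String
            return val.decode("utf-8")
    return None
```

Running `extract_login_name(build_san(upn="email@example.com", email="mailbox@example.com"))` returns the UPN, not the e-mail address; a certificate carrying only an rfc822Name returns None, which is the case to check when a smart card user is prompted for a certificate but never gets logged in.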