Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

How to install the Centrify Client for Windows silently and remotely

Privileged Access Service ,  

30 April,21 at 04:23 PM

How to install the Centrify Client for Windows silently and remotely.

This technical blog post is intended to highlight some(of many) deployment methods for the Centrify Client for Windows

One can silently install the Centrify client for windows in one of the three ways:

1. Install locally via msiexec
2. Install remotely using PsExec tool 
3. Install using a 3rd party tools such as SCCM,PDQ Deploy

Considerations/Pre-requisites
This post is assuming the following are available:
- The Centrify Client for Windows has been downloaded and put on an accessible Windows share. The Centrify Client for Windows can be downloaded from the Centrify download Center or from the
Centrify Privileged Access Service Portal.
- PsExec Tool has been downloaded on the management system. I found this link helpful for downloading PsExec and setting up prerequisites:
Psexec: The Ultimate Guide
- The account that will be used to perform the install has Local Administrator permissions on the target systems.

Steps to download the Centrify Client for Windows from the Centrify Download Center:
1. Navigate to the Centrify Support download center
2. Click the product drop down menu and select the "Privileged Access Service" product.

downloadcenter1

3. Locate the "Centrify Client for Windows Server 2012r2, 2016, 2019" download, it looks something like this:

centrifyclientforwindows


Steps to download the Centrify Client for Windows from the Centrify Privileged Access Service Portal

1. Navigate to the "Downloads" section in the Centrify Privileged Access Service portal.
2. Locate the "Centrify Client for Windows" download. It looks something like this:

 

fromadminportaldownload


Once the Centrify Client for Windows is downloaded, proceed to place it on the target system.

Installing the Centrify Client for Windows locally on a Windows system:
1.  Place the Centrify Client for Windows in a known location

 

locationofcclient1

2. Open the Windows command prompt as Administrator on the target system and navigate to the location that holds the Centrify Client for Windows download
 

cclient1

3. Run the msiexec command, for my case, this is the command I used:
msiexec.exe /i cagentinstaller.msi TENANTURL=aau0350.my.centrify.com ENROLLCODE=1VMROSWI_I1KFGCK3E6EMEGL3OJ7AD5EIHCIRMVGUI41 PARAM="-F all /-l Everybody" /qn

TENANTURL - the URL of the tenant portal for your organization
ENROLLCODE - the code that is generated by the administrator of the tenant’s web portal.
PARAM - <any additional parameters that you want to pass to cenroll.exe. any additional parameters that you want to pass to cenroll.exe. For additional options for cenroll, see Using Centrify Client commands.
For the cenroll parameters in the command above, I have used the -F(--features) which Configures specific features for this system, I have chosen the "all" value so that all features can be enabled for the Centrify Client for Windows, the
-l(--agentauth) Specifies the roles to which the AgentAuth/login permission is assigned, in my case I want to assign the agent authentication feature to everybody hence I have used the "Everybody" role that exists in the Privileged Access Service portal.


cclient2


To verify that the installation was successful, we could open a new command prompt as Administrator(or Powershell as administrator) and run the "cinfo" command. If the installation was successful, the cinfo command should provide
results that are similar to this:


cinfo1


We could also locate the enrolled system in the Centrify Privileged Access Service portal under the Resources>Systems>SystemName

proof1


The local installation method can also be done via PowerShell,
1. Open PowerShell as Administrator
2. Navigate to the location of the Centrify Client for Windows download
3. Run the msiexec command, below is the PowerShell command I used:

msiexec.exe /q /i cagentinstaller.msi tenanturl=aau0350.my.centrify.com ENROLLCODE=1VMROSWI_I1KFGCK3E6EMEGL3OJ7AD5EIHCIRMVGUI41 PARAM='"-F all -l Everybody"'


powershell installation1



Troubleshooting:
Incase the installation and enrollment is not successful, there are logs that are helpful to identify the issue.
Logging can be enabled for the msiexec portion of the command, to enable logging, the following can be appended to the end of the command:

 /l*v c:\log\example.log 
In the above example, the "log" is a folder I have created on the local system, hence the "example.log file will get created in that location and will have the logging for the msiexec portion of the command.
For the Centrify logging, if the msiexec portion of the command is working, but the cenroll is failing, please locate the cenroll logs located here: 

C:\ProgramData\Centrify\Logs
If the Centrify Client for Windows installation is getting installed, but the "cinfo" command returns the message "Machine is not enrolled in Centrify identity platform" please look at the C:\ProgramData\Centrify\Logs\cenroll log file
for details why the cenroll is failing.


cenrolllogs1



Installing the Centrify Client for Windows remotely using the PsExec tool
The steps in this section assume that the prerequisites listed in the introduction of this blog have already been fulfilled.
1. Create a share on the management system to hold the Centrify Client for Windows installer. In my case I created a Windows network share named "share" and gave read permissions to "Everybody"
(Ensure that this share can be accessed from the remote systems where the Centrify Client for Windows will be installed)



share1


2. Place the Centrify Client for Windows download to the share


share2



3. Open the Command Prompt as Administrator and navigate to the location of the PsExec executable, run the psexec.exe command, this is the command I used:
psexec.exe \\rafiki1.centrify.aws -u centrify\gluganda -p *password* cmd /c "msiexec.exe /i \\member2.centrify.aws\share\cagentinstaller.msi TENANTURL=aau0350.my.centrify.com ENROLLCODE=1VMROSWI_I1KFGCK3E6EMEGL3OJ7AD5EIHCIRMVGUI41 PARAM="-F all /-l Everybody"" /qn

In the command above:
member2.centrify.aws: is the management system where the PsExec command is run
rafiki1.centrify.aws: is the remote system where the Centrify Client for WIndows will be installed
gluganda: is the user that has Local Administrator permissions on the target system(rafiki1.centrify.aws) to install the Centrify Client for Windows
-p: Is the password for the user performing the remote installation.(NOTE: this flag can be omitted from the command, and the executing user will be asked for a password at the execution prompt)
\\member2.centrify.aws\share: this is the location of the Centrify Client for Windows download



remotepsexecinstalltion1


A sign to look out for when the remote installation is successful is that the message"cmd exited on "target machine hostname" with error 0. This usually means that the execution was successful.
If the execution fails, a different error message will be presented that can be used for troubleshooting the failure.
To check whether the Centrify Client for Windows installed and enrolled as desired, you may run the cinfo command using PsExec as well



remotecinfocommand1


This PsExec method can also be used to perform the Centrify Client for Windows installation remotely on multiple target systems at the same time. The command to do this is similar to the one in the
previous step, but we will add the rest of the target systems to the command:
a) Using a comma to separate the systems:

psexec.exe \\rafiki1.centrify.aws,rafiki2.centrify.aws,rafiki3.centrify.aws,rafiki4.centrify.aws -u centrify\gluganda -p *Password* cmd /c "msiexec.exe /i
\\member2.centrify.aws\share\cagentinstaller.msi TENANTURL=aau0350.my.centrify.com ENROLLCODE=1VMROSWI_I1KFGCK3E6EMEGL3OJ7AD5EIHCIRMVGUI41 PARAM="-F all /-l Everybody"" /qn


psexeconmultiplesystems1


b) Have the PsExec tool read the target systems hostnames or IP addresses from a text file.
In my case, because I want to install the Centrify Client for Windows on a total of 4 remote Windows systems, all the four remote Windows systems are joined to my Active Directory Domain and have the hostnames:
rafiki1.centrify.aws
rariki2.centrify.aws
rafiki3.centrify.aws
rafiki4.centrify.aws

The command is similar to the one above, the only change is to remove the comma separated hostnames, and replace them with the @file the "file" is the filename containing the hostnames of the target systems.

psexec.exe @fileName.txt -u centrify\gluganda -p *Password* cmd /c "msiexec.exe /i \\member2.centrify.aws\share\cagentinstaller.msi TENANTURL=aau0350.my.centrify.com ENROLLCODE=1VMROSWI_I1KFGCK3E6EMEGL3OJ7AD5EIHCIRMVGUI41 PARAM="-F all /-l Everybody"" /qn

Installing the Centrify Client for Windows remotely using the PDQ Deploy tool
Another Option is to use the Free software PDQ Deploy. This is a 3rd Party tool that can be downloaded here:
https://www.pdq.com/downloads/
It does require that you sign up with an email address, first and last name. PDQ Deploy will email the download link to the email you use to signup.
Once downloaded, proceed to install PDQ Deploy on the management machine using defaults.
Once PDQ Deploy is installed, open the application.
- Navigate to Packages>NewPackage>

 

pdqdeploy1


pdqdeploy2

- Fill out the "Name, Version, Description" fields

 

pdqdeploy3


-  Leave the default values in the "Conditions" tab

 

pdq4


-  On the "Options" tab, make sure the proper User with appropriate permissions is populated in the "RUn AS" field. For my case, I am using the Deploy User because the deploy User has the needed permissions.
Leave the rest of the fields with the default values.


 

pdqdeploy4



- Click the "New Step" icon and select "Install"

 

pdqdeploy5


- On the "Details" tab, fill out the "Install File" by navigating to the location of your downloaded Centrify Client for Windows package.

 

pdqdeploy6


- Fill out the"Parameters" field. Put in the cenroll parameters like we have done in past commands. For my case, here is what I put into the "Parameters" field:
TENANTURL=aau0350.my.centrify.com ENROLLCODE=1VMROSWI_I1KFGCK3E6EMEGL3OJ7AD5EIHCIRMVGUI41 PARAM="-F all /-l Everybody"

Leave the rest of the fields on the "Details" tab to their default values.



pdqdeploy7



- Leave the "Conditions and Options" tabs as they are to their defaults. 
- Click the "Save" button to save your changes.



pdqdeploy8


- Exit out of the "Package" Window. Navigate back to the PDQ Deploy Application home interface.
- Locate the "Centrify Client for Windows" package, right click the package and select "Deploy Once"



pdqdeploy9



- Click the "Choose Targets" button. In my case, the target systems are in an Active DIrectory OU labelled "CentrifyCloudAgentCOmputers" so that is what I will select.
Note that PDQ Deploy allows you to select from a Text File, Target List etc...

pdqdeploy10



- After selecting the Target Systems, click the "OK" button


pdqdeploy11


- Click the "Deploy Now" button to kick off the deployment. You should also see a list of the Target systems in the left pane.


pdqdeploy12


- The PDQ Deploy console window will show the status of the deployment. Once it is complete we can check our Centrify Privileged Access Services Portal to see if the machines have been enrolled successfully into the portal.
The PDQ Deployment console window will look something similar to this:



pdqdeploy13



- In my Centrify Privileged Access Service Portal, I can see that the installation and enrollment of the Centrify Client for Windows was successful, as the target systems show up


evidenceSuccessful