KB-12215: How to silently install the Centrify Agent for Windows™ using Group Policies for MFA and Enrollment

11 April 2019 at 11:50 AM

Background

The Centrify Agent for Windows provides organizations with the ability to secure Windows systems.  This article's goal is to provide a simple set of instructions on how to deploy the software using Group Policy for the purposes of MFA and corporate enrollment.  Other articles in this series cover different deployment scenarios.


Recommended Reading

  • Centrify Agent for Windows Deployment Options - Introduction
    Provides an overview of the Windows agent pre-requisites, components and functionality, process, options, communication requirements, tools and where to obtain them, as well as some planning topics.  If you want to use this article with the right context, please stop and read this "level-setting" article first.
  • Centrify Agent for Windows™ Group Policies
    In this article we make heavy reference to the group policy objects that are used to configure and customize the software.  The linked documentation provides in-depth information on each GPO.
  • MFA - Troubleshooting (UNIX, Linux and Windows)
    This article explains how MFA relies on PKI, authorization and authentication profiles, plus offers tips to troubleshoot and fix MFA scenarios. 

What you'll need (tools)

  1. A Centrify Identity Services (or Privilege Service) instance configured for MFA
    • You should be able to retrieve the IWA root certificate.
    • The instance should be configured for MFA for Windows systems (Policy, Authentication Profile).
    • A Centrify connector running in the target network and reachable by clients (IWA over HTTPS).
  2. Centrify Agent for Windows installation (MSI package) and transform file (MST) version 2017.3 (build 3.4.3-872 or later).
  3. A non-dedicated domain-joined Windows system with:
    • Group Policy Management
    • Centrify Group Policy Management Extensions installed
  4. A dedicated domain-joined Windows system running:
    • Centrify Licensing Service
      This service can be shared with other services/utilities.
    • A network installation share to host the MSI and MST files (this can be a different server)
    • A Centrify Privilege Elevation service license installed.
      This is needed to be able to use the Group Policy Extensions.
  5. An Active Directory OU
    This is to keep the scope of the GPO being tested to a single place. 
  6. Privileges:
    • You must be able to create, edit and scope GPOs in the target OU.
    • You must be able to install software in your test system.
  7. One (or a handful) of current Windows 64-bit clients (e.g. Windows 10).
  8. For successful testing, you need to make sure your test users have a way to satisfy the MFA methods configured in the Authentication Profiles.  E.g. if step-up via email/SMS is set, the user must have an email address/mobile phone in the directory respectively.  If MFA via OATH OTP is set, the user must have onboarded her individual Authenticator app.

Note: The introductory post (link) has information on how to obtain these tools or how to set up pre-requisites.


Objectives and Assumptions

This technical post will cover one deployment scenario:

  • Leverages Centrify Identity Platform (App Services/Endpoint Services)
  • Multi-factor Authentication for Login (console/remote), screen unlock and offline mode.
  • Enrolls a Windows 10 system to the Centrify Identity Platform as a corporate-owned device.
  • Assumptions:  You understand the client's pre-requisites and communication requirements
    The introductory post (link) has all this information; this is to keep the use-case scenario posts easier to read.

Methodology:  We will use the Plan-Do-Check-Adjust methodology.


Diagram

gpo-dep-diag.png


Planning Topics

  • How will the PKI certificate be distributed?
  • What functionality is required?  (MFA, Windows 10 MDM enrollment, ZSO, Vaulting of Admin Accounts).
  • Interoperability:  Should Windows Credential providers be excluded from the chain?
  • Usability: What will be the grace period for MFA on screen saver unlock?
  • Offline/Safe Mode MFA:  Will this be enabled?  What rescue users will be designated?
  • Communications:  Depends on functionality or usage in your environment.  See network reference here (link).
  • Audit Trail:  Should the Centrify events be forwarded to the SIEM tool?

Implementation Overview

  1. Retrieve the IWA Trust certificate from your Centrify Platform Instance.
  2. Set-up a shared folder and copy the Centrify software.
  3. Create a test organizational unit (OU) and AD Groups.
  4. Create a GPO and tie it to your test OU.
  5. Configure the Windows GPO Settings.
    • Add the Centrify GPO extensions.
    • Configure PKI trust settings.
    • Assign the Software for GPO deployment.
  6. Configure the Centrify GPO Settings
    • Platform Instance URL.
    • Enable MFA.
    • Specifying which users are required to sign-in with MFA.
    • Specifying which users will be designated for rescue rights.
  7. Enabling Automatic MDM Enrollment.


I. Retrieve the IWA Trust certificate from your Centrify Platform Instance

  1. Sign in to your instance, navigate to Admin Portal > Settings > Network > Centrify Connectors and double-click an active connector for your environment.
  2. Go to the IWA Service tab, and click “Download your IWA root CA certificate”.
    iwa.png
  3. Note the location of this file (e.g. Downloads).

II. Set-up a shared folder and copy the Centrify software

You will be performing these steps from the domain-joined Windows system hosting the file share.

  1. Using Windows Explorer, create a new folder (e.g. software).
  2. Copy the MSI (Microsoft Installer File) and Transform (MST) files obtained from Centrify to this folder.
    caw-bits2.png
  3. Share the folder (using advanced sharing) and make sure Authenticated Users has read-only permission.
    This allows any domain user (including workstations, which read the share as their computer account) to read from this share if they are authenticated in the domain.  Do not grant write access beyond administrators: anyone who can replace the MSI on this share gets code run as SYSTEM on every computer that applies the GPO.  Feel free to use a more restrictive permissions scheme if needed.  Make sure you know the UNC path of this share (e.g. \\servername\software).
  4. Make sure the file share is accessible from all your Windows test systems.
    Failure to verify this will cause everything else to fail.
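The steps above, as an added PowerShell example (this is not code from the original article or from Centrify): it creates the folder, shares it with read-only access for Authenticated Users, locks the NTFS permissions down so only administrators can write, records the package hashes, and then checks that the MSI and MST are reachable over UNC. The server name, local path, share name and the source folder for the Centrify package are assumptions.

```powershell
# Added example, not part of the original article. Run on the domain-joined
# file server. Paths, share name and the package source folder are assumptions.
$FolderPath = 'C:\software'
$ShareName  = 'software'
$ServerName = $env:COMPUTERNAME
$PackageSrc = 'C:\Downloads\Centrify'     # where the MSI/MST from Centrify were saved

New-Item -ItemType Directory -Path $FolderPath -Force | Out-Null

# Copy the Centrify MSI and MST (version 2017.3, build 3.4.3-872 or later) to the share folder.
Copy-Item -Path (Join-Path $PackageSrc '*.msi') -Destination $FolderPath
Copy-Item -Path (Join-Path $PackageSrc '*.mst') -Destination $FolderPath

# Share permissions: Authenticated Users may only read. Group Policy software
# installation runs as SYSTEM on every client, so write access here equals
# code execution on every machine in the OU; restrict it to Administrators.
New-SmbShare -Name $ShareName -Path $FolderPath `
    -ReadAccess 'Authenticated Users' -FullAccess 'Administrators' | Out-Null

# NTFS permissions: drop inherited ACEs and grant read/execute only to Authenticated Users.
icacls $FolderPath /inheritance:r | Out-Null
icacls $FolderPath /grant:r 'Authenticated Users:(OI)(CI)RX' `
                             'Administrators:(OI)(CI)F' `
                             'SYSTEM:(OI)(CI)F' | Out-Null

# Record SHA-256 hashes of the package files so a later tamper check is possible.
Get-ChildItem -Path $FolderPath -Include *.msi, *.mst -Recurse |
    Get-FileHash -Algorithm SHA256 |
    Format-Table Hash, Path -AutoSize

# Verification (run from each test client). Because the GPO installs the package
# as SYSTEM, run this as SYSTEM where possible (e.g. Sysinternals: psexec -s powershell).
$Unc = "\\$ServerName\$ShareName"
if (-not (Test-Path -Path "$Unc\*.msi")) { throw "MSI not reachable at $Unc" }
if (-not (Test-Path -Path "$Unc\*.mst")) { throw "MST not reachable at $Unc" }
Write-Host "Share $Unc is reachable and the MSI/MST are present."
```

If the client-side check fails under the SYSTEM account but works as a user, the share or NTFS ACL is missing Authenticated Users (which covers computer accounts), and the software assignment in section V will silently fail.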

III. Create a test organizational unit (OU) and AD Groups.

You will be performing these steps from a secure domain-joined Windows system with Active Directory management tools (e.g. ADUC or PowerShell).

  1. Open Active Directory Users and Computers.
  2. In the proper location in your domain tree, create a new OU, and give it a name (e.g. “Deployment”)
  3. Now let's create two Security Groups.  In a designated OU, select New > Group.  Make sure this is a security group with the proper scope.  The names can be something descriptive like "Centrify MFA Users." and "Centrify MFA Rescue Users."
  4. Leave ADUC open for any other future tasks.

IV. Create a GPO and tie it to your test OU

You will be performing these steps from a secure domain-joined Windows system with the Group Policy Management console.

  1. Open GPMC and expand your forest and domain, then browse to the newly-created OU.
  2. Right-click the Deployment OU and select “Create a GPO in this domain, and Link it here…”.
    gpocreate.png
  3. Set a name for your GPO (e.g. Centrify Settings).
  4. Right-click the newly-created GPO and select Edit.  (This opens the Group Policy Editor, GPOE.)
  5. Leave the GPO Editor open.
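Sections III and IV together, as an added PowerShell example (not code from the original article or from Centrify): it creates the test OU and the two security groups, creates the GPO, links it to the OU and moves the test workstations into the OU. It uses the ActiveDirectory and GroupPolicy modules (RSAT). The OU name, group names, GPO name and computer names are assumptions; the domain DN is read from the domain.

```powershell
# Added example, not part of the original article. Run on the management
# system with RSAT (ActiveDirectory and GroupPolicy modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN    = (Get-ADDomain).DistinguishedName      # e.g. DC=example,DC=com
$OuName      = 'Deployment'                          # assumed test OU name
$OuDN        = "OU=$OuName,$DomainDN"
$GpoName     = 'Centrify Settings'                   # assumed GPO name
$MfaGroup    = 'Centrify MFA Users'
$RescueGroup = 'Centrify MFA Rescue Users'
$TestClients = @('WIN10-TEST01', 'WIN10-TEST02')     # assumed computer names

# Test OU: keeps the GPO scoped to one place while you test.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# Global security groups. Members of the rescue group log in without MFA when the
# system is offline or in Safe Mode, so keep that group small and reviewed.
foreach ($g in @($MfaGroup, $RescueGroup)) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName ($g -replace ' ', '') `
            -GroupCategory Security -GroupScope Global -Path $OuDN
    }
}

# Create the GPO if it does not exist and link it to the test OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Centrify Agent for Windows: MFA + enrollment (test)'
}
$linked = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# Move only the test workstations into the OU so nothing else receives the policy.
foreach ($c in $TestClients) {
    $computer = Get-ADComputer -Identity $c
    if ($computer.DistinguishedName -notlike "*,$OuDN") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $OuDN
    }
}

# Show what is linked to the OU.
(Get-GPInheritance -Target $OuDN).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```

The Centrify-specific settings (platform URL, MFA users, rescue users) and the software assignment still have to be set in the GPO Editor as described in sections V and VI; the GroupPolicy module has no cmdlets for those ADMX/XML-based policies.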

V. Configure the Windows GPO Settings

Load the Centrify Group Policy Extensions

  1. In the recently-edited GPO, let’s add the Centrify Templates for Windows.
  2. Navigate to Computer Configuration > Policies, right-click Centrify Settings, press “Add/Remove templates” and press the Add button.
  3. Click the centrify_windows_settings XML file and press Open.
    gpoe-win.png
    Note:  Each time you upgrade the Centrify consoles, you need to revisit these steps to expose any newly-released GPOs.
  4. Press OK and leave GPOE open.

Establish PKI Trust

  1. In GPOE, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  2. Double-click the Trusted Root Certification Authorities, and in the right pane, right click and select Import.
  3. Browse to the location of the IWA Root Certificate from section I, and select it.  The certificate in the store should match the tenant that you’ll be using for enrollment.
    pkitrust.png
  4. Leave the GPOE open for the next section.

Assign the software

gpo-assing.png

  1. In the Group Policy Editor, browse to Computer Configuration > Policies > Software Settings > Software Installation, then right-click and select New > Package.
  2. Browse to the software share (from Section II) (e.g. \\servername\software) and click on the Centrify MSI package.  Use the UNC path, not a local drive letter: the clients install from the share as SYSTEM.
  3. Select “Advanced” when prompted for the deployment method.  This will open the properties of the Centrify Agent for Windows™ package.
  4. Click on the Modifications tab, press Add and browse to the newly-created share, then select the MST file.
    gpo-mod.png
  5. Leave the GPOE open for the next section.

At this point, you have taken care of the basic Windows Group Policies, including loading the templates, software assignment and PKI settings.

VI. Configure the Centrify GPO Settings

Based on our planning, we are going to:

  • Associate the Windows systems to a specific Centrify platform instance
    This is a required setting, established via the Specify the Platform instance URL to use group policy.  It has to be populated with the platform URL, e.g. https://example.my.centrify.com
  • Enable MFA at login for all Domain Users
    This is established via 2 GPOs.
    • The first one "turns on" MFA:  Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone, usually set to "enabled."
    • The second one, Specify Active Directory users that require multi-factor authentication on Windows login (when the agent is not joined to a zone), is populated with the users or groups that contain users to be challenged for MFA.
  • Enable a special group "MFA - Rescue Users" to skip MFA in case of offline or Windows Safe Mode
    This is established via the Specify a list of rescue users (when the agent is not joined to a zone) GPO, which is populated with the users or groups that contain users allowed to log in without MFA when the system is offline or in Safe Mode.  Keep this group small and reviewed: its members bypass the control you are deploying.
  • Enable corporate enrollment of Windows 10 systems.
    This is the default behavior; it can be disabled via the Common Settings\Disable automatic enable of MDM enrollment policy GPO.

Implementation

  1. In the recently-edited GPO, let's add the Platform URL.
  2. Navigate to Computer Configuration > Policies > Centrify Settings > Windows Settings and expand MFA Settings.
    Note: If you don't see the Windows Settings section, you did not import the templates (see section V).
  3. Double-click Specify the platform URL to use, enable it, set it to the URL for your tenant and press OK.
    Make sure you use the default URL, not any of the vanity URLs that your tenant may have, e.g. aab234.my.centrify.com.
    gpo-url.png
  4. Double-click Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone, set it to Enabled and press OK.
    gpo-mfa-enable.png
  5. Double-click the Specify the Active Directory users that require multi-factor authentication on Windows login when the agent is not joined to a zone GPO, enable it and add your test users or test AD group(s) (e.g. Centrify MFA Users), then press OK.
    gpo-mfa-users.png
  6. Now go to the Common Settings folder and double-click the Specify a list of rescue users (when the agent is not joined to a zone) GPO, enable it and add your rescue users group (e.g. Centrify MFA Rescue Users).
    gpo-mfa-resc.PNG
    At this point, you should be done with all Group Policy Editor settings.


Testing (verifying) the implementation

Before Testing:

  • Make sure your Windows systems can reach the software distribution file share.
  • Make sure your AD groups are properly populated.
  • Make sure your systems are in the Deployment test OU.
  • Make sure your users can satisfy the MFA challenges that will be deployed.


Test: PKI Trust
  1. Log in to your Windows 10 system.
  2. Run the gpupdate /force command.
  3. Open MMC and add the Certificates snap-in for the Computer account.
  4. In the Certificates console, navigate to Trusted Root Certification Authorities > Certificates.
  5. Look for the Centrify Platform IWA Root Certificate.
  Expected result: The certificate is present.

Test: Software Installation
  1. Log in to your Windows 10 system.
  2. Run the gpupdate /force command.
  3. If running for the first time, you will be prompted to reboot.  Once the system reboots, the Centrify software is installed and configured.
  Expected result: Centrify Agent for Windows installed.

Test: Configuration and Rescue User test
  1. Run the Software Installation test.
  2. Log in with a user from the Centrify MFA Rescue Users group.
  3. Open the Agent Configuration application.
    caw-cip.PNG
  Expected result: The rescue user is not challenged for MFA, and the "Centrify Identity Platform" service is set up and enabled.

Test: MFA Tests (console, remote and screen unlock)
  1. Log off your Windows system.
  2. Attempt login with a user from the "Centrify MFA Users" group.
  3. Attempt login via RDP (if enabled).
  4. Lock your station (Windows + L) and unlock it.
  Expected result: The user is challenged for MFA in all 3 cases.

Test: MFA Test (offline)
  1. As an MFA user, make sure you have set up an offline passcode for the system.
  2. Disable the network (Ethernet or Wi-Fi) for the system.
  3. Attempt login.
  Expected result: You are prompted for the Offline Passcode and, once it is satisfied, log in successfully.

Test: Windows 10 corporate MDM enrollment
  1. Log in to the Centrify Admin Portal > Endpoints.
  2. Find the test system(s).
  Expected result: The systems are corporate-enrolled.

Test: Audit Trail
  1. Log in to your test system.
  2. Open the Event Viewer application.
  3. Navigate to the Application log.
  4. Search for events from the "Centrify Audit Trail V2" source.
  Expected result: All MFA events are being reported.

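The PKI Trust, Software Installation and Audit Trail checks from the table above, collected into one added PowerShell verification script (not code from the original article or from Centrify) that you can run on each test client after the GPO has applied. It reports which GPOs applied, whether the IWA root CA is in the machine's Trusted Root store, whether the agent shows up as installed, and whether "Centrify Audit Trail V2" events are present in the Application log. The certificate subject pattern, the product DisplayName pattern and the GPO name are assumptions; adjust them to your tenant.

```powershell
# Added example, not part of the original article. Run in an elevated
# PowerShell on a test client in the Deployment OU.
$GpoName        = 'Centrify Settings'             # assumed GPO name from section IV
$CertPattern    = '*IWA*'                          # assumed: subject of your tenant's IWA root CA
$ProductPattern = 'Centrify Agent for Windows*'    # assumed: DisplayName in Programs and Features

$results = [ordered]@{}

# 1. Refresh policy and confirm the Centrify GPO is in the computer's applied set.
gpupdate /force | Out-Null
$rsop = gpresult /r /scope:computer 2>$null
$results['GPO applied'] = [bool]($rsop -match [regex]::Escape($GpoName))

# 2. PKI trust: the IWA root CA downloaded in section I must be in LocalMachine\Root.
$iwa = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $CertPattern }
$results['IWA root present'] = [bool]$iwa
if ($iwa) { $iwa | Format-List Subject, Thumbprint, NotAfter }

# 3. Software installation: look the agent up in the uninstall registry (64-bit and WOW6432 views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like $ProductPattern }
$results['Agent installed'] = [bool]$agent
if ($agent) { $agent | Format-List DisplayName, DisplayVersion }

# 4. Audit trail: MFA events are written to the Application log by source "Centrify Audit Trail V2".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Centrify Audit Trail V2' } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
$results['Audit events seen'] = [bool]$events
if ($events) {
    $events | Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}

# Summary: every value should be True before moving on to the MFA login tests.
[pscustomobject]$results
```

Run the MFA login tests from the table interactively after this script reports True for all four checks; if "GPO applied" is False, check the OU membership and the link before debugging the agent.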

Verification Video Playlist

3 videos, ~24 minutes.


Suggested Adjustments

  • Disable Self-Service Password Reset:  perhaps your organization will enable it as part of a next phase.
  • Specify a screen lockout grace period:  so users are not re-challenged for MFA within a short period after unlocking.
  • Specify a web proxy:  if required in your environment.
  • Centrify connector override:  if required for a specific network configuration (e.g. DMZ).

These and additional topics are covered in the Windows GPO Guide.