The Centrify Agent for Windows™ provides organizations with the ability to secure Windows systems. This article's goal is to provide a simple set of instructions of how to deploy the software using Group Policy for the purposes of MFA and corporate enrollment. Other articles in this series cover different deployment scenarios.
- Centrify Agent for Windows™ Deployment Options - Introduction
Provides an overview of the Windows agent pre-requisites, components and functionality, process, options, communication requirements, tools and where to obtain them as well as some planning topics. If you want to use this article with the right context, please stop and read this "level-setting" article.
- Centrify Agent for Windows™ Group Policies
In this article we'll make heavy reference to the group policy objects that are used to configure and customize the software. The linked documentation provides in-depth information on each GPO.
- MFA - Troubleshooting (UNIX, Linux and Windows)
This article explains how MFA relies on PKI, authorization and authentication profiles, plus offers tips to troubleshoot and fix MFA scenarios.
What you'll need (tools)
- A Centrify Identity Services (or Privilege Service) instance configured for MFA
- You should be able to retrieve the IWA root certificate.
- The instance should be configured for MFA for Windows systems (Policy, Authentication Profile).
- A Centrify connector running in the target network and reachable by clients (IWA over HTTPS).
- Centrify Agent for Windows™ installation (MSI package) and transform file (MST) version 2017.3 (build 3.4.3-872 or later).
- A non-dedicated domain-joined Windows system with:
- Group Policy Management
- Centrify Group Policy Management Extensions installed
- A dedicated domain-joined Windows system running:
- Centrify Licensing Service
This service can be shared with other services/utilities.
- A network installation share to host the MSI and MST files (this can be a different server)
- A Centrify Privilege Elevation service license installed.
This is needed to be able to use the Group Policy Extensions.
- An Active Directory OU
This is to keep the scope of the GPO being tested to a single place.
- You must be able to create, edit and scope GPOs in the target OU.
- You must be able to install software in your test system.
- One (or a handful) of current Windows 64-bit clients (e.g. Windows 10).
- For successful testing, you need to make sure your test users have a way to satisfy the MFA methods configured in the Authentication Profiles. E.g. if step-up via email/SMS is set, the user must have an email address/mobile phone in the directory respectively. If MFA via OATH OTP is set, the user must have onboarded her individual Authenticator app.
Note: The introductory post (link) has information on how to obtain these tools or how to set up pre-requisites.
Objectives and Assumptions
This technical post will cover one deployment scenario:
- Leverages Centrify Identity Platform (App Services/Endpoint Services)
- Multi-factor Authentication for Login (console/remote), screen unlock and offline mode.
- Enrolls a Windows 10 system to the Centrify Identity Platform as a corporate-owned device.
- Assumptions: You understand the client's pre-requisites and communication requirements
The introductory post (link) has all this information; this is to keep the use-case scenario posts easier to read.
Methodology: We will use the Plan-Do-Check-Adjust methodology.
- How will the PKI certificate be distributed?
- What functionality is required? (MFA, Windows 10 MDM enrollment, ZSO, Vaulting of Admin Accounts).
- Interoperability: Should Windows Credential providers be excluded from the chain?
- Usability: What will be the grace period for MFA on screen saver unlock?
- Offline/Safe Mode MFA: Will this be enabled? What rescue users will be designated?
- Communications: Depends on functionality or usage in your environment. See network reference here (link).
- Audit Trail: Should the Centrify events be sent to the SIEM tool?
- Retrieve the IWA Trust certificate from your Centrify Platform Instance.
- Set-up a shared folder and copy the Centrify software.
- Create a test organizational unit (OU) and AD Groups.
- Create a GPO and tie it to your test OU.
- Configure the Windows GPO Settings.
- Add the Centrify GPO extensions.
- Configure PKI trust settings.
- Assign the Software for GPO deployment.
- Configure the Centrify GPO Settings
- Platform Instance URL.
- Enable MFA.
- Specifying which users are required to sign-in with MFA.
- Specifying which users will be designated for rescue rights.
- Enabling Automatic MDM Enrollment.
I. Retrieve the IWA Trust certificate from your Centrify Platform Instance
- Sign in to your instance, navigate to Admin Portal > Settings > Network > Centrify Connectors, and double-click an active connector for your environment.
- Go to the IWA Service tab, and click “Download your IWA root CA certificate.”
- Note the location of this file (e.g. downloads).
II. Set-up a shared folder and copy the Centrify software
You will be performing these steps from the domain-joined Windows system hosting the file share.
- Using Windows Explorer, create a new folder (e.g. software).
- Copy the MSI (Microsoft Installer File) and Transform (MST) files obtained from Centrify to this folder.
- Share the folder (using advanced sharing) and make sure Authenticated Users has the read-only permission.
This allows any domain user (including workstations) to read from this share if they are authenticated in the domain. Feel free to use a more restrictive permissions scheme if needed. Make sure you know the UNC Path of this share (e.g. \\servername\software).
- Make sure the file share is accessible from all your Windows test systems.
Failure to verify this test will cause everything else to fail.
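The share setup from this section, scripted as an added example (not code from the original article or from Centrify): it creates the folder, shares it read-only to Authenticated Users at both the SMB and NTFS layers, and reports the UNC path and package files. The local path `C:\CentrifySoftware` and the share name `software` are placeholders; run it as a local administrator on the file server after copying the MSI and MST into the folder.

```powershell
# Added example (not from the original article): creates the software share
# described in Section II and verifies the MSI/MST are readable through it.
# Assumptions: run elevated on the file server; the MSI/MST files are already
# in $FolderPath; folder path and share name below are placeholders.

$FolderPath = 'C:\CentrifySoftware'   # constructed local path
$ShareName  = 'software'              # placeholder share name from the article

# 1. Create the folder if it does not exist yet
if (-not (Test-Path $FolderPath)) {
    New-Item -Path $FolderPath -ItemType Directory | Out-Null
}

# 2. Share it with read-only SMB permission for Authenticated Users
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath `
        -ReadAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

# 3. NTFS permission: Read & Execute for Authenticated Users.
#    Both the share ACL and the NTFS ACL must allow read, or clients get access denied.
$acl  = Get-Acl -Path $FolderPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'NT AUTHORITY\Authenticated Users',
    'ReadAndExecute',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 4. Confirm the package files are present through the UNC path the GPO will use
$Unc = "\\$env:COMPUTERNAME\$ShareName"
Get-ChildItem -Path "$Unc\*" -Include *.msi, *.mst | Select-Object Name, Length
Write-Host "Use this UNC path in Software Installation: $Unc"
```

Software Installation reads the package as the client's computer account at boot, so a share that only grants a named admin group will silently fail; Authenticated Users covers computer accounts as well, which is why the article asks for it.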
III. Create a test organizational unit (OU) and AD Groups.
You will be performing these steps from a secure domain-joined Windows system with Active Directory management tools (e.g. ADUC or PowerShell).
- Open Active Directory Users and Computers.
- In the proper location in your domain tree, create a new OU, and give it a name (e.g. “Deployment”)
- Now let's create two Security Groups. In a designated OU, select New > Group. Make sure this is a security group with the proper scope. The names can be something descriptive like "Centrify MFA Users" and "Centrify MFA Rescue Users".
- Leave ADUC open for any other future tasks.
IV. Create a GPO and tie it to your test OU
You will be performing these steps from a secure domain-joined Windows system with the Group Policy Management console.
- Open GPMC, expand your forest and domain, and browse to the newly-created OU.
- Right click the Deployment OU and select “Create a GPO in this domain, and Link it here…”
- Set a name for your GPO (e.g. Centrify Settings).
- Right-click the newly-created GPO and select Edit. (Opens the GPO Editor).
- Leave the GPO Editor open.
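Sections III and IV scripted together, as an added example (not code from the original article or from Centrify): it creates the test OU and the two security groups, then creates the GPO and links it to the OU. It assumes an admin workstation with the RSAT ActiveDirectory and GroupPolicy modules, and it uses Global scope for the groups because the article leaves the scope to you; adjust if your forest design needs Universal or Domain Local groups.

```powershell
# Added example (not from the original article): scripts Sections III and IV.
# Assumptions: run as a user allowed to create OUs, groups and GPOs; RSAT
# ActiveDirectory and GroupPolicy modules installed; names are the article's
# examples and can be changed. Group scope Global is an assumption.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$OuName   = 'Deployment'                                   # test OU (Section III)
$OuDN     = "OU=$OuName,$DomainDN"
$GpoName  = 'Centrify Settings'                            # GPO name (Section IV)
$Groups   = @('Centrify MFA Users', 'Centrify MFA Rescue Users')

# III. Create the test OU directly under the domain root if it is missing
$existingOu = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" `
    -SearchBase $DomainDN -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# III. Create the two security groups inside the test OU
foreach ($g in $Groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $OuDN
    }
}

# IV. Create the GPO (idempotent) and link it to the OU, enabled
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

$linked = (Get-GPInheritance -Target $OuDN).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# Report what was created so it can be checked against the plan
Get-ADGroup -Filter "Name -like 'Centrify MFA*'" |
    Select-Object Name, GroupScope, GroupCategory
(Get-GPInheritance -Target $OuDN).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

The template import, certificate import and software assignment in Section V are still done in the GPO Editor as the article describes; this block only gets you to the point where that GPO exists and is linked to the right OU.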
V. Configure the Windows GPO Settings
Load the Centrify Group Policy Extensions
- In the recently-edited GPO, let’s add the Centrify Templates for Windows.
- Navigate to Computer Configuration > Policies, right-click Centrify Settings, press “Add/Remove templates” and press the Add button.
- Click the centrify_windows_settings XML file and press Open.
Note: Each time you upgrade the Centrify consoles, you need to revisit these steps to expose any newly-released GPOs.
- Press OK and leave GPOE open.
Establish PKI Trust
- In GPOE, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
- Double-click the Trusted Root Certification Authorities, and in the right pane, right click and select Import.
- Browse to the location of the IWA Root Certificate from section I, and select it. The certificate in the store should match the tenant that you’ll be using for enrollment.
- Leave the GPOE open for the next section.
Assign the software
- In Group Policy Editor, browse to Computer Configuration > Policies > Software Settings > Software Installation, then right-click and select New > Deployment Package.
- Browse to the software share (from Section II) (e.g. \\servername\software) and click on the Centrify MSI package.
- Select “Advanced” when prompted for the deployment method. This will open the properties of the Centrify Agent for Windows™ package.
- Click on the modifications tab, and press Add and browse to the newly-created share, then select the MST file.
- Leave the GPOE open for the section.
At this point, you have taken care of the basic Windows Group Policies, including loading the templates, software assignment and PKI settings.
VI. Configure the Centrify GPO Settings
Based on our planning, we are going to:
- Associate the Windows systems to a specific Centrify platform instance
This is a required setting, established via the Specify the Platform instance URL to use group policy. It has to be populated with the platform URL, e.g. https://example.my.centrify.com
- Enable MFA at login for all Domain Users
This is established via 2 GPOs.
- The first one "turns on" MFA: Specify whether to enable multi-factor authentication for Windows login (when the agent is not joined to a zone), usually set to "enabled."
- The second one, Specify Active Directory users that require multi-factor authentication on Windows login (when the agent is not joined to a zone), is populated with the users or groups that contain users to be challenged for MFA.
- Enable a special group "MFA - Rescue Users" to skip MFA in case of offline or Windows Safe Mode
This is established via the Specify a list of rescue users (when the agent is not joined to a zone) GPO, and it is populated with the users or groups that contain the users designated as rescue users.
- Enable corporate enrollment of Windows 10 systems.
This is the default behavior, however it can be disabled via the Common Settings\Disable automatic enable of MDM enrollment policy GPO.
- In the recently-edited GPO, let's add the Platform URL.
- Navigate to Computer Configuration > Policies > Centrify Settings > Windows Settings and expand MFA Settings.
Note: If you don't see the Windows Settings section, you did not import the templates.
- Double-click Specify the platform URL to use, enable it and set it to the URL for your tenant and press OK.
Make sure you use the default URL, not any of the vanity URLs that your tenant may have. E.g. aab234.my.centrify.com.
- Double click the: Specify whether to enable multi-factor authentication for Windows login when the agent is not joined to a zone, set it to enabled and press OK.
- Double click the: Specify the Active Directory users that require multi-factor authentication on Windows login when the agent is not joined to a zone GPO, enable it and add your test users or test AD group(s), then press OK.
- Now go to the Common Settings folder and Double click the: Specify a list of rescue users (when the agent is not joined to a zone) GPO, enable it and add your rescue users group (e.g. Centrify MFA Rescue Users).
At this point, you should be done with all Group Policy Editor Settings.
Testing (verifying) the implementation
- Make sure your Windows systems can reach the software distribution file share.
- Make sure your AD groups are properly populated.
- Make sure your systems are in the Deployment test OU.
- Make sure your users can satisfy the MFA challenges that will be deployed.
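The four pre-flight checks above, plus the post-deployment checks that follow from Sections V and VI (PKI trust applied, agent installed, GPO in the computer's RSoP), as an added example to run on a Windows 10 test client (not code from the original article or from Centrify). The share path, OU name, group names, the `*IWA*` subject filter and the `Centrify Agent for Windows*` DisplayName match are placeholders or assumptions; run it in an elevated PowerShell, since `gpresult /scope:computer` needs it. It uses ADSI so the client does not need RSAT.

```powershell
# Added example (not from the original article): pre- and post-deployment checks
# for the "Testing" section, run on the Windows test client.
# Assumptions: elevated PowerShell on a domain-joined client; values below are
# placeholders (share UNC, OU name, group names) or assumed matches (CA subject
# filter, agent DisplayName) to be adjusted for your environment.
$SharePath     = '\\servername\software'   # UNC from Section II (placeholder)
$TestOuName    = 'Deployment'              # test OU from Section III
$MfaGroups     = @('Centrify MFA Users', 'Centrify MFA Rescue Users')
$CaSubjectLike = '*IWA*'                   # assumption: IWA root CA subject contains "IWA"
$AgentNameLike = 'Centrify Agent for Windows*'   # assumption: uninstall DisplayName pattern

$results = [ordered]@{}

# 1. Software share reachable from this client and holds both package files
$results['Share has MSI and MST'] =
    (Test-Path "$SharePath\*.msi") -and (Test-Path "$SharePath\*.mst")

# 2. This computer's AD object sits in the test OU (lookup via ADSI, no RSAT needed)
$compFilter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$compObj    = ([adsisearcher]$compFilter).FindOne()
$compDN     = if ($compObj) { $compObj.Properties['distinguishedname'][0] } else { '' }
$results['Computer in test OU'] = $compDN -like "*OU=$TestOuName,*"

# 3. Each MFA group exists and has at least one member
foreach ($g in $MfaGroups) {
    $grpObj  = ([adsisearcher]"(&(objectCategory=group)(cn=$g))").FindOne()
    $members = if ($grpObj) { $grpObj.Properties['member'] } else { $null }
    $results["Group '$g' populated"] = ($null -ne $members) -and ($members.Count -gt 0)
}

# 4. IWA root CA present in the machine Trusted Root store (PKI trust GPO applied)
$results['IWA root CA trusted'] = [bool](
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like $CaSubjectLike)

# 5. Agent installed (Software Installation GPO applied at boot)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
$results['Centrify Agent installed'] = [bool](
    Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName -like $AgentNameLike)

# 6. The GPO shows up in the computer's applied policy list
$results['GPO applied'] = [bool]((gpresult /r /scope:computer) -match 'Centrify Settings')

# Print a one-line verdict per check
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Checks 1 to 3 should pass before the first reboot; checks 4 to 6 pass only after the client has rebooted at least once with the GPO in scope, because software assignment and the PKI import are computer-side settings applied at startup. A FAIL on check 1 is the case the article warns about in Section II: nothing else will work until the share is readable.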
Verification Video Playlist
3 videos. ~24 minutes.
- Disable Self-Service Password Reset: perhaps your organization will be ready as part of a next phase.
- Specify a screen lockout grace period: to delight users that don't want to be challenged within a specific period.
- Specify a web proxy: if required in your environment.
- Centrify connector override: if required for a specific network configuration (e.g. DMZ).
These and additional topics are covered in the Windows GPO Guide.
Articles in this series