
KB-6724: MFA failed when creating DZ desktop/Running with Privilege on win2K8R2/Win7

Centrify DirectControl

19 April,16 at 03:05 AM

Applies to: Centrify Server Suite 2016 (Version 5.3.0)

Question:

Why might MFA fail when creating a DZ desktop or running with privilege on win2K8R2/Win7?

Answer: 

Normally, Microsoft automatically distributes and installs root certificates from trusted Certificate Authorities (CAs) to the Windows system. Users can then seamlessly use secured connections, because the certificate chain issued from the trusted CA is trusted. However, this might not be the case if the system is in a disconnected environment where access to Windows Update is blocked or the "Automatic Root Certificate Installation" feature is disabled. Without updates to the certificate trust list (CTL), the default CTLs on the system may not be sufficient for the secured connections that Centrify multi-factor authentication requires, especially on older versions of Windows such as Windows 7 and Windows Server 2008 R2.

To ensure that Centrify multi-factor authentication succeeds, the user needs to take action to distribute the latest CTLs, or use a similar approach to distribute and install the required root certificate on systems in a disconnected environment.

The end goal is to distribute the root certificate and have the local machine install it for the secure connections. There are several ways to achieve this goal, but they differ in scope and implications. Each approach has pros and cons, and one should choose a suitable one based on one's needs and situation.

Configure systems in the disconnected environment to retrieve CTLs from an internal location. This is a complete solution that obtains the full and updated lists of trusted and untrusted CTLs from Microsoft, just as a connected system would through Windows Update. It is comprehensive but requires more initial setup. Administrators do not have to keep track of the certificate lists, since they are maintained by Microsoft.

Configure systems in the disconnected environment by deploying specific certificates through Group Policy. This gives more control over which certificates are distributed, but also increases the responsibility to maintain and update the lists.
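As an added example (not part of this Centrify article), the following PowerShell script checks, on a Windows 7 / Server 2008 R2 host, the conditions described above: whether automatic root certificate update is disabled by policy, where the host sources its CTLs from, whether a given root CA is already in the machine Root store, and whether the certificate chain to the MFA endpoint builds locally. The thumbprint and host name are placeholders, and the registry locations are Microsoft's documented AuthRoot settings rather than values from the article.

```powershell
# Added example, not Centrify's code. Placeholders below are assumptions:
# replace $RequiredRootThumbprint and $MfaHost with values for your environment.
param(
    [string]$RequiredRootThumbprint = 'REPLACE-WITH-ROOT-CA-THUMBPRINT',  # placeholder
    [string]$MfaHost = 'mfa.example.invalid'                               # placeholder
)

# 1. Is "Automatic Root Certificate Update" turned off by Group Policy?
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate `
             -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disabled -eq 1) { Write-Warning 'Automatic root certificate update is disabled by policy.' }

# 2. Where are CTLs fetched from? Empty means Windows Update (unreachable when disconnected);
#    an internal URL/share appears here when the "internal location" approach is configured.
$autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$rootDirUrl = (Get-ItemProperty -Path $autoUpdateKey -Name RootDirUrl `
               -ErrorAction SilentlyContinue).RootDirUrl
if ($rootDirUrl) { "CTL source: $rootDirUrl" } else { 'CTL source: Windows Update (default)' }

# 3. Is the required root CA present in the machine Root store (e.g. pushed via Group Policy)?
$thumb = ($RequiredRootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
if ($root) { "Root present: $($root.Subject)" } else { Write-Warning "Root $thumb not in LocalMachine\Root" }

# 4. Does the chain for the MFA endpoint actually build with the roots this host has?
#    The callback accepts any certificate so we can inspect the chain ourselves afterwards.
$accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$client = New-Object System.Net.Sockets.TcpClient($MfaHost, 443)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($MfaHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # disconnected host: skip CRL download
    if ($chain.Build($leaf)) {
        "Chain OK, root: $($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject)"
    } else {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain error: $($_.Status) $($_.StatusInformation)" }
    }
} finally {
    $ssl.Dispose(); $client.Close()
}
```

A warning from step 4 such as UntrustedRoot or PartialChain on the MFA endpoint is the symptom this article describes; steps 1 to 3 show which of the two remediation approaches is (or is not) in effect on the host.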
