Centrify Identity Service, Centrify Privilege Service, Centrify Server Suite - MFA
Question:
Why is Centrify changing support for Integrated Windows Authentication (IWA)? What changes are being made, and how can I ensure IWA continues to work as expected after 16.10?
Answer:
Centrify has identified a theoretical means by which the IWA feature could be susceptible to a man-in-the-middle attack when IWA is attempted while off the corporate network and the connector is not configured to also use HTTPS. To ensure security standards are maintained, the use of IWA over HTTP will be deprecated in Centrify cloud version 16.10. Starting with the cloud release of 16.7, HTTPS will be the default setting for IWA for any new cloud connector installation.
What is being deprecated?
Starting with Identity Service version 16.10, Centrify will remove the ability to use HTTP for IWA; all IWA will be performed using HTTPS. To ensure continued functionality of the IWA feature, confirm within the Cloud Manager that IWA is configured to use HTTPS. When the deprecation period ends, any connector using HTTP only for IWA will automatically begin using HTTPS for IWA. When IWA is unavailable, users will be directed to the Centrify User portal login page to allow for manual login. Similarly, the ability to disable HTTPS will be removed from the administrative UI.
Note:
Use of HTTPS requires the issuer of the IWA host certificate to be trusted on every machine where IWA is attempted.
Actions Required to Configure IWA with HTTPS:
In order to deploy HTTPS for IWA, each connector which is used in the IWA communication process must be issued a host certificate. This certificate must be issued by a Certificate Authority (CA) which the IWA endpoint (e.g. the user’s browser) trusts. The management portal’s interface for configuring IWA allows for two distinct options, which are explored further below.
Option 1: Trust Centrify Tenant CA (Recommended):
All installed connectors are automatically issued a host certificate sufficient for IWA purposes by a CA created specifically for your tenant by the cloud service. The public root certificate for this CA is available for download using the “Download your IWA root CA certificate” link when viewing cloud connector properties within the cloud manager settings interface. Once downloaded, endpoints must be configured to trust this CA. The CA can be trusted either by manually importing the downloaded certificate into the “Trusted Root Certification Authorities” store (or the equivalent keychain location on other platforms) on any endpoint which uses IWA, or automatically through Group Policy using the “Trusted Root Certification Authorities” GPO setting (see the Centrify online help section Trusting the root IWA certificate or the following Microsoft article).
A video walkthrough of how to download and distribute the IWA root certificate using group policy can be viewed HERE and is attached at the bottom of this article for reference.
Option 2: Bring Your Own CA (Advanced Users):
If an Enterprise CA is already available and trusted by your endpoints, a certificate issued by this CA may be uploaded using the management portal, which the cloud will then disseminate to the Cloud Connector automatically. The issued certificate must satisfy the following requirements:
- Certificate is issued by a trusted CA
- SAN or Subject matching the machine’s short name
- SAN or Subject matching the machine’s hostname as configured in the management portal
- “Key Usage” must enable “Digital Signature” and “Key Encipherment”
- “Enhanced Key Usage” must enable “Server Authentication”
- The certificate must be available as a PKCS#12 file (.pfx or .p12) which includes the private key, in order to upload it to the cloud service.
For additional information, please refer to the following Microsoft article: How to Export a Certificate with the Private Key.
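As an added example (not Centrify's code), the following PowerShell script checks a candidate PKCS#12 file against the requirements above before it is uploaded. The parameter names are assumptions, and the "trusted CA" result reflects the certificate stores of the machine the script runs on.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not Centrify's code: validate a candidate connector certificate (PKCS#12)
# against the Option 2 requirements before uploading it. Parameter names are assumptions.
param(
    [Parameter(Mandatory)][string]$PfxPath,         # .pfx/.p12 exported with its private key
    [Parameter(Mandatory)][string]$ShortName,       # the connector machine's short name
    [Parameter(Mandatory)][string]$PortalHostname   # hostname as configured in the management portal
)
$password = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = [X509Certificate2]::new((Resolve-Path $PfxPath).ProviderPath, $password)

# Names the certificate is valid for: the Subject CN plus every DNS entry in the SAN.
$names  = @($cert.GetNameInfo([X509NameType]::SimpleName, $false))
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    # Format() wording differs by platform ("DNS Name=host" on Windows, "DNS:host" elsewhere)
    $names += [regex]::Matches($sanExt.Format($false), 'DNS(?: Name=|:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}
$ku  = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
$eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }

# Trust is evaluated against THIS machine's stores; every IWA endpoint must trust the issuer too.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # issuer trust, not revocation, is the question here
$trusted = $chain.Build($cert)

$checks = [ordered]@{
    'Issued by a CA trusted on this machine'                   = $trusted
    "Subject or SAN matches short name '$ShortName'"           = ($names -contains $ShortName)
    "Subject or SAN matches portal hostname '$PortalHostname'" = ($names -contains $PortalHostname)
    'Key Usage includes Digital Signature'                     = [bool]($ku -and $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature))
    'Key Usage includes Key Encipherment'                      = [bool]($ku -and $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment))
    'Enhanced Key Usage includes Server Authentication'        = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))
    'PKCS#12 file includes the private key'                    = $cert.HasPrivateKey
}
$checks.GetEnumerator() | ForEach-Object { '{0} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }
if (-not $trusted) { $chain.ChainStatus | ForEach-Object { "  chain: $($_.StatusInformation.Trim())" } }
```

A FAIL on the trust line from the machine that will upload the certificate does not by itself block the upload, but it is a warning that endpoints may not trust the issuer either.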
Verify IWA over HTTPS:
During or after configuration according to one of the options above, the validity of the Cloud Connector host certificate can be tested with the following steps:
- Open a web browser from an endpoint machine
- Navigate to the following address: https://<yourconnectorhostname>:<httpsport>/iwa/ping
- Look at the browser's certificate indicator: a valid (green) certificate means the connector certificate is trusted and matches the hostname; a red certificate error means it is not.
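The same check can be scripted from an endpoint. This added PowerShell example (not from the original article) performs the TLS part of the /iwa/ping test and reports why a client would reject the connector certificate (untrusted issuer versus hostname mismatch); the parameter names are assumptions.

```powershell
using namespace System.Net.Security
using namespace System.Security.Cryptography.X509Certificates
# Added example, not Centrify's code: run from an endpoint to perform the TLS part of the
# /iwa/ping test and report why a client would reject the connector certificate.
param(
    [Parameter(Mandatory)][string]$ConnectorHost,   # <yourconnectorhostname> in the /iwa/ping URL
    [Parameter(Mandatory)][int]$HttpsPort           # <httpsport> in the /iwa/ping URL
)
$script:policyErrors = $null
$script:chainStatus  = @()
$script:peer         = $null

# Record what the TLS client objects to, then let the handshake finish so it can be reported.
$validate = [RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslErrors)
    $script:policyErrors = $sslErrors
    $script:chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    $script:peer         = [X509Certificate2]::new($certificate)
    return $true
}

$tcp = [System.Net.Sockets.TcpClient]::new($ConnectorHost, $HttpsPort)
$ssl = [SslStream]::new($tcp.GetStream(), $false, $validate)
try     { $ssl.AuthenticateAsClient($ConnectorHost) }   # SNI and the name check use the hostname you typed
finally { $ssl.Dispose(); $tcp.Dispose() }

# SslPolicyErrors.None is the scripted equivalent of the browser's valid-certificate indicator.
# RemoteCertificateChainErrors: the issuer is not trusted on this endpoint.
# RemoteCertificateNameMismatch: neither Subject nor SAN covers $ConnectorHost.
$verdict = if ($script:policyErrors -eq [SslPolicyErrors]::None) { 'PASS' } else { "FAIL ($($script:policyErrors))" }
"Connector: ${ConnectorHost}:$HttpsPort"
"Subject:   $($script:peer.Subject)"
"Issuer:    $($script:peer.Issuer)"
"Expires:   $($script:peer.NotAfter)"
"Result:    $verdict"
$script:chainStatus | ForEach-Object { "  chain: $_" }
```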
How to disable IWA:
IWA is not required for manual authentication using Centrify and can be disabled. If you cannot use IWA on the corporate network, administrators may choose to disable IWA by de-selecting “Enable Web Server” in the Cloud Connector Configuration window:
- Open Cloud Manager, click Settings, Network, Cloud Connectors.
- Select the relevant cloud connector.
- Unselect the Enable Web Server option.
- Click OK.
Note that Centrify Server Suite requires IWA for MFA purposes.
Additional Considerations:
Firefox uses its own built-in CA store and does not respect machine-configured trust settings. To enable Firefox to work with IWA over HTTPS, the certificate used above must be imported into Firefox via its settings UI.
- This can be accessed within Firefox via Preferences/Options > Advanced > View Certificates > Import
After selecting the IWA certificate for import, be sure to select “Trust this CA to identify websites” and click OK.
After successfully importing the certificate, it should be listed under Authorities in the Firefox certificate manager.
For additional information not covered in this guide, or for troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal.