
KB-7392: Impact of Centrify Cloud IWA changes on Server Suite MFA

26 August,16 at 09:44 PM

Applies to: Centrify Server Suite customers who use multi-factor authentication (MFA) on their Linux / Unix machines

Question: 
What is the impact of the upcoming Integrated Windows Authentication (IWA) changes in Centrify Cloud on MFA on Linux / Unix machines?

Answer: 
Centrify has identified a theoretical means by which the IWA feature could be susceptible to a man-in-the-middle attack when IWA is attempted off the corporate network and is not configured to also use HTTPS. To ensure security standards are maintained, the use of IWA over HTTP will be deprecated in Centrify Identity Service version 16.9. Starting with the cloud release of 16.7, HTTPS will be the default setting for IWA for any new cloud connector installation.
Because of this change, for MFA to work on Linux / Unix machines, the cloud connector's root CA certificate needs to be trusted by the Linux / Unix / Windows machines.

Please refer to KB-7074 for further details regarding scheduled IWA changes. 



Actions required to ensure MFA functionality after IWA HTTP is deprecated:

1. Install the updated version of Centrify DirectControl 2016.1.

   For MFA on Linux / Unix / Windows machines to work with HTTPS, the updated version of the 2016.1 Centrify DirectControl agent must be installed on those machines.
   Agents can be obtained from the following sources:
   Please note that only the DirectControl / DirectAuthorize agents need to be updated. Other components (e.g. the DirectAudit agent) do not need to be updated.
   As of the writing of this article, Deployment Manager does not support installation of the updated DirectControl agent. Support for this will be added in Suite 2017.

2. Configure IWA for HTTPS. 

   The Centrify Tenant CA needs to be trusted by the Linux / Unix machines, or a custom CA (AD CS, for example) needs to be configured.


Please refer to KB-7393 for detailed steps on how to configure DirectControl agents and Cloud Connectors to support MFA over HTTPS. 


For additional information regarding this change, please refer to the following links: 
