Centrify Server Suite customers who use multi-factor authentication (MFA) on their Linux / Unix machines

Question:

What is the impact of the upcoming Integrated Windows Authentication (IWA) changes in Centrify Cloud on MFA for Linux / Unix machines?

Answer:
Centrify has identified a theoretical means by which the IWA feature could be susceptible to a Man-in-the-Middle attack when IWA is attempted from off the corporate network and the connector is not configured to also use HTTPS. In order to ensure security standards are maintained, the use of IWA over HTTP will be deprecated in Centrify Identity Service version 16.9. Starting with the cloud release of 16.7, HTTPS will be the default setting for IWA for any new cloud connector installation.
Because of this change, for MFA to work on Linux / Unix machines, the cloud connector's root CA certificate needs to be trusted by the Linux / Unix / Windows machines. Please refer to KB-7074 for further details regarding the scheduled IWA changes.

Actions required to ensure MFA functionality after IWA over HTTP is deprecated:

1. Install the updated version of Centrify DirectControl 2016.1.

In order for MFA on Linux / Unix / Windows machines to work with HTTPS, the updated version of the 2016.1 Centrify DirectControl agent must be installed on those machines.
Agents can be obtained from the following sources:
Please note that only the DirectControl / DirectAuthorize agents need to be updated. Other components (e.g., the DirectAudit agent) do not need to be updated.

As of the writing of this article, Deployment Manager does not support installation of the updated DirectControl agent. Support for this will be added in Suite 2017.

2. Configure IWA for HTTPS.
The Centrify Tenant CA needs to be trusted by the Linux / Unix machines, or a custom CA (AD CS, for example) needs to be configured. Please refer to KB-7393 for detailed steps on how to configure DirectControl agents and Cloud Connectors to support MFA over HTTPS.
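The trust requirement above can be checked on the Linux host before cutting over to HTTPS. The script below is an added example, not part of this article or of Centrify's tooling: `check_connector_chain` validates a PEM certificate (for example one saved from the connector with `openssl s_client -showcerts`) against a CA file using only that file, and `make_demo_certs` builds constructed throwaway certificates (a demo tenant CA, a connector certificate it issued, and an unrelated CA) so the pass and fail cases can be seen offline; the hostname `connector.example.invalid` is a placeholder.

```shell
# Validate a connector certificate against a CA bundle, excluding the system
# trust stores so the result reflects only the CA file being tested.
# Returns 0 when the chain validates, non-zero otherwise.
check_connector_chain() {
  ca_bundle="$1"
  cert="$2"
  openssl verify -no-CAfile -no-CApath -CAfile "$ca_bundle" "$cert" >/dev/null 2>&1
}

# Constructed test material only (not real Centrify certificates): two
# self-signed CAs and a connector leaf certificate issued by the first one.
make_demo_certs() {
  dir="$1"
  # Extension file marking the self-signed certificates as CAs.
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  for ca in tenant-ca other-ca; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$dir/$ca.key" -out "$dir/$ca.csr" -subj "/CN=Demo $ca" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$ca.csr" -signkey "$dir/$ca.key" \
      -extfile "$dir/ca.ext" -days 2 -out "$dir/$ca.pem" >/dev/null 2>&1
  done
  # Connector leaf certificate, issued by the demo tenant CA only.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/connector.key" -out "$dir/connector.csr" \
    -subj "/CN=connector.example.invalid" >/dev/null 2>&1
  openssl x509 -req -in "$dir/connector.csr" -CA "$dir/tenant-ca.pem" \
    -CAkey "$dir/tenant-ca.key" -CAcreateserial -days 1 \
    -out "$dir/connector.pem" >/dev/null 2>&1
}

# Walk through both outcomes: the issuing CA validates the connector
# certificate, an unrelated CA does not (the MFA-over-HTTPS failure mode).
demo() {
  dir=$(mktemp -d)
  make_demo_certs "$dir"
  if check_connector_chain "$dir/tenant-ca.pem" "$dir/connector.pem"; then
    echo "tenant CA trusted: connector chain OK"
  else
    echo "tenant CA trusted: connector chain FAILED"
  fi
  if check_connector_chain "$dir/other-ca.pem" "$dir/connector.pem"; then
    echo "unrelated CA: connector chain unexpectedly validated"
  else
    echo "unrelated CA: connector chain rejected (expected)"
  fi
  rm -rf "$dir"
}
```

Running `demo` prints the two outcomes; for a real host, point `check_connector_chain` at the CA file that was distributed to the agent and at the certificate the connector actually serves.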
For additional information regarding this change, please refer to the following links: