Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-7393: How to configure the updated 2016.1 DirectControl agent to support MFA over HTTPS to the Cloud Connector

26 August,16 at 09:49 PM

Applies to: 

Centrify Server Suite customers who use multi-factor authentication (MFA) on their Linux / Unix machines


What configuration changes are needed for MFA to work after HTTP is deprecated in Centrify Identity Service 16.9?


There are two components that need to be updated and configured in order for MFA to function after Centrify Identity Service 16.9 is released. 

1. Configure IWA for HTTPS: 

There are two options to configure IWA for HTTPS: 

Option 1: Trust Centrify Tenant CA (Recommended):

All installed connectors are automatically issued a host certificate sufficient for IWA purposes by a CA created specifically for your tenant by the cloud service. The public root certificate for this CA is available for download using the “Download your IWA root CA certificate” link when viewing cloud connector properties within the cloud manager settings interface. 
  1. In Cloud Manager, click Settings and choose Network from the menu on the left. 
  2. Select the cloud connector you would like to configure. 
  3. Ensure "Use HTTPS for IWA Negotiations" checkbox is checked. 
  4. Click the "Download your IWA root CA Certificate" link to retrieve the public certificate for the tenant CA. 
Once the tenant CA certificate is downloaded, the certificate needs to be trusted by Linux / Unix machines. Please follow the steps below to distribute it via Group Policy. 
  1. Open the downloaded root certificate and go to the Details tab. 
  2. Click "Copy to file" to start the Certificate Export Wizard.
  3. In the wizard, set the file format to DER encoded binary X.509 (.CER), then click finish. 
  4. Open Group Policy Management Console.
  5. Find an existing or create a new GPO to contain the certificate settings.
  6. In the navigation pane, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities
  7. Click the Action menu, and then click Import.
  8. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

Option 2: Bring Your Own CA (Advanced Users):

If an Enterprise CA is already available and trusted by your endpoints, a certificate issued by this CA may be uploaded using the management portal, which the cloud will then disseminate to the Cloud Connector automatically.  The issued certificate must satisfy the following pre-requisites, in addition to being issued by a trusted CA:
  • SAN or Subject matching machine’s short name
  • SAN or Subject matching the machine’s hostname as configured in the management portal
To configure a connector using an existing certificate: 
  1. In Cloud Manager, click Settings and choose Network from the menu on the left.
  2. Select the cloud connector you would like to configure. 
  3. Ensure "Use HTTPS for IWA Negotiations" checkbox is checked. 
  4. Click Upload and navigate to the location of the certificate trusted by your environment.
  • The certificate must be available as a PKCS#12 file (.pfx or .p12) which includes private key in order to upload it to the cloud service. For additional information, please refer to the following Microsoft article How to Export a Certificate with the Private Key.
  • If the machine is joined to Auto zone (Express Mode) and GP cannot be used to push the certificate. Please follow the steps below: 
  1. Copy the root CA Certificate to /var/centrify/net/certs/<CertName>.cert  
  2. ln -s /var/centrify/net/certs/yourname.cert `openssl x509 -hash -noout -in  /var/centrify/net/certs/yourname.cert`.0 

2. Update DirectControl agents: 

Install the updated 2016.1 DirectControl agents: 
  1. Once IWA is configured for HTTPS, the updated version of DirectControl 2016.1 agent needs to be installed. 
  2. Updated packages are available from the following sources: 
Verify certificates are retrieved by agents and MFA functionality: 
  1. Once agents are updated, verify that the newly configured certificate is available under /var/centrify/net/certs/ 
  2. If it is not listed under the directory, please execute adgpupdate to force the machine to retrieve the certificate from AD. 
  3. Execute  /usr/share/centrifydc/bin/adcdiag as root. If the command succeeds with no errors reported, MFA should function correctly. 

If there are any MFA problems after HTTPS is implemented, please check the following:
  • Execute /usr/share/centrifydc/bin/adcdiag as root to see if it reports any errors. 
  • Execute /usr/share/centrifydc/bin/adcdiag -k. The -k option verifies connection to cloud connectors without verifying certificate information. If this succeeds, there likely is an issue with the certificate. 
  • Ensure HTTPS and IWA are enabled in Centrify Cloud Manager. 
  • Verify the certificate used by cloud connectors are correct: 
    # KRB5CCNAME=/etc/krb5.ccache /usr/share/centrifydc/bin/curl --negotiate -u : -k https://< -v
  • Ensure correct root CA certificate is installed on the system: 
    # openssl x509 -in /var/centrify/net/certs/trust_45F53543F2ED7D8E1CDE930E2E6323F215EB0C50.cert -text