KB-8757: How to exclude other credential providers to prevent bypassing Windows agent MFA

Authentication Service

12 December,18 at 05:32 PM

Applies to: Centrify Agent for Windows Suite 2017 and above

Question:
MFA is required for a user logging into a Windows machine but they are not being prompted for MFA and are allowed to login. Why is this happening and how do we prevent it?

Answer:
This can happen when additional credential providers are enabled on these systems and are being used to log in. For example, credential providers from Symantec, VMware or Amazon extend the Windows logon experience and can thus allow users to bypass the Centrify MFA.
 
How to check if the Centrify dzCredentialProvider is being used:
 
1) Recreate a login bypassing MFA
2) Navigate to this Registry Key location and look for our CLSID: 6FBD1D90-9D9D-40D9-B487-C4162172F45D
 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnProvider"
If the LastLoggedOnProvider value is not our dzCredentialProvider, as shown in the screenshot, then MFA is being bypassed using the credential provider shown in this key.

How to prevent this:
 
1) Use a Group Policy to exclude the credential providers that are allowing MFA to be bypassed.
To find all credential provider IDs:
 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"
Under this registry key, click on each sub key to identify the other credential providers by software name (look at the "Data" column of the "(Default)" value). When the provider is found, copy the sub key name, which is a CLSID string, e.g. {A3193558-BB44-4ddd-B0F9-001362EFB898}
 

2) Navigate to the Centrify GPO located at:

Computer Configuration\Centrify Settings\Windows Settings\MFA Settings\Specify the credential providers to exclude from the logon screen

3) Enter the Credential Provider CLSID string copied in Step 1 (enclosed in {}) in the value field, together with the pre-filled CLSIDs (for Microsoft Password Credential Providers). Separate multiple CLSIDs with commas.

4) Push this GPO setting to the client machine for it to take effect.

5) If the issue continues, repeat the steps, starting again from the LastLoggedOnProvider check. When multiple credential providers are enabled, the only way to know which one is in use is to log out of the machine, log back in, and check again until the Centrify Credential Provider is the one being used.
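The registry checks from both procedures above can be scripted. The following PowerShell is an added example, not Centrify's own tooling: it reads the LastLoggedOnProvider value and the two provider keys named in this article, and formats a comma-separated CLSID list for the GPO value field. The `$vendorPattern` value is a hypothetical placeholder for the software name you identified.

```powershell
# Added example: read-only audit of the registry locations named in this article.
$authRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$centrifyId = '6FBD1D90-9D9D-40D9-B487-C4162172F45D'   # dzCredentialProvider CLSID (from this article)
$vendorPattern = 'ExampleVendor'                       # hypothetical: name of the provider to exclude

function Get-ProviderEntry {
    param([string]$SubKey)   # 'Credential Providers' or 'Credential Provider Filters'
    $path = "$authRoot\$SubKey"
    if (-not (Test-Path $path)) { return }
    Get-ChildItem -Path $path | ForEach-Object {
        [pscustomobject]@{
            Source = $SubKey
            Clsid  = $_.PSChildName      # sub key name is the CLSID string, braces included
            Name   = $_.GetValue('')     # "(Default)" value holds the software name
        }
    }
}

$entries = @(Get-ProviderEntry 'Credential Providers') +
           @(Get-ProviderEntry 'Credential Provider Filters')

# Check: which credential provider handled the most recent logon?
$last = (Get-ItemProperty -Path "$authRoot\LogonUI" -Name LastLoggedOnProvider `
            -ErrorAction SilentlyContinue).LastLoggedOnProvider
if (-not $last) {
    Write-Warning 'LastLoggedOnProvider value not found; log on interactively and re-run.'
} elseif ($last.Trim('{}') -ieq $centrifyId) {
    Write-Output "Last logon used dzCredentialProvider ($last)."
} else {
    $name = ($entries | Where-Object { $_.Clsid -ieq $last } | Select-Object -First 1).Name
    Write-Warning "Last logon used $last ($name), not dzCredentialProvider."
}

# Inventory: every registered provider and filter, for review by software name.
$entries | Sort-Object Source, Name | Format-Table -AutoSize

# Exclusion list: CLSIDs whose name matches the reviewed vendor, never the Centrify one.
$exclude = $entries |
    Where-Object { $_.Name -like "*$vendorPattern*" -and $_.Clsid.Trim('{}') -ine $centrifyId } |
    Select-Object -ExpandProperty Clsid -Unique
if ($exclude) {
    Write-Output ("Append to the pre-filled GPO value: " + ($exclude -join ','))
} else {
    Write-Output "No provider name matches '$vendorPattern'."
}
```

The script changes nothing on the machine; the exclusion itself is still applied through the Centrify GPO setting described in steps 2 to 4.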

 

For Windows 10 machines you can also specify a default Credential Provider. Please reference this MS KB for those steps HERE.


Please review the following if you are still having issues:
KB-10049: MFA bypassed when McAfee Endpoint Encryption is installed

For reference:
Review Microsoft's guidelines on how to disable additional credential providers here.
Attached are common CLSIDs for various operating systems.


Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy. Customers should contact the vendor if there are any further questions.
 
