Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-9139: MFA for Amazon WorkSpaces using RADIUS with Centrify

App Access Service ,   App Gateway Service ,  

23 May,18 at 09:19 PM


How to configure Centrify for MFA login with Amazon WorkSpaces.


A Centrify Community Techblog is also available that provides a detailed walk through of setting up MFA login with Amazon WorkSpaces using Centrify at the following location:

The following steps show the Centrify settings needed for configuring MFA login with Amazon WorkSpaces.

Configure Centrify Connector as RADIUS Server

  • Click Settings > Network > Centrify Connector.
  • Select an existing connector or add a new one.
  • Click RADIUS.
  • Select the Enable incoming RADIUS connections checkbox.
  • Provide the port number in which the Centrify Connector talks to Centrify Identity Services. The default port number is 1812.
  • Click Save.
User-added image

Create Authentication Profile

  • Click Settings > Authentication.
  • Click Add Profile on the Authentication Profiles page.
  • Enter a unique name for the profile.
  • Select the Authentication Mechanisms
  1. Challenge 1: Password
  2. Challenge 2: Desired second factor (Mobile Authenticator, SMS, Email, etc)

Important: Centrify recommends that you select a profile where the first challenge is "Password" because the user prompt from the RADIUS client defaults to Username/Password, regardless of the authentication mechanism(s) you choose for the first challenge. If you select a profile where the first challenge is not Password, for example it is Mobile Authenticator, then users may not successfully authenticate with the RADIUS client because we are expecting a mobile authenticator code but users enter their username/password based on the UI prompt.

  • ​Click Save.
User-added image

Create Policy set

  • Click Core Services > Policies > Add Policy Set.
  • Click Add Policy Set.
  • Enter a name for the policy set.
  • Click User Security Policies > RADIUS.
  • Select Yes in the Allow RADIUS client connections dropdown.
  • Select the Require authentication challenge checkbox to require that users provide a secondary authentication mechanism to log in via the RADIUS client.
  • Select the authentication profile (Name from “Create Authentication Profile” step) from the dropdown.
  • Click Save.
User-added image

Configure the RADIUS client information for each AWS AD Connector instance

  • Click Authentication > RADIUS Connections > Client tab > Add to configure your RADIUS client.
  • Enter a name for the RADIUS client.
  • Enter the Client Hostname or IP Address: IP of AWS AD Connector instance.
  • Enter the Client Secret: Shared secret code from AWS AD Connector instance.
User-added image
  • Click Response.
  • Select Mechanism Response Options - Select a response option for each mechanism. Use Push to respond from the mechanism or Enter Code to manually respond.
  • Click Save.
User-added image

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.