Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-9301: Centrify DirectControl support user-specified HTTP Proxy Server with authentication for MFA

Authentication Service ,  

27 October,17 at 11:02 PM

UNIX Agents are normally running in a private network. When the agent is required to communicate to Centrify Identity Platform (CIP), e.g. to do MFA, is normally located in a public network. In some scenarios it is a common practice for traffic to go through a Proxy Server when talking to a Server in the public network. 

The Centrify DirectControl Agent by default will use Centrify Cloud Connector as the Proxy Server, which will use SPENGO as authentication method and authenticate as machine account. Some environments may have their own Proxy Server configured and would prefer to use their own Proxy Server with the Agent. 

There is no way to specify an alternate HTTP Proxy Server in Centrify DirectControl Agent, and no way to configure the credential for the proxy server. 

Centrify Connectors 17.7 and greater allow for HTTP Proxy Server with authentication to be specified. Enter the Server FQDN within the connector control panel along with the needed credentials. 

User-added image

Note: Each connector will need to have this configured. 

In Suite 2017.3 (5.4.3) Centrify Direct Control will support user-specified Proxy Server with authentication for MFA. 

A new CLI adwebproxyconf to allow user to configure web proxy locally:

  • Setup HTTP Proxy credential to be used by agent.
  • Delete HTTP Proxy credential. 
  • Get the HTTP Proxy credential info. 
  • Test the proxy connection using configured or supplied HTTP Proxy credential 
  • Provide option to configure HTTP Proxy Server to use.
  • Only root is allowed to run this command
  • Machine must joined to zone to run

Please review man pages for more information. 

New settings that will allow configuration of an alternative Proxy Server.

  • HTTP Proxy Server that DirectControl should use to connect to the CIP. Default is empty, i.e. none.
    • adclient.http.proxy.server: FQDN
  •  Determine if authentication is required for a specified HTTP Proxy Server. Default is false. 
    • adclient.http.proxy.server.auth.required: false 
  • Determine what authentication type should be used when authenticating to HTTP Proxy Server. Supported Values are; AnyAuth (Default), Basic, Digest, NTLM, Negotiate.
    • adclient.http.proxy.server.auth.type: "AnyAuth"