Announcing a new series!!!
I recently got some YubiKeys from HQ (thanks @Peter). They provide all-in-one smart card (PIV) and OTP (OATH) capabilities and work great with Centrify products, so a new series was in order.
Here are the series links:
Part 1: Securing Windows Server Access and Privilege Escalation with Centrify, Active Directory and YubiKey
Part 2: Securing local and remote access to UNIX/Linux with Centrify, Active Directory and YubiKey
Part 3: Using SmartCard (or YubiKey) to secure Apps, Shared Secrets and Sessions with CIS and CPS
About the Series
This new series showcases our MFA Everywhere initiative and we'll be posting a series of HOWTO labs to cover several scenarios:
Strong Authentication (PKI) Smart Card / Yubikey
- Leverage what you have: Active Directory, Microsoft CA, Group Policies
- Enforcing Smart Card access to UNIX/Linux/Mac systems (Windows systems support this natively)
- Use DirectAuthorize roles to limit access to strongly authenticated sessions
Strong Authentication for Windows Privilege Elevation
We already covered Access and Privilege Elevation For UNIX/Linux using Centrify MFA here: http://community.centrify.com/t5/Community-Tech-Blog/LABS-Setting-up-the-MFA-for-Servers-feature-of-Centrify-Server/ba-p/22457
Strong Authentication (Smartcard/Yubikey) & OATH OTP access
- IdP Portal Access
- OnPrem or SaaS Application Access
- Privilege Portal Access
- Privilege Password Manager (Shared Account Password Manager)
- Privilege Session Manager (Jump Box)
Here's a quick overview/demo
Lab - Base Setup
The base setup is the pre-requisite for all the Yubikey/SmartCard related labs.
What you'll need
- Active Directory with Certificate Services
- A domain joined member server with Centrify Server Suite 2016
- .NET 3.x features enabled
- Feature RSAT: Active Directory, Group Policy Management and Certificate Services tools
- One or two UNIX/Linux systems with Centrify Standard Edition 2016 (5.3+) (if testing UNIX/Linux)
- Access to Centrify Standard Edition installation files (evaluation or licensed)
- Yubikey PIV Manager (download link)
- Yubikey 4, NANO or NEO
- You need working knowledge of Active Directory and Centrify Zones
Tip: To set up a base configuration, you can build on the Microsoft Test Lab Guide.
Create Test Users and AD Group
On the member server
- Open Active Directory Users and Computers and navigate to your desired OU
- Right click and select New > User and follow the wizard until the user is created.
- Right click the newly-created user and select Properties. In the General tab, set the E-mail to match the user principal name (e.g. email@example.com) and press OK. The Smartcard User template puts the e-mail name in the certificate subject and subject alternative name, so enrollment fails if this attribute is left empty.
- Right click the OU and select New > Group and make it a Global/Security group. Call it "Smart Card Users"
- Right click the Group, select properties, go to the Members tab, press Add and add the user created in step 2.
- On the member server, grant the group or user the ability to log on remotely.
Computer > Properties > Remote Settings > Remote Desktop > Select Users > Add > [select user or group] press OK twice.
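The same user/group setup as an added PowerShell example (this is not from the original post). It assumes the RSAT ActiveDirectory module is installed on the member server; the OU, domain, user and group names are lab placeholders you should replace with your own.

```powershell
# Added example (not from the original post): PowerShell equivalent of the user/group steps above.
# Assumptions: RSAT ActiveDirectory module installed; OU, domain, user and group names are lab placeholders.
Import-Module ActiveDirectory

$ou        = 'OU=Lab,DC=example,DC=com'   # assumption: target OU
$sam       = 'sctest'                      # assumption: test user name
$upn       = "$sam@example.com"            # assumption: UPN suffix
$groupName = 'Smart Card Users'
$netbios   = 'EXAMPLE'                     # assumption: domain NetBIOS name

# The Smartcard User template places the e-mail name in the certificate subject and SAN,
# so the mail attribute must be populated. Keep it identical to the UPN, as in the steps above.
New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName $upn -EmailAddress $upn `
    -Path $ou -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true

New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "CN=$groupName,$ou" -Members $sam

# On the member server: grant the group Remote Desktop logon (same as Remote Settings > Select Users).
# net localgroup works on every supported Windows version; Add-LocalGroupMember needs Server 2016+.
net localgroup 'Remote Desktop Users' "$netbios\$groupName" /add

# Checks: mail equals UPN, and the user is in the group that will later be granted Enroll on the template.
$u = Get-ADUser -Identity $sam -Properties mail, memberOf
if ($u.mail -ne $u.UserPrincipalName) {
    throw "mail ($($u.mail)) does not match UPN ($($u.UserPrincipalName))"
}
if (-not ($u.memberOf -match "^CN=$groupName,")) { throw "$sam is not a member of $groupName" }
Write-Host "User $upn created and added to '$groupName'."
```

Run it from an elevated PowerShell session with an account that can create objects in the target OU; the final two checks fail loudly if the e-mail attribute or the group membership that the certificate template depends on is missing.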
Modify the Smart Card User template
- Open the Certification Authority console (Start > Search > Certification Authority)
If you get an error, retarget the console to the appropriate server (e.g. DC1)
- On the left pane, right click "Certificate Templates" and select Manage. This will open the Certificate Templates console.
- In the template list, right-click the SmartCard User template and select "Duplicate Template"
- In the General tab, give the template a descriptive name. I used "Smart card User V2" (this is the display name, the actual template name is SmartcardUserV2)
- Click on the Security tab, press Add, select the newly-created Smart Card Users group, check the Enroll and Autoenroll boxes, then press OK and close the Certificate Templates console.
Publish the Newly-Created Template
- In the Certification Authority console, on the left pane, right click "Certificate Templates" and select New > Certificate Template to Issue
- Select the newly-created version of the Smart Card User template (e.g. Smart Card User v2) and press OK.
Provision the Smart Card User Certificate into your Yubikey
- Log on to your member system with the test user.
- Open the Yubikey PIV manager tool with the Test User (shift+right click > run as different user)
- If you're using a VM, connect the Yubikey to your virtual machine.
Note: If you're using VMware, add the parameter below to the VM's .vmx file (edit it with a text editor while the VM is powered off) so the YubiKey is passed through to your VM.
usb.generic.allowHID = "TRUE"
- Initialize the YubiKey if it is brand new, setting a new PIN, PUK and management key. The factory defaults are public (PIN 123456, PUK 12345678, and a well-known management key), and anyone holding a key still using them can overwrite the certificate slot. Do not forget the PIN.
- In YubiKey PIV Manager, press Certificates > Generate New Key and make sure you type the certificate template name (SmartcardUserV2 in this lab, not the display name), then press OK.
- Type the PIN when challenged, and select your existing CA from the list (in my case I used the CA entry rather than the HTTP link) and press OK.
- To test smart card authentication, either lock your screen or log off. If you can unlock or log in with the YubiKey and its PIN, you should be ready for the next steps.
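Before moving on to the Centrify labs, it is worth checking each link of the chain rather than only whether the lock screen accepts the card. The script below is an added example (not from the original post) that confirms the template is issuable on the CA, that Windows sees the card, and that the propagated certificate chains to your CA and carries a SAN user principal name matching the logged-on user. The CA config string and template name are lab placeholders.

```powershell
# Added example (not from the original post): checks after provisioning the card.
# Run on the member server, logged on as the test user, with the YubiKey inserted.
# Assumptions: CA config string and template name are lab placeholders.
$caConfig = 'DC1.example.com\Example-DC1-CA'   # assumption: value shown by "certutil -dump"
$template = 'SmartcardUserV2'                   # template name, not the display name

# 1. The duplicated template is actually issuable on the CA.
$issuable = certutil -config $caConfig -CATemplates
if (-not ($issuable -match $template)) { throw "Template $template is not published on $caConfig" }

# 2. Windows sees the card and can read its certificate (inspect the output for errors).
certutil -scinfo

# 3. The certificate propagated to the user's store: Smart Card Logon EKU, chains to our CA,
#    and the SAN user principal name matches the logged-on user.
$upn  = (whoami /upn).Trim()
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
            $_.HasPrivateKey -and $_.EnhancedKeyUsageList.FriendlyName -contains 'Smart Card Logon'
        } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No Smart Card Logon certificate found in the user store' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    throw "Chain build failed: $($chain.ChainStatus.StatusInformation -join '; ')"
}

# Subject Alternative Name extension (OID 2.5.29.17) rendered as text, e.g. "Other Name:Principal Name=user@example.com"
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($san -notmatch [regex]::Escape("Principal Name=$upn")) { throw "SAN '$san' does not carry UPN $upn" }

Write-Host "OK: $($cert.Subject) issued by $($cert.Issuer), valid until $($cert.NotAfter), SAN UPN $upn"
```

If the unlock succeeded but you want proof that Kerberos actually used the certificate, look for event 4768 on the domain controller for the test user: a Pre-Authentication Type of 16 (PA-PK-AS-REQ) means the TGT was obtained with PKINIT, i.e. with the smart card rather than a password.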
Lab Verification Video