Friday, July 3, 2015

Implementing Centrify's Account Prevalidation Capability on UNIX, Linux and OS X using Group Policies

In case of an Active Directory catastrophic failure, a limited set of trusted administrators shall be able to log in to UNIX, Linux or OS X systems and perform the actions defined in their privileged management roles.

Contoso has 3,000 servers, many of them in branch deployments and public clouds, and there are no DCs in the branches.  WAN connectivity can be lost, so a mechanism that allows trusted administrators to perform actions should be available.  It's highly unlikely that the set of trusted admins has logged in to all systems. This is why Centrify implemented the account prevalidation feature.

Tools and Targets
  • Group Policy Management
  • Active Directory Users and Computers
  • CLI tools:  adgpupdate, adgpresult, setspn & PowerShell(windows)
  • Configuration files:  /etc/centrifydc/centrifydc.conf
  • Target Group:  Account prevalidation can be assigned to users or groups.  Ideally this would be assigned to groups so that management can be delegated to the Helpdesk, or front-ended by an ITSM or workflow solution.
    This means that an AD group should be requested.  Sample Name:   Centrify-Prevalidated-Admins
  • Process: 
    Onboarding:  When senior UNIX, Linux or Mac OS X administrators are onboarded, the user template or form should be updated so they are added to this group by default.
    One-offs:   When critical projects are going on and stakeholders need to be added to this group, our ITSM tool will front end a workflow request that ends on a PowerShell action that adds (or removes) the user from the target group.
    Attestation:   This group does not have any additional rights, however it has to be attested as part of the disaster recovery plan.
What you'll need
  • Centrify Standard Edition or Centrify Identity Service Mac Edition  (licensed)
  • A Windows system with Group Policy Management and the Centrify Group Policy Extensions (GPOE) installed
  • An Active Directory group pre-populated with the users that will be prevalidated
  • A GPO tied to the OU of the target UNIX, Linux or OS X systems.
  • Rights to edit the GPO
  • A Centrified system in the OU the GPO is linked to, for verification.
First, gather information about the members of the group
From a Centrified System 
$ adquery group -A Centrify-Prevalidated-Users | grep members
members:centrifyimage.vms/Staff/IT/Diana Wirth

From Windows with PowerShell
PS > get-adgroupmember Centrify-Prevalidated-Users | Select-Object samaccountname


Second, Configure the GPO
  1. Open Group Policy Management
  2. Create or edit the GPO in the corresponding forest/domain/OU.
    (Screenshot: GPMC - Location of NIX)
  3. In Group Policy Editor, navigate to Computer Configuration > Policies > Centrify Settings(*) > DirectControl Settings(**) > Account Prevalidation.  In the right pane, double-click "Specify allowed groups for prevalidation", select Enabled, populate the dialog box with the group predefined for this purpose, press OK and close Group Policy Editor.
    (Screenshots: GPO - account prevalidation; GPO - Prevalidation groups)
    (*) If you don't see a Centrify Settings section, you don't have the Centrify GPOE installed.
    (**) If you don't see a "DirectControl Settings" folder, you need to add the template.

Third, Add the Preval SPN to the members of the group and commit the changes in the Centrified system

a) To add the SPN

# From Windows with the setspn utility
C:\> setspn -A preval/rpimentel rpimentel
Checking domain DC=centrifyimage,DC=vms

Registering ServicePrincipalNames for CN=Diana Wirth,OU=IT,OU=Staff,DC=centrifyimage,DC=vms
Updated object

# From Windows using PowerShell
PS > Get-ADUser dwirth | Set-ADUser -ServicePrincipalNames @{Add="preval/dwirth"}

# From a Centrified System Using adedit
## Authenticate as someone who can edit the target object
$ kinit administrator
Password for administrator@CENTRIFYIMAGE.VMS:

# Open adedit, bind to domain and use the add_object_value function
$ adedit
> bind centrifyimage.vms
> package require ade_lib
> add_object_value "CN=Diana Wirth,OU=IT,OU=Staff,DC=centrifyimage,DC=vms" serviceprincipalname "preval/dwirth"
> exit

# Manually using Active Directory Users and Computers
  1. Open ADUC
  2. In the View menu, check "Advanced Features"
  3. Open your target user > Attribute Editor > servicePrincipalName
  4. Click add, and type  preval/<user>, press OK twice.
(Screenshot: ADUC - mv preval)

b) To verify the SPN was added successfully
# from a Centrified system using CLI
$ adquery user dwirth --attribute servicePrincipalName

# from Windows using PowerShell
PS > Get-ADUser dwirth -prop ServicePrincipalNames | Select-Object Name, ServicePrincipalNames

Name                                  ServicePrincipalNames
----                                  ---------------------
Diana Wirth                           {preval/dwirth}

c) To commit the changes to a system for the purposes of testing
## flush the cache - only if you want this immediately (it will happen automatically after the cache flush interval + GPO refresh)
$ dzdo adflush
DNS cache flushed successfully.
Authorization cache store flushed successfully.
GC and DC caches expired successfully.
DA name cache flushed successfully.
DA installation information cache flushed successfully.

## perform a group policy update - again, this happens on the GPO refresh.
$ adgpupdate
Refreshing Computer Policy...
Refreshing User Policy...
User Policy disabled on this machine.

## verify that the GPO inserted changes in the config file
$ adgpresult | grep Centrify-Prevalidated-Users
        adclient.prevalidate.allow.groups = Centrify-Prevalidated-Users,

Notes:  This process can also be implemented with a Management tool like Chef, Puppet, Spacewalk, etc.  Ultimately the parameter that will be adjusted is the "adclient.prevalidate.allow.groups" in the /etc/centrifydc/centrifydc.conf file.  This can also be part of a master config file that is enforced across the board, but watch out for conflicts with GPOs.  You must pick a tool.

Verify and Test
To verify prevalidation you'll need a recently Centrified system OR a system that you know one of your test subjects has never logged in to.  You will also have to switch the agent to offline mode.  There are two ways to do it:
a) If this is a VM, go to the hypervisor console, and disconnect the network; OR
b) Force the agent to go offline by adding all your DCs to the dns.block parameter.
E.g. if I have 2 DCs  ( and, the parameter would look like this:
dns.block:  dc1.corp.contoso.com,
c) If you have console access, you can also disable the network interface momentarily.

This video explains the installation and testing process:

There are several areas of improvement for this process:

A really useful improvement is the automation of the prevalidation SPN.  For example, you can implement, either on a Centrified UNIX/Linux system or with a Windows PowerShell script, a check for users added to (or removed from) your target group that automatically adds (or removes) the preval SPN.
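One way to do that automation from Windows, as an added example that is not part of the original post: reconcile the preval SPN against current group membership, adding it for new members and removing it from users who have left the group. It assumes the RSAT ActiveDirectory module is installed and the account running it can write servicePrincipalName on the target users; the group name is the one used above.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and write rights on servicePrincipalName for the target users.
param(
    [string]$GroupName = 'Centrify-Prevalidated-Users',
    [switch]$DryRun   # report what would change without touching AD
)
Import-Module ActiveDirectory

# Current user members of the target group (nested groups expanded).
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalNames }

# Every user that currently carries a preval/ SPN, member or not.
$holders = Get-ADUser -LDAPFilter '(servicePrincipalName=preval/*)' -Properties ServicePrincipalNames

$memberDns = @{}
foreach ($m in $members) { $memberDns[$m.DistinguishedName] = $true }

# 1) Members without the SPN get preval/<samAccountName>, matching the manual steps above.
foreach ($u in $members) {
    $spn = "preval/$($u.SamAccountName)"
    if ($u.ServicePrincipalNames -notcontains $spn) {
        Write-Host "ADD    $spn -> $($u.DistinguishedName)"
        if (-not $DryRun) { Set-ADUser -Identity $u -ServicePrincipalNames @{Add = $spn} }
    }
}

# 2) Users that still hold a preval/ SPN but are no longer members lose it,
#    so leaving the group really removes the prevalidation capability.
foreach ($u in $holders) {
    if ($memberDns.ContainsKey($u.DistinguishedName)) { continue }
    $stale = @($u.ServicePrincipalNames | Where-Object { $_ -like 'preval/*' })
    foreach ($spn in $stale) {
        Write-Host "REMOVE $spn <- $($u.DistinguishedName)"
        if (-not $DryRun) { Set-ADUser -Identity $u -ServicePrincipalNames @{Remove = $spn} }
    }
}
```

Run it with -DryRun first to review the ADD/REMOVE list, then schedule it (or trigger it from the ITSM workflow) so the SPNs track group membership; the Centrified systems still pick the change up on the next cache flush and GPO refresh as described above.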

Service Management and Approvals
If you have an ITSM (like ServiceNow) or an IdM with workflow/approvals, you can front-end this process by adding references and approvals to be able to answer these questions:
  • Why is this user a member of this group?
  • Who approved?
  • What's the reference number?
