Centrify Server Suite 2016 - New Features in Action

Centrify Server Suite 2016 - New features, New Platforms, New Possibilities

Just in time for the Holidays and the New Year Centrify delivered Server Suite 2016;  this release is focused on unleashing the power of the Centrify Platform:

a) Server Suite

b) Identity Service

c) Privilege Service

As well as continuing to delight customers and prospects.

Here are a few demos:

Step-Up Authentication (+ CIS)

Reporting Services (+SSRS)

Local UNIX User and Group Management

Privilege Service Integration - Automation Unleashed

Centrify Start Menu for DirectAuthorize Windows, CLI Tools, PowerShell, GPOs

New Supported Platforms (CDC)

-  Windows 10 (x86_64)

-  Mac OS X 10.11 (x86_64)

-  Fedora 23 (x86, x86_64)

-  CentOS 6.7 (x86, x86_64)

-  Oracle Enterprise Linux 6.7 (x86, x86_64)

-  Red Hat Enterprise Linux Desktop 6.7 (x86, x86_64)

-  Red Hat Enterprise Linux Server 6.7 (x86, x86_64)

-  Red Hat Enterprise Linux Server 6.7 (ppc64 – no Power8)

-  Red Hat Enterprise Linux Desktop 7.2 (x86_64)

-  Red Hat Enterprise Linux Server 7.2 (x86_64)

-  Red Hat Enterprise Linux Server 7.0, 7.1, 7.2 (ppc64 – no Power8)

-  Scientific Linux 6.7 (x86, x86_64)

-  Ubuntu Desktop 15.10 (x86, x86_64)

-  Ubuntu Server 15.10 (x86, x86_64)

-  SUSE Linux Enterprise Desktop 11 SP4 (x86, x86_64)

-  SUSE Linux Enterprise Server 11 SP4 (x86, x86_64, ppc64, ia64)

-  SUSE Linux Enterprise Server 12 (ppc64 – no Power8)

-  Oracle Solaris 11.3 (x86_64, SPARC)

Centrify DirectControl for UNIX/Linux/Mac and servicePrincipalNames

Background

IT Ops often ask themselves about servicePrincipalNames in the context of Kerberos and ActiveDirectory.  When a system is Centrified, part of the process is to populate some of these entries to facilitate certain services to "just work";  SPNs play a part on that equation;  however there may be conflicts as well;  many organizations use Centrify software to simplify and secure Hadoop implementations at the OS-layer;  there may be conflicts with other Kerberos-enabled apps as well.  This quick article consolidates the questions that we commonly get as it relates to SPNs and Centrify DirectControl.

What is a Kerberos SPN?

ServicePrincipalName is the name by which a Kerberos client identifies an instance of a service.  The simple format entry in Active Directory looks like this:  service/realm:PORT.  E.g. HTTP/host.example.com

What does this have to do with Centrify?

Centrify uses Kerberos for authentication against Active Directory.  When you join a UNIX, Linux or Mac system into Active Directory using Centrify, there are a set of ServicePrincipalNames defined for the system by default.  Some of these are (varies between platforms). 

afpserver:  for an Apple file server

cifs: for a Samba file server

ftp: for a Kerberos-enabled ftp server

host: for host services like SSHD

http: for Web Servers that use SPNEGO

ipp: for web-based printing

nfs: for Kerberos-enabled NFS

How commonly used are this servicePrincipalNames?

In an Active Directory environment, because it uses Kerberos as the authentication protocol, you interact with Kerberos-enabled services all the time.  As an example, right now, you can connect to a Centrified system using ssh.  When you do, you are getting a service ticket for the HOST service for that system.  You can verify this with the klist command on Windows or in UNIX.    For example:  Diana (dwirth) connects to two centrified systems using PuTTY (engcen6 and linux2); then she opens PowerShell and verifies that she has a service ticket.

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\dwirth> klist | sls host

    Server: host/engcen6.centrify.vms @ CENTRIFY.VMS
    Server: host/linux2.centrify.vms @ CENTRIFY.VMS

When does the service registration happen, when I install your CentrifyDC package?

No.  Remember that installing our packages only will place our binaries in your system.  These changes happen when you run the adjoin command OR on the AD side, when you use the "Prepare UNIX computer" option in Centrify Access Manager or when you use the New-CdmManagedComputer PowerShell commandlet.

You have a chance to add/remove or modify SPNs during the Pre-Create stage.

Why do you do this?

To make sure that certain common services that rely on Kerberos just work out of the box.

Can I control the behavior of the default SPNs?

Yes.  The adclient.krb5.service.principals parameter takes care of what SPNs are set up in the computer’s AD object and its corresponding system keytab entries. All you need to do is enable the parameter, PRIOR to running adjoin to join AD and only the entries defined will be created by default.  From the Centrify UNIX configuration guide:

"adclient.krb5.service.principals

This configuration parameter specifies additional service principals 
for entries in the Kerberos key table. The key table is populated by 
default with the service principals host, http, cifs, and nfs.
This parameter's value must be one or more principal service names, 
separated by a space or by a comma. For example:

adclient.krb5.service.principals: http ftp cifs nfs

If this parameter is not defined in the configuration file, no 
additional principal names are added to the Kerberos key table."

You can also leverage the Precrate option in Access Manager or the New-CdmManagedComputer PowerShell commandlet.

How can I see the existing registered SPNs for a Centrified system?

On UNIX/Linux/Mac CLI:   Use the “adinfo –C” command from the CLI. 

1. Make sure you have a current Kerberos ticket. If you get a "cannot bind" error, just kinit and reauthenticate against AD.

$ adinfo -C
Computer Account Diagnostics
  Joined as: engcen6
  Trusted for Delegation: true
  Use DES Key Only: false
  Run adinfo as root to examine local key info
  Key Version: 11   (local key version unavailable)
  Service Principal Names: myservice/engcen6
                           myservice/engcen6.centrify.vms
                           nfs/engcen6.centrify.vms
                           nfs/engcen6
                           ipp/engcen6.centrify.vms
                           ipp/engcen6
                           http/engcen6.centrify.vms
                           http/engcen6
                           host/engcen6.centrify.vms
                           host/engcen6
                           ftp/engcen6.centrify.vms
                           ftp/engcen6
                           cifs/engcen6.centrify.vms
                           cifs/engcen6
                           afpserver/engcen6.centrify.vms
                           afpserver/engcen6

Supported Encryption Type(s): RC4-HMAC
                              AES128-CTS-HMAC-SHA1-96
                              AES256-CTS-HMAC-SHA1-96

Operating System Version: 6.1:6.5 (Final)

From Windows using the CLI:  Use the “setspn.exe –L <hostname>”

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\>setspn -L engcen6
Registered ServicePrincipalNames for CN=engcen6,OU=Servers,OU=centrifyse,DC=cent
rify,DC=vms:
        myservice/engcen6
        myservice/engcen6.centrify.vms
        nfs/engcen6.centrify.vms
        nfs/engcen6
        ipp/engcen6.centrify.vms
        ipp/engcen6
        http/engcen6.centrify.vms
        http/engcen6
        host/engcen6.centrify.vms
        host/engcen6
        ftp/engcen6.centrify.vms
        ftp/engcen6
        cifs/engcen6.centrify.vms
        cifs/engcen6
        afpserver/engcen6.centrify.vms
        afpserver/engcen6

From Windows Using Active Directory Users and Computers

1. Make sure that the Advanced Features check is set in the View menu.
2. Find the computer object > right click > Properties > Attribute Editor
3. In the Attribute Editor, find the servicePrincipalName field.
   

What if I need to change the SPNs for an existing system?

There are several ways to do it.  The easiest way to do it is using adkeytab; however if you want this to happen automatically during join, you have to modify the configuration file.

You can also use adleave/adjoin, however this has the drawback that the agent will be disabled temporarily.

Using adkeytab 
To add an SPN to the computer

Example:  adding the oracle service to the shortname engcen6 – notice that you need to be root or elevate to change the system keytab, plus you'll need an AD user that can modify the computer object in AD.

1. Run “dzdo adkeytab --addspn --principal [principal in correct format] --user [ad-user-that-can-modify-computer-object] --verbose”
   

   $ dzdo adkeytab --addspn --principal oracle/engcen6 --user dwirth --verbose
   Active Directory Password:
   ADKeyTab version: CentrifyDC 5.2.0-218
   Options
   -------
   use machine ccache: no
   domain: centrify.vms
   server: null
   user: dwirth
   container: null
   account: null
   trust: no
   des: no
   dwirth@CENTRIFY.VMS's password:
   Attempting bind to centrify.vms site:Demo-Network server:dc.centrify.vms: ccache:MEMORY:0x5666c0
   Bind successful to server dc.centrify.vms
   Searching for AD Object: filter = (samAccountName=engcen6$), root = DC=centrify,DC=vms
   AD Object found: CN=engcen6,OU=Servers,OU=centrifyse,DC=centrify,DC=vms
   Key Version = 11
   Success: Add SPNs: Default Key Tab
   

2. Verify the new SPN with “adinfo –C”
   

   $ adinfo -C | grep oracle
     Service Principal Names: oracle/engcen6
   

3. Optional:  List the contents of the system keytab
   

   dzdo /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5.keytab | grep oracle
     11 12/16/15 07:27:47 oracle/engcen6@CENTRIFY.VMS
   [output truncated]
   

   The KVNO goes up, and the new entry is present.

To remove an SPN from the computer (example:  removing the entry I added above to the same system)

1. Run “dzdo adkeytab --delspn --principal oracle/engcen6 --user [ad-user-that-can-modify-computer-object] --verbose”
   

   $ dzdo adkeytab --delspn --principal oracle/engcen6 --user dwirth --verbose
   ADKeyTab version: CentrifyDC 5.2.0-218
   Options
   -------
   use machine ccache: no
   domain: centrify.vms
   server: null
   user: dwirth
   container: null
   account: null
   trust: no
   des: no
   dwirth@CENTRIFY.VMS's password:
   Attempting bind to centrify.vms site:Demo-Network server:dc.centrify.vms: ccache:MEMORY:0x5666c0
   Bind successful to server dc.centrify.vms
   Searching for AD Object: filter = (samAccountName=engcen6$), root = DC=centrify,DC=vms
   AD Object found: CN=engcen6,OU=Servers,OU=centrifyse,DC=centrify,DC=vms
   Key Version = 11
   Deleting SPN oracle/engcen6
   Keeping SPN myservice/engcen6
   Keeping SPN myservice/engcen6.centrify.vms
   Keeping SPN nfs/engcen6.centrify.vms
   Keeping SPN nfs/engcen6
   Keeping SPN ipp/engcen6.centrify.vms
   Keeping SPN ipp/engcen6
   Keeping SPN http/engcen6.centrify.vms
   Keeping SPN http/engcen6
   Keeping SPN host/engcen6.centrify.vms
   Keeping SPN host/engcen6
   Keeping SPN ftp/engcen6.centrify.vms
   Keeping SPN ftp/engcen6
   Keeping SPN cifs/engcen6.centrify.vms
   Keeping SPN cifs/engcen6
   Keeping SPN afpserver/engcen6.centrify.vms
   Keeping SPN afpserver/engcen6
   Removing SPNs from ADObject engcen6
   Removing spns and from config file for engcen6
   Removing SPNS from Keytab for engcen6
   Success: Del SPNs: Default Key Tab
   

2. Verify the new deleted SPN with “adinfo –C”
   

   $ adinfo -C | grep oracle
   $
   

   No results imply that there's no entry.

Using adleave/adjoin 

1. Edit the /etc/centrifydc/centrifydc.conf file and use the krb5.service.principals parameter to reflect the desired SPNs and save the file
2. Note the Zone and Computer Roles the system belongs to  (using access manager, UNIX CLI or ADUC)
3. Leave AD by running “dzdo adleave –r –u [AD-user-that-can-remove-the-computer-object]”
   this will leave the domain and remove the computer object;  if you rather do an offline leave, use the adleave -f command.
4. Join AD by running the “[elevate] adjoin –z [zone] –c [container-in-ad] –u [ad-user-that-can-join]  [domain.name]” 
   if you have to join any computer roles, use the –computerrolrole parameter and list the computer roles.
5. Verify that the newly-joined system has the SPNs you require by using adinfo -C

Do you know any instances of conflicts with these SPNs?

Yes.  Other Kerberos-enabled apps may rely on these SPNs.  Some notables:

• Hadoop:  Applications like Cloudera Manager, Hortonworks Ambari or MapR Control System will create HTTP records for SNEGO-enabled services.  The best practice is to disable the http SPN using the krb5.service.principals parameter PRIOR to joining any systems that will participate in Hadoop clusters.
  For example, if I forgot to remove the http entry and I already joined my Hadoop node, all I need to do is run the "sudo adkeytab --delspn --principal http/shortname --principal http/fqdn --user myuser"  > this will remove all http SPNs.
• Certain Java apps:   Some Kerberized java applications may have other conflicts.  Applications vary.
• Mixed Kerberos Environments: In environments with mixed Kerberos environments (where AD and MIT Kerberos coexist) there may be conflicts, however if you follow the guidelines on Mixed Kerberos, there should be none given that the realms are different and the system keytabs & krb5.conf files are independent.

Centrify and Active Directory Functional Upgrades

This article was written originally for the Centrify Community.

What are Active Directory Functional Levels?
When Microsoft introduces new versions of Windows Server, they may add new capabilities to Active Directory. These new capabilities impact the environment and require planning, the “functional levels” can be introduced by the organization as they become ready. There are two types of functional level upgrade: domain and forest; the scope of forest functional levels affect the whole subtree, and domain-level changes only affect the target domain. A very common misconception is that all features are enabled. A functional upgrade may make a new capability or schema objects available, but it does not mean that your organization is ready or will use those capabilities.

Why should I know this, I only deal with UNIX | Linux | Mac OS X and upper-layer apps (Apache, Java, SAP, DB2)?
When your organization committed to use Active Directory on non-Windows platforms, they gained efficiencies and improved security capabilities, however, AD becomes an integral piece of infrastructure just like power, cooling, switching/routing, etc. All systems relying on AD must be aware of “functional-level” major changes.

What will be the impact to my UNIX, Linux or Mac systems when the Functional level goes up?
The answer to this question really depends on how well you manage your environment.
The rule of thumb is this. If you deployed Centrify in your UNIX, Linux or Mac environment a few years ago and time constraints have kept you from maintaining it (or because it just works), you’ll have a tougher time. If you’ve been keeping-up with the software lifecycle (upgrades) and are listening-in your AD planning calls; you may be so ready that your impact could be close to nothing.
To level-set here, this is not a “Centrify-only” consideration; this affects software and hardware that integrates to Active Directory. This article is to deep-dive into Centrify Server Suite and Identity Service Mac Edition (on-premises client).

You caught my interest. Can you tell me more about Active Directory functional levels?
The best source of information is this Microsoft TechNet article: https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx. If you want to be better informed, see the reading list below.

What happens when I raise the Domain Functional Level as it relates to Centrify?
The answer depends on what your current functional level is and what functional you're raising it to.
Let’s focus on 3-key aspects of going from DFL 2003 and DFL 2012 (conveniently how I set up my lab :smileyhappy:).

Kerberos
Centrify DirectControl (centrifydc/adclient), just like any other Active Directory client, uses Kerberos as the authentication protocol. In Kerberos session tickets encrypted using cyphers (algorithms).
As time goes both computers have more power and mathematicians grow smarter or find issues with existing algorithm. A very good example is the Data Encryption Standard (DES), it has been around since the 70s and it was broken in the late 90s; therefore DES became phased out by AES officially in 2002.
One of the changes introduced by a DFL is better encryption algorithms.

• Raising the DFL to Windows Server 2008 implements AES 128 and AES 256 for Kerberos.

This is why Microsoft's first guidance is to perform an inventory of your AD real estate. When this change happened, many older systems could not authenticate as illustrated in this example. In some instances, even a non-DFL change like adding a “newer OS” to perform the domain controller role can introduce side effects. For example, introducing a Windows Server 2012 Domain Controller to a Windows 2003 DFL Domain will immediately will disallow older crypto algorithms.

Summary – stronger cryptography is good, however, raising the DFL to Windows 2012 OR introducing a Windows 2012 domain controller in a 2003 forest requires at a minimum Server Suite 2014.1 (5.2.x).

KRBTGT Password Change
Active Directory has a built-in account called “krbtgt” (Kerberos TGT). This account has a complex password that is only known to low-level services; However, this is a very important account because every Ticket Granting Ticket (TGT) generated by users and computers is encrypted with a key that is derived from this password. As you probably can infer from the previous topic, once you switch the cypher, the secret is updated as well.

• Raising the DFL will change the password of the KRBTGT account; this makes older secrets invalid.

Microsoft, as part of their strategy to mitigate advanced attacks like Pass-the-Hash (PtH) and others has established new best practices around the krbtgt account, but that’s the topic for another post.

Summary: When using stronger crypto, the passwords for the krbtgt will change.

SID Compression
The Windows Security Identifier (SID) is the unique and immutable identifier for an AD principal (user, group, etc.). Microsoft Kerberos implements methods that use the Privilege Attribute Certificate (PAC), in an over-simplistic way, the PAC contains information about the group membership and authorization information for the corresponding security principal.
Active Directory clients often need to make decisions about access control with information contained in the PAC; however when principals belong to large numbers of groups the information can't fit inside the data structure and that's why SID compression was implemented. Within Centrify Server Suite, this is very important especially in the context of Zones and DirectAuthorize.

• Windows 2012 Domain Controllers implement SID compression and is turned on by default.  If an AD client can't decompress the SID to view the PAC, it will have functionality issues.

This has caused many known issues, however there's flexibility given that you can disable SID compression at the object  level or at the DC level.

Summary: SID compression is enabled on Windows 2012 DCs.  This is important for group enumeration and authorization.

Now you made me worried, What should I do?
 No need to be worried, there are plenty of resources available (see the reading list below); I think that by reading this article you should be informed and dangerous enough, however my advice is this:

• Keep your agents up-to-date.
  This can be painful, but if you’re within the 3-year software life-cycle (for standard support, 5 years for premium), you should be fine. Keep in mind, you have to also be realistic. For example, Windows 2012 R2 was released in October of 2014 and Server Suite 2014.1 was released in August. In that case Centrify was ahead of the ball if organizations were looking to deploy that version of the software. In some instances we are behind and provide functionality based on the needs of our customer base.
• Maintain your consoles and utilities up-to-date
  Consoles and PowerShell commandlets are backwards compatible. Tools like Deployment Report can be great tools to inventory clients.
• Familiarize yourself with Microsoft’s methodology
  The methodology is outlined here: http://blogs.technet.com/b/askpfeplat/archive/2013/04/29/upgrading-or-migrating-active-directory-to-windows-server-2012-build-your-roadmap-now.aspx
  If you are working closely with your AD team, in the Assess phase you should be providing an inventory of all your Centrify clients and inform them if the version installed will support these key things: AES Encryption, KRBTGT password changes and SID Compression.
• Document  any exceptions
  You should also inventory if you have hardcoded certain parameters like adclient.krb5.permitted.encryption.types. Ideally you should let DCs negotiate with the client, they typically go for the maximum (AES256).

Any tools, tips or tricks to share?
You can use Centrify CLI tools, Consoles and Utilities to discover, diagnose and collect information for your Functional Upgrade project.  Here are some examples:

Determining the Centrify version (per system - see below for inventory)

$ adinfo -v
adinfo (CentrifyDC 5.2.3-429)

Determining the forest and domain functional levels (per forest/domain)

$ adinfo --diag | grep Functionality
    domainFunctionality:           5 = (DS_BEHAVIOR_WINSERVER_2012)
    forestFunctionality:           5 = (DS_BEHAVIOR_WINSERVER_2012)
    domainControllerFunctionality: 6
    domainFunctionality:           5 = (DS_BEHAVIOR_WINSERVER_2012)
    forestFunctionality:           5 = (DS_BEHAVIOR_WINSERVER_2012)
    domainControllerFunctionality: 6

Determining if the encryption types have been changed (per client exception)

$ grep encryption.types /etc/centrifydc/centrifydc.conf
# adclient.krb5.tkt.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
# * the default encryption types permitted for Windows 2000 server and
#   adclient.krb5.permitted.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
# * the default encryption types permitted for Windows Server 2008 domain
#   adclient.krb5.permitted.encryption.types: aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc

Determining the Kerberos system key table (keytab) encryption (per agent)

$ dzdo /usr/share/centrifydc/kerberos/bin/klist -ke /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 nfs/engcen6.centrify.vms@CENTRIFY.VMS (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   7 nfs/engcen6.centrify.vms@CENTRIFY.VMS (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   7 nfs/engcen6.centrify.vms@CENTRIFY.VMS (ArcFour with HMAC/md5)
[output truncated] 

For each ServicePrincipalName (SPN) you should see an AES256 entry for DFL 2008 and above.

Determining if the encryption type on the system's ticket cache

$ dzdo /usr/share/centrifydc/kerberos/bin/klist -fe /etc/krb5.ccache
Ticket cache: FILE:/etc/krb5.ccache
Default principal: engcen6$@CENTRIFY.VMS

Valid starting     Expires            Service principal
12/08/15 14:56:35  12/09/15 00:56:34  krbtgt/CENTRIFY.VMS@CENTRIFY.VMS
        renew until 12/09/15 14:56:35, Flags: FRIA
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

Building an Inventory of Centrify agents and versions
Open Access Manager > Right Click "Centrify DirectManage Access Manager [dc]" > Select Deployment Report (Standard Edition)


What if I want to test this?

You'll need
a) A Windows Server (2003 or 2008) acting as a DC at the low level (e.g. Windows Server 2003 DFL)
To test the raising of the DFL to
b) A Windows Server 2012 member server that you can promote to a DC
To test the introduction of a 2012 DC
c) A Centrify client in any mode (Express | Workstation | Zone) for UNIX, Linux or OS X.

Video


Reading List

• https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
• http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
• http://blogs.technet.com/b/askpfeplat/archive/2013/04/29/upgrading-or-migrating-active-directory-to-windows-server-2012-build-your-roadmap-now.aspx
• http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx
• http://windowsitpro.com/security/resetting-password-krbtgt-active-directory-account
• http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
• http://social.technet.microsoft.com/wiki/contents/articles/24370.sid-compression.aspx
• https://support.microsoft.com/en-us/kb/2774190