Monday, September 12, 2016

Enabling Centrify Identity Service and Privilege Service for Smart Card Authentication

Background
Many governmental and commercial organizations have implemented smart cards as their preferred method for multi-factor authentication. This post explains how to configure Centrify Identity Service (CIS) or Centrify Privilege Service (CPS) for smart card (certificate-based) authentication, and walks through the configuration steps required.

How it works
Generally, the cryptographic credentials (user certificates) are stored on the smart card (a PIV or CAC card) and the system has a dedicated reader. Upon successful authentication (credentials verified and PIN submitted), the operating system or application uses a standard protocol (such as Kerberos) or a one-time code to grant access to the system or application.

For example, Centrify Server Suite allows the use of Kerberos for SSO to applications like Secure Shell (SSH). Our DirectAuthorize can enforce whether a user is allowed to log in with a password or with Kerberos/GSSAPI only.

In the case of Identity Service and Privilege Service, we use a Centrify capability called Zero Sign-on (SZO). SZO issues a one-time token for authentication when the Authentication Profile that applies to the user is configured for certificate-based authentication. All the user needs to do is navigate to the CIS/CPS site, select the smart card certificate and enter the PIN.
pki-cis-cps.png
This setup provides strong authentication to access Apps or for Privileged Identity Management scenarios.

What you'll need:
  1. An instance of Centrify Identity Service App+ or Privilege Service (CPS can be SaaS or on-premises)
  2. Public Key Infrastructure (Enterprise CA, revocation infrastructure, well-configured PKI clients) and an understanding of how the subject name is being provisioned.
  3. A copy of the certificate chain (or Root CA) for your PKI infrastructure.
  4. A smart card or YubiKey configured for authentication into your environment.
    This post contains instructions to set up a lab. See "Lab - Base Setup"
Strong Disclaimer: This is a PKI-related topic. You should always be working with your PKI SME on anything related to certificates, trust chains, revocation, etc.

Configuration Overview
The configuration depends on the deployment option of the service.
  1. Configuring the Root CA in Identity Service App+ or Privilege Service
  2. Configuring a Policy that allows for Integrated Windows Authentication
  3. Testing the configuration
  4. Appendix:  Configure Privilege Service On-Premises CNAME and Zero Sign-on SSL Certificate
Configuring the Root CA in Identity Service App+ or Privilege Service (SaaS)
  1. Sign-in to Cloud Manager
  2. Go to Settings > Authentication > Certificate Authorities
    Note:  If you can't see the Certificate Authorities option, you're not running the App+ edition or in the case of Privilege Service on-premises, you have to perform the activation steps (see below).
  3. Press Add and complete the following information:
    add-ca.png
    Name:  descriptive name of the CA
    Extract login name from:  The options are
    a) Principal Name from Subject Alternate Name
    b) E-mail address field from Subject Alternate Name
    c) Username from Subject
  4. Click Browse and select the location of the root CA certificate.
  5. If you are confident that you have a highly-distributed (internal and Internet-facing) certificate revocation infrastructure, check "Enable Client Certificate Revocation Check"; if you are not sure, leave the box unchecked for now.
    Note: If you don't know what PKI certificate revocation is, it's time to find your in-house PKI expert and get him or her involved. This is a serious topic.
  6. Press Save
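Before choosing the "Extract login name from" option in step 3 and deciding on the revocation check in step 5, it helps to look at what a real user certificate from your PKI actually carries. The following PowerShell script is an added example, not part of the original post or of Centrify's own scripts; it reads an exported user certificate (the -CertPath parameter name is an assumption), reports the value each of the three login-name options would map to, confirms the Smart Card Logon / Client Authentication EKUs, and builds the chain with an online revocation check for every element so you can see whether your revocation infrastructure is reachable from this host.

```powershell
# Added example (not from the Centrify post). Inspects an exported smart card user
# certificate (.cer) and reports the values the "Extract login name from" setting
# can map to, plus chain and revocation status. Assumed parameter name: -CertPath.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# a) Principal Name (UPN) from the SAN otherName; b) e-mail from the SAN RFC822 entry.
# GetNameInfo reads these through CryptoAPI, so it does not depend on display-locale strings.
$upn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName,   $false)
$email = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)

# c) "Username from Subject": assumed here to mean the Subject CN attribute.
$subjectCn = if ($cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1] } else { $null }

# Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and Client Authentication (1.3.6.1.5.5.7.3.2) EKUs
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })

# Build the chain with an online revocation check on every element. A status such as
# RevocationStatusUnknown or OfflineRevocation here is the situation the
# "Enable Client Certificate Revocation Check" box will expose to your users.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainOk     = $chain.Build($cert)
$chainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
$rootCert    = if ($chain.ChainElements.Count -gt 0) {
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
} else { $null }

[PSCustomObject]@{
    Subject              = $cert.Subject
    Issuer               = $cert.Issuer
    NotAfter             = $cert.NotAfter
    Option_a_UPN         = $upn         # "Principal Name from Subject Alternate Name"
    Option_b_Email       = $email       # "E-mail address field from Subject Alternate Name"
    Option_c_SubjectCN   = $subjectCn   # "Username from Subject"
    HasSmartCardLogonEKU = ($ekuOids -contains '1.3.6.1.4.1.311.20.2.2')
    HasClientAuthEKU     = ($ekuOids -contains '1.3.6.1.5.5.7.3.2')
    ChainBuilds          = $chainOk
    ChainStatus          = if ($chainStatus.Count) { $chainStatus -join '; ' } else { 'OK' }
    RootCA               = if ($rootCert) { $rootCert.Subject } else { $null }
    RootThumbprint       = if ($rootCert) { $rootCert.Thumbprint } else { $null }
}
```

The RootCA and RootThumbprint values should match the root certificate you upload in step 4; an empty Option_a_UPN with a populated Option_c_SubjectCN tells you the PKI is not stamping UPNs into the SAN and option a) would fail to map users.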
Configuring a Policy that allows for Integrated Windows Authentication
  1. Sign-in to Cloud Manager
  2. Go to Policies > [Select your Test Policy] > Expand User Security Policies > Login Authentication
  3. Set the "Enable authentication policy controls" setting to Yes, if not selected.
  4. Scroll down to "Other Settings" and make sure that "Allow IWA connections..." is checked. Then note the following:
    Note: Certificate-based authentication bypasses the login authentication rules set up for that profile.  The key settings are:
    cert-options.png
    The first setting, "Use certificates for authentication...", is the main switch. If you un-check this box, the users in scope for this policy won't be able to use smart cards for authentication. This bypasses any controls set under "Login Authentication" in the preceding section.
    The second setting, "Set identity cookie...", controls whether the identity cookie is set in the browser. I would not set this flag if you expect users to access via non-managed systems.
    The third setting, "Accept connections using certificate...", defines whether users logging in with smart cards or certificates are treated as "strongly-authenticated".

    Make your selections based on your desired security posture.
  5. Press Save.

Testing your configuration
  1. Navigate to your Identity Service or Privilege Service URL
  2. Depending on how your browser is configured, you'll see one of the following pop-ups:
    cert-challenge.png
  3. After selecting the certificate on the smart card, you'll be prompted for the PIN:
    pin-cert.png
  4. Once you type in the PIN, you'll be redirected to the appropriate portal (User | Cloud Manager | Privilege Manager).


Appendix 1:  Enabling Certificate Authorities for Centrify Privilege Service (On-Premises)
Background: Centrify Privilege Service can be deployed on premises on a Windows Server 2012 R2 system. You need a CNAME record for the Zero Sign-On website and an X.509 certificate with that DNS name.

Pre-requisite tasks:
a) Set up a DNS CNAME record with the name hostname[zso].domain.name pointing to hostname.domain.name. E.g. if your system name is app1.corp.contoso.com, create a CNAME record for app1zso.corp.contoso.com and point it to the original host name.
b) You need an SSL certificate with the DNS name of the SZO special host.

  1. Log in to the server hosting Centrify Privilege Service
  2. Open an Administrative PowerShell and navigate to %Programfiles%\Centrify\Centrify Identity Platform\Scripts
  3. Run the setup_certauth.ps1 script. The script will ask whether the pre-requisites have been met.
    setup_certhauth.png
  4. Confirm, and you'll be prompted to provide the X.509 (SSL) certificate for the SZO site.
  5. Once completed, you can return to Cloud Manager and perform the steps outlined above in the:  "Configuring the Root CA in Identity Service App+ or Privilege Service (SaaS)" section.

Other Resources and Related Topics
Documentation:  https://stage-docs.centrify.com/en/centrify/adminref/index.html?version=141#page/cloudhelp%2FCloud_Policy.13.html
Centrify's support for Derived Credentials: 
- Blog: https://www.centrify.com/products/identity-service/emm/derived-credentials/

- Docs:  https://docs.centrify.com/en/centrify/adminref/index.html?version=141#page/cloudhelp%2FderivedCreds.html

This article was originally written as a Centrify Tech Blog.
