
Monday, April 24, 2017

Using AWS OpsWorks (Chef 12) to deploy Centrify DirectControl in EC2 Linux Instances


This article is a republish of a blog post that I wrote for the Centrify Community Techblog.

Background
As Amazon AWS's popularity increases as an IaaS platform, many organizations are looking to extend current capabilities like consolidated identities and privilege management out to those environments.

AWS provides a framework for DevOps called AWS OpsWorks.  This framework allows the use of solutions like Chef or Puppet to manage the lifecycle of Linux or Windows instances.

Centrify customers and prospects have requested sample configurations to control the lifecycle of the deployment of Centrify DirectControl out in AWS.  The typical goals are:
  • Linux (or Windows) instances are launched in AWS
  • Centrify DirectControl is installed on these instances
  • The system is joined to Active Directory (Linux) and to the Centrify Zone, Child Zone and/or Computer Role (Windows, Linux)
  • On termination, the system(s) leave the domain and the Centrify zone (freeing up the Centrify license)
This way, while the system is running:
  • Administration is centralized and not duplicated (as it is with SSH keys)
  • Assurance is achieved, for example, with MFA
  • Privileged user management is based on roles
  • There are reporting and attestation mechanisms.
Pre-flight Checklist
  • You have an AWS account with a VPC configured correctly for DNS and Active Directory communication
  • Your account has AWSOpsWorksFullAccess and permission to create, modify, read, list and delete IAM Policies and Roles
  • You have Active Directory (managed by you or by Amazon) and a Centrify Zone
  • You have tested joining a Linux system to your AD and Centrify zone successfully.  Your users can authenticate and perform privilege management duties.
  • You have an AWS S3 bucket and permission to create and upload files to it.
  • You have a Kerberos key table for a service account authorized to join systems to Active Directory and Centrify Zones
    For an article on this topic, click here:
    http://centrifying.blogspot.com/2017/04/setting-up-kerberos-keytab-to-automate.html
  • You know the DN of your Computers container (e.g. "ou=servers,ou=centrify"); this is where the service account can create (or delete) computer objects.
  • You have a Centrify repo credential, zone information (e.g. the zone name) or an alternate repo with the Centrify packages for your platform type (yum, apt, zypper)
  • Optional:  A domain-joined Windows server with Centrify tools (for verification purposes)
  • Optional:  An AWS key pair to deploy with your EC2 instances so you can connect to them for troubleshooting
A Centrify-AWS Lab article has been written for the prerequisites.
You need to be at the Standard Edition setup level to follow this lab.

Note:  for abbreviated instructions and the source code for the methods used here, go to https://github.com/centrify/AWS-OpsWorks

Supported Platforms
  • Amazon Linux
  • Centos 7
  • Red Hat Enterprise 7
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Chef 12
Configuration Overview
  1. Copy your Kerberos keytab to your S3 bucket
  2. Create an IAM policy for use by the IAM role for the instances created by OpsWorks
  3. Create an IAM role to grant EC2 instances to access AWS resources
  4. Create and configure Chef 12 OpsWorks custom stack
  5. Add a layer to your stack
  6. Add instances and troubleshooting
  7. Verifying success for provisioning and deprovisioning

Copy your Kerberos keytab to your S3 bucket
  1. Sign-in to the system that has the keytab (if the keytab file is in Linux, copy it to your Windows system)
  2. Go to the S3 console: https://console.aws.amazon.com/s3/home
  3. Click your S3 bucket and then click upload
  4. Press Upload, click on the uploaded file and note the link.  E.g.
    https://s3-your-region.amazonaws.com/your-bucket-name-here/login.keytab
Create an IAM policy for use by the IAM role for the instances created by OpsWorks
  1. Go to the IAM home:  https://console.aws.amazon.com/iam/home and click on Policies, then Create Policy
  2. Select "Create your own Policy"
  3. In the review policy page, give it a name (e.g. Centrify-Keytab-S3-Access-Policy) and a description
  4. The policy should contain the following
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListObject"
          ],
          "Resource": [ "arn:aws:s3:::your_s3_bucket/login.keytab" ]
        },
        {
          "Action": [
            "ec2:*",
            "iam:PassRole",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:DescribeAlarms",
            "ecs:*",
            "elasticloadbalancing:*",
            "rds:*"
          ],
          "Effect": "Allow",
          "Resource": [ "*" ]
        }
      ]
    }
    Replace "your_s3_bucket" with the name of the S3 bucket you have from the AWS Centrify lab or from your environment.
  5. Press Validate Policy and then Press Create Policy.
Now you have a Policy.
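The second statement of this policy grants every instance in the layer ec2:*, ecs:*, rds:* and iam:PassRole on all resources, while the deploy recipe only has to read one keytab object. The following added Python check (not part of the post or of the centrify/AWS-OpsWorks cookbook; the policy is embedded as a constructed copy with a placeholder bucket name) flags those statements and emits the least-privilege replacement:

```python
"""Least-privilege review of the OpsWorks instance-profile policy."""
import json

# Constructed copy of the policy shown above (placeholder bucket name).
POLICY_FROM_POST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListObject"],
     "Resource": ["arn:aws:s3:::your_s3_bucket/login.keytab"]},
    {"Action": ["ec2:*", "iam:PassRole", "cloudwatch:GetMetricStatistics",
                "cloudwatch:DescribeAlarms", "ecs:*",
                "elasticloadbalancing:*", "rds:*"],
     "Effect": "Allow",
     "Resource": ["*"]}
  ]
}
""")

# The deploy recipe only downloads the keytab, so this is the whole set of
# actions the instance profile needs. (s3:ListObject is not an IAM action
# name; S3's list permission is s3:ListBucket and applies to the bucket ARN.)
REQUIRED_ACTIONS = {"s3:GetObject"}


def as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_broad_statements(policy):
    """Findings for Allow statements that hand an EC2 instance more than it
    needs: service-wide wildcard actions, Resource "*", or iam:PassRole on
    "*" (which lets a compromised instance attach roles to what it creates)."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a.endswith("*")]
        any_resource = "*" in resources
        if wildcard_actions or any_resource:
            findings.append({
                "index": index,
                "wildcard_actions": wildcard_actions,
                "any_resource": any_resource,
                "pass_role_on_any": "iam:PassRole" in actions and any_resource,
            })
    return findings


def unneeded_actions(policy, required=REQUIRED_ACTIONS):
    """Every allowed action that the keytab download does not require."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(as_list(stmt.get("Action")))
    return sorted(granted - set(required))


def minimal_keytab_policy(bucket, key="login.keytab"):
    """The least-privilege replacement: read exactly one object."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": ["arn:aws:s3:::%s/%s" % (bucket, key)],
        }],
    }


if __name__ == "__main__":
    for finding in find_broad_statements(POLICY_FROM_POST):
        print("statement %(index)d: wildcard actions %(wildcard_actions)s, "
              "resource *: %(any_resource)s, PassRole on *: %(pass_role_on_any)s"
              % finding)
    print("not needed for the keytab download:", unneeded_actions(POLICY_FROM_POST))
    print(json.dumps(minimal_keytab_policy("centri-bucket"), indent=2))
```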

Create an IAM role to grant EC2 instances to access AWS resources
  1. Go to the IAM home:  https://console.aws.amazon.com/iam/home and click on Policies, then Create New Role
  2. In Select Role Type, under AWS Service Role, click Select next to Amazon EC2
  3. In attach policy, find the previously-created policy  (e.g. Centrify-Keytab-S3-Access-Policy) and check the box next to it, then press Next Step.
  4. In set role name and review, give the role a name and optionally a description.
  5. Click on the newly-created role and go to the Trust Relationship tab and press edit and substitute with this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [ "opsworks.amazonaws.com", "ec2.amazonaws.com" ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  6. Press Update Trust Policy
Now you have a role associated with your policy
Create and configure Chef 12 OpsWorks custom stack
In this step, we'll configure the stack to be used for deploying DirectControl; here we'll add custom JSON with information about your environment.

Create a Stack 
  1. Go to the AWS OpsWorks home:  https://console.aws.amazon.com/opsworks/home and Press Add Stack
  2. Select Chef 12 stack and complete the following info:
    • Name, Region and Subnet > based on your AWS Settings
    • Operating System > Linux and select your OS/version based on the supported platforms above
    • Default SSH Key > select yours if needed (do this at first to troubleshoot)
    • Use Custom Chef cookbook > Yes
    • Repository type: Git
    • Repository URL:  https://github.com/centrify/AWS-Opsworks.git
  3. Select Advanced Options and in Custom JSON add:
    {
      "CENTRIFY_REPO_CREDENTIAL": "your-repo-credential",
      "CENTRIFYDC_JOIN_TO_AD": "yes",
      "CENTRIFYDC_ZONE_NAME": "AWS",
      "CENTRIFYDC_KEYTAB_S3_BUCKET": "centri-bucket",
      "CENTRIFYDC_ADDITIONAL_PACKAGES": "centrifydc-openssh",
      "CENTRIFYDC_ADJOIN_ADDITIONAL_OPTIONS": "--ldap --verbose --container ou=servers,ou=centrify"
    }
    The values in this JSON are based on my example configuration:
    CENTRIFY_REPO_CREDENTIAL is the ciphered username/password combination assigned to you in the Centrify Download repo page.
    CENTRIFYDC_ZONE_NAME is the name of the Centrify Zone in AD that I want my Linux systems to be joined to.
    CENTRIFYDC_KEYTAB_S3_BUCKET is the name of the S3 bucket that contains the login.keytab file for the service account.
    CENTRIFYDC_ADJOIN_ADDITIONAL_OPTIONS has been set with the --container option that points to the DN where my service account can add computer objects (e.g. ou=servers,ou=centrify).
  4. Press Add Stack
Add a Layer
The desired state is that when the system is launched, the Centrified system is joined to AD and to the Zone.  Once the system is shutdown, the system leaves AD, the Centrify license is freed and the access/privilege reports reflect the proper information.
  1. In your newly-created stack, click on layers and press Add Layer
  2. Give it a name and a short name and press Add Layer
  3. In the layers, click on Recipes tab, this will display the Custom Recipes lifecycle
    • Setup box:  centrify_agents::deploy_centrifydc
    • Shutdown box:  centrify_agents::undeploy_centrifydc
    Press Save
  4. On the Network tab, select the option based on your AWS VPC setup (e.g. Public IP addresses yes)
  5. On the Security tab, press Edit and set:
    • Security Groups:  select your security group
    • EC2 Instance Profile:  select the IAM Role created in the previous step (e.g. Centrify-IAM-Role-4EC2)
  6. Press Save.
Adding instances to your stack  
Adding instances is the opportunity to debug your newly-created stack recipes.
  1. In your stack, click Instances and click Add an Instance
    • Hostname:  give it a name (e.g. test1)
    • Size: select a size (e.g. t2-micro)
    • Subnet: select a subnet from your VPC (must have AD connectivity and DNS resolution)
  2. Press Add Instance
  3. Press Start

Troubleshooting and Debugging
Your troubleshooting can happen from the OpsWorks console.  If there's an issue with your setup, the console will provide you with an error and a log with the actions yielded by Chef.  For example, while debugging, I saw this issue:
Note that the errors will be quite explicit.  The category of errors that you'll see may depend on the sanity checks that you perform along the way.

Known Errors
  • Invalid CENTRIFYDC_ADDITIONAL_PACKAGES attribute:  the JSON value contains an invalid value.  Valid entries include centrifydc-openssh, centrifydc-ldapproxy, etc.  Modify the value of the custom JSON attributes in the stack.
  • Either user your-user@YOURDOMAINNAME. does not have sufficient permissions to update the YOUR_ZONE zone computer information:  this means that the service account can't create the computer object in the target container.  Note that if you did not modify the stack's CENTRIFYDC_ADJOIN_ADDITIONAL_OPTIONS JSON parameter to include the --container switch with the proper DN, adjoin will try to add the system to the default Computers container in AD.  This is atypical.
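An added pre-flight check (not part of the post or of the cookbook) for the stack's Custom JSON, covering both known errors above: it validates the attributes against the package names the post lists, warns when --container is missing, and previews the adjoin argument list the join will run. The known-package set, the comma-separated package format and the domain/hostname parameters are assumptions.

```python
"""Validate the OpsWorks Custom JSON for the Centrify stack before pressing Add Stack."""
import shlex

# Constructed copy of the Custom JSON from the stack step above.
CUSTOM_JSON = {
    "CENTRIFY_REPO_CREDENTIAL": "your-repo-credential",
    "CENTRIFYDC_JOIN_TO_AD": "yes",
    "CENTRIFYDC_ZONE_NAME": "AWS",
    "CENTRIFYDC_KEYTAB_S3_BUCKET": "centri-bucket",
    "CENTRIFYDC_ADDITIONAL_PACKAGES": "centrifydc-openssh",
    "CENTRIFYDC_ADJOIN_ADDITIONAL_OPTIONS": "--ldap --verbose --container ou=servers,ou=centrify",
}

# Package names the post lists as valid ("centrifydc-openssh, centrifydc-ldapproxy,
# etc."). Assumption: the cookbook's real list may be longer; extend as needed.
KNOWN_PACKAGES = {"centrifydc-openssh", "centrifydc-ldapproxy"}
REQUIRED_KEYS = ("CENTRIFY_REPO_CREDENTIAL", "CENTRIFYDC_ZONE_NAME",
                 "CENTRIFYDC_KEYTAB_S3_BUCKET")
KEYTAB_NAME = "login.keytab"  # object uploaded to S3 in the first step


def validate_custom_json(attrs):
    """Return the problems to fix before creating the stack; [] means clean."""
    problems = []
    for key in REQUIRED_KEYS:
        if not str(attrs.get(key, "")).strip():
            problems.append("%s is missing or empty" % key)
    if str(attrs.get("CENTRIFYDC_JOIN_TO_AD", "")).lower() != "yes":
        problems.append('CENTRIFYDC_JOIN_TO_AD is not "yes"; the instance will not join AD')
    # Assumption: several packages are given as a comma-separated list.
    packages = str(attrs.get("CENTRIFYDC_ADDITIONAL_PACKAGES", ""))
    for pkg in (p.strip() for p in packages.split(",") if p.strip()):
        if pkg not in KNOWN_PACKAGES:
            problems.append("Invalid CENTRIFYDC_ADDITIONAL_PACKAGES attribute: %s" % pkg)
    options = shlex.split(str(attrs.get("CENTRIFYDC_ADJOIN_ADDITIONAL_OPTIONS", "")))
    if "--container" not in options:
        # Second known error: without a container DN adjoin targets the default
        # Computers container, which the join account is usually not allowed to write.
        problems.append("no --container in CENTRIFYDC_ADJOIN_ADDITIONAL_OPTIONS; "
                        "adjoin will use the default Computers container")
    else:
        pos = options.index("--container")
        if pos + 1 >= len(options) or options[pos + 1].startswith("-"):
            problems.append("--container has no DN after it")
    return problems


def keytab_url(attrs):
    """The object the deploy recipe must be allowed to read (and the Resource
    the IAM policy should name)."""
    return "s3://%s/%s" % (attrs["CENTRIFYDC_KEYTAB_S3_BUCKET"], KEYTAB_NAME)


def adjoin_argv(attrs, domain, hostname=None):
    """Argument list matching the manual join in the lab post
    (adjoin -z ZONE ... DOMAIN). domain and hostname are caller-supplied
    assumptions because the Custom JSON does not carry them; how the cookbook
    hands the keytab to adjoin is not shown in the post, so it is omitted."""
    argv = ["adjoin", "-z", attrs["CENTRIFYDC_ZONE_NAME"]]
    argv += shlex.split(str(attrs.get("CENTRIFYDC_ADJOIN_ADDITIONAL_OPTIONS", "")))
    if hostname:
        argv += ["-n", hostname]
    return argv + [domain]


if __name__ == "__main__":
    for problem in validate_custom_json(CUSTOM_JSON) or ["custom JSON looks consistent"]:
        print(problem)
    print("keytab:", keytab_url(CUSTOM_JSON))
    print("join command:", " ".join(adjoin_argv(CUSTOM_JSON, "awsrealm.centrifying.net", "test1")))
```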

Verifying Success - Provisioning
The layman's test is to be able to sign in to the system and perform privilege elevation.
The OpsWorks console shows the system online.
In Active Directory, there should be a computer object in the target OU:
Attestation reports can be generated showing who has access to which system(s), what type of access they have, what privileged commands they can run, and where the privileges came from.

Verifying Success - Deprovisioning
The best test here is to stop the system and verify that the objects no longer exist in AD and that the system is no longer present in the Access/Privilege reports.


Conclusion
You can leverage Centrify's GitHub (https://github.com/centrify/) for different private and public cloud configurations.  This scenario is only the first of many to come.

Related Articles
Setting a Centrify AWS Test Lab: http://centrifying.blogspot.com/2017/04/building-test-lab-centrify-capabilities.html

Building a lab to test Centrify capabilities in Amazon AWS


This article is a republish of a blog post that I wrote for the Centrify Community Techblog.

The goal of this article is to set up the building blocks to test Centrify Server Suite and Privilege Service in an AWS environment.  This article is the foundation for several how-to guides in development.

Audience:  Technical leads looking to test capabilities in a lab environment.
Knowledge level:  You must be familiar with AWS, Linux, Windows, TCP/IP, the Domain Name System and basic Centrify product capabilities.

Levels
  1. Standard Edition Level - allows you to complete labs related to Centrify DirectControl
  2. Privilege Service Level - allows you to complete labs related to Privilege Service

Basic AWS Setup
The basic steps to set up an AWS Playground lab are:
  1. Create an IAM User (optional)
Once you have this set up, we can talk about some planning scenarios.

Planning to modify your Security Rules
  1. In this playground, here's the connectivity you'll need:
    • RDP from your client to your Windows systems
    • SSH from your client to your Linux instances
    • You need your instances to talk to each other via AD ports and others (to simplify things, you can allow any traffic between your EC2 instances).
Create an S3 Bucket
  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. Click Create Bucket.
  3. In the Create Bucket dialog box, in the Bucket Name box, type a name for your bucket (it must be unique)
  4. In the Region box, click the region where you want the bucket to reside.
  5. Optional - Enable logging.
  6. Click Create.

Sanity Check # 1
At this point, you should have:
  • Several credentials:
    • An amazon account (your root account) that has all the rights to your AWS account - this account is your email account.
    • If you created an IAM user, you should have that credential too.
  • An AWS key-pair that allows you to SSH into Linux instances using the ec2-user or decrypt Windows Administrator passwords.
  • You have created a virtual private cloud (VPC)
  • You have configured a security group that allows you to access the AWS EC2 instances/services  and communications between them.  You'll be using this security group for all newly-created EC2 instances.
  • You have an S3 bucket that you can use later to host files.

Active Directory in AWS
Active Directory in AWS (or other clouds) can be deployed in different ways.  This all boils down to the connectivity between corporate and AWS.  If there's a dedicated VPN, provided that DNS and security rules are well designed, you can either extend or duplicate your AD infrastructure in AWS.

This article is not concerned with that.  If you are doing a lab, most likely you'll be using the scenario where AD is run in AWS (hosted by you in EC2 instances) or hosted by AWS (SimpleAD or AWS Directory Service).

1. Setting-up Active Directory in AWS
Hosting your own Active Directory Domain Controller in an AWS EC2 Instance
There are many resources like the official recipe from Amazon here: http://docs.aws.amazon.com/quickstart/latest/active-directory-ds/step1.html, however for a small lab, I recommend that you have the following:
  • One VPC
  • One EC2 Instance running your domain controller and DNS (you could also leverage Route53)
  • One EC2 Instance running your member server (e.g. APP1 or MEMBER)
For setup, you can reuse the instructions from the Microsoft Test Lab Guides to onboard the DC1 and APP1 servers.

2. Configuring Microsoft DNS with a Forwarder
If you are managing your own DC running Microsoft DNS, as a precaution you may want to add the Amazon-provided DNS servers as forwarders.  This will ensure public name resolution for AD clients.
On your DC, in an administrative powershell, run this command:
Set-DnsServerForwarder -IPAddress "w.x.y.z" -PassThru
Where w.x.y.z is your Amazon-provided DNS server IP address.

Using an Amazon-hosted option

Note that whether you set up your own, or are using a hosted option, you should have the domain name,  IP address(es) for the domain controller(s) and an admin credential.  The addresses are needed for the next step, and the credential is needed to manage AD with tools like AD Users and Groups.

3. Modify DHCP Option Sets to align with your new DNS
Without properly functioning DNS, there is no Active Directory functionality.  DHCP option sets in AWS make this very easy, and you don't need to add the complexity of Route53 (AWS's DNS service).

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose DHCP Options Sets.
  3. Select Create DHCP Options Sets.
  4. Add the options for your domain name and DNS servers (your DC and the Amazon-provided DNS).  Provide a descriptive name in the name tag, type the IP address of the DC(s) and an Amazon-provided DNS in domain name servers, and the AD domain name in domain name.
  5. Press Yes, Create
  6. In the navigation pane, choose Your VPCs.
  7. Select the VPC(s) for your lab, and select Edit DHCP Options Set from the Actions list.
  8. In the DHCP Options Set list, select the set you created  from the list, and then choose Save

Sanity Check # 2
At this point, you should have:
  • A running domain controller (managed by you) or hosted Active Directory, and you should be able to connect to it as an administrative user.
  • Your domain controller should be running Microsoft DNS hosting the AD records.  Write down the IP address and domain name.
  • DNS resolution in your subnets, when you launch an EC2 instance and you ping your DC by name, it should be resolvable as well as public FQDNs.

Centrify Standard Edition Lab Setup - Member Server
The member server will be running the Active Directory and Centrify tools.  In addition, we can use the server as a Centrify Connector and DirectAudit infrastructure.  This post will focus on the AD and Centrify tools:
  • DirectManage Access Manager - GUI tool to manipulate Centrify data in AD
  • DirectManage PowerShell - Use PowerShell commandlets to manage Centrify data in AD
  • GPMC Extensions - configure and enforce Group Policies in UNIX, Linux and Mac systems
  • Centrify PuTTY - Leverage Kerberos with PuTTY
  • Licensing Service - A required component for Centrify Standard Edition 2017 and above
  • Report Services - Generate and customize attestation reports
Add Windows Features
  1. Launch a Windows Server (2012R2 or 2016) and log in as the local administrator.
  2. Make sure the system can ping the domain controller by name.
  3. Run PowerShell as Administrator and join the domain
    Add-Computer -DomainName domain.name -Credential administrator@domain.name
    Provide the credentials and reboot.
  4. Sign-in to your member server as your domain administrator account, re-launch PowerShell as administrator and add the Group Policy Management, DNS and Active Directory management tools.
    Add-WindowsFeature GPMC, RSAT-DNS-Server, RSAT-ADDS

Install Centrify Standard Edition Tools
  1.  Download Centrify Standard Edition 2017 (or Enterprise to use later)
    https://www.centrify.com/support/customer-support-portal/download-center/
  2. Unzip the file, navigate to the DirectManage folder and run Setup.  These are the components you're adding
  3. Follow the prompts.  You may have to follow the instructions to set up Report Services.  For more information go here:
    http://community.centrify.com/t5/TechBlog/LABS-Setup-and-test-the-Centrify-Reports-feature-of-Server...
Initialize Centrify Standard Edition
  1. Double-click the Access Manager icon, this will start the setup wizard
  2. Welcome page - press next
  3. User Credentials - press next (unless you're not using a privileged user)
  4. Deployment Structure - Check the box > generate default deployment structure
  5. Choose container - Browse - Select your domain and press OK.
  6. License Container - should be set to  [your domain]/Centrify/Licenses and press Next
    You'll be informed that the container will be set as read only for all users.  Press Yes.
  7. Install License Keys - Type your centrify license key and press add, then press next
  8. Default Zone Container - Should be set to [your domain]/Centrify/Zones, press next
  9. Delegate Permission - Uncheck the box (we aren't placing systems in the default computers container)
  10. Notification Handler - Should be unchecked, press next
  11. Summary - press next
  12. Completing Page - press Finish.  Access Manager will open.  Close it.
Initializing Access Manager deploys the Centrify-recommended OU structure.  This is where the objects for Centrify-related data will reside.
For more information about this OU structure, check out @Fabrice's article here:
http://community.centrify.com/t5/TechBlog/Best-practice-Active-Directory-OU-structure/ba-p/21470

At this point you should have the base configuration to perform the Standard Edition labs.

Sanity Check # 3
At this point, you should:
  • Have a domain-joined Windows Server and you should be able to log in with domain users.
  • The system should have the GPMC and RSAT ADDS tools
  • The system should have Centrify DirectManage Access Manager, PowerShell, PuTTY and Centrify Report Services
  • In Active Directory, you have laid-out the Centrify-recommended OU structure.

Set-up a Cast of Characters and Implement a basic Access and Privilege Model
Users, Groups and Roles
  • ad-admin - your AD Domain Administrator
  • cps-admin (privilege service) - is your
  • Lisa  -  Linux Administrator (will be a member of AWS Windows Administrator)
  • Maggie  - Windows Administrator (will be an AWS Linux Administrator)
  • Bart  - Security Officer (will be an AWS Security Analyst)
  • Homer  - An auditor (will be a Mixed Auditor)
  • ad-joiner - Service account for automated joins
  • centrify.reports - Service account for Report Services
Groups
  • Unix-Users - Catch-all group for all UNIX users (unix-users);  maggie, bart and homer are members.
Sample User Creation Script
Write-Host "Creating Users..."  -ForegroundColor red -BackgroundColor white
$ou = New-ADOrganizationalUnit -Name AWSDemo -Path "dc=example,dc=com" -ProtectedFromAccidentalDeletion $false
$oupath = (Get-ADOrganizationalUnit -Filter 'Name -like "AWSDemo"').DistinguishedName 
$passwd = (ConvertTo-SecureString "AWSPlayGround2017!@" -AsPlainText -force)
New-ADUser -Name "Lisa" -SamAccountName lisa -AccountPassword $passwd  -Description "Linux Administrator" -ChangePasswordAtLogon $false -Path $oupath -Enabled $true 
New-ADUser -Name "Bart" -SamAccountName bart -AccountPassword $passwd  -Description "Security Officer" -ChangePasswordAtLogon $false -Path $oupath -Enabled $true 
New-ADUser -Name "Maggie" -SamAccountName maggie -AccountPassword $passwd  -Description "Windows Administrator" -ChangePasswordAtLogon $false -Path $oupath -Enabled $true 
New-ADUser -Name "Homer" -SamAccountName homer -AccountPassword $passwd  -Description "Auditor (Cross-platform)" -ChangePasswordAtLogon $false -Path $oupath -Enabled $true 
New-ADGroup -Name "unix-users" -GroupCategory Security -GroupScope Global -Path $oupath
Get-ADGroup unix-users | Add-ADGroupMember -Members Lisa, Bart, Maggie, Homer
Write-Host "User creation completed."  -ForegroundColor red -BackgroundColor white
This script creates our cast of AD users and a group inside the AWSDemo OU.  Make sure you change the OU path, domain and password to fit your environment.
Create and Configure a Centrify Zone
Our zone name will be AWS, and it will have a very simple set up.  All users will be UNIX-enabled and there will be three roles:  A UNIX Sysadmin role, a Windows Sysadmin role and a regular UNIX user role.

Zone Creation and User UNIX-enablement
# Zone container created by the Access Manager setup wizard ([your domain]/Centrify/Zones); adjust the DN to your domain
$zone = New-CdmZone -Name AWS -Container "CN=Zones,OU=Centrify,DC=example,DC=com"
Write-Host "Unix-Enabling Users..."  -ForegroundColor red -BackgroundColor white
# One UNIX profile per user; the %{...} macros let the zone supply UID, home, GECOS and shell defaults
New-CdmUserProfile -Zone $zone -User lisa@example.com -login lisa -UseAutoUid -AutoPrivateGroup -HomeDir "%{home}/%{user}" -Gecos "%{u:displayName}" -Shell "%{shell}"
New-CdmUserProfile -Zone $zone -User bart@example.com -login bart -UseAutoUid -AutoPrivateGroup -HomeDir "%{home}/%{user}" -Gecos "%{u:displayName}" -Shell "%{shell}"
New-CdmUserProfile -Zone $zone -User maggie@example.com -login maggie -UseAutoUid -AutoPrivateGroup -HomeDir "%{home}/%{user}" -Gecos "%{u:displayName}" -Shell "%{shell}"
New-CdmUserProfile -Zone $zone -User homer@example.com -login homer -UseAutoUid -AutoPrivateGroup -HomeDir "%{home}/%{user}" -Gecos "%{u:displayName}" -Shell "%{shell}"
Write-Host "Unix-enabling complete." -ForegroundColor red -BackgroundColor white
This script creates the AWS zone and UNIX-enables our users.
UNIX and Windows Admin Roles + Assignments
$cmd1 = New-CdmCommandRight -Zone $zone -Name "Run any command as root" -Pattern "*" -MatchPath "*" -Authentication user 
$cmd2 = Get-CdmPamRight -Zone $zone -Name "login-all" 
$role1 = New-CdmRole -Zone $zone -Name "UNIX Sysadmin" -UnixSysRights login, ssologin, nondzsh, visible -HasRescueRight $true -AuditLevel possible

Add-CdmCommandRight -Right $cmd1  -Role $role1 
Add-CdmPamRight  -Right $cmd2 -Role $role1 

New-CdmRoleAssignment -Zone $zone -Role $role1 -TrusteeType ADUser  -ADTrustee (Get-ADUser -Filter 'Name -like "lisa"')

$desktop1 = New-CdmDesktopRight -Zone $zone -Name "Admin Desktop" -RunasSelfGroups "Builtin\Administrators" -RequirePassword $true
$role2 = New-CdmRole -Zone $zone -Name "Windows Admin" -WinSysRights console, remote -AuditLevel possible

Add-CdmDesktopRight -Role $role2 -Right $desktop1
New-CdmRoleAssignment -Zone $zone -Role $role2 -TrusteeType ADUser  -ADTrustee (Get-ADUser -Filter 'Name -like "maggie"')

New-CdmRoleAssignment -Zone $zone -Role (Get-CdmRole -Zone $zone -Name "UNIX Login") -TrusteeType ADGroup -ADTrustee (Get-ADGroup -Filter 'Name -like "unix-users"')
This script creates the roles and assigns them to the proper users/groups.


Install Centrify DirectControl and run adcheck
  1. Launch a new EC2 Linux instance (e.g. Amazon Linux)
  2. Log in as ec2-user
  3. Run sudo vi /etc/yum.repos.d/centrify.repo and populate it with:
    [centrify]
    name=centrify
    baseurl=https://username:password@repo.centrify.com/rpm-redhat/
    enabled=1
    repo_gpgcheck=1
    gpgcheck=1
    gpgkey=https://downloads.centrify.com/products/RPM-GPG-KEY-centrify
    Make sure you substitute the user/password with your own (this is in the repo page of the Download Center).
  4. Install CentrifyDC
    sudo yum install CentrifyDC
    answer any prompts that come up.
  5. Run adcheck and correct any errors
    $ adcheck awsrealm.centrifying.net
    OSCHK    : Verify that this is a supported OS                          : Pass
    PATCH    : Linux patch check                                           : Pass
    PERL     : Verify perl is present and is a good version                : Pass
    SAMBA    : Inspecting Samba installation                               : Pass
    SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
    HOSTNAME : Verify hostname setting                                     : Warning
             : Computer name should not be localhost or
             : localhost.localdomain. You may edit /etc/hosts or your
             : DNS server to set your hostname correctly or you must
             : use the --name option when running adjoin.
    
    NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
    DNSPROBE : Probe DNS server 172.31.26.75                               : Pass
    DNSPROBE : Probe DNS server 172.31.38.176                              : Warning
             : This DNS server does not respond to requests. This is a serious problem
    
    DNSCHECK : Analyze basic health of DNS servers                         : Warning
             : One or more DNS servers are dead or marginal.
             : Check the following IP addresses in /etc/resolv.conf.
             :
             : The following table lists the state of all configured
             : DNS servers.
             :  172.31.26.75 (ip-172-31-26-75.us-west-2.compute.internal): OK
             :  172.31.38.176 (unknown): dead
             : Only one good DNS server was found
             : You might be able to continue but it is likely that you
             : will have problems.
             : Add more good DNS servers into /etc/resolv.conf.
    
    WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
    SSH      : SSHD version and configuration                              : Pass
    DOMNAME  : Check that the domain name is reasonable                    : Pass
    ADDC     : Find domain controllers in DNS                              : Pass
    ADDNS    : DNS lookup of DC dc1.awsrealm.centrifying.net               : Pass
    ADPORT   : Port scan of DC dc1.awsrealm.centrifying.net 172.31.26.75   : Pass
    ADDC     : Check Domain Controllers                                    : Pass
    ADDNS    : DNS lookup of DC dc1.awsrealm.centrifying.net               : Pass
    GCPORT   : Port scan of GC dc1.awsrealm.centrifying.net 172.31.26.75   : Pass
    ADGC     : Check Global Catalog servers                                : Pass
    DCUP     : Check for operational DCs in awsrealm.centrifying.net       : Pass
    SITEUP   : Check DCs for awsrealm.centrifying.net in our site          : Pass
    DNSSYM   : Check DNS server symmetry                                   : Pass
    ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
    GSITE    : See if we think this is the correct site                    : Pass
    TIME     : Check clock synchronization                                 : Pass
    ADSYNC   : Check domains all synchronized                              : Pass
    3 warnings were encountered during check. We recommend checking these before proceeding
    
Make sure you correct any major errors outlined by adcheck.  The key here will be name resolution and connectivity with your domain controllers; if you laid-out your security rules correctly and have DNS set to resolve AD records, you should be fine. 
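An added Python parser (not part of the post) for adcheck's report format, run over a trimmed copy of the output above embedded as a constructed sample: it collects each check with its continuation lines, lists everything that did not pass, and pulls the dead DNS servers out of the DNSCHECK table so they can be fixed in /etc/resolv.conf or the DHCP option set before adjoin.

```python
"""Parse adcheck output and surface the checks that block a clean adjoin."""
import re

# Constructed sample: the adcheck run from this post, trimmed to the lines
# that matter for the parser (a full run has the same line shapes).
ADCHECK_OUTPUT = """\
OSCHK    : Verify that this is a supported OS                          : Pass
HOSTNAME : Verify hostname setting                                     : Warning
         : Computer name should not be localhost or
         : localhost.localdomain. You may edit /etc/hosts or your
         : DNS server to set your hostname correctly or you must
         : use the --name option when running adjoin.

NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 172.31.26.75                               : Pass
DNSPROBE : Probe DNS server 172.31.38.176                              : Warning
         : This DNS server does not respond to requests. This is a serious problem

DNSCHECK : Analyze basic health of DNS servers                         : Warning
         : One or more DNS servers are dead or marginal.
         : Check the following IP addresses in /etc/resolv.conf.
         :
         : The following table lists the state of all configured
         : DNS servers.
         :  172.31.26.75 (ip-172-31-26-75.us-west-2.compute.internal): OK
         :  172.31.38.176 (unknown): dead
         : Only one good DNS server was found
ADDC     : Find domain controllers in DNS                              : Pass
TIME     : Check clock synchronization                                 : Pass
3 warnings were encountered during check. We recommend checking these before proceeding
"""

# "NAME     : description : Status" lines start a check; indented ": text"
# lines continue the previous check's explanation.
CHECK_LINE = re.compile(r"^(\w+)\s*:\s*(.*?)\s*:\s*(\w+)\s*$")
DETAIL_LINE = re.compile(r"^\s+:\s?(.*)$")
# Rows of the DNSCHECK table: "<ip> (<reverse name>): <state>"
DNS_STATE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) \((.*?)\): (\w+)")


def parse_adcheck(text):
    """Return one dict per check: name, description, status and its detail lines."""
    checks = []
    for line in text.splitlines():
        m = CHECK_LINE.match(line)
        if m:
            checks.append({"name": m.group(1), "description": m.group(2),
                           "status": m.group(3), "details": []})
            continue
        d = DETAIL_LINE.match(line)
        if d and checks and d.group(1).strip():
            checks[-1]["details"].append(d.group(1).strip())
    return checks


def needs_attention(checks):
    """Every check whose status is not Pass (warnings and failures alike)."""
    return [c for c in checks if c["status"] != "Pass"]


def dead_dns_servers(checks):
    """IP addresses that the DNSCHECK table reports as anything but OK."""
    dead = []
    for check in checks:
        if check["name"] != "DNSCHECK":
            continue
        for detail in check["details"]:
            m = DNS_STATE.search(detail)
            if m and m.group(3) != "OK":
                dead.append(m.group(1))
    return dead


if __name__ == "__main__":
    parsed = parse_adcheck(ADCHECK_OUTPUT)
    for check in needs_attention(parsed):
        print("%-9s %-8s %s" % (check["name"], check["status"], check["description"]))
        for detail in check["details"]:
            print("          " + detail)
    print("fix these DNS servers before adjoin:", dead_dns_servers(parsed))
```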

Modify default AWS EC2 SSH Server Settings
By default, OpenSSH in AWS EC2 is not configured to allow password authentication.  Although with Centrify the underlying authentication uses Kerberos to talk to DCs, ultimately the user must be allowed to type their password in an SSH session.
  1. Sign-in to your EC2 instance with the ec2-user
  2. Modify the /etc/ssh/sshd_config file and set these directives (e.g. using vi: sudo vi /etc/ssh/sshd_config)
    PasswordAuthentication yes 
    # PasswordAuthentication no 
  3. Save the file.
  4. Restart the SSH server
    sudo service sshd restart
Join your EC2 Linux instance to Active Directory Manually
$ sudo adjoin -z AWS -c "ou=servers,ou=centrify" -n demo3 -u admin awsrealm.centrifying.net
admin@AWSREALM.CENTRIFYING.NET's password:
Using domain controller: dc1.awsrealm.centrifying.net writable=true
Join to domain:awsrealm.centrifying.net, zone:AWS successful

Centrify DirectControl started.
Initializing cache
.
You have successfully joined the Active Directory domain: awsrealm.centrifying.net
in the Centrify DirectControl zone: CN=AWS,CN=Zones,OU=Centrify,DC=awsrealm,DC=centrifying,DC=net


You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation.  Failure to do so may result in
login problems for AD users.

Verify your UNIX Access and Privilege model
  1. Connect to your Linux system using SSH (e.g. PuTTY or ssh), log in as one of your AD users (e.g. lisa)
    login as: lisa
    Server refused our key
    lisa@172.31.44.61's password:
    Created home directory
    
           __|  __|_  )
           _|  (     /   Amazon Linux AMI
          ___|\___|___|
    
    https://aws.amazon.com/amazon-linux-ami/2017.03-release-notes/
    2 package(s) needed for security, out of 2 available
    Run "sudo yum update" to apply all updates.
  2. Verify lisa's role using Centrify-enhanced sudo
    1. $ dzinfo --role
      User: lisa
      Forced into restricted environment: No
      Centrify MFA Service authentication: Supported
      
        Role Name        Avail Restricted Env
        ---------------  ----- --------------
        UNIX             Yes   None
        Sysadmin/AWS
      
     Now you can log Lisa out.
  3. Reconnect, this time logging in as Homer, then verify his role
    login as: homer
    Created home directory
    $ dzinfo --roles
    User: homer
    Forced into restricted environment: No
    Centrify MFA Service authentication: Supported
    
      Role Name        Avail Restricted Env
      ---------------  ----- --------------
      UNIX Login/AWS   Yes   None
    
    Note the different role for Homer.
  4. Close the session.  You have now verified your Linux access model.
Join your EC2 Windows member to the Centrify Zone
Grant your test users remote desktop access
  1. In your member server, right-click the start menu and select Run
  2. Type compmgmt.msc and press enter
  3. Navigate to Local Users and Groups > Groups and double-click Remote Desktop Users
  4. Press Add.  Now add the test users (or a group) you want to have RDP access.  E.g. (maggie)
  5. Press OK.
Install the Centrify Agent for Windows
  1. Open Windows Explorer and navigate to the folder with the Centrify Server Suite bits.
  2. Browse to the Agent folder and run Centrify Agent for Windows64.exe (press Yes to the UAC prompt)
    • Welcome Page > Press Next
    • EULA Page > check the box and press Next
    • Custom Setup Page > Select only the Access Components
      [image: dzwin-comp.png]
      (This is unless you are planning or have added DirectAudit)
    • Components Page > Next
    • Confirmation Page > Install
    • Completed Page > Make sure the "Run Agent Configuration Wizard" is checked, press Finish
  3. Now you'll configure the Agent to join your zone.  
    • Configuration Page > Press Next
    • (Optional) Associate DirectAudit Installation > Select your Installation
    • Join to a Zone > Select the zone you created earlier (AWS) and Press Next
      Note, you may be asked to add the Domain Administrators to the Login role.  You must do this, otherwise the only user that will be able to sign-in will be maggie (in this example).
    • Configuration completed, Press Finish.
  4. If asked to restart, press Yes when you are ready.
Verify your Windows Access and Privilege model
  1. Sign-in to your Windows system as a member of the Domain Admins group
  2. Right click start and run mstsc -v member -w:800 -h:600 (this launches an RDP session)
  3. Attempt to log in with maggie  (she should be able to log in) 
  4. Open the Windows systray and right-click the Centrify icon > Authorization Center and click on the Effective roles tab
    [image: maggie.png]
  5. Note Maggie's current roles in the AWS zone.  Logoff.
  6. Repeat step 2, and now try to log in with Bart.  The result should be:
    [image: bart.png]
    This is because Bart has not been assigned a role that allows for Windows access.
  7. Press OK and close.  At this point, you have tested the access model on Windows.


Sanity Check # 4 
At this point you should have
  • Centrify tools installed in your member server (e.g. DirectManage)
  • A domain-joined Amazon Linux instance
  • In the Centrify zone, a Linux instance and your Windows member server
    [image: state.png]
  • Tested your access and privilege model on both the Linux and Windows platforms.
MILESTONE:  Now you have a system that you can use for sanity checks and to generate some of the tools required for the Standard Edition AWS labs.  This is the state of your lab:

[image: statepoint5.png]

Privilege Service Lab Setup - Centrify Tenant and Connector 
Obtain a Privilege Service Tenant
  1. Get Centrify Privilege Service
    https://www.centrify.com/free-trial/privilege-service-form/
    Once your tenant is approved, you'll receive an email with your URL, credential and one-time link.  When you click on it, you will be logged-in.  Make sure you change your password.
  2. Once your tenant is set up, open its URL from the browser in your EC2 Windows instance (member server)
    Note that you may have to relax the IE ESC settings on Windows or download an alternative browser like Chrome or Firefox.  E.g. https://your-tenant.my.centrify.com/manage
  3. Navigate to Settings > Network and click "Add Centrify Connector";  this will download the Connector bits.
  4. Double-click the Connector zip file, and run the included setup file, this will start the wizard
    - Welcome Page - press next
    - EULA Page - check the box and press next
    - Custom Setup - only install the Centrify Connector
    - Ready to install - press next.  When complete, press Finish.  This will launch the configuration Wizard.
  5. In the Configuration Wizard:
    - Welcome Page - press next
    - Centrify Connector Configuration - provide your admin account name and password
    - Connector Configuration - Optional: check the box to join the domain (you may not be able to if you're using a managed AD).
    - Connection test - should be successful if your instance is allowed to go out to the Internet, press Next
    - Configuring connector - Next and then Finish.
  6. Once completed, the Settings > Network > Centrify Connectors should display your aws connector:
    [image: connect.png]
Configure Resource Subnet Mapping
This step is very important, especially if you're using the Privilege Service tenant in other environments like local VMs.
  1. Log in to privilege manager (https://your-tenant.my.centrify.com/resources)
  2. Go to Settings click on Resource Subnet Mapping and Press Add
  3. Type the CIDR for your AWS subnet (repeat if you have many; e.g. 172.31.0.0/16)
  4. Select "Choose" and check the box next to your AWS Windows Server running the Centrify Connector.
    [image: ccsubnet.png]
  5. Press Save.

Sanity Check # 5
At this point, you should:
  • Have a Privilege Service tenant, and know its URL and an admin user and password.
  • Have the Privilege Service ready to authenticate your AD users (see below) and to provide password and session services for your AWS subnet.
MILESTONE: You should be ready to perform the AWS Privilege Service Labs, and this should be the state of your lab.
[image: state-with-bucket.png]