Installing a Centrify Connector
You install the Centrify Connector to integrate your Active Directory/LDAP service with Privileged Access Service. The connector allows you to, among other things, specify groups whose members can register and manage devices. It also monitors Active Directory/LDAP for group policy changes, which it sends to Privileged Access Service to update registered devices.
Industry best practice recommends that you do not install the connector on the same server as a domain controller; domain controllers should remain single-purpose systems. To install the connector, you must first obtain the Privileged Access Service Management Suite package, then run the installation wizard.
Note: Before you install the Centrify connector, you must ensure that your tenant URL is added to Internet Explorer's Trusted sites list.
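The two pre-install conditions above (the host is not a domain controller, and the tenant URL is in Internet Explorer's Trusted sites zone) can be checked and applied from an elevated PowerShell prompt on the prospective host. The following is an added example written for this page, not a Centrify tool; the tenant URL is a placeholder, and the IE zone-map registry layout it writes is the standard one (zone 2 = Trusted sites, value named after the URL scheme).

```powershell
# Added example (not from the Centrify documentation): pre-install checks for a
# connector host. The tenant URL below is a placeholder that you replace.
$TenantUrl = 'https://tenant-placeholder.my.centrify.com'

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Add-IETrustedSite {
    param([Parameter(Mandatory)][string]$Url)
    $uri      = [Uri]$Url
    $hostName = $uri.Host                       # e.g. tenant-placeholder.my.centrify.com
    $labels   = $hostName.Split('.')

    # IE stores zone assignments per registrable domain, with the remaining labels as a subkey:
    #   ...\ZoneMap\Domains\centrify.com\tenant-placeholder.my  ->  https = 2
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $domain = ($labels[-2..-1]) -join '.'
    if ($labels.Count -gt 2) {
        $sub = ($labels[0..($labels.Count - 3)]) -join '.'
        $key = Join-Path (Join-Path $base $domain) $sub
    } else {
        $key = Join-Path $base $domain
    }

    New-Item -Path $key -Force | Out-Null
    # Zone 2 = Trusted sites; the value name is the URL scheme (https)
    Set-ItemProperty -Path $key -Name $uri.Scheme -Value 2 -Type DWord
    return $key
}

if (Test-IsDomainController) {
    Write-Warning 'This host is a domain controller. Install the connector on a member server instead.'
} else {
    $key = Add-IETrustedSite -Url $TenantUrl
    Write-Output "Tenant URL added to the Trusted sites zone via $key"
}
```

The zone entry is written under HKCU, so it applies only to the account that will run the installer; run it as that account. If your organisation manages IE zones through Group Policy, the policy setting takes precedence over this per-user key.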
Before you begin
Before you install the connector, you must create a new role and assign that role the right to register and administer the connectors. To do this, do the following:
- Create a new role: Access > Roles (add a role).
- Name the role Connector Administrator. The purpose of this role is to create and manage the addition of connectors to the system.
- On the Administrative Rights tab, add the right to Register and Administer Connectors and click Save.
- Navigate to Access > Users and create a new cloud user by clicking Add User. Name this user "connectoradmin." Add the email address, display name, password, and click Create User.
- Navigate back to Access > Roles and click the Connector Administrator role. Go to the Member tab and add the user "connectoradmin" to the Connector Administrator role and click Add.
Note: The above steps must be completed before you proceed to installing the connector.
Installing a connector on a host computer
- Log in to the host computer with an account that has sufficient Centrify Connector permissions to install the connector.
- Open Admin Portal.
- Click Settings > Network > Add Centrify Connector.
- Click 64-bit in the Download pane. The download begins.
- Extract the files and double-click the installation program: Centrify Installer.
Note: In the file name, rr.r indicates the release version and aa indicates the processor architecture (64-bit).
- Click Yes to continue if the User Account Control warning displays.
- Click Next on the Welcome page. Review the End User Software License and Services Agreement, accept the terms of agreement, then click Next.
- Select the components to install, then click Next.
Note: The default is to install all components. Use the descriptions on the installation UI to decide which components you want to install.
- Click Install > Finish to open a second installation wizard. This second installation wizard initiates the connection between Active Directory and your Privileged Access Service tenant.
- Click Next on the Welcome page.
- You will next see the Centrify Connector Configuration wizard that allows you to set strong encryption protocols system-wide. The checkbox Enable strong encryption protocols system-wide is checked by default. Click Next.
- Next, enter the Tenant URL, then either:
  - proceed to MFA, or
  - use a registration code, which bypasses the MFA process. To do this, select the Use Registration Code checkbox. To obtain a registration code, you must make a REST API call:
    - Navigate to the Centrify Developer Portal and use the generate code string.
    - Call the endpoint /Core/GenerateNewProxyCode.
- If you did not use a registration code, complete MFA and then proceed to step 17. If you used a registration code, proceed directly to step 17.
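The REST call that obtains a registration code can be scripted rather than made by hand in the Developer Portal. The following is an added example, not Centrify's own tooling: it assumes you already hold a bearer token for a user in the Connector Administrator role, that the endpoint accepts an empty JSON body, and that the tenant answers with the usual success/Result/Message envelope. The tenant URL and token are placeholders.

```powershell
# Added example (not from the Centrify documentation): request a connector
# registration code from the tenant's /Core/GenerateNewProxyCode endpoint.
param(
    [string]$TenantUrl   = 'https://tenant-placeholder.my.centrify.com',  # placeholder
    [string]$BearerToken = 'PASTE-TOKEN-HERE'   # placeholder: token for a Connector Administrator user
)

function New-ConnectorRegistrationCode {
    param(
        [Parameter(Mandatory)][string]$TenantUrl,
        [Parameter(Mandatory)][string]$BearerToken
    )
    $headers = @{
        Authorization              = "Bearer $BearerToken"
        Accept                     = 'application/json'
        # Marks a programmatic client so failures come back as JSON rather than a login redirect
        'X-CENTRIFY-NATIVE-CLIENT' = 'true'
    }
    $endpoint = "$($TenantUrl.TrimEnd('/'))/Core/GenerateNewProxyCode"

    try {
        # Assumption: the endpoint takes an empty JSON object as its body
        $resp = Invoke-RestMethod -Method Post -Uri $endpoint -Headers $headers `
                    -ContentType 'application/json' -Body '{}'
    } catch {
        throw "Request to $endpoint failed: $($_.Exception.Message)"
    }

    # Assumption: envelope of the form { success: bool, Result: <code>, Message: <error text> }.
    # A caller without the Register and Administer Connectors right is refused here.
    if (-not $resp.success) {
        throw "Tenant refused to issue a registration code: $($resp.Message)"
    }
    return $resp.Result
}

$code = New-ConnectorRegistrationCode -TenantUrl $TenantUrl -BearerToken $BearerToken
# The code enrols a connector into your tenant: handle it like a credential and paste it
# into the wizard's Use Registration Code field rather than storing it in scripts or logs.
Write-Output $code
```

Running the call from an account that lacks the Register and Administer Connectors right reproduces the authorization error the wizard reports when a code cannot be retrieved, which makes this a quick way to confirm the role assignment from the Before you begin section before starting the install.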
- Click Next unless you are using a web proxy server to connect to Privileged Access Service. If you are using a web proxy service, select the associated check box and specify the IP address, port, user name, and password to use.
- Specify the monitored domains and relevant credentials to synchronize deleted objects in Active Directory/LDAP with Privileged Access Service, then click Next.
When you delete users in Active Directory and want this deletion synchronized with Privileged Access Service, you have two options:
- Supply domain administrator credentials for the Active Directory domain that holds the relevant Deleted Objects container. If you are deleting users in multiple domains, make sure that you are a domain administrator for all of those domains.
- Delegate read permissions on the Deleted Objects container in the corresponding domain to the service account.
Note: If you do not take one of the above actions, users deleted in Active Directory remain listed on the Users page in Admin Portal until you delete them manually. They will not, however, have access to any Privileged Access Service functionality.
The configuration wizard performs several tests to ensure connectivity.
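The second option is the least-privilege one: the service account only needs to list and read tombstoned objects, not domain administrator rights. The following is an added example, not from the Centrify documentation, showing the standard Windows procedure for that delegation with dsacls.exe (take ownership of the container once, then grant List Contents and Read Property). The domain DN and service account name are placeholders; run it once per monitored domain from an account that is a domain administrator of that domain.

```powershell
# Added example (not from the Centrify documentation): grant a service account
# read access to a domain's Deleted Objects container instead of running the
# wizard as a domain administrator. Domain and account names are placeholders.
function Grant-DeletedObjectsRead {
    param(
        [Parameter(Mandatory)][string]$DomainDn,        # placeholder, e.g. 'DC=example,DC=com'
        [Parameter(Mandatory)][string]$ServiceAccount   # placeholder, e.g. 'EXAMPLE\svc-connector'
    )
    $container = "CN=Deleted Objects,$DomainDn"

    # Only the container's owner may change its ACL; by default that requires a
    # domain administrator to take ownership first (a one-time change).
    & dsacls.exe $container /takeownership | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not take ownership of $container" }

    # LC = List Contents, RP = Read Property: the minimum needed to enumerate
    # deleted objects, with no write or delete rights granted.
    & dsacls.exe $container /G "${ServiceAccount}:LCRP" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not grant LCRP on $container to $ServiceAccount" }

    # Read the ACL back and confirm the account now appears in it
    $acl = & dsacls.exe $container
    return ($acl -match [regex]::Escape($ServiceAccount)).Count -gt 0
}

Grant-DeletedObjectsRead -DomainDn 'DC=example,DC=com' -ServiceAccount 'EXAMPLE\svc-connector'
```

After delegating, enter the service account (not a domain administrator) as the monitored domain's credentials in the wizard; the domain administrator account is then needed only for the one-time ownership change.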
- Click Finish to complete the configuration and open the connector configuration panel, which displays the status of the connection and your customer ID.
Note: If you are not authorized to retrieve a registration code, you will receive an error stating that.
- Click Centrify Connector to view or change any of the default settings.
- Click Close.
After you have installed and configured at least one connector, you can use either Admin Portal or your default browser to log on to Privileged Access Service. The next time you log on and see the welcome page, select Don’t show this to me again, then click Close.
The column headings in Admin Portal associated with each connector indicate the following:
- The name of the computer.
- The domain name of the domain controller to which the connector is joined.
- The version of the connector software. You can configure the connector to update automatically (see How to auto-update connector software).
- The last time the Privileged Access Service successfully pinged the connector.
- The DNS short name. You can also enter a fully qualified domain name in the IE local intranet zone. See Enabling IWA Service on the connector to change this name.
- AD Proxy -- Displays if the Active Directory proxy service is enabled on the connector. If enabled, it means you use the Active Directory proxy service to authenticate Privileged Access Service users who have Active Directory accounts.
- LDAP Proxy -- Displays if the LDAP proxy service is enabled on the connector. If enabled, it means you use the LDAP proxy service to authenticate Privileged Access Service users who have LDAP accounts.
- App Gateway -- Displays if the App Gateway service is enabled on the connector. The App Gateway service provides remote access and single sign-on to web applications served by internal web servers (see Applications).
- RADIUS Client -- Displays if the connector is enabled for use as a RADIUS client.
- RADIUS Server -- Displays if the connector is enabled for use as a RADIUS server for customers who support RADIUS authentication.
- RDP Service -- Displays if the connector is enabled for remote desktop sessions using Remote Desktop Protocol (RDP) clients to access target systems.
- SSH Service -- Displays if the connector is enabled for secure shell sessions using SSH clients to access target systems.
- Web Server (IWA) -- Displays if the connector is configured to accept an Integrated Windows Authentication (IWA) connection as sufficient authentication for users with Active Directory accounts. IWA is not available to Privileged Access Service account users.
- Active indicates that Privileged Access Service can communicate with the connector.
- Inactive indicates that Privileged Access Service cannot communicate with the connector.