Enabling client-based login

Client-based login lets you use the Centrify Client to log in to systems that you have registered in Privileged Access Service. Enabling it has two main components:

  • Grant client-based login permission (also called the AgentAuth permission) to the desired user accounts or roles.

  • Enable the client-based login feature (also called the AgentAuth feature) when you enroll a system with the Centrify Client. This can only be done at the time of enrollment.

The sections below describe how client-based login differs on Windows and Linux systems, and then how to enable it.

About client-based login on Windows

The first time you log in to a Windows system using client-based login, the service creates a new local user that corresponds to your Privileged Access Service account, provided that account is a Centrify directory account or a federated account. Each time you log in this way, the service rotates that local user's password to a random 32-character string. If your account is based in Active Directory, the service does not create a local account for you; you log in with your Active Directory credentials.

The service also assigns this user to local groups according to local group mapping rules that you have configured. Any changes that you make to the local group mapping configurations take effect the next time the user logs in. If an affected user is currently logged in when you make the changes, the changes take effect after the user logs out and logs in again.

This local user operates as a background user and does not appear in any list of local users inside Privileged Access Service; you can see it in Local Users and Groups on Windows. The local account remains provisioned until you uninstall the client.

About client-based login on Linux

The first time that you log in to a Linux system using client-based login, the PAM and NSS modules for the Centrify Client handle the authentication and group membership of your account. The service does not create a local user account. If desired, you can modify any default Linux user configuration settings under Settings > Enrollment > Linux Settings.

Enabling the AgentAuth feature and granting the AgentAuth permission

To enable client-based login for a system and a user or role:

  1. Enroll the computer in the Privileged Access Service and enable the AgentAuth feature.

    In the Windows Centrify Client installer, leaving the Optional Parameters section empty enables all features. To enable only client-based login, enter AgentAuth as a parameter.

    If you're using the cenroll command on Windows or Linux, include one of the following options to enable either just client-based login or all features:

    --features AgentAuth

    --features All

    For details about Centrify Client commands and options, see Using Centrify Client commands.

  2. Log on to the Privileged Access Service.

  3. Click Resources > Systems, then click the computer you registered to display its details.

  4. Click Permissions.

  5. Click Add, if necessary, to find and select the user account or role, then select Agent Auth.

    For example, if you want to add client-based login for the user kris-pubs@centrify.com.720 on this computer, you would add the user to the list of accounts that have permissions on the system, then select the Agent Auth permission.

    Note: You can configure client-based login for a specific system or a set of systems.

  6. Click Save.
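As an added example (not from the Centrify documentation or the Centrify Client itself), the following POSIX shell helper assembles the cenroll invocation from the two documented --features values and, after enrollment, checks that the Centrify NSS module described above resolves a Privileged Access Service account on Linux. It assumes cenroll is on PATH; any other cenroll options your deployment needs (tenant, enrollment code) are passed through unchanged, and the account name used in the usage line is constructed.

```shell
#!/bin/sh
# Added example: enrol with client-based login and verify NSS resolution.
# Assumptions: cenroll is on PATH; its remaining options are passed through
# as given; the account name supplied on the command line is constructed.

# Accept only the two feature sets the documentation names for client-based
# login: AgentAuth (this feature only) or All (every client feature).
valid_feature_set() {
  case "$1" in
    AgentAuth|All) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the cenroll argument list. Only --features comes from the docs;
# everything after the feature set (tenant, enrollment code, ...) is
# forwarded untouched, so no other cenroll option is assumed here.
enroll_args() {
  feature="$1"; shift
  valid_feature_set "$feature" || {
    echo "feature set must be AgentAuth or All" >&2; return 1; }
  printf '%s ' "--features" "$feature" "$@"
}

# After enrollment, confirm the Centrify NSS module resolves the account and
# show the groups it maps to. If this fails, check that AgentAuth was enabled
# at enrollment (it cannot be added later) and that the account or its role
# holds the Agent Auth permission on this system.
check_client_login_user() {
  user="$1"
  if ! getent passwd "$user" >/dev/null 2>&1; then
    echo "$user: not resolvable via NSS" >&2
    return 1
  fi
  echo "$user groups: $(id -nG "$user")"
}

# Usage: sh enroll_check.sh --run AgentAuth alice@example.com <cenroll options>
if [ "${1:-}" = "--run" ]; then
  shift
  feature="$1"; account="$2"; shift 2
  # shellcheck disable=SC2046
  cenroll $(enroll_args "$feature" "$@") && check_client_login_user "$account"
fi
```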