Privileged Access Service deployment checklist

• Join primary server node and secondary server nodes to the domain:
• Download primary server and secondary server and import into VMWare.

On both systems, join your domain using the system properties or with an administrative PowerShell window.

• Install the Windows Failover Clustering feature on both nodes (with Server Manager or using PowerShell).

• Install and configure the required services.
• Configure iSCSI disks and target.

Server Manager > Local Server > File and Storage Services > iSCSI.

• Configure iSCSI Initiators on primary server and secondary server.

Start > Search > Type iSCSI and open iSCSI Initiator.

• Initialize the Virtual Disks using the Primary Node (primary server).

Administrative Tools > Disk Management.

• Establish temporary name resolution for primary node.
• Install Privileged Access Serviceon the primary node.
• Primary Node verification and hosts file cleanup.
• Install Privileged Access Serviceon the secondary server.

On primary server logged in as a privileged domain user.

On primary server logged in as Domain Admin.

Admin Portal > Settings > Network.

On secondary server logged in as a privileged domain user.

• Create and validate the cluster.

Administrative Tools > Failover Cluster Manager > Actions, select Create Cluster, this opens the Failover Cluster Wizard.

• Configure Privilege Service as a clustered application.

Administrative Tools > Failover Cluster Manager > Actions > Configure Role.

• Configure Wizard.

Connector configuration Wizard.

• Review failover policies.

Vault properties window.

• Conduct failover tests:
  • Maintenance Mode (drain)
  • Transfer the role to a different cluster node
  • Simulate Disk Failure
  • Simulate Network Failure
  • Stop cisdb-pgsql
  • Stop IIS Web Service (W3SVC)
  • Operations: Node recoverability
  • Operations: Backup
  • Operations: Upgrade
  • Operations: Restore
  • Operations Recover from replicated file

• Test the Privileged Access Serviceinstance.
• Backup and recovery of Privileged Access Service.

• Request a free trial or subscription.

  Note:   This step is not required if you are performing a customer-managed deployment.

https://www.centrify.com/free-trial/

• Register for a Centrify account with a valid email address. 

  You will receive an “Activate Your Centrify Account” email followed by a “Your Centrify Account Is Ready - Next Steps” email with your account details.

  Your account details include the user name for an administrative account, a temporary password, and a unique customer identifier.

  Note:   This step is not required if you are performing a customer-managed deployment.

Email account

• Log in to the Centrify Admin Portal using the account name, temporary password, and URL from the email notification.

The account used to log on for the first time is a Centrify Directory account and is automatically made a member of the System Administrator role with all administrative rights.

Admin Portal Login Screen

Set and confirm the new password to activate your account.

Admin Portal Login Screen

• Review Connector requirements.
• Check firewall rules for the connections between the Centrify Connectors to the Privileged Access Service.

If you are using Discovery, check firewall rules to determine if Connectors can connect to potential resources via SMB and RPC over TCP.

Online help

• Select a host computer to install the Centrify Connector.

Network

• On the host computer, log in to the Admin Portal and select to add a connector and complete installation.

  Installing the Centrify Connector integrates your Active Directory/LDAP service with Privileged Access Service. The connector allows you to specify groups whose members can enroll and manage devices. It also monitors Active Directory/LDAP for group policy changes, which it sends to Privileged Access Service to update enrolled devices.

Admin Portal> Settings > Network > Centrify Connector

• Map a subnet pattern to a selected set of connectors.

Admin Portal> Settings > Resources > System Subnet Mapping

• Customize settings such as login suffix and tenant URLs.

Admin Portal > Settings > General

• Configure additional customization such as logos and colors for the Admin Portal.

Admin Portal > Settings > General > Account Customization

• Add IP ranges to identify internal and external networks which can be used to specify authentication requirements.

Admin Portal > Settings > Network > Corporate IP Range > Add

• Manually create additional System Administrator accounts in the Centrify Cloud Directory.

  You can add Active Directory users in later steps (after you configure the Centrify Connector).

  Manually create Centrify Directory user accounts in the Centrify Cloud Directory.

  You can also bulk import Centrify Directory users accounts, see How to Bulk import user accounts.

Admin Portal > Access > Users

• Add System Administrator accounts to System Administrator roles.
• Add Centrify Directory user accounts to roles.

By default, users are added to the Everybody role. You can add additional roles with different Administrative rights to control access over who can do what or which policies should be applied to different groups of users.

Admin Portal > Access > Roles

• Configure user security forPrivileged Access Service, such as password-based authentication. In particular, be sure to configure:
  • Authentication Policies > Centrify Services
  • User Security Policies
  • Devices

Admin Portal > Access > Policies

• Configure multi-factor authentication if applicable:
  • For MFA with mobile device phone numbers: check that these attributes exist and are provisioned in their directory source (Active Directory, Federation etc.)
  • For MFA with email: check that email attributes exist and have been provisioned in their directory source (Active Directory, Federation etc.)
  • For RADIUS for MFA: configure RADIUSFor OATH for MFA: configure OATH

(MFA mobile) Identity store—such as Active Directory or another LDAP-based service.

(MFA email) Identity store—such as Active Directory or another LDAP-based service

(RADIUS) Access > Policies > User Security Policies > RADIUS

Also refer to your RADIUS client documentation for additional configuration procedures and guidelines.

Exact configuration steps are dependent on your OATH method.

• Configure global security settings such as frequency of password rotation, minimum password age, how long passwords can be checked out, etc.

Admin Portal > Settings > Resources > Security Settings

• Customize password profiles for systems, domains, and databases.

   

Admin Portal > Settings > Resources > Password Profiles

Add resources, such as Systems, Databases, Domains, Accounts, Secrets, SSH keys, Services, that you want managed by the Privileged Access Service using one of the following methods:

• Import function (Admin Portal Import function or through PowerShell)
• Discovery (for Systems and Accounts only)

If you are using Discovery, identify an Active Directory account with local administrator permissions to access resources that will be discovered.

• Manually

(Import) Admin Portal > Resources > Systems > Import or Github to download the PowerShell script.

(Discovery) Admin Portal > Discovery > Systems and Accounts or Alternate Accounts > Profiles

(Manually) Admin Portal > Resources >Systems, Databases, Domains, Accounts, Secrets, SSH keys, or Services

Configure service settings for the following:

• Accounts used to run Windows services or scheduled tasks
• IIS application pools
• Multiplexed accounts used to rotate the password for service accounts

Admin Portal > Resources > Services

Configure permission access for resources.

• Individual (all)
• Global (Systems and Accounts)
• Sets (all)

 (Individual) Admin Portal >Resources > select resource type> Permissions

(Global) Admin Portal > Access > Global Account Permissions or Global System Permissions

(Sets) Admin Portal > Resources > select resource type> Sets

• Add web applications to the Admin Portal app catalog.
• Configure application settings.
• Assign roles to the application.

Admin Portal > Apps > Add Web Apps

• Add desktop applications to the Admin Portall app catalog.
• Configure application settings.
• Assign roles to the application.

Admin Portal > Apps > Add Desktop Apps

Configure workflow (request and approval access) for Web applications, desktop applications and accounts.

• Configure roles for requestors and approvers
• Enable workflow for an application or an account
• Add approver

To simplify the process of configuring a “request and approval” workflow, you can enable workflow for all accounts stored in thePrivileged Access Service.

Applications:

Admin Portal > Web Apps or Desktop Apps > select application > Workflow

 Accounts:

Admin Portal > Resources > Accounts > select account > Workflow

Global Account Configuration:

Admin Portal > Settings > Resources > Global Account Workflow

• Configure Zone Role Workflow (request and approval access) for Systems and Domains.
• Configure roles for requestors and approvers.
• Enable Zone Role Workflow for all computers in a domain.
• Add approver

Systems must be joined to a zone.

Systems:

Admin Portal > Resources > Systems > select system > Zone Role Workflow

Domains:

Admin Portal > Resources > Systems > select system > Zone Role Workflow

• If you require remote access to systems using PuTTY or local RDP, install a local client kit and enable access for individual users.

Admin Portal > Settings > Resources > User Preferences

• Create an audit installation and verify that the environment is working. 
• Enable auditing and specify the installation name for the systems you manage in the Admin Portal.

See the Audit and Monitoring Checklist for additional details.

Install the Centrify Client for Linux or the Centrify Client for Windows to allow computer accounts to run services and to check out account passwords that are stored in the Privileged Access Service.

Admin Portal > Downloads