Privileged Access Service deployment checklist

You will need to perform the following initial tasks to:

• Gain access to the Privileged Access Service Admin Portal

• Configure users and roles

• Add and configure resources to be managed by the Privileged Access Service

The initial steps below are included for customer-managed deployments. For additional customer-managed deployment requirements, see Customer-managed Privileged Access Service additional requirements. If your deployment is a cloud-based deployment, you can start at the Access the Admin Portal step.

Each step below is followed by its configuration location (the Admin Portal path, or the server on which you perform it) and by a reference to the detailed instructions.

(Customer-managed deployments only) Prepare the virtual machines

  • Download the primary server and secondary server images and import them into VMware.
  • Join the primary server node and the secondary server node to the domain.

On both systems, join your domain using System Properties or from an administrative PowerShell window.

  • Install the Windows Failover Clustering feature on both nodes (with Server Manager or using PowerShell).

 

Installation and Configuration Guide for On-Site Deployment
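The node-preparation steps above from an administrative PowerShell window, as an added example that is not part of the Centrify guide. The domain name corp.example.com and the peer node name PAS-NODE2 are assumptions; substitute your own, and run the script once on the primary server and once on the secondary server (with the peer name swapped).

```powershell
# Added example (not from the Centrify guide): prepare one PAS node from an
# administrative PowerShell window. Run on the primary server, then again on
# the secondary server.
# Assumed values (not on the original page): domain corp.example.com,
# peer node PAS-NODE2.

$Domain = 'corp.example.com'
$Peer   = 'PAS-NODE2'   # the other cluster node, used for the reachability check
$Cred   = Get-Credential -Message "Account delegated to join computers to $Domain"

# Step 1: join the domain. -Restart reboots the node, which the join requires
# before the computer account is usable, so everything below runs after the reboot.
Add-Computer -DomainName $Domain -Credential $Cred -Restart

# ---- after the reboot ----

# Step 2: install Failover Clustering with its management tools (Failover
# Cluster Manager and the FailoverClusters PowerShell module).
Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools

# Verify the result rather than assuming it: domain membership, feature state,
# and that the peer node is reachable on SMB, which cluster validation needs.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $Domain) {
    throw "$($cs.Name) is not joined to $Domain"
}
if ((Get-WindowsFeature -Name Failover-Clustering).InstallState -ne 'Installed') {
    throw 'Failover-Clustering feature is not installed'
}
$tnc = Test-NetConnection -ComputerName $Peer -Port 445 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    throw "Cannot reach $Peer on TCP 445; fix name resolution or firewall rules first"
}
"Node $($cs.Name) is ready for cluster creation"
```

Use an account that has only been delegated the right to join computers to the target OU rather than a Domain Admin; the join is the only privilege this step needs, and the credential is typed on a machine that is not yet fully managed.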

(Customer-managed deployments only) Configure a shared virtual disk host

Note:   The following steps are not needed if you are using a customer-managed PostgreSQL database. In that case, make sure the database is reachable by DNS from both nodes and that the database user has been created.

  • Install and configure the required services.
  • Configure iSCSI disks and target.

Server Manager > Local Server > File and Storage Services > iSCSI.

Installation and Configuration Guide for On-Site Deployment

  • Configure iSCSI Initiators on primary server and secondary server.

Start > Search > Type iSCSI and open iSCSI Initiator.

Installation and Configuration Guide for On-Site Deployment

  • Initialize the Virtual Disks using the Primary Node (primary server).

Administrative Tools > Disk Management.

Installation and Configuration Guide for On-Site Deployment
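The three iSCSI steps above (target on the shared disk host, initiators on both nodes, disk initialization on the primary node) as PowerShell, added here as an example that is not part of the Centrify guide. The host names PAS-ISCSI, PAS-NODE1 and PAS-NODE2, the target name pas-shared and the 20 GB disk size are assumptions.

```powershell
# Added example (not from the Centrify guide). Three parts, run in three
# places: (1) the shared disk host, (2) each PAS node, (3) the primary node.
# Assumed names (not on the original page): disk host PAS-ISCSI, nodes
# PAS-NODE1/PAS-NODE2, target name pas-shared, a 20 GB virtual disk.

# ---------- (1) On the shared disk host: install and expose the target ----------
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

New-Item -ItemType Directory -Path 'C:\iSCSIVirtualDisks' -Force | Out-Null
New-IscsiVirtualDisk -Path 'C:\iSCSIVirtualDisks\pas-shared.vhdx' -SizeBytes 20GB

# Restrict the target to the two cluster nodes by initiator IQN so that no
# other host on the storage network can attach the database disk.
# (Default Microsoft initiator IQNs; read the real ones with step 2 first.)
$Initiators = @(
    'IQN:iqn.1991-05.com.microsoft:pas-node1.corp.example.com',
    'IQN:iqn.1991-05.com.microsoft:pas-node2.corp.example.com'
)
New-IscsiServerTarget -TargetName 'pas-shared' -InitiatorIds $Initiators
Add-IscsiVirtualDiskTargetMapping -TargetName 'pas-shared' -Path 'C:\iSCSIVirtualDisks\pas-shared.vhdx'

# ---------- (2) On each node: configure the initiator ----------
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
"This node's initiator IQN: $((Get-InitiatorPort).NodeAddress)"   # goes into $Initiators above

New-IscsiTargetPortal -TargetPortalAddress 'PAS-ISCSI'
Get-IscsiTarget | Where-Object { $_.NodeAddress -like '*pas-shared*' } |
    Connect-IscsiTarget -IsPersistent $true     # reconnect automatically after reboot

# ---------- (3) On the primary node only: initialize the disk once ----------
$disk = @(Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' })
if ($disk.Count -ne 1) { throw "Expected exactly one raw iSCSI disk, found $($disk.Count)" }
$disk[0] | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'PAS-Shared' -Confirm:$false
```

Run part (2) on both nodes before part (1) so you can put the real initiator IQNs into $Initiators; if you create the target without -InitiatorIds, any initiator that can reach the portal can attach the disk. Initialize and format the disk from one node only; the secondary node must see the same disk through the cluster, not format it again.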

(Customer-managed deployments only) Install Privileged Access Service

  • Establish temporary name resolution for the primary node.

On the primary server, logged in as a privileged domain user.

  • Install Privileged Access Service on the primary node.

On the primary server, logged in as a Domain Admin.

  • Verify the primary node and clean up the hosts file.

Admin Portal > Settings > Network.

  • Install Privileged Access Service on the secondary server.

On the secondary server, logged in as a privileged domain user.

Installation and Configuration Guide for On-Site Deployment
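The temporary name resolution step and the hosts file cleanup step, scripted with a check before each, as an added example that is not part of the Centrify guide. The service name pas.corp.example.com and the primary node address 10.0.0.11 are assumptions.

```powershell
# Added example (not from the Centrify guide): give the primary node a
# temporary hosts-file entry for the service name during installation, then
# remove it once the name resolves through DNS. Assumed values (not on the
# original page): service name pas.corp.example.com, primary node 10.0.0.11.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Name      = 'pas.corp.example.com'
$Ip        = '10.0.0.11'
$Marker    = '# PAS-TEMP'   # tag so cleanup removes only the line this script added

function Add-TempHostsEntry {
    Copy-Item -Path $HostsPath -Destination "$HostsPath.bak" -Force
    Add-Content -Path $HostsPath -Value "`r`n$Ip`t$Name`t$Marker" -Encoding ASCII
    Clear-DnsClientCache
}

function Remove-TempHostsEntry {
    $kept = Get-Content -Path $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Marker) }
    Set-Content -Path $HostsPath -Value $kept -Encoding ASCII
    Clear-DnsClientCache
}

# Step: temporary name resolution. Resolve-DnsName honours the hosts file by
# default, so this confirms the installer will reach the primary node.
Add-TempHostsEntry
$r = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
if ($r.IPAddress -notcontains $Ip) { throw "$Name does not resolve to $Ip" }

# ... install Privileged Access Service on the primary node and verify it ...

# Step: hosts file cleanup. Only remove the entry once DNS itself (hosts file
# skipped) answers for the name; otherwise the portal stops resolving.
$dns = Resolve-DnsName -Name $Name -Type A -NoHostsFile -ErrorAction SilentlyContinue
if (-not $dns) { throw "Create the DNS record for $Name before removing the hosts entry" }
Remove-TempHostsEntry
"Hosts entry removed; $Name now resolves to $($dns.IPAddress -join ', ') via DNS"
```

A stale hosts entry is easy to forget and silently pins the service name to one node, which defeats failover; the marker and the DNS check are there so the cleanup is both safe and verifiable.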

(Customer-managed deployments only) Configure Windows failover cluster

  • Create and validate the cluster.

Administrative Tools > Failover Cluster Manager > Actions, select Create Cluster, this opens the Failover Cluster Wizard.

Installation and Configuration Guide for On-Site Deployment

  • Configure Privilege Service as a clustered application.

Administrative Tools > Failover Cluster Manager > Actions > Configure Role.

Installation and Configuration Guide for On-Site Deployment
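Cluster validation and creation from PowerShell, added here as an example; the guide itself uses Failover Cluster Manager, and this is not its procedure. The node names PAS-NODE1/PAS-NODE2, the cluster name PAS-CLUSTER and the address 10.0.0.20 are assumptions.

```powershell
# Added example (not from the Centrify guide): validate and create the
# failover cluster from the primary node. Assumed names (not on the page):
# nodes PAS-NODE1/PAS-NODE2, cluster name PAS-CLUSTER, cluster IP 10.0.0.20.

$Nodes       = 'PAS-NODE1', 'PAS-NODE2'
$ClusterName = 'PAS-CLUSTER'
$ClusterIp   = '10.0.0.20'

# Same validation the Create Cluster wizard runs; read the HTML report before
# continuing. Warnings about a single network path matter for a two-node PAS.
$report = Test-Cluster -Node $Nodes -ReportName 'PASClusterValidation'
"Validation report: $report"

# -NoStorage stops the wizard from claiming every shared disk it can see;
# the iSCSI disk is added deliberately on the next line.
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIp -NoStorage | Out-Null
Get-ClusterAvailableDisk -Cluster $ClusterName | Add-ClusterDisk | Out-Null

# Verify: both nodes Up, a quorum configured, the shared disk online.
$down = Get-ClusterNode -Cluster $ClusterName | Where-Object State -ne 'Up'
if ($down) { throw "Cluster nodes not Up: $($down.Name -join ', ')" }

Get-ClusterQuorum -Cluster $ClusterName

$disks = Get-ClusterResource -Cluster $ClusterName | Where-Object ResourceType -eq 'Physical Disk'
if (-not $disks -or ($disks | Where-Object State -ne 'Online')) {
    throw 'Shared disk is missing or not Online in the cluster'
}
$disks | Select-Object Name, State, OwnerNode
```

Configuring Privileged Access Service as the clustered role still follows the guide (Configure Role in Failover Cluster Manager). Afterwards, Get-ClusterGroup -Cluster PAS-CLUSTER should list that role as Online on one of the two nodes.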

(Customer-managed deployments only) Add Centrify connectors

  • Run the Connector Configuration Wizard.

Connector Configuration Wizard.

Installation and Configuration Guide for On-Site Deployment

(Customer-managed deployments only) Test failover

  • Review failover policies.

Vault properties window.

Installation and Configuration Guide for On-Site Deployment

  • Conduct failover tests:
    • Maintenance Mode (drain)
    • Transfer the role to a different cluster node
    • Simulate Disk Failure
    • Simulate Network Failure
    • Stop cisdb-pgsql
    • Stop IIS Web Service (W3SVC)
    • Operations: Node recoverability
    • Operations: Backup
    • Operations: Upgrade
    • Operations: Restore
    • Operations: Recover from replicated file

 

Installation and Configuration Guide for On-Site Deployment

  • Test the Privileged Access Service instance.
  • Back up and restore the Privileged Access Service.

 

Installation and Configuration Guide for On-Site Deployment
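Scripted versions of four of the failover tests listed above (maintenance mode drain, role transfer, stopping cisdb-pgsql, stopping W3SVC), each followed by an automatic check that the clustered role returns to Online, as an added example that is not part of the Centrify guide. The cluster name PAS-CLUSTER and the role (cluster group) name 'Privileged Access Service' are assumptions; the two service names are the ones the checklist lists.

```powershell
# Added example (not from the Centrify guide): run the drain, transfer and
# service-stop failover tests and record who owns the role afterwards.
# Assumed names (not on the page): cluster PAS-CLUSTER, clustered role
# 'Privileged Access Service'. cisdb-pgsql and W3SVC are from the checklist.

$Cluster = 'PAS-CLUSTER'
$Role    = 'Privileged Access Service'

function Wait-RoleOnline {
    param([int]$TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $g = Get-ClusterGroup -Cluster $Cluster -Name $Role
        if ($g.State -eq 'Online') { return $g }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw "$Role did not return to Online within $TimeoutSec s (state: $($g.State))"
}

function Invoke-FailoverTest {
    param([string]$Name, [scriptblock]$Action)
    $before = (Get-ClusterGroup -Cluster $Cluster -Name $Role).OwnerNode.Name
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    & $Action
    $after = Wait-RoleOnline
    '{0,-28} {1} -> {2}  ({3:N0} s)' -f $Name, $before, $after.OwnerNode.Name, $sw.Elapsed.TotalSeconds
}

$owner = (Get-ClusterGroup -Cluster $Cluster -Name $Role).OwnerNode.Name
$other = (Get-ClusterNode -Cluster $Cluster | Where-Object Name -ne $owner | Select-Object -First 1).Name

# 1. Maintenance Mode: drain the owning node (roles move off it), then resume
#    it without failing back so the next test starts from a known state.
Invoke-FailoverTest 'Maintenance Mode (drain)' {
    Suspend-ClusterNode -Cluster $Cluster -Name $owner -Drain | Out-Null
}
Resume-ClusterNode -Cluster $Cluster -Name $owner -Failback NoFailback | Out-Null

# 2. Planned transfer of the role to the other node.
Invoke-FailoverTest 'Transfer role' {
    Move-ClusterGroup -Cluster $Cluster -Name $Role -Node $other | Out-Null
}

# 3./4. Stop the database and web services on the current owner. The cluster
#    should detect the failure and either restart the service or move the role.
foreach ($svc in 'cisdb-pgsql', 'W3SVC') {
    $node = (Get-ClusterGroup -Cluster $Cluster -Name $Role).OwnerNode.Name
    Invoke-FailoverTest "Stop $svc on $node" {
        Invoke-Command -ComputerName $node -ScriptBlock { param($s) Stop-Service -Name $s -Force } -ArgumentList $svc
    }
}
```

The disk and network failure tests are physical or hypervisor actions and are left manual. Run the whole set in a maintenance window, keep the printed before/after owners and recovery times as the test record, and repeat the set after every upgrade so the failover policies reviewed above are known to still work.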

Access the Admin Portal

  • Request a free trial or subscription.

    Note:   This step is not required if you are performing a customer-managed deployment.

https://www.centrify.com/free-trial/

Registering for service

  • Register for a Centrify account with a valid email address. 

    You will receive an “Activate Your Centrify Account” email followed by a “Your Centrify Account Is Ready - Next Steps” email with your account details.

    Your account details include the user name for an administrative account, a temporary password, and a unique customer identifier.

    Note:   This step is not required if you are performing a customer-managed deployment.

Email account

 

Registering for service

  • Log in to the Centrify Admin Portal using the account name, temporary password, and URL from the email notification.

The account used to log on for the first time is a Centrify Directory account and is automatically made a member of the System Administrator role with all administrative rights.

Admin Portal Login Screen

Registering for service

Set and confirm the new password to activate your account.

Admin Portal Login Screen

 

Install the Centrify Connector, Integrate Active Directory or LDAP or Federated Users, and Configure Subnet Mapping

  • Review Connector requirements.
  • Check firewall rules for the connections from the Centrify Connectors to the Privileged Access Service.

If you are using Discovery, check firewall rules to determine if Connectors can connect to potential resources via SMB and RPC over TCP.

Online help

Review the firewall rules

Determining whether you need a connector

Integrating Centrify Privileged Access Service with Microsoft Azure Active Directory

Integrating Centrify Privileged Access Service and Idaptive tenants

Integrating Centrify Privileged Access Service and Okta
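The firewall checks above, run from the prospective connector host, as an added example that is not part of the Centrify documentation. The tenant host name and the two discovery targets are assumptions; the ports are the connector's outbound HTTPS (443) and, for Discovery, SMB (445) and the RPC endpoint mapper (135).

```powershell
# Added example (not from the Centrify guide): from the prospective connector
# host, test the network paths the checklist says to check before installing.
# Assumed values (not on the original page): the tenant host name and the two
# discovery targets. Connector -> PAS is outbound HTTPS (443); Discovery needs
# SMB (445) and RPC (endpoint mapper on 135) to each target.

$Tenant  = 'mytenant.my.centrify.net'
$Targets = 'srv-app01.corp.example.com', 'srv-db01.corp.example.com'

function Test-TcpPath {
    param([string]$Target, [int]$Port, [string]$Purpose)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $Target
        Port    = $Port
        Purpose = $Purpose
        Open    = [bool]$r.TcpTestSucceeded
    }
}

$results = @(Test-TcpPath -Target $Tenant -Port 443 -Purpose 'Connector -> PAS (HTTPS)')

foreach ($t in $Targets) {
    $results += Test-TcpPath -Target $t -Port 445 -Purpose 'Discovery (SMB)'
    $results += Test-TcpPath -Target $t -Port 135 -Purpose 'Discovery (RPC endpoint mapper)'
}

$results | Format-Table -AutoSize

# RPC negotiates a dynamic port (49152-65535 by default on modern Windows)
# after the endpoint-mapper handshake, so 135 being open is necessary but
# not sufficient; if Discovery still fails, check that range as well.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ('Blocked: ' + (($blocked | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '))
} else {
    'All tested paths are open'
}
```

The connector initiates its connection to the service, so the first row only needs an outbound rule; do not open inbound rules toward the connector host for this path. The SMB and RPC rows are the lateral paths that let the connector reach candidate systems, and they are the ones worth scoping to the connector's address rather than opening broadly.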

  • Select a host computer to install the Centrify Connector.

Network

Configuring the Centrify Connector

  • On the host computer, log in to the Admin Portal and select to add a connector and complete installation.

    Installing the Centrify Connector integrates your Active Directory/LDAP service with Privileged Access Service. The connector allows you to specify groups whose members can enroll and manage devices. It also monitors Active Directory/LDAP for group policy changes, which it sends to Privileged Access Service to update enrolled devices.

Admin Portal > Settings > Network > Centrify Connector

Installing a Centrify Connector

  • Map a subnet pattern to a selected set of connectors.

Admin Portal > Settings > Resources > System Subnet Mapping

Mapping system subnets to connectors

(Optional) Customize the Admin Portal

  • Customize settings such as login suffix and tenant URLs.

Admin Portal > Settings > General

Settings UI fields

  • Configure additional customization such as logos and colors for the Admin Portal.

Admin Portal > Settings > General > Account Customization

 

How to customize the admin and login window

Add Corporate IP Range

  • Add IP ranges to identify internal and external networks which can be used to specify authentication requirements.

Admin Portal > Settings > Network > Corporate IP Range > Add

How to set Corporate IP ranges

Add Users and Roles to the Centrify Directory

  • Manually create additional System Administrator accounts in the Centrify Cloud Directory.

    You can add Active Directory users in later steps (after you configure the Centrify Connector).

    Manually create Centrify Directory user accounts in the Centrify Cloud Directory.

    You can also bulk import Centrify Directory user accounts; see How to Bulk import user accounts.

Admin Portal > Access > Users

Creating individual directory service users

  • Add System Administrator accounts to System Administrator roles.
  • Add Centrify Directory user accounts to roles.

By default, users are added to the Everybody role. You can add additional roles with different Administrative rights to control access over who can do what or which policies should be applied to different groups of users.

Admin Portal > Access > Roles

Adding roles

Configure Policies

  • Configure user security for Privileged Access Service, such as password-based authentication. In particular, be sure to configure:
    • Authentication Policies > Centrify Services
    • User Security Policies
    • Devices

Admin Portal > Access > Policies

How to create a policy set and assign it to users

Reference content — Roles

  • Configure multi-factor authentication if applicable:
    • For MFA with mobile device phone numbers: check that the phone number attributes exist and are provisioned in the directory source (Active Directory, federation, etc.)
    • For MFA with email: check that the email attributes exist and are provisioned in the directory source (Active Directory, federation, etc.)
    • For RADIUS for MFA: configure RADIUS
    • For OATH for MFA: configure OATH

 

 

(MFA mobile) Identity store—such as Active Directory or another LDAP-based service.

(MFA email) Identity store—such as Active Directory or another LDAP-based service

(RADIUS) Access > Policies > User Security Policies > RADIUS

Also refer to your RADIUS client documentation for additional configuration procedures and guidelines.

 

(OATH) Access > Policies > User Security Policies > OATH OTP

Exact configuration steps are dependent on your OATH method.

 

 

How to configure MFA for Third Party Integration

Configuring the Centrify Connector for use as a RADIUS server

How to configure OATH OTP

  • Configure global security settings such as frequency of password rotation, minimum password age, how long passwords can be checked out, etc.

Admin Portal > Settings > Resources > Security Settings

How to set authentication security options

Configure Password Profiles

  • Customize password profiles for systems, domains, and databases.

     

Admin Portal > Settings > Resources > Password Profiles

 

 

Configuring password profiles

Add and Configure Resources

Add resources, such as Systems, Databases, Domains, Accounts, Secrets, SSH keys, Services, that you want managed by the Privileged Access Service using one of the following methods:

  • Import function (Admin Portal Import function or through PowerShell)
  • Discovery (for Systems and Accounts only)

If you are using Discovery, identify an Active Directory account with local administrator permissions on the resources to be discovered. Because this account is a local administrator on every system it touches, dedicate it to Discovery and manage it as a vaulted account once the service is running.

  • Manually

 

(Import) Admin Portal > Resources > Systems > Import, or GitHub to download the PowerShell script.

 

(Discovery) Admin Portal > Discovery > Systems and Accounts or Alternate Accounts > Profiles

 

(Manually) Admin Portal > Resources > Systems, Databases, Domains, Accounts, Secrets, SSH keys, or Services

Importing systems, accounts, domains, databases

Discovering systems

Using the wizard to add systems

Configure service settings for the following:

  • Accounts used to run Windows services or scheduled tasks
  • IIS application pools
  • Multiplexed accounts used to rotate the password for service accounts

Admin Portal > Resources > Services

Managing services

Configure permission access for resources.

  • Individual (all)
  • Global (Systems and Accounts)
  • Sets (all)

(Individual) Admin Portal > Resources > select resource type > Permissions

(Global) Admin Portal > Access > Global Account Permissions or Global System Permissions

(Sets) Admin Portal > Resources > select resource type> Sets

Individual

Setting system-specific permissions

Setting domain-specific permissions

Setting database-specific permissions

Setting secret, folder, and set permissions

Setting service-specific permissions

Global

Setting global account permissions

Setting global system permissions

Sets:

See Individual references above.

 

Configure Web Apps

  • Add web applications to the Admin Portal app catalog.
  • Configure application settings.
  • Assign roles to the application.

Admin Portal > Apps > Add Web Apps

Adding web applications by using the Admin Portal

Configure Desktop Apps

  • Add desktop applications to the Admin Portal app catalog.
  • Configure application settings.
  • Assign roles to the application.

Admin Portal > Apps > Add Desktop Apps

Adding Desktop Apps using the Admin Portal

(Optional) Configure Workflow

Configure workflow (request and approval access) for Web applications, desktop applications and accounts.

  • Configure roles for requestors and approvers
  • Enable workflow for an application or an account
  • Add approver

To simplify the process of configuring a “request and approval” workflow, you can enable workflow for all accounts stored in the Privileged Access Service.

Applications:

Admin Portal > Web Apps or Desktop Apps > select application > Workflow

Accounts:

Admin Portal > Resources > Accounts > select account > Workflow

Global Account Configuration:

Admin Portal > Settings > Resources > Global Account Workflow

Managing application access requests

Enabling request and approval workflow

Configuring global account workflow

(Optional) Configure Zone Role Workflow (requires Authentication Service and Privilege Elevation Service)

  • Configure Zone Role Workflow (request and approval access) for Systems and Domains.
  • Configure roles for requestors and approvers.
  • Enable Zone Role Workflow for all computers in a domain.
  • Add approver

Systems must be joined to a zone.

Systems:

Admin Portal > Resources > Systems > select system > Zone Role Workflow

Domains:

Admin Portal > Resources > Domains > select domain > Zone Role Workflow

Using zone role workflow

Configure Remote Access Kit

  • If you require remote access to systems using PuTTY or local RDP, install a local client kit and enable access for individual users.

Admin Portal > Settings > Resources > User Preferences

Selecting user preferences

Enable Auditing for remote sessions

  • Create an audit installation and verify that the environment is working. 
  • Enable auditing and specify the installation name for the systems you manage in the Admin Portal.

See the Audit and Monitoring Checklist for additional details.

 

Admin Portal > Settings > Resources > DirectAudit

Enabling auditing for remote sessions

Install Centrify Clients

Install the Centrify Client for Linux or the Centrify Client for Windows to allow computer accounts to run services and to check out account passwords that are stored in the Privileged Access Service.

Admin Portal > Downloads

Installing and using the Centrify Client for Windows

Enrolling and managing computers using Centrify Clients for Linux

Educate end users

Educate end users on how to:

  • Configure a user profile
  • Register devices
  • Launch web and desktop apps

 (User profile) Click Profile under your user name in the Admin Portal.

(Register devices) Click Profile > Devices > Add Device under your user name in the Admin Portal.

(Launch Apps) Admin Portal > Apps > Web Apps or Desktop Apps

Using the tabs

Launching applications

Selecting actions for desktop apps