Authentication if managing the service on-site

If you have installed Privileged Access Service on your internal network and are managing the service yourself, you can define authentication profiles that use most of the same challenges as when the Privileged Access Service is deployed as a -based service. However, some challenges—such as the Email configuration code and text message confirmation code—require you to configure settings to support outgoing email and SMS-based text messaging.

You can configure the settings for a custom Simple Mail Transport Protocol (SMTP) mail server and a Twilio in the Admin Portal. To support the Mobile Authenticator as a challenge, you must have a properly registered mobile device. For details about post-installation configuration steps when you deploy Privileged Access Service as an on-site service, see the Installation and Configuration Guide for On-Site Deployment.

To add an authentication rule and profile for password checkouts:

  1. In the Admin Portal, click Resources, then click Accounts to display the list of accounts.
  2. Click Local Accounts, Domain Accounts, or Database Accounts to select the type of account you want to modify.
  3. Select an account to display the account-specific details.
  4. Click Policy.
  5. Under Password Checkout Challenge Rules, click Add Rule.
  6. Click Add Rule to define the conditions to evaluate to determine the authentication profile to use when users attempt to check out an account password.

    For example, click Add Rule, select a condition such as IP Address and outside of the corporate range, then click Add. You can add more than one condition to the rule. However, all conditions must be true for the rule to apply.

  7. Select the authentication profile to use when all of the conditions you specify are true, then click OK.

    • You can select any existing authentication profile if an appropriate profile has been previously-defined in the Admin Portal for the Centrify Privileged Access Service.
    • You can select Not Allowed as the authentication profile if you want to prevent password checkouts when the conditions for this authentication rule are met. For example, you might want to select Not Allowed to prevent password checkouts when the request comes from an IP address outside of the corporate IP range.
    • You can select Add New Profile if you want to create a new authentication profile to use when the selected conditions.

    If you are adding a new authentication profile, type a profile name, select the types of authentication challenges to present, set the challenge duration time to specify how long a previously‑satisfied authentication challenge is valid, then click OK. For information about creating authentication profiles and specifying the types of authentication challenges for the authentication profiles you define, see Creating authentication rules and Creating authentication profiles.

  8. Click OK to save the authentication rule and it corresponding authentication profile.

  9. Select the default password checkout authentication profile to use if no conditions matching the authentication rules are met.