Establishing a connector identity for multi-factor authentication

In order to enable multi-factor authentication for Centrify-managed UNIX and Linux machines, the connector must validate the machine credentials using the Integrated Windows Authentication (IWA) service. To use the IWA service, your connectors must be configured to use an HTTPS-enabled port.

To configure connectors to use an HTTPS-enabled port, you must either download a host certificate issued by Centrify, or upload a host certificate issued by a Certificate Authority already trusted by your environment.

To configure Windows computers for multi-factor authentication, you must establish an initial trust relationship between the Windows machine and the Centrify connector. Since the connector accesses the IWA service through a secure HTTPS channel, you must validate the correct certificate during installation when enabling multi-factor authentication for login.

If you are operating in an evaluation environment, and cannot easily set up the required certificate trust relationship, you have the option to skip this step during installation and trust your own connector without enrolling in the IWA service. In this case, the computer is connected directly to the Centrify Identity platform, and multi-factor authentication can be enabled. Note, however, that this should only be done in an evaluation environment, as it has serious security implications in a live production environment.

If you have chosen not to establish the trust relationship, but wish to do so in the future, you can either leave and then rejoin a zone if you are joined to one, or you can disable and then re-enable multi-factor authentication for login to launch the configuration wizard.

To configure a connector to use a Centrify-issued root certificate

  1. In the Admin Portal, click Settings > Network.
  2. Select the connector you want to configure, and choose Modify from the Actions menu.
  3. In IWA Service, click Download your IWA root CA Certificate to retrieve the public certificate for the tenant-specific CA certificate issued by Centrify.
  4. Click Download to download the host certificate issued by Centrify for your connector.

You can export the IwaTrustedRoot.cer trusted root CA certificate issued by Centrify and manually install it on a local computer, or use group policy to distribute the certificate file as a trusted root certificate to multiple computers.

Note:   Centrify Express users cannot use group policies to distribute certificates in bulk to UNIX and Linux computers. To distribute the certificates, you must download and install the certificate in the appropriate directory on each computer.

To import the certificate manually to a local Windows computer

  1. Right-click the certificate you downloaded in To configure a connector to use a Centrify-issued root certificate.
  2. Select Install Certificate to start the Certificate Import Wizard.
  3. Select Local Machine and click Next.
  4. Select Place all certificates in the following store and click Browse.
  5. Select Trusted Root Certification Authorities and click OK.
  6. Click Next and then Finish to complete the Wizard.

    A Windows Security Warning may be displayed. Click Yes to finish installing the certificate.
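The same import as the wizard steps above, done from an elevated PowerShell prompt, with the checks an administrator should make before trusting a root: this is an added example, not Centrify's own script, and the file path and expected thumbprint are placeholders you replace with the values from your Admin Portal download.

```powershell
# Added example (not from the Centrify documentation): verify the downloaded IWA
# root CA certificate, place it in Local Machine > Trusted Root Certification
# Authorities, and confirm the import. Run from an elevated prompt.
# Placeholders: the file path and the thumbprint obtained out of band.
$CerPath = 'C:\Temp\IwaTrustedRoot.cer'
$ExpectedThumbprint = '<THUMBPRINT-FROM-ADMIN-PORTAL>'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# A trusted root must be self-signed and must assert the CA basic constraint.
$isSelfSigned = ($cert.Subject -eq $cert.Issuer)
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$isCa = ($null -ne $bc) -and $bc.CertificateAuthority

if (-not $isSelfSigned -or -not $isCa) {
    throw "Refusing to install: $CerPath is not a self-signed CA certificate (Subject: $($cert.Subject))."
}
# Compare against the thumbprint you recorded from the portal, not from the file itself.
if ($cert.Thumbprint -ne $ExpectedThumbprint.Replace(' ', '').ToUpper()) {
    throw "Refusing to install: thumbprint $($cert.Thumbprint) does not match the expected value."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Refusing to install: certificate expired on $($cert.NotAfter)."
}

# Equivalent of selecting Local Machine and Trusted Root Certification Authorities in the wizard.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the certificate is now present in the Local Machine trusted root store.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) {
    Write-Output "Installed trusted root: $($installed.Subject) ($($installed.Thumbprint))"
} else {
    throw "Import reported success but the certificate was not found in Cert:\LocalMachine\Root."
}
```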

To export the certificate for bulk Group Policy distribution

  1. Select the trusted root certificate you downloaded, right-click, then click Open.
  2. Click the Details tab and click Copy to file to start the Certificate Export Wizard, then click Next.
  3. Select DER encoded binary X.509 (.CER) as the file format, then click Next.
  4. Click Browse to select a location on the local server, type a file name and click Save, then click Next.
  5. Click Finish.

To distribute the certificate using group policy

  1. Open Group Policy Management to select the group policy object that defines the IP Security policies, then click Edit.
  2. Click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
  3. Select Trusted Root Certification Authorities, right-click, and select Import to open the Certificate Import Wizard.
  4. Click Next on the Welcome screen.
  5. Browse to find the root certificate you downloaded, then click to accept the default values on each screen.
  6. Click Finish to complete the wizard.

    The root certificate is now in the Active Directory Trusted Root Certification Authorities container. Group policy publishes all certificates in this container to computers joined to the domain. You can also run the gpupdate command from a command prompt to push the certificates to the computers in the domain.

Using a host certificate not issued by Centrify

If you want to use integrated Windows authentication over an HTTPS-enabled port with a certificate issued by a certificate authority (CA) that is trusted by your organization, you must upload the host certificate to the Identity platform instance to ensure the computer credentials can be validated for secure communication between the connector and the authentication server.

To use an existing host certificate for a connector

  1. In the administrative portal, click Settings > Network.
  2. Select the connector you want to configure, and choose Modify from the Actions menu.
  3. Click IWA Service.
  4. Click Upload and navigate to the location of the certificate trusted by your organization.

This certificate must be trusted by both the local computer and the Identity platform instance.

Note:   You may get the following error while enrolling a Windows agent/machine into the cloud-based CIS with debugging enabled:

    Failed to auto-enroll to the cloud: System.Net.Http.HttpRequestException:
    An error occurred while sending the request. ---> System.Net.WebException:
    The underlying connection was closed: Could not establish trust relationship for
    the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
    The remote certificate is invalid according to the validation procedure.

If you see this error, check the trusted root CA store on the local machine: the server may not have the corresponding DigiCert Global Root CA certificate installed. If it is missing, export the certificate from the local machine and import it on the server. After that, you should be able to enroll the server.
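To find out which root the failing machine is missing before exporting anything, the following added PowerShell (not part of the Centrify documentation) performs the same chain validation Windows applies to the connector's HTTPS certificate and reports the top of the chain; the connector host name and port are placeholders.

```powershell
# Added example (not from the Centrify documentation): reproduce the trust check
# behind "Could not establish trust relationship for the SSL/TLS secure channel"
# and report the root CA that must be present in Cert:\LocalMachine\Root.
$ConnectorHost = 'connector.example.com'   # placeholder: the connector's FQDN
$Port = 443                                 # placeholder: the HTTPS-enabled IWA port

# Open a TLS connection and capture the certificate the connector presents.
# The callback accepts any certificate here only so that the chain can be
# inspected explicitly below; the result is not used for anything else.
$tcp = New-Object System.Net.Sockets.TcpClient($ConnectorHost, $Port)
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($ConnectorHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Dispose()

# Build the chain with this machine's stores, as the enrolling agent would.
# Revocation checking is disabled so that only the trust question is answered.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($serverCert)

Write-Output "Server certificate: $($serverCert.Subject)"
Write-Output "Issued by:          $($serverCert.Issuer)"
foreach ($el in $chain.ChainElements) {
    Write-Output ("  chain element: {0} [{1}]" -f $el.Certificate.Subject, $el.Certificate.Thumbprint)
}

if ($trusted) {
    Write-Output 'Chain builds to a trusted root on this machine.'
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Output "Chain NOT trusted: $status"
    Write-Output "Top of chain: $($top.Subject) [$($top.Thumbprint)]"
    $inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    if (-not $inRoot) {
        Write-Output 'This certificate is not in the Local Machine Trusted Root Certification Authorities store.'
    }
}
```

Run it on a machine where enrollment works and on the failing server and compare the top-of-chain line; the root reported on the working machine is the one to export and import.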