Configuring roles and rights to use multi-factor authentication

You can prepare for multi-factor authentication before or after installing the authentication, privilege elevation, and audit and monitoring services components. The steps in this section summarize what to do to finish configuring multi-factor authentication for login access and for command execution on computers in hierarchical zones. You can use Access Manager, adedit, or Access Module for PowerShell scripts to complete most of the following steps.

For more information about performing these tasks, see the following documentation:

  • Planning and Deployment Guide
  • Administrator’s Guide for Linux and UNIX
  • Administrator’s Guide for Windows

For example, see the Administrator’s Guide for Linux and UNIX for more detailed information about how to create zones, configure role definitions, and add command rights for Linux and UNIX computers.

To configure multi-factor authentication

  1. Install Access Manager and other components.

  2. Create at least one hierarchical zone.

  3. Verify the Identity platform instance URL for the zone by displaying the zone properties, then clicking the Platform tab.

    If necessary, you can click Browse to select a different Identity platform instance if you have access to more than one customer-specific Identity platform instance URL.

  4. Assign the predefined require MFA for login role definition to the Active Directory users who have access to computers where you want to require multi-factor authentication and who are already assigned the UNIX Login or Windows Login role. This role only adds the multi-factor requirement; it does not by itself grant login, so it is assigned in addition to the existing login role.

    Alternatively, you can create one or more custom UNIX or Linux role definitions that include the Require multi‑factor authentication system right. Note that you can also use the Access Module for PowerShell to set the system right described in this step.

  5. Define the command rights you would like to add to the role and, for each right that should require multi-factor authentication before the command runs, select the Require multi‑factor authentication re‑authentication option on the Attributes tab.

    After you create rights that require multi-factor authentication, add the rights to the appropriate role definitions and assign the roles to the appropriate Active Directory users.

    Note that you can also use the Access Module for PowerShell to require multi-factor authentication for command execution.

  6. Refresh the agent.

    For a UNIX computer requiring multi-factor authentication, run adflush -f (or restart the agent) so that the agent cache picks up the new role assignments and rights, then test multi-factor authentication for login access and command execution.

    For a Windows computer requiring multi-factor authentication, run dzrefresh from a command prompt. Depending on your permission settings, you may need to open the command prompt using “Run as administrator.”

Note: When you initially update or install the Centrify Agent for Windows and configure multi-factor authentication for login, there may be a slight delay while the cache refreshes. During this short period, users who are required to use multi-factor authentication to log in may only be asked for their Active Directory credentials. When they log out from their machine, the cache will have refreshed, and they will then be required to use multi-factor authentication in future login attempts.
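The following script is an added example that carries out steps 4 and 5 of the procedure above with the Access Module for PowerShell; it is not code from the Centrify documentation or product. The zone name, user name, command pattern, and right and role names are placeholders. The cmdlet names used (Get-CdmZone, Get-CdmRole, New-CdmRole, Set-CdmRole, New-CdmCommandRight, Add-CdmCommandRight, New-CdmRoleAssignment, Get-CdmRoleAssignment) are the module's documented cmdlets, but the parameters that map to the Require multi-factor authentication system right on the role and to the re-authentication option on the command right are assumptions flagged in the comments; confirm them with Get-Help before running against a production zone.

```powershell
# Added example, not part of the original page. Placeholders and assumed
# parameter names are marked; verify each cmdlet with Get-Help <cmdlet> -Full.
Import-Module Centrify.DirectControl.PowerShell

$zone = Get-CdmZone -Name "HQ"        # placeholder: an existing hierarchical zone
$user = "EXAMPLE\jdoe"                # placeholder: AD user who already holds UNIX Login

# Step 4: stack the predefined role on a user who already has a login role.
# The predefined role carries only the Require multi-factor authentication
# system right, so it must be assigned in addition to UNIX Login / Windows Login.
$mfaLogin = Get-CdmRole -Zone $zone -Name "require MFA for login"
New-CdmRoleAssignment -Zone $zone -Role $mfaLogin -TrusteeType ADUser -ADTrustee $user

# Step 4 (alternative): a custom UNIX role that sets the same system right.
# -RequireMfa is an ASSUMED parameter name for that system right.
$customRole = New-CdmRole -Zone $zone -Name "mfa-custom-login" -Description "Custom role requiring MFA for login"
Set-CdmRole -Role $customRole -RequireMfa $true

# Step 5: a command right that demands MFA re-authentication before execution.
# -Authentication MultiFactor is an ASSUMED name/value for the Attributes-tab
# option "Require multi-factor authentication re-authentication".
$right = New-CdmCommandRight -Zone $zone -Name "restart-sshd" `
    -Pattern "systemctl restart sshd" -MatchPath "/usr/bin" `
    -Authentication MultiFactor

# Add the right to a role and assign that role to the user.
$cmdRole = New-CdmRole -Zone $zone -Name "mfa-sshd-restart" -Description "Restart sshd with MFA"
Add-CdmCommandRight -Role $cmdRole -CommandRight $right
New-CdmRoleAssignment -Zone $zone -Role $cmdRole -TrusteeType ADUser -ADTrustee $user

# Check: list the role assignments now in effect in the zone before refreshing
# the agent (step 6) and testing an actual login and command run.
Get-CdmRoleAssignment -Zone $zone | Format-List
```

After the script runs, complete step 6 on a target computer (adflush -f on UNIX, dzrefresh on Windows) and test with the assigned user: the login should prompt for the second factor, and the sshd restart command should prompt again before it executes. If either prompt does not appear, compare the assumed parameter names against the module's Get-Help output before looking elsewhere.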