Configuration Options for Windows Computers

The following sections describe multi-factor authentication configuration options for Server Suite-managed Windows computers. In addition to these options, you can use group policies to customize basic operations for connecting to the Delinea Platform and multi-factor authentication on Windows computers. For more information on these group policies, please see the Group Policy Guide.

You can find the group policies for multi-factor authentication and the grace period on Windows computers in the Group Policy Management Editor under Computer Configuration > Centrify Settings > Windows Settings > MFA Settings.

To set the grace period, use the following group policies:

  • Configure multi-factor authentication lock screen grace period

    This group policy enables the grace period for the lock screen.

  • Configure multi-factor authentication user privilege elevation grace period

    This group policy allows the administrator to set the grace period for privilege elevation for users.

Reset Password

Password reset is a very popular self-service capability for Identity and Access Management solutions: it reduces calls to the help desk and enables users to become productive quickly. The system allows the user to make a limited number of password reset requests within a specified period.

This feature does not enable the user to unlock their account.

To reset your password (user instructions):

  1. On the login screen, click the Forgot Password link.

    A prompt appears asking for the user name. (If the user already entered their user name on the login screen, it appears in this field.)

  2. Complete the MFA challenges, which are based on the password reset profile.

  3. A new prompt asks you to enter a new password and confirm it.

    After resetting the password, you can log in using the normal login screen.

Disable Self-Service Password Reset

This group policy allows the administrator to force disabling of the self-service password reset feature. There are two settings for this group policy:

  • Enabled: The self-service password reset feature on the machine is disabled, including the cloud-enabled self-service password reset.

  • Disabled or Not Configured: The self-service password reset feature on the machine follows the cloud policy setting (found at Policy Settings > User Security Policies > Self Service > Password Reset). The cloud policy settings are accessed through the Admin Portal.

    The Admin Portal is available after you log in to a Delinea Platform instance.

Configure Offline Multi-factor Authentication and Rescue Users

When a Windows computer that is running a Server Suite Agent is not configured to use multi-factor authentication, you can use a local account to rescue that system when it cannot connect to the Delinea Platform.

Local users are not required to complete an MFA challenge. When Windows is not in safe mode:

  • With the Privilege Elevation Service (zone mode), a local user can log in without MFA whenever the computer cannot connect to the Centrify Platform. The exception is a local user who is not assigned a role for either "Window login permit" or "rescue user."
  • Without the Privilege Elevation Service (zoneless mode), a local user is allowed to log in without MFA.

When Windows is in safe mode, a local user can only log in as a rescue user. To set a rescue user for zone mode, assign the role through Access Manager. To set a rescue user for zoneless mode, configure it through group policies.

If a computer that is joined to a zone starts in Safe Mode, only users who are assigned a Login role with the system rescue right selected will be able to access the machine. These users will not be required to use multi-factor authentication.

Users who are required to use multi-factor authentication to log in to their Windows workstations can set up an offline MFA profile to use as a second form of authentication in the event that their machine cannot connect to the Delinea Platform. These users will see a system notification urging them to set up this passcode each time they log in to their machine until they configure it.

To set up an offline MFA profile:

  1. Right-click the Delinea notification icon in the system notification area, and select Setup Offline MFA Profile.

  2. Click Next to begin the Offline Authentication Wizard.

  3. Select one of the following methods to create an authenticator account profile on your mobile device:

    • Scan barcode

      If you select this option, a QR code is displayed for you to scan using your mobile authenticator application. You can use either the Delinea application or a third-party authenticator application.

    • Manual entry

      If you select this option, you must manually enter the displayed account profile information into your authenticator application.

    • Program YubiKey

      If you select this option, you can use a YubiKey as the second form of authentication. You'll then need to select which slot on the YubiKey to use, and whether or not to use YubiKey's touch-to-sign feature.

  4. Enter the passcode that is generated after you have created your authenticator profile. Click Next.

  5. Click Finish to exit the Wizard.

After a user has set up their offline MFA profile, whenever they attempt to log in to their machine while it cannot connect to the Delinea Platform instance, they are prompted to enter the passcode generated by their authenticator application or YubiKey as the second form of authentication.

If you have already set up your offline MFA profile and want to reconfigure (override) it, you will be prompted for multi-factor authentication first. The MFA profile used for that prompt is the one set in the MFA Login Policy.
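Because the offline profile enrolled above works with third-party authenticator applications, the following added example (not Delinea's code, and not a description of the agent's implementation) assumes the profile is a standard time-based one-time password profile in otpauth URI form (RFC 6238 TOTP with a base32 secret). The profile URI, issuer and account name are constructed; the secret is the RFC 6238 reference key, so the codes can be checked against the RFC's published vectors. It shows what a workstation has to store and do to verify a passcode with no connection to the platform: parse the enrolled profile, compute the expected code for the current and adjacent 30-second steps, compare in constant time, and refuse a code that was already accepted for that step.

```python
"""Offline TOTP verification (RFC 6238): what verifying an "offline MFA profile"
passcode looks like once the profile is enrolled from a QR code or manual entry."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample profile in otpauth URI form (assumption: the offline profile
# is standard TOTP). The secret is the RFC 6238 reference key "12345678901234567890"
# in base32, so results can be checked against the RFC's test vectors.
SAMPLE_PROFILE_URI = (
    "otpauth://totp/ExampleOrg:alice%40example.test"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleOrg"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_profile(uri: str) -> dict:
    """Extract the fields an authenticator app reads from a TOTP provisioning URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper()
    b32 += "=" * (-len(b32) % 8)          # apps often omit base32 padding
    return {
        "account": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "algorithm": getattr(hashlib, q.get("algorithm", "SHA1").lower()),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(profile: dict, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(profile["secret"], unix_time // profile["period"],
                profile["digits"], profile["algorithm"])


class OfflineVerifier:
    """Verifier state a workstation would keep per enrolled profile."""

    def __init__(self, profile: dict, window: int = 1):
        self.profile = profile
        self.window = window          # accept +/- this many steps of clock skew
        self.last_counter = -1        # highest step already consumed (replay guard)

    def verify(self, candidate: str, unix_time: int) -> bool:
        if not (candidate.isascii() and candidate.isdigit()):
            return False
        base = unix_time // self.profile["period"]
        matched = None
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            expected = hotp(self.profile["secret"], counter,
                            self.profile["digits"], self.profile["algorithm"])
            # constant-time comparison; keep looping so timing does not reveal the offset
            if hmac.compare_digest(expected, candidate) and counter > self.last_counter:
                matched = counter
        if matched is None:
            return False
        self.last_counter = matched   # a code is valid once; re-use for that step is rejected
        return True


if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE_URI)
    v = OfflineVerifier(p)
    code = totp(p, 59)
    print(p["account"], code, v.verify(code, 59), v.verify(code, 59))
```

The replay guard is what distinguishes a verifier from a code generator: an attacker who shoulder-surfs a passcode gains nothing once that step has been consumed, and the skew window keeps a slightly drifted workstation clock from locking out a legitimate user.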

Require Multi-Factor Authentication using Computer Roles

Computer roles can enable you to group and provide access to computers through role assignments. One strategy you might find useful is to use computer roles to control where multi-factor authentication should apply. For example, you might have several computers with highly sensitive material where you want to ensure all user access will require multi-factor authentication. To accomplish this goal, you can configure a computer role, then add and remove computers with sensitive information to control whether multi-factor authentication is required.

To require multi-factor authentication based on a computer role

  1. Open Access Manager.

  2. Expand Zones and the individual parent or child zones required to select the zone name that will contain the new computer role.

  3. Expand Authorization to select Computer Roles, right-click, then click Create Computer Role.

  4. Type the role name and, optionally, a role description, then select <Create group> for the Computer group to create a new Active Directory group for computers.

    For example, to create a new Active Directory security group for the computers with sensitive information, click Browse to select the Active Directory location for the new group. If you are using the default deployment structure, you would browse to a location similar to acme.sales.org/ACME/Computer Roles, then type a group name such as mfa_required_consoles, select a scope, and click OK.

  5. Click OK to save the new computer role.

  6. Add the computers that require multi-factor authentication for access to the mfa_required_consoles Active Directory security group.

    As you add computers to the Active Directory security group, the computers are listed as Members of the computer role.

  7. Expand the computer role you created in Step 4, select Role Assignments, right-click, then select Assign Role.

    For example, if you created a new computer role with the role name CR_MFA_required, expand that computer role name to select Role Assignments, right-click, then select Assign Role.

  8. Select the predefined require MFA for login role definition, then click OK.

  9. Select All Active Directory accounts, then click OK.

Using Multi-Factor Authentication when there are Selective Cross-Forest Trusts

If you have domains in different forests that have a two-way selective trust relationship, any computer or user accounts that are used to log on to the remote forest must be granted the “Allowed to authenticate” right on the domain controllers in both forests to get role information.

In addition to granting the “Allowed to authenticate” right to users and to computers with the Server Suite Agent for Windows installed, the right must also be granted to computers that host your Cloud Connectors.

After you grant these computers and users the “Allowed to authenticate” right for the domains in both forests, users who are assigned a role with a multi-factor authentication right for login and privilege elevation will be able to authenticate using any of the authentication mechanisms that you have assigned to them.

If a connector is not allowed to authenticate on the remote domain controller, some multi-factor authentication mechanisms may fail to authenticate users.

Configuring MFA with RADIUS for Privilege Elevation Service for Windows Checklist

This document provides a configuration checklist for third-party multi-factor authentication providers such as Duo, Okta, SecurID (or any other vendor that provides a RADIUS service) to provide identity validation with the Privilege Elevation Service on the Microsoft Windows platform.

If you have an identity service provider (such as Duo, Okta, SecurID, and so forth) that you use for MFA logins, you can integrate authentication and privilege elevation with your identity provider and the RADIUS protocol to require MFA for privilege elevation tasks, such as Run with Privilege and New Desktop.

Make sure that you work with your RADIUS expert along with your network and directory services lead administrators during the design and configuration tasks.

The checklist below includes links to documented procedures.

If you use Privileged Access Service, although you can enable MFA with RADIUS, the recommended practice is that you use the native integration.
The checklist is organized as numbered steps, with notes under each step where they apply.

RADIUS requirements

  1. Gather the following settings for your RADIUS service:

    • IP address or fully qualified domain name
    • Port
    • Timeout settings
    • Pre-shared secret

  2. Verify that you can generate a RADIUS one-time password successfully.

  3. Verify that identity authentication is working correctly with your RADIUS system.

  4. Have access to someone who is knowledgeable about your RADIUS system and can answer questions or help troubleshoot issues, if needed.

Windows and Active Directory requirements for RADIUS configuration

  5. Identify a Windows computer to use as a RADIUS client for initial testing, including:

    • Client name
    • Client IP address

  6. Make sure that client systems can reach the RADIUS server over the network (check your firewall settings). You may also need help from your network team if your RADIUS cluster has a load balancer in the front end.

  7. You have administrative access to the designated Windows computer so that you can install software and configure it.

  8. You have Active Directory account access so that you can modify group policies that apply to the target computer.

  9. You have access to the Group Policy Management Console.

  10. Your Active Directory expert must decide how the group policy layout and scope will be designed so that the group policies are applied to clients based on their RADIUS service availability.

Authentication and Privilege Elevation Services requirements for RADIUS configuration

  11. The Access Manager console is installed on the client computer. For details, see "Run the setup program on a Windows computer" in the Administrator’s Guide for Windows.

  12. The Agent for Windows is installed on the client system, and you have configured the system to work with the Privilege Elevation Service, including joining the computer to a zone. For details, see "Install agents for Windows" in the Administrator’s Guide for Windows.

  13. You have administrative access to Access Manager so that you can manage roles and rights.

  14. The group policy templates from release 19.6 or later are installed. For RADIUS configuration, you need at least the Centrify Windows Settings group policies. For details, see "Install group policy extensions separately from Access Manager" in the Administrator’s Guide for Windows.

  15. If you want to capture the RADIUS events in your SIEM system, make sure the audit trail is configured to go to the local log file.

    In GPME, go to Computer Configuration > Policies > Centrify Audit Trail Settings > Centrify Global Settings > Send audit trail to log file (this is not configured by default). For details, see "Send audit trail to log file" in the Group Policy Guide.

  16. You have a role and user to test with. Make sure the role has rights for privilege elevation, such as New Desktop rights or Run as Role. Make sure that you can elevate privileges successfully for that user and role before you try to configure RADIUS authentication.

Configure a system to use RADIUS for privilege elevation (using group policies)

  17. Enable and configure the RADIUS group policies. Configure the following group policies:

    • Windows > MFA Settings > Specify the authentication source for privilege elevation: set this policy to RADIUS Authentication.
    • Windows > MFA Settings > Remote Authentication Dial-In User Service (RADIUS) Settings > Enable Remote Authentication Dial-In User Service (RADIUS): enable this policy.
    • Specify the RADIUS connection timeout: configure this to match your RADIUS timeout setting.
    • Specify the RADIUS server IP address: enter your RADIUS IP address.
    • Specify the RADIUS server port number: enter your RADIUS port number (the default is 1812).

    For details, see "Remote Authentication Dial-In User Service (RADIUS) Service Settings" in the Group Policy Guide. After you update the policies, do a group policy update on the Windows client computer.

  18. Configure the role to require re-authentication using multi-factor authentication.

    For example: right-click your test role and choose Properties. The Role Properties dialog box opens. Click the Run As tab. Select Re-authenticate current user and then select Require multi-factor authentication. Click OK to apply the changes.

  19. Run dzflush to make sure that the agent has the changes from Access Manager. For details, see "Using dzflush" in the Administrator’s Guide for Windows.

  20. Set the RADIUS shared secret. The RADIUS secret is unique to each system and must match the secret that the RADIUS server has. You can set the pre-shared secret by either of the following methods on the client computer:

    • Run the Set-RadiusSecret cmdlet to set the RADIUS shared client secret. For details, see the DirectAuthorize PowerShell cmdlet help.
    • Use the Agent Configuration settings dialog box to configure the RADIUS server, including the pre-shared secret. For details, see "Configuring agent settings for the Identity Services Platform" in the Administrator’s Guide for Windows.

Test and verify

  21. Verify that a user can elevate privileges by entering the RADIUS one-time password.

    For example, if your role has New Desktop rights: right-click the system tray icon and select New Desktop. In the dialog box that appears, select your test role and click OK. If RADIUS authentication has been configured successfully, you are prompted to enter a password for RADIUS authentication. Enter the password and click Next to continue. You can also view the audit trails for the successful authentication in the system's event log.

  22. Verify that a user cannot elevate privileges after entering an incorrect RADIUS one-time password.
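Steps 20 through 22 hinge on the shared secret: it encrypts the one-time password inside the Access-Request and keys the Response Authenticator on every reply. The following added example (not Delinea's code, and not a description of the agent's implementation) walks the RFC 2865 PAP exchange with both sides in one process: the client builds an Access-Request carrying the user's one-time password, a constructed stand-in for the RADIUS service validates it and answers Access-Accept or Access-Reject, and the client checks the Response Authenticator before trusting the answer. The user name, one-time password, NAS-Identifier value and both secrets are constructed. Running it with mismatched secrets shows the failure mode behind a wrong step 20: the reply cannot be authenticated, so the client must treat the attempt as failed rather than act on an accept or reject it cannot verify.

```python
"""RADIUS (RFC 2865) PAP exchange with both sides in-process: Access-Request
from the client, Accept/Reject from a stand-in server, and reply authentication."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # attribute types
HEADER = ">BBH"                                        # code, identifier, length


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute (length covers the 2-byte header)."""
    return struct.pack("BB", atype, len(value) + 2) + value


def _parse_attrs(body: bytes) -> dict:
    attrs = {}
    while len(body) >= 2:
        atype, alen = body[0], body[1]
        if alen < 2:
            break                     # malformed attribute; stop rather than loop forever
        attrs[atype] = body[2:alen]
        body = body[alen:]
    return attrs


def encrypt_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    n = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, n, 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def decrypt_password(secret: bytes, request_auth: bytes, cipher: bytes) -> bytes:
    """Inverse of encrypt_password; the chaining value is the ciphertext block itself."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, user, otp, nas_id=b"win-client-01"):
    """Client side: fresh random Request Authenticator plus User-Name, User-Password, NAS-Identifier."""
    request_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, encrypt_password(secret, request_auth, otp))
             + _attr(NAS_IDENTIFIER, nas_id))        # constructed NAS name
    packet = struct.pack(HEADER, ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack(HEADER, code, identifier, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def radius_server(packet, server_secret, valid_otps):
    """Constructed stand-in for the RADIUS service: decrypt the OTP, check it, answer."""
    _code, identifier, length = struct.unpack(HEADER, packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    otp = decrypt_password(server_secret, request_auth, attrs.get(USER_PASSWORD, b""))
    expected = valid_otps.get(attrs.get(USER_NAME, b""), b"")
    code = ACCESS_ACCEPT if expected and hmac.compare_digest(expected, otp) else ACCESS_REJECT
    reply_attrs = b""
    return (struct.pack(HEADER, code, identifier, 20 + len(reply_attrs))
            + response_authenticator(code, identifier, reply_attrs, request_auth, server_secret)
            + reply_attrs)


def check_response(response, client_secret, identifier, request_auth):
    """Client side: refuse any reply whose Response Authenticator does not verify."""
    code, rid, length = struct.unpack(HEADER, response[:4])
    attrs = response[20:length]
    expected = response_authenticator(code, rid, attrs, request_auth, client_secret)
    if rid != identifier or not hmac.compare_digest(expected, response[4:20]):
        return "unauthenticated-response"   # wrong shared secret, or a forged/altered reply
    return "accept" if code == ACCESS_ACCEPT else "reject"


def elevate_with_otp(user, otp, client_secret, server_secret, valid_otps):
    """One privilege-elevation attempt: build request, consult stand-in server, check reply."""
    packet, request_auth = build_access_request(client_secret, 42, user, otp)
    reply = radius_server(packet, server_secret, valid_otps)
    return check_response(reply, client_secret, 42, request_auth)


if __name__ == "__main__":
    valid = {b"alice": b"123456"}                     # constructed user and one-time password
    print(elevate_with_otp(b"alice", b"123456", b"s3cret", b"s3cret", valid))    # accept
    print(elevate_with_otp(b"alice", b"000000", b"s3cret", b"s3cret", valid))    # reject
    print(elevate_with_otp(b"alice", b"123456", b"s3cret", b"other", valid))     # unauthenticated-response
```

The three outcomes map onto the checklist: "accept" is step 21, "reject" is step 22, and "unauthenticated-response" is what a secret mismatch from step 20 looks like on the wire. A client that skips the Response Authenticator check would treat that third case as an ordinary reject (or, worse, an accept), which is why the audit trail from step 15 is worth watching during the first tests.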