Channel: All Centrify Express posts

Email address for MFA


Hello,

 

In MFA, is it possible to send verification email to another (common) mailbox, instead of the primary email address associated with the mailbox?

 

The reason I am asking is that, since the authentication email will be sent to the primary email address (the one I am accessing now), it will go into a cyclical loop and you will not be able to log in to the mailbox at all. This will negate the use of Multi-Factor Authentication (MFA), where someone wants to access the mailbox even when browsing outside the corporate network.

 

Regards,
Ganesan


Re: Email address for MFA


 

What you want to accomplish (as described) defeats the purpose of establishing identity assurance (e.g. that the person is who they say they are). Once a common mailbox is used, you can no longer guarantee that whoever accessed it is the primary account owner.

 

My advice is that if e-mail will be used, you also provide alternative method(s)  (e.g. SMS, OATH OTP, RADIUS, Smart Card, Phone Factor) to address the issue of not being able to reach the mailbox to satisfy an MFA challenge.

 

That being said, you can leverage additional attributes for MFA, and the help topic can be found here: 

https://docs.centrify.com/en/centrify/adminref/index.html#page/cloudhelp%2FCloud_Settings.56.html%23ww1152326

 

R.P

Re: Email address for MFA


Hi Robertson,

Thanks for your help.

 

As for accessing Office 365 resources outside the corporate network, we would like to assign this privilege to only a select few employees. So it is fine for us to have a common mailbox, through which the authorised admin would facilitate MFA for the select employees.

 

In other words, we are not concerned about whether whoever accessed Office 365 is the primary account owner, since the access will anyway be granted by a single authorised admin.

 

Please let me know if that is possible.

 

Regards,
Ganesan

User Login : Not able to login to some of the hosts


Hi Everyone,

 

One of our users is not able to log in to a couple of hosts using his AD ID. I was able to see his ID on those hosts, but he is still not able to log in. He is able to log in to other hosts with the same password.

 

Below are the logs generated in /var/adm/messages when he tries to log in.

Jun 26 10:22:35 appleserver adclient[17860]: [ID 702911 auth.warning] WARN <fd:10 PAMVerifyPassword> audit User 'abc123' not authenticated: bad password
Jun 26 10:22:35 appleserver sshd[4655]: [ID 800047 auth.notice] Failed keyboard-interactive for opajg1 from 10.68.112.43 port 60500 ssh2
Jun 26 14:21:59 appleserver adclient[4020]: [ID 702911 auth.warning] WARN <fd:8 PAMVerifyPassword> audit User 'abc123' not authenticated: bad password
Jun 26 14:21:59 appleserver sshd[7304]: [ID 800047 auth.notice] Failed keyboard-interactive for opajg1 from 10.68.112.43 port 49754 ssh2
Jun 26 14:55:58 appleserver adclient[4020]: [ID 702911 auth.warning] WARN <fd:8 PAMVerifyPassword> audit User 'abc123' not authenticated: bad password
Jun 26 14:55:58 appleserver sshd[22165]: [ID 800047 auth.notice] Failed keyboard-interactive for opajg1 from 10.68.112.43 port 57924 ssh2
Jun 26 14:56:50 appleserver adclient[4020]: [ID 702911 auth.warning] WARN <fd:25 PAMVerifyPassword> audit User 'abc123' not authenticated: bad password
Jun 26 14:56:50 appleserver sshd[22696]: [ID 800047 auth.notice] Failed keyboard-interactive for opajg1 from 10.68.112.43 port 57939 ssh2

Re: NOOB question - can't SSH to Centrify protected Ubuntu server


When I run this command - 

 "adquery user" - I get nothing back

 

radmin@master:~$ adquery user
radmin@master:~$

 

However, when I run "adquery -A bruce" I get:

 

radmin@master:~$ adquery user -A bruce
dn:CN=bruce,CN=Users,DC=r##########n,DC=net
samAccountName:bruce
sid:S-1-5-21-662088380-377811889-2506711748-1112
userPrincipalName:bruce@R##########N.NET
canonicalName:r#########n.net/Users/bruce
passwordHash:x
guid:11ac64be-1d75-476c-96f6-ab8753ba5cb4
requireMfa:false
zoneEnabled:false
memberOf:r##########n.net/Users/Domain Users,r##########n.net/Users/engineering

 

What permissions / groups must user "bruce" have to be able to SSH in?

 

Thanks!

 

Account sync issue in Centrify


Hello,

 

We have set up the Centrify connector in two domains. In one domain, it was working fine.

 

In the other domain, we have created one user account in a sub OU recently. This account is not updated in the Centrify portal. Hence, it is not automatically proceeding without asking for a password. It is logging into the portal as if it is a cloud ID.

 

Can you please tell us how to resolve this issue?

 

Regards,
Ganesan

Re: User Login : Not able to login to some of the hosts


Hello Unix20466,

 

Thank you for posting to our express forum.  

 

Do you see that the problem account has a full and complete profile when running the following command?

 

"adquery user -A abc123"

 

Key entries would be the UID, GID, home, shell and "zoneEnabled:true".

 

If anything is missing, please verify these in the DirectManage Access Manager console and try running "adflush -f" as root or with sudo.

 

I see you may be a Centrify Customer with a paid support contract.

 

If this is the case I would request you please open a support case as further troubleshooting will require collection of logs so we can dig into the issue.

 

If this is not correct and you are still having this issue please update us here and we will see how best to continue.

 

Thank you,

JeffW
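
Added example, not part of the original thread and not Centrify code: a small shell filter that reads `adquery user -A <name>` output and lists which of the key entries named in the reply above are missing. The lower-case key names uid, gid, home and shell are assumptions about the output format (matching is case-insensitive), and both sample records are constructed.

```shell
#!/bin/sh
# Reads "key:value" lines on stdin (the layout `adquery user -A` prints) and
# writes one line per profile entry that is absent, empty, or, for
# zoneEnabled, not "true". No output means the profile looks complete.
# Assumption: the UNIX profile keys are spelled uid, gid, home and shell.
missing_profile_fields() {
  awk -F: '
    {
      key = tolower($1)
      val = $0
      sub(/^[^:]*:/, "", val)        # keep everything after the first colon
      gsub(/[ \t\r]+$/, "", val)     # drop trailing blanks and CRs
      seen[key] = val
    }
    END {
      n = split("uid gid home shell", need, " ")
      for (i = 1; i <= n; i++)
        if (!(need[i] in seen) || seen[need[i]] == "") print need[i]
      if (tolower(seen["zoneenabled"]) != "true") print "zoneEnabled"
    }'
}

# Constructed sample: an AD account that is visible but not zone-enabled.
sample_not_zoned() {
  cat <<'EOF'
samAccountName:bruce
userPrincipalName:bruce@EXAMPLE.NET
requireMfa:false
zoneEnabled:false
EOF
}

# Constructed sample: an account with a complete UNIX profile.
sample_zoned() {
  cat <<'EOF'
unixname:abc123
uid:10001
gid:10001
home:/home/abc123
shell:/bin/bash
zoneEnabled:true
EOF
}

# On a joined host: adquery user -A abc123 | missing_profile_fields
```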

Re: User Login : Not able to login to some of the hosts


Hi,

 

Thank you for posting.

 

What version of Centrify are you running?  You can confirm by running the command "adinfo -v".

 

 

Regards,

 


Re: Account sync issue in Centrify


 

Accounts in Identity Service could take up to 10 minutes to be accessible (this is discounting replication on your end).

The resolution to this non-issue may just be to wait.

 

Please let us know if you got this resolved.

 

R.P

Re: Account sync issue in Centrify


Hi Robertson,

 

That does not help. Nothing happened since I posted the query in the forum.

 

One point to note is that though the connector is installed in the on-premise domain, the UPN suffix domain assigned for the users is not federated. Will it have any effect?

 

Regards,

Ganesan

Re: Account sync issue in Centrify


 

Can you try to use different words to explain what's happening?

 

  • Are you having an issue seeing an AD object (user, security group or computer) to pick for roles, entitlements, etc?

Or

  • Are you having issues with outbound provisioning for an AD user (or group for provisioning) to a target App?

 

Two completely different problems with different troubleshooting approaches.

 

Remember, if you are a paying customer, you don't have to sit and wait for volunteers to answer in this forum.  You are entitled to SLA-based standard or 24x7 support.

Otherwise, my advice is to study the Connector log and the help page for the topic in question.

 

 

R.P

 

 

Re: Account sync issue in Centrify


After re-reading this multiple times, it seems you are talking about outbound provisioning for Office365.

 

You have to follow the guidelines for this.  I believe that if you want things to work as expected (SSO, etc) the target domain has to be federated.

 

Aside from that, I can point you to (because there are moving parts to this)

Re: Account sync issue in Centrify


Yes, exactly. We are working for outbound provisioning for Office365.

 

Can you confirm if the user listing in the Centrify portal requires the target domain to be federated?

 

As I said before, the target domain name is assigned as the UPN suffix for an on-premise domain. Users in that domain have to be listed in Centrify for provisioning for Office 365.

 

Thanks.

 

 

naming of Agents


Hi,

 

I am completely new to Centrify software. The most obvious question I have is how do I install the Agent, when the agent is named:

 

centrify-suite-2017.1-rhel4-x86_64.solitairetheme8.

 

I was expecting to see a .tgz file or rpm package to install the Agent. How do I install this on a Red Hat platform?

 

Could you please advise why the naming of the agent is .solitairetheme8?

 

Regards

 

Patrick McHale

Re: naming of Agents


 

Welcome to the forums.  I advise you not to use that file and that you delete it.

 

If you are an Express prospect/customer, you should use the form to access the downloadable bits.  Once there, you have the ability to download software and verify that you have the proper file.

 

The correct file name (for a 64-bit RHEL derivative), with the proper naming convention looks like this:

centrify-suite-2017.1-rhel4-x86_64.tgz and the MD5  hash is 3D53598E7CFD1C7DB31C1A8C328E58E6

In the download site, the hash can be viewed by hovering over the download link.

 

The naming convention explains the suite version (e.g. centrify-suite-2017.1), the platform family (e.g. Red Hat and derivatives), the lowest version supported (version 4) and the processor architecture (x86_64). It's a tar-gzipped file that contains the RPMs and utilities.

 

Make sure you verify the algorithm using MD5 (e.g. like below with PowerShell)

Get-FileHash -Algorithm MD5  centrify-suite-2017.1-rhel4-x86_64.tgz

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             3D53598E7CFD1C7DB31C1A8C328E58E6                                       

All the RPMs in that tarball are signed with Centrify's public key.

 

If you are a commercial customer, remember you have access to the Centrify Repos (RPM, APT and Zypper).

 

Since this is potentially a serious matter, with your permission, if you tell us the origin of the file, we can report this to our security department.  If you downloaded the file from a compromised system, this could have caused the renaming of the file as well.

 

Robertson
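
Added example, not part of the original thread and not Centrify tooling: the same MD5 comparison as the PowerShell command above, done on the Linux host, plus a check that the bytes are gzip data regardless of what name the browser gave the file. The function name and return codes are assumptions of this example.

```shell
#!/bin/sh
# verify_download FILE EXPECTED_MD5
# Return codes (chosen for this example):
#   0 = hash matches and the content starts with the gzip magic bytes
#   1 = hash does not match the published value
#   2 = hash matches but the content is not gzip
#   3 = file missing or unreadable
# The file name and extension are never consulted, so a download that a
# browser renamed is judged on its bytes alone.
verify_download() {
  file=$1
  # Get-FileHash prints upper-case hex, md5sum prints lower-case: normalise.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

  [ -r "$file" ] || return 3

  actual=$(md5sum < "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ] || return 1

  # A .tgz is a gzip stream; every gzip stream begins with bytes 1f 8b.
  magic=$(od -An -tx1 -N2 < "$file" | tr -d ' \n')
  [ "$magic" = "1f8b" ] || return 2

  return 0
}

# With the file name and hash quoted in the reply above:
#   verify_download centrify-suite-2017.1-rhel4-x86_64.tgz \
#       3D53598E7CFD1C7DB31C1A8C328E58E6 && echo "download OK"
```

On the RHEL host, `rpm -K` on the extracted packages checks the signatures mentioned in the reply, once the vendor's key has been imported.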


Re: naming of Agents

Hi,



Yes, that is where I went for the downloads, and every time it gives me the following files:

centrify-suite-2017.1-rhel4-x86_64.solitairetheme8 (no extension)

Every file I download from there has the same extension. Is there something wrong with the download area?

I have tried several times and there are no *.tgz files available to download.



Patrick


Re: naming of Agents


Thanks, that's sorted now. It was the Chrome browser; switching to Firefox worked fine and I have run the installer.

 

Patrick

Centrify Express for RedHat with SmartCard Support


Just a simple question. Does Centrify Express on a RedHat 7.3 system support SmartCard authentication? I see that Mac has a free SmartCard utility, hoping RedHat 7.3 does too.
