Centrify Express For Mac

Centrify Express provides Active Directory based authentication and single sign-on for cross-platform systems; it is used to integrate Linux and Mac systems with Windows. Centrify Express installs a program called the DirectControl agent on a UNIX system so that the computer becomes a managed system and can be joined to Active Directory in the same manner as a Windows computer. When a computer is managed by the DirectControl agent and joined to a domain, all users and groups defined in Active Directory for the forest automatically become valid users and groups on the UNIX machine, unless the agent is configured to allow or deny specific users or groups. These users can perform the following common tasks:

  • Log on to the UNIX shell or desktop program and use standard programs and services such as telnet, ssh, and ftp.


  • Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.
  • Manage their Active Directory passwords directly from the UNIX command line, provided they can connect to Active Directory.

Centrify Express consists of:

DirectControl Express

Joins Linux and Mac systems to Active Directory, giving users multi-platform single sign-on

DirectManage Express

Automates discovery, readiness, and deployment of Express agent for easy integration with Active Directory

Centrify-Enabled Open Source Tools

Use our free, enhanced versions of OpenSSH, PuTTY and Samba for painless integration

Installation

DirectControl Express installation steps are simple:

  1. On the Linux computer, log on as root.
  2. If necessary, unzip the centrify-suite archive file.
  3. Run the install-express.sh command to install the Express Agent and Centrify-enabled

./install-express.sh

The installation script begins by running the adcheck program to check the operating system, disk space, DNS resolution, network connectivity, Active Directory configuration and other requirements on the computer. If you receive errors or warnings, see the DirectControl Express Administrator’s Guide for information on how to correct them.

Express

When you run the installation script, answer the prompts as follows:

How do you want to proceed? (E|S|X|C|Q) [X]: X

Type X (the default) for Express Mode. For most of the prompts, you can accept the default value by pressing Enter.

Be certain to specify Yes when prompted to join a domain. For an Express installation, the script automatically joins a computer in unlicensed mode. If you manually join a domain after installation, you must manually turn off licensed features. This process is covered in the Centrify DirectControl Express Administrator’s Guide.

Once installed, users can enter their username in whichever form they are most comfortable with, saving time and not requiring them to remember or type a domain name. All of these examples work equally well:

  • user.name
  • user name
  • user.name@domain.com
  • domain.com\user.name
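Because the same person can log in under several spellings, anything that compares login names (an allow/deny list, an audit log search, a sudo rule) has to canonicalize them first or it will silently miss matches. The example below is added here and is not Centrify's code; it splits the three separator forms listed above into a lower-cased (account, domain) pair (the space-separated form is passed through as a bare account name), refuses names that carry both separators rather than guessing, and uses that to implement a form-insensitive allow-list check. The default domain and the allow list are assumptions made for this example.

```python
# Added example (not Centrify's code): canonicalize the login-name forms listed
# above so that allow/deny decisions and audit-log comparisons see one principal
# regardless of how the user typed it.
from typing import Iterable, Tuple

DEFAULT_DOMAIN = "corp.contoso.com"  # assumed; the adcert output further down uses CORP.CONTOSO.COM


def parse_login_name(raw: str, default_domain: str = DEFAULT_DOMAIN) -> Tuple[str, str]:
    """Split a typed login name into (account, domain), both lower-cased.

    Accepted forms: 'user.name', 'user.name@domain.com', 'domain.com\\user.name'.
    AD names are case-insensitive, so both parts are folded to lower case.
    A name carrying both separators is rejected instead of guessed at.
    """
    name = raw.strip()
    if not name:
        raise ValueError("empty login name")
    if "\\" in name and "@" in name:
        raise ValueError(f"ambiguous login name: {raw!r}")
    if "\\" in name:                      # down-level form DOMAIN\user
        domain, _, account = name.partition("\\")
    elif "@" in name:                     # UPN form user@domain
        account, _, domain = name.rpartition("@")
    else:                                 # bare form: the default domain applies
        account, domain = name, default_domain
    if not account or not domain or "\\" in account:
        raise ValueError(f"malformed login name: {raw!r}")
    return account.lower(), domain.lower()


def same_principal(a: str, b: str) -> bool:
    """True when two differently spelled names denote the same AD principal."""
    return parse_login_name(a) == parse_login_name(b)


def is_allowed(raw: str, allow_list: Iterable[str]) -> bool:
    """Allow-list check that is insensitive to the form the user typed."""
    wanted = parse_login_name(raw)
    return any(parse_login_name(entry) == wanted for entry in allow_list)


if __name__ == "__main__":
    ALLOWED = ["CORP.CONTOSO.COM\\alice", "bob@corp.contoso.com"]  # constructed allow list
    for typed in ["alice", "Alice@corp.contoso.com", "corp.contoso.com\\bob", "eve"]:
        print(f"{typed:28} -> {parse_login_name(typed)}  allowed={is_allowed(typed, ALLOWED)}")
```

A naive string comparison would reject `Alice@corp.contoso.com` against an allow list written in `DOMAIN\user` form; canonicalizing first makes the two match, and the explicit rejection of `domain\user@domain` avoids a quiet mis-parse into the wrong domain.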

One of my favorite features, other than the single login, is that you can authenticate Active Directory users accessing Samba shares, which adds an easier way to add users and keep track of who has access.

Centrify Express supports the following Operating Systems:

Linux

CentOS Linux: 3.8, 3.9, 4.4, 4.6, 4.7, 4.8, 5, 5.1, 5.2, 5.3, 5.4, 5.5 (32-bit & 64-bit)
Citrix XenServer: 4, 4.1, 5 (32-bit)
Debian: 3.1, 4, 5 (32-bit & 64-bit)
Mandriva Linux One: 2008, 2009, 2009.1, 2010, 2010.1 (32-bit)
Novell SUSE Linux: Server 8, 9, 10, 11 (32-bit); Desktop 9.2, 9.3, 10, 11 (32-bit)
Novell SUSE Linux PPC: 9, 10, 11 (64-bit)
Novell SUSE Linux Itanium: 9, 10, 11 (64-bit)
OpenSUSE Linux: 10.1, 10.2, 10.3, 11, 11.1, 11.2 (32-bit)
OpenSUSE Linux: 10.1, 10.2, 10.3, 11, 11.1, 11.2 (64-bit)
Oracle Enterprise Linux: 4, 5 (32-bit & 64-bit)
Red Hat Enterprise Linux: 3, 4, 4.8, 5, 5.1, 5.2 ,5.3, 5.4, 5.5 (32-bit & 64-bit)
Red Hat Enterprise Linux Itanium: 4, 4.8, 5, 5.1, 5.2, 5.3, 5.4, 5.5
Red Hat Fedora: 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 (32-bit & 64-bit)
Scientific Linux: 3.0.8, 3.0.9, 4.4, 4.5, 4.6, 4.7, 4.8, 5, 5.1, 5.2, 5.3, 5.4, 5.5 (32-bit & 64-bit)
Ubuntu: 6.06 LTS, 7.04, 7.10, 8.04 LTS, 8.10, 9.04, 9.10, 10.04 LTS x86 (32-bit & 64-bit)
VMWare ESX Server: 3.0, 3.0.1, 3.0.2, 3.5 (32-bit)
VMWare ESX Server: 4 (64-bit)

Mac

Apple Mac OS X: 10.4.5+, 10.5.3+ on PPC, 10.4.5+, 10.5.3+ on Intel (32-bit)

Apple Mac OS X: 10.6 on Intel (32/64-bit)

There is a Centrify Suite that has more functionality, but at a price. Centrify Express is free and accomplishes exactly what I was looking for. If you want to integrate Active Directory authentication into your Linux, Unix, or Mac machines, check out Centrify Express; it may be just what you are looking for. You can get more information at their website: www.centrify.com/default.asp

Background

Public Key Infrastructure (PKI) is a key building block for many IT capabilities and has been around for a long time, yet it is poorly understood. Let's start by defining some key terms:
PKI - Public key infrastructure (standardized around X.509 certificates) defines the infrastructure, policies and usage of digital certificates.
Digital Certificate - a signed public key, paired with a private key held only by its subject, that lets us implement capabilities like
  • confidentiality - making sure data stays secret (at rest and in transit)
  • integrity - making sure a message has not been tampered with in transit
  • authentication and non-repudiation - proving that a party is who they claim to be, and that a signer cannot later deny having produced a signature

Certification Authority: A trusted system that governs the policies, issuance, revocation and workflow of digital certificate operations. There are Root CAs, Intermediate CAs, and Registration Authorities. These roles can all be satisfied by a single system, although that is NOT recommended: a compromise of an all-in-one CA takes the whole trust chain with it, whereas an offline root limits the damage to the issuing intermediate.
Certificate Policies: Define how certificates are going to be used, issued, revoked, etc.
Certificate Revocation: When a certificate must be invalidated before it expires (e.g. the user is disabled, the computer's role changes, or the key is replaced or compromised), the CA publishes its status through a revocation protocol. The legacy mechanism is the certificate revocation list (CRL); the Online Certificate Status Protocol (OCSP) answers per-certificate queries instead, though most CAs still publish CRLs alongside it. A certificate that simply expires is not revoked; relying parties reject it on its validity dates alone.
PKI is all about the trust model and the standard for how certificates are going to be handled. My advice is that standing up a CA in an enterprise is a process that should not be taken lightly. The technology is the easy part.
For a great blog on PKI from the Microsoft PKI experts, go here: http://www.css-security.com/category/public-key-infrastructure/

Challenge: Managing the Lifecycle

Once a PKI is established, in a Windows environment the lifecycle of issuing, revoking, renewing and provisioning certificates is very simple. It can be done via self-service or with workflow, but we'll focus on the automatic method: using Group Policies.
It's all about simplicity: the Group Policy client checks whether the user or computer needs a certificate, and the PKI client does the rest. If a computer belongs to an OU that has a GPO enabling certificate autoenrollment, a usable certificate template exists, and the right permissions (Enroll and Autoenroll on the template) are in place, the certificate is issued and provisioned to the computer. Depending on the template's renewal period, the certificate is renewed some weeks before it expires rather than being left to lapse.
We already outlined these steps with the Mac platform.

adcert: Centrify's hidden gem

For any PKI expert, adcert is a gem. Why? The variety of UNIX and Linux platforms, and the way they have evolved, has not produced a common standard for how certain things are done. Since Centrify focuses on maximizing the investment in Active Directory with the Centrify Suite, the answer is simple: use the Microsoft CA.
adcert is an Active Directory PKI client that works on Unix, Linux and Macs. It can also be combined with Group Policies so the lifecycle can be managed the same way as on Windows.
adcert must be run as root and lives in /usr/share/centrifydc/sbin. Certificates (and CRLs) are placed in the /var/centrify/net/certs folder; note in the listing further down that only the private key file is restricted to root, while the certificate and chain are world-readable.
Some key switches:
-e enroll certificates for this computer
-u <user> - retrieve the certificates for the user. In UNIX/Linux user GPOs are not enabled by default.
-m retrieve certificates for the computer. There has to be a usable certificate template.
Example - to enroll the computer-based certificates for a computer:
$ dzdo /usr/share/centrifydc/sbin/adcert -e -m -V
Certificate AutoEnrollment for suse1$@CORP.CONTOSO.COM in domain CORP.CONTOSO.COM
Retrieved 17 templates with client or server authentication
Check template Administrator
Check template Centrify-Autoenroll
Check template Centrify-Autoenroll-Macs
autoenrollment is allowed
Check template ClientAuth
Check template DomainController
Check template DomainControllerAuthentication
Check template KerberosAuthentication
Check template MacAutoenroll
autoenrollment is allowed
Check template Machine
Check template OfflineRouter
Check template RASAndIASServer
Check template SmartcardLogon
Check template SmartcardUser
Check template User
Check template UserSignature
Check template WebServer
Check template Workstation
2 templates found with autoenrollment set
Checking certificate template Centrify-Autoenroll-Macs ...
certificate and private key exist on computer
revision (100) matches value in template
expiration is Mon Sep 21 13:00:58 2015 GMT
certificate public key matches private key
No OCSP url in AIA section of certificate.
ocsp operation not performed
certificate is valid
Checking certificate template MacAutoenroll ...
No issuing CA found for template MacAutoenroll.
No CA's found for all templates requiring new/updated certificates: [MacAutoenroll].
1/1 templates requiring a new certificate could not have one issued.
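The verbose output above is what an operator has to read after every enrollment run, and the interesting lines (a template with no issuing CA, a certificate approaching its expiry, a certificate whose revocation status was never checked because the AIA carries no OCSP URL) are easy to miss among the routine ones. The example below is added here and is not part of the original post or of Centrify's tooling: it parses that output into a per-template report and applies the renewal-window logic from the lifecycle discussion earlier. The sample text is constructed from the lines on the page; the 30-day renewal window and the "now" timestamps are assumptions.

```python
# Added example (not Centrify's code): parse the verbose output of
# `adcert -e -m -V` shown above and flag what an operator should act on.
import re
from datetime import datetime, timedelta, timezone

# Constructed from the output on the page (trimmed to the lines that matter).
SAMPLE_OUTPUT = """\
Retrieved 17 templates with client or server authentication
Check template Administrator
Check template Centrify-Autoenroll-Macs
autoenrollment is allowed
Check template MacAutoenroll
autoenrollment is allowed
Check template Machine
2 templates found with autoenrollment set
Checking certificate template Centrify-Autoenroll-Macs ...
certificate and private key exist on computer
revision (100) matches value in template
expiration is Mon Sep 21 13:00:58 2015 GMT
certificate public key matches private key
No OCSP url in AIA section of certificate.
ocsp operation not performed
certificate is valid
Checking certificate template MacAutoenroll ...
No issuing CA found for template MacAutoenroll.
1/1 templates requiring a new certificate could not have one issued.
"""

RE_TEMPLATE = re.compile(r"^Check template (\S+)$")
RE_CHECKING = re.compile(r"^Checking certificate template (\S+) \.\.\.$")
RE_EXPIRES = re.compile(r"^expiration is (.+) GMT$")


def parse_adcert(text):
    """Return (templates with autoenrollment allowed, {template: status dict})."""
    autoenroll, report = [], {}
    last_template = current = None
    for line in text.splitlines():
        line = line.strip()
        if m := RE_TEMPLATE.match(line):
            last_template = m.group(1)
        elif line == "autoenrollment is allowed" and last_template:
            autoenroll.append(last_template)
        elif m := RE_CHECKING.match(line):
            current = report.setdefault(m.group(1), {
                "exists": False, "expires": None, "key_matches": False,
                "valid": False, "no_ocsp_url": False, "issuing_ca": True})
        elif current is None:
            continue                      # preamble lines before any template section
        elif line == "certificate and private key exist on computer":
            current["exists"] = True
        elif m := RE_EXPIRES.match(line):
            current["expires"] = datetime.strptime(
                m.group(1), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        elif line == "certificate public key matches private key":
            current["key_matches"] = True
        elif line == "certificate is valid":
            current["valid"] = True
        elif line.startswith("No OCSP url in AIA section"):
            current["no_ocsp_url"] = True
        elif line.startswith("No issuing CA found for template"):
            current["issuing_ca"] = False
    return autoenroll, report


def findings(autoenroll, report, now, renew_within=timedelta(days=30)):
    """Human-readable items to act on; an empty list means nothing is wrong."""
    out = []
    for name in autoenroll:
        st = report.get(name)
        if st is None:
            out.append(f"{name}: autoenrollment allowed but the template was never checked")
            continue
        if not st["issuing_ca"]:
            out.append(f"{name}: no issuing CA publishes this template; enrollment cannot complete")
        if st["exists"] and st["expires"] is not None:
            left = st["expires"] - now
            if left <= timedelta(0):
                out.append(f"{name}: certificate expired on {st['expires']:%Y-%m-%d}")
            elif left <= renew_within:
                out.append(f"{name}: certificate expires in {left.days} days; renew now")
        if st["exists"] and not st["key_matches"]:
            out.append(f"{name}: certificate does not match the private key on disk")
        if st["no_ocsp_url"]:
            out.append(f"{name}: no OCSP URL in AIA; revocation status was not checked")
    return out


def findings_for(text, now_iso, renew_days=30):
    """Convenience wrapper: now_iso is an ISO-8601 date or date-time taken as UTC."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    autoenroll, report = parse_adcert(text)
    return findings(autoenroll, report, now, timedelta(days=renew_days))


if __name__ == "__main__":
    for item in findings_for(SAMPLE_OUTPUT, "2015-09-01"):
        print(item)
```

Run against the real tool, the input would be the captured stdout of `adcert -e -m -V`; the parser is deliberately keyed on the exact message strings visible above, so any change in Centrify's wording surfaces as an unparsed template rather than as a false "all clear".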
The only usable template is the one I set up for Mac Autoenrollment in a previous lab. The contents of /var/centrify/net/certs show:

total 12
-r--r--r-- 1 root root 2069 2014-09-21 09:10 auto_Centrify-Autoenroll-Macs.cert
-r--r--r-- 1 root root 3357 2014-09-21 09:10 auto_Centrify-Autoenroll-Macs.chain
-r-------- 1 root root 1671 2014-09-21 09:10 auto_Centrify-Autoenroll-Macs.key
-----BEGIN CERTIFICATE-----
MIIFyjCCBLKgAwIBAgIKIiSOLwAAAAAAHDANBgkqhkiG9w0BAQUFADBaMRMwEQYK
CZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHY29udG9zbzEUMBIGCgmS
JomT8ixkARkWBGNvcnAxFDASBgNVBAMTC2NvcnAtREMxLUNBMB4XDTE0MDkyMTEz
MDA1OFoXDTE1MDkyMTEzMDA1OFowITEfMB0GA1UEAxMWc3VzZTEuY29ycC5jb250
b3NvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCZDHWJaHKR
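The listing above is the shape a healthy enrollment directory should have: the certificate and chain readable by anyone, the private key readable by root alone. That is also the thing worth re-checking after any backup restore, copy, or helpful chmod, because a world-readable machine key lets anyone on the box impersonate it for 802.1X, TLS or code signing. The example below is added here and is not from the page or from Centrify; it audits a directory against that policy (regular files only, `*.key` owned by the expected uid with no group/other bits and holding a PEM private key with a matching `*.cert`, `*.cert`/`*.chain` never group/other-writable and starting with a PEM certificate). The policy, the fixture helper and the placeholder PEM bodies it writes are assumptions; no real key material is involved.

```python
# Added example (not Centrify's code): audit the permissions and contents of
# a certificate directory such as /var/centrify/net/certs.
import os
import stat
import tempfile


def _pem_label(path):
    """First PEM header label in the file ('CERTIFICATE', 'RSA PRIVATE KEY', ...) or None."""
    with open(path, "rb") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith(b"-----BEGIN ") and line.endswith(b"-----"):
                return line[len(b"-----BEGIN "):-5].decode("ascii", "replace")
    return None


def owner_uid(path):
    """uid owning a path; for the real directory the expected owner is root (0)."""
    return os.stat(path).st_uid


def audit_cert_dir(path, expect_uid=0):
    """Return a list of findings; an empty list means the directory passes the policy."""
    found = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)                      # lstat: a symlink out of the dir is itself a finding
        if not stat.S_ISREG(st.st_mode):
            found.append(f"{name}: not a regular file (symlink or special file)")
            continue
        mode = stat.S_IMODE(st.st_mode)
        label = _pem_label(full)
        if name.endswith(".key"):
            if mode & 0o077:
                found.append(f"{name}: private key mode {mode:04o} grants group/other access")
            if st.st_uid != expect_uid:
                found.append(f"{name}: private key owned by uid {st.st_uid}, expected {expect_uid}")
            if label is None or "PRIVATE KEY" not in label:
                found.append(f"{name}: does not contain a PEM private key (got {label!r})")
            if not os.path.isfile(os.path.join(path, name[:-4] + ".cert")):
                found.append(f"{name}: no matching .cert file")
        elif name.endswith((".cert", ".chain")):
            if mode & 0o022:
                found.append(f"{name}: mode {mode:04o} is group/other-writable")
            if label != "CERTIFICATE":
                found.append(f"{name}: does not start with a PEM certificate (got {label!r})")
        else:
            found.append(f"{name}: unexpected file in certificate directory")
    return found


def make_fixture(root=None, key_mode=0o400):
    """Constructed auto_Example.{cert,chain,key} trio in a temp dir; PEM bodies are placeholders."""
    root = root or tempfile.mkdtemp(prefix="centrify-certs-")
    os.makedirs(root, exist_ok=True)
    for suffix, label, mode in (("cert", "CERTIFICATE", 0o444),
                                ("chain", "CERTIFICATE", 0o444),
                                ("key", "RSA PRIVATE KEY", key_mode)):
        p = os.path.join(root, f"auto_Example.{suffix}")
        with open(p, "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nAAAA placeholder, not real material\n-----END {label}-----\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    leaky = make_fixture(key_mode=0o644)         # the mistake this check exists to catch
    for item in audit_cert_dir(leaky, expect_uid=owner_uid(leaky)):
        print(item)
```

On a real host run it as `audit_cert_dir("/var/centrify/net/certs")` with the default `expect_uid=0`; the fixture helper exists only so the check can be exercised without touching the live directory.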

Understanding the benefits

The key here is process consolidation and cost savings, especially for internal certs. The Microsoft root CA is trusted by all domain-joined computers, which means that Unix, Linux and Mac computers can easily obtain their own SSL/TLS, 802.1X, code signing and other types of certs, all from a single infrastructure with one consolidated process (anything outside the domain must have that root distributed to it some other way before it will trust those certs). That is power.

Video - Using adcert (5:18)