Lab Guide
Centrify Corporation
http://www.centrify.com
Legal notice
This document and the software described in this document are furnished under and are subject to the
terms of a subscription license agreement or a non-disclosure agreement. Except as expressly set forth
in such subscription license agreement or nondisclosure agreement, Centrify Corporation provides this
document and the software described in this document “as is” without warranty of any kind, either express
or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular
purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions;
therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without
the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as
expressly set forth in such subscription license agreement or non-disclosure agreement, no part of this
document or the software described in this document may be reproduced, stored in a retrieval system,
or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written
consent of Centrify Corporation. Some companies, names, and data in this document are used for
illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein. These changes may be incorporated in new editions of this document.
Centrify Corporation may make improvements in or changes to the software described in this document
at any time.
© 2018 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party
or open source software. Copyright and legal notices for these sources are listed separately in the
Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf
of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in
accordance with 48 C.F.R. 227.7202-1 through 227.7202-4 (for Department of Defense (DOD)
acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the software and
documentation are being licensed to U.S. Government end-users (a) only as Commercial Items and (b)
with only those rights as are granted to all other end-users pursuant to the terms and conditions of the
subscription license agreement.
Centrify, Centrify Express, Centrify for Mobile, Centrify for SaaS, Centrify Identity Service, Centrify
Privilege Service, Centrify Server Suite, Centrify Suite, Centrify User Suite, DirectAudit, DirectAuthorize,
DirectControl, DirectControl Express, DirectManage, DirectManage Express and DirectSecure are
registered trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active
Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks
of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S.
Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,442,962 and 9,378,391.
The names of any other companies and products mentioned in this document may be the trademarks or
registered trademarks of their respective owners. Unless otherwise noted, all the names used as
examples of companies, organizations, domain names, people and events herein are fictitious. No
association with any real company, organization, domain name, person, or event is intended or should
be inferred.
If you plan to use the training materials for in-house training, you can build a training
environment in your own network, but take your own network configuration and security
practices into account first. This environment is for training purposes only and will not match
your production network.
During this training, you are the IT Administrator for Omicron Equipment Company. Omicron’s
network includes a Windows Active Directory domain controller, a Windows application server,
a Windows Database server, two (2) UNIX servers and a dedicated server for Centrify. The
configuration of this network environment is listed below.
Active Directory groups:
  OMICRON_GRP_Auditors
  OMICRON_GRP_Contractors
  OMICRON_GRP_Finance
  OMICRON_GRP_Helpdesk
  OMICRON_GRP_IT
  OMICRON_GRP_Sales
  OMICRON_GRP_Security
  OMICRON_GRP_UNIXAdmins
  OMICRON_GRP_UNIXDBA
  OMICRON_GRP_WindowsDBA

Active Directory users (Name / Login / Password / Group Memberships / Container):
  Administrator
    Login:      administrator
    Password:   Centr1fy
    Groups:     Administrators, Domain Admins, Domain Users, Enterprise Admins,
                Group Policy Creator Owners, Schema Admins
    Container:  OU=Users,DC=omicron,DC=lab
  Alex Foster
    Login:      afoster
    Password:   Centr1fy
    Groups:     Domain Admins, Domain Users, Enterprise Admins, OMICRON_GRP_IT,
                OMICRON_GRP_Security
    Container:  OU=Staff,DC=omicron,DC=lab

UNIX Identities
Additional Configurations:
AD Default Group Policy Changes:
• Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies
→ Password Policy
o Minimum Password Age = 0
• Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies
→ Account Lockout Policy
o Account Lockout Threshold = 3 invalid logon attempts
o Account Lockout Duration = 10 minutes
o Reset account lockout counter after = 10 minutes
These are lab values, not a production baseline: a minimum password age of 0 lets the
password-reset exercises change a password immediately, and the three-attempt threshold is
what lets the self-service exercises lock an account with a few wrong logons.
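Added example (not from the Centrify lab guide): a PowerShell check that the domain's effective password and lockout policy matches the values listed above, with a function to apply them if the GPO edit was skipped. It assumes the ActiveDirectory RSAT module is available and that omicron.lab, the domain from the environment table, is the domain to query.

```powershell
# Added example, not part of the Centrify lab guide.
# Run on dc.omicron.lab (or any host with RSAT) as a Domain Admin such as afoster.
Import-Module ActiveDirectory

$domain = 'omicron.lab'   # assumption: the lab domain from the environment table

# The values the guide sets in the Default Domain Policy.
$expected = @{
    MinPasswordAge           = [TimeSpan]::Zero             # Minimum Password Age = 0
    LockoutThreshold         = 3                            # 3 invalid logon attempts
    LockoutDuration          = [TimeSpan]::FromMinutes(10)  # Account Lockout Duration
    LockoutObservationWindow = [TimeSpan]::FromMinutes(10)  # Reset lockout counter after
}

function Test-LabPasswordPolicy {
    # Reads the effective domain policy and reports every setting that differs
    # from the guide. Returns the drift list (empty when everything matches).
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
    $drift = foreach ($name in $expected.Keys) {
        if ($policy.$name -ne $expected[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Current  = $policy.$name
                Expected = $expected[$name]
            }
        }
    }
    if ($drift) { $drift | Format-Table -AutoSize } else { 'Policy matches the lab guide.' }
    return $drift
}

function Set-LabPasswordPolicy {
    # Writes the same values the guide sets through the GPO editor.
    # Lab use only: a 3-attempt threshold and a 0-day minimum age are chosen to
    # make the lockout and password-reset exercises quick.
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -MinPasswordAge           $expected.MinPasswordAge `
        -LockoutThreshold         $expected.LockoutThreshold `
        -LockoutDuration          $expected.LockoutDuration `
        -LockoutObservationWindow $expected.LockoutObservationWindow
}

Test-LabPasswordPolicy | Out-Null
```

Set-ADDefaultDomainPasswordPolicy writes the attributes on the domain object directly. The Default Domain Policy GPO, applied by the PDC emulator, rewrites those same attributes at the next policy refresh, so if the GPO disagrees with what you set here the GPO wins. Make the change in the GPO as the guide describes and use Test-LabPasswordPolicy to confirm it took effect.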
Table of Contents
1. Install Centrify Identity Platform
For this exercise you will need to power up the domain controller (dc.omicron.lab) and the new
Windows server (centrify.omicron.lab).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
2. Launch the Install Privilege Access Service shortcut found on the Desktop:
Click Next
Click Next
5. The License Information window will be displayed. The license information is stored in a
file on the server at the following location:
C:\centrify\LicenseKey.txt
Without exiting the installation wizard, open the file, copy the company name and paste it
into the corresponding field of the wizard.
Click Next
6. The Feature Selection will show you the installation options you can use. For this
training, you will perform an Evaluation installation.
7. The Centrify Identity Platform uses a PostgreSQL database that can either be included in
the installation or be an existing instance you point the installer at.
For this training, we will include it in the installation and a custom database is not
needed.
Click Next.
10. Once completed, you can move to STAGE 2 of the installation process.
Click Finish.
11. Once the Installation of the Identity Platform is complete, PowerShell will
automatically launch.
You will be prompted to supply specific information to further configure the Identity
Platform.
Type: admin@omicron.lab
Type: admin@omicron.lab
14. Enter the FQDN used for this service (default: centrify.omicron.lab).
15. You will then be asked if you want to supply a custom host certificate. One has been
provided and is stored in the folder below:
C:\centrify\vault-cert.pfx
Type Y to use the custom certificate and a file selection dialog will be displayed. Browse to
the folder, select the certificate and click Open.
16. A folder selection dialog will now be displayed to identify the service database location.
A series of Microsoft Visual C++ redistributable installation tasks will then run as part of the
configuration process. PLEASE BE PATIENT.
17. Another folder Selection will be displayed to identify the location of the service setup/
recovery file.
Additional tasks will execute and once completed the Internet browser will be
launched, navigating to the new Centrify Portal Login.
18. Login using the Admin Account created during steps 11-13 and confirm a successful
login into the portal.
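Added example (not from the lab guide): PowerShell to inspect C:\centrify\vault-cert.pfx before it is supplied in step 15, and to confirm after step 17 that the portal at centrify.omicron.lab is serving that same certificate. The path and FQDN are the ones the steps above use; the PFX password is not stated in the guide, so Get-PfxCertificate prompts for it.

```powershell
# Added example, not part of the Centrify lab guide.
$pfxPath = 'C:\centrify\vault-cert.pfx'   # path from step 15
$fqdn    = 'centrify.omicron.lab'         # FQDN from step 14

function Get-VaultCertificate {
    param([string]$Path = $pfxPath)
    # Get-PfxCertificate prompts for the PFX password (the guide does not state it).
    $cert = Get-PfxCertificate -FilePath $Path
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        DnsNames      = @($cert.DnsNameList | ForEach-Object { $_.Unicode })  # SAN entries
        HasPrivateKey = $cert.HasPrivateKey
    }
}

function Get-ServedCertificate {
    param([string]$HostName = $fqdn, [int]$Port = 443)
    # Opens a TLS session and returns the leaf certificate the portal presents.
    # Chain validation is disabled on purpose: the point is to read what is served
    # and compare it against the PFX ourselves, not to trust it.
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Dispose()
    }
}

function Test-VaultCertificate {
    # Combines both views: is the PFX usable for this FQDN, and is it what is live.
    $pfx    = Get-VaultCertificate
    $served = Get-ServedCertificate
    [pscustomobject]@{
        PfxCoversFqdn    = ($pfx.DnsNames -contains $fqdn) -or ($pfx.Subject -like "*CN=$fqdn*")
        PfxHasPrivateKey = $pfx.HasPrivateKey
        PfxNotExpired    = $pfx.NotAfter -gt (Get-Date)
        ServedMatchesPfx = $served.Thumbprint -eq $pfx.Thumbprint
        ServedSubject    = $served.Subject
        ServedNotAfter   = $served.NotAfter
    }
}

Test-VaultCertificate
```

Run Get-VaultCertificate before step 15: a certificate whose SAN does not cover the FQDN entered in step 14, or that has no private key, will be accepted by the wizard but rejected by browsers and by the connector when it registers. Run Test-VaultCertificate after step 17, once the portal is up, to confirm ServedMatchesPfx is True.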
1. Login to appserver.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab/manage
Username: admin@omicron.lab
Password: Centr1fy
5. Click Network
7. Under Download, Click the 64-bit link to download the Centrify Connector Software.
Click Next
10. Accept the terms of the license agreement and Click Next
11. The Centrify Connector Setup can be configured to install specific features and change
the storage location of the Connector software.
12. Now that the configuration of the installation has been completed, Click Install to begin
the process.
13. Once completed, you can move to the Centrify Connector Configuration.
Click Finish.
14. Once the Installation is complete, the Centrify Connector Configuration Wizard will
automatically launch.
Click Next
15. You will need to enter the following information to link the Centrify Connector to the
instance of Centrify Identity Platform.
Admin Password:
Centr1fy
Centrify Service:
https://centrify.omicron.lab
16. The Web Proxy Configuration is used when a web proxy is required to communicate
with Identity Platform.
17. The Setup Properties page is used to activate the Centrify property pages in all Active
Directory administration screens.
By default, the property pages are activated using the current user's credentials, which
must carry Enterprise Admin privilege.
Confirming this change requires an account that owns the Deleted Objects container.
Click Yes to confirm the change and continue.
19. The connector will use the configuration specified and register with the Centrify Identity
Platform.
Click Finish.
21. In the Admin Portal, Click Close to close the Add Centrify Connector option.
22. Refresh the Centrify Connector page by clicking the admin profile menu at the top
right and clicking Reload.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
6. Under General Options, change the Portal Ribbon Accent Color.
Click OK
Click OK
26. Login to the portal as each of the identities below and complete the security questions.
For training purposes it is recommended that you use the same answers for every identity.
Use the space below to note your security questions and answers.
ANSWER: _________________________________________________________
ANSWER: _________________________________________________________
ANSWER: _________________________________________________________
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: admin@omicron.lab
Password: Centr1fy
Login Name:
OmicronSupport
E-Mail Address:
support@omicron.lab
Display Name:
Omicron Support Admin
Status:
Check Password never expires
9. Click Members
Click Add
Click Add
27. Under Global Account Security, enable periodic password rotation at a specified interval
and set the interval to 90 days.
28. Under Global System Security, check the box to allow access from a public network
(web client only)
35. Check the Add Account permission for the added group.
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
6. Click Settings
7. Click Select
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
8. Click Members
9. Click Add
This administrative right grants members access to all Infrastructure tab menus and permissions
in the Admin Portal. Members are granted view, add and remove permissions on systems and
accounts. Additionally, members can grant permissions to other users on the specific systems
and accounts they add to the identity platform.
18. Type in the name of the role: Privilege Access Power Users
This limited administrative right grants members access to all Infrastructure tab menus and
permissions in the Admin Portal. Members are granted view permission on all systems and
accounts. They cannot add systems or account information, and to use an account they must
either request access via workflow or be granted explicit permissions by a user who holds grant
permissions.
30. Type in the name of the role: Privilege Access Service Users
This right grants members access to a limited set of Infrastructure tab menus and permissions
in the Admin Portal. Members can view only the systems and accounts they have been
explicitly granted permission on. They cannot add systems or account information.
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
Set Challenge 2 – Click Security Questions leaving the default number of questions set
at one (1).
9. Click OK
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
5. Click Import
Leave the browser open to this section – we will revisit it to complete the import.
7. Open the file using Notepad and add to the bottom the following information:
8. Remove all other hosts leaving only the header line and the Appserver information.
10. Return to the Admin Portal, click browse and select the updated template file
12. Use the profile menu at the top right to reload the page and confirm the system has been
added.
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
5. Click Profiles
11. Check the domain that will be the scope of the discovery.
17. Under Scope Method, choose IP Range and add 10.160.0.30 to 10.160.0.31
18. Under Discovery Accounts, use the dropdown and select Add Discovery Account
20. Enter the username and password of the UNIX root account.
Username: root
Password: password1
The status of the process will be shown at the far right. Use the User Profile Menu to reload the
page. Only one profile can be run at a time. This process will take a couple of minutes, PLEASE
BE PATIENT. After the first is completed you can run the second profile.
26. Once the Discovery Profile has a Ready Status, navigate to Resources and Click
Systems
Use the User Profile Menu at the top right to reload the page.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
5. On the right-hand side of the systems list is a Sets list. Click Windows Systems to
confirm the system list is filtered to only display Windows servers.
8. Click Save
12. Select the Helpdesk and Payroll systems and use the blue Actions button to Add to Set
13. Using the Sets Drop Down, Select Omicron UNIX Systems
16. Using the Sets Drop Down, Select Omicron Domain Controllers
18. Domain Controllers should only be available to Domain Admins. Right Click on the
Omicron Domain Controllers Set and select Modify
21. Grant the View and Manage Session permissions to the Domain Admins Group
23. Right Click on the Omicron UNIX Systems Set and Select Modify
25. Search for and add Omicron_GRP_Helpdesk and the Privilege Access Service Users role
26. Confirm the View permission for Omicron_GRP_Helpdesk and the Privilege Access
Service Users role
32. Logout of the Admin Portal and Re-Login as Alex Foster (afoster)
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
Username: Omicron-A
Password: Centr1fy
8. Click Add
12. Add the View, Checkout and Login permissions to the Privilege Access Power Users role
Note: the role must also hold View permission on the system itself in order to use the
privileged account on it.
15. Under Permissions, confirm Privilege Access Service Users has View Permissions
17. Under Permissions, confirm Privilege Access Service Users has View Permissions
19. Add the root account username and password (Password: password1)
25. Add the view and login permissions to the Privilege Access Users role
28. Click on the helpdesk.omicron.lab system and under Accounts, Click Add
29. Add the root account username and password (Password: password1)
35. Add the view and Checkout permissions to the Privilege Access Users role
40. Right click on the Appserver/ Omicron-A account and select Checkout
42. Close the password dialog and right click the account once again and select check-in
47. If successful, a secure remote login session is established without the root password
ever being disclosed to the user.
48. Close the remote session and logout of the Admin Portal
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
6. Click Permissions
7. Click Add
8. Add Omicron_GRP_Contractors
14. Locate the LicenseKey.txt file used during the installation of the Identity Platform
(C:\Centrify)
24. Add Omicron_GRP_IT with View, Edit and Retrieve Secret Permissions
28. Logout of the Admin Portal and login as Joe Miller (jmiller) (Password: Centr1fy)
YES. Joe is a member of Omicron_GRP_IT, and that group was granted View, Edit and Retrieve
Secret permissions on the folder, so he inherits access to the secrets it contains.
30. Logout of the Admin Portal and login as Laura Bennett (lbennett) (Password: Centr1fy)
31. Right click on the Office 365 Secret and select Retrieve Secret
33. QUESTION #2: Can Laura view the Software Licenses Folder? YES OR NO
QUESTION #3: How many Secrets does Laura have access to? ___________
One (1). Laura was only given permission to see one secret, not both
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
5. Click appserver.omicron.lab
6. Click Policy
7. Under Default System Login Profile Use the Drop Down and Select Omicron MFA
(Authentication Profile created in Lab 7)
8. Click Save
15. Once you answer the security question, enter your password and confirm you are
securely logged in to the system.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
6. Click Policy
7. Under Default System Login Profile Use the Drop Down and Select Omicron MFA
(Authentication Profile created in Lab 7)
8. Click Save
13. Before the options to view or copy the password are shown, you will be prompted to
answer a security question.
14. Once you have answered the security question, enter your password and confirm you can
retrieve the account password.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
5. Click on appserver.omicron.lab
6. Click on Permissions
7. Click Add
9. Click on Accounts
13. Add Privilege Access Users with View and Checkout Permissions
37. Fill out the Request Login Form and Click Submit
41. Right Click on payroll/ root account and select Request Checkout
42. Fill out the Request Checkout Form and Click Submit
61. Right Click on the payroll/ root account and Click Checkout
64. Right Click the payroll/ root account and Click Checkin
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
9. Use the Drop-Down Menu to select the Account Unlock Authentication Profile.
14. Click Ok
16. Under Active Directory Self Service Settings, select the Use These Credentials option
and enter the username and password for Alex Foster.
Username: afoster
Password: Centr1fy
Note that afoster is a Domain Admin in this lab. Outside the lab, use a dedicated service
account delegated only the unlock and reset-password rights this feature needs.
Switch to appserver.omicron.lab
18. Login to the system using the wrong password for jmiller until the account is locked
(three wrong attempts under the lab's lockout policy).
Switch to centrify.omicron.lab
20. Confirm the Security Question was requested after the password.
What about users whose accounts were locked and need their password
reset?
26. Under Password Reset, Enable Password Reset for Active Directory Users
27. Use the Drop-Down menu to select the Password Reset Authentication Profile.
Switch to appserver.omicron.lab
29. Login to the system using the wrong password for jmiller until the account is locked
(three wrong attempts under the lab's lockout policy).
Switch to centrify.omicron.lab
36. After entering your password, you will be prompted to answer the security question
again, to unlock the account.
Switch to appserver.omicron.lab
37. Login to the system using the NEW password for Joe Miller (jmiller) to confirm the
successful login.
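Added example (not from the lab guide): the PowerShell view of what steps 18 through 37 do by hand, so you can see the lockout counters move and fall back to an out-of-band unlock if the self-service flow is unavailable. It assumes the ActiveDirectory RSAT module on centrify.omicron.lab or dc.omicron.lab, the user jmiller and the domain controller dc.omicron.lab named in this guide; the wrong-password strings are made up.

```powershell
# Added example, not part of the Centrify lab guide. Run as afoster.
Import-Module ActiveDirectory
$user = 'jmiller'          # the account the guide locks out
$dc   = 'dc.omicron.lab'   # the domain controller from the environment description

function Get-LockoutState {
    param([string]$SamAccountName = $user)
    # badPwdCount and LastBadPasswordAttempt are kept per DC and are not replicated,
    # so ask the DC that handled the logons. LockedOut and LockoutTime are replicated.
    Get-ADUser -Identity $SamAccountName -Server $dc `
        -Properties LockedOut, badPwdCount, LockoutTime, LastBadPasswordAttempt |
      Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt,
        @{ n = 'LockedSince'; e = { if ($_.LockoutTime) { [DateTime]::FromFileTime($_.LockoutTime) } } }
}

function Invoke-BadPasswordAttempts {
    # Performs failed LDAP binds as the user. Each failure counts toward the lockout
    # threshold (3 in this lab), so this is the scripted equivalent of "log in with
    # the wrong password until the account is locked". Lab use only.
    param([string]$SamAccountName = $user, [int]$Attempts = 3)
    for ($i = 1; $i -le $Attempts; $i++) {
        $wrong = "not-the-password-$i"   # constructed, deliberately wrong
        $entry = [System.DirectoryServices.DirectoryEntry]::new(
            "LDAP://$dc", "omicron\$SamAccountName", $wrong)
        try {
            $null = $entry.NativeObject   # forces the bind; throws on bad credentials
        } catch {
            "Attempt ${i}: $($_.Exception.Message)"
        } finally {
            $entry.Dispose()
        }
    }
    Get-LockoutState -SamAccountName $SamAccountName
}

function Unlock-LabUser {
    # Out-of-band fallback for when the self-service portal cannot be used.
    param([string]$SamAccountName = $user)
    Unlock-ADAccount -Identity $SamAccountName -Server $dc
    Get-LockoutState -SamAccountName $SamAccountName
}

# Typical lab sequence: observe, lock, observe, then unlock via the portal (or here).
Get-LockoutState
Invoke-BadPasswordAttempts
```

Search-ADAccount -LockedOut -Server $dc lists every account currently locked. Because the lab sets a 10-minute lockout duration, the account unlocks itself if you wait too long between locking it and testing the self-service unlock, so run Invoke-BadPasswordAttempts again if LockedOut has already returned to False.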
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to appserver.omicron.lab
Username: afoster
Password: Centr1fy
Switch to centrify.omicron.lab
5. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
8. Click Dashboards
Click on the session and use the blue Actions button to watch the active session.
You can switch back to the appserver and type common UNIX commands; they will appear in
the monitored session as you type them.
11. Leave the active session open and return to the Admin Portal.
12. Select the active session and use the blue Actions button to terminate the session.
A message will appear on both the monitored session and on the secure remote session
running on the appserver indicating the session has been closed by the administrator.
For this exercise you will need to power up the domain controller
(dc.omicron.lab), the new Windows server (centrify.omicron.lab), the Windows Application
Server (appserver.omicron.lab), the Windows database Server (database.omicron.lab), and
the two (2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
4. Click Reports
11. Click OK
The report will be generated and downloaded. Open the report to view the report details.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).
1. Login to centrify.omicron.lab
Username: afoster
Password: Centr1fy
https://centrify.omicron.lab
Username: afoster@omicron.lab
Password: Centr1fy
6. Click Connectors
8. Click Save.