
Technical Training

Centrify Zero Trust Privilege


Core Edition

Lab Guide

Revision 2019-Q3-v19 ©2019 Centrify Corporation. All Rights Reserved

Centrify Zero Trust Privilege – Lab Guide


Centrify Corporation
http://www.centrify.com


Legal notice
This document and the software described in this document are furnished under and are subject to the
terms of a subscription license agreement or a non-disclosure agreement. Except as expressly set forth
in such subscription license agreement or nondisclosure agreement, Centrify Corporation provides this
document and the software described in this document “as is” without warranty of any kind, either express
or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular
purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions;
therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without
the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as
expressly set forth in such subscription license agreement or non-disclosure agreement, no part of this
document or the software described in this document may be reproduced, stored in a retrieval system,
or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written
consent of Centrify Corporation. Some companies, names, and data in this document are used for
illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein. These changes may be incorporated in new editions of this document.
Centrify Corporation may make improvements in or changes to the software described in this document
at any time.

© 2018 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party
or open source software. Copyright and legal notices for these sources are listed separately in the
Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf
of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in
accordance with 48 C.F.R. 227.7202-1 through 227.7202-4 (for Department of Defense (DOD)
acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the software and
documentation are being licensed to U.S. Government end-users (a) only as Commercial Items and (b)
with only those rights as are granted to all other end-users pursuant to the terms and conditions of the
subscription license agreement.

Centrify, Centrify Express, Centrify for Mobile, Centrify for SaaS, Centrify Identity Service, Centrify
Privilege Service, Centrify Server Suite, Centrify Suite, Centrify User Suite, DirectAudit, DirectAuthorize,
DirectControl, DirectControl Express, DirectManage, DirectManage Express and DirectSecure are
registered trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active
Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks
of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S.
Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,442,962 and 9,378,391.

The names of any other companies and products mentioned in this document may be the trademarks or
registered trademarks of their respective owners. Unless otherwise noted, all the names used as
examples of companies, organizations, domain names, people and events herein are fictitious. No
association with any real company, organization, domain name, person, or event is intended or should
be inferred.


About this Guide


This hands-on exercise guide will walk you through the fundamental features and functionality
of Centrify Privilege Access Service and Identity Platform. You will be working with several
computer systems as you complete each exercise; however, not all systems need to be
powered on during each lab exercise. Before each lab begins, you will be given initial instructions
on which systems are required. This is done to conserve resources in the virtual environment.

If you plan to use the training materials for in-house training, you can configure a training
environment in your network, but it is recommended to consider your network configurations and
security practices. This environment is for training purposes and will not match your network
environment.

During this training, you are the IT Administrator for Omicron Equipment Company. Omicron’s
network includes a Windows Active Directory domain controller, a Windows application server,
a Windows Database server, two (2) UNIX servers and a dedicated server for Centrify. The
configuration of this network environment is listed below.


Computer System Configuration

Hostname: DC.OMICRON.LAB
Hardware: 2 Processor, 4 GB RAM, 40 GB HDD
Software & Configuration: OS: Windows 2012 R2
1. Hostname Changed
2. IP Address Changed to Static
3. Active Directory Domain Services Installed
4. Active Directory Domain Controller Configured (omicron.lab)
5. DNS Configured with Reverse Lookup Zone
6. DNS Host Entries for UNIX Based Systems
7. Active Directory Certificate Services Installed
8. Active Directory Certificate Authority Configured (Enterprise CA Root)
9. Staff OU Added
10. AD Users and Groups Added (See AD Identities below)
11. Internet Explorer Enhanced Security Disabled
12. Firewall Disabled
13. Windows Update configured to check for updates without download.
14. Create PAS Host Certificate

Hostname: APPSERVER.OMICRON.LAB
Hardware: 2 Processor, 8 GB RAM, 40 GB HDD
Software & Configuration: OS: Windows 2012 R2
1. Hostname Changed
2. IP Address Changed to Static
3. System joined to omicron.lab domain
4. Secondary DNS added/ Configured
5. Internet Explorer Enhanced Security Disabled
6. Firewall Disabled
7. Windows Update configured to check for updates without download.
8. Silverlight Installed
9. Python Installed
10. Google Chrome Installed
11. User Access Control (UAC) disabled
12. Local Administrator Account Omicron-A Added (Password: Centr1fy)

Hostname: HELPDESK.OMICRON.LAB
Hardware: 2 Processor, 512 MB RAM, 12 GB HDD
Software & Configuration: OS: CentOS 6.6
1. Hostname Changed
2. IP Address Changed to Static
3. Name Server Configured to include AD DNS
4. Perl Installed
5. Users and Groups Installed (See UNIX Identities below)
6. RPM Installed
7. WGET Installed
8. Wheel/ Sudoer File edited
9. Centrify Repo file configured and added
10. sshd_config file modified (ChallengeResponse allowed)

Hostname: PAYROLL.OMICRON.LAB
Hardware: 2 Processor, 512 MB RAM, 12 GB HDD
Software & Configuration: OS: CentOS 6.6
1. Hostname Changed
2. IP Address Changed to Static
3. Name Server Configured to include AD DNS
4. Perl Installed
5. Users and Groups Installed (See UNIX Identities below)
6. RPM Installed
7. WGET Installed
8. Wheel/ Sudoer File edited
9. Centrify Repo file configured and added
10. sshd_config file modified (ChallengeResponse allowed)

Hostname: CENTRIFY.OMICRON.LAB
Hardware: 4 Processor, 16 GB RAM, 60 GB HDD
Software & Configuration: OS: Windows 2012 R2
1. Hostname Changed
2. IP Address Changed to Static
3. Internet Information Services (IIS) Installed
4. Internet Explorer Enhanced Security Disabled
5. Firewall Disabled
6. Windows Update configured to check for updates without download.
7. Active Directory Tools Added
   PS import-module servermanager
   PS add-windowsfeature rsat-adds-tools
   PS install-windowsfeature -name GPMC
8. Group Policy Tools added to Taskbar & Start
9. Active Directory Users and Computers added to Taskbar & Start
10. Services added to Taskbar & Start
11. Silverlight Installed
12. Python Installed
13. Google Chrome Installed
14. User Access Control (UAC) disabled
15. WINSCP installed

Hostname: DATABASE.OMICRON.LAB
Hardware: 2 Processor, 8 GB RAM, 50 GB HDD
Software & Configuration: OS: Windows 2012 R2
1. Hostname Changed
2. IP Address Changed to Static
3. MS SQL Server Installed with Reporting Services
4. Internet Explorer Enhanced Security Disabled
5. Firewall Disabled
6. Windows Update configured to check for updates without download.
7. Silverlight Installed
8. Python Installed
9. Google Chrome Installed
10. User Access Control (UAC) disabled


Active Directory Identities

Given Name | Username | Password | Group Memberships | AD Context
 |  |  | OMICRON_GRP_Auditors, OMICRON_GRP_Contractors, OMICRON_GRP_Finance, OMICRON_GRP_Helpdesk, OMICRON_GRP_IT, OMICRON_GRP_Sales, OMICRON_GRP_Security, OMICRON_GRP_UNIXAdmins, OMICRON_GRP_UNIXDBA, OMICRON_GRP_WindowsDBA |
Administrator | administrator | Centr1fy | Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, Schema Admins | OU=Users, DC=omicron, DC=lab
Alex Foster | afoster | Centr1fy | Domain Admins, Domain Users, Enterprise Admins, OMICRON_GRP_IT, OMICRON_GRP_Security | OU=Staff, DC=omicron, DC=lab
Amy Houston | ahouston | Centr1fy | Domain Users, OMICRON_GRP_Auditors | OU=Staff, DC=omicron, DC=lab
Ann Washington | awashington | Centr1fy | Domain Users, OMICRON_GRP_Sales | OU=Staff, DC=omicron, DC=lab
Bob Hughes | bhughes | Centr1fy | Domain Users, OMICRON_GRP_IT, OMICRON_GRP_Helpdesk | OU=Staff, DC=omicron, DC=lab
Bradley Adams | badams | Centr1fy | Domain Users, OMICRON_GRP_Sales | OU=Staff, DC=omicron, DC=lab
Brandon Michaels | bmichaels | Centr1fy | Domain Users, OMICRON_GRP_IT, OMICRON_GRP_Security | OU=Staff, DC=omicron, DC=lab
Carol Nichols | cnichols | Centr1fy | Domain Users, OMICRON_GRP_Contractors | OU=Staff, DC=omicron, DC=lab
Diego Martinez | dmartinez | Centr1fy | Domain Users, OMICRON_GRP_Contractors | OU=Staff, DC=omicron, DC=lab
Felipe Montoya | fmontoya | Centr1fy | Domain Users, OMICRON_GRP_Contractors | OU=Staff, DC=omicron, DC=lab
Jennifer Charles | jcharles | Centr1fy | Domain Users, OMICRON_GRP_IT, OMICRON_GRP_Helpdesk | OU=Staff, DC=omicron, DC=lab
Joe Miller | jmiller | Centr1fy | Domain Users, OMICRON_GRP_IT, OMICRON_GRP_Helpdesk | OU=Staff, DC=omicron, DC=lab
John Smith | jsmith | Centr1fy | Domain Users, OMICRON_GRP_IT, OMICRON_GRP_Security | OU=Staff, DC=omicron, DC=lab
Kim Rogers | krogers | Centr1fy | Domain Users, OMICRON_GRP_Finance, OMICRON_GRP_UNIXAdmins | OU=Staff, DC=omicron, DC=lab
Larry Patel | lpatel | Centr1fy | Domain Users, OMICRON_GRP_Finance | OU=Staff, DC=omicron, DC=lab
Laura Bennett | lbennett | Centr1fy | Domain Users, OMICRON_GRP_Contractors | OU=Staff, DC=omicron, DC=lab
Li Wang | lwang | Centr1fy | Domain Users, OMICRON_GRP_Finance | OU=Staff, DC=omicron, DC=lab
Linda Scott | lscott | Centr1fy | Domain Users, OMICRON_GRP_IT, OMICRON_GRP_Security | OU=Staff, DC=omicron, DC=lab
Mia Thompson | mthompson | Centr1fy | Domain Users, OMICRON_GRP_Auditors | OU=Staff, DC=omicron, DC=lab
Michael Perry | mperry | Centr1fy | Domain Users, OMICRON_GRP_Sales | OU=Staff, DC=omicron, DC=lab
Nancy Jenkins | njenkins | Centr1fy | Domain Users, OMICRON_GRP_Sales | OU=Staff, DC=omicron, DC=lab
Nelson Long | nlong | Centr1fy | Domain Users, OMICRON_GRP_Auditors | OU=Staff, DC=omicron, DC=lab
Robert Johnson | rjohnson | Centr1fy | Domain Users, OMICRON_GRP_IT, OMICRON_GRP_Helpdesk | OU=Staff, DC=omicron, DC=lab
Sam Nguyen | snguyen | Centr1fy | Domain Users | OU=Staff, DC=omicron, DC=lab
Wilson Spaulding | wspaulding | Centr1fy | Domain Users, OMICRON_GRP_Finance | OU=Staff, DC=omicron, DC=lab

UNIX Identities

Given Name | Username | Password | Group Memberships
ROOT | root | password1 |
Alex Foster | alex | Centr1fy | Wheel/Sudoers, Users for both systems
Kim Rogers | kim | Centr1fy | Users for both systems
Li Wang | wang | Centr1fy | Users for both systems
Sam Nguyen | sam | Centr1fy | Users for both systems
Larry Patel | larry | Centr1fy | Users for both systems
Wilson Spaulding | wilson | Centr1fy | Users for both systems
Bob Hughes | bob | Centr1fy | Users for Helpdesk Only
Robert Johnson | robert | Centr1fy | Users for Helpdesk Only
Jennifer Charles | jennifer | Centr1fy | Users for Helpdesk Only
Joe Miller | joe | Centr1fy | Users for Helpdesk Only


Additional Configurations:
AD Default Group Policy Changes:
• Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy
  o Minimum Password Age = 0
• Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
  o Account Lockout Threshold = 3 invalid logon attempts
  o Account Lockout Duration = 10 minutes
  o Reset account lockout counter after = 10 minutes


Table of Contents
1. Install Centrify Identity Platform
2. Install and Configure Centrify Connector
3. Customize and Configure Portal
4. Complete Global Configuration Settings
5. Configure Domain Administrative Account
6. Create and Configure Roles with Administrative Rights
7. Create and Configure Authentication Profiles
8. Import Systems Using Bulk Import Template
9. Configure Discovery Profiles
10. Create New Sets
11. Configure Properties for Local and Shared Accounts
12. Configure Secrets
13. Configure Multifactor Authentication for Secure Remote Login
14. Configure Multifactor Authentication for Password Check-out
15. Configure Request Workflow
16. Configure Account Unlock and Self Service
17. Manage Active Sessions
18. Configure and Run Reports
19. Dedicate Centrify Connector


Lab 1 - Install Centrify Identity Platform


Omicron Equipment Company has recently purchased Centrify Privilege
Access Service. IT Administrator Alex Foster has prepared a domain-joined
Windows server for the installation of the Centrify Identity Platform
inside the network. In this exercise, you will install the Centrify Identity Platform.

For this exercise you will need to power up the domain controller (dc.omicron.lab) and the new
Windows server (centrify.omicron.lab).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

STAGE 1: Install Centrify Identity Platform

2. Launch the Install Privilege Access Service shortcut found on the Desktop:

3. The Centrify Installation Wizard will be displayed.

Click Next

4. Accept the terms of the license agreement

Click Next

5. The License Information window will be displayed. A file containing the license
information is stored on the server in the following location:

C:\centrify\LicenseKey.txt

Without exiting the installation wizard, open the file, copy the company name, and
paste it into the corresponding section of the wizard.

Repeat this step with the license key.

Click Next


6. The Feature Selection will show you the installation options you can use. For this
training, you will perform an Evaluation installation.

No change is required. Click Next

7. The Centrify Identity Platform uses a PostgreSQL database, which can either be included in
the installation or be an existing instance that you point the installer to.

For this training, we will include it in the installation and a custom database is not
needed.

No change is required. Click Next

8. The destination folder will be set, and no further change is required.

Click Next.

9. The configuration of the installation is now complete.

Click Install to begin the process.

10. Once completed, you can move to STAGE 2 of the installation process.

Click Finish.

STAGE 2: PowerShell Configuration

11. Once the Installation of the Identity Platform is complete, PowerShell will
automatically launch.

You will be prompted to supply specific information to further configure the Identity
Platform.

Username of initial administrator account (default: admin@opie.demo)

Type: admin@omicron.lab

12. Enter the administrator email address (default: opiedemo@centrify.com)

Type: admin@omicron.lab

13. Enter and Verify the administrator password

Type and Confirm: Centr1fy


14. Enter the FQDN used for this service (default: centrify.omicron.lab)

Press Enter to use the default

15. You will then be asked if you want to supply a custom host certificate. One has been
provided and is stored in the folder below:

C:\centrify\vault-cert.pfx

Type Y to use the custom certificate and a folder selection will be displayed. Browse to
the folder, select the certificate, and Click Open.

The certificate does not require a password. Type N to continue.

16. A Folder selection will now be displayed to identify the service database location.

No change is required. Click Select Folder to continue.

A series of Microsoft C++ distribution tasks will begin and facilitate the configuration
process – PLEASE BE PATIENT.

17. Another folder Selection will be displayed to identify the location of the service setup/
recovery file.

No change is required. Click Select Folder to continue.

Additional tasks will execute and once completed the Internet browser will be
launched, navigating to the new Centrify Portal Login.

18. Login using the Admin Account created during steps 11-13 and confirm a successful
login into the portal.

Close the browser and PowerShell.


Lab 2 - Install and Configure Centrify Connector

In this exercise, you will connect the Omicron Active Directory Domain
to the Centrify Identity Platform by deploying a Centrify Connector.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).

1. Login to appserver.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Centrify Portal

https://centrify.omicron.lab/manage

3. Login using the administrator account created in Lab 1.

Username: admin@omicron.lab
Password: Centr1fy

PART I: Download and Install Centrify Connector Software

4. Close the Welcome Message by clicking Cancel.


On the left side of the page, Click Settings

5. Click Network

6. Under Centrify Connectors, Click the Add Centrify Connector button.

7. Under Download, Click the 64-bit link to download the Centrify Connector Software.

8. From the Downloads folder, launch the Cloud-Mgmt-Suite-win64.exe application.

9. The Centrify Installation Wizard will appear.

Click Next


10. Accept the terms of the license agreement and Click Next

11. The Centrify Connector Setup can be configured to install specific features and change
the storage location of the Connector software.

No change is required. Click Next

12. Now that the configuration of the installation has been completed, Click Install to begin
the process.

13. Once completed, you can move to the Centrify Connector Configuration.

Click Finish.

PART II: Centrify Connector Configuration Wizard

14. Once the Installation is complete, the Centrify Connector Configuration Wizard will
automatically launch.

Click Next

15. You will need to enter the following information to link the Centrify Connector to the
instance of Centrify Identity Platform.

Admin User Name: admin@omicron.lab

Admin Password:
Centr1fy

Centrify Service:
https://centrify.omicron.lab

16. The Web Proxy Configuration is used when a web proxy is required to communicate
with Identity Platform.

Web Proxy is not needed in this training. Click Next.

17. The Setup Properties Page is used to activate the Centrify Property Pages in all Active
Directory Administration Screens.

By default, the Property pages are active using the current user credentials (Enterprise
Admin Privilege compliant).

No change is required. Click Next.


18. Connector Configuration requires read permission to Deleted Objects in Active Directory.

Select the domain (omicron.lab) and Click Next.

To confirm the change, users will need to be owners of the Deleted Objects container.
Click Yes to confirm the change and continue.

19. The connector will use the configuration specified and register with the Centrify Identity
Platform.

Click Finish.

20. Click Close to close the Centrify Connector Control Panel.

PART III: Verify Centrify Connector Registration

21. In the Admin Portal, Click Close to close the Add Centrify Connector option.

22. Refresh the Centrify Connector Page by clicking the Admin Profile found at the top
right and Click Reload.

The newly installed connector will be displayed.


Lab 3 - Customize and Configure the Portal

In this exercise, you will customize the User Portal. Each user will have
specific web applications added to their portal but can also add their own applications.
Additionally, you will configure the portal with a custom color and logo.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

PART I: Customize the Color and Logo

4. Under Settings, Click General

5. Click Account Customization

6. Under General Options, Change the Color of the Portal Ribbon Accent Color

7. Under Login Image, Click Upload

8. Select the Login image found in the folder c:\Centrify

9. Under Portal Image, Click Upload

10. Select the Logo image found in the folder c:\Centrify


11. Change the Company Name

Type Omicron Equipment Company

12. Click Save

PART II: Configure Global Security Questions

13. Under Settings, Click Authentication

14. Click Security Questions

15. Click Add

16. Type in the question What is your Favorite Color?

Click OK

17. Click Add to add another question

18. Type the question What is your Favorite Sport?

Click OK

19. Under Access, Click Policies

20. Click Default Policy

21. Under User Security Policies, Click User Account Settings

22. Change the Enable Users to Configure Security Questions to Yes

23. Change the Required Number of Admin-Defined Questions to 2

24. Click Save

PART III: Confirm Configuration Changes

25. Complete the Security Questions for Alex Foster.

Once completed, logout of the portal.


26. Login to the Portal as the identities below and complete the Security Questions.

• Joe Miller (jmiller)
• Kim Rogers (krogers)
• Laura Bennett (lbennett)
• Linda Scott (lscott)

For Training Purposes, it is recommended you use the same answers to the security
questions. Use the space below to note your Security Questions and Answers.

1. What is your Favorite Color?

ANSWER: _________________________________________________________

2. What is your Favorite Sport?

ANSWER: _________________________________________________________

3. Custom Security Question: _______________________________________

ANSWER: _________________________________________________________


Lab 4 - Complete Global Configuration Settings

In this exercise, you will configure the global settings for the new
installation. This will include creating a new Centrify Directory Administrator, assigning global
account and system permissions, and global security settings.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: admin@omicron.lab
Password: Centr1fy

PART I: Create a New Centrify Directory User

4. Under Access, Click Users

5. Click Add User

6. Enter the required information for the new directory user:

Login Name:
OmicronSupport

E-Mail Address:
support@omicron.lab

Display Name:
Omicron Support Admin


Password (and Confirmation):


Centr1fy

Status:
Check Password never expires

Click Create User

7. Under Access, Click Roles

8. Click System Administrator

9. Click Members

10. Click Add

11. Search for the new user (OmicronSupport)

Click Add

12. Click Add

13. Search for user Alex Foster (afoster@omicron.lab)

Click Add

14. Click Save

PART II: Assign Global Account Permissions

15. Under Access, Click Global Account Permissions

16. Click Add

17. Add Omicron_GRP_Security Group

18. Check the following permissions for the added group:

Grant, View, Checkout, Login, Edit, Delete, Update Password, Rotate

19. Click Save


PART III: Assign Global System Permissions

20. Under Access, Click Global System Permissions

21. Click Add

22. Add Omicron_GRP_Security Group

23. Check the following permissions for the added group:

Grant, View, Manage Session, Edit, Delete

24. Click Save

PART IV: Configure Security Settings

25. Under Settings, Click Resources

26. Click Security Settings

27. Under Global Account Security, Enable periodic password rotation at specified interval
for 90 days.

28. Under Global System Security, check the box to allow access from a public network
(web client only)

29. Click Save

PART V: Grant Permissions to Domain

30. Under Resources, Click Domains

31. Click the omicron.lab domain

32. Click Permissions

33. Click Add

34. Add Omicron_GRP_Security Group


35. Check the Add Account permission for the added group.

36. Click Save


Lab 5 - Configure Domain Administrative Account

In this exercise, you will need to configure a Domain Administrative
Account.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab). Approximate time to complete (5-10 minutes)

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Under Resources, Click Domains

5. Click the omicron.lab domain

6. Click Settings

7. Click Select

8. Select Active Directory Option and Click Select

9. Search for and add Alex Foster (afoster@omicron.lab)

10. Enter the password for Alex (Centr1fy)

11. Click the blue Select button to save the changes.

12. Click Save


Lab 6 - Create and Configure Roles with Administrative Rights

In this exercise, you will configure roles with Administrative Rights for
selected Active Directory Groups.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal as Alex Foster

Username: afoster@omicron.lab
Password: Centr1fy

PART I: Create Privilege Access Admin Role

4. Under Access, Click Roles

5. Click Add Role

6. Type in the name of the role Privilege Access Admins

7. Type in the description


Full administrative rights for Privilege Access

8. Click Members

9. Click Add

10. Add Domain Admins


11. Click Administrative Rights

12. Click Add

13. Select Privilege Access Service Administrator

This administrative right grants members access to all Infrastructure tab menus and permissions
in the Admin Portal. Members will be granted view, add, and remove system and account
permissions. Additionally, members can grant permissions to other users for specific systems
and accounts they add to the identity platform.

14. Click Add

15. Click Save

PART II: Create Privilege Access Power Users Role

16. Under Access, Click Roles

17. Click Add Role

18. Type in the name of the role Privilege Access Power Users

19. Type in the description


Limited administrative rights for Privilege Access

20. Click Members

21. Click Add

22. Add Omicron_GRP_Helpdesk

23. Click Administrative Rights

24. Click Add

25. Select Privilege Access Service Power Users

This limited administrative right grants members access to all Infrastructure tab menus and
permissions in the Admin Portal. Members are granted view permission on all systems and
accounts. Users cannot add systems or account information and must either request
access to accounts via workflow or be granted explicit permissions by a user with grant
permissions.


26. Click Add

27. Click Save

PART III: Create Privilege Access Service User Role

28. Under Access, Click Roles

29. Click Add Role

30. Type in the name of the role Privilege Access Service Users

31. Type in the description


Limited administrative rights for Windows Services and UNIX Systems

32. Click Members

33. Click Add

34. Add Omicron_GRP_Contractors and Omicron_GRP_Finance

35. Click Administrative Rights

36. Click Add

37. Select Privilege Access Service Users

This right grants members access to a limited set of Infrastructure tab menus and permissions
in the Admin Portal. Members will be granted view only system and account permissions they
have been explicitly granted. Users cannot add systems or account information.

38. Click Add

39. Click Save


Lab 7 - Create and Configure Authentication Profiles

In this exercise, you will prepare the environment to use Multifactor
Authentication (MFA).
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Under Settings, Click Authentication

5. Click Authentication Profiles

6. Click Add Profile

7. Name the Profile Omicron MFA Profile

8. Under the Authentication Mechanisms:

Set Challenge 1 – Click Password

Set Challenge 2 – Click Security Questions leaving the default number of questions set
at one (1).

Change the Challenge Pass-Through Duration to No Pass Through

9. Click OK


Lab 8 - Import Systems using Bulk Import Template

Now it is time to bring systems into the Centrify Identity Platform. In this
exercise you will use the Bulk Import Template to import domain controller.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), and the Windows Application Server
(appserver.omicron.lab).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Under Resources, Click Systems

5. Click Import

6. Click the link to download the Bulk System Import Template

Leave the browser open to this section – we will revisit it to complete the import.

7. Open the file using Notepad and add to the bottom the following information:

appserver.omicron.lab, appserver.omicron.lab, Windows, Windows Application Server and Centrify Connector,,,,Administrator,Centr1fy,FALSE,FALSE,Applications for Omicron

8. Remove all other hosts leaving only the header line and the Appserver information.

9. Save the file C:\Centrify\servimport.csv

10. Return to the Admin Portal, click browse and select the updated template file


11. Click import

12. Use the profile menu at the top right to reload the page and confirm the system has been
added.


Lab 9 - Configure Discovery Profiles


In this exercise, you will import systems into the Centrify Identity
Platform using a Discovery Profile.
For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Under Discovery, Click System and Accounts

5. Click Profiles

PART I: Configure Active Directory Discovery

6. Click Add Profile

7. Name the Profile Discovery Active Directory Systems

8. Under Discovery Method, Active Directory

9. Click Select button to add the account to facilitate the discovery

10. Search and Select afoster@omicron.lab

11. Check the domain that will be the scope of the discovery.

12. Click Save


PART II: Configure Network Scan Discovery

13. Click Add Profile

14. Name the Profile Discovery Network Scan Discovery

15. Under Discovery Method, Port Scan

16. Click Add

17. Under Scope Method, choose IP Range and add 10.160.0.30 to 10.160.0.31

18. Under Discovery Accounts, use the dropdown and select Add Discovery Account

19. Name the Discovery Account UNIX ROOT

20. Enter the username and password of the UNIX root account.

Username: root
Password: password1

21. Click Done

22. Click Add to add UNIX ROOT to the Account List

23. Click Done

24. Click Save

25. Right click on each Discovery Profile and Select Run

The status of the process will be shown at the far right. Use the User Profile Menu to reload the
page. Only one profile can be run at a time. This process will take a couple of minutes, PLEASE
BE PATIENT. After the first is completed you can run the second profile.

26. Once the Discovery Profile has a Ready Status, navigate to Resources and Click
Systems

The system appserver.omicron.lab is already shown in the list. Confirm that
centrify.omicron.lab, database.omicron.lab, helpdesk.omicron.lab, payroll.omicron.lab, and
dc.omicron.lab are also listed.

Use the User Profile Menu at the top right to reload the page.


Lab 10 - Create New Sets


Now that you have your systems in the Centrify Identity Platform, you can
group them into sets. In this exercise, you will group the Windows
systems into a specific set and the UNIX systems into a separate set.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

PART I: Create New Sets

4. Under Resources, Select Systems

5. On the right-hand side of the systems list is a Sets list. Click Windows Systems to
confirm the system list is filtered to only display Windows servers.

6. Click the Add button to Add a New Set

7. Name the Set Omicron UNIX Systems

8. Click Save

9. Click the Add button again to add another New Set

10. Name the Set Omicron Domain Controllers

11. Click Save


12. Select the Helpdesk and Payroll system and Use the Blue Actions button to Add to Set

13. Using the Sets Drop Down, Select Omicron UNIX Systems

14. Click Save

15. Click the dc.omicron.lab system and select Add to Set

16. Using the Sets Drop Down, Select Omicron Domain Controllers

17. Click Save

PART II: Apply Member Permissions to Sets

18. Domain Controllers should only be available to Domain Admins. Right Click on the
Omicron Domain Controllers Set and select Modify

19. Click Member Permissions and Click Add

20. Search and Add Domain Admins

21. Grant the View and Manage Session permissions to the Domain Admins Group

22. Click Save.

23. Right Click on the Omicron UNIX Systems Set and Select Modify

24. Click Member Permissions and Click Add

25. Search and Add Omicron_GRP_Helpdesk and Privilege Access Service User Role

26. Confirm the View Permission to the Omicron_GRP_Helpdesk and Privilege Access
Service User Role

27. Click Save

PART III: Confirm Visibility to Sets

28. Logout of the Admin Portal as Alex Foster (afoster)

29. Login in as Omicron_GRP_Helpdesk member Joe Miller (jmiller@omicron.lab)


30. Under Resources, Click Systems

31. Examine the list of systems

a. How many systems are shown in the list?


(answer should be 6)

b. Is there a Set for Omicron UNIX Systems?


(answer should be NO)

c. Is there a Set for Omicron Domain Controllers?


(answer should be NO)

PART IV: Assign Permissions to the Set

32. Logout of the Admin Portal and Re-Login as Alex Foster (afoster)

33. Under Resources, Click Systems

34. Right Click on Omicron Unix Systems and select Modify

35. Click Permissions

36. Click Add

37. Search and Add Omicron_GRP_Helpdesk

38. Confirm the View Permissions to the Omicron_GRP_Helpdesk

39. Click Save

40. Repeat Steps 29-32 (Part III)

Did your original answers change? (Hint… They should slightly)

a. How many systems are shown in the list?


SIX (6). The systems are visible because Omicron_GRP_Helpdesk was assigned the
Privilege Access Power Users Role which gives them visibility to all systems.

b. Is there a Set for Omicron UNIX Systems?


Yes. The Permission changes have made the set visible to the members of the group.

c. Is there a Set for Omicron Domain Controllers?


No. No permission changes were made to this set.
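
The answers above turn on the difference between a set's own Permissions and its Member Permissions. The following sketch is an added example, not Centrify code and not part of the original lab guide: it models that behaviour with the lab's group, role and system names. The data structures, the function names, and Laura Bennett's group membership (inferred from Lab 12) are assumptions.

```python
# Simplified model of the visibility rules exercised in Lab 10 (added example,
# not Centrify code). Names of groups, roles and systems come from the lab;
# everything else is a hypothetical structure chosen for illustration.
from dataclasses import dataclass, field

SYSTEMS = frozenset({"dc", "centrify", "appserver", "database", "helpdesk", "payroll"})

# Role name -> (administrative right, member groups), as configured in the
# role-creation lab earlier in this guide.
ROLES = {
    "Privilege Access Admins": ("admin", {"Domain Admins"}),
    "Privilege Access Power Users": ("power_user", {"Omicron_GRP_Helpdesk"}),
    "Privilege Access Service Users": ("service_user",
                                       {"Omicron_GRP_Contractors", "Omicron_GRP_Finance"}),
}

# jmiller's group is stated in Lab 10; lbennett's is an assumption inferred from Lab 12.
USER_GROUPS = {
    "jmiller": {"Omicron_GRP_Helpdesk"},
    "lbennett": {"Omicron_GRP_Contractors"},
}


@dataclass
class SystemSet:
    name: str
    members: set
    # Rights on the set object itself (the "Permissions" tab).
    set_permissions: dict = field(default_factory=dict)
    # Rights applied to every system in the set (the "Member Permissions" tab).
    member_permissions: dict = field(default_factory=dict)


def principals(user):
    """Groups the user belongs to plus every role those groups are members of."""
    groups = USER_GROUPS[user]
    roles = {name for name, (_, members) in ROLES.items() if members & groups}
    return groups | roles


def admin_rights(user):
    groups = USER_GROUPS[user]
    return {right for right, members in ROLES.values() if members & groups}


def visible_systems(user, sets):
    """Admin and Power User rights see every system; Service Users only explicit grants."""
    if admin_rights(user) & {"admin", "power_user"}:
        return set(SYSTEMS)
    who = principals(user)
    seen = set()
    for s in sets:
        if any("View" in rights for p, rights in s.member_permissions.items() if p in who):
            seen |= s.members
    return seen


def visible_sets(user, sets):
    """A set is listed only when the user holds View on the set object itself.
    (The set creator's own visibility is not modelled.)"""
    who = principals(user)
    return sorted(s.name for s in sets
                  if any("View" in rights for p, rights in s.set_permissions.items() if p in who))


def lab_state(part_iv_applied):
    """Sets as configured after Part II, optionally with the Part IV grant."""
    unix = SystemSet("Omicron UNIX Systems", {"helpdesk", "payroll"})
    dcs = SystemSet("Omicron Domain Controllers", {"dc"})
    dcs.member_permissions["Domain Admins"] = {"View", "Manage Session"}
    unix.member_permissions["Omicron_GRP_Helpdesk"] = {"View"}
    unix.member_permissions["Privilege Access Service Users"] = {"View"}
    if part_iv_applied:
        unix.set_permissions["Omicron_GRP_Helpdesk"] = {"View"}
    return [unix, dcs]


if __name__ == "__main__":
    for label, applied in (("after Part II", False), ("after Part IV", True)):
        sets = lab_state(applied)
        for user in ("jmiller", "lbennett"):
            print(label, user, len(visible_systems(user, sets)), visible_sets(user, sets))
```

In this model a Service Users member such as lbennett sees only the two UNIX systems and no sets, which is why a Member Permissions grant alone is enough to expose systems but not the set that contains them.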


Lab 11 - Configure Properties for Local and Shared Accounts

In this exercise, you will configure local and shared accounts with
permissions for specific groups.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Under Resources, Click Systems

PART I: Configure a Local Windows Account

5. Click on the appserver system and under Accounts, Click Add

6. Add the Omicron-A Username and Password

Username: Omicron-A
Password: Centr1fy

7. Click the checkbox to Manage The Password

8. Click Add

9. Click on the new Local Account


10. Under Permissions, Click Add

11. Add the Privilege Access Power Users role

12. Add the view, checkout and login permissions to the Privilege Access Power Users role

13. Click Save

PART II: Configure Local UNIX Account

Note: You must also set the View permission on the server in order to use the
privileged account.

14. Under Resources, Click Systems.

Click the helpdesk.omicron.lab system

15. Under Permissions, confirm Privilege Access Service Users has View Permissions

16. Under Resources, Click Systems

Click the payroll.omicron.lab system

17. Under Permissions, confirm Privilege Access Service Users has View Permissions

18. Click Accounts, Click Add

19. Add the root account username and password (Password: password1)

20. Do Not Check the Manage This Password Option

21. Click Add

22. Click on the new root account

23. Under Permissions, Click Add

24. Add the Privilege Access Users role

25. Add the view and login permissions to the Privilege Access Users role

26. Click Save


27. Under Resources, Click Systems.

28. Click on the helpdesk.omicron.lab system and under Accounts, Click Add

29. Add the root account username and password (Password: password1)

30. Check the Manage This Password Option

31. Click Add

32. Click on the new root account

33. Under Permissions, Click Add

34. Add the Privilege Access Users role

35. Add the view and Checkout permissions to the Privilege Access Users role

36. Click Save

PART III: Confirm Configuration

37. Logout of the Admin Portal

38. Login as Joe Miller (Jmiller@omicron.lab) (Password:Centr1fy)

39. Under Resources, Click Accounts

40. Right click on the Appserver/ Omicron-A account and select Checkout

41. Click Show Password


Since the password is managed, the original password used has been changed.

42. Close the password dialog and right click the account once again and select check-in

43. Logout of the Admin Portal

44. Login as Kim Rogers (krogers@omicron.lab) (Password:Centr1fy)

45. Under Resources, Click Accounts

46. Right Click on the payroll/Root account and select Login


47. If successful a secure remote login session will be established without relinquishing the
root password to the user.

48. Close the remote session and logout of the Admin Portal


Lab 12 - Configure Secrets


The Helpdesk team currently distributes software license keys to users upon
request and approval. In this exercise, you will add software license keys to
the Centrify Identity Platform as Secrets – providing permissions to the
Contractors and IT groups.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

PART I: Create Secret Text

1. Under Resources, Navigate to Secrets and Click Add Secret

2. Name the secret Office 365 License

3. Add a Description Office 365 Local Installation License Key

4. Change the Type to Text and Click Enter Text

5. Type F1Y0U-AR3NT-VA1LD-S33D3-K3YXX in the Secret Text Area

6. Click Permissions

7. Click Add

8. Add Omicron_GRP_Contractors


9. Grant the Omicron_GRP_Contractors Group View and Retrieve Secret Permissions

10. Click Save

PART II: Creating a Secret File

11. Click Add Secret

12. Name the Secret Centrify License

13. Click Select File

14. Locate the LicenseKey.txt file used during the installation of the Identity Platform
(C:\Centrify)

15. Click Save

PART III: Creating Secret Folders

16. Click Add Folder

17. Name the Folder Software Licenses

18. Add a Description “Folder for Software License Keys”

19. Click Folder Permissions

20. Click Add

21. Add Omicron_GRP_IT with View and Add Permissions

22. Click Member Permissions

23. Click Add

24. Add Omicron_GRP_IT with View, Edit and Retrieve Secret Permissions

25. Click Save

26. Click on each secret and select Move

27. Move the secrets to the Software Licenses Folder


PART IV: Confirm Configuration

28. Logout of the Admin Portal and login as Joe Miller (jmiller) (Password: Centr1fy)

29. Under Secrets, Click Software Licenses

QUESTION #1: Does Joe have access to both Secrets? YES OR NO

YES. Joe's membership in the Omicron_GRP_IT group gives him access to the secrets as
members of the folder.

30. Logout of the Admin Portal and login as Laura Bennett (lbennett) (Password: Centr1fy)

31. Right click on the Office 365 Secret and select Retrieve Secret

32. Click Show Text

33. QUESTION #2: Can Laura view the Software Licenses Folder? YES OR NO

NO. Laura had permission to see secrets, not the folder.

QUESTION #3: How many Secrets does Laura have access to? ___________
One (1). Laura was only given permission to see one secret, not both.

34. Click Cancel and logout of the Admin Portal.


Lab 13 - Configure Multifactor Authentication for Secure Remote Login

In this exercise, you will configure a policy with an Authentication Profile
with multifactor authentication for all users accessing the application server
(appserver.omicron.lab).

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Under Resources, Click Systems

5. Click appserver.omicron.lab

6. Click Policy

7. Under Default System Login Profile Use the Drop Down and Select Omicron MFA
(Authentication Profile created in Lab 7)

8. Click Save

9. Logout of the Admin Portal

10. Login to the User Portal as Joe Miller (JMiller@omicron.lab) (Password:Centr1fy)

11. Under Resources, Click Systems


12. Right Click appserver.omicron.lab and click Select/ Request Account

13. Click on Omicron-A and Click Select

14. Prior to logging in you will be prompted to answer a Security Question

15. Once you answer the security question, enter your password and confirm you are
securely logged in to the system.

16. Close the Remote session

17. Logout of the Admin Portal


Lab 14 - Configure Multifactor Authentication for Password Checkout

In this exercise, you will configure multifactor authentication for the root
account of the payroll system.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Under Resources, Click Accounts

5. Click helpdesk.omicron.lab/ root account

6. Click Policy

7. Under Default System Login Profile Use the Drop Down and Select Omicron MFA
(Authentication Profile created in Lab 7)

8. Click Save

9. Logout of the Admin Portal

10. Login to the Admin Portal as Laura Bennett (lbennett@omicron.lab) (Password:Centr1fy)

11. Under Resources, Click Accounts


12. Right Click helpdesk.omicron.lab/root account and Checkout

13. Prior to having the options to view or copy the password, you will be prompted to answer
a Security Question

14. Once you answer the security question, enter your password and confirm you can
retrieve the password.

15. Right Click helpdesk.omicron.lab/root account and Checkin

16. Logout of the Admin Portal


Lab 15 - Configure Request Workflow


In this exercise, you will configure request workflow for the finance team to
perform secure remote login into the payroll system – without providing
the shared account password.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

PART I: Configure Workflow on Privilege Accounts

4. Under Resources, Click Systems

5. Click on appserver.omicron.lab

6. Click on Permissions

7. Click Add

8. Add Privilege Access Users with View Permissions

9. Click on Accounts

10. Click Omicron-A account

11. Click Permissions


12. Click Add

13. Add Privilege Access Users with View and Checkout Permissions

14. Click Save

PART II: Configure Windows Account for Workflow

15. Click appserver.omicron.lab/ Omicron-A account

16. Click Workflow

17. Change Enable Account Workflow to Yes

18. Click Add

19. Change the Approver Type to Specified User or Role

20. Click Add

21. Search and add Alex Foster AFoster@omicron.lab

22. Click Save

PART III: Configure UNIX ROOT Account for Workflow

23. Under Resources, Click Accounts

24. Click payroll.omicron.lab/ root account

25. Click Workflow

26. Change Enable Account Workflow to Yes

27. Click Add

28. Change the Approver Type to Specified User or Role

29. Click Add

30. Search and add Alex Foster (afoster)


31. Click Save

PART IV: Test Workflow

32. Logout of the Admin Portal

33. Login as Laura Bennett (LBennett)

34. Under Resources, Click Systems

35. Right Click on appserver.omicron.lab and Click Select/ Request Account

36. Click on Omicron-A and click Select

37. Fill out the Request Login Form and Click Submit

38. Logout of Admin Portal

39. Login to Admin Portal as Kim Rogers (krogers)

40. Under Resources, Click Accounts

41. Right Click on payroll/ root account and select Request Checkout

42. Fill out the Request Checkout Form and Click Submit

43. Logout of Admin Portal

44. Login as Alex Foster (AFoster)

45. Under Access, Click Requests

46. Click on each Pending Request

47. Click Approve (Each request must be addressed individually)

48. Click Submit

49. Logout of Admin Portal

50. Login as Laura Bennett (LBennett)

51. Under Access, Click Requests


52. Confirm the Request has been approved

53. Under Resources, Click Accounts

54. Right click on appserver.omicron.lab/ Omicron-A account and Select Login

A Secure Remote Session will now be established.

55. Close the Session

56. Logout of Admin Portal

57. Login as Kim Rogers (KRogers)

58. Under Access, Click Requests

59. Confirm the Requests have been approved

60. Under Resources, Click Accounts

61. Right Click on the payroll/ root account and Click Checkout

62. Click Show Password to see the current password.

63. Click Close

64. Right Click the payroll/ root account and Click Checkin

65. Log Out of Admin Portal


Lab 16 - Configure Account Unlock and Self-Service

In this exercise, you will configure account unlock and password self-service
using multifactor authentication.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Under Access, Click Policies

5. Click Default Policy

6. Under User Security Policies, Click Self Service

7. Under Account Unlock, Click Enable Account Unlock

8. Click Allow for Active Directory

9. Use the Drop-Down Menu to select the Account Unlock Authentication Profile.

Select Add New Profile

10. Name the New Profile Omicron Account Unlock

11. Set Challenge 1 to use two (2) Security Questions


12. Do not set Challenge 2

13. Set the Challenge Pass-through to 10 minutes.

14. Click Ok

15. Click Save

16. Under Active Directory Self Service Settings, Select the Use These Credentials option
and enter the username and password for Alex Foster.

Username: afoster
Password: Centr1fy

17. Click Save

Switch to appserver.omicron.lab

18. Login to the system using the wrong password for jmiller until the account is locked.

Switch to centrify.omicron.lab

19. Login to the Admin Portal as JMiller

20. Confirm the Security Question was requested after the password.

What about users whose accounts were locked and need their password
reset?

21. Logout of the Admin Portal

22. Login to the Admin Portal as Alex Foster (afoster)

23. Under Access, Click Policies

24. Click Default Policy

25. Under User Security Policies, Click Self Service

26. Under Password Reset, Enable Password Reset for Active Directory Users


27. Use the Drop-Down menu to select the Password Reset Authentication Profile.

Select Omicron Account Unlock

28. Click Save

Switch to appserver.omicron.lab

29. Login to the system using the wrong password for jmiller until the account is locked.

Switch to centrify.omicron.lab

30. Logout of the Admin Portal

31. Login to the Admin Portal as Joe Miller (JMiller)

32. Click Forgot Password

33. Answer the Security Questions and Click Next

34. Type and Confirm New Password ZeroTru5t

35. Once your Password is changed, Click Start Over to relogin

36. After entering your password, you will be prompted to answer the security question
again, to unlock the account.

Switch to appserver.omicron.lab

37. Login to the system using the NEW password for Joe Miller (jmiller) to confirm the
successful login.


Lab 17 - Manage Active Sessions


In this exercise you will open an active session to monitor the live activity
and terminate all sessions still active.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to appserver.omicron.lab

Username: afoster
Password: Centr1fy

2. Login to the Admin Portal as Kim Rogers (KRogers)

3. Under Resources, Click Accounts

4. Right Click on the payroll/ root account and select Login.

A secure remote session will be displayed.

Switch to centrify.omicron.lab

5. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

6. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

7. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

8. Click Dashboards

9. Change the Dashboard to Overview


10. In the lower right corner are the active sessions.

Click on the session and use the blue Actions button to watch the active session.

You can switch back to the appserver and type common UNIX commands and they will
appear in the monitored session.

Terminate the Active Session

11. Leave the active session open and return to the Admin Portal.

12. Select the active session and use the blue Actions button to terminate the session.

A message will appear on both the monitored session and on the secure remote session
running on the appserver indicating the session has been closed by the administrator.


Lab 18 - Configure and Run Reports


In this exercise, you will run selected reports.

For this exercise you will need to power up the domain controller
(dc.omicron.lab), the new Windows server (centrify.omicron.lab), the Windows Application
Server (appserver.omicron.lab), the Windows database Server (database.omicron.lab), and
the two (2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Click Reports

5. Click Built-in reports

6. Click Effective Rights

7. Click User to Object and Check Systems

8. Use the blue Actions button and click Export Report

9. Select CSV Format and enter a name for the report.

10. From the list of available systems, select the appserver

11. Click OK

The report will be generated and downloaded. Open the report to view the report details.


Lab 19 - Dedicate Centrify Connector


In this exercise you will dedicate a specific Centrify Connector to the payroll
system.

For this exercise you will need to power up the domain controller (dc.omicron.lab), the new
Windows server (centrify.omicron.lab), the Windows Application Server
(appserver.omicron.lab), the Windows database Server (database.omicron.lab), and the two
(2) UNIX systems (helpdesk and payroll).

1. Login to centrify.omicron.lab

Username: afoster
Password: Centr1fy

2. Open the Internet browser and navigate to the Admin Portal.

https://centrify.omicron.lab

3. Login to the Admin Portal using the Centrify administrator account

Username: afoster@omicron.lab
Password: Centr1fy

4. Under Resources, Click Systems

5. Click the payroll.omicron.lab system

6. Click Connectors

7. Change the Connector option to choose and select the appserver.

8. Click Save.


©2019 Centrify Corporation. All Rights Reserved


©2019 Centrify Corporation. All Rights Reserved

S-ar putea să vă placă și