Yubico with Centrify for Mac - Deployment Guide

CENTRIFY DEPLOYMENT GUIDE

Yubico with Centrify for Mac - Deployment Guide

Abstract

Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of your corporate identity and access infrastructure. Our thorough approach to availability, reliability, scalability, security and privacy ensures that you can depend on Centrify as a trusted partner and provider.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2015 Centrify Corporation. All rights reserved. Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

© 2016 CENTRIFY CORPORATION. ALL RIGHTS RESERVED

Contents

Overview
    Centrify can leverage the YubiKey for use cases such as
    Key Benefits
Preparing your YubiKey
    Preparing your CA Server for YubiKey for Certificate based authentication
    Preparing your YubiKey for Certificate based authentication
Preparing your Centrify Tenant for YubiKey authentication
    Preparing your Centrify tenant for Certificate based authentication
    Preparing your Centrify tenant for OATH-HOTP
    Preparing your YubiKey for OATH-HOTP authentication
    Preparing your Centrify tenant for OATH-HOTP continued
Using your YubiKey for Certificate based authentication
Using your YubiKey for OATH-OTP authentication
Contact Centrify

Overview

As Verizon's 2016 Data Breach Investigations Report documents, nearly half of security incidents involve compromised credentials. Instead of burrowing through firewalls, attackers simply walk in the front door with stolen keys: usernames and passwords. Once logged in, attackers branch out through the enterprise. As users increasingly embrace mobile devices and organizations move applications into the cloud, the risk grows. Attackers have even more user, system and application identities to target.

How can organizations secure enterprise identities against cyberthreats that target today's hybrid IT environment of mobile, cloud and on-premises resources? Multi-factor authentication (MFA) is quickly emerging as the solution of choice. And yet, even MFA is only as good as the breadth of applications and systems it supports. Attackers target all users. Stealing an end user's password allows them a foothold inside the organization, from which they seek out privileged accounts to get to servers and data.

Organizations need MFA everywhere: across all users (end users and privileged users) and across all systems (VPN, cloud and on-premises applications, servers and privileged commands). Only then can MFA protect organizations against the leading point of attack in data breaches: compromised credentials.

Yubico and Centrify together provide context-based, adaptive authentication across all enterprise users and resources. Whether it's for PIV-based authentication, OATH one-time passwords, or as a physical NFC token for mobile devices, Centrify and Yubico provide IT the flexibility to enforce security without user frustration.

Centrify can leverage the YubiKey for use cases such as:

- Smartcard AD-based login to Mac or Linux
- Re-authentication for privilege escalation on Windows
- Smartcard login to Centrify's cloud service for SSO, secure remote access, or administration
- YubiKey OATH OTP as a second factor for secure SSO to individual cloud applications, or to a portal of cloud apps
- YubiKey as OATH OTP for MFA to servers for privileged session control
- YubiKey as physical NFC token for MFA to secure access to apps on mobile devices

Key Benefits

- Simplify security: One platform secures all your users, and one YubiKey enables MFA across devices, apps, and servers
- Speed adoption: Users get secure access to the apps they need, from the devices they choose, without training or confusion
- Save cost: Eliminate helpdesk calls for password reset thanks to secure SSO across devices
- Meet regulations: Enable BYOD while still complying with NIST regulations requiring smartcard authentication

Preparing your YubiKey for Certificate authentication

Yubico Documentation: https://www.yubico.com/support/documentation/
Yubico Downloads: https://www.yubico.com/support/download/
Yubico Tech Support: https://www.yubico.com/support/contact/

Preparing your CA Server for YubiKey for Certificate based authentication

To enable certificate based authentication you need to configure your Certificate Authority to issue Smart Card User certificates. This chapter outlines the steps to create a Smart Card User certificate template.

1. Log on to your Certificate Authority server
2. Start the Certificate Authority snap-in
3. Within the CA snap-in, right click on Certificate Templates and click on Manage
4. Right click on the Smart Card User template and click on Duplicate Template
5. Under the General tab, change the name of the template
6. Under the Request Handling tab, select Allow private key to be exported and Prompt the user during enrollment
7. Under the Security tab, select Allow for the Enroll permission for Authenticated Users
8. Under the Subject Name tab, select Common Name from the Subject name format dropdown menu and click OK
9. Back in the Certificate Authority snap-in, right click on Certificate Templates and select New > Certificate Template to Issue
10. Select the certificate template you just created

Preparing your YubiKey for Certificate based authentication

Yubico Documentation: https://www.yubico.com/support/documentation/

1. Generate a user authentication certificate using the template as described in the previous chapter

NOTE: There are different ways to generate user authentication certificates. It is beyond the scope of this document to provide detailed instructions on all possible methods, so it focuses on only one of the methods available. In this document we use a Windows system to request the user authentication certificate.

2. Log on to a Windows domain-joined system with the user account for which you want to create a user authentication certificate
3. Click on Start and type mmc
4. Click on mmc to start the Microsoft Management Console
5. Within the mmc, click on File and select Add/Remove Snap-in
6. Select Certificates and click on Add
7. Select My user account and click on Finish
8. Click on OK
9. Within the mmc console, right click on Personal and select All Tasks > Request New Certificate
10. Click on Next to continue
11. Select Active Directory Enrollment Policy and click on Next
12. Select the certificate template created in the previous chapter and click on Enroll
13. Browse to the certificate in Certificates - Current User > Personal > Certificates, right click on the new Smart Card Logon certificate and click on Open
14. Select the Details tab and click on Copy to File
15. On the wizard prompt, click on Next to continue
16. Select Yes, export the private key and click on Next
17. Leave the default settings and click on Next
18. Enter a password for the certificate and click on Next
19. Save the file to your local hard drive with a descriptive filename
20. Click on Finish to complete the export process
21. You should now have a pfx certificate file on your local system
22. Download the YubiKey Personalization Tools and PIV Manager from the Yubico download site at https://www.yubico.com/support/download/ and install them on the system from which you will authenticate
23. Start the Yubico PIV Manager
24. After starting the PIV Manager, insert your YubiKey into a USB slot on your system
25. You will be prompted to enter a 6-8 character PIN at first plug-in. Enter a PIN and click OK
26. Within the PIV Manager, click on Certificates
27. Select Import from file
28. Confirm the warning to continue
29. Select the user authentication certificate you created earlier and click on Open
30. Enter the password you configured during export of the certificate
31. Confirm the message to continue
32. You should now see the certificate in the PIV Manager with the YubiKey plugged in

Preparing your Centrify Tenant for YubiKey authentication

Depending on which authentication method you want to use, there are different steps you need to take to prepare your Centrify tenant for Yubico usage. Centrify currently does not support the Yubico OTP or Challenge Response authentication mechanisms.

Preparing your Centrify tenant for Certificate based authentication

To prepare your Centrify tenant for Yubico certificate based authentication you first need to issue certificates to your users and assign / issue those certificates to the YubiKey using the Yubico PIV Manager. Please see the "Preparing your YubiKey for Certificate based authentication" chapter in this document. Once you have your YubiKey with the certificate, you need to upload to your Centrify tenant the CA cert chain that was used to sign the user certificates on the YubiKey.

1. Log on to your Centrify tenant using administrative credentials
2. Go to Settings
3. Click on Authentication
4. Click on Certificate Authorities
5. Click on Add
6. Enter the name for your CA cert chain
7. Click on Browse to upload the CA cert chain from your Certificate Authority
8. Select your CA cert and click Open
9. Once selected, click on Save
10. Once uploaded, your certificate will be listed
11. Make sure you enabled Use certificates for authentication in your MFA policy. For details on how to configure policies please review the Managing Policies Online Help
12. Go to Policies
13. Select the policy configured for MFA
14. Expand Login Policies and select Centrify Portal
15. Check that Use Certificate for Authentication is enabled (by default this is enabled)
16. You should now be able to log on using certificate based authentication with your YubiKey. Please review the next chapter, "Using your YubiKey for authentication", for details.

Preparing your Centrify tenant for OATH-HOTP

To prepare your Centrify tenant you need to configure your YubiKey for HOTP (not to be confused with TOTP, which is the default setting in the bulk upload template) and then upload the user-specific YubiKey settings to the Centrify tenant using the bulk upload template.

NOTE: HOTP OTP at machine logon to a Macintosh is currently not supported.

1. Log on to your Centrify tenant using administrative credentials
2. Go to Settings
3. Click on Authentication
4. Click on OATH Tokens
5. Click on Bulk Token Import
6. Within the Bulk Token Import dialog, click on the Bulk Authentication Token Import Template to download the .csv template you need to use to import users' token configuration settings

Preparing your YubiKey for OATH-HOTP authentication

7. Download the YubiKey Personalization Tools from the Yubico download site at https://www.yubico.com/support/download/ and install them on the system from which you will authenticate
8. Insert your YubiKey into your PC
9. Open the Yubico Personalization Tool

NOTE: If you use your YubiKey for the first time you might be prompted to enter a 6 or 8 digit PIN. Configure a 6 to 8 digit PIN to continue.

10. Click on OATH-HOTP
11. Select Advanced to continue to the OATH-HOTP configuration
12. Select a Configuration Slot
13. Uncheck the OATH Token Identifier. Leave all other values at their defaults
14. Click on Generate
15. With the YubiKey inserted, click on Write Configuration
16. Copy the Secret Key to your clipboard to paste it into the bulk upload template
17. Open the Bulk Authentication Token Import Template using either Excel or Notepad

NOTE: When using Excel to edit .csv files, make sure you save the file in .csv format or the import will fail. It is safer to use Notepad to edit the file, but the file is then more difficult to read.

18. Enter the User Principal Name (the username used for authentication)
19. Paste the Secret Key copied from step 15 above into the Secret Key field
20. Enter the Account Name (First Last Name)
21. Enter the Issuer (Company Name)
22. Change the Type to HOTP. DO NOT SKIP THIS STEP OR AUTHENTICATION WILL FAIL

NOTE: Save the file in .csv format. Leave all other values at their defaults.
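Why step 22 matters, as an added example (not Centrify or Yubico code): HOTP (RFC 4226) derives the code from an event counter, while TOTP (RFC 6238) derives it from the clock, so a token left at the template's TOTP default never matches what the YubiKey emits. The sketch also lints an import file before upload. The column headers are assumed to match the field names in steps 18 to 22, the secret is assumed to be hex as copied from the Personalization Tool, and the sample rows are constructed using the RFC 4226 test secret.

```python
import csv
import hashlib
import hmac
import io
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)

def parse_secret(text: str) -> bytes:
    """Hex secret, spaces allowed (assumed format of the copied Secret Key)."""
    return bytes.fromhex(text.replace(" ", ""))

# Assumed header names, taken from the field names the guide uses.
REQUIRED = ("User Principal Name", "Secret Key", "Account Name", "Issuer", "Type")

def lint_token_csv(text: str) -> list:
    """Return a list of problems found in a bulk token import file."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return ["header: missing column(s) " + ", ".join(missing)]
    problems = []
    for line_no, row in enumerate(reader, start=2):
        who = (row["User Principal Name"] or "").strip() or f"line {line_no}"
        token_type = (row["Type"] or "").strip()
        if token_type.upper() != "HOTP":
            problems.append(f"{who}: Type is {token_type!r}, must be HOTP")
        try:
            key = parse_secret(row["Secret Key"] or "")
        except ValueError:
            problems.append(f"{who}: Secret Key is not valid hex")
            continue
        if len(key) < 16:  # RFC 4226 requires at least 128 bits
            problems.append(f"{who}: Secret Key shorter than 128 bits")
    return problems

# Constructed sample data: the RFC 4226 test secret, never a real token seed.
RFC_SECRET = b"12345678901234567890"
SAMPLE_CSV = (
    "User Principal Name,Secret Key,Account Name,Issuer,Type\n"
    "alice@example.com,31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30,"
    "Alice Example,Example Corp,TOTP\n"
    "bob@example.com,3132333435363738393031323334353637383930,"
    "Bob Example,Example Corp,HOTP\n"
    "carol@example.com,3132333Z,Carol Example,Example Corp,HOTP\n"
)

if __name__ == "__main__":
    # What the key emits on its first three presses (counter 0, 1, 2).
    print("HOTP codes:", [hotp(RFC_SECRET, c) for c in range(3)])
    # What a server would expect if the same secret were imported as TOTP.
    print("TOTP at t=1111111109:", totp(RFC_SECRET, 1111111109))
    for problem in lint_token_csv(SAMPLE_CSV):
        print("import check:", problem)
```

Because the secret key is the token's seed, the import file is as sensitive as the tokens themselves and should be removed once the import report confirms success.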

Preparing your Centrify tenant for OATH-HOTP continued

1. Back in the Centrify tenant, under Settings > Authentication > OATH Tokens, click on Bulk Token Import
2. Select the bulk upload file you just created
3. Click on Next
4. At the confirmation screen click Next
5. Enter an email address for report delivery
6. Click Confirm
7. Once the import is complete the token will show in the OATH Token list. This process can take up to 5 minutes, and you will need to refresh your browser for the list to populate.
8. Make sure that you enabled OATH-OTP within your MFA policy. For details on how to configure policies please review the Managing Policies Online Help
9. Go to Policies
10. Select the policy enabled for MFA (for details on how to configure policies please review the Managing Policies Online Help)
11. Expand User Security Policies
12. Click on OATH OTP
13. Set Allow OATH OTP integration to Yes
14. Make sure you select OATH-OTP as one of the available mechanisms for your MFA Authentication Profiles
15. Go to Settings > Authentication > Authentication Profiles and select the Authentication Profile you want to use for MFA
16. Enable OATH OTP Client in the Authentication Profile

NOTE: You can enable more than one challenge if you would like to offer MFA options.

Preparing your Mac for Certificate based authentication at Machine logon

To authenticate using a YubiKey with a user authentication certificate at machine logon, your Mac must be joined, using the Centrify DirectControl Agent, to the Active Directory domain against which you are authenticating.

Installing the Centrify Direct Control Agent

1. Download the Centrify DirectControl agent from the Support Portal Download Center and install it onto the Mac system
2. Once installed, run the Centrify AD Check agent to verify the ability to join your Mac to Active Directory
3. Open the Centrify Join Assistant from
4. Complete the Centrify Join Assistant wizard to join your Mac to your Active Directory domain
5. Download and install the Macintosh version of the Yubico Authenticator for Desktop
6. Click on the Apple icon in the upper left-hand corner and select System Preferences
7. Click on Centrify
8. Click on the Smart Card Assistant
9. Make sure Smart Card Support is enabled. If Smart Card Support is disabled, click on the lock in the upper right-hand corner and click Enable
10. With your YubiKey inserted, click on Refresh. Your YubiKey should now be listed
11. Shut down or reboot your Mac with your YubiKey inserted in the USB slot
12. At the logon prompt you should be prompted to enter the PIN for your YubiKey
13. Enter your PIN and you are logged on to your Mac desktop with the user certificate from the YubiKey

Using your YubiKey for Certificate based authentication

Once you have your YubiKey and the Centrify tenant configured for certificate based authentication, plug your YubiKey into the USB port on the system from which you want to log on to the Centrify Portal.

1. In your browser go to your Centrify tenant
2. While the YubiKey with the certificate is plugged in, you will be prompted to use the certificate for authentication
3. Select the appropriate certificate and click OK
4. If your cookie has expired or this is the first time you are using your YubiKey, you will be prompted to enter the PIN for your YubiKey
5. Enter the PIN and click OK to sign in to your Centrify tenant

Using your YubiKey for OATH-OTP authentication

Once you have your YubiKey and the Centrify tenant configured for OATH-OTP, plug your YubiKey into the USB port on the system from which you want to log on to the Centrify Portal.

1. In your browser go to your Centrify tenant
2. Enter the username for which the YubiKey is configured and click on Next
3. Select YubiKey from the authentication dropdown (the name displayed here is what you entered in step 30 in chapter "Preparing your Centrify Tenant for OATH-OTP")
4. Select the Enter Verification Code field until you see a blinking cursor at the beginning of the field
5. With the Enter Verification Code field selected, press the green Y on your YubiKey and the verification code will be entered into the browser automatically

NOTE: If you selected Configuration Slot 2 in step 10 in chapter "Preparing your Centrify Tenant for OATH-OTP" you will need to hold the key for 2-3 seconds.

6. You are now automatically logged on to your Centrify Portal using OATH-OTP

Contact Centrify

Centrify strengthens enterprise security by managing and securing user identities from cyber threats. As organizations expand IT resources and teams beyond their premises, identity is becoming the new security perimeter. With our platform of integrated software and cloud-based services, Centrify uniquely secures and unifies identity for both privileged and end users across today's hybrid IT world of cloud, mobile and data center. The result is stronger security and compliance, improved business agility and enhanced user productivity through single sign-on. Over 5000 customers, including half of the Fortune 50 and over 80 federal agencies, leverage Centrify to secure identities. Learn more at www.centrify.com.

Santa Clara, California: +1 (669) 444-5200
EMEA: +44 (0) 1344 317950
Asia Pacific: +61 1300 795 789
Brazil: +55 11 3958 4876
Latin America: +1 305 900 5354
Email: sales@centrify.com
Web: www.centrify.com

Copyright 2005-2015 Centrify Corporation.