Starting with the 21.2 Centrify Cloud Suite release, Centrify Client supports offline login. Offline login is an availability control used when the system cannot communicate with the realm it has joined ("enrolled" in Centrify terminology), whether because of service unavailability, connectivity issues, or similar causes. Without it, the end user is unable to access the system while it is disconnected.
This offline login feature is available in cclient for both Windows and Linux, but this article focuses on offline login using cclient on Linux.

Requirements:
1. The tenant version needs to be 21.2 or higher.
2. The Centrify Client for Linux (CentrifyCC) version needs to be 21.2 or higher.

Steps to set up offline login:
1. Download and install the Centrify Client for Linux on the Linux system. There are a couple of ways this can be done.
a. Download the Centrify Client for Linux from the Downloads section in the tenant under Centrify Clients for Linux. As noted above, the tenant version will need to be 21.2 or higher. Use the native package manager to install the CentrifyCC client. For example, on a CentOS or RHEL based system, an rpm command similar to the one below could be used:
rpm -Uvh CentrifyCC-<OS>.<arch>.rpm
b. Configure the Centrify yum repo and use the command "yum install CentrifyCC" to install the CentrifyCC client. For more information on using the yum repo from Centrify, please see the documentation:
https://docs.centrify.com/Content/Infrastructure/clients/client-yum-apt.htm
2. Once the client is installed, verify the version is at least 21.2 by running the command cinfo -v
3. Enroll the machine in the tenant using the cenroll command. For more information on the cenroll command and the different options that can be used, please see the Centrify documentation:
https://docs.centrify.com/Content/Infrastructure/enroll/svr-mgr-computer-cenroll.htm
4. Run the cinfo command to verify the machine is enrolled.
5. In the tenant, browse to the newly enrolled system under Resources -> Systems.
6. Go to the Permissions section and click the Add button.
7. Search for the user, group, or role that you want to be able to access the system, select it, and then click the Add button.
8. Give the user, group, or role the Agent Auth and Offline Rescue rights by checking the checkboxes for those rights. Verify the user, group, or role also has the View right. Click the Save button.
Note: You must have the Offline Rescue permission set on a system in order to retrieve the offline passcode.
9. Go back to the Linux system where the Centrify Client for Linux was installed. Attempt a login with the user to verify the login works while the system is in a connected state.
10. Enter the password and click Sign In to successfully access the system.

Test the offline login:
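As an added preflight check for steps 1 through 4 (an example script written for this article, not a Centrify tool), the following confirms that cinfo is installed, that the reported version meets the 21.2 requirement, and that the machine is enrolled. It assumes that cinfo -v prints a dotted version number and that cinfo exits non-zero while the machine is not enrolled; confirm both against your build.

```shell
#!/bin/sh
# Preflight for the setup steps above (added example, not a Centrify tool).
# Assumed: `cinfo -v` prints a dotted version such as 21.2.x, and `cinfo`
# exits non-zero while the machine is not enrolled. Check against your build.

MIN_VERSION="21.2"

# version_at_least INSTALLED MINIMUM: succeeds when INSTALLED >= MINIMUM,
# comparing each dotted component numerically (so 21.10 > 21.2).
version_at_least() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        a=${a#*.}; b=${b#*.}
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# extract_version TEXT: prints the first dotted number found in TEXT.
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# check_client: prints a status line per check; succeeds only when all pass.
check_client() {
    if ! command -v cinfo >/dev/null 2>&1; then
        echo "cinfo not found: install the CentrifyCC package (step 1)"
        return 1
    fi
    ver=$(extract_version "$(cinfo -v 2>/dev/null)")
    if [ -z "$ver" ] || ! version_at_least "$ver" "$MIN_VERSION"; then
        echo "client version '${ver:-unknown}' is below $MIN_VERSION (step 2)"
        return 1
    fi
    echo "client version $ver meets the $MIN_VERSION minimum"
    if cinfo >/dev/null 2>&1; then
        echo "machine is enrolled (step 4)"
        return 0
    fi
    echo "machine is not enrolled: run cenroll (step 3)"
    return 1
}
```

Run check_client on the Linux system after installing the package; a non-zero exit tells you which step still needs attention.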
In this instance, the network cable was unplugged from the Linux system to simulate the machine no longer being connected to the network, so that the offline passcode could be tested. For Centrify Client for Linux, the offline passcode from the Admin Portal is the only available option right now. Linux support for mobile offline passcodes will be in an upcoming release.
1. In order to see the offline passcode, the user will need to be able to log in to the tenant with enough rights to see the Resources -> Systems section of the tenant and have the View permission for the machine set up with the offline passcode as mentioned above. The Privilege Access Service User right assigned to a role that the user is a member of should be sufficient.
a. In this environment, the user has been assigned to the Privilege Access Service User Role.
b. In the Administrative Rights section of that role, the Privilege Access Service User Right has been assigned.
2. Log in to an offline system with a passcode from the Admin Portal. Enter the username on the system's login screen. Click Next.
3. Enter the password in the password prompt. Click Sign In.
4. The system will prompt for the OTP (one-time passcode).
5. Log in to the Admin Portal with the same user account, navigate to Resources -> Systems, and check the box next to the system name.
6. From the Actions dropdown menu, click Show Offline Passcode.
7. A screen displays the offline passcode.
8. Enter the offline passcode in the OTP prompt on the system and click Sign In to gain access to the system.
For more information on the offline login for Centrify Clients, please see the Centrify documentation:
https://docs.centrify.com/Content/Infrastructure/clients/cclient-offline-passcode.htm