
[HowTo] Set up Centrify Cclient for Windows to be able to use offline login

Privileged Access Service

23 November,21 at 11:21 PM

Introduction:

Starting with the 21.2 Centrify Cloud Suite release, Centrify Client supports offline login. By definition, offline login is an availability control used when the system cannot communicate with the realm that the system has joined ("enrolled" in Centrify terminology). This may be due to service unavailability, connectivity issues, etc. Without offline login, the result is that the end user is unable to access the system.

The offline login feature is available for cclient on both Windows and Linux, but for the purposes of this article we will focus only on offline login using cclient on Windows.

To set up the offline passcode for cclient on Linux, see the following techblog:  [HOWTO] setup Centrify Cclient for linux to be able to use Offline Passcode for login


Requirements:

1. The tenant version needs to be at version 21.2 or higher. 
2. Centrify Client for Windows (CentrifyCC) version needs to be at version 21.2 or higher
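
The following PowerShell is an added example, not Centrify's own code: it runs the cinfo -v command (used in step 2 of the procedure below) and compares the reported client version with the 21.2 minimum. It assumes cinfo is on the PATH and that its output contains a dotted version number; the function and variable names are illustrative.

```powershell
# Added example: pre-flight check for the offline login client requirement.
# Assumptions: cinfo is on PATH, and `cinfo -v` prints a dotted version number
# somewhere in its output (the exact output format is not shown on this page).
$MinimumVersion = [version]'21.2'

function Get-CClientVersion {
    # Returns a [version], or $null when the client is not installed or the
    # output contains no recognisable version number.
    if (-not (Get-Command cinfo -ErrorAction SilentlyContinue)) { return $null }
    $output = (& cinfo -v 2>&1 | Out-String)
    if ($output -match '(\d+\.\d+(?:\.\d+){0,2})') {
        return [version]$Matches[1]
    }
    return $null
}

function Test-OfflineLoginClientRequirement {
    # Reports whether the installed client meets the 21.2 minimum.
    $found = Get-CClientVersion
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ClientVersion  = $found
        MinimumVersion = $MinimumVersion
        MeetsMinimum   = ($null -ne $found) -and ($found -ge $MinimumVersion)
    }
}

$result = Test-OfflineLoginClientRequirement
$result | Format-List
if (-not $result.MeetsMinimum) {
    Write-Warning "Centrify Client is missing or older than $MinimumVersion; offline login is not supported on this machine."
}
```

The tenant version (requirement 1) is not visible to this check and still has to be confirmed in the tenant.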


Steps to set up offline login:

1. Download and Install the Centrify Client for Windows on the Windows system.  
 
a. Download the Centrify Client for Windows from the Downloads section in the tenant under Centrify Clients for Windows. As noted above the tenant version will need to be version 21.2 or higher.

[Screenshot: Downloads section in the tenant]


b. Browse to the location where the package (cagentinstaller.msi) was downloaded and double-click on it to install the CentrifyCC client.  

[Screenshot: Downloads folder on the Windows machine showing the cagentinstaller.msi file]

 
I. On the Installation Welcome Page, click Next.


II. The enrollment can be done during the installation via the below form or after the installation via the command line.  If you would prefer to use the command line to do the cenroll, you can click Next without filling in any of the fields. If enrolling during the installation, provide the necessary information in the fields below and then click Next.


III. Click on the Install button to continue the installation.


IV. Once the Install finishes successfully, click the Finish button.


2. Verify that the cclient version is 21.2 or higher. Open a command prompt and run the cinfo -v command.

[Screenshot: Command prompt showing the output of the cinfo -v command]


3. If the machine was not enrolled to the tenant during the GUI cagent installation, enroll the machine to the tenant using the cenroll command in a cmd prompt run as Administrator.

For more information on the cenroll command and the different options that can be used, please see the Centrify documentation:
https://docs.centrify.com/Content/Infrastructure/enroll/svr-mgr-computer-cenroll.htm
https://docs.centrify.com/Content/Infrastructure/clients/cclient-commands.htm#cenroll


4. Run the cinfo command to verify the machine is enrolled.

[Screenshot: Command prompt showing the cinfo command output after the system was enrolled with cenroll]


5. In the tenant, browse to that newly enrolled system under Resources -> Systems

[Screenshot: Location of the system in the tenant]


6. Go to the Permissions section and click on the Add button. 

[Screenshot: Permissions section of the system in the tenant]


7. Search for a user, group, or role that you want to be able to access the system. Select that user, group, or role, and then click the Add button.

[Screenshot: Searching for a user to add to the permissions]


8. Give the user, group, or role Agent Auth and Offline Rescue rights by checking the checkboxes for those rights. Verify the user, group, or role also has the View right. Click the Save button.
Note: You must have the Offline Rescue permission assigned to a user, role, or group on a system in order to retrieve the offline passcode.

[Screenshot: Permissions section of the system showing the View, Agent Auth and Offline Rescue rights checked for the newly added user]



9. Go back to the Windows system where the Centrify Client for Windows is installed. Attempt a login with the user to verify the login works while the system is in a connected state.


10. Enter the password and click the Arrow Sign (->) to log into the system successfully.



Test the offline login:

In this instance, the network cable was unplugged from the Windows system to simulate the machine losing its network connection, so that the offline passcode could be tested.
For Centrify Client for Windows, you can get the offline passcode either from the Admin Portal or from the Centrify mobile application.


Tenant Admin Portal offline passcode:

1. To see the offline passcode in the Admin Portal, users need to be able to log in to the Admin Portal with enough rights to see the Resources -> Systems section, and need the View permission for the machine set up with the offline passcode as mentioned above. The Privileged Access Service User administrative right assigned to a role that the user is a member of should be sufficient.
 
a. In this environment, the user has been assigned to a role named Privilege Access Service User.

b. In the Administrative Rights section of that role, the Privileged Access Service User right has been assigned.


2. Enter the username on the system's login screen. Click the Arrow Sign (->) to continue.


3. Enter the password in the password prompt. Click the Arrow Sign (->) to continue.


4. The system will prompt for the OTP (one-time passcode).


5. Log in to the Admin Portal with the same user account, navigate to Resources -> Systems and check the box next to the system name. 


6. From the Actions dropdown menu, click Show Offline Passcode.

7. A screen displays the offline passcode.


8. Enter the offline passcode in the OTP screen on the system and click the Arrow Sign (->) to gain access to the system.



Mobile Offline passcode:

1. Enter the username on the system's login screen. Click the Arrow Sign (->) to continue.


2. Enter the password in the password prompt. Click the Arrow Sign (->) to continue.


3. The system will prompt for the OTP (one-time passcode).


4. In the Centrify mobile app, navigate and open the enrolled system.


5. In the screen for the system, click Offline Passcode.  The passcode will be displayed below.


6. Enter the offline passcode in the OTP screen on the system and click the Arrow Sign (->) to gain access to the system.



For more information on the offline login for Centrify Clients, please see the Centrify documentation:
https://docs.centrify.com/Content/Infrastructure/clients/cclient-offline-passcode.htm