Introduction:Starting with the 21.2 Centrify Cloud Suite release, Centrify Client now supports the ability to do an offline login. By definition, offline login is an availability control used when the system cannot communicate to the realm that the system has joined ("enrolled" in Centrify terminology). This may be due to service unavailability, connectivity issues, etc. The result is that the end-user is unable to access the system.
This offline login feature is available for both Windows and Linux for cclient, but for purpose of this article, we will just be focusing on the offline login using cclient on Windows.
To setup the offline passcode for Linux for cclient see the following techblog:
[HOWTO] setup Centrify Cclient for linux to be able to use Offline Passcode for loginRequirements:1. The tenant version needs to be at version 21.2 or higher.
2. Centrify Client for Windows (CentrifyCC) version needs to be at version 21.2 or higher
Steps to setup offline login:1. Download and Install the Centrify Client for Windows on the Windows system.
a. Download the
Centrify Client for Windows from the
Downloads section in the tenant under
Centrify Clients for Windows. As noted above the tenant version will need to be version 21.2 or higher.
b. Browse to the location where the package (
cagentinstaller.msi) was downloaded and double-click on it to install the CentrifyCC client.
I. On the Installation Welcome Page, click
Next.
II. The enrollment can be done during the installation via the below form or after the installation via the command line. If you would prefer to
use the command line to do the cenroll, you can click
Next without filling in any of the fields. If enrolling during the installation, provide the necessary information in the fields below and then click
Next.
III. Click on the
Install button to continue the installation.
IV. Once the Install finishes successfully, click the
Finish button.
2. Verify the version of the cclient is at least version 21.2 or higher. Open up a command prompt and run the
cinfo -v command.
3. If the machine was not enrolled to the tenant during the GUI cagent installation, enroll the machine to the tenant using the
cenroll command in a cmd prompt run as Administrator.
For more information on the cenroll command and the different options that can be used please see the Centrify documentation:
https://docs.centrify.com/Content/Infrastructure/enroll/svr-mgr-computer-cenroll.htmhttps://docs.centrify.com/Content/Infrastructure/clients/cclient-commands.htm#cenroll4. Run the
cinfo command to verify the machine is enrolled.
5. In the tenant, browse to that newly enrolled system under
Resources -> Systems
6. Go to the
Permissions section and click on the
Add button.
7. Search for a user, group, or role that you want to be able to access the system. Select that user, group, or role, and then click the
Add button.
8. Give the user, group, or role
Agent Auth and
Offline Rescue rights by checking the checkboxes for those rights. Verify the user, group, or role also has the
View right. Click the
Save button.
Note: You must have the Offline Rescue permission assigned to a user, role, or group on a system in order to retrieve the offline passcode.
9. Go back to the Windows system where the Centrify Client for Windows is installed. Attempt a login with the user to verify the login works while the system is in a connected state.
10. Enter the password and click the
Arrow Sign (->) to log into the system successfully.
Test the offline login:In this instance, the network cable was unplugged from the Windows system to simulate the machine no longer being connected to the network to be able to test the offline passcode.
For Centrify Client for Windows, you can get the offline passcode either from the
Admin Portal or from the
Centrify mobile application.
Tenant Admin Portal offline passcode:1. In order to see the offline passcode in the Admin Portal, users will need to be able to login to the Admin Portal with enough rights to be able to see the
Resources -> Systems section and have the
View permission for the machine set up with the offline passcode as mentioned above. The
Privileged Access Service User administrative right assigned to a role that the user is a member of should be sufficient.
a. In this environment, the user has been assigned to a role named
Privilege Access Service User.
b. In the Administrative Rights section of that role, the
Privileged Access Service User right has been assigned.
2. Enter the username on the system's login screen. Click the
Arrow Sign (->) to continue.
3. Enter the password in the password prompt. Click the
Arrow Sign (->) to continue.
4. The system will prompt for the OTP (one-time passcode).
5. Log in to the Admin Portal with the same user account, navigate to
Resources -> Systems and check the box next to the system name.
6. From the
Actions dropdown menu, click
Show Offline Passcode.
7. A screen displays the offline passcode.
8. Enter the offline passcode in the OTP screen on the system and click the
Arrow Sign (->) to gain access to the system.
Mobile Offline passcode:1. Enter the username on the system's login screen. Click the
Arrow Sign (->) to continue.
2. Enter the password in the password prompt. Click the
Arrow Sign (->) to continue.
3. The system will prompt for the OTP (one-time passcode).
4. In the Centrify mobile app, navigate and open the enrolled system.
5. In the screen for the system, click
Offline Passcode. The passcode will be displayed below.
6. Enter the offline passcode in the OTP screen on the system and click the
Arrow Sign (->) to gain access to the system.
For more information on the offline login for Centrify Clients, please see the Centrify documentation:
https://docs.centrify.com/Content/Infrastructure/clients/cclient-offline-passcode.htm
[HOWTO] setup Centrify Cclient for linux to be able to use Offline Passcode for login