Using MFA for Server Suite

As a Server Suite customer, you can configure multi-factor authentication (MFA) on the Delinea Platform.

Requirements for Platform MFA for Server Suite

Before you begin, be sure the following prerequisites are met:

  • You must have the Delinea Platform tenant installed and configured. See Getting Started.

  • The Delinea Platform tenant must have the MFA for Server Suite feature enabled. Contact your Delinea customer support representative to request this feature.

  • You can also choose to have the Privilege Control for Servers (PCS) feature enabled as a companion feature. If you do not intend to use Privilege Control for Servers (PCS) on the platform tenant, we recommend that the PCS feature be disabled. Again, contact your Delinea customer support representative.

  • Your Server Suite agents must be version 6.0.1 or later. Agents can be downloaded from the download section in the Delinea Support portal.

Overview of Platform MFA for Server Suite

To configure the Delinea Platform and Server Suite to use MFA, you must perform some setup steps on both the platform and Server Suite.

On the Delinea Platform:

On Server Suite:

Configuring Identity Policies for Server Suite

This section describes how to configure identity policies and authentication profiles.

Configuring Identity Policies for Server Suite

To configure identity policies for users and enable IWA on the identity policy that applies to all users:

  1. Choose Access > Identity Policies.

  2. Either click Create New or edit the default policy.

    Note: The policy needs to apply to the agent machine accounts so they can use IWA.

  3. In the Authentication tab, in the Other Settings section, click Edit.

  4. Select Allow IWA connections.

  5. Click Save.

The Connector is deployed in the same domain as the Server Suite instance.

Adding Authentication Profiles

To verify that the Delinea Connector is deployed and create the required authentication profiles:

  1. Log in to the Delinea Platform tenant with an AD user to verify that the Delinea Connector is working.

    If successful, you can now configure two MFA authentication profiles: one for login and one for privilege elevation.

  2. In the left navigation, choose Settings. In the MFA and Security section, choose Authentication profiles.

  3. Click Add Authentication Profile and make the following settings to configure the profile that will be used for login:

    • Profile Name: Server-Suite-Login-MFA.

    • Description: The authentication profile that is used for Server Suite login MFA challenges.

    • In Challenge pass-through duration, select No pass-through if you want the MFA challenge to be presented every time.

    • In Authentication challenges, under Challenge 1, select all the available options for users that you want to use.

      Do not select the following challenges:

      • Do not select Password. The user has already entered the password to log in.

      • Do not select FIDO2. This is unsupported.

  4. Click Save.

  5. Click Add Authentication Profile and make the following settings to configure the profile that will be used for privilege elevation:

    • Profile Name: Server-Suite-Privilege-Elevation-MFA.

    • Description: The authentication profile is used for Server Suite privilege elevation MFA challenges.

    • In Challenge pass-through duration, select No pass-through if you want the MFA challenge to occur every time.

    • Under Authentication challenges, in Challenge 1, select Password.

    • In Challenge 2, select all the available options for users that you want to use.

      Do not select the following challenges:

      • Do not select Password. The user has already entered the password to log in.

      • Do not select FIDO2. This is unsupported.

  6. Click Save.

Configuring Authorization Policies for Server Suite MFA

The Delinea Platform provides two types of authorization policy specifically for use with Server Suite. When using the Delinea Platform with Server Suite, you can define only these two types of policies:

  • Server Suite MFA on Privilege Elevation

  • Server Suite MFA on Login

Create two new authorization policies using the Server Suite templates. First, create a Server Suite login MFA policy, then a privilege elevation MFA policy.

To create the login MFA policy:

  1. From the left navigation of the Delinea Platform tenant, choose Policies.

  2. Click Create policy.

  3. In Policy Type, select Server Suite MFA on Login.

  4. Click Select template and make the following settings:

    • Policy name: Server Suite Login MFA Policy.

    • Description: This policy is used for Server Suite users to be prompted for MFA at login.

    • In State, select Enabled.

  5. Click Add Subjects and select the AD users or groups that will be challenged for MFA.

  6. In Multi-Factor authentication, select Require MFA, and select the authentication profile you created earlier, Server-Suite-Login-MFA.

  7. Click Save.

To create the privilege elevation MFA policy:

  1. Click Create policy.

  2. In Policy Type, select Server Suite MFA on Privilege Elevation.

  3. Click Select template and make the following settings:

    • Policy name: Server Suite Privilege Elevation MFA Policy.

    • Description: This policy is used for Server Suite users to be prompted for MFA at Privilege Elevation.

    • In State, select Enabled.

  4. Click Add Subjects and select the AD users or groups that will be challenged for MFA.

  5. In Multi-Factor authentication, select Require MFA, and select the authentication profile you created earlier, Server-Suite-Privilege-Elevation-MFA.

  6. Click Create Policy.

Configuring IWA Certificate for the Connector

To configure the IWA certificate for the Delinea Connector, see Obtaining a Delinea Connector IWA Host Certificate.

Configuring the Zone

Configuring the zone allows you to link Server Suite with the Delinea Platform, enabling MFA capabilities for the chosen zone.

Before enabling MFA for any server, ensure you are logged in to the Delinea Platform and have set up the required MFA authentication mechanisms.

To configure MFA for a specific zone in Server Suite using the Delinea Platform:

  1. Log in to the Server Suite Access Manager.

  2. Right-click on the zone you want to configure for MFA.

  3. Click Properties.

  4. In the Platform tab, select Browse, then select the Delinea Platform tenant.

Assigning Users to an MFA Required Role

After configuring the zone for MFA, set up users in Server Suite's Access Manager to enable MFA at login with the Delinea Platform.

Adding MFA for Login

To set up users and enable MFA at login:

  1. If you are not already logged in, log in to the Server Suite Access Manager.

  2. Choose Zone > Computers.

  3. Select the computer in the zone that you previously set up in the Delinea Platform instance.

  4. Right-click Role Assignments.

  5. Select the default role Require MFA for Login.

  6. Select the users or group of users to apply the role to.

    Users must have access to the server for this to work.

Testing MFA for Login for Server Suite Agents

To test the MFA for login that you set up in the previous section, perform the following in Server Suite:

  1. Navigate to the server where you applied the Require MFA for Login role.

  2. Log in with an elevated user account.

  3. Flush the cache for Server Suite. Use the following to speed up the cache update:

    • Linux: adflush

    • Windows: dzflush

  4. (Linux only) Restart the Linux agent.

    service centrifydc restart

  5. Update the group policies on the server by running the following:

    • Linux: adgpupdate

    • Windows: gpupdate /force

  6. Open a new connection to the server.

  7. Log in with the user account that has the new role applied.

Configuring Server Suite Users to Use MFA Upon Platform Privilege Elevation

You can configure users in Access Manager to require MFA when privilege elevation occurs on the Delinea Platform. To enable this, create a command or elevated desktop and establish a role for testing MFA during elevation.

To enable MFA for privilege elevation with the Delinea Platform, perform the following in Server Suite:

  1. Navigate to the zone that you previously set up in the Delinea Platform instance.

  2. Choose Zone > Role Definitions.

  3. Click Create Role.

  4. Enter a name for your role.

The rest of this procedure depends on whether you are using Unix/Linux or Windows.

Linux

  1. Go to Unix Role Definitions.

  2. Right-click on Commands and select New Command. Fill out the fields as follows:

    • Name: View local logs

    • Command: cat /var/log/messages

      This command works on most Linux versions, but the path may vary on other platforms.

  3. In the Run As tab, keep the default settings to run as root using dzdo.

  4. In the Attributes tab, configure the following settings:

    • Select Re-authenticate current user.

    • Ensure that Use Password is not selected.

    • Select Require Multi-Factor Authentication.

Windows

  1. Go to Windows Right Definitions.

  2. Right-click Desktop and select New Windows Desktop. Make the following settings:

    • In the General tab, set Name to Local Administrator Desktop with MFA.

    • In the Run As tab, select Add Built-in Groups, then choose Administrators and click OK.

    • Select Re-authenticate Current User.

    • Remove the check mark from Current User Credentials.

    • Select Require Multi-factor Authentication.

  3. Click OK.

  4. Right-click the role that you created previously and select Add Right.

  5. Select the right Local Administrator Desktop with MFA.

  6. Click OK.

  7. Right-click the computer in the zone that you previously set up in the Platform instance for MFA login testing, and select Role Assignments.

  8. Find the role you created earlier and select it.

  9. Choose the users or group of users to apply the role to.

    Users must have access to the server for this to work.

Testing MFA for Privilege Elevation for Server Suite Agents

Testing MFA for privilege elevation confirms that the additional authentication step is actually enforced before a user reaches a privileged account on Server Suite Agents, on both Linux and Windows servers.

To test MFA for privilege elevation for Server Suite Agents, perform the following in Server Suite:

  1. Navigate to the server where you applied the role you created earlier.

  2. Flush the cache for Server Suite. To speed up the cache update, run the following:

    • Linux: adflush

    • Windows: dzflush

  3. (Linux only) Restart the Linux agent.

    service centrifydc restart

  4. Update the group policies on the server by running the following:

    • Linux: adgpupdate

    • Windows: gpupdate /force

  5. Open another connection to Server Suite.

  6. Log in with the user account to which you applied the new role.

  7. Test privilege elevation:

    • In Linux, run:

      dzdo cat /var/log/messages

    • In Windows:

      1. Navigate to the taskbar.

      2. Right-click the Delinea Agent taskbar icon and select New Desktop.

      3. Choose Local Administrator Desktop with MFA.

  8. Enter the required information for the MFA challenges when prompted.