QUICK START GUIDE
Using Centrify Express on Amazon EC2
March 2011
This quick start guide shows how to use Centrify DirectControl Express within the
Amazon Elastic Compute Cloud (EC2) infrastructure to join hosted Linux systems into
Active Directory to centrally manage user authentication. Centralizing user accounts in
Active Directory simplifies both user access and administration of your cloud
infrastructure by leveraging a common set of user accounts and a single place to
administer user accounts. Centrify has pre-configured several Amazon Machine Images
(AMI) on popular Linux distributions with DirectControl Express to make it easier to get
started. This guide shows how to launch these Centrify-provided Linux images and join
them to Active Directory.
Contents
Introduction
  Centrify Express
  Centrify Express AMI for Amazon EC2
  Centrify DirectManage Express
Setting up the Required Environment
  Amazon Web Services Account
  Active Directory Domain Services
  Setup Users and Groups within Active Directory
  Preparing the Environment for Express AMI Instance Auto-Join
Launching Centrify provided Amazon Machine Images (AMI)
  Login to the AWS Management Console
  Launch an Instance of Centrify Express AMI
Accessing the New AMI Instances
  AD User Login via SSH
  AD User Single Sign-on using PuTTY
  Privileged Command Execution using sudo
Using DirectManage Express to Access and Manage Centrify Express Instances
  Adding EC2 Instances
  Accessing and Managing EC2 Instances
Benefits of Upgrading to Centrify Suite Standard, Enterprise or Platinum Editions
Frequently Asked Questions
How to Contact Centrify
© 2011 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.
Introduction
One of the primary benefits of cloud servers is the very short time between deciding
to add a server and having it in production. Infrastructure as a Service providers such
as Amazon let customers clone an existing Linux or Windows machine image with a few
pre-defined settings; as soon as the clone is launched, the new cloud server instance is
available for use. The customer must then log in with the pre-configured account and
create additional user accounts as needed. This Quick Start Guide shows how to use
Active Directory both to manage the existing pre-defined accounts on these cloud
servers and to control user accounts, access and privileges dynamically through
centralized management within Active Directory.
Centrify Express
Centrify Express is a free version of the same Active Directory integration technology
that 3000+ enterprise customers currently have in production on hundreds of thousands of
servers. Centrify Express consists of:

- Centrify DirectControl Express: an authentication agent that enables Active
  Directory-based user account administration and password management, as well as
  single sign-on, for UNIX, Linux and Mac systems.

- Centrify DirectManage Express: a central management console to discover
  non-Windows systems, install DirectControl Express and join them to Active
  Directory. Once the systems are joined, the console provides an interface to manage
  script execution and to establish single sign-on enabled remote sessions.

- Centrify-enabled Open Source Tools: builds of OpenSSH (remote terminal access) and
  Samba (remote file system access) that are tightly integrated with Active Directory.

- Centrify Express for Cloud Servers: preconfigured Amazon Machine Images with
  Centrify Express pre-loaded, plus configuration scripts and guidance on integrating
  cloud servers with Active Directory.

- Splunk for Centrify: additional reports and dashboards on top of the Splunk
  platform.
Centrify Express provides the necessary Active Directory integration to enable
centralized control of user accounts, access controls and privilege authorizations. This
document will show how to use Centrify Express and Active Directory to control
Amazon AMI instances.
Centrify Express AMI for Amazon EC2
Centrify has created several Amazon Machine Images (AMI) with Centrify DirectControl
Express pre-installed on a few Linux distributions for use on Amazon EC2. These
Centrify Express AMIs will make it easier to get started using Centrify Express to
centrally manage authentication and access controls through Active Directory integration.
These Centrify AMIs are provided at no charge to Amazon EC2 users; however, standard
Amazon virtual machine charges will apply.
The Centrify Express AMIs have been built for the following operating systems:

- Amazon Linux 1.0, 64-bit
- Ubuntu 10.04, 64-bit
- Fedora 13, 64-bit
Centrify has taken these base distributions as published by the operating system vendor
and made a few changes, described below.

- The root account has been locked down. Specifically, the password is randomized at
  first boot, and root is not allowed to log in via SSH. Any access therefore requires
  login as a normal user followed by sudo to run specific commands with privilege,
  which leaves a richer audit trail in syslog.

- The local root account is configured to require the Active Directory password of the
  “ec2.root” account whenever someone becomes “root” (for example with su). This
  ensures that your Active Directory infrastructure controls access to root on the
  newly created AMI instance once it has been joined to Active Directory.

- A local account named “centrify” should be used for local login where needed.
  - This account has an initial password of “pass@123”, intended only for local
    configuration before the instance joins Active Directory. Because that password is
    published in this guide, do not expose the instance's SSH port to the internet
    before the join completes, and change the password on any instance that is not
    going to be joined.
  - After the system is joined to Active Directory, the password of an account named
    “ec2.centrify” in your own Active Directory is required to log in to this account,
    so Active Directory controls that login as well.
  - The “centrify” account also has sudo permission to run anything as root, which
    eliminates the need to use the root account.

- These Amazon Images are configured to join your Active Directory domain automatically
  at boot, enabling centralized authentication and access control through your Active
  Directory domain management tools. The Centrify agent joins the next available
  computer account in a pool of accounts pre-created in your Active Directory. When an
  instance terminates, it leaves Active Directory, freeing the computer account for the
  next instance to be launched.

- Existing Active Directory users can be granted login rights simply by making them
  members of the Active Directory group named “ec2.access”, so you centrally control
  which of your users may log in to the new AMI instances. Create this group and add
  your users to it; they can then log in with their Active Directory user ID and
  password.

- Root privileges can also be granted centrally. Users who are members of the Active
  Directory group “ec2.admins” are allowed to execute privileged commands via sudo once
  logged in to a Centrify Express AMI instance.
Centrify Express simplifies the management of user authentication so that you can
centrally manage all user accounts from Active Directory. As you bring new instances
online and join each one to Active Directory, your users will be able to login using their
Active Directory user IDs and passwords.
Centrify DirectManage Express
DirectManage Express provides an interface that makes it easier to manage your cloud
server instances. It calls the EC2 APIs to perform initial discovery and to refresh the
list of currently running instances within Amazon EC2. Once the EC2 instances have been
added to this management tool, you can more easily perform remote administrative tasks,
such as initiating a PuTTY or WinSCP session from a right-click task menu, or more
advanced operations such as running custom scripts across one or more systems.
Setting up the Required Environment
Amazon Web Services Account
You will need an AWS account so that you can log in to the AWS Management Console for
EC2 and launch the Centrify Express AMIs. Browse to http://aws.amazon.com/ and click
the “Sign Up Now” button to create your own AWS account. You will also need your
Amazon-assigned Access Key and the corresponding Secret Key; DirectManage Express uses
them to discover your running instances.
Active Directory Domain Services
Many organizations already have their own Active Directory running inside the
enterprise, and there are several ways to configure an existing Active Directory to
manage systems in the DMZ or on public networks such as the Amazon Web Services cloud.
This Quick Start Guide keeps things simple and uses an isolated Active Directory domain
that is set up outside the firewall and completely independent of any internal Active
Directory. All that is needed is the common authentication infrastructure AD provides
to centralize account administration across the AMI instances you create in the cloud.
If you later want to use the user accounts you already have inside the firewall, you
can configure a one-way trust with the existing Active Directory domains.
For additional reading on how to use your existing Active Directory user accounts for
login to these hosted servers, Microsoft has documented other configuration options:
Active Directory Domain Services in the Perimeter Network (Windows Server 2008)
(http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=c1d0fd00-bf31-4b20-95c6-279a4ce7c2b4#tm)
You will also want a DNS Server running on your Domain Controller, configured to require
authentication for any DNS updates. This DNS Server is used later: after joining, each
AMI instance registers its public IP address under the hostname of the computer account
it joined.
The remainder of this document assumes a working, hardened Active Directory Domain
Controller (either in your DMZ or on a Windows Server in EC2) that is reachable by the
instances you will launch in AWS. “Reachable” should not mean open to the whole
internet: restrict inbound access to the source addresses of your instances and
administrative workstations, and to the ports the Centrify agent documents as required
(DNS, Kerberos and LDAP among them).
Setup Users and Groups within Active Directory
In order to control the initial login user as well as root on the Centrify Express AMIs,
you will need to create the AD accounts that Centrify Express uses to enforce AD-based
password authentication for both the “centrify” and “root” accounts.
Create both an “ec2.centrify” and “ec2.root” user account within Active Directory and set
their passwords. You don’t need to do anything else to these accounts within Active
Directory. If you want to disable the ability to su to “root”, then simply disable the AD
account for “ec2.root”.
In order to grant Active Directory users the rights to login to any Express AMIs that you
launch, you will need to add these users to an Active Directory group called ec2.access.
Create an Active Directory Global Security Group called “ec2.access” and add your
authorized users to this group.
Additionally, you may have some users whose responsibilities require root privileges and
you can also centrally control which users are granted sudo permissions to run commands
as root. You simply need to create an Active Directory Global Security Group called
“ec2.admins” and add the Active Directory user accounts for your administrators to this
group. Anyone who is a member of this group can use the sudo command to run any
command with root privileges after validating their Active Directory password.
Preparing the Environment for Express AMI Instance Auto-Join
There are several ways to set up the AMI instances to join Active Directory on first
boot; each has advantages and security tradeoffs.
Possible auto-join approaches:

- The user ID and password of an account authorized to join systems to Active Directory
  could be handed to the instance at launch. There is no easy way to keep such a
  password private, however: launch-time data such as User Data is readable, without
  authentication, by any process on the instance for its whole lifetime, and by anyone
  permitted to describe the instance through the EC2 API.

- A Kerberos credential (a keytab or a ticket cache) for an account authorized to join
  systems to Active Directory could be provided at launch instead. DirectControl 4.4.3
  supports a Kerberos-authenticated join to Active Directory, which is useful for
  automation within the enterprise. Again, though, there is no easy way to keep that
  credential private during the launch of an EC2 instance.

- Another option is to configure the AMI instances to perform a self-service join into
  a pool of pre-created computer accounts. In this model no join credential needs to be
  given to the new instance: it tries the existing computer accounts in the pool, in
  sequence, until one accepts the join. This has the added benefit that on a successful
  join you know the computer hostname.
Active Directory Computer Account Pool
Centrify Express AMIs are configured to auto-join using the self-service join process at
boot or reboot in order to join the next available computer account in the Active
Directory pool of computer accounts setup for these EC2 Instances.
Pre-create a pool of computer accounts in Active Directory using a common hostname
prefix followed by a number from 1 to 100. You will provide the hostname prefix to each
instance at launch through the User Data field in the AWS EC2 Console.

- Precreate Computer Accounts: right-click the Computers container and select New,
  then Computer. Provide the name of the computer, such as ec2host1, and click OK.

- Set the Permissions for Self Join: select the new computer account, open its
  Properties and choose the Security tab. Select SELF in the upper list, then in the
  Permissions list scroll down, grant the Reset password right and click Apply. This
  allows an instance, authenticating as the computer account itself, to reset that
  account's password when it joins and again when it leaves the domain at EC2
  termination, without holding any other AD credential. Avoid granting the computer
  account any rights beyond what the join needs.
Locating Domain Controllers
In order for the new EC2 Instances to find your Active Directory Domain Controller, you
will need to provide both a valid resolv.conf and krb5.conf file. The resolv.conf file will
need to contain the IP Address of your Domain Controller as well as the domain identity
and search domain.
The resolv.conf file should contain the following entries for your domain:
search cloud.company.com
domain cloud.company.com
nameserver 192.168.1.2
The krb5.conf file should contain the appropriate entries for your AD. The encryption
type lists below include RC4 and single DES for compatibility with older domain
controllers; where all of your domain controllers support AES (Windows Server 2008 and
later), remove the des-cbc-md5 and des-cbc-crc entries, as single DES offers no
meaningful protection.
[libdefaults]
default_realm = CLOUD.COMPANY.COM
default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
passwd_check_s_address = false
udp_preference_limit = 1
ccache_type = 3
kdc_timesync = 0
[domain_realm]
.cloud.company.com = CLOUD.COMPANY.COM
cloud.company.com = CLOUD.COMPANY.COM
server.cloud.company.com = CLOUD.COMPANY.COM
[realms]
CLOUD.COMPANY.COM = {
kdc = server.cloud.company.com:88
master_kdc = server.cloud.company.com:88
kpasswd = server.cloud.company.com:464
kpasswd_server = server.cloud.company.com:464
}
There are several ways to deliver these files to the EC2 instance at boot; an easy one
is to create an S3 bucket to store them so the boot script can retrieve them. Create an
S3 bucket, upload the two files created above and set the permissions so that everyone
can read them, because the images have no embedded credential with which to access the
bucket. Two points follow from that: keep the bucket's write permission restricted to
your own account, since anyone who can replace krb5.conf can point every new instance
at a KDC of their choosing, and never place anything secret in this bucket.
NOTE: S3 bucket names are visible across customers and must be globally unique, so
choose a name that will not collide with anyone else's.
Providing this information to new instances
To pass this information to a new EC2 instance at launch, enter User Data in the AWS EC2
Console specifying the domain to join, the S3 bucket to retrieve the config files from,
and the hostname prefix to use when joining AD. Enter the data exactly as shown below,
with no trailing characters after the final “|”:
DOMAIN=cloud.company.com|S3BUCKET=companyautojoin|HOSTNAME_PREFIX=ec2host|
With the environment set up, all that is left is to launch the EC2 instance. It will
join AD and update its IP address in DNS, after which you can log in with your AD user
account.
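As an added example (this is not the boot script shipped on the Centrify Express AMIs), the POSIX shell script below shows what such a boot script has to do with the pieces set up in this section: parse and validate the three User Data fields, pull the two config files from the world-readable bucket, and walk the pre-created computer-account pool from ec2host1 upward until one account accepts the self-service join. The metadata URL is EC2's real one; the path-style S3 URL and the adjoin --selfserve/--name spelling are assumptions to confirm against your region and your adjoin(1) manual, and the join function is passed in by name so the pool logic can be exercised without a domain.

```shell
#!/bin/sh
# Added example, not the Centrify Express AMI boot script: parse the EC2 User
# Data string, validate it, fetch resolv.conf/krb5.conf from S3 and join the
# first free computer account in the pre-created pool.

# Parse "DOMAIN=...|S3BUCKET=...|HOSTNAME_PREFIX=...|" into three variables.
# Only the documented keys are accepted and each value is restricted to the
# characters it can legitimately contain, so a crafted User Data string can
# never reach a shell or the join command as anything but a plain name.
parse_user_data() {
    DOMAIN=; S3BUCKET=; HOSTNAME_PREFIX=
    _old_ifs=$IFS
    IFS='|'
    set -f                       # no filename globbing while splitting
    set -- $1                    # split the string on '|' into $1..$n
    set +f
    IFS=$_old_ifs
    for _pair in "$@"; do
        [ -n "$_pair" ] || continue          # tolerates the trailing '|'
        case $_pair in
            DOMAIN=*)          DOMAIN=${_pair#DOMAIN=} ;;
            S3BUCKET=*)        S3BUCKET=${_pair#S3BUCKET=} ;;
            HOSTNAME_PREFIX=*) HOSTNAME_PREFIX=${_pair#HOSTNAME_PREFIX=} ;;
            *) echo "user data: unexpected field '$_pair'" >&2; return 1 ;;
        esac
    done
    case $DOMAIN in
        ''|*[!A-Za-z0-9.-]*) echo "user data: bad DOMAIN" >&2; return 1 ;;
    esac
    case $S3BUCKET in
        ''|*[!a-z0-9.-]*) echo "user data: bad S3BUCKET" >&2; return 1 ;;
    esac
    case $HOSTNAME_PREFIX in
        ''|*[!a-z0-9-]*) echo "user data: bad HOSTNAME_PREFIX" >&2; return 1 ;;
    esac
    # An AD computer name is at most 15 characters; leave room for "100".
    if [ ${#HOSTNAME_PREFIX} -gt 12 ]; then
        echo "user data: HOSTNAME_PREFIX longer than 12 characters" >&2
        return 1
    fi
    return 0
}

# Fetch resolv.conf and krb5.conf from the world-readable bucket. The
# path-style S3 URL is an assumption; adjust it for your region. Use HTTPS:
# the files hold no secrets, but a tampered krb5.conf would point the
# instance at an attacker's KDC.
fetch_config() {
    for _f in resolv.conf krb5.conf; do
        curl -fsS "https://s3.amazonaws.com/$S3BUCKET/$_f" -o "/etc/$_f" || return 1
    done
}

# Try <prefix>1 .. <prefix><count> in order. $3 names a function that takes
# one candidate computer name and returns 0 when the join succeeded. Prints
# the name that joined, so the caller knows the instance's AD hostname.
join_pool() {
    _prefix=$1; _count=$2; _join_fn=$3
    _i=1
    while [ "$_i" -le "$_count" ]; do
        _name="$_prefix$_i"
        if "$_join_fn" "$_name"; then
            echo "$_name"
            return 0
        fi
        _i=$((_i + 1))
    done
    echo "join: no free account in ${_prefix}1..${_prefix}$_count" >&2
    return 1
}

# Real join for a Centrify Express instance. The --selfserve and --name
# options are assumed from the DirectControl 4.4 adjoin(1) manual; confirm
# them on your version before relying on this.
adjoin_selfserve() {
    adjoin --selfserve --name "$1" "$DOMAIN" >/dev/null 2>&1
}

main() {
    # 169.254.169.254 is the EC2 instance metadata service.
    _ud=$(curl -fsS http://169.254.169.254/latest/user-data) || exit 1
    parse_user_data "$_ud" || exit 1
    fetch_config || exit 1
    _host=$(join_pool "$HOSTNAME_PREFIX" 100 adjoin_selfserve) || exit 1
    echo "joined $DOMAIN as $_host"
}

# Only run the boot sequence when invoked as "autojoin.sh --boot".
if [ "${1:-}" = "--boot" ]; then
    main
fi
```

Note that join_pool treats every failed join as “account already in use”, so an unreachable domain controller would walk through the whole pool before giving up; in production, check that the KDC answers before starting the loop, and leave the Centrify boot script to run addns after the join as the guide describes.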
Launching Centrify provided Amazon Machine Images (AMI)
Login to the AWS Management Console

- Log in to the AWS Management Console for EC2 at http://console.aws.amazon.com and
  make sure EC2 is selected in the drop-down list.

- Select the Amazon region nearest you. (Note: our plan is to have these AMIs published
  to US-West, US-East and EMEA.)

- Create a Security Group called Express to grant access to the instances. The
  screenshot listing the open ports is not reproduced here; at a minimum, the login
  steps in this guide need SSH (TCP 22) open, and it should be open only to the
  addresses you administer from.
Launch an Instance of Centrify Express AMI
On either the EC2 Dashboard page or the Instances page, click the Launch Instance
button, then select Community AMIs and search for Centrify-DirectControl.

- Click the Select button for the AMI that you want to launch. Accept the defaults for
  most options, but select the Express Security Group.

- Specify the number of instances to launch. The auto-join solution lets you start
  several instances at once and have them all join AD at boot.
- Tell the new instances what domain to join, which S3 bucket to retrieve the
  resolv.conf and krb5.conf files from, and what hostname prefix to use during the join.
  In the User Data field enter the appropriate values for DOMAIN, S3BUCKET and
  HOSTNAME_PREFIX, for example:
  DOMAIN=cloud.mycompany.com|S3BUCKET=mycompanyautojoin|HOSTNAME_PREFIX=ec2host|

- User SSH keys are not needed once the instances are joined to Active Directory: users
  authenticate to the Centrify OpenSSH server with Kerberos (GSSAPI) or with their AD
  password, and with GSSAPI key exchange the host is authenticated through Kerberos as
  well, so host keys need not be distributed either. The SSH session itself is still
  encrypted with the cipher SSH negotiates; Kerberos replaces the keys, not the
  encryption.

- Once you click “Launch”, the instance(s) start and join Active Directory, after which
  you can log in with your Active Directory user accounts.
NOTE: Once you launch an AMI instance, Amazon charges you for as long as it remains
running. To stop the charges to your account, terminate any running instances.
Accessing the New AMI Instances
AD User Login via SSH
Once the Instance is running, click on the new Instance to find the Public DNS
information for the Instance so that you can launch an SSH client and login with any of
your AD User accounts who are a member of the “ec2.access” Group within AD. You
can either click on Connect in the Task menu or simply highlight the Instance and look at
the properties panel in the lower portion of the Console.

- On a Mac, open a Terminal window and type “ssh <ad-username>@<public DNS>”,
  substituting the actual Public DNS value after the @ sign. The user's home directory
  is created automatically at first login.
You can also log in to the system using its Active Directory computer name, which is
registered in your DNS, so you do not have to look up the instance's public DNS name.
This is also what makes single sign-on through PuTTY work.
AD User Single Sign-on using PuTTY
Single sign-on requires that the client workstation can both resolve the IP address of
the host it is connecting to and obtain a Kerberos service ticket for that host. For
this example we log in as an end user on the Domain Controller and launch the Centrify
build of PuTTY, which signs on to the AMI instance without prompting for credentials.
Host authentication is also performed through the Kerberos (GSSAPI) key exchange,
automatically, so you no longer need to manage SSH host keys for these instances.
The Domain Controller in the DMZ that we are using is running the Microsoft DNS
Server that is configured to require authentication for all updates. Centrify provides a
command line tool called addns as part of Centrify Express that is called during the boot
process to securely update the AD DNS Server with the IP address of the AMI Instance
after successfully joining Active Directory. This ensures that the DNS Server has the
correct public IP address of the AMI Instance associated with the AD computer account
name that was used to join AD. Now that DNS has the proper IP Address entry for the
new Instance associated with one of the computer accounts, we can login as an end user
using PuTTY. You will only need to enter the Active Directory computer account name
of the new Instance.
Navigate to the Kerberos configuration in the SSH node under Connection and check the
box to “Attempt Kerberos auth (SSH-2)”.
Click Open in order to establish a Kerberos authenticated connection to the Active
Directory integrated AMI Instance.
As you can see, the logged in user is able to authenticate to this AMI Instance without
having to enter a userid or password since PuTTY was able to obtain a Kerberos Service
Ticket for the remote host and the Centrify OpenSSH Server was configured to
authenticate the user based on GSSAPI, which enables Single Sign-On.
Privileged Command Execution using sudo
Users who are members of the ec2.admins group in AD can run any command with root
privileges simply by prefixing it with sudo.
If you want to modify the permissions granted to the ec2.admins group, or create
additional groups and manage their sudo rights, edit /etc/sudoers (always through
visudo, so that a syntax error cannot lock you out of sudo) and add entries alongside
the two below that Centrify has added to the default /etc/sudoers file. The leading
“%” marks a group name; without it sudo would look for a user called ec2.admins.
centrify ALL = (ALL) NOPASSWD: ALL
%ec2.admins ALL = (ALL) PASSWD: ALL
Using DirectManage Express to Access and Manage Centrify Express Instances
DirectManage Express provides an interface that makes it easier to manage your EC2
instances once they are running. Before DirectManage can manage the instances, they
must be added to its database, which is easily done by calling the EC2 APIs with your
AWS account credentials to retrieve the list of currently running instances within
Amazon EC2.
Adding EC2 Instances
To add the currently running EC2 instances, select the “Add Computer” task from the
right-click task menu, then select “Discover computers from cloud”. The wizard asks for
your Amazon Secret Key and Access Key so that it can log in and retrieve the
information.
You will also be asked for login credentials to access the EC2 instances. Since the
instances join AD automatically, you can use any AD account that is a member of both
the ec2.access and ec2.admins groups, as such accounts can both log in and execute
commands with privileges. Provide the login name of the AD account and specify that it
should use sudo for privilege elevation. As an example, you could use an account called
dm.manager created for this specific purpose.
Once the wizard has completed, you will see the console start to add the EC2 Instances to
the list of computers that it can manage.
Accessing and Managing EC2 Instances
Once the EC2 instances have been added, you can more easily perform remote
administrative tasks such as initiating a PuTTY or WinSCP session, or more advanced
operations such as running custom scripts across one or more systems.

- Remote Session: right-click a computer and launch a remote PuTTY or WinSCP session.

- Run Script: DirectManage supports running scripts on one or more computers. These can
  be Linux shell scripts, which are delivered to the remote system and executed, or Lua
  scripts that run on the local Windows computer and can call Windows APIs (for example
  to access Active Directory) in addition to executing commands remotely on the Linux
  system.

- Manage Software: DirectManage can also manage the software installed on a computer,
  which in most environments is used to install Centrify Suite and join Active
  Directory. In this environment, DirectManage can instead upgrade the pre-installed
  Centrify Express to Centrify Suite Standard or Enterprise Edition where the more
  advanced features are needed.
Benefits of Upgrading to Centrify Suite Standard, Enterprise or Platinum Editions
The focus of this document was to show how to integrate Centrify Express AMI
Instances into Active Directory in order to centralize administration of user accounts and
access controls as well as provide single sign-on for users accessing those instances. You
can also upgrade Centrify Express and gain additional centralized controls, user session
auditing as well as hardened network access controls.
Centrify Suite Standard Edition builds on Centrify Express by providing Active
Directory Group Policy enforcement, extending the access control model to support
multiple Zones, and enforcing fine-grained role-based privileges through
DirectAuthorize.

- Group Policy: Windows administrators will be familiar with Group Policy as a way to
  define system policies that are enforced automatically and refreshed periodically
  once a machine joins Active Directory. Centrify provides hundreds of Group Policy
  settings that control the DirectControl agent, OpenSSH settings and iptables firewall
  settings, among others.

- Centrify Zones: Centrify Express lets every user in Active Directory log in with a
  system-generated Linux profile, whereas Zones let administrators define the Linux
  profile for the users of a group of systems. Administration of these groups of
  systems (Zones) can be delegated to different administrators. This guide used an
  Active Directory group to control which users may log in to a system; that approach
  is configured per image rather than managed centrally. Zones provide centralized
  control over user access by requiring users to be members of a Zone in order to log
  in to the computers in it.

- Role-based Privileges with DirectAuthorize: this guide used sudo to allow the centrify
  account and the members of the ec2.admins AD group to run any command as root. That
  centralizes the management of root privileges, but you would have to hand-configure
  additional policies to give other administrative roles appropriate rights.
  DirectAuthorize provides a central administrative interface for describing any number
  of Roles and granting each a set of access rights and command privileges, making it
  easy to create Roles for web developers or database administrators with rights
  appropriate to each.
Centrify Suite Enterprise Edition contains all the functionality of Standard Edition
and adds user session auditing. Many events on these AMI instances are logged to
syslog, and you could forward the logs to a central server, but syslog typically does
not show what was actually done on the system. DirectAudit records user sessions and
sends them to a central SQL Server, where you can browse sessions by user or by server
and search for sessions containing specific strings in their input or output. Once an
“interesting” session is found you can replay it to see exactly what someone did on
your AMI instance. This level of visibility matters all the more because instances in
EC2 are publicly accessible in a hosted environment, rather than inside an on-premise
data center where you can assure a certain level of physical and network security.
Centrify Suite Platinum Edition extends the access controls of Standard Edition with
what Microsoft calls Server and Domain Isolation. DirectSecure enforces Microsoft IPsec
security policies that describe how computers authenticate to and communicate with
each other, establishing a dynamic peer-to-peer virtual private network in which each
computer can be configured to require mutual PKI- or Kerberos-based authentication
and, optionally, to encrypt network traffic between trusted hosts. Because this uses
IPsec in transport mode, policies can be applied to specific ports and between specific
computers. You could, for example, allow public traffic to port 80 of a web site while
requiring mutual authentication and encryption between the web server and trusted web
developers, and for all traffic to back-end database servers.
Centrify Application Single Sign-on Modules are available for several applications and
databases to enable Active Directory based single sign-on. Modules are available for web
platforms such as Apache, Tomcat, JBoss, WebLogic and WebSphere, and for applications
such as DB2 and SAP. Many other applications can be configured to use Active Directory
user accounts if they support PAM (Active Directory user ID and password login on
UNIX), LDAP (Active Directory user ID and password login) or GSSAPI (Kerberos single
sign-on against Active Directory).
Frequently Asked Questions
Question. What are the charges for using these Centrify Express AMIs?
Answer. There is no additional charge from Centrify, only the base fees that Amazon
charges based on the type and size of the Instances.
Question. Do I need to use SSH keys to login?
Answer. No. Users log in with their Active Directory password or, from a Kerberos-aware
SSH client such as the Centrify build of PuTTY, with a Kerberos ticket, so neither user
keys nor host keys need to be distributed.
Question. Is the traffic between these AMIs and the Active Directory protected? Are
user passwords protected during the login process?
Answer. Yes. Active Directory uses secured protocols built on the Kerberos
infrastructure that is an integral part of Active Directory. Communications with Active
Directory Domain Controllers are Kerberized, so that trusted systems talk to each other
only after mutual authentication and their traffic is protected by Kerberos signing and
sealing. A user's password is used locally to obtain a Kerberos ticket and is not itself
transmitted to the Domain Controller.
How to Contact Centrify
North America (and all locations outside EMEA)
Centrify Corporation
785 N. Mary Avenue, Suite 200
Sunnyvale, CA 94085
United States
Sales: +1 (408) 542-7500

Europe, Middle East, Africa (EMEA)
Centrify EMEA
Lilly Hill House
Lilly Hill Road
Bracknell, Berkshire RG12 2SJ
United Kingdom
Sales: +44 (0) 1344 317950

Enquiries: info@centrify.com
Web site: www.centrify.com