Centrify Express 2014

Authenticate Cross-Platform Systems to Active Directory

Centrify DirectControl Express is the key component of Centrify Express. It is a limited-functionality version of the same enterprise-hardened Centrify DirectControl technology currently used by Centrify's 5,000+ customers for Active Directory integration. By natively joining non-Windows systems to Active Directory, DirectControl Express unlocks the power of Kerberos and LDAP, and in doing so provides a single sign-on experience based on the user's existing Active Directory credentials while at the same time enforcing Active Directory password policies. The bottom line is with Centrify Express you get more functionality and more to upgrade to when compared to other free offerings.

Join UNIX, Linux and Mac OS X systems to Active Directory

DirectControl Express allows you to quickly and easily join a non-Microsoft system to an Active Directory domain, thereby giving you the advantage of a single administrative tool to administer authentication across a heterogeneous computing environment.

Give Users Single Sign-on with Their Active Directory Account

Users can simply type in their Active Directory username or password to login into a non-Microsoft system. Unlike other Active Directory integration solutions, DirectControl Express does not force users to type in their domain name every time they login.

Quickest to Install and Deploy

Only Centrify DirectControl Express gives users a handy pre-install check that runs prior to installation to ensure a painless installation experience. Our installation process also automates the join process, so no need to mess around with typing a bunch of commands to join your systems to Active Directory. In addition, when used in conjunction with DirectManage Express, only Centrify delivers a free Active Directory integration solution that can push its agent out to hundreds of systems from a centralized console.

Full Support for Active Directory Policies

DirectControl Express talks directly to Active Directory; therefore, all of Active Directory's built-in password policy features are supported as well as the flexible user-naming conventions of Active Directory users.

Cross-Domain Authentication

Users who are authenticated members of a remote domain can access a UNIX, Linux or Mac system joined to another domain if the appropriate cross-domain trust relationship has been established. This is the same behavior that users would expect in an all-Windows environment.

Gold Standard Kerberos

Leveraging the MIT reference implementation of Kerberos, DirectControl delivers the most compatible and mature approach to Kerberos-based Active Directory authentication for enterprise authentication. While many platforms offer some type of Kerberos support, setting up and administering the Kerberos service to talk with Active Directory securely and reliably can be a complex task on non-Microsoft platforms. With the DirectControl agent installed, the host platform becomes Active Directory-aware and can take advantage of DirectControl services, including automatic updates of Keytab files and Keytab versioning, automatic time synchronization with Active Directory, local caching for disconnected mode, and dynamic DNS support. This greatly simplifies initial configuration and provides a much higher degree of maintainability and reliability.

Microsoft Certified

Centrify DirectControl is the only Active Directory integration solution that has successfully passed the strict set of Microsoft tests administered by VeritTest/Lionbridge for Windows 2003, Windows 2008 and Windows 2008 R2.

More to Upgrade To

Centrify DirectControl Express is a subset of the full-featured DirectControl solution, which is part of a suite of solutions called the Centrify Suite. So not only can you upgrade from DirectControl Express to the full-featured DirectControl that offers Group Policy, reporting, Zone-based access control, migration tools, etc. but depending on the Centrify Suite edition you want, you can also upgrade to role-based authorization via DirectAuthorize, user-level auditing via DirectAudit, server isolation and encryption of data-in-motion via DirectSecure, user account administration and provisioning via the full-featured version of DirectManage, and SSO for web applications, SAP and databases.

Differences with the Full-Featured Version of DirectControl

High-Level Functional Differences

The primary difference between Centrify DirectControl Express and the full featured version of DirectControl is that DirectControl Express is primarily useful on smaller sets of systems that just need proven Active Directory authentication, while the full-featured version of Centrify DirectControl is required in larger environments that need more centralized control on the identity, access control, privilege level, reporting and auditing of user activities. Other capabilities found in the full-featured version of DirectControl include Group Policy, migration tools, Zone-based access control, the ability to map multiple UIDs to a single Active Directory account, compliance reporting, etc.

Also please note that the full-featured version of DirectControl is delivered as part of our Standard Edition of the Centrify Suite, which includes DirectAuthorize and DirectManage. In effect, Centrify offers three products versus a single point product as part of our base commercial offering. Customers also upgrading to the Enterprise, Platinum or Application editions of the Centrify Suite also get the full-featured version of DirectControl as part of all Centrify Suite editions. In other words, the primary benefits of upgrading to the Centrify Suite are centralized user provisioning, Group Policy, reporting, and Zone-based access control, as well as centralized roles and rights, user session auditing, server isolation, encryption of data-in-motion, and application SSO. In addition, customers of the Centrify Suite can purchase technical support and maintenance. Organizations can easily upgrade from Centrify Express to the Centrify Suite, if needed.

Differences in How UNIX Attributes Are Handled

Besides the high-level functional differences noted above, it should also be pointed out that DirectControl Express handles UIDs differently from the full-featured version of DirectControl. In DirectControl Express, when an Active Directory user logs in to a UNIX or Linux computer for the first time, DirectControl automatically generates a UID and GID and establishes a user's home directory with all of the associated profile and configuration files.

Therefore, when you join multiple UNIX, Linux or Mac OS X computers to a domain, any Active Directory user who logs on to more than one computer will have the same DirectControl-generated UID on each machine so that you don't have to worry about file and resource ownership issues. Note that anyone with a valid Active Directory username and password can log in to a DirectControl Express-managed system unless you control who can and cannot log in by configuring pam.allow and pam.deny configuration parameters.

DirectControl Express does not store UIDs inside Active Directory, nor can you manipulate a users' UNIX UID or GID via a tool such as Active Directory Users and Computers (ADUC). That also means with DirectControl Express you cannot map multiple UIDs to a single Active Directory account.

This is in comparison to the full-featured version of DirectControl, which allows you to migrate and store UIDs in Active Directory as well as centrally provision users, control access, assign fine-grained roles and rights and audit user sessions. The licensed version of DirectControl also provides migration tools to import existing UIDs into Active Directory, map multiple UIDs to a single Active Directory account, control which Active Directory accounts can log in to which group of UNIX or Linux systems, and provides delegated administration of who can enable which users to access specific groups of systems. For more details, see Centrify DirectControl Zones.

"With the free Centrify Express offering, organizations of all shapes and sizes can quickly and easily integrate desktops and servers running Ubuntu 10.04 LTS with Active Directory."


Matt Asay
COO, Canonical