While many vendors claim support for Kerberos, only Centrify provides native support for all the complexity and nuance of Active Directory. The Centrify UNIX Agent has robust support for automatic discovery of the nearest domain controller, the global catalog, one/two-way trusts, multi-site environments, domain controller failover and disjoint Active Directory-DNS namespaces.
The Most Enterprise-Ready Solution for Integrating Linux & UNIX Systems with Active Directory
The Centrify UNIX Agent includes a wide range of configuration parameters and self-tuning features that reduce the amount of manual configuration needed. This enables the agent to maintain communication with domain controllers, even in environments where DNS is not properly configured.
While lab environments often have simple DNS configurations that make joining Active Directory straightforward, actual production environments are more complex:
- DNS is often not maintained in parallel with Active Directory.
- When a domain controller is changed or retired, DNS is frequently not updated, resulting in stale DNS SRV records that point to non-existent or unhealthy domain controllers.
- Active Directory integration solutions that worked in the test lab can prove unusable in production, with long delays in logging in as a system searches for a domain controller, or lockouts when authentication fails.
- Similar issues exist for environments with complex trust relationships or disjoint namespaces.
Centrify's Active Directory support, developed and validated through our experience with thousands of servers in real-world environments, makes the Centrify Authentication Service the most enterprise-ready solution for integrating Linux and UNIX systems with Active Directory. Centrify does this with advanced features such as:
- Intelligent Domain Controller Discovery: The Centrify Agent validates the domain controllers' health and builds a priority list of domain controllers that tolerates stale DNS SRV records.
- Dynamic Domain Controller Selection: At join and login time, the highest priority domain controller is examined for health, responsiveness and availability, ensuring a quick, reliable response.
- Dynamic DNS Selection: As with Dynamic Domain Controller Selection, at login time any DNS queries are sent to multiple DNS servers, with the quickest response used. This enhances login speed and reduces bottlenecks and single points of failure.
- Tolerance of Missing DNS Configuration in resolv.conf: In large, established *NIX environments, DNS might not exist or be configured on all servers. The Centrify Agent can be configured to work in this environment.
- Support for Disjoint Namespaces: In large enterprises, the DNS namespace is often different from the Active Directory domain (for example, centrify.com versus corp.centrify.com). When Centrify joins a system to Active Directory, we can add additional aliases so that single sign-on (SSO) will work. For example, you can use PuTTY to connect to myserv.centrify.com or myserv.corp.centrify.com and SSO will work as expected.
- Hardened Support for Complex Trusts: When a system is joined to Active Directory, enhanced mapping of trust relationships (forest, domain, one-way, two-way, transitive) ensures the login experience is seamless.
- Enhanced Network Resiliency: Additional enhancements ensure quicker response and failover in a variety of environments, including offline access, VPN (PPTP, IPsec, Cisco), wireless, and remote access across a WAN.
- Automatic Registration with Active Directory DNS Server: When a system is joined to Active Directory, the Centrify Agent automatically registers the new system with DNS to ensure others can find and seamlessly access newly joined systems.
The Centrify Authentication Service data sheet outlines how customers can go beyond the vault and properly verify who requests privileged access. This can be achieved by leveraging enterprise directory identities, eliminating local accounts, and decreasing the overall number of accounts and passwords, thereby reducing the attack surface.