Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.3 (Release 19.2) Release Notes

© 2004-2018 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Table of Contents

1. About This Release

2. Feature Changes

2.1. Feature Changes in Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.3 (Release 19.2)

General

Security Fix

Centrify DirectControl Agent for *NIX

Centrify OpenLDAP Proxy

2.2. Feature Changes in Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.2 (Release 18.11)

General

Security Fix

Centrify DirectControl Agent for *NIX

Centrify adedit

Centrify OpenSSH

Centrify OpenLDAP Proxy

Centrify Access Manager

Centrify Access Module for PowerShell

Centrify Licensing Service

Centrify Group Policy Management

Centrify Report Services

Centrify Zone Provisioning Agent

3. Bugs Fixed

3.1. Bugs Fixed in Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.3 (Release 19.2)

3.2. Bugs Fixed in Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.2 (Release 18.11)

General

Centrify DirectControl Agent for *NIX

Centrify adedit

Centrify OpenSSH

Centrify OpenLDAP Proxy

Centrify Access Manager

Centrify Access API for Windows

Centrify Licensing Service

Centrify Group Policy Management

Centrify Report Services

Centrify Zone Provisioning Agent

4. Known Issues

Centrify DirectControl Agent for *NIX

Smart Card

Centrify Report Services

5. Additional Information and Support

1. About This Release

Centrify Authentication Service and Centrify Privilege Elevation Service (part of the product category Centrify Infrastructure Services) centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Infrastructure Services, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. Centrify Authentication Service, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. Centrify's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.

An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available online.

The Centrify Infrastructure Services related release notes and documents are available online at http://docs.centrify.com.

Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)

2. Feature Changes

For a list of the platforms supported by this release, refer to the 'Supported Platforms' section in the Centrify Infrastructure Services release notes.

For a list of platforms for which Centrify will remove support in upcoming releases, refer to the 'Notice of Termination Support' section in the Centrify Infrastructure Services release notes.

For a complete list of supported platforms in the latest releases, refer to the 'Centrify Infrastructure Services' section in the document available from www.centrify.com/platforms.

2.1. Feature Changes in Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.3 (Release 19.2)

General

·          Release 19.2 is a new feature release affecting only the *NIX packages for Centrify Authentication Service and Centrify Privilege Elevation Service. All other packages are carried over from Release 18.11, and the supported platforms are the same as in Release 18.11.

·          Compatibility (Ref: CS-47393)

This release of Centrify DirectControl Agent for *NIX will work with the following:

·         The latest released Centrify for DB2 and Centrify for Samba. (Ref: CS-44594)

·         Centrify DirectAudit Agent of Release 2017 or later, except

§  On AIX, Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later. (Ref: CS-44597, CS-44601, CS-44749)

§  On Solaris x86 and SPARC platforms, DirectAudit Agent must be of Release 2018 or later. (Ref: CS-44594)

·         Centrify OpenSSH of Release 2017 or later, except

§  On Linux PowerPC platforms, all packages must be of Release 2017.3 or later. (Ref: CS-44749, CS-44753)

§  On Solaris x86 and SPARC platforms, Centrify OpenSSH must be of Release 2018 or later. (Ref: CS-44594)

Security Fix

·          N/A

Centrify DirectControl Agent for *NIX

·          Update krb5.conf whenever the connected Domain Controller changes (Ref: CS-47423)

Whenever the DirectControl agent switches its Domain Controller (DC) binding, the information for the newly selected DCs is now written to krb5.conf, so that other Kerberized programs can use them. This behavior is controlled by a new configuration parameter, adclient.dc.switch.update.krb5.conf, in centrifydc.conf.

-    adclient.dc.switch.update.krb5.conf: Controls whether the DirectControl agent updates the server entries in krb5.conf when the selected Domain Controller (DC) changes, whether because of a DC or site failover or because the LDAP binding is restored to the preferred site. The default is true.

Centrify OpenLDAP Proxy

·          Support for RFC2307 NIS NetGroup object (Ref: CS-47424)

Added support for using native Active Directory (AD) RFC2307 nisNetGroup objects instead of Centrify's nisNetGroup objects. This is useful when the environment has a large number of netgroups.

Because native AD objects are used, netgroups can also be provisioned through Microsoft APIs.

This support is controlled by a configuration parameter, ldapproxy.netgroup.use.rfc2307nisnetgroup, in slapd.conf. When the parameter is set to true, ldapproxy searches RFC2307 nisNetGroup objects instead of Centrify's nisNetGroup objects for netgroup information. The default is false, which keeps the existing behavior of using Centrify's nisNetGroup objects for netgroup information.

2.2. Feature Changes in Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.2 (Release 18.11)

General

·          Open Source component upgrade

·         Centrify curl is now based on curl 7.61.1 instead of 7.61.0. (Ref: CS-47114)

§  This includes the security fix for CVE-2018-14618. For details, please refer to https://curl.haxx.se/docs/security.html.

·         Centrify OpenSSL is now based on OpenSSL 1.0.2p instead of 1.0.2o. (Ref: CS-46958, CS-45793)

§  This includes the security fixes for CVE-2018-0732 and CVE-2018-0737. For details, please refer to https://www.openssl.org/news/vulnerabilities-1.0.2.html and https://www.openssl.org/news/cl102.txt.

·          Compatibility (Ref: CS-47393)

This release of Centrify DirectControl Agent for *NIX will work with the following:

·         The latest released Centrify for DB2 and Centrify for Samba. (Ref: CS-44594)

·         Centrify DirectAudit Agent of Release 2017 or later, except

§  On AIX, Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later. (Ref: CS-44597, CS-44601, CS-44749)

§  On Solaris x86 and SPARC platforms, DirectAudit Agent must be of Release 2018 or later. (Ref: CS-44594)

·         Centrify OpenSSH of Release 2017 or later, except

§  On Linux PowerPC platforms, all packages must be of Release 2017.3 or later. (Ref: CS-44749, CS-44753)

§  On Solaris x86 and SPARC platforms, Centrify OpenSSH must be of Release 2018 or later. (Ref: CS-44594)

Security Fix

·          N/A

Centrify DirectControl Agent for *NIX

·          Added SMB3 support to the Centrify SMB stack. This enables the agent to retrieve group policies or files from SMB shares on Windows 8, Windows 2012 or later that require data encryption. (Ref: CS-30935)

·          Implemented mechanisms to prevent forged host tickets (the "silver ticket" attack). To prevent PAC spoofing, a new setting, krb5.pac.validation, configures whether the agent validates the PAC in the user's ticket with the KDC before using the information it carries, such as the user's group membership. By default, PAC validation is disabled. (Ref: CS-39827)

·          Extended the NSS support for mail aliases on zone enabled AD users. (Ref: CS-45499)

·          Enhanced the Multi-Factor Authentication performance to prefer connectors in the same subnet and then in the same Active Directory site. This enhancement does not apply to AIX platforms. (Ref: CS-45588)

·          Added an option to ignore 'gid override' of the primary group when checking for primary group members. (Ref: CS-46835)

·          Added a provision to support alternate password hash for Solaris disabled users. (Ref: CS-47275)

·          Added support for MIT Kerberos commands, and programs linked with the MIT Kerberos library (release 1.13 or above), to interoperate with the Centrify KCM service on Solaris platforms. (Ref: CS-46466)

DirectControl Command Line Utilities

·          Added support for the command "adinfo -y domain" to print the domain prefix IDs that the DirectControl algorithm uses to generate unique UNIX user (UID) and group (GID) IDs. This feature gives users better control over how UIDs/GIDs are generated in relation to a domain (SID); it applies only to hierarchical zones. (Ref: CS-46478)

·          Added a new option "-I, --noprompt" to the "adjoin" and "adleave" commands. When this option is specified and no credentials are found, the command fails instead of prompting for a password. (Ref: CS-46695)

Audit Trail Events

·          Added new "dzdo" audit trail events for dzdo command execution starts/ends. With these new audit trail events, users can determine how long an elevated privilege command has run. (Ref: CS-45228)

·          Added new "Kerberos" audit trail events for KCM Kerberos credential access. (Ref: CS-44042)

·          Added new "PAM" audit trail events for user logins to the system in rescue mode. (Ref: CS-45603)

Configuration Parameters

Added the following parameters in centrifydc.conf:

-    adclient.krb5.conf.domain_realm.anysite: The krb5.conf [ realm ] section is updated with information on the KDCs from the preferred site. Setting this parameter to true extends this to include all reachable KDCs regardless of site. The default is false. (Ref: CS-47422)

-    audittrail.<product>.<component>.overrides: Please refer to the description of audittrail.<product>.<component>.targets below. (Ref: CS-46740)

-    audittrail.<product>.<component>.targets: This parameter and audittrail.<product>.<component>.overrides together allow audit trail events to be enabled or disabled per product/component. Note: Please refer to the documentation for the complete list of products and components (also called categories). Replace any space in a product or component name with '_' when specifying the parameters. The value of a product/component overrides or targets setting is a bit mask with the same usage as audittrail.targets. There is no default value for a product/component targets setting; the default value for a product/component overrides setting is '0', meaning that the product/component observes the global setting. (Ref: CS-46740)

-    krb5.pac.validation: When performing credential verification, a service ticket is fetched for the local system. After the credential is verified, the PAC information in the service ticket is used by the local system. Before the user's PAC is used, you can choose to verify that the PAC came from a trusted KDC, to prevent the well-known "silver ticket" attack. This setting takes effect when krb5.verify.credentials is true or when DirectControl is using the user's PAC from a service ticket. It does not apply to a PAC retrieved using the S4U2Self protocol. There are three possible values:

1.  disabled (default) - No PAC validation is done at all.

2.  enabled - If PAC validation fails, the PAC is still used and the user login is allowed.

3.  enforced - If PAC validation fails, the PAC is discarded and the user login is denied.

Note: Setting this to enabled or enforced has a significant impact on user login and group fetch performance. (Ref: CS-39827, CS-46564)

-    nss.alias.source: This parameter specifies the source used to look up aliases. There are three possible values: nismaps, mail, and proxyaddress. The default is nismaps, which looks up aliases from NIS maps. To look up aliases from zone-enabled AD user objects instead, use either the "mail" or the "proxyaddresses" attribute. Note: AD users with an empty "mail"/"proxyAddresses" attribute are treated as invalid alias entries even if the users exist and are zone enabled. To use the "proxyaddresses" attribute, you must include it in the adclient.custom.attributes.user parameter, since it is a custom attribute; otherwise the lookup falls back to "nismaps". (Ref: CS-45499)

No parameters were changed in, or removed from, centrifydc.conf in this release.

Please refer to the manual, Configuration and Tuning Reference Guide, for details.
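The parameters in this section, together with adclient.dc.switch.update.krb5.conf from section 2.1, all live in centrifydc.conf, and krb5.pac.validation in particular defaults to disabled, so an upgraded agent does not reject a forged host ticket until the setting is changed. The following POSIX shell script is an added example, not part of these release notes and not Centrify's own tooling: it reads a centrifydc.conf, reports the effective value of each of those parameters (using the defaults documented above when a parameter is absent) and classifies the PAC validation state. It assumes the "name: value" line format shown in this document, that a line whose first non-blank character is '#' is a comment, and that the last occurrence of a name wins; the two sample configurations it writes are constructed for the demonstration and are not real files.

```shell
#!/bin/sh
# Added example (not Centrify's code): report the effective values of the
# centrifydc.conf parameters described in these release notes and flag the
# state of PAC validation. Assumptions: one "name: value" per line, lines
# starting with '#' are comments, the last occurrence of a name wins.

# conf_get FILE NAME DEFAULT
# Print the value of NAME from FILE, or DEFAULT when NAME is not set.
conf_get() {
    value=$(awk -v key="$2" '
        /^[ \t]*#/ { next }                     # comment line
        {
            n = index($0, ":")
            if (n == 0) next                    # not a "name: value" line
            k = substr($0, 1, n - 1)
            v = substr($0, n + 1)
            gsub(/^[ \t]+/, "", k); gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (k == key) val = v               # last occurrence wins
        }
        END { print val }' "$1")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$3"
    fi
}

# pac_validation_status FILE
# Exit status 0: "enforced" (a PAC that fails validation is discarded and the
# login denied); 1: "enabled" (validated, but still used when validation
# fails); 2: "disabled", the documented default, or an unrecognised value.
pac_validation_status() {
    case "$(conf_get "$1" krb5.pac.validation disabled)" in
        enforced) return 0 ;;
        enabled)  return 1 ;;
        *)        return 2 ;;
    esac
}

# report FILE
# Print the effective settings and a one-line assessment of PAC validation.
report() {
    f="$1"
    for p in adclient.dc.switch.update.krb5.conf:true \
             adclient.krb5.conf.domain_realm.anysite:false \
             krb5.verify.credentials:'(not set)' \
             krb5.pac.validation:disabled; do
        name=${p%%:*}; def=${p#*:}
        printf '%-42s = %s\n' "$name" "$(conf_get "$f" "$name" "$def")"
    done
    rc=0; pac_validation_status "$f" || rc=$?
    case $rc in
        0) echo 'PAC validation: enforced (forged host tickets are rejected)' ;;
        1) echo 'PAC validation: enabled (PAC still used and login allowed on failure)' ;;
        *) echo 'PAC validation: disabled (default; PAC contents are not validated)' ;;
    esac
}

# Constructed sample configurations for the demonstration (not real files).
write_sample_default() {
    cat > "$1" <<'EOF'
# constructed sample: none of the parameters from this release are set
nss.alias.source: nismaps
EOF
}

write_sample_hardened() {
    cat > "$1" <<'EOF'
# constructed sample: PAC validation enforced, odd spacing on purpose
krb5.verify.credentials: true
   krb5.pac.validation:   enforced
adclient.dc.switch.update.krb5.conf: true
EOF
}

# Stand-alone demonstration on both samples.
demo() {
    for s in default hardened; do
        tmp=$(mktemp) || return 1
        "write_sample_$s" "$tmp"
        echo "== $s sample =="
        report "$tmp"
        rm -f "$tmp"
    done
}
demo
```

Sourcing the script and calling report with the path to an agent's centrifydc.conf gives the same summary for a live system. The "enforced" line is the one to look for on hosts where krb5.verify.credentials is true, since the description above says the setting only takes effect then (and never for a PAC obtained via S4U2Self).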

Centrify adedit

·          Added a new command "forest_from_domain" to the command utility "adedit". It returns the forest name for a given domain name. (Ref: CS-46628)

·          Added support for the "sid2iddomainmap" field in the commands "set_zone_field" and "get_zone_field" for the domain prefix IDs that the DirectControl algorithm uses to generate unique UNIX user (UID) and group (GID) IDs. Also added a new option "-domainidmap" to the commands "sid_to_uid" and "sid_to_id" to generate UIDs/GIDs with the new algorithm. This feature gives users better control over how UIDs/GIDs are generated in relation to a domain (SID); it applies only to hierarchical zones. (Ref: CS-46213)

Centrify OpenSSH

·          N/A

Centrify OpenLDAP Proxy

·          Added support for the critical search extension flag ('!') with the pagedResults control (e.g. -E '!pr=50') on LDAP search results. (Ref: CS-46512)

Centrify Access Manager

·          Added support in the zone property pages to allow users to specify the domain prefix IDs that the DirectControl algorithm uses to generate unique UNIX user (UID) and group (GID) IDs. This feature gives users better control over how UIDs/GIDs are generated in relation to a domain (SID); it applies only to hierarchical zones. (Ref: CS-46192)

Centrify Access Module for PowerShell

·          Added a new parameter, "SidToIdDomainMap", to the cmdlets "New-CdmZone" and "Set-CdmZone" to allow users to specify the domain prefix IDs that the DirectControl algorithm uses to generate unique UNIX user (UID) and group (GID) IDs. This feature gives users better control over how UIDs/GIDs are generated in relation to a domain (SID); it applies only to hierarchical zones. (Ref: CS-46174)

Centrify Licensing Service

·          N/A

Centrify Group Policy Management

·          N/A

Centrify Report Services

·         Added the capability in the Centrify Report Services Configuration Wizard to deploy Centrify reports onto any accessible SQL Server Reporting Services instance. (Ref: CS-46219)

·         Packaged Microsoft SQL Server 2016 Express with Advanced Services SP2 for Centrify Report Services in the Centrify Infrastructure Services ISO. (Ref: CS-40928)

·         Improved the performance of resolving the computer roles applicable to the joined computer. (Ref: CS-46559)

Centrify Zone Provisioning Agent

·          Added support in provisioning profiles for the domain prefix IDs that the DirectControl algorithm uses to generate unique UNIX user (UID) and group (GID) IDs. This feature gives users better control over how UIDs/GIDs are generated in relation to a domain (SID); it applies only to hierarchical zones. (Ref: CS-46173)

3. Bugs Fixed

3.1. Bugs Fixed in Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.3 (Release 19.2)

·          There are no bug fixes in Release 19.2.

3.2. Bugs Fixed in Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.2 (Release 18.11)

General

·          Packaging

·         Fixed the packaging scripts of the CentrifyDC/CentrifyDA packages to remove confusing and useless "Provides" entries from the CentrifyDA and CentrifyDC-openssh RPMs. (Ref: CS-47226)

Centrify DirectControl Agent for *NIX

·          Fixed a bug so that the User Principal Name (UPN), if one exists, is used as the user name in audit trail events. (Ref: CS-45475)

·          Fixed a bug in the handling of cached objects of unknown origin that produced a repeating warning message in the log such as "... adclient[...]: WARN <... NSSGetCurrentGroupData > daemon.ipcclient2 Unable to retrieve current group information: ADAttribute '_server' is empty". (Ref: CS-47239)

·          Fixed a bug in the sorting of the internal group member list that caused pam.allow.groups to stop working after an upgrade. (Ref: CS-47279)

·          Fixed a bug in the installer where it failed to upgrade the openssl, openldap and curl packages using the individual installer commands with the "-u" option. (Ref: CS-46863, CS-46856)

·          Fixed a bug in the NIS service where the niswatch daemon could not restart the service if the firewall blocks access to the local host; an alternate configuration that uses an interface address instead of the local host loopback address is now allowed. (Ref: CS-45302)

DirectControl Command Line Utilities

·          Fixed a bug in the command "adcheck" on AIX where it failed to check the disk space requirement. (Ref: CS-47029)

·          Fixed a bug where services such as SMB and NTP did not bind to the Domain Controller in the preferred or closest site as the other services do. (Ref: CS-45936)

·          Changed the behavior of the command 'adwebproxyconf -D' so that it not only deletes the http proxy credential from the local machine but also resets the http proxy server, http authentication type and http authentication required settings in centrifydc.conf to their default values. This makes the behavior consistent between 'adwebproxyconf -D' and 'adwebproxyconf -S'. (Ref: CS-46769)

·          Renamed the option '-y cloud' to '-y cip' in the command "adinfo" to correctly reflect that the output relates to the Centrify Identity Platform. The old option '-y cloud' is still supported for compatibility purposes but will soon be deprecated. (Ref: CS-46560)

·          Removed a misleading line showing an incorrect value for "Domain controller type" in the verbose output of the command "adcheck". Please use the field "domainControllerFunctionality" for the same purpose instead. (Ref: CS-46861)

Centrify adedit

·          N/A

Centrify OpenSSH

·          N/A

Centrify OpenLDAP Proxy

·          N/A

Centrify Access Manager

·          Fixed a bug in the "Orphan zone data objects and invalid data links" forest analysis where a user from a one-way trusted cross-forest AD would be marked as orphan if the local domain admin did not have sufficient rights to access it. (Ref: CS-46004)

·          Fixed a bug in "Sudoers Import" where it fails to identify sudoers file with Digest_Spec under any commands defined in Cmnd_Alias definition. (Ref: CS-45945)

·          Fixed a bug in "list role assignments" and "add member" operations of a newly created computer role where it fails sometimes in a multiple domain controller environment. (Ref: CS-47241)

Centrify Access API for Windows

·          N/A

Centrify Licensing Service

·          N/A

Centrify Group Policy Management

·          N/A

Centrify Report Services

·          Fixed a bug in zone mode where it failed to synchronize some Active Directory objects such as users, groups and computers. (Ref: CS-46923)

·          Fixed a bug in permission validation where it incorrectly reported "insufficient permission" to access the report database. (Ref: CS-47379)

Centrify Zone Provisioning Agent

·          N/A

4. Known Issues

The following sections describe common known issues or limitations associated with this Centrify Infrastructure Services release.

For the most up to date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to the Knowledge Base articles for any known issues with the release.

Centrify DirectControl Agent for *NIX

·          Known issues with Multi-Factor Authentication (MFA)

If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, MFA will be required for all AD users. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)

·          Known issues with AIX

On AIX, upgrading the DirectControl agent from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after the upgrade. It is recommended not to upgrade the DirectControl agent in disconnected mode. (Ref: CS-30494a)

Some versions of AIX cannot handle user names longer than eight characters. As a preventive measure, a new test case has been added to the adcheck command to check whether the parameter LOGIN_NAME_MAX is set to 9. If so, adcheck shows a warning so that users are aware of it. (Ref: CS-30789a)

·          Known issues with Fedora 19 and above (Ref: CS-31549a, CS-31730a)

There are several potential issues on Fedora 19 and above:

1)    The adcheck command will fail if the machine does not have Perl installed.

2)    Group Policy will not be fully functional unless Text/ParseWords.pm is installed.

·         Known issues with RedHat

When logging into a RedHat system with an Active Directory user that has the same name as a local user, the system does not warn the user of the conflict, which results in unpredictable login behavior. The workaround is to remove the conflict or to log in with a different AD user. (Ref: CS-28940a, CS-28941a)

·          Known issues with rsh / rlogin (Ref: IN-90001)

-    When using rsh or rlogin to access a computer that has the DirectControl agent installed, and the user is required to change their password, the user is prompted to change the password twice. The user may enter the same password each time and the password is changed successfully.

·          Known issues with compatibility

Using DirectControl 4.x agents with Access Manager 5.x (Ref: IN-90001)

-    DirectControl 4.x agents can join classic zones created by Access Manager 5.x. Joining a DirectControl 4.x agent to a hierarchical zone will appear to succeed as well, but causes failures later because that behavior is undefined.

Default zone not used in DirectControl 5.x (Ref: IN-90001)

-    In DirectControl 4.x and earlier there was a concept of the default zone. When Access Manager was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone was used.

-    This concept has been removed from DirectControl 5.0.0 and later, as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.

-    A zone called "default" may be created, and default zones created in earlier versions of Access Manager may still be used, but the name must be given explicitly.

Smart Card

·          Release 18.8 includes an update to Coolkey to support Giesecke & Devrient 144k, Gemalto DLGX4-A 144, and HID Crescendo 144K FIPS cards. However, this has caused known issues that may make CAC cards work only sporadically. A workaround for CAC cards is to wait for the PIN and Welcome prompts, without removing the card, and then try again. (Ref: CC-58013)

·          There is a Red Hat Linux desktop selection issue in RHEL 7 with smart card login. When logging in with a smart card, if both the GNOME and KDE desktops are installed, the user can only log into the GNOME desktop even though the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)

·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smartcard is inserted on the login screen, the PIN prompt may not show up until you hit the "Enter" key. The workaround is to replace libsoftokn3.so (a shared object in the NSS package) with the older version from RHEL 5.9. (Ref: CS-35038a)

·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen is locked several seconds after logging in with a smart card. The workaround is to replace libsoftokn3.so (a shared object in the NSS package) with the older version from RHEL 5.9. (Ref: CS-33871a)

·          When a SmartCard user attempts to log in on Red Hat 6.0 with a password that has expired, the authentication error message may not mention that authentication failed because of the expired password. (Ref: CS-28305a)

·          On RedHat, any SmartCard user gets a PIN prompt even if the user is not zoned, even though the login attempt will ultimately fail. This differs from the Mac behavior: on Mac, if a SmartCard user is not zoned, the user is not prompted for a PIN at all. (Ref: CS-33175c)

·          If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using the expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and password logins while a smart card is in use. (Ref: CS-28926a)

·          To login successfully in disconnected mode (Ref: CS-29111a):

·         For a password user:

§  A password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other DirectControl agent for *NIX behavior)

·         For a SmartCard user:

§  The above is not true of SmartCard login. Given a properly configured RedHat system with valid certificate trust chain and CRL set up, a SmartCard user may successfully login using disconnected mode even without prior successful logins in connected mode.

§  If certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.

§  If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.

·          After upgrading from DirectControl version 5.0.4 to version 5.1, a Smartcard user may not be able to log in successfully. The workaround is to run the following CLI commands:

    sudo rm /etc/pam_pkcs11/cacerts/*
    sudo rm /etc/pam_pkcs11/crls/*
    sudo rm /var/centrify/net/certs/*

and then run adgpupdate. (Ref: CS-30025c)

·          When CRL check is set via Group Policy and a user attempts to authenticate via Smartcard, authentication may fail. The workaround is to wait until the Group Policy update interval has elapsed and try again, or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)

·          After upgrading from DirectControl agent version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to run the following CLI command sequence:

    sctool -d
    sctool -e
    sudo rm /etc/pam_pkcs11/cacerts/*
    sudo rm /etc/pam_pkcs11/crls/*
    sudo rm /var/centrify/net/certs/*
    adgpupdate

and then log in again using the SmartCard and PIN. (Ref: CS-30353c)

·          A name-mapping user can unlock the screen with a password even though the previous login was with a PIN. (Ref: CS-31364b)

·          The PIN must be entered twice to log in with a CAC card on RedHat: the first attempt fails and the second succeeds. (Ref: CS-30551c)

·          Running "sctool -D" as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)

·          Screen saver shows password prompt instead of PIN prompt (Ref: CS-31559a)

Most smart card users can log on with a smart card and PIN only and cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this setup works seamlessly: the user either enters a user name and password at the logon prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards, it can be problematic when the screen locks while the card is in the reader. When the user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters the password multiple times, the card will lock once the limit for incorrect entries is reached.

On RHEL 7, an Active Directory user authenticated via smart card cannot log in again if the smart card is removed. This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342. This problem does not happen on RHEL 6. (Ref: CSSSUP-6914c)

Centrify Report Services

·          The SQL Server Availability Group feature in SQL Server 2012 is not supported. (Ref: CS-39674a)

5. Additional Information and Support

In addition to the documentation provided with this package and on the web, you can find answers to common questions, information about general or platform-specific known limitations, and tips and suggestions in the Centrify Knowledge Base.

The Centrify Resources web site provides access to a wide range of information, including analyst reports, best practice briefs, case studies, datasheets, ebooks and white papers, that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:

www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this software, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.