Centrify Identity Broker Service and Centrify Privilege Elevation Service 5.4.2 (2017.2) Release Notes

© 2004-2017 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.


Table of Contents

1.      About This Release. 2

2.      Feature Changes. 3

2.1.       Feature Changes in Centrify Identity Broker Service and Centrify Privilege Elevation Service 5.4.2 (2017.2) 4

General 4

Security Fix. 5

Centrify DirectControl Agent for *NIX.. 5

Centrify OpenLDAP Proxy. 6

Centrify Licensing Service. 7

Centrify Password Synchronization Extension. 7

Centrify Report Services. 7

Centrify Access Manager. 7

Centrify Access Module for PowerShell 8

Centrify adedit 8

2.2.       Feature Changes in DirectControl 5.4.1 (Suite 2017.1). 8

Security Fix. 8

General 8

Centrify DirectControl Agent for *NIX.. 9

Centrify Access Manager. 9

Centrify Report Services. 10

Centrify Access Module for PowerShell 10

Centrify adedit 10

3.      Bugs Fixed. 10

3.1.       Bugs Fixed in Centrify Identity Broker Service and Centrify Privilege Elevation Service 5.4.2 (2017.2) 10

Centrify DirectControl Agent for *NIX.. 10

Centrify OpenSSH.. 12

Centrify Access Manager. 12

Centrify Licensing Report. 12

Centrify Access Module for PowerShell 12

Centrify Group Policy Management. 12

Centrify Report Services. 13

Centrify Zone Provisioning Agent. 13

3.2.       Bugs Fixed in DirectControl 5.4.1 (Suite 2017.1). 13

Centrify DirectControl Agent for *NIX.. 13

Centrify Access Manager. 14

Centrify Report Services. 14

4.      Known Issues. 14

Centrify DirectControl Agent for *NIX.. 14

Smart Card. 16

Centrify Access Manager. 18

Centrify Access API for Windows. 18

Centrify Report Services. 18

5.      Additional Information and Support 19



1.     About This Release


Starting with this release (2017.2), Centrify Server Suite is renamed and is now a part of Centrify Infrastructure Services. It offers the following services:

§  Centrify Identity Broker Service

§  Centrify Privilege Elevation Service

§  Centrify Auditing & Monitoring Service.

The DirectControl Agent provides services for the Identity Broker Service and Privilege Elevation Service contained in the CentrifyDC packages. The DirectAudit Agent provides services for Auditing & Monitoring Service contained in the CentrifyDA packages.

Centrify Identity Broker Service and Centrify Privilege Elevation Service (part of Centrify Infrastructure Services) centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Infrastructure Services, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. Centrify Identity Broker Service, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on Legacy systems, separate identity from access management and delegate administration.  Centrify’s non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.

An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available online.

The Centrify Infrastructure Services related release notes and documents are available online at http://docs.centrify.com.

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391. (Ref: CS-40830)

2.     Feature Changes


For a list of the supported platforms by this release, refer to the “Supported Platforms” section in the Centrify Infrastructure Services release notes.

For a list of platforms that Centrify will remove support in upcoming releases, refer to the “Notice of Termination Support” section in the Centrify Infrastructure Services release notes.

For a complete list of platforms in all currently supported DirectControl Agent releases, refer to the “Centrify Infrastructure Services” section in the document available from www.centrify.com/platforms.

2.1.          Feature Changes in Centrify Identity Broker Service and Centrify Privilege Elevation Service 5.4.2 (2017.2)



·          Open Source component upgrade

o    Centrify PuTTY 5.4.2 is upgraded based on stock PuTTY 0.69. (Ref: CS-42664, CS-42839)

§  This includes security fixes for CVE-2016-6167 and CVE-2017-6542.

o    Centrify libcurl is upgraded based on stock cURL 7.54.0. (Ref: CS-42841, CS-42945)

§  This includes security fixes for CVE-2017-7407 and CVE-2017-7468.

o    Centrify dzdo is upgraded based on stock sudo 1.8.20p2. (Ref: CS-43244)

§  This includes security fixes for CVE-2017-1000367.

·          Product packaging changes

o    Due to the product name change described above, install.sh now uses the new product component names. Please check your scripts if you parse its outputs. (Ref: CS-43410, CS-43713)

o    As all user documents are now posted on the internet, http://docs.centrify.com , user documents are excluded from software bundles. You may download or search for the latest user documents on the internet instead. (Ref: CS-42848)

o    Starting with this release, we only support 64-bit architecture on the following platforms. Please note the corresponding packaging changes:

§  Solaris Sparc, Debian, RHEL, and SUSE platforms - The Centrify DirectControl package set and its add-on packages (nis and ldapproxy) are changed to 64-bit. The package still provides PAM and NSS 32-bit libraries to work with 32-bit programs. (Ref: CS-42816, CS-43158, CS-43306)

§  Linux PowerPC platforms - The names of Centrify DirectControl and its add-on packages (nis and ldapproxy) are changed, from *-ppc.rpm to *-ppc64.rpm, as we are now only support 64-bit OS on all Linux PowerPC platforms. The package still provides PAM and NSS 32-bit libraries to work with 32-bit programs. (Ref: CS-43228)

·          This release of Centrify DirectControl Agent for *NIX will work with the latest released Centrify for DB2, Centrify for Samba and Centrify for SAP Netweaver ABAP SSO. However, it does not work with any Centrify DirectSecure Agent for *NIX prior to release 2017.2. (Ref: CS-42573, CS-43528, CS-43932)

Security Fix


·          The security of the local inter-process communication protocol (LRPC2) has been enhanced by adding a signature to all messages (message signing). This enhancement is controlled by a new configuration parameter "lrpc2.message.signing". Please see Configuration Parameter section below for details. (Ref: CS-42573)

Centrify DirectControl Agent for *NIX


·          A new capability is added in certgp.pl to allow users to explicitly include/exclude some certificates. This feature is controlled by two new configuration parameters, gp.mappers.certgp.pl.additional.cafiles, and gp.mappers.certgp.pl.exclude.cacerts. (Ref: CS-43132)

Configuration Parameters

The following parameters are added in centrifydc.conf:

-    aix.cache.extended.attr.enable: This parameter specifies whether to enable caching of the default values of AIX extended attributes or not. The default is false. (Ref: CS-43082)

-    gp.mappers.certgp.pl.additional.cafiles: This parameter defines a list of certificate(s) to be included in certgp.pl. It can be a list of certificate file(s), e.g. "newcert.der", or a file which contains the list of certificate file(s), e.g. "file:/etc/centrifydc/certfile_included.list", to be included. The default is empty. (Ref: CS-42988)

-    gp.mappers.certgp.pl.exclude.cacerts: This parameter defines certificate(s) to be excluded in certgp.pl. It can be one or more fingerprint(s) of certificate(s), e.g. "F3D79384E55767A9681D0104FFF22C8980EAD06E", or a file which contains the list of fingerprint(s) of certificate(s), e.g. "file:/etc/centrifydc/fingerprint_excluded.list", to be excluded. The default is empty. (Ref: CS-42988)

-    krb5.sso.ignore.k5login: This parameter specifies whether adclient k5login module should ignore .k5login for SSO. The default is false. (Ref: CS-42140)

-    krb5.unique.cache.files: This parameter specifies whether a unique Kerberos ticket cache file is used for each login even from the same user. If this parameter is set to true, each Kerberos authentication will generate a different ticket cache file for a given user. If it is set to false, it may leave the second login instance without credential cache because the only cache file may have been cleaned up by the first logout. The default on Mac OS is set to false; otherwise it is set to true. (Ref: CS-42971)

-    lam.attributes.group.ignore: This parameter points to a file which contains a list of AIX group attributes that the LAM module should ignore and let AIX provide the default value or return ENOATTR. The default is "file:/etc/centrifydc/attributes.group.ignore". (Ref: CS-43082)

-    lam.attributes.user.ignore: This parameter points to a file which contains a list of AIX user attributes that the LAM module should ignore and let AIX provide the default value or return ENOATTR. The default is "file:/etc/centrifydc/attributes.user.ignore". (Ref: CS-43082)

-    lrpc2.message.signing: This parameter defines the LRPC2 message signing behavior. The value can be "disabled" – do not do LRPC2 message signing, "allowed" – do LRPC2 message signing if the peer allows or requires it, and "required" – must do LRPC2 message signing. The default is disabled. (Ref: CS-42573)

Please note that after you have upgraded to the 2017.2 version, if you set this parameter to "required", you will need to re-start the system.

The following parameters are updated in centrifydc.conf:

-    mac.protected.keychain.lock.inactivity: This configuration parameter locks the protected keychain when the Mac is idle for the specified number of minutes. Once enabled, this parameter takes effect at the next user login. Note: This parameter only works if "mac.protected.keychain.enable" is set to true. Leaving this unset will leave the corresponding keychain setting unchanged. The default is unset. (Ref: CC-46979)

-    mac.protected.keychain.lock.when.sleeping: This configuration parameter locks the protected keychain when the Mac sleeps. Once enabled, this parameter takes effect at the next user login. Note: This parameter only works if "mac.protected.keychain.enable" is set to true. Leaving this unset will leave the corresponding keychain setting unchanged. The default is unset. (Ref: CC-46979)

The following parameters are removed from centrifydc.conf:

-    logger.facility.adclient.audit: This parameter has been deprecated by logger.facility.adclient and is now removed. (Ref: CS-43032)

Please refer to the manual, Configuration and Tuning Reference Guide, for details.

Centrify OpenLDAP Proxy


·          A new configuration parameter, ldapproxy.cdctranslate.fetchbydnuid, is added in slapd.conf. This parameter controls if a search query for generic Active Directory user/group objects should be translated automatically into a search query for zone user/group instead. The default is false. (Ref: CS-42084)


The translation will take effect if this parameter is set to true, and the following 3 conditions are met in the search request:

1)  Search base: the first part of dn is "uid=<unixname>",

2)  Search scope: base (0)

3)  Search filter: (objectClass=*)

Centrify Licensing Service


·          The deprecated license key management (add/remove) function in Access Manager, Audit Manager, and Licensing Report is now removed. Please use the Centrify Licensing Service Control Panel to do license management for all components.

Note: Centrify Licensing Service needs to have access to a working Global Catalog (GC) for license management feature to function properly. (Ref: CS-40967, CS-40968, CS-43318)

Centrify Password Synchronization Extension


·          Password Synchronization now supports SHA-256 and SHA-512 hashes. SHA-256 hashes starting with "$5$" are generated using crypt(3)-SHA256 algorithm method and SHA-512 hashes starting with "$6$" are generated using crypt(3)-SHA512 algorithm method. SHA-256 and SHA-512 hashes can be controlled using registry setting (Registry Key: HKLM/Software/Centrify/EncryptionType, Type: REG_DWORD). The value of the registry key defines which algorithm is used - '1': MD5 hash; '2': SHA-256 hash; '3': SHA-512 hash. (Ref: CS-40277)

Centrify Report Services


·          A more frequent synchronization schedule than once a day is supported. You may now set the interval up to every 1 hour. (Ref: CS-42600)

·          The ability to monitor zones in other domains is now supported. (Ref: CS-43083)

·          Multiple users per the entry, "member: ", in local group profile is supported. (Ref: CS-42951)

·          Report Services now supports using Managed Service Account (MSA) to retrieve information from Active Directory (AD). (Ref: CS-43176)

Centrify Access Manager


·          Access Manager now supports more than 1000 members in a local group. (Ref: CS-42949)

·          Access Manager and the ADUC Property Page Extension now support the ability to create a Centrify hierarchical zone without creating the corresponding zone_nis_servers group. You use registry setting to control the behavior. (Registry Key: HKEY_CURRENT_USER\Software\Centrify\CIMS, ValueName: NoNisServersGroup, Type: DWORD, Value - '1': do not generate zone_nis_servers group; '0' or unspecified: generate zone_nis_servers group.) (Ref: CS-43109)

Centrify Access Module for PowerShell


·          A new parameter, NoNisServersGroup, is added to the command, New-CdmZone, to allow user to create a hierarchical zone without generating the corresponding zone_nis_servers group. (Ref: CS-43110)

Centrify adedit


·          adedit now supports more than 256 characters in the "member" field setting of its "set_local_group_profile_field" function. (Ref: CS-42823)

2.2.          Feature Changes in DirectControl 5.4.1 (Suite 2017.1)

Security Fix

·         The zip files for all Windows components in this release as well as in all releases in Centrify Download Center will now unpack into clean folders that contain only the software installation package. This is to avoid potential DLL hijacking vulnerability. (Ref: CS-42388, CS-42826)

·         Sensitive data is encrypted in the local inter-process communication within Centrify *NIX components. (Ref: CS-42688)



·          Open Source component upgrade

o    Centrify OpenSSL 5.4.1 is upgraded based on stock OpenSSL 1.0.2k. (Ref: CS-42511)

§  This includes security fixes for CVE-2017-3731, CVE-2017-3732 and CVE-2016-7055.

o    Centrify OpenSSH 5.4.1 is upgraded based on stock OpenSSH 7.4p1. (Ref: CS-42390)

§  This includes security fixes for CVE-2016-10009, CVE-2016-10010, CVE-2016-10011 and CVE-2016-10012.

§  This release removes server support for the SSH v.1 protocol.

o    Centrify libcurl is upgraded based on stock curl 7.53.1. (Ref: CS-42667)

§  This includes security fixes for CVE-2017-2629, CVE-2016-9594, CVE-2016-9586, CVE-2016-9952 and CVE-2016-9953. (Ref: CS-42663)

Centrify DirectControl Agent for *NIX


·          By default, the Multi-Factor Authentication (MFA) feature now verifies the Centrify Identity Platform server certificate as per HTTPS protocol.  The root CA bundle may not be present in some Unix operating systems, or may not have unexpired certificates for the certificate issues.  If you encounter SSL errors in MFA operations, you need to update the root certificate authorities (CA) bundle for your *nix agents.   Optionally, you can disable HTTPS server validation by setting the parameter adclient.cloud.skip.cert.verification to true.   Also, you can specify an alternate root certificate authorities (CA) bundle using the adclient.cloud.cert.store parameter.  (Ref: CS-39870, CS-42742)

·          For users who require infinite credential renewal (as specified in krb5.cache.infinite.renewal.batch.users and krb5.cache.infinite.renewal.batch.groups), if the user's keytab /var/centrifydc/renewal/keytab_<uid> is available, we will do initial Kerberos cache acquisition in addition to renewal. (Ref: CS-42378)

Configuration Parameters

centrifydc.conf has been updated to add the following parameters:

-    adclient.cloud.cert.store: This parameter specifies the root CA bundle that adclient uses to verify the server certificate presented by Centrify Identity Platform. When it is not set, adclient uses the root CA bundle that openssl uses. When it is set, adclient uses the specified CA bundle instead. Please ensure the file is valid and the store is updated with the required certificates. The default is not set. This parameter is effective only when the parameter adclient.cloud.skip.cert.verification is set to false. (Ref: CS-42742)

-    adclient.cloud.skip.cert.verification: Centrify MFA support in DirectControl requires the use of HTTPS protocol to communicate with Centrify Identity Platform.   Starting in Suite 2017.1, the *nix agent verifies that certificate presented by Centrify Identity Platform as a security feature specified in HTTPS protocol.   This parameter specifies whether to bypass this validation step. The default is false (i.e., always verifies server certificate). (Ref: CS-42742)

-    krb5.conf.k5login.directory: This parameter specifies an alternative location for a user’s .k5login files. It has no default setting. If it is not set, the user’s .k5login file will be set as {%home_dir}/.k5login. For example, if it is set to <k5login_directory>, the user’s .k5login file will be set as <k5login_directory>/<user’s unixname>. (Ref: CS-40289)

Centrify Access Manager


·          Role assignment supports a description field in hierarchical zones and the corresponding support is now added to Access Manager and Report Services in this release. (Ref: CS-38603, CS-38741)

·          DirectControl now allows customers to store their own information as custom attributes in role definition, role assignment and computer role definition. This capability has been added in Access Manager, Report Services, Access Module for PowerShell, DirectControl SDK and adedit command module.

Note: This new feature only applies to hierarchical zones. (Ref: CS-42598, CS-42670, CS-42687, CS-42746, CS-42752, CS-42751, CS-42750, CS-42842)

Centrify Report Services


·          Report Services now supports the description field of a role assignment in a hierarchical zone in various report views. (Ref: CS-38741)

·          Report Services now supports the newly added custom attribute in role definition, role assignment and computer role in a hierarchical zone in various report views. (Ref: CS-42842, CS-42598)

·          Additional performance optimization is applied to Login Summary Report in this release. (Ref: CS-42720)

Centrify Access Module for PowerShell


·          Added a new property, CustomAttributes, to New-CdmRole, Set-CdmRole, New-CdmRoleAssignment, Set-CdmRoleAssignment, New-CdmComputerRole and Set-CdmComputerRole to allow users to manage this record per their needs. (Ref: CS-42750)

Centrify adedit


·          adedit now supports a new "customattr" field for role assignment, role and computer role in a hierarchical zone. (Ref: CS-42751)

3.     Bugs Fixed

3.1.          Bugs Fixed in Centrify Identity Broker Service and Centrify Privilege Elevation Service 5.4.2 (2017.2)

Centrify DirectControl Agent for *NIX


·          Cross-forest authentication with preferred login domains is now supported. (Ref: CS-43231)

·          adauto.pl now supports asynchronous reload and handling of empty map. (Ref: CS-43246)

·          The adjoin command still synchronizes time with the domain controller even when the property, adclient.sntp.enabled, is set to false in centrifydc.conf. It is now fixed. (Ref: CS-43229)

·          The DirectControl agent daemon, adclient, now checks for uid/uname conflict with multiple UNIX profiles and rejects the conflicting profiles. Preference is given to the profile defined closer to the joined zone. (Ref: CS-39720)

·          Fixed a bug that requires restarting adclient due to mismatched encryption type, after migrating Domain Functional Level from Windows 2003 to Windows 2008. (Ref: CS-43207)

·          Fixed a bug that incorrectly causes an error message "ERROR <bg:krb5.conf> daemon.main update /etc/krb5.conf failed with error...Krb5 Config file update: Cannot find KDC for requested realm" when Global Catalog (GC) is blocked. (Ref: CS-42760)

·          Fixed a bug in the Kerberos library specific to encryption types RC4 and DES, which are the default encryption types used in Windows Server 2003 Domain Functional Level. The symptom is a failure in fetching certificates from CA, resulting in a warning message: “… certificate request failed on CA … - Attempt to access past end of buffer”. (Ref: CS-43718)

·          Fixed a bug that incorrectly generates a warning message "… WARN <fd:## PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user xxxxx: stat ccache:No credentials cache found" during logout if the user logged in via a trusted SSH connection. (Ref: CS-43650)

·          Fixed a bug on AIX WPAR zone that dzdo will fail and falsely complain “no tty present and no askpass program specified”. (Ref: CS-43766)

·          Fixed a bug that centrifydc.conf is incorrectly truncated when a machine’s disk is full. (Ref: CS-40844)

·          On Linux platforms, fixed an issue in PAM module that running the command su from root to non-root user does not create home directory. (Ref: CS-42878)

·          Fixed a bug on AIX that limits the login user name to only 8 characters. Now it follows the login_max setting in sysconf. (Ref: CS-42713)

·          Packaging fixes

o    Some RPM packages for the Centrify DirectControl Agent for *NIX, such as CentrifyDC-openldap and CentrifyDC-openssl, no longer advertise libraries that are for Centrify internal use. (Ref: CS-43257)

o    Fixed several bugs that cause the rpmlint command to report "file-not-utf8", "postin-without-ldconfg" and "postun-without-ldconfig" errors. (Ref: CS-43279, CS-43283)

o    Fixed a bug in the RPM specification files that causes the check in Oracle Linux or Red Hat Enterprise Linux Security Technical Implementation Guide (STIG) to falsely complain that executables got modified. (Ref: CS-43636)

o    Fixed a bug that causes upgrading with install.sh from v5.4.0 to v5.4.1 to fail due to the file ownership issue. (Ref: CS-43517)

o    Fixed the open source package license statements and stripped the libraries in RPM packages. (Ref: CS-43310, CS-43311)

Centrify OpenSSH


·          Fixed a bug on Red Hat that the SSH daemon does not properly support SELinux. Centrify OpenSSH is now updated based on Fedora patch: openssh-7.4p1-4 + 0.10.3-1 (Ref: CS-43254)

Centrify Access Manager


·          The following limitations are fixed (Ref: CS-43402):

o    The Members node under Computer Role node can only show at most 1500 members of computer role.

o    At most 1499 members will be preserved while deleting any member from it. It is now fixed.

Centrify Licensing Report


·          The previous versions of Licensing Report will fail to send reports to Centrify with the error message, "Unable to send report to Centrify Support Portal because the server is not available for this request.", because the receiving end does not allow TLS v1.0 anymore. This is now fixed in release 2017.2 by enabling TLS v1.1/1.2 by default. Note: you now need to upgrade to Centrify Licensing Report 2017.2 v5.4.2 to send report to Centrify. (Ref: CS-43850)

Centrify Access Module for PowerShell


·          The command to create/update local group profile, New-CdmLocalGroupProfile and Set-CdmLocalGroupProfile, may not work well if there are more than 1000 members in a local group. It is now fixed. (Ref: CS-42950)

·          The command to create match-criteria, New-CdmMatchCriteria, always set the boolean field, -IsArgumentExactMatch, to true if any Argument parameter is passed into the command and there is no way to reset it back to false. It is now fixed. The new behavior is that it defaults to false unless set to true by the user. (Ref: CS-43552)

Centrify Group Policy Management


·          The group policy, Copy Files, cannot load all trusted domains in one forest for the source file. It is now fixed. (Ref: CS-35765)

Centrify Report Services


·          When Report Services is configured to Domain mode, the report data of deleted domains cannot be cleaned up if Microsoft Distributed Transaction Coordinator (MSDTC) is turned off in the machines running Report Services or Report database. It is now fixed. (Ref: CS-43130)

·          The synchronization logic is revised to avoid unnecessary consecutive update cycles for background job. If an interactive force update request is made while another update is in progress, users will be prompted to choose "yes" to abort the running update, "no" to wait for completion, or "cancel" to abandon the force update request. (Ref: CS-43350)

Centrify Zone Provisioning Agent


·          The commands, CopyGroup and CopyGroupNested, may fail due to Active Directory replication delay. It is now fixed. The CopyGroup and CopyGroupNested tools now also support specifying the domain controller to use. (Ref: CS-42590)

3.2.          Bugs Fixed in DirectControl 5.4.1 (Suite 2017.1)

Centrify DirectControl Agent for *NIX


·          If a user was previously locked out in connected mode due to maximum password attempts, he is not allowed to login in disconnected mode even after the lockout duration has passed. This is now fixed. (Ref: CS-42236)

·          The agent may fail to start in FIPS enabled mode when the configuration parameter, adclient.krb5.keytab.clean.nonfips.enctypes, is set to true. This is now fixed. (Ref: CS-42970)

·          Fixed an issue that even though the agent updates the users' and services accounts' Kerberos ccache at regular interval, the Kerberos ccache still expires before the next renewal cycle. (Ref: CS-42995)

·          If a value specified in the Windows hostname-to-kerberos realm mappings Group Policy setting contains extra whitespace after the multi-value separator, it could cause duplicated entries in the domain realm section in the krb5.conf. This is now fixed. (Ref: CS-42537)

·          Password expiration for one-way trust user will now be based on the Kerberos ticket upon user first login. If the Kerberos ticket is not available, it is computed using the joined domain's password expiration policy.  (Ref: CS-42658)

·          The following feature fix in DirectControl agent 5.3.1 (Suite 2016.1) February 2017 Update is also in DirectControl agent 5.4.1 (Suite 2017.1):

o    DirectControl agent can now authenticate one-way trust users when only KDC and Kpasswd ports are opened in user domain's domain controller. Note: this fix is NOT in DirectControl agent 5.4.0 (Suite 2017). (Ref: CS-42509, CS-42516)

Centrify Access Manager


·          A new predefined application right, Centrify Utility - Network Manager, is introduced in Access Manager to grant access to run Network Manager. (Ref: CS-42674)

·          Access Manager may generate a warning message "Failed to resolve assembly ..." in the console log. This warning message does not affect the operations of the Access Manager console. It is now fixed. (Ref: CS-40909)

·          Zone loading may be slow in an environment where the response of Global Catalog is slow. The performance is enhanced in this release by caching and optimizing Global Catalog accesses. (Ref: CS-42711)

Centrify Report Services


·          Fixed a bug that caused an unexpected error while running Report Services Configuration Wizard on a machine with Windows 10 version 1703. Note: If you are using Windows 10 version 1703, Centrify recommends you to use Task Manager to verify that the process Centrify.Report.TempService is not running, and terminate such process before upgrading Centrify Report Services. (Ref: CS-43004)

4.     Known Issues


The following sections describe common known issues or limitations associated with this Centrify Infrastructure Services release.


For the most up to date list of known issues, please login to the Customer Support Portal at http://www.centrify.com/support and refer to Knowledge Base articles for any known issues with the release.

Centrify DirectControl Agent for *NIX


·          Known issues with Multi-Factor Authentication (MFA)

If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, all AD users will be required for MFA. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)

·          Known issues with AIX


On AIX, upgrading DirectControl agent from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after upgrade. It's recommended not to upgrade DirectControl agent in disconnected mode. (Ref: CS-30494a)


Some versions of AIX cannot handle user name longer than eight characters. As a preventive measure, we have added a new test case in the adcheck command to check if the parameter LOGIN_NAME_MAX is set to 9. If yes, adcheck will show a warning so that users can be aware of it. (Ref: CS-30789a)


·          Known issues with Fedora 19 and above (Ref: CS-31549a, CS-31730a)


There are several potential issues on Fedora 19 and above:

1)    The adcheck command will fail if the machine does not have Perl installed.

2)    Group Policy will not be fully functional unless Text/ParseWords.pm is installed.


·         Known issues with RedHat

When logging into a RedHat system using an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which will result in unpredictable login behavior. The workaround is to remove the conflict or login with a different AD user. (Ref: CS-28940a, CS-28941a)

·          Known issues with rsh / rlogin (Ref: IN-90001)


-    When using rsh or rlogin to access a computer that has DirectControl agent installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.


·          Known issues with compatibility 


Using DirectControl 4.x agents with Access Manager 5.x (Ref: IN-90001)


-    DirectControl 4.x agents can join classic zones created by Access Manager 5.x. It will ostensibly be able to join a DirectControl 4.x agent to a hierarchical zone as well, but this causes failure later as such behavior is undefined.


Default zone not used in DirectControl 5.x (Ref: IN-90001)


-    In DirectControl 4.x, and earlier, there was a concept of the default zone. When Access Manager was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone would be used.


-    This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.


-    A zone called "default" may be created, and default zones created in earlier versions of Access Manager may be used, but the name must be explicitly used.


Smart Card


·          There is a Red Hat Linux desktop selection issue found in RHEL 7 with smart card login.  When login with smart card, if both GNOME and KDE desktops are installed, user can only log into GNOME desktop even though "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)


·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smartcard is inserted on the login screen, a PIN prompt may not show up until you hit the "Enter" key. The workaround is to replace libsoftokn3.so with the old one on RHEL 5.9, which is a shared object file in NSS package. (Ref: CS-35038a)


·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen will be locked several seconds after login with smart card. The workaround is to replace libsoftokn3.so with the old one on RHEL 5.9, which is a shared object file in NSS package. (Ref: CS-33871a)


·          When a SmartCard user attempts to login on Red Hat 6.0 with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: CS-28305a)


·          On RedHat, any SmartCard user will get a PIN prompt even if he's not zoned, even though the login attempt will ultimately fail. This is a divergence from Mac behavior - On Mac, if a SmartCard user is not zoned, Mac doesn't even prompt the user for PIN. (Ref: CS-33175c)


·          If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using their expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and Password logins while using a Smart Card. (Ref: CS-28926a)


·          In order to login successfully in disconnected mode (Ref: CS-29111a):

o    For a password user:

§  A password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other DirectControl agent for *NIX behavior)

o    For a SmartCard user:

§  The above is not true of SmartCard login. Given a properly configured RedHat system with valid certificate trust chain and CRL set up, a SmartCard user may successfully login using disconnected mode even without prior successful logins in connected mode.

§  If certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.

§  If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.


·          After upgrading from DirectControl version 5.0.4 to version 5.1, a Smartcard user may not be able to login successfully. The workaround is to run the following CLI commands:


sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*


then run adgpupdate. (Ref: CS-30025c)


·          When CRL check is set via Group Policy and attempting to authenticate via Smartcard, authentication may fail. The workaround is to wait until the Group Policy Update interval has occurred and try again or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)


·          After upgrading from DirectControl agent Version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to perform the following CLI command sequence:


sctool -d

sctool -e

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*"



and then re-login using the SmartCard and PIN. (Ref: CS-30353c)


·          A name-mapping user can unlock screen with password even though the previous login was with PIN. (Ref: CS-31364b)


·          Need to input PIN twice to login using CAC card with PIN on RedHat. It will fail on the first input but succeed on the second one. (Ref: CS-30551c)


·          Running “sctool –D” with normal user will provide wrong CRL check result. The work-around is to run it as root. (Ref: CS-31357b)

·          Screen saver shows password not PIN prompt (Ref: CS-31559a)


Most smart card users can log on with a smart card and PIN only and cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this set up works seamlessly: the user either enters a user name and password at the log on prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card will lock once the limit for incorrect entries is reached.

On RHEL 7, an authenticated Active Directory user via smart card cannot login again if the smart card is removed.   This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342.  This problem does not happen on RHEL6. (Ref: CSSSUP-6914c)

Centrify Access Manager


·          Access Manager cannot successfully finish the Identity Platform connection test in an environment where TLS 1.0 is not allowed. This is because by default, .NET 4.5 does not communicate via TLS 1.2. In an environment where TLS 1.0 is not allowed, a registry key can be set to force the use of TLS 1.2 on all .NET application when available with the following setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]"SchUseStrongCrypto"=dword:00000001. After setting the key, reopen the Access Manager console and run Identity Platform connection test again. (Ref: CS-43951)

Centrify Access API for Windows


·          The default install path of Centrify Access API for Windows has been changed to "C:\Program Files\Centrify\Access API for Windows\" in Centrify Identity Broker Service 5.4.2. Please update the path in the script accordingly before running any PowerShell sample script, or else it will fail. (Ref: CS-43896)

Centrify Report Services


·          The SQL Server Availability Group feature in SQL Server 2012 is not supported. (Ref: CS-39674a)

5.     Additional Information and Support


In addition to the documentation provided with this package and on the web, you can find the answers to common questions and information about any general or platform-specific known limitations as well as tips and suggestions from the Centrify Knowledge Base.


The Centrify Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:


You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Infrastructure Services, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.