Centrify Infrastructure Services 2017.3 Agent for Windows 3.4.3 Release Notes

© 2007-2017 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.


1.  About Centrify Agent for Windows 1

2. Supported Platforms and System Requirements 1

3.  Feature Changes 1

3.1 Feature Changes in Agent for Windows 3.4.3 (Suite 2017.3) 1

3.1.1 Centrify Agent for Windows – Access 1

3.2.2 Centrify Agent for Windows – Audit 1

3.2 Feature Changes in Agent for Windows 3.4.2 (Suite 2017.2) 1

3.2.1 Centrify Agent for Windows – Access 1

4. Bugs Fixed 1

4.1 Bugs Fixed in Agent for Windows 3.4.3 (Suite 2017.3) 1

4.1.1 Centrify Agent for Windows – Access 1

4.2 Bugs Fixed in Agent for Windows 3.4.2 (Suite 2017.2) 1

4.2.1 Centrify Agent for Windows – Access 1

5. Known Issues 1

5.1 Installation and Uninstall 1

5.2 Centrify Agent for Windows - Audit 1

5.3 Centrify Agent for Windows - Access 1

5.3.1 Configuration 1

5.3.2 Environment 1

5.3.3 RunAsRole 1

5.3.4 Desktop with Elevated Privileges 1

5.3.5 Roles and Rights 1

5.3.6 Compatibility with 3rd Party Products 1

5.3.7 Application Manager 1

5.3.8 Network Manager 1

6. Additional information and support 1


1.  About Centrify Agent for Windows

The Centrify Agent for Windows package contains software to support auditing, access control, and privilege management on Windows computers. The Audit and Access features can be installed together or separately on the Windows computers you want to manage.

For auditing, the Centrify Agent for Windows requires the Centrify Auditing & Monitoring Service feature set, which is available in Centrify Infrastructure Services. Centrify Auditing & Monitoring Service enables detailed auditing of user activity on a wide range of UNIX, Linux and Windows computers. With Centrify Auditing & Monitoring Service, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, and improve regulatory compliance and accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Agent for Windows records user activity on the Windows computer when it is installed.

For access control and privilege management, the Centrify Agent for Windows requires the Centrify Identity Broker Service and Centrify Privilege Elevation Service feature sets, which are available in Centrify Infrastructure Services. With Centrify Agent for Windows requires the Centrify Identity Broker Service and Centrify Privilege Elevation Service, you can configure and manage role-based access controls for Windows servers. The Centrify Agent for Windows extends the access control and privilege management features available for Linux and UNIX computers, so that you can use a single console to manage multiple platforms. You can deploy the Centrify Agent for Windows in a Windows-only environment or as part of a mixed environment that includes Windows, Linux, and UNIX computers.

You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575).

2. Supported Platforms and System Requirements

For the list of the supported platforms by this release, refer to the “Supported Platforms” section in the Centrify Infrastructure Services release notes.

For the platforms to be removed support in coming releases, refer to the “Notice of Termination Support” section in the Centrify Infrastructure Services release notes.

For a complete list of supported platforms in all releases, refer to the Cumulative Supported Platforms.

3.  Feature Changes

3.1 Feature Changes in Agent for Windows 3.4.3 (Suite 2017.3)

3.1.1 Centrify Agent for Windows – Access

·         Offline MFA mode will no longer be triggered during logon to the computer once the agent has successfully connected to the Cloud. The logon will fail if the cloud fails to authenticate the user, the user is not allowed to perform the MFA logon or the user is not assigned to any profile in the portal. (Ref: CS-44839, CS-44694)

·         The Centrify group policy "Specify a web proxy URL" now supports the disable feature so the agent will not use any proxy server url setting. (Ref: CS-44391)

·         Added self-service capability for a user to reset his password. This Self-Service Password Reset functionality works provided the Windows system has internet connectivity. (Ref: CS-43385, CS-44053)

·         Starting with this release of Centrify Agent, we support Mobile Device Management (MDM) on Windows 10. When the agent is enabled with the Centrify Identity Services Platform, an admin users can perform MDM enrollment on this device with Centrify Identity Services Platform through context menus in the Centrify system tray icon. (Ref: CS-43925)

·         Added a new command-line interface utility "dzleave" for leaving a machine's current zone. A machine restart is required for the agent feature to be fully disabled after leaving a zone. (Ref: CS-43874)

·         Added Analytics Audit Trail data to MFA Success/Failure events. In addition, MFA success/failure events are now one per MFA Session. In previous versions, DA Session ID was always displayed as "N/A". With this release, DA Session ID will display the correct value. (Ref: CS-44034)

·         The Login and Privilege Elevation profiles in previous "Settings>Authentication>Server and Workstation" tab in the Centrify Admin Portal are now regrouped under "Core Services>Login Policies" and "Core Services>Privilege Elevation Policies". Please note that not all the options are valid for MFA Login or Privilege Elevation. Here is the highlight (Ref: CS-43898):

o    If you have previously created custom profiles in the Admin Portal, the new Admin Portal UI will provide an auto generated policies set "Infrastructure Policy (Auto generated)".

o    However, some of the new options are supported only by 2017.3 agents, or 2017.2 agents (November 2017 update). For example, irrespective of the "Windows Workstation" setting, older agents will still use the "Unix and Windows Servers" policy even though the machine is a Workstation. Also, older agents do not support new options, such as "Device OS" and "Identity Cookie" in the authentication profiles for Login or Privilege Elevation.

·         Starting with this release, Audit-Trail event data is per MFA Session. If a user enters a two-level MFA Challenge and one of the challenge is incorrect, only one MFA Failure event is displayed. With previous releases, Audit-Trail event data (MFASuccess/MFAFailure) displayed were per challenge.  (Ref: CS-44435)

·         Offline passcode for multi-factor authentication is now supported on FIPS-enabled machines. (Ref: CS-44207)


3.2.2 Centrify Agent for Windows – Audit


3.2 Feature Changes in Agent for Windows 3.4.2 (Suite 2017.2)

3.2.1 Centrify Agent for Windows – Access

·         Starting with this release, Centrify Server Suite is renamed and is now a part of Centrify Infrastructure Services. It offers the following services:

• Centrify Identity Broker Service

• Centrify Privilege Elevation Service

• Centrify Auditing & Monitoring Service

·         Added support for configuring proxy and proxy credentials when joined to the zone. (Ref: CS-42992)

·         Added new Group Policy settings, Windows Settings\MFA Settings: "Configure multi-factor authentication lock screen grace period" and "Configure multi-factor authentication user privilege elevation grace period" to support a grace period for multi-factor authentication in lock screen and privilege elevation. (Ref: CS-41210)

·         Redesigned and migrated the Agent Control Panel into Centrify Agent Configuration as "Centrify Privilege Elevation Service Settings" and "Centrify Identity Services Platform Settings" dialogs. (Ref: CS-43149, CS-43150)

·         A new Centrify Agent Configuration Wizard is now launched at the end of installation to assist with configuring and enabling different Agent services and features. This Configuration Wizard can also be accessed in the Start Menu as "Agent Configuration". (Ref: CS-42830)

·         Added a new MFA diagnostics UI tool for troubleshooting MFA. (Ref: CS-43000)

·         In Agent Configuration, the Centrify Privilege Elevation Service will not be shown in the enabled service list and allowed service list when user is not a domain account. (Ref: CS-43403)

·         The group policy "Override a web proxy URL" has been deprecated and we now suggest using the new group policy "Specify a web proxy URL" instead. (Ref: CS-43694)

4. Bugs Fixed

4.1 Bugs Fixed in Agent for Windows 3.4.3 (Suite 2017.3)

4.1.1 Centrify Agent for Windows – Access

·         Fixed an issue where Centrify Agent for Windows would not verify the code signing certificate during Run with Privilege. If Publisher field is defined in Application right criteria, the fix will also check if the code signing certificate is properly trusted and the file has not been tampered with. (Ref: CS-43865)

·         Fixed an issue where, when a user joined a zone associated with a platform instance, enrollment to the platform instance will also occur. If enrollment failed, the user would not be able to use the MFA feature after joining a zone. (Ref: CS-43811)

·         Fixed an issue where for remote login, MFA login would fail if the user's local login had been denied. (Ref: CS-43784)

·         Fixed an Blue Screen of Death (BSOD) issue that could occur when a domain user would attempt to lock screen in Windows 10 version 1709. (Ref: CS-44446)

·         Fixed an issue where normal user could launch Agent Configuration when UAC is off which would result in multiple error prompts. (Ref: CS-43456, CS-43407)

·         Fixed an incompatibility issue in Centrify Agent for Windows which could cause some third party services, such as Microstrategy Intelligent Server, to fail to start. (Ref: CS-44512)

4.2 Bugs Fixed in Agent for Windows 3.4.2 (Suite 2017.2)

4.2.1 Centrify Agent for Windows – Access

·         Fixed an issue where a black log on screen could occur when the Windows log on screen had timed out when a MFA email challenge was unable to authenticate the user in time. (Ref: CS-42818)

·         Fixed an issue where high CPU usage of the agent could be observed if rescue rights were assigned to a local group containing an Active Directory (AD) group of many users. (Ref: CS-43166)

·         Fixed an issue where Network Manager could fail to update the IP settings of adapters whose name was a number. (Ref: CS-43052)

·         Fixed an issue where Network Manager would warn the user that all bits in the host address portion were set to 0 if the subnet was which would prevent the user from saving the IP settings. (Ref: CS-43089)

·         Fixed an issue where by default, .NET 4.5 would not communicate via TLS 1.2. Now, if available, TLS 1.2 will be used by default without additional system configuration and an older version of the protocol will be used if unavailable. (Ref: CS-43014)

·         Fixed an issue where MFA login would fail with cross forest users (B2B Tenant). (Ref: CS-43343)

·         Fixed a bug where attempting to launch SQL Server Management Studio as an admin AD user with Centrify Windows Agent - Access installed would fail. (Ref: CS-43124)

·         Fixed an issue where Network Manager would fail to update IPv4 DHCP enabled status if the adapter was unplugged from Ethernet or disconnected from Wi-Fi. (Ref: CS-43051)

5. Known Issues

5.1 Installation and Uninstall

·         Upgrading from the beta build to this version may result in offline MFA mode if there are multiple authentication servers registered in your AD forest. To resolve this, uninstall the beta build first and then install this new version. (Ref: CS-41915)

·         Upgrading Windows while the Agent is installed will result in a failure of the Windows upgrade. The workaround is to uninstall the agent before performing the upgrade or perform a fresh Windows install without keeping existing applications and settings. (Ref: CS-42200)

·         Currently the MFA login feature is not supported on Windows Server 2016 "Server Core" systems. This feature component will not be installed on Windows Server 2016 "Server Core" systems. (Ref: CS-42192, CS-42527)

·         The Centrify Common Component should be the last Centrify Server Suite component uninstalled. If the component is uninstalled before other component, it must be reinstalled by the uninstall process to complete its task. (Ref: 36226a)

·         If you intend to install the software on the desktop with elevated privilege, you should not check the “Run with UAC restrictions” option when creating the desktop. (Ref: 39725b)

·         When you double-click on the Centrify Agent for Windows msi and select the “repair” option, the existing files are replaced irrespective of their version number, even when they are identical.  As a result, a prompt to restart the system is displayed as files that were in use were replaced. However, if you use the Easy Installer to do the repair and a file on the disk has the same version as the file that is part of the installer package, the installed file will not be replaced. Therefore, there will not be any prompt to restart the system. (Ref: 26561a)

·         When the Centrify Agent for Windows is either installed or uninstalled and the prompt for a machine restart is deferred using the “restart later” option or ignored, other components of DirectManage may display errors due to an incomplete installation. A restart is mandatory if requested after install or uninstall operation. (Ref: 36307a)

·         Users may notice a few “Side by side” configuration errors in the Event Viewer after installing the Centrify Agent for Windows, if Microsoft KB945140 related components have been installed on the local machine previously. These errors will go away after you restart the computer and have no functional effect. (Ref: 35302a)

·         If you uninstall the Centrify Agent for Windows while the DirectAudit Agent Control Panel is open, files needed by the uninstall process may be blocked. You should close the DirectAudit Agent Control Panel for a successful conclusion to the uninstall process. (Ref: 25753a)

·         If you have installed the Access feature of Centrify Agent for Windows from Centrify Server Suite 2013 and are trying to upgrade the component to the latest version, you may see the following error during the installation process, “Service ‘DirectAuthorize Agent’ could not be installed. Verify that you have sufficient privileges to install system services.” If you see this error message, it typically indicates that the existing service is taking longer time to stop and hence the new service is not getting installed.  When you see this error, wait for some time (typically 30 seconds) and click on Retry button on the error message box. (Ref: 47270a)

·         Centrify Agent for Windows and its installer are built on .NET. Therefore, .NET is always installed as a pre-requisite before the agent is installed. If .NET is removed from the system later, Centrify Agent for Windows will not run properly. User will also experience problem when trying to remove Centrify Agent for Windows from the system. To properly uninstall Centrify Agent for Windows, please make sure Centrify Agent for Windows is uninstalled before .NET. (Ref: 39051a)

·         The list of rescue users is stored in different places in Suite 2013.3 (or previous releases) and Suite 2014 and this list is not automatically migrated to its new location when upgrading from Suite 2013.3 or a previous release to Suite 2014. Because of this, it’s highly recommended that Centrify Agent for Windows should not be upgraded in disconnected mode (i.e. when the system cannot connect to the Active Directory). If a system is upgraded in disconnected mode, the list of rescue users will be lost and only local administrators will be able to login to the system after reboot. (Ref: 57622a)

·         If you install Access feature of Centrify Agent for Windows without installing the Audit feature, the registry key value for HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\AuditTrail\AuditTrailTargets is set to zero as expected, which means the audit trail is not sent to DirectAudit Audit Store database. However, if you try to change the installed features list of Centrify Agent for Windows and add the Audit feature later, the change process does not automatically set the AuditTrailTargets value to the expected new value of 1, which means to send audit trail data to DirectAudit Audit Store database.  This is a known issue and workaround is to set this value manually to 1 after the installer finishes the process of adding new feature. (Ref: 59353b)

·         If you have installed the Access feature of Centrify Agent for Windows from earlier version and then upgraded the component to the latest version while the Agent for Windows is not currently connected to any Active Directory domain controller, only users who have been assigned a role with rescue rights will be able to log on to the computer until the connection to Active Directory is restored. (Ref: 58858b)

5.2 Centrify Agent for Windows - Audit

·         When a user disconnects and then later reconnects to an existing user session from a switch user operation, a successful logon audit trail message will not be logged after the user has reconnected to the session though authentication. This does not apply when the user is performing lock and unlock operations or the logon method is different from the previous login (remote vs. console logon). (Ref: CS-41453)

·         There will be no audit trail event generated when a user fails to login and unlock a computer on Windows Server 2008 R2 and Windows 7. (Ref: CS-41455)

·         The offline data location (and subdirectories below it) is expected to be a location dedicated to spooling, for example c:\spool. If the offline data location is changed, all files in the old location (including subdirectories and their contents) are moved to the new location. This may cause problems if the old location was not exclusively for spooling use. For example, choosing c:\ as the original spool location and d:\spool as the new location would cause all files on the c:\ drive to be copied to d:\spool. (Ref: 26592a)

·         The optional video capture feature requires both the Collector and the DirectAudit Agent to use 2013.2 or later. If any of collectors or agents are running an older version, video data may still be recorded even though you have turned it off in Suite 2013 Update 2 Audit Manager. (Ref: 44064a)

·         If Centrify Agent for Windows is auditing a Windows 8 or Windows 2012 system, the Indexed Event List of the corresponding audited session will not show any events for the applications that are using the Metro User Interface. The Metro UI is not supported. (Ref: 56556b)

·         Upon making changes to Group Policy “Centrify Audit Trail Setting” > “Centrify Common Setting” > “Send audit trail to log file”, it would require reboot of the client computer (agent) for this setting to be effective despite the Group Policy has already been refreshed on the client computer. (Ref: 73368b)

·         Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the DirectAudit software has not completed its setup. (Ref: 26286a)

5.3 Centrify Agent for Windows - Access

5.3.1 Configuration

·         When installed on a machine with the Centrify client agent, certain Windows device management software (e.g. SCCM client) will set the "ManagedExternally" flag, signaling the MDM agent that the device is managed externally and is not to be registered with a MDM service. In this case, Centrify will not be able to MDM manage the Windows device. (Ref: CS-44549)

·         In a cross-forest environment, forest A user cannot enroll a device joined to forest B when forest A does not have a connector. (Ref: CS-44805)

·         During Agent Configuration > "Add Services" > "Centrify Identity Services Platform" in a cross-forest environment, forest B user will not be able to correctly detect the currently available tenant(s) for a machine joined to forest A. (Ref: CS-44811)

·         The Zero Sign On (ZSO) feature is only effective when tenant has activated "External CA Certificate Feature" in current Cloud release. (Ref: CS-44461)

·         On Windows 7 and Windows Server 2008 R2, the logon screen will always show the same user as the last logged-on user no matter who logged onto the machine before. (Ref: CS-44563)

·         Some Windows device management software (e.g. SCCM client) will set the ManagedExternally flag that indicates to the MDM agent that the device is managed externally and is not to be registered with an MDM service. When that software is installed on the client agent, Centrify will be unable to MDM manage the Windows device. (Ref: CS-44549)

·         Enrolling your device (MDM) will fail the enrollment process when providing only alternative administration privilege. To successfully enroll, the account should have local administration privilege. (Ref: CS-44511)

·         When a machine that has MFA for Windows login enabled is reconfigured to connect to a different forest, the previous setting for the authentication server may no longer be valid. However, if there are Group Policy login settings applied to the machine in the new forest, the new settings will be enabled when the Group Policy Editor refreshes. (Ref: CS-41928)

·         In Windows 2016 RTM Std edition, during the login process, selecting SMS for MFA and clicking “Commit” button will be intermittently unresponsive. (Ref: CS-41699)

·         It can take a long time for users in offline mode to be re-prompted for their passcode.

In the event that the Agent cannot connect to the Centrify Authentication Server, and a user is required to enter an offline passcode, it can take up to several minutes for the agent to re-prompt for the passcode if the user enters it incorrectly. If the user tries to cancel login by pressing "back" or by switching the user, the login screen may become unresponsive. This time lag between an incorrect passcode and the re-prompt can also occur when a user incorrectly enters their offline passcode for privilege elevation. (Ref: CS-41302)

·         Administrator should always leave the zone before joining the computer to a different domain.  Otherwise, DirectAuthorize may not function correctly after the computer is joined to a different domain. (Ref: 54278b)

·         In some large environment with multiple domain controllers, it may take up to one minute for the new zone setting in Centrify Agent Configuration to take effect. (Ref: 58128b)

·         If one of the Global Catalog servers is unavailable, user may not be able to configure the zone for Centrify Agent for Windows. (Ref: 58621b)

·         Microsoft normally automatically distributes and installs root certificates to the Windows system from trusted Certificate Authorities (CA) and users are seamlessly able to use a secure connection by trusting a certificate chain issued from the trusted CA. However, this mechanism may fail if the system is in a disconnected environment where access to Windows Update is blocked or this feature of automatic root certificate installation is disabled. Without updates on the certificate trust list (CTL), the default CTLs on the system may not be adequate for secure connections of Centrify multi-factor authentication especially for older versions of Windows such as Windows 7 and Windows Server 2008 R2. To ensure the success of Centrify multi-factor authentication, user may need manually distribute and install the latest CTLs and the required root certificate to systems in a disconnected environment. See Centrify KB-6724 for further information. (Ref: CS-39703)


5.3.2 Environment

·         On Windows 10 and Win2K16 machines with Centrify Privilege Elevation Service, following will occur (ref: CS-43883):

• Pop up an error dialog several seconds after clicking "Open file location" in the context menu of a shortcut on the start menu. Explorer windows will display correctly.

• No responses to the following actions

  • Clicking "Open file location" in the context menu of a shortcut on desktop

  • Clicking "Open file location" in the context menu of a shortcut on the Centrify Start menu in the Privileged Desktop

  • Slow response to "OK", "Cancel" in the shortcut property page after "Open file location" in the general tab is clicked. The dialog will close after several seconds.

·         On some Windows 10 machines, the smart card login option may not be displayed if another credential method has been recently used. To display the smart card login option, remove and insert a smart card into the reader. This will cause the login screen to reload and will display the smart card login option. (Ref: CS-41282)

·         Centrify Agent for Windows requires you to patch to at least build 10.0.14393 on Windows 10 and Windows Server 2016 to use MFA features. (Ref: CS-41387)

·         Selective two-way external trusts are not supported. Both Windows machines and Centrify zones are required to be in the same forest or different forests with a two-way forest trust established. (Ref: 40713b, 44644b, 44647b, 44657b, 40643b, 40650b, 45341b, 45372b)

·         Environment with no Global Catalog is not supported. (Ref: 46577a)

·         DirectAuthorize for Windows requires machine time to be synchronized with domain controller.  VMware virtual machine has a known issue that its time may not be synchronized with domain controller.  This problem occurs more often on an overloaded virtual machine host.  If the system clocks on the local Windows computer and the domain controller are not synchronized, DirectAuthorize for Windows does not allow any domain users to login.  You can try the following KB from VMware to fix the time synchronization issue.   http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 (Ref: 47795b)


5.3.3 RunAsRole

·         If you use the “RunAsRole.exe /wait” command to run a Python script, the input/output cannot be redirected for versions of Python below 3.0.0. (Ref: 45061a)

·         Run As Role menu is not available on the start screen in Windows 8 or Windows 2012 or later because Microsoft doesn’t support any custom context menu on the start screen.  User has to go to the Windows desktop in order to launch an application using Run As Role context menu. (Ref: 35487a)

·         On Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, use “Run as role” with Local Administrators group privilege on Control Panel does not have sufficient permission to add printers if the printer drivers are not pre-installed on the computer. The workaround is to define a role run as a user with Local Administrator privilege or with a group as a member of Local Administrators group. (Ref: 68826a)

·         The “Run as role” for Windows Media Player is not recommended. Please use privilege desktop instead. (Ref: 55615a)

·         When running “RunAsRole.exe /wait sc.exe” with no argument provided to sc.exe, sc.exe will prompt

Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:

Typing ‘y’ or ‘n’ doesn’t do anything because the input cannot be successfully redirected to sc.exe. (Ref: 47016b)

·         It is not recommended to change zone via Run As Role since the role that is in use may no longer be available once after leaving from the previous zone during the change zone process. (Ref: 58043a)

·         On Windows Server 2008 R2 and Windows 7, if the Agent machine has no internet connection and the .NET CLR settings (checkCertificateRevocationList) is set to True, the MFA authentication will be failed because the CLR is unable to verify the certificate through internet. The workaround is to enable the internet connection or turn off the CLR settings (set checkCertificateRevocationList to False which is also the default value). (Ref: CS-40147)

5.3.4 Desktop with Elevated Privileges

·         Choosing the "Store" app in the Centrify Agent for windows desktop task bar will fail to to launch the App Store. (Ref: CS-44892)

·         When you have opened Internet Explorer (IE) in default desktop, IE browser may go to default desktop if it is opened on privileged desktop. This is related to IE frame merging feature. (Ref: CS-43457)

·         In desktop with elevated privilege a mouse left click does not work for SysTray Icons that involve opening the WinRT(or new Window) UI. The Systray icons affect are Time, Volume Control, or any third party icons on Windows 10/2016. (Ref: CS-39454)

·         Server Manager cannot be started on multiple desktops at the same time. The bug exists on Windows 2012R2, 2016. (Ref: CS-42060)

·         On a desktop with elevated privileges on Windows 8, 10 & 2016, the search for files or folders will be intermittently disabled from the Start menu (""Start" menu > "Search" > "For Files or Folders…" ).  (Ref: CS-42066)

·         On a desktop with elevated privileges, if you open the Task Manager and select “File > New Task” to run an application without selecting the “Create this task with administrative privileges” option, the application will be launched on the default desktop. This issue occurs when User Account Control (UAC) is enabled. (Ref: 32169a)

·         If the sAMAccountName attribute of an Active Directory account is changed while the old account name is still cached on the computer, you may see the following error message when creating a new desktop or using “Run as role” with a right configured to run as the modified user account:

“Failed to open new desktop. Right xxx references bad user account.”

The workaround is to restart the computer. (Ref: 35124a)

·         On a desktop with elevated privileges, if you use “Control Panel > Programs > Programs and Features” to uninstall a program, you may see the following warning message and cannot uninstall the software.

“The system administrator has set policies to prevent this installation.”

This issue happens when User Account Control (UAC) is enabled and when “Run with UAC restrictions” is selected when creating the new desktop. (Ref: 33384a)

·         When you open the Start menu “Help and Support” item on a desktop with elevated privileges, the Windows Help and Support is launched on the default desktop. Switch to the default desktop to view the information. (Ref: 32147a)

·         If you shut down, restart, or log off from a desktop with elevated privileges, all running applications are terminated forcibly without being prompted to save any open documents. (Ref: 40749a)

·         You cannot launch Windows Security Options using “Start menu -> Windows Security” on a privilege desktop with elevated privileges when using a remote desktop connection. You must switch back to the default desktop to continue. (Ref: 45995b)

·         Installation of IE9 on desktops with elevated privileges may cause the privileged desktop to become unusable. Use “RunAsRole” for installation of IE9 instead. (Ref: 44930a)

·         You cannot use the Start menu option “Switch User” while you are using a role-based, privileged desktop. To use the “Switch User” shortcut, change from the privileged desktop to your default Windows desktop. From the default desktop, you can then select Start > Switch User to log on as a different user. (Ref: 39011b)

·         On a DirectAuthorize desktop using a role with local administrator privilege, the Stand By option in the shutdown menu does not work.  This is a known issue and will be addressed in future release. (Ref: 58280a)

·         VMWare registers to run VMwareUser.exe on the guest operating system to enable user to copy and paste text between the guest and managed host operating systems. Creating multiple desktops with different user accounts causes multiple VMwareUser.exe are run in different user accounts in the same logon session.  VMwareUSer.exe cannot support this scenario and therefore an error message is displayed on the default desktop which blocks all the UI operation on the new desktop. To workaround this problem, user can disable the VMWare user program on the guest machine by deleting the registry value name “VMware User Process” from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. (Ref: 49268a)

·         On a privileged desktop on Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2, you may not be able to access the VMware shared folder. (Ref: 40686c)

·         Windows logo key keyboard shortcuts are not supported on privileged desktop. Depends on the key and operation system, the shortcut could either have no effect or its effect is applied to the default desktop instead. (Ref: 47588b)

·         A Start menu on privileged desktop on Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2, to make up for a limitation of Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2. In addition, navigating to a Modern Start screen to use Modern-style apps from a privileged desktop is not possible from either the charm bar or using a Windows. Note: you must switch back to the default desktop in order to go to Modern Start screen. (Ref: 41245c)

·         The Challenge Pass-Through Duration setting is currently not supported for Centrify Windows multi-factor authentication. The Challenge Pass-Through Duration setting does not require a user, who has successfully met a multi-factor authentication challenge, to re-authenticate through mfa to use an mfa-required right or role if that user chooses the same challenge mechanism when prompted within the duration specified in the setting. (Ref: CS-39432)


5.3.5 Roles and Rights

·         No 'Require multi-factor authentication' system right for the predefined 'Windows Login' role. To define this system right for MFA, use the pre-defined Require MFA for logon role, or create a new custom role. (Ref: CS-40888)

·         Windows Network Access rights do not take effect on a Linux or UNIX machines. If you select a role to start a program or create a desktop that contains a Network Access right, you can only use that role to access Windows computers. The Windows computers you access over the network must be joined to a zone that honors the selected role. The selected role cannot be used to access any Linux or UNIX server computers on the network. (Ref: 32980a)

·         Network Access rights are not supported on the Windows 2008 R2 Terminal Server if “RDC Client Single Sign-On for Remote Desktop Services” is enabled on the client side. (Ref: 34368b)

·         To elevate privileges to the “Run as” account specified in a Windows right, the “run as” account must have local logon rights. If you have explicitly disallowed this right, you may receive an error such as “the user has not been granted the requested logon type at this computer” when attempting to use the right. (Ref: 34266a)

·         If your computer network is spread out geographically, there may be failures in NETBIOS name translation. If a NETBIOS name is used, Active Directory attempts to resolve the NETBIOS name based on the domain controller that the user belongs to, which in a multi-segment network might fail. Therefore, Network Access rights might not work as expected if the remote server is located using NETBIOS name. You may need to consult your network administrator to work around this issue. (Ref: 39087a)

·         File hash matching criteria in the Application right is not supported for a file larger than 500MB.  This is to make sure DirectAuthorize does not spend too much CPU and memory resources to calculate the file hash.  User trying to import a file with the size larger than 500MB will see an empty value for the file hash field. (Ref: 56778a)

·         For a small set of application, enabled matching criterion - “Product Name”, “Product version”, “Company”, “File Version” or “File Description” of a Windows Application Right may fail to match after upgrading agent under the following conditions: - Any value for the enabled matching criteria is defined by either import from a process or file - The matching criteria is defined by 5.1.3 or 5.2.0 DirectManage Access Manager since the number of affected application is expected to be relatively low, proactively updating the defined matching criteria of Windows Application Right is not necessary. (Ref: 60053a)

·         Smart card users can continue to use their own smart card to logon, but there will be no Centrify MFA features applied to smart card users. (Ref: CS-41539)

5.3.6 Compatibility with 3rd Party Products


·         XenDesktop is not supported. Do not enable privilege elevation or identity service on XenDesktop Virtual Desktop Agent to avoid any unexpected behavior like session could be terminated properly. (Ref: CS-43815)

·         The startup path for “SharePoint 2010 Management Shell” and “Exchange Management Shell” may set to C:\Windows instead of user home directory if it is launched via RunAsRole.exe or from a desktop with elevated privilege. (Ref: 38814b, 46943b)

·         On a desktop with elevated privileges, if you install McAfee Security Scan products and click “View Readme”, the Readme.html is shown on the default desktop. Similar issues may happen with other third party programs. The alternate way to view the Readme.html on the desktop of a managed computer is to open the Readme.html file directly. (Ref: 34642a)

·         Attempting to enable Kerberos authentication for Oracle databases will fail. This issue is being brought to the attention of Oracle Support for a resolution in upcoming releases. (Ref: 33835b)

·         The Microsoft Snipping Tool utility has a bug that prevents it from running on a desktop with elevated privileges. (Ref: 31931a)

·         Some applications do not use the process token to check the group membership. They check the user’s group membership on its own. Therefore, any Windows rights configured to use a privileged group will not take effect in these applications. The workaround is to use a privileged user account instead of a privileged group. Here is the list of known application with this issue:

1.  vCenter Server 5.1

2.  SQL Server

3.  Exchange 2010 or above 

4.  SCOM 2007

(Ref: 45318a, 45218a, 43779a, 38016a)

·         Privilege elevation using Windows Rights for Internet Explorer (IE) 7 is not supported. (Ref: 33425a)

·         Privilege elevation using Windows rights for “Remote Desktop” is not supported. (Ref: 45222b)

·         VirtualDesktop is not compatible with Centrify Agent for Windows – Access. Users should use the Centrify system tray applet to create virtual desktop instead. (Ref: 44641b)

·         Privilege elevation using Windows rights for taskmgr.exe, explorer.exe, and cmd.exe are not recommended. A user granted privileges with Windows rights is implicitly granted to run any executable under the same privilege. (Ref: 45861a, 40525a)

·         Users may notice an error and cannot install ActivClient after installing Centrify Agent for Windows. During the installation of ActivClient, it attempts to change the local security setting. However, there is a known issue for Centrify Agent for Windows of blocking the local security setting (Ref: 63609b). Therefore, users may not be able to install ActivClient successfully after installing Centrify Agent for Windows. We suggest installing ActivClient before installing Centrify Agent for Windows. If Centrify Agent for Windows has been installed, please uninstall it and follow the installation sequence suggested. This issue happens on Windows 8.1 and Windows 2012 R2 only. (Ref: 76016b)

·         McAfee Virus scan enterprise blocks our kerberos/authentication binaries(Dzkerberos.dll & DzMsv1_0.dll) from loading into lsass.exe on Windows server 2008 R2 Sp1. (Ref: CS-42755)

·         Attempting to launch SCOM Operation Console on privileged desktops will fail if there is an existing instance on other desktops and a new SCOM Operation Console will be started on the desktop with an existing instance. The workaround is to close all existing instances before starting a new SCOM Operation Console. (Ref: CS-43790)

5.3.7 Application Manager

·         Application Manager does not support Server Core edition of Windows. (Ref: CS-40656)


5.3.8 Network Manager

·         Network Manager does not support Server Core edition of Windows. (Ref: CS-42675)

6. Additional information and support

In addition to the documentation provided with this package, see the Centrify Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone.

The Centrify Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:


To contact Centrify Support or to get help with installing or using this version of Centrify Agent for Windows software, send email to Support or call 1-669-444-5200, option 2.

For information about purchasing or evaluating Centrify products, send email to info.