Centrify Identity Broker Service and Centrify Privilege Elevation Service 5.5.0 (2018) Release Notes
© 2004-2018 Centrify Corporation.
This software is protected by international copyright laws.
All Rights Reserved.
Centrify Identity Broker Service and Centrify Privilege Elevation Service (part of Centrify Infrastructure Services) centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Infrastructure Services, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. Centrify Identity Broker Service, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on Legacy systems, separate identity from access management and delegate administration. Centrify's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.
An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available online.
The Centrify Infrastructure Services related release notes and documents are available online at http://docs.centrify.com.
Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)
For a list of the platforms supported by this release, refer to the 'Supported Platforms' section in the Centrify Infrastructure Services release notes.
For a list of platforms for which Centrify will remove support in upcoming releases, refer to the 'Notice of Termination Support' section in the Centrify Infrastructure Services release notes.
For a complete list of platforms in all currently supported DirectControl Agent releases, refer to the 'Centrify Infrastructure Services' section in the document available from www.centrify.com/platforms.
· Open Source component upgrade
o Centrify PuTTY 5.5.0 is now based on PuTTY 0.70 instead of 0.69. (Ref: CS-45038)
§ This includes the remaining fixes for CVE-2016-6167 (potential malicious code execution via indirect DLL hijacking). For details, please refer to https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html.
o Centrify OpenSSH is upgraded based on OpenSSH 7.6p1 instead of 7.4p1. (Ref: CS-42772)
§ This includes several security fixes. This release also removes support for RSA1 keys. For details, please refer to http://www.openssh.com/txt/release-7.6 and http://www.openssh.com/txt/release-7.5.
o Centrify OpenSSL is upgraded based on OpenSSL 1.0.2n instead of 1.0.2k. (Ref: CS-43230)
§ This includes security fixes for CVE-2017-3735, CVE-2017-3736, CVE-2017-3737 and CVE-2017-3738. For details, please refer to https://www.openssl.org/news/secadv/20171207.txt and https://www.openssl.org/news/secadv/20171102.txt.
o Centrify curl is upgraded based on cURL 7.58.0 instead of 7.55.1. (Ref: CS-44742, CS-44447, CS-44736, CS-44737, CS-44738, CS-45132, CS-45133)
§ This includes security fixes for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000005, CVE-2018-1000007, CVE-2017-1000257. For details, please refer to https://curl.haxx.se/docs/security.html.
· Product packaging changes
o On Solaris x86 and SPARC platforms, the Centrify DirectControl package set and its add-on packages (openssh, nis and ldapproxy) are changed to 64-bit. Hence, for compatibility reasons, you must upgrade both the DirectControl and DirectAudit packages together in this release. Because of this, previous versions of DirectSecure Agent for Solaris will not work with this release. (Ref: CS-43308, CS-44083, CS-44085, CS-44594, CS-45441)
o The required .NET framework is upgraded to version 4.6.2 in this release. (Ref: CS-44070, CS-44209, CS-45110, CS-45299)
§ If you operate in an offline or intranet mode that does not have internet access, you need to download the root certificate from Microsoft first or else the installation of .NET 4.6.2 will fail. Please see https://support.microsoft.com/en-us/help/3149737/.
§ The installation of .NET 4.6.2 will also fail if the URL cache on the destination computer does not contain an up-to-date Certificate Revocation List (CRL). To resolve this issue, please see: https://support.microsoft.com/en-sg/help/2694321/net-framework-4-update-error-generic-trust-failure-0x800b010b
o The CoreOS packages are now available for download via wget. Adcheck is now also available on CoreOS. (Ref: CS-44862, CS-44205, CS-45206)
o Centrify Express packages are no longer available on UNIX platforms, which include AIX, HPUX and Solaris. (Ref: CS-45040)
o This release of Centrify DirectControl Agent for *NIX will work with the following:
§ The latest released Centrify for DB2, Centrify for Samba and Centrify for SAP Netweaver ABAP SSO. (Ref: CS-44594)
· On Solaris x86 and SPARC platforms, DirectSecure Agent must be of Release 2018 or later. (Ref: CS-44594)
§ Centrify DirectAudit Agent of Release 2017 or later, except that
· On AIX, Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later. (Ref: CS-44597, CS-44601, CS-44749)
· On Solaris x86 and SPARC platforms, DirectAudit Agent must be of Release 2018 or later. (Ref: CS-44594, CS-45441)
§ Centrify OpenSSH and Centrify OpenSSL of Release 2017 or later, except that
· On Linux PowerPC platforms, all packages must be of Release 2017.3 or later. (Ref: CS-44749, CS-44753)
· Fixed a security vulnerability in installation and upgrade of the Centrify DirectControl Agent package. (Ref: CS-45617)
· Enhancements for Microsoft Azure
o Centrify DirectControl Agent now supports Microsoft Azure Active Directory Domain Service. (Ref: CS-41785)
· Enhancements for AIX
o Active Directory users can now run the 'chsec' command to update attributes of a local user. (Ref: CS-41449)
· Enhancements for CoreOS
o Additional Centrify DirectControl Agent functionalities are now supported inside the CoreOS container. Please refer to KB-9565 and user documentation for details. (Ref: CS-44544)
· Enhancements for local account management
o New options instruct the Centrify DirectControl Agent how strictly local account management should be enforced. Please see the Configuration Parameters section below for details. (Ref: CS-44844)
· Enhancements for command-line tools
o The command 'adjoin' is enhanced with the following:
§ Added a new option '-d, --forceDeleteObjWithDupSpn' to delete existing object(s) with a duplicate Service Principal Name (SPN). (Ref: CS-44604)
§ Added a new option '-r, --useConf enctype' to respect the encryption type(s) defined in 'msDS-SupportedEncryptionTypes' in Active Directory, or in the setting 'adclient.krb5.permitted.encryption.types' in centrifydc.conf, in this order, when performing a self-serve join. (Ref: CS-44645)
§ Added a new option '-r, --useConf spn' to respect the Service Principal Name (SPN) defined in the setting 'adclient.krb5.service.principals' in centrifydc.conf when performing a self-serve join. (Ref: CS-44700)
· New feature supported
o A new feature 'Use My Account' is introduced in Centrify Admin Portal that allows a user to access a DirectControl-managed system using his/her currently logged-in account without entering the credential again. This is particularly useful in a smartcard use case where the user does not even know his/her password. There are a few configuration steps needed both on the target machine(s) and on the portal. Please refer to user documentation for details. (Ref: CS-45113, CS-45114)
The following parameters are added in centrifydc.conf:
- adclient.binding.dc.failover.delay: This parameter specifies the waiting time in minutes before the DirectControl Agent determines that a Domain Controller is no longer responding and needs a failover. The default is 0, meaning no waiting time. (Ref: CS-44591)
- adclient.local.account.manage.strict: This parameter turns the strict enforcement mode for local account management on or off. The default is false, meaning no strict enforcement. Two sub-parameters, adclient.local.account.manage.strict.passwd and adclient.local.account.manage.strict.group, further define whether the enforcement applies to users and/or groups. When strict enforcement is turned on, unmanaged local user/group entries are removed. Note that switching back to non-strict enforcement of local account management will not restore the removed unmanaged local users/groups. (Ref: CS-44844)
- adclient.local.account.manage.strict.passwd: This parameter specifies whether the strict enforcement of local account management applies to user entries. The default is false. It takes effect only if adclient.local.account.manage.strict is set to true. When strict enforcement is enabled for users, any unmanaged local user entries, except the entry with uid 0, are removed from /etc/passwd, as well as from /etc/shadow if it exists, and the unmanaged users' extended attributes are removed as well. (Ref: CS-44844)
- adclient.local.account.manage.strict.group: This parameter specifies whether the strict enforcement of local account management applies to group entries. The default is false. It takes effect only if adclient.local.account.manage.strict is set to true. When strict enforcement is enabled for groups, any unmanaged local group entries, except the entry with gid 0, are removed from /etc/group, and the unmanaged groups' extended attributes are removed as well. (Ref: CS-44844)
- adclient.skip.inbound.trusts: This parameter controls whether the DirectControl Agent sends network queries to inbound trusts. If it is set to true, inbound trusts are not built into the domaininfomap and the probing of inbound trusts is skipped. The default is false. (Ref: CS-44718)
- queueable.random.delay.interval: This parameter controls whether a randomized delay is introduced when scheduling background tasks on a DirectControl-managed machine. It prevents many machines from overloading the Active Directory server when a common event, such as joining the same domain, occurs on all of them at the same time. The value is the maximum randomized delay in minutes; the default is '0', meaning no delay. (Ref: CS-44592)
No parameters are updated in or removed from centrifydc.conf in this release.
Please refer to the manual, Configuration and Tuning Reference Guide, for details.
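Strict enforcement removes entries and the notes say that turning it off again does not restore them, so a dry run listing what would be removed is a sensible pre-flight check. The following Python is an added example, not Centrify's code: it reads the three parameters from a centrifydc.conf fragment and applies the stated rules (master switch, per-database sub-switches, uid 0 / gid 0 exempt) to passwd/group data; the set of "managed" names is supplied by the caller, since the notes do not describe how the agent marks an entry as managed (an assumption).

```python
"""Dry-run preview of strict local account enforcement (added example)."""
from dataclasses import dataclass


@dataclass
class StrictSettings:
    """Mirror of the three centrifydc.conf parameters (defaults: all false)."""
    strict: bool = False          # adclient.local.account.manage.strict
    strict_passwd: bool = False   # adclient.local.account.manage.strict.passwd
    strict_group: bool = False    # adclient.local.account.manage.strict.group


def parse_conf(text):
    """Parse 'key: value' lines of a centrifydc.conf fragment.

    Only the three parameters of interest are read; other keys are ignored.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        values[key.strip()] = value.strip().lower() == "true"
    return StrictSettings(
        strict=values.get("adclient.local.account.manage.strict", False),
        strict_passwd=values.get("adclient.local.account.manage.strict.passwd", False),
        strict_group=values.get("adclient.local.account.manage.strict.group", False),
    )


def _entries(db_text):
    """Yield (name, numeric id) from passwd/group style lines; id is field 3 in both."""
    for line in db_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 3 or not parts[0]:
            continue
        try:
            yield parts[0], int(parts[2])
        except ValueError:
            continue  # malformed line: leave it for the real tools to report


def preview_removals(settings, passwd_text, group_text, managed_users, managed_groups):
    """Return (users, groups) that strict enforcement would remove.

    Rules from the release notes: nothing is removed unless the master switch
    is on; the passwd/group sub-switches select which database is enforced;
    the uid 0 and gid 0 entries are never removed. 'Managed' membership is
    modelled as the caller-supplied name sets (an assumption of this example).
    """
    users, groups = [], []
    if not settings.strict:
        return users, groups
    if settings.strict_passwd:
        users = [name for name, uid in _entries(passwd_text)
                 if uid != 0 and name not in managed_users]
    if settings.strict_group:
        groups = [name for name, gid in _entries(group_text)
                  if gid != 0 and name not in managed_groups]
    return users, groups


# Constructed sample data (not from a real system).
SAMPLE_CONF = """\
adclient.local.account.manage.strict: true
adclient.local.account.manage.strict.passwd: true
adclient.local.account.manage.strict.group: false
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svcapp:x:1001:1001::/home/svcapp:/bin/sh
legacy:x:1002:1002::/home/legacy:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
svcapp:x:1001:
legacy:x:1002:
"""

if __name__ == "__main__":
    settings = parse_conf(SAMPLE_CONF)
    users, groups = preview_removals(settings, SAMPLE_PASSWD, SAMPLE_GROUP,
                                     managed_users={"svcapp"}, managed_groups={"svcapp"})
    print("local users that strict mode would remove:", users)
    print("local groups that strict mode would remove:", groups)
```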
· A new configuration parameter, 'RloginControlSsh', is added in 'sshd_config', to indicate if the setting 'rlogin = false' for normal user in '/etc/security/user' should also disallow SSH access or not. The default is 'yes', meaning that SSH access will be denied in such case. (Ref: CS-44247)
· We have made significant performance enhancements in this release. (Ref: CS-44705)
· Centrify OpenLDAP Proxy now provides performance statistics gathering and reporting, controlled by a new configuration parameter 'ldapproxy.performance.log.interval'. This parameter sets the number of seconds between log events that dump statistics about the search cache and authentication. The summary information (hits, misses, etc.) is logged as DEBUG level events. The default is '0', meaning statistics are not enabled. (Ref: CS-40012)
· A new authentication cache is added to improve the LDAP Proxy authentication performance. The validity of this new cache is controlled by a new configuration parameter, 'ldapproxy.cache.credential.expires 300', in slapd.conf. The default expiration is 300 seconds. (Ref: CS-44706)
· Report Center has been deprecated by Centrify Report Services since Release 2016 and is now no longer accessible from Access Manager. (Ref: CS-45568)
· Licensing Service and Licensing Report now support vault-based systems.
In this release, vault-based audited UNIX systems are counted as 'UNIX without license type', whereas vault-based audited Windows systems are counted as 'Windows Server'.
Note: Use the new Licensing Service and Licensing Report if you use vault-based systems. Previous versions of Licensing Service and Licensing Report do not support vault-based systems yet, so both UNIX and Windows vault-based audited systems may all be counted as 'UNIX without license type' and may be treated as orphan systems. (Ref: CS-45342)
· The SSH group policy 'Match Block' now supports Match block directives that have sub-directives. (Ref: CS-44660, CS-44652)
· The tool 'CopyGroupNested' now has a better logging feature. (Ref: CS-44339)
· The command-line tool 'zoneupdate' now supports event logging. (Ref: CS-44113)
· Open Source component upgrade
o Centrify curl is now based on stock cURL 7.55.1. (Ref: CS-43826, CS-43327, CS-43822, CS-43823, CS-43824)
§ This includes several security fixes, e.g. CVE-2017-9502, CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-1000101. Please refer to https://curl.haxx.se/changes.html for details.
· On Solaris SPARC, Linux PPC (not PPC64le), or zLinux (S390) platforms, if you want to upgrade from Suite 2017.1 or older, you must upgrade all installed packages to Release 2017.3 or later. (Ref: CS-44458, CS-44597, CS-44749, CS-44753, CS-45063)
· This release of Centrify DirectControl Agent for *NIX will work with the latest released Centrify for DB2, Centrify for Samba and Centrify for SAP Netweaver ABAP SSO.
· Fixed a security vulnerability in the command line utility "ksu". (Ref: CS-44567)
· CoreOS is supported. Due to the CoreOS architecture, only a subset of the DirectControl agent's functionality is supported. For example, there is no adcheck utility.
o Centrify packages on CoreOS are installed in a different location: /opt/ instead of /usr/share/.
o It has its own installation tarball as there is no package manager.
o It does not support the Centrify Express edition.
For details of this new feature, please refer to user documentation. (Ref: CS-42928, CS-43287, CS-44082, CS-44205, CS-44515)
· DirectControl Agent for *NIX now supports Web Proxy Authentication for MFA. It also allows users to specify which web proxy server MFA authentication should go through. A new CLI, adwebproxyconf, is also added to configure this feature. For details of this new feature, please refer to user documentation. (Ref: CS-41754)
· dzdo now supports Role-based Access Control (RBAC) in SELinux. Two new fields, 'selinux_role' and 'selinux_type', are provided for users to specify the default role and type for privileged command execution when creating SELinux context. These settings can be overridden by the '-r'/'-t' command-line options respectively. Note that the settings are currently supported only on RHEL and effective only on machines with SELinux enabled and joined to a hierarchical zone. Access Manager console, Access Module for Powershell, adedit, and Sudoers Import have also been enhanced to support these settings. (Ref: CS-43255, CS-43788, CS-43794, CS-43820)
· The adkeytab command has added a new optional parameter, -y, --set-acct-enctype, for the --new / --adopt commands, to restrict the encryption types to those specified in "msDS-SupportedEncryptionTypes" attribute. If set, the adkeytab command will respect the encryption types defined in this attribute when it adds new Service Principal Name (SPN) or changes account password for this account. (Ref: CS-44314)
· A new command-line option "-T, --command-timeout" is added for dzdo command to specify the command timeout in seconds. The command will be terminated after the specified timeout expires. This setting works only if the parameter 'dzdo.user.command.timeout' is enabled in centrifydc.conf. (Ref: CS-43859)
· Audit trail events have been enhanced: (Ref: CS-43683, CS-43840, CS-43919, CS-44654)
o Login and dzdo privilege elevation events now show whether MFA is required or not. Note: This new field is always set to "N/A" on MacOS.
o MFA now shows only one summarized event per Centrify Identity Platform MFA transaction regardless of how many MFA challenges have been executed.
o DirectAudit session ID is now available in MFA challenge events.
o Note: the new version of dzdo and PAM authentication audit trail events introduced in Release 2017.3 cannot be reported by older versions of DirectAudit Audit Manager or PowerShell cmdlets. Please upgrade the DirectAudit backend components (Audit Manager, collector, and databases) to Release 2017.3 or later. If you cannot upgrade the DirectAudit backend components, please contact Centrify Technical Support for information about patching the DirectAudit databases to support these new audit trail events.
· Centrify curl command now supports SPNEGO authentication. (Ref: CS-43894)
· The Login and Privilege Elevation profiles previously under the "Settings>Authentication>Server and Workstation" tab in the Centrify Admin Portal are now regrouped under "Core Services>Login Policies" and "Core Services>Privilege Elevation Policies". Please note that not all the options are valid for MFA Login or Privilege Elevation. Highlights (Ref: CS-43898):
o If you have previously created custom profiles in the Admin Portal, the new Admin Portal UI will provide an auto generated policies set "Infrastructure Policy (Auto generated)".
o However, some of the new options are supported only by 2017.3 agents, or 2017.2 agents (November 2017 update). For example, irrespective of the "Windows Workstation" setting, older agents will still use the "Unix and Windows Servers" policy even though the machine is a Workstation. Also, older agents do not support new options, such as "Device OS" and "Identity Cookie" in the authentication profiles for Login or Privilege Elevation.
The following parameters are added in centrifydc.conf:
- adclient.tcp.connect.timeout: This parameter specifies the timeout for all TCP port probing used in the DirectControl Agent. The default is 10 seconds. (Ref: CS-43841)
- adclient.user.name.max.exceed.disallow: This parameter specifies whether the length of a UNIX user name may exceed the system-defined maximum login name length. The default is false, which means exceeding the maximum is allowed. Note that this parameter applies only to hierarchical zones. (Ref: CS-42714)
- dzdo.user.command.timeout: This parameter allows a user to specify dzdo command execution timeout, with the new "-T, --command-timeout" option. The default is false. (Ref: CS-43859)
Please refer to the Configuration and Tuning Reference Guide for details.
· OpenLDAP Proxy now supports anonymous query for rootDSE. (Ref: CS-43986, CS-27196)
· OpenLDAP Proxy also adds the support to the filter "(&(objectClass=posixGroup)(memberUid=*))". (Ref: CS-44421)
· Report Services now supports the Delegation Report and Effective Delegation Report, which provide information on who can do what as defined in Centrify Access Manager. Note that the service account needs additional permission to read ACEs for these reports. (Ref: CS-44055, CS-43685, CS-44103)
· The performance of "Right Summary Report" is further optimized by leveraging some newly added views. Here are the corresponding new views, EffectiveAuthorizedUserPrivilegesSummary, EffectiveAuthorizedUserPrivilegesSummary_Classic, EffectiveAuthorizedUserPrivilegesSummary_Hierarchical, and EffectiveLocalUserPrivilegesSummary. (Ref: CS-43482, CS-43477)
· The Microsoft SQL Server 2012 SP3 – Express is now bundled in Centrify Report Services package. This version of SQL server supports TLS 1.2. Thus, the size of the installer ISO has increased by ~1 GB. (Ref: CS-43572)
· Added support in console and sudoers import for SELinux Role-based Access Control (RBAC). Users can now set SELinux role and type by using the SELinux Setting button in Access Manager> Property page of the Command Right object> Attributes tab, or using the ROLE and TYPE fields in Import Sudoers file. These settings are supported only on RHEL and effective only on machines with SELinux enabled and joined to a hierarchical zone. (Ref: CS-43788, CS-43820)
· Added support for SELinux RBAC. Users can now set SELinux role and type using SELinuxRole and SELinuxType with New-CdmCommandRight and Set-CdmCommandRight cmdlets. Note such settings are supported only on RHEL and effective only on machines with SELinux enabled and joined to a hierarchical zone. (Ref: CS-43794)
· The registry option SkipOfflineDomain was used to skip only the "server not operational" error in order to continue provisioning. Now it will skip other errors as well. (Ref: CS-43243)
· Logging in CopyGroup tool is improved in this release. (Ref: CS-44321)
· Added a new switch "-nonisserversgroup" to adedit command "create_zone" to allow users to create a hierarchical/classic zone without generating the corresponding zone_nis_servers group. (Ref: CS-43111)
· The adedit commands, "set_dzc_field" and "get_dzc_field", are enhanced to support the new fields, selinux_role and selinux_type, for SELinux RBAC. (Ref: CS-43255)
· Fixed an upgrade issue resulting in EXIT CODE 26 on Solaris 11.3. (Ref: CS-45048)
· Several packaging issues, e.g. a missing configuration file mark, are now fixed. (Ref: CS-40755)
· AIX related fixes
o Fixed a problem which causes login failure for some users even if they have the 'login-all' role. (Ref: CS-44942)
o Centrify DirectControl Agent crashes on AIX 7.1 with TL5 installed due to a function compatibility issue. This is fixed. (Ref: CS-44918)
· Multi-Factor Authentication (MFA)
o MFA may use a different authentication profile at the wrong time if 'Time Range' or 'Date Range' rule setting is set to 'User Local Time'. This is fixed. (Ref: CS-44940, CS-44984)
o MFA sometimes may not be able to locate the correct connector after Centrify DirectControl Agent restarts, resulting in SSH login failures. This is fixed. (Ref: CS-44964)
o MFA may not work on docker images until you touch the file /etc/centrifydc/centrifydc.conf. This is fixed. (Ref: CS-44886)
· Centrify Network Information Service (NIS) and Centrify NIS Server
o Added systemd support in adnisd init script on SuSE, Debian, and RHEL platforms. Also fixed several wrong log messages related to niswatch. (Ref: CS-44860)
· Centrify for DB2
o Centrify for DB2 does not function correctly if the corresponding Active Directory object has no UNIX name. This is fixed. (Ref: CS-45567)
· Command-line tools
o The command 'adcheck' does not honor the 'dns.servers' setting in centrifydc.conf when performing DNS check (DNSPROBE). This is fixed. (Ref: CS-45018)
o The command 'adjoin' now always uses the Domain Controller specified with '-s, --server'. (Ref: CS-44293)
o Fixed a bug where the command 'adjoin' failed to add a computer to the associated group of a computer role if the computer was already pre-created in the zone. (Ref: CS-45294)
o The command 'dzdo -l' wrongly returns exit code '1' in Release 2017.3. This is fixed. (Ref: CS-45590)
o The command 'id' shows duplicate groups for the specified user when the group has more than one profile in the zone hierarchy. This is fixed. (Ref: CS-44799)
· Audit trail support in Centrify OpenSSH can now coexist with other audit mechanisms that come with the operating system. (Ref: CS-44605)
· The performance of 'sftp' and 'scp' is now improved by utilizing the hardware acceleration in Solaris 11.2 or above with SPARC T4 or newer CPU. For details, please refer to the corresponding Centrify Knowledge Base article. (Ref: CS-40402)
· The rescue mode is now extended to the use case where Centrify OpenSSH is used for Single-Sign-On login with Multi-Factor Authentication (SSOMFA). If Centrify OpenSSH can communicate with Centrify DirectControl Agent but the agent fails to connect to Centrify Identity Platform because of configuration or network problems, it falls into rescue mode. In this case, if the user being authenticated has the 'Rescue Rights' role assigned, login is allowed; if not, login is denied at once. Note that the 'Rescue Rights' role setting is now supported in both Centrify Auditing and Monitoring Service and Multi-Factor Authentication (MFA) for GUI and Centrify OpenSSH login, but not for MFA used in 'dzdo execute' commands. (Ref: CS-44626)
· ldapsearch does not work when nisNetgroupTriple is used in the filter with objectClass set to nisNetGroup. This is fixed. (Ref: CS-44857)
· The Setup wizard option 'Generate Centrify recommended deployment structure' does not grant correct rights on the license container when generating deployment structure, and hence fails to generate structure under 'OU' with a name containing a slash. This is now fixed. (Ref: CS-44823)
· Access Manager now handles Domain Controller replication conflicts better. (Ref: CS-43394)
· The Centrify API for Windows Reference, centrify-win-api-ref.chm, and the Centrify API for Windows Programmer's Guide, Centrify-win-progguide.pdf, are updated to show the usage of custom attributes in role definition, role assignment and computer role definition. (Ref: CS-43856)
· The Group Policy 'Enforce Screen Locking' does not work on Ubuntu platforms. This is fixed. (Ref: CS-44985)
· We have made more performance improvements in Report Services. (Ref: CS-44895, CS-44372)
· Zone Provisioning Agent may search from a wrong domain when resolving primary group member. This is fixed. (Ref: CS-45139)
· In classic zones, 'get_zone_user_field gecos' incorrectly returns the user's 'description' attribute which is different from the result of 'getent passwd'. This is fixed. (Ref: CS-44757)
· Centrify products which use Centrify OpenSSL libraries can now utilize Intel AES-NI hardware acceleration if the hardware supports it (Linux and Solaris). Please note that this optimization exists only in the 64-bit Centrify OpenSSL for Solaris on x86_64. (Ref: CS-44397)
· A new switch is added to control whether a user can log in with a name longer than the system maximum login length. This applies to both Active Directory users and local users in hierarchical zones. (Ref: CS-42714, CS-43825)
· The adinfo command with option "-t" can now show nscd status and nscd configuration. In Solaris 11, it prints the nscd configurations in adinfo_support.txt instead. (Ref: CS-21754)
· The "adinfo -y domain" command now shows the trusted domain prefix IDs. (Ref: CS-44565)
· Fixed a bug that caused the adquery command to return duplicate group entries. (Ref: CS-43252)
· The configuration parameter, adclient.get.primarygroup.membership, does not work as expected. It is now fixed. (Ref: CS-44057)
· One-way cross-forest trust users are incorrectly prompted for expired password when it is not expired. It is now fixed. (Ref: CS-42584)
· On AIX, the Local Account Handling will now disallow empty password hash in /etc/security/passwd for enabled users. If the password hash is empty, it is set to "*". (Ref: CS-44415)
· On Solaris, /etc/certs/ca-certificates.crt is added to CentrifyDC and CentrifyDC-curl SSL CA bundle file search list. (Ref: CS-44248)
· Fixed an issue in Centrify OpenSSH on AIX/HPUX where SSOMFA feature cannot work as expected. (Ref: CS-43873)
· Access Manager did not allow assignment of role to the same assignee in different start or end times under the same zone, same computer or same computer role. This is now supported in hierarchical zones. (Ref: CS-43451)
· In an environment where child domain users cannot read objects in the forest root domain, errors may occur during zone creation and when adding users to a zone. It is now fixed. (Ref: CS-43835)
· Access Manager cannot successfully finish the Identity Platform connection test in an environment where TLS 1.0 is not allowed. It is now fixed. (Ref: CS-43951)
· If a user selects "Allow the computer to join itself to the zone" in "Precreate Computer Profile Wizard", the operation may fail if the account specified in "Allow this user, group or computer to join the computer to the zone" does not exist. It is now fixed. (Ref: CS-43420)
· The task name "Initialize data for DirectAuthorize" is changed to "Enable Privilege Elevation for Classic Zone" in the Centrify Access Manager Zone Delegation Wizard as well as in Delegation Report or Effective Delegation Report to reflect the actual usage. (Ref: CS-44506, CS-44520)
· The default install path of Centrify Access API for Windows has been changed to "C:\Program Files\Centrify\Access API for Windows\" in Identity Broker & Privilege Elevation Service 5.4.2. PowerShell sample scripts are now updated to use the new default install path. (Ref: CS-43896)
· PowerShell cmdlet did not allow assignment of role to the same assignee in different start or end times under the same zone, same computer or same computer role. This is now supported in hierarchical zones. (Ref: CS-43451)
· The Centrify Audit Trail Settings group policy template is now installed by Centrify Group Policy Management Editor Extension. (Ref: CS-44013)
· Report Services can now skip Computer Zone containers with unexpected CN name format and allow synchronization to continue. (Ref: CS-43911)
· Zone Provisioning Agent can provision users in Domain Users group only if it is explicitly assigned as the source group but not if Domain Users group is a member of another provisioning group. It is now fixed. (Ref: CS-35047)
· The "Save As…" button in the Zone Provisioning Agent (ZPA) configuration panel now saves logs for both the ZPA service and the ZPA configuration panel. (Ref: CS-44031)
· In an environment where child zone user cannot access forest root domain, errors may occur while building domain tree in Domain Browser or clicking the Apply button. It is now fixed. (Ref: CS-44208)
· The CopyGroupNested.exe tool fails to run with an empty prefix. It is now fixed. (Ref: CS-44627)
The following sections describe common known issues or limitations associated with this Centrify Infrastructure Services release.
For the most up-to-date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to the Knowledge Base articles for any known issues with the release.
· Known issues with Multi-Factor Authentication (MFA)
If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, all AD users will be required to perform MFA. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)
A user-specified Web Proxy Server will not work properly if the 'negotiate' authentication type is used and the proxy user's password or the machine's password is configured to be cached in an RODC. (Ref: CS-44177)
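One way to catch the first misconfiguration above before it makes MFA mandatory for every AD user, as an added example (not Centrify code): parse the parameter out of centrifydc.conf and verify that each listed group resolves. It assumes the value is a comma- or whitespace-separated list of group names and uses the system NSS group lookup for resolution, which on a joined machine includes AD groups via the agent; both are assumptions, so check the Configuration and Tuning Reference Guide for the exact syntax.

```python
"""Verify the groups in adclient.legacyzone.mfa.required.groups exist (added example)."""
import re

try:
    import grp  # Unix-only NSS group database access
except ImportError:  # pragma: no cover - non-Unix host
    grp = None

# Parameter named in the known issue above.
PARAM = "adclient.legacyzone.mfa.required.groups"

# Constructed sample centrifydc.conf fragment (not from a real system).
SAMPLE_CONF = """\
# constructed fragment: two groups that should exist in the domain
adclient.legacyzone.mfa.required.groups: mfa-admins, mfa-ops
"""


def read_required_groups(conf_text, param=PARAM):
    """Return the group names listed for `param` (first occurrence), or [].

    Assumed syntax: 'key: value' with names separated by commas or whitespace.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() == param:
            return [g for g in re.split(r"[,\s]+", value.strip()) if g]
    return []


def group_exists_nss(name):
    """True if the name resolves through the system's NSS group database."""
    if grp is None:
        return False
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def find_missing_groups(conf_text, group_exists=group_exists_nss):
    """Names from the parameter that do not resolve; an empty list means OK.

    `group_exists` is injectable so the check can be exercised offline.
    """
    return [g for g in read_required_groups(conf_text) if not group_exists(g)]


if __name__ == "__main__":
    missing = find_missing_groups(SAMPLE_CONF)
    if missing:
        print("non-existent groups in %s: %s" % (PARAM, ", ".join(missing)))
        print("with MFA enabled, this makes MFA required for all AD users")
    else:
        print("all groups in %s resolve" % PARAM)
```

On a real host, point the script at /etc/centrifydc/centrifydc.conf and leave `group_exists` at its default so the lookup goes through NSS.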
· Known issues with AIX
On AIX, upgrading DirectControl agent from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after upgrade. It's recommended not to upgrade DirectControl agent in disconnected mode. (Ref: CS-30494a)
Some versions of AIX cannot handle user names longer than eight characters. As a preventive measure, a new test case has been added to the adcheck command to check whether the parameter LOGIN_NAME_MAX is set to 9. If so, adcheck shows a warning so that users are aware of it. (Ref: CS-30789a)
· Known issues with Fedora 19 and above (Ref: CS-31549a, CS-31730a)
There are several potential issues on Fedora 19 and above:
1) The adcheck command will fail if the machine does not have Perl installed.
2) Group Policy will not be fully functional unless Text/ParseWords.pm is installed.
· Known issues with RedHat
When logging into a RedHat system as an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which results in unpredictable login behavior. The workaround is to remove the conflict or log in with a different AD user. (Ref: CS-28940a, CS-28941a)
· Known issues with rsh / rlogin (Ref: IN-90001)
- When using rsh or rlogin to access a computer that has the DirectControl agent installed, and where the user is required to change their password, the user is prompted to change their password twice. The user may enter the same password each time they are prompted, and the password is changed successfully.
· Known issues with compatibility
Using DirectControl 4.x agents with Access Manager 5.x (Ref: IN-90001)
- DirectControl 4.x agents can join classic zones created by Access Manager 5.x. It ostensibly is possible to join a DirectControl 4.x agent to a hierarchical zone as well, but this causes failures later because such behavior is undefined.
Default zone not used in DirectControl 5.x (Ref: IN-90001)
- In DirectControl 4.x, and earlier, there was a concept of the default zone. When Access Manager was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone would be used.
- This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.
- A zone called "default" may be created, and default zones created in earlier versions of Access Manager may be used, but the name must be explicitly used.
· There is a Red Hat Linux desktop selection issue found in RHEL 7 with smart card login. When logging in with a smart card, if both the GNOME and KDE desktops are installed, the user can only log into the GNOME desktop even though the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)
· On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smart card is inserted on the login screen, the PIN prompt may not appear until you press the "Enter" key. The workaround is to replace libsoftokn3.so (a shared object file in the NSS package) with the older version from RHEL 5.9. (Ref: CS-35038a)
· On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen will be locked several seconds after logging in with a smart card. The workaround is to replace libsoftokn3.so (a shared object file in the NSS package) with the older version from RHEL 5.9. (Ref: CS-33871a)
· When a SmartCard user attempts to log in on Red Hat 6.0 with a password that has expired, the authentication error message may not mention that authentication failed because of the expired password. (Ref: CS-28305a)
· On RedHat, any SmartCard user will get a PIN prompt even if the user is not zoned, although the login attempt will ultimately fail. This diverges from Mac behavior: on Mac, if a SmartCard user is not zoned, the user is not prompted for a PIN at all. (Ref: CS-33175c)
· If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using the expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and password logins while using a smart card. (Ref: CS-28926a)
· In order to log in successfully in disconnected mode (Ref: CS-29111a):
- For a password user:
  - A password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other DirectControl agent for *NIX behavior.)
- For a SmartCard user:
  - The above is not true of SmartCard login. Given a properly configured RedHat system with a valid certificate trust chain and CRL set up, a SmartCard user may successfully log in using disconnected mode even without prior successful logins in connected mode.
  - If the certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.
  - If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.
· After upgrading from DirectControl version 5.0.4 to version 5.1, a SmartCard user may not be able to log in successfully. The workaround is to run the following CLI commands:
sudo rm /etc/pam_pkcs11/cacerts/*
sudo rm /etc/pam_pkcs11/crls/*
sudo rm /var/centrify/net/certs/*
and then run adgpupdate. (Ref: CS-30025c)
· When CRL checking is set via Group Policy and a user attempts to authenticate via a smart card, authentication may fail. The workaround is to wait until the Group Policy update interval has elapsed and try again, or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)
· After upgrading from DirectControl agent version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to perform the following CLI command sequence:
sudo rm /etc/pam_pkcs11/cacerts/*
sudo rm /etc/pam_pkcs11/crls/*
sudo rm /var/centrify/net/certs/*
and then log in again using the SmartCard and PIN. (Ref: CS-30353c)
· A name-mapping user can unlock the screen with a password even though the previous login was with a PIN. (Ref: CS-31364b)
· Users need to enter the PIN twice to log in using a CAC card with a PIN on RedHat. The first attempt fails but the second succeeds. (Ref: CS-30551c)
· Running "sctool -D" as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)
· Screen saver shows password not PIN prompt (Ref: CS-31559a)
Most smart card users can log on with a smart card and PIN only and cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this setup works seamlessly: the user either enters a user name and password at the logon prompt, or inserts a smart card and enters a PIN at the prompt.
However, for multi-user cards, it can be problematic when the screen locks while the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters their password multiple times, the card will lock once the limit for incorrect entries is reached.
On RHEL 7, an Active Directory user authenticated via smart card cannot log in again if the smart card is removed. This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342. This problem does not happen on RHEL 6. (Ref: CSSSUP-6914c)
· The SQL Server Availability Group feature in SQL Server 2012 is not supported. (Ref: CS-39674a)
In addition to the documentation provided with this package and on the web, you can find the answers to common questions and information about any general or platform-specific known limitations as well as tips and suggestions from the Centrify Knowledge Base.
The Centrify Resources web site provides access to a wide range of information, including analyst reports, best practice briefs, case studies, datasheets, ebooks, white papers, and more, that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site.
You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Infrastructure Services, send email to firstname.lastname@example.org or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to email@example.com.