Centrify Infrastructure Services 2020 Agent for Windows 3.7.0 Release Notes

© 2007-2020 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Contents

1.        About Centrify Agent for Windows 1

2.        Supported Platforms and System Requirements 1

3.        Feature Changes 1

3.1         Feature Changes in Agent for Windows 3.7.0 (Release 2020) 1

3.1.1        Security fixes 1

3.1.2        General 1

3.2         Feature Changes in Agent for Windows 3.6.1 (Release 19.9) 1

3.2.1        Security fixes 1

3.2.2        General 1

3.3         Feature Changes in Agent for Windows 3.6.0 (Release 19.6) 1

4.        Bugs Fixed 1

4.1         Bugs Fixed in Agent for Windows 3.7.0 (Release 2020) 1

4.2         Bugs Fixed in Agent for Windows 3.6.1 (Release 19.9) 1

4.3         Bugs Fixed in Agent for Windows 3.6.0 (Release 19.6) 1

5.        Known Issues 1

5.1         Installation and Uninstall 1

5.2         Configuration 1

5.3         Environment 1

5.4         RunAsRole 1

5.5         Desktop with Elevated Privileges 1

5.6         Roles and Rights 1

5.7         Compatibility with 3rd Party Products 1

5.8         Application Manager 1

5.9         Network Manager 1

5.10       Endpoint Enrollment 1

5.11       Centrify Agent for Windows 1

6.        Additional information and support 1

 

1.   About Centrify Agent for Windows

The Centrify Agent for Windows package contains software to support auditing, access control, and privilege management on Windows computers. Audit and Access features must be installed together but their services can be enabled separately on the Windows computers you want to manage.

For auditing, the Centrify Agent for Windows requires the Centrify Auditing & Monitoring Service feature set, which is available in Centrify Infrastructure Services. Centrify Auditing & Monitoring Service enables detailed auditing of user activity on a wide range of UNIX, Linux and Windows computers. With Centrify Auditing & Monitoring Service, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, and improve regulatory compliance and accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Agent for Windows records user activity on the Windows computer when it is installed.

For access control and privilege management, the Centrify Agent for Windows requires the Centrify Authentication Service and Centrify Privilege Elevation Service feature sets, which are available in Centrify Infrastructure Services. With Centrify Authentication Service and Centrify Privilege Elevation Service, you can configure and manage role-based access controls for Windows servers. The Centrify Agent for Windows extends the access control and privilege management features available for Linux and UNIX computers, so that you can use a single console to manage multiple platforms. You can deploy the Centrify Agent for Windows in a Windows-only environment or as part of a mixed environment that includes Windows, Linux, and UNIX computers.

Centrify Agent for Windows provides both privilege elevation and auditing functionalities, and for more information about the auditing feature, refer to the Centrify Auditing & Monitoring Service Release Notes for more detailed information.

You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)

2.   Supported Platforms and System Requirements

For the list of the supported platforms by this release, refer to the "Supported Platforms" section in the Centrify Infrastructure Services release notes.

For the platforms to be removed support in coming releases, refer to the "Notice of Termination Support" section in the Centrify Infrastructure Services release notes.

For a complete list of supported platforms in the latest releases, refer to the 'Centrify Infrastructure Services' section in the document available from www.centrify.com/platforms.

3.   Feature Changes

3.1    Feature Changes in Agent for Windows 3.7.0 (Release 2020)

3.1.1       Security fixes

N/A

3.1.2       General

·         Centrify Agent for Windows can now automatically add Windows accounts with 'Windows console login' right and/or 'Windows remote login' right to the 'Allow log on locally' policy and/or the 'Remote Desktop Users' local group if this feature is enabled via a registry setting. (Ref: CS-48495)

·         Starting Release 2020, Centrify Agent for Windows allows running applications using the logged-in user’s alternate account configured in the Privileged Access Service. For details on how to use this feature, please refer to the User’s Guide for Windows. (Ref: CS-48521)

·         Centrify Agent for Windows now emits heartbeat information to the Windows Application log at controllable interval which can be used by the Centrify Analytics and other SIEM tools for monitoring agent’s status. (Ref: CS-48044)

·         Starting Release 2020, you can manage local accounts on Windows Systems joined to a zone. For details, refer to the Administrator’s Guide for Windows. (Ref: CS-46257, CS-47718)

·         Centrify Agent for Windows now writes the timestamp information to the Active Directory when the computer is joined to a zone. (Ref: CS-42383)

·         Starting Release 2020, the 'Endpoint enrollment' feature (also known as 'Zero Sign-On') has been removed from the Centrify Agent for Windows. (Ref: CS-48797)

3.2    Feature Changes in Agent for Windows 3.6.1 (Release 19.9)

3.2.1       Security fixes

·         Fixed a security vulnerability that allowed an attacker to perform remote code execution - related to .NET framework vulnerability detailed in CVE-2012-0161. (Ref: CS-48321)

3.2.2       General

N/A

3.3    Feature Changes in Agent for Windows 3.6.0 (Release 19.6)

·         dzleave CLI now allows to specify an option to remove role assignment from computer zone. (Ref: CS-47639)

·         Implemented the ability to export single zone info (roles and rights) without identifiable environment info and to import such exports in the new environment. (Ref: CS-47645)

·         Agent now supports using 3rd party MFA provider for privilege elevation and secure desktop MFA via RADIUS server. (Ref: CS-47649)

·         Added new PowerShell Cmdlets Join-CdmZone and Exit-CdmZone for joining (and leaving) Windows System to (from) a zone. New cmdlets support PSCredential object to specify administrator's credential in secure way. (Ref: CS-47640)

·         The agent now supports finding the tenant and connectors by Tenant ID. For machines that are joined to a zone, use Access Manager to specify the tenant ID on zone properties. For machines not joined to a zone, use the GP "Specify the Platform Instance ID to use (when the agent is not joined to a zone)" to specify the tenant ID, or use Agent Configuration Panel to set the tenant ID when adding the identity platform service. (Ref: CS-48037)

4.   Bugs Fixed

4.1    Bugs Fixed in Agent for Windows 3.7.0 (Release 2020)

·         Fixed an issue that previously prevented a rescue user from logging on to the machine in rescue mode. (Ref: CS-48762)

·         Fixed an issue with filesystem filter that previously caused a memory leak. (Ref: CS-48523)

·         Fixed an issue that previously resulted into failure in matching application criteria while performing "Run with Privilege" action against an MSI file on a system with Turkish locale. (Ref: CS-48499)

·         Fixed an issue in the screen lock functionality on the privilege desktop by introducing a new NoLockScreen registry setting. Also, the installer now shows a warning message when Secure Boot BIOS settings are detected on Win 8, Server 2012 or above platforms. (Ref: CS-48498, CS-48525)

·         Fixed an issue in the MFA login that previously prevented the custom message (configured in RADIUS) from being displayed. To facilitate this fix, a new registry setting viz. MfaPromptAttribute has been introduced. If present, the value of this registry can be used to specify a custom prompt. (Ref: CS-49007)

4.2    Bugs Fixed in Agent for Windows 3.6.1 (Release 19.9)

·         Provided an option to specify the default timeout value for the service control manager in the registry. (Ref: CS-48339)

·         Fixed an issue that caused the agent to enter rescue mode after upgrade when machine is disconnected from AD. (Ref: CS-48344, CS-48308)

4.3    Bugs Fixed in Agent for Windows 3.6.0 (Release 19.6)

·         Fixed an issue that caused agent to terminate unexpectedly. (Ref: CS-47503)

·         fixed an issue that caused mouse cursor to be displayed at an offset from the actual location after switching to secure desktop. (Ref: CS-47556)

·         Fixed an issue where notification icon would be left displayed on the desktop after the notification window is closed. (Ref: CS-47676)

·         Fixed issue that prevented DISM from mounting a WIM image on a folder of a local hard disk. (Ref: CS-47765)

·         Fixed an issue that prevented launching of the browser by clicking on "Browse" option of IIS. (Ref: CS-48043)

·         Fixed an issue that caused IE browser to open on Default desktop when it's open through IIS Manager on Privileged Desktop. (Ref: CS-47502)

·         Fixed an issue that caused Chrome Browser to be open in default desktop at the end of installation or upgrade even when installation or upgrade were started from privileged desktop. (Ref: CS-45503)

·         Fixed an issue, which prevented adding "Privilege Elevation Services" if the client machine is joined to Read Only DC. (Ref: CS-48090)

5.   Known Issues

5.1    Installation and Uninstall

·         Upgrading from the beta build to this version may result in offline MFA mode if there are multiple authentication servers registered in your AD forest. To resolve this, uninstall the beta build first and then install this new version. (Ref: CS-41915)

·         Upgrading Windows while the Agent is installed will result in a failure of the Windows upgrade. The workaround is to uninstall the agent before performing the upgrade or perform a fresh Windows install without keeping existing applications and settings. (Ref: CS-42200)

·         Currently the MFA login feature is not supported on Windows Server 2016 "Server Core" systems. This feature component will not be installed on Windows Server 2016 "Server Core" systems. (Ref: CS-42192, CS-42527)

·         The Centrify Common Component should be the last Centrify Server Suite component uninstalled. If the component is uninstalled before other component, it must be reinstalled by the uninstall process to complete its task. (Ref: 36226a)

·         If you intend to install the software on the desktop with elevated privilege, you should not check the “Run with UAC restrictions” option when creating the desktop. (Ref: 39725b)

·         When you double-click on the Centrify Agent for Windows msi and select the “repair” option, the existing files are replaced irrespective of their version number, even when they are identical.  As a result, a prompt to restart the system is displayed as files that were in use were replaced. However, if you use the Easy Installer to do the repair and a file on the disk has the same version as the file that is part of the installer package, the installed file will not be replaced. Therefore, there will not be any prompt to restart the system. (Ref: 26561a)

·         When the Centrify Agent for Windows is either installed or uninstalled and the prompt for a machine restart is deferred using the “restart later” option or ignored, other components of DirectManage may display errors due to an incomplete installation. A restart is mandatory if requested after install or uninstall operation. (Ref: 36307a)

·         Users may notice a few “Side by side” configuration errors in the Event Viewer after installing the Centrify Agent for Windows, if Microsoft KB945140 related components have been installed on the local machine previously. These errors will go away after you restart the computer and have no functional effect. (Ref: 35302a)

·         If you uninstall the Centrify Agent for Windows while the DirectAudit Agent Control Panel is open, files needed by the uninstall process may be blocked. You should close the DirectAudit Agent Control Panel for a successful conclusion to the uninstall process. (Ref: 25753a)

·         If you have installed the Access feature of Centrify Agent for Windows from Centrify Server Suite 2013 and are trying to upgrade the component to the latest version, you may see the following error during the installation process, “Service ‘DirectAuthorize Agent’ could not be installed. Verify that you have sufficient privileges to install system services.” If you see this error message, it typically indicates that the existing service is taking longer time to stop and hence the new service is not getting installed.  When you see this error, wait for some time (typically 30 seconds) and click on Retry button on the error message box. (Ref: 47270a)

·         Centrify Agent for Windows and its installer are built on .NET. Therefore, .NET is always installed as a pre-requisite before the agent is installed. If .NET is removed from the system later, Centrify Agent for Windows will not run properly. User will also experience problem when trying to remove Centrify Agent for Windows from the system. To properly uninstall Centrify Agent for Windows, please make sure Centrify Agent for Windows is uninstalled before .NET. (Ref: 39051a)

·         The list of rescue users is stored in different places in Suite 2013.3 (or previous releases) and Suite 2014 and this list is not automatically migrated to its new location when upgrading from Suite 2013.3 or a previous release to Suite 2014. Because of this, it’s highly recommended that Centrify Agent for Windows should not be upgraded in disconnected mode (i.e. when the system cannot connect to the Active Directory). If a system is upgraded in disconnected mode, the list of rescue users will be lost and only local administrators will be able to login to the system after reboot. (Ref: 57622a)

·         If you install Access feature of Centrify Agent for Windows without installing the Audit feature, the registry key value for HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\AuditTrail\AuditTrailTargets is set to zero as expected, which means the audit trail is not sent to DirectAudit Audit Store database. However, if you try to change the installed features list of Centrify Agent for Windows and add the Audit feature later, the change process does not automatically set the AuditTrailTargets value to the expected new value of 1, which means to send audit trail data to DirectAudit Audit Store database.  This is a known issue and workaround is to set this value manually to 1 after the installer finishes the process of adding new feature. (Ref: 59353b)

·         If you have installed the Access feature of Centrify Agent for Windows from earlier version and then upgraded the component to the latest version while the Agent for Windows is not currently connected to any Active Directory domain controller, only users who have been assigned a role with rescue rights will be able to log on to the computer until the connection to Active Directory is restored. (Ref: 58858b)

5.2    Configuration

·         In a cross-forest environment, forest A user cannot enroll a device joined to forest B when forest A does not have a connector. (Ref: CS-44805)

·         When a machine that has MFA for Windows login enabled is reconfigured to connect to a different forest, the previous setting for the authentication server may no longer be valid. However, if there are Group Policy login settings applied to the machine in the new forest, the new settings will be enabled when the Group Policy Editor refreshes. (Ref: CS-41928)

·         In Windows 2016 and Win10, during the login process, selecting SMS or using other mechanisms like Security Question/Phone call/Password/Email/Mobile for MFA and clicking the “Commit” button will be intermittently unresponsive. (Ref: CS-41699)

·         It can take a long time for users in offline mode to be re-prompted for their passcode.

In the event that the Agent cannot connect to the Centrify Authentication Server, and a user is required to enter an offline passcode, it can take up to several minutes for the agent to re-prompt for the passcode if the user enters it incorrectly. If the user tries to cancel login by pressing "back" or by switching the user, the login screen may become unresponsive. This time lag between an incorrect passcode and the re-prompt can also occur when a user incorrectly enters their offline passcode for privilege elevation. (Ref: CS-41302)

·         Administrator should always leave the zone before joining the computer to a different domain.  Otherwise, DirectAuthorize may not function correctly after the computer is joined to a different domain. (Ref: 54278b)

·         In some large environment with multiple domain controllers, it may take up to one minute for the new zone setting in Centrify Agent Configuration to take effect. (Ref: 58128b)

·         If one of the Global Catalog servers is unavailable, user may not be able to configure the zone for Centrify Agent for Windows. (Ref: 58621b)

·         Microsoft normally automatically distributes and installs root certificates to the Windows system from trusted Certificate Authorities (CA) and users are seamlessly able to use a secure connection by trusting a certificate chain issued from the trusted CA. However, this mechanism may fail if the system is in a disconnected environment where access to Windows Update is blocked or this feature of automatic root certificate installation is disabled. Without updates on the certificate trust list (CTL), the default CTLs on the system may not be adequate for secure connections of Centrify multi-factor authentication especially for older versions of Windows such as Windows 7 and Windows Server 2008 R2. To ensure the success of Centrify multi-factor authentication, user may need manually distribute and install the latest CTLs and the required root certificate to systems in a disconnected environment. See Centrify KB-6724 for further information. (Ref: CS-39703)

 

5.3    Environment

·         On Windows 10 and Win2K16 machines with Centrify Privilege Elevation Service, following will occur (Ref: CS-43883):

• Pop up an error dialog several seconds after clicking "Open file location" in the context menu of a shortcut on the start menu. Explorer windows will display correctly.

• No responses to the following actions

  • Clicking "Open file location" in the context menu of a shortcut on desktop

  • Clicking "Open file location" in the context menu of a shortcut on the Centrify Start menu in the Privileged Desktop

  • Slow response to "OK", "Cancel" in the shortcut property page after "Open file location" in the general tab is clicked. The dialog will close after several seconds.

·         On some Windows 10 machines, the smart card login option may not be displayed if another credential method has been recently used. To display the smart card login option, remove and insert a smart card into the reader. This will cause the login screen to reload and will display the smart card login option. (Ref: CS-41282)

·         Centrify Agent for Windows requires you to patch to at least build 10.0.14393 on Windows 10 and Windows Server 2016 to use MFA features. (Ref: CS-41387)

·         Selective two-way external trusts are not supported. Both Windows machines and Centrify zones are required to be in the same forest or different forests with a two-way forest trust established. (Ref: 40713b, 44644b, 44647b, 44657b, 40643b, 40650b, 45341b, 45372b)

·         Environment with no Global Catalog is not supported. (Ref: 46577a)

·         DirectAuthorize for Windows requires machine time to be synchronized with domain controller. VMware virtual machine has a known issue that its time may not be synchronized with domain controller. This problem occurs more often on an overloaded virtual machine host. If the system clocks on the local Windows computer and the domain controller are not synchronized, DirectAuthorize for Windows does not allow any domain users to login. You can try the following KB from VMware to fix the time synchronization issue. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 (Ref: 47795b)

 

5.4    RunAsRole

·         If you use the “RunAsRole.exe /wait” command to run a Python script, the input/output cannot be redirected for versions of Python below 3.0.0. (Ref: 45061a)

·         Run As Role menu is not available on the start screen in Windows 8 or Windows 2012 or later because Microsoft doesn’t support any custom context menu on the start screen.  User has to go to the Windows desktop in order to launch an application using Run As Role context menu. (Ref: 35487a)

·         On Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, use “Run as role” with Local Administrators group privilege on Control Panel does not have sufficient permission to add printers if the printer drivers are not pre-installed on the computer. The workaround is to define a role run as a user with Local Administrator privilege or with a group as a member of Local Administrators group. (Ref: 68826a)

·         The “Run as role” for Windows Media Player is not recommended. Please use privilege desktop instead. (Ref: 55615a)

·         When running “RunAsRole.exe /wait sc.exe” with no argument provided to sc.exe, sc.exe will prompt

Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:

Typing ‘y’ or ‘n’ doesn’t do anything because the input cannot be successfully redirected to sc.exe. (Ref: 47016b)

·         It is not recommended to change zone via Run As Role since the role that is in use may no longer be available once after leaving from the previous zone during the change zone process. (Ref: 58043a)

·         On Windows Server 2008 R2 and Windows 7, if the Agent machine has no internet connection and the .NET CLR settings (checkCertificateRevocationList) is set to True, the MFA authentication will be failed because the CLR is unable to verify the certificate through internet. The workaround is to enable the internet connection or turn off the CLR settings (set checkCertificateRevocationList to False which is also the default value). (Ref: CS-40147)

5.5    Desktop with Elevated Privileges

·         In desktop with elevated privilege a mouse left click does not work for SysTray Icons that involve opening the WinRT(or new Window) UI. The Systray icons affect are Time, Volume Control, or any third party icons on Windows 10/2016. (Ref: CS-39454)

·         Server Manager cannot be started on multiple desktops at the same time. The bug exists on Windows 2012R2, 2016. (Ref: CS-42060)

·         On a desktop with elevated privileges on Windows 8, 10 & 2016, the search for files or folders will be intermittently disabled from the Start menu ("Start" menu > "Search" > "For Files or Folders…"). (Ref: CS-42066)

·         On a desktop with elevated privileges, if you open the Task Manager and select “File > New Task” to run an application without selecting the “Create this task with administrative privileges” option, the application will be launched on the default desktop. This issue occurs when User Account Control (UAC) is enabled. (Ref: 32169a)

·         If the sAMAccountName attribute of an Active Directory account is changed while the old account name is still cached on the computer, you may see the following error message when creating a new desktop or using “Run as role” with a right configured to run as the modified user account:

“Failed to open new desktop. Right xxx references bad user account.”

The workaround is to restart the computer. (Ref: 35124a)

·         On a desktop with elevated privileges, if you use “Control Panel > Programs > Programs and Features” to uninstall a program, you may see the following warning message and cannot uninstall the software.

“The system administrator has set policies to prevent this installation.”

This issue happens when User Account Control (UAC) is enabled and when “Run with UAC restrictions” is selected when creating the new desktop. (Ref: 33384a)

·         When you open the Start menu “Help and Support” item on a desktop with elevated privileges, the Windows Help and Support is launched on the default desktop. Switch to the default desktop to view the information. (Ref: 32147a)

·         If you shut down, restart, or log off from a desktop with elevated privileges, all running applications are terminated forcibly without being prompted to save any open documents. (Ref: 40749a)

·         You cannot launch Windows Security Options using “Start menu -> Windows Security” on a privilege desktop with elevated privileges when using a remote desktop connection. You must switch back to the default desktop to continue. (Ref: 45995b)

·         Installation of IE9 on desktops with elevated privileges may cause the privileged desktop to become unusable. Use “RunAsRole” for installation of IE9 instead. (Ref: 44930a)

·         You cannot use the Start menu option “Switch User” while you are using a role-based, privileged desktop. To use the “Switch User” shortcut, change from the privileged desktop to your default Windows desktop. From the default desktop, you can then select Start > Switch User to log on as a different user. (Ref: 39011b)

·         On a DirectAuthorize desktop using a role with local administrator privilege, the Stand By option in the shutdown menu does not work.  This is a known issue and will be addressed in future release. (Ref: 58280a)

·         VMWare registers to run VMwareUser.exe on the guest operating system to enable user to copy and paste text between the guest and managed host operating systems. Creating multiple desktops with different user accounts causes multiple VMwareUser.exe are run in different user accounts in the same logon session.  VMwareUSer.exe cannot support this scenario and therefore an error message is displayed on the default desktop which blocks all the UI operation on the new desktop. To workaround this problem, user can disable the VMWare user program on the guest machine by deleting the registry value name “VMware User Process” from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. (Ref: 49268a)

·         On a privileged desktop on Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2, you may not be able to access the VMware shared folder. (Ref: 40686c)

·         Windows logo key keyboard shortcuts are not supported on privileged desktop. Depends on the key and operation system, the shortcut could either have no effect or its effect is applied to the default desktop instead. (Ref: 47588b)

·         A Start menu on privileged desktop on Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2, to make up for a limitation of Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2. In addition, navigating to a Modern Start screen to use Modern-style apps from a privileged desktop is not possible from either the charm bar or using a Windows. Note: you must switch back to the default desktop in order to go to Modern Start screen. (Ref: 41245c)

·         The Challenge Pass-Through Duration setting is currently not supported for Centrify Windows multi-factor authentication. The Challenge Pass-Through Duration setting does not require a user, who has successfully met a multi-factor authentication challenge, to re-authenticate through mfa to use an mfa-required right or role if that user chooses the same challenge mechanism when prompted within the duration specified in the setting. (Ref: CS-39432)

 

5.6    Roles and Rights

·         No 'Require multi-factor authentication' system right for the predefined 'Windows Login' role. To define this system right for MFA, use the pre-defined Require MFA for logon role, or create a new custom role. (Ref: CS-40888)

·         Windows Network Access rights do not take effect on a Linux or UNIX machines. If you select a role to start a program or create a desktop that contains a Network Access right, you can only use that role to access Windows computers. The Windows computers you access over the network must be joined to a zone that honors the selected role. The selected role cannot be used to access any Linux or UNIX server computers on the network. (Ref: 32980a)

·         Network Access rights are not supported on the Windows 2008 R2 Terminal Server if “RDC Client Single Sign-On for Remote Desktop Services” is enabled on the client side. (Ref: 34368b)

·         To elevate privileges to the “Run as” account specified in a Windows right, the “run as” account must have local logon rights. If you have explicitly disallowed this right, you may receive an error such as “the user has not been granted the requested logon type at this computer” when attempting to use the right. (Ref: 34266a)

·         If your computer network is spread out geographically, there may be failures in NETBIOS name translation. If a NETBIOS name is used, Active Directory attempts to resolve the NETBIOS name based on the domain controller that the user belongs to, which in a multi-segment network might fail. Therefore, Network Access rights might not work as expected if the remote server is located using NETBIOS name. You may need to consult your network administrator to work around this issue. (Ref: 39087a)

·         File hash matching criteria in the Application right is not supported for a file larger than 500MB.  This is to make sure DirectAuthorize does not spend too much CPU and memory resources to calculate the file hash.  User trying to import a file with the size larger than 500MB will see an empty value for the file hash field. (Ref: 56778a)

·         For a small set of application, enabled matching criterion - “Product Name”, “Product version”, “Company”, “File Version” or “File Description” of a Windows Application Right may fail to match after upgrading agent under the following conditions: - Any value for the enabled matching criteria is defined by either import from a process or file - The matching criteria is defined by 5.1.3 or 5.2.0 DirectManage Access Manager since the number of affected application is expected to be relatively low, proactively updating the defined matching criteria of Windows Application Right is not necessary. (Ref: 60053a)

·         Smart card users can continue to use their own smart card to logon, but there will be no Centrify MFA features applied to smart card users. (Ref: CS-41539)

5.7    Compatibility with 3rd Party Products

 

·         MFA may be skipped when connecting through XenDesktop because the Citrix Credential Provider may be used instead of the Centrify Credential Provider. The workaround is to disable the Citrix Credential Provider through the Group Policy "Centrify Settings\Windows Settings\MFA Settings\Specify the credential providers to exclude from the logon screen." (Ref: CS-46744)

·         VirtualDesktop is not compatible with Centrify Agent for Windows. Users should use the Centrify system tray applet to create virtual desktop instead. (Ref: 44641b)

·         Attempting to launch SCOM Operation Console on privileged desktops will fail if there is an existing instance on other desktops and a new SCOM Operation Console will be started on the desktop with the existing instance. The workaround is to close all existing instances before starting a new SCOM Operation Console. (Ref: CS-43790)

·         The startup path for “SharePoint 2010 Management Shell” and “Exchange Management Shell” may set to C:\Windows instead of user home directory if it is launched via RunAsRole.exe or from a desktop with elevated privilege. (Ref: 38814b, 46943b)

·         On a desktop with elevated privileges, if you install McAfee Security Scan products and click “View Readme”, the Readme.html is shown on the default desktop. Similar issues may happen with other third party programs. The alternate way to view the Readme.html on the desktop of a managed computer is to open the Readme.html file directly. (Ref: 34642a)

·         Attempting to enable Kerberos authentication for Oracle databases will fail. This issue is being brought to the attention of Oracle Support for a resolution in upcoming releases. (Ref: 33835b)

·         The Microsoft Snipping Tool utility has a bug that prevents it from running on a desktop with elevated privileges. (Ref: 31931a)

·         Some applications do not use the process token to check the group membership. They check the user’s group membership on its own. Therefore, any Windows rights configured to use a privileged group will not take effect in these applications. The workaround is to use a privileged user account instead of a privileged group. Here is the list of known application with this issue:

1.  vCenter Server 5.1

2.  SQL Server

3.  Exchange 2010 or above 

4.  SCOM 2007

(Ref: 45318a, 45218a, 43779a, 38016a)

·         Privilege elevation using Windows Rights for Internet Explorer (IE) 7 is not supported. (Ref: 33425a)

·         Privilege elevation using Windows rights for “Remote Desktop” is not supported. (Ref: 45222b)

·         Privilege elevation using Windows rights for taskmgr.exe, explorer.exe, and cmd.exe are not recommended. A user granted privileges with Windows rights is implicitly granted to run any executable under the same privilege. (Ref: 45861a, 40525a)

·         Users may notice an error and cannot install ActivClient after installing Centrify Agent for Windows. During the installation of ActivClient, it attempts to change the local security setting. However, there is a known issue for Centrify Agent for Windows of blocking the local security setting (Ref: 63609b). Therefore, users may not be able to install ActivClient successfully after installing Centrify Agent for Windows. We suggest installing ActivClient before installing Centrify Agent for Windows. If Centrify Agent for Windows has been installed, please uninstall it and follow the installation sequence suggested. This issue happens on Windows 8.1 and Windows 2012 R2 only. (Ref: 76016b)

·         McAfee Virus scan enterprise blocks our kerberos/authentication binaries(Dzkerberos.dll & DzMsv1_0.dll) from loading into lsass.exe on Windows server 2008 R2 Sp1. (Ref: CS-42755)

·         McAfee Virus scan may block the Centrify Agent for Windows from registering the LSA packages while joining the system to a zone. The zone join operation now detects the same and shows a warning to the user. (Ref: CS-48893)

5.8    Application Manager

·         Application Manager does not support Server Core edition of Windows. (Ref: CS-40656)

·         Application Manager may not be able to generate Audit Trail event for the uninstall, change or repair operations which require reboot. (Ref: CS-45641)

 

5.9    Network Manager

·         Network Manager does not support Server Core edition of Windows. (Ref: CS-42675)

5.10  Endpoint Enrollment

·         When a Windows machine is enrolled by a user as a personal device and subsequently that user is disabled, after upgrading the product, there is no way to let another user to enroll a personal device for that machine. The workaround is to remove the service "Centrify Identity Services Platform" in Agent Configuration and add that service again. (Ref: CS-44514)

5.11  Centrify Agent for Windows

·         Auditing status is incorrectly displayed on Authorization Center and the desktop notification message when the following Group Policies are enabled:

- Audited user list

- Non-audited user list

(Ref: CS-46321)

·         Centrify Agent for Windows installation may prematurely end on systems that have Citrix Virtual Delivery Agent version 7.9 or higher installed. Please refer to the Centrify Knowledge Base for possible workarounds to deploy Centrify Agent for Windows on systems affected by this issue. (Ref: CS-46288)

6.   Additional information and support

In addition to the documentation provided with this package, see the Centrify Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone.

The Centrify Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:

www.centrify.com/resources

To contact Centrify Support or to get help with installing or using this version of Centrify Agent for Windows software, send email to Support or call 1-669-444-5200, option 2.

For information about purchasing or evaluating Centrify products, send email to info.