© 2006-2013 Centrify Corporation.
This software is protected by international copyright laws.
All Rights Reserved.
The Centrify Windows Agent supports both DirectAuthorize and DirectAudit.
Centrify DirectAudit enables detailed auditing and logging of user activity on UNIX and Windows systems. With DirectAudit you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, or spot suspicious activity through real-time monitoring of current user sessions.
DirectAudit supports auditing of the widest range of UNIX, Linux and Windows systems in the industry. Over 400 different server platforms are supported. See DirectAudit Supported Platforms for a complete list.
DirectAuthorize for Windows provides access control and privilege management for Windows server platforms. These components extend the Centrify UNIX product suite to the Windows arena, and may be used both in a Windows-only deployment as well as a mixed Windows and UNIX deployment (for more information see DirectAuthorize UNIX Supported Platforms).
This software package contains the Centrify Agent for Windows for Audit and Access.
The Centrify Windows Agent for Audit is installed on an audited Windows system. It captures user activity and spools audited data for transmission to the Audit Collector. The Centrify Windows Agent for Audit will log audited data to the Windows event logs and databases on the Audit Server.
The Centrify Windows Agent - Audit in this package can be installed on the following operating systems.
· Windows 2003 Server SP2 and later (32-bit and 64-bit)
· Windows 2003 Server R2 (32-bit and 64-bit)
· Windows 2008 Server (32-bit and 64-bit)
· Windows 2008 Server R2 (64-bit)
· Windows 2012 Server (64-bit)
· Windows XP SP3 (32-bit or 64-bit)
· Windows Vista SP2 and later (32-bit and 64-bit)
· Windows 7 (32-bit and 64-bit)
· Windows 8 (32-bit and 64-bit)
Note: In this document, all references to “Windows” apply equally to all supported Windows platforms unless specifically excluded.
For information about installing the Centrify Windows Agent for Audit, and to step through common tasks and test scenarios related to the Windows components, see the Centrify Suite 2013 Windows Evaluation Guide.
· Hardware acceleration may slow console login. With Windows XP and Windows Server 2003, you may experience slow login performance if hardware acceleration is set to full. This issue only affects local logins. It does not affect Remote Desktop (RDP) sessions. To work around this issue, set hardware acceleration to none.
· On audited Windows XP machines, the mouse cursor may flicker when DirectAudit is enabled. When using RDP to access the machine remotely this issue may manifest itself by the RDP mouse pointer moving back a few pixels from where it was placed. This is a bug with Windows XP and is not expected to be fixed by Microsoft.
· On Windows XP and Windows Server 2003, when a user is in screen-saver mode, a session will be suspended after ~20 seconds of monitoring and a new session will be started when the screen-saver is dismissed. However, if a user reactivates a session before the 20 second time period expires, the session should resume.
· If you uninstall the Centrify Windows Agent for Audit while the Audit Agent panel is open, files needed by the uninstall process may be locked. Close the Audit Agent panel so that the uninstall process can complete successfully.
· The offline data location (and subdirectories below it) is expected to be a location dedicated to spooling, for example c:\spool. If the offline data location is changed, all files in the old location (including subdirectories and their contents) are moved to the new location, and this may cause problems if the old location was not exclusively for spooling use. For example, choosing c:\ as the original spool location and d:\spool as the new location would cause all files on drive c to be copied to d:\spool.
· If Agent software is installed, configured, and running on an audited machine, the audited session data is spooled on the local disk even if the Audit Collector, Audit Store or Audit Management Server databases are not yet ready. Once these components are ready, the spooled data is written to the Audit Management Server database, enabling the session to be played back.
· On Windows 2003 and Windows XP, when using the Easy installer, if you change the startup Service Property you may receive an ‘Access Denied’ message. Changes to this property have been disabled to guard against unauthorized termination of services. This differs from Windows 2008 and later platforms, where the properties are grayed out to prevent the user from selecting them. This behavior related to properties is platform specific and is expected on these Windows platforms.
· When the Centrify Windows Agent for Audit is repaired using “Centrify DirectAudit Agent64.exe”, a pop-up dialog with the following message appears after the repair operation:
You must restart your system for configuration changes made to Centrify DirectAudit 201x Agent x.x.x-xxx to take effect. Click Yes to restart now or No if you plan to manually restart later.
When you double-click on the msi and select the "repair" option, the repair starts in "emus" mode. See options e, m, u and s in the link below.
In this mode, the existing files are replaced irrespective of their version number, even when they are identical. Under "emus" mode, all files are replaced and a prompt for "system restart" is displayed as files that were in use were replaced.
When using the Easy Installer with the "repair" option, it starts the repair in "omus" mode. See options o, m, u, and s in the link above.
In this mode, if a file installed on the disk has the same version as the file that is part of the installer package, the installed file will not be replaced. This means there will not be any prompt for "system restart".
If the repair option of Easy installer is changed from "omus" to "emus" mode, files are repaired unnecessarily and the user will lose any customizations done to the mmc files. The current behavior for repair in “omus” mode is as designed and is not planned to change.
· Microsoft SQL Server 2005 (the release version and service packs) and earlier versions are not supported on Windows Server 2012 or Windows 8.
The Centrify Windows Agent for Access plays a core part in authentication and authorization logic through role-based access control and privilege management on the specific Windows computers you want to manage. By using DirectManage Access Manager and the Centrify Windows Agent for Access, you can develop fine-grained control over who has access to Windows computers and limit the use of administrative accounts and passwords. Specifically, through this functionality:
· Users logging on to the computer must be assigned a role that permits login.
· Users assigned to a role with applications rights can run a specific application with elevated privileges.
· Users assigned to a role with desktop rights can create new Windows desktops that enable them to run all local applications with elevated privileges.
· Users assigned to a role with network access rights can connect to network resources with elevated privileges.
The Centrify Windows Agent for Access in this package can be installed on the following operating systems.
· Windows 2003 Server SP2 and later (64-bit)
· Windows 2003 Server R2 (64-bit)
· Windows 2008 Server (32-bit and 64-bit)
· Windows 2008 Server R2 (64-bit)
· Windows XP SP3 (64-bit)
· Windows 7 (32-bit and 64-bit)
· Centrify Windows Agent for Access does not support Windows 8 and Windows 2012. Support is planned for a subsequent release of the product.
· At the end of the Centrify Windows agent installation, a user is prompted to restart the machine. Choosing to do so via the install program prompt may not work; if you do not see a prompt, please restart the machine manually.
· The Centrify Common Component should be the last Centrify suite related component uninstalled. If it was uninstalled earlier, it will need to be reinstalled by the uninstall process to complete its task.
· When the Centrify Windows Agent for Access is either installed or uninstalled and the prompt for a machine restart is deferred using the “restart later” option or ignored, other components of DirectManage Windows may display errors due to an incomplete installation. A restart is mandatory if requested after an install or uninstall operation.
· Mounting the ISO from a network drive may result in error 1602 from setup.exe. The workaround is to mount the ISO from the local drive.
· When the Centrify Windows Agent for Access is already installed and the installer is run again with the Modify option selected, the Next button remains in an enabled state on the component selection page even if there is no change made to the selection. If a user decides to proceed without making any changes, the installer will perform a repair.
· The component selection page of the installer for the Centrify Windows Agent for Access does not allow specifying a separate installation location for each individual component. All the components selected on this page are installed in the same location. Therefore, the Browse button remains disabled when the user highlights individual components in the component selection tree. The Browse button is enabled only when the user highlights the top node of the component selection tree.
· Users may notice a few "Side by side" configuration errors in the Event Viewer after installing the Centrify Windows Agent for Access, if Microsoft KB945140 related components have been installed on the local machine previously. These errors will go away after you restart the computer and have no functional effect.
· You should not uncheck "run with highest privilege" for local Admin desktops when installing the software.
· The DirectAuthorize Service has an Authenticode signature to ensure file integrity. A bug in the .NET Framework causes applications with Authenticode signatures to take longer to start. A workaround is suggested in the MSDN KB article http://support.microsoft.com/kb/936707.
· The Forest analysis operation in DirectManage Access Manager is not designed to find Windows machine specific issues.
· The "Run as role..." context menu is not displayed when you right-click Start > All Programs > Administrative Tools > Active Directory Users and Computers on a domain client computer with the Windows Server 2003 Service Pack 1 Administration Tools Pack installed. This issue occurs on Windows XP, Windows 2003 and Windows 2003 R2. The workaround is to create a shortcut with target C:\WINDOWS\system32\dsa.msc; the "Run as role..." context menu is displayed when you right-click this shortcut.
· The "Run as role” menu item for both the Windows Control Panel and the Windows Explorer is not supported on Windows XP, Windows 2003 and Windows 2003 R2.
· Users may attempt to launch Internet Explorer (IE) on a self-desktop or by using “run as role” with the self role. Although this is expected to be a borderline use case, note that IE fails to launch in this manner.
· On a privileged desktop, if you open the Task Manager and select “File > New Task” to run an application without selecting the "Create this task with administrative privileges" option, the application is launched on the default desktop. This issue occurs when User Account Control (UAC) is enabled.
· Sometimes the Centrify icon cannot be shown in the notification area of the taskbar if a user logs onto the computer immediately after starting the computer. This issue does not happen if remote desktop is used to access the computer. This issue happens on Windows XP, Windows 2003, and Windows 2003 R2. Logging in again later will resolve the issue.
· If the sAMAccountName attribute of an Active Directory account is changed while the old account name is still cached on the computer, you may see the following error message when creating a new desktop or using “Run as role” with a right configured to run as the modified user account:
Failed to open new desktop. Right xxx references bad user account.
The workaround is to restart the computer.
· On a privileged desktop, if you use “Control Panel > Programs > Programs and Features” to uninstall a program, you may see the following warning message and be unable to uninstall the software.
The system administrator has set policies to prevent this installation.
This issue happens when User Account Control (UAC) is enabled and when "Run with highest privileges" is deselected when creating the new desktop.
· Desktop, Network Access and Application rights that use the Local administrators group as the “Run As” account are not supported on domain controllers.
· It is not possible to “Run as role” and open a desktop if the “Run as” user's UPN name includes "/" or "\".
· Fast user-switching is not available from a privileged desktop. Use the default desktop for fast user-switching.
· The Centrify Windows Agent for Access takes some time to start up after a reboot. Before the Centrify Windows Agent for Access is up and running, no user is allowed to log on. If the Centrify Windows Agent for Access cannot come up within 3 minutes, the system enters rescue mode. In rescue mode, only users assigned to a role with the rescue right are allowed to log on. If no user has been assigned to a role with the rescue right, only the domain administrator and local administrator are allowed to log on.
· Centrify Windows Agent for Access does not support Citrix XenApp in this version. Such support is being investigated for a future release.
· If "Windows Security Essentials" software is installed, an error message appears on the new desktop after you create a new desktop.
Microsoft Security Client
An error has occurred in the program during initialization. If this program
continues, please contact your system administrator
Error code: 0x80070005
This issue happens on Windows XP, Windows 2003, and Windows 2003 R2. This error message can be safely ignored.
· Use of Centrify Windows Agent for Access along with 3rd party desktop products is not supported.
· On a privileged desktop, if you install McAfee Security Scan products and click "View Readme", the Readme.html is shown on the default desktop instead. Similar issues may happen with other third party programs. The alternate way to view the Readme.html on the desktop of a managed computer is to open the Readme.html file directly.
· Attempting to enable Kerberos authentication for Oracle databases will fail. This issue is being brought to the attention of Oracle Support for a resolution in upcoming releases.
· For SQL Server clusters used with Windows 2003 Servers, the SQL Network Name resource must have Kerberos Authentication enabled before you install the Centrify Windows Agent for Access. For steps on how to enable Kerberos Authentication of virtual servers, please refer to this information: http://technet.microsoft.com/en-us/library/cc780918%28v=ws.10%29.aspx
· The Microsoft Snipping Tool utility has a bug that prevents it from running on a privileged desktop.
· “Run as role” does not work with IE7. The error message "The RUNAS command is not supported" is shown when running IE7 with “Run as role”; see http://support.microsoft.com/kb/922980. IE8 and IE9 may fail when you launch IE directly or use “Run as role” on a privileged desktop if User Account Control (UAC) is on and "Run with highest privileges" was not selected when you created the desktop. After IE8 or IE9 fails, an "Internet Explorer has stopped working" dialog is shown on the default desktop.
The workaround is to use “Run as role” to launch IE8 or IE9 on the default desktop.
· After you install the Centrify Windows Agent for Access on a Windows 2008 32 bit computer (without R2) that is joined to a zone and log in as a normal AD user, the Internet Explorer version 7 (IE7) stops working. This problem is not visible in IE8 and later.
· The Microsoft Exchange Server 2007 SP3 Active Directory schema is distinct from that of Microsoft Exchange Server 2010 (SP1 and SP2), which affects the rights a user needs to create a new mailbox:
1. With a single Exchange Server 2007 SP3 installed (single domain):
- A normal user needs the local right and the network right simultaneously to create a new mailbox.
2. With multiple Exchange Server 2007 SP3 servers installed:
- A normal user with just the network right can create a new mailbox, since it will automatically connect to another Exchange server.
3. With a single or multiple Exchange Server 2010 SP1/SP2 servers installed:
- The Active Directory schema is in line with the designed and expected use cases.
- A new mailbox can be created with just the local role or the network role to elevate privilege. Its design is different from Exchange Server 2007.
· The Windows Network Right will not take effect on a Linux or UNIX machine. You are asked to pick a role to launch a program or create a desktop. If the selected role contains the Network Right, the selected role will be used to access only Windows server machines on the network if those Windows server machines are joined to a zone that honors the selected role. The selected role will not be used to access any Linux/UNIX server machines on the network.
· No user should ever stop the DirectAuthorize service even though an administrative user can technically do so. This issue will be addressed in an upcoming release.
· The Network rights are not supported on the Windows 2008 R2 Terminal Server if “RDC Client Single Sign-On for Remote Desktop Services” is enabled on the client side.
· The workaround suggested in Microsoft KB 896861 is not compatible with the current version of Centrify Windows Agent for Access.
· Elevating privileges to the "run as" account specified in a Windows right requires that the “run as” account be granted the local logon right. If you have explicitly disallowed this right, you may receive an error such as "the user has not been granted the requested logon type at this computer" when attempting to use the right.
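One way to verify the prerequisite above before a right is deployed is to inspect the local user-rights assignment for the "run as" account. The script below is an added example and is not Centrify code or part of this readme; it assumes an elevated Windows PowerShell session (secedit needs administrator rights) and uses a placeholder account name. It exports the USER_RIGHTS area of the local security policy, resolves the account to its SID, and reports whether the SID is explicitly denied interactive logon or directly granted it; because the right is normally granted to groups, it also lists the granted principals so that group membership can be compared by hand.

```powershell
# Added example (not from Centrify or this readme): check whether a "run as"
# account is granted, or explicitly denied, the interactive logon right on
# this computer. Assumes an elevated session; the account is a placeholder.
param(
    [string]$Account = 'CONTOSO\svc-runas'   # placeholder "run as" account
)

$ErrorActionPreference = 'Stop'
$inf = Join-Path $env:TEMP 'user-rights-export.inf'

# Export only the user-rights assignment area of the local security policy.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# secedit lists principals as *SID, so resolve the account to its SID.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

function Get-RightPrincipals {
    # Return the principals listed for one right in the exported .inf file.
    param([string]$Right)
    $line = Get-Content $inf | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Resolve-PrincipalName {
    # Translate a SID back to DOMAIN\name for display; keep the raw value
    # if it cannot be resolved (for example a deleted account).
    param([string]$Id)
    try {
        if ($Id -match '^S-1-') {
            (New-Object System.Security.Principal.SecurityIdentifier($Id)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } else { $Id }
    } catch { $Id }
}

$allow = @(Get-RightPrincipals 'SeInteractiveLogonRight')
$deny  = @(Get-RightPrincipals 'SeDenyInteractiveLogonRight')

Write-Host "Account $Account ($sid)"
if ($deny -contains $sid) {
    # A deny entry overrides any allow entry, so this is the error case.
    Write-Host 'DENIED: account is explicitly listed in SeDenyInteractiveLogonRight' -ForegroundColor Red
}
if ($allow -contains $sid) {
    Write-Host 'OK: account is directly granted SeInteractiveLogonRight'
} else {
    Write-Host 'Not granted directly; the account must belong to one of these principals:'
    $allow | ForEach-Object { Write-Host ('  ' + (Resolve-PrincipalName $_)) }
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it as `.\Check-RunAsLogonRight.ps1 -Account 'DOMAIN\account'` on the managed computer. Deny entries are also checked for the account's groups only indirectly (they are listed under the same rights), so if the account appears neither directly allowed nor denied, compare the printed principals against the account's group membership before assigning the right.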
· When you open the Start menu "Help and Support" item on a privileged desktop, the Windows Help and Support is launched on the default desktop rather than the privileged desktop. Switch to the default desktop to view the information.
· If your computer network is spread out geographically, NetBIOS name resolution may fail. When a NetBIOS name is used, the domain controller that the user belongs to is used to resolve the name, which may fail in a multi-segment network. The Network Access right might not work as expected if the server machine is located by a NetBIOS name that cannot be resolved. You may need to consult your network administrator to work around this issue.
In addition to the documentation provided with this package, see the Centrify Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone.
To contact Centrify Support or to get help with installing or using this version of Centrify Windows Agent software, send email to Support or call 1-408-542-7500, option 2.
For information about purchasing or evaluating Centrify products, send email to info.