Centrify® Windows Agent 3.1.0 Release Notes
© 2006-2013 Centrify Corporation.
This software is protected by international copyright laws.
All Rights Reserved.
Table of Contents
1. About Centrify Windows Agent 3.1.0
2. Supported platforms and system requirements
2.1 Centrify Windows Agent - Access
2.2 Centrify Windows Agent - Audit
3. New Features
3.1 New Features in Windows Agent 3.1.0
3.1.1 Centrify Windows Agent - Audit
3.1.2 Centrify Windows Agent - Access
3.2 New Features in Windows Agent 3.0.1
4. Bugs Fixed
4.1 Bugs Fixed in Windows Agent 3.1.0
4.1.1 Installation
4.1.2 Centrify Windows Agent - Audit
4.1.3 Centrify Windows Agent - Access
4.2 Bugs Fixed in Windows Agent 3.0.1
5. Known Issues
5.1 Installation and Uninstall
5.2 Centrify Windows Agent - Audit
5.3 Centrify Windows Agent - Access
5.3.1 General
5.3.2 Environment
5.3.3 RunAsRole
5.3.4 Desktop with Elevated Privileges
5.3.5 Roles and Rights
5.3.6 Compatibility With 3rd Party Products
5.3.7 Miscellaneous
6. Additional information and support
1. About Centrify Windows Agent 3.1.0
The Centrify Windows Agent package contains software to
support auditing, access control, and privilege management on Windows
computers. The Audit and Access features can be installed together or
separately on the Windows computers you want to manage.
For auditing, the Centrify Windows Agent requires the Centrify
DirectAudit feature set, which is available in Centrify Suite Enterprise
Edition. DirectAudit enables detailed auditing of user activity on a wide range
of UNIX, Linux and Windows computers. With DirectAudit, you can perform
immediate, in-depth troubleshooting by replaying user activity that may have
contributed to system failures, spot suspicious activity by monitoring current
user sessions, and improve regulatory compliance and accountability by capturing
and storing detailed information about the applications used and the commands
executed. If you enable auditing, the Centrify Windows Agent records user
activity on the Windows computer when it is installed. For a complete list of
the platforms supported, see DirectAudit
Supported Platforms.
For access control and privilege
management, the Centrify Windows Agent requires the Centrify DirectManage and
DirectAuthorize feature sets, which are available in Centrify Suite Standard
Edition. With DirectManage and DirectAuthorize, you can configure and manage role-based
access controls for Windows servers. The Centrify Windows Agent extends the access
control and privilege management features available for Linux and UNIX computers,
so that you can use a single console to manage multiple platforms. You can
deploy the Centrify Windows Agent in a Windows-only environment or as part of a
mixed environment that includes Windows, Linux, and UNIX computers. For a
complete list of the platforms supported, see DirectAuthorize
UNIX Supported Platforms.
You can obtain information about previous releases from the
Centrify Support Portal, in the Documentation & Application Notes page.
Centrify Suite is protected by U.S. Patents 7,591,005,
8,024,360, and 8,321,523.
2. Supported platforms and system requirements
For information about setting up a test environment for the
Centrify Windows Agent, see the Centrify Suite 2013 Evaluation Guide for
Windows. The Centrify Suite Evaluation Guide for Windows includes
common tasks and usage scenarios.
The Centrify Windows Agent – Access feature can be installed
on the following operating systems:
- Windows 2003 Server SP2 and later (64-bit)
- Windows 2003 Server R2 (64-bit)
- Windows 2008 Server (32-bit and 64-bit)
- Windows 2008 Server R2 (64-bit)
- Windows XP SP2 (64-bit)
- Windows 7 (32-bit and 64-bit)
In addition, the Centrify Windows Agent – Audit feature supports
the following platforms:
- Windows 2003 Server SP2 and later (32-bit and 64-bit)
- Windows 2003 Server R2 (32-bit and 64-bit)
- Windows 2008 Server (32-bit and 64-bit)
- Windows 2008 Server R2 (64-bit)
- Windows 2012 Server (64-bit)
- Windows XP SP3 (32-bit)
- Windows XP SP2 (64-bit)
- Windows 7 (32-bit and 64-bit)
- Windows 8 (32-bit and 64-bit)
3. New Features
3.1 New Features in Windows Agent 3.1.0
- Optional video capture auditing: In this release, you can
choose to enable or disable video capture auditing. By default, video
capture auditing is disabled for new installations. Disabling video capture
helps greatly to reduce the storage requirement for the audited sessions. To
use this feature, however, you must upgrade both the collector service and
the Centrify Windows Agent to the 2013.2 release.
- Windows Vista is no longer supported in this release.
- Re-authentication: When a user creates a new desktop, or
switches to a desktop with elevated privileges, or deploys the “RunAs”
role to execute an operation, administrators can optionally require re-authentication.
If this option is enabled, users must re-enter their login password.
- Group privilege right: When using DirectManage Access
Manager to define a new Windows Application, Desktop, or Network Access
right, you can select a specific user account (as before) or use the login
user’s account credentials but with the elevated privileges of a specific
Active Directory or built-in group. If the latter, the rights of the
selected group will be added to the user’s account while still maintaining
the user’s context.
- Customize desktop: When users create a new desktop with
elevated privileges, they can customize the desktop background. For
example, users can select a different background color or an image to use
as wallpaper.
- Predefined application rights: Administrators can now
easily assign a subset of Local Administrator application rights to a
role. When using the DirectManage Access Manager to add rights to a role,
you can now choose from a list of predefined rights such as the right to
run Task Scheduler, Event Viewer, and Performance Monitor.
- RunAs enhancements: When launching an application using a
“RunAs” role, the RunAs utility starts the target application and can
optionally wait until the application terminates, passing back the application
return code. If the application is a command line utility, the RunAs
utility will start a console and application inputs/outputs will be
redirected to it. This enhancement is intended to help scripting users
synchronize and verify their actions.
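The following PowerShell script is an added example, not part of these release notes or of the Centrify product, showing how a script can use the /wait behavior described above to run a privileged step and act on the exit code that RunAsRole.exe passes back. The /role:<role>[/<zone>] argument form, the role name, and the application path are assumptions for illustration, not values taken from this page.

```powershell
# Added example (not Centrify's code): run one privileged step through
# RunAsRole.exe /wait and let the calling script act on its exit code.
# Assumptions: RunAsRole.exe is on PATH; the role is passed as
# /role:<role>[/<zone>], an argument form assumed here rather than taken
# from these release notes; the default values below are placeholders.
param(
    [string]   $Role        = 'ServerAdmin/Global',                  # placeholder role/zone
    [string]   $Application = 'C:\Windows\System32\sc.exe',          # placeholder target
    [string[]] $Arguments   = @('query', 'wuauserv')                 # placeholder arguments
)

# /wait makes RunAsRole.exe block until the target exits and pass back the
# target's return code; for a console application it also attaches a console
# so the application's output can be captured here. Without /wait the launch
# returns immediately and $LASTEXITCODE says nothing about the target.
$output = & RunAsRole.exe /wait "/role:$Role" $Application @Arguments 2>&1
$code   = $LASTEXITCODE

Write-Host "RunAsRole /wait returned exit code $code for $Application"
$output | ForEach-Object { Write-Host "  $_" }

if ($code -ne 0) {
    # Propagate the failure so a scheduled task or parent script does not
    # continue as if the privileged step had succeeded.
    exit $code
}
```

Because the exit code is the target application's own, the script can distinguish "sc.exe ran and reported an error" from "sc.exe never started"; the captured output is what a defender would log alongside the audit trail for the session.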
3.2 New Features in Windows Agent 3.0.1
- This is a maintenance release.
4. Bugs Fixed
4.1 Bugs Fixed in Windows Agent 3.1.0
- There is a one-minute delay in rebooting the machine after
upgrading the Centrify Windows Agent from Suite 2013 or Suite 2013.1.
The reboot delay is due to a bug in the Suite 2013 Windows
Agent installer. The issue has been fixed in this release.
There will be no delay in rebooting the machine when upgrading Suite
2013.2 to a later release. (Ref: 44145)
- If some of the collectors are upgraded to Suite 2013 but
some of the collectors are still running an older version, Centrify
Windows Agent from Centrify Suite 2013 or Suite 2013.1 may not be able to
connect to the upgraded collectors. This issue has been fixed in this
release. (Ref: 38255)
- Centrify DirectAudit Agent Control Panel always shows
“Initializing” on some machines because of corrupted performance
counters. This issue has been fixed in this release. (Ref: 39077)
- The workaround suggested in Microsoft KB 896861 is now
compatible with the current version of Centrify Windows Agent - Access. (Ref:
37000)
- Restart and shutdown menu was not working on the desktop
with elevated privileges in the previous release. This issue has been
fixed in this release. (Ref: 40659)
- Starting from this release, reboot is not required after changing
the zone configuration. (Ref: 38527)
- Centrify Windows Agent has applied the workaround
suggested in http://support.microsoft.com/kb/936707
to avoid the long start up time. (Ref: 36165)
- Privilege elevation using Windows Rights for Internet
Explorer (IE) 8 or above is now supported. (Ref: 32671, 37587)
- If the UPN of the “Run as” user account included
"/" or "\" in its name, RunAsRole.exe or desktop
creation would fail. This issue has been fixed in this release. (Ref:
38407, 38450, 38683)
4.2 Bugs Fixed in Windows Agent 3.0.1
- If both Audit and Access features are installed for the
Centrify Windows Agent, the log off menu cannot be shown on some machines.
This issue has been fixed in this release. (Ref: 34767)
- Computers with Centrify Windows Agent - Access installed
may lock out all users from using that machine, when one of the domain
controllers in its domain reboots. This issue has been fixed in this
release. (Ref: 40361)
- Leading and trailing white spaces in the arguments
specified in the Application right are now ignored. This ensures that
users can run Run As Role on the specified application even when the
arguments do not have matching leading or trailing white spaces. (Ref:
41178)
5. Known Issues
5.1 Installation and Uninstall
- The Centrify Common Component should be the last Centrify
Suite component uninstalled. If the component is uninstalled before other
components, it must be reinstalled by the uninstall process to complete its
task. (Ref: 36226)
- Mounting the ISO from a network drive may result in error
1602 from setup.exe. The workaround is to mount the ISO from the local
drive. (Ref: 35685)
- If you intend to install the software on the desktop with
elevated privilege, you should not check the "Run with UAC
restrictions" option when creating the desktop. (Ref: 39725)
- When you double-click on the Centrify Windows Agent msi
and select the "repair" option, the existing files are replaced
irrespective of their version number, even when they are identical. As a
result, a prompt to restart the system is displayed as files that were in
use were replaced. However, if you use the Easy Installer to do the repair
and a file on the disk has the same version as the file that is part of
the installer package, the installed file will not be replaced. Therefore,
there will not be any prompt to restart the system. (Ref: 26561)
- When the Centrify Windows Agent is either installed or
uninstalled and the prompt for a machine restart is deferred using the
“restart later” option or ignored, other components of DirectManage may
display errors due to an incomplete installation. A restart is mandatory
if requested after install or uninstall operation. (Ref: 36307)
- The component selection page of the installer for the
Centrify Windows Agent installer does not allow specifying separate
installation locations for each individual component. All the components
selected on this page get installed in the same location. Therefore, the
Browse button remains disabled when the user highlights individual components
in the component selection tree. The Browse button is enabled only when
the user highlights the top node of the component selection tree. (Ref:
34772)
- Users may notice a few "Side by side"
configuration errors in the Event Viewer after installing the Centrify
Windows Agent, if Microsoft KB945140 related components have been
installed on the local machine previously. These errors will go away after
you restart the computer and have no functional effect. (Ref: 35302)
- If you uninstall the Centrify Windows Agent while the DirectAudit
Agent Control Panel is open, files needed by the uninstall process may be
blocked. You should close the DirectAudit Agent Control Panel for a
successful conclusion to the uninstall process. (Ref: 25753)
- Users must restart the computer after uninstalling the Centrify
Windows Agent - Access feature. Failure to do so will result in error
messages such as "A local error has occurred" if the user tries
to access other Centrify components (e.g. Centrify DirectManage Audit
Collector Control Panel or Centrify DirectManage Audit Manager) or if the
user tries to install other Centrify DirectManage Audit or DirectManage Access
components. (Ref: 40085)
- If you have installed the Access feature of Centrify
Windows Agent from Centrify Suite 2013 and are trying to upgrade the
component to the latest version, you may see the following error during
the installation process, "Service 'DirectAuthorize Agent' could not
be installed. Verify that you have sufficient privileges to install system
services." If you see this error message, it typically indicates that
the existing service is taking a longer time to stop and hence the new
service is not getting installed. When you see this error, wait for some
time (typically 30 seconds) and click the Retry button on the error message
box. (Ref: 47270)
5.2 Centrify Windows Agent - Audit
- Hardware acceleration may slow down console login. With
Windows XP and Windows Server 2003, you may experience slow login
performance if hardware acceleration is set to full. This issue only
affects local logins. It does not affect Remote Desktop (RDP) sessions. To
work around this issue, set hardware acceleration to none. (Ref: 24777)
- On audited Windows XP machines, the mouse cursor may
flicker when DirectAudit is enabled. When using RDP to access the machine
remotely, this issue may manifest itself by the RDP mouse pointer moving
back a few pixels from where it was placed. This is a bug with Windows XP
and is not expected to be fixed by Microsoft. (Ref: 24307)
- On Windows XP and Windows Server 2003, when a user is in
screen-saver mode, a session will be suspended after ~20 seconds of
monitoring and a new session will be started when the screen-saver is
dismissed. However, if a user reactivates a session before the 20 second
time period expires, the session should resume. (Ref: 25112)
- The offline data location (and subdirectories below it) is
expected to be a location dedicated to spooling, for example c:\spool. If
the offline data location is changed, all files in the old location
(including subdirectories and their contents) are moved to the new
location. This may cause problems if the old location was not exclusively
for spooling use. For example, choosing c:\ as the original spool location
and d:\spool as the new location would cause all files on the c:\ drive to
be copied to d:\spool. (Ref: 26592)
- The optional video capture feature requires both the
Collector and the DirectAudit Agent to use 2013.2. If any of the collectors or
agents are running an older version, video data may still be recorded even
though you have turned it off in Suite 2013 Update 2 Audit Manager. (Ref:
44064)
- Remote logon failure
audit trail message on Windows 7, Windows 2008 and Windows 2008 R2 cannot
be recorded. (Ref: 47232)
5.3 Centrify Windows Agent - Access
- The Forest analysis operation in DirectManage Access
Manager is not designed to find Windows-specific issues. (Ref: 38254,
43185)
- One-way trust environments and selective two-way external
trusts are not supported. Both Windows machines and Centrify zones are
required to be in the same forest or different forests with a two-way
forest trust established. (Ref: 40713, 44644, 44647, 44657, 40643, 40650,
45341, 45372)
- Environments with no Global Catalog are not supported. (Ref:
46577)
- DirectAuthorize for Windows requires the machine time to be
synchronized with the domain controller. VMware virtual machines have a known
issue in which their time may not be synchronized with the domain controller. This
problem occurs more often on an overloaded virtual machine host. If the
system clocks on the local Windows computer and the domain controller are
not synchronized, DirectAuthorize for Windows does not allow any domain
users to log in. You can try the following KB from VMware to fix the time
synchronization issue: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189
(Ref: 47795)
- The "Run as role..." context menu is not
displayed when you right-click “Start > All Programs >
Administrative Tools > Active Directory Users and Computers” on a
domain client computer with Windows Server 2003 Service Pack 1
Administration Tools Pack installed. This issue occurs on Windows XP,
Windows 2003, and Windows 2003 R2. The workaround is to create a shortcut
with target C:\WINDOWS\system32\dsa.msc. The "Run as Role..."
context menu can be displayed if you right-click this shortcut. (Ref:
32370)
- The "RunAsRole.exe /wait" command line utility
cannot redirect the input/output of the application if you log on remotely
to a Windows XP, Windows 2003 or Windows 2003 R2 machine. (Ref: 45042)
- If you use the "RunAsRole.exe /wait" command to run
a Python script, the input/output cannot be redirected for versions of
Python below 3.0.0. (Ref: 45061)
- When running "RunAsRole.exe /wait sc.exe" with
no argument provided to sc.exe, sc.exe will prompt:
      Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:
Typing ‘y’ or ‘n’ doesn’t do anything because the input cannot be
successfully redirected to sc.exe. (Ref: 47016)
- On a desktop with elevated privileges, if you open the
Task Manager and select “File > New Task” to run an application
without selecting the "Create this task with administrative
privileges" option, the application will be launched on the default desktop.
This issue occurs when User Account Control (UAC) is enabled. (Ref: 32169)
- Sometimes the Centrify icon cannot be shown in the
notification area of the taskbar if a user logs onto the computer
immediately after starting the computer. This issue does not happen if a remote
desktop is used to access the computer. This issue happens on Windows XP,
Windows 2003, and Windows 2003 R2. Log in again later to resolve the
issue. (Ref: 37119)
- If the sAMAccountName attribute of an Active Directory
account is changed while the old account name is still cached on the
computer, you may see the following error message when creating a new
desktop or using “Run as role” with a right configured to run as the
modified user account:
      Failed to open new desktop. Right xxx references bad user account.
The workaround is to restart the computer. (Ref: 35124)
- On a desktop with elevated privileges, if you use “Control
Panel > Programs > Programs and Features” to uninstall a program,
you may see the following warning message and cannot uninstall the
software:
      The system administrator has set policies to prevent this installation.
This issue happens when User Account Control (UAC) is enabled and when
"Run with UAC restrictions" is selected when creating the new desktop. (Ref: 33384)
- When you open the Start menu "Help and Support"
item on a desktop with elevated privileges, Windows Help and Support
is launched on the default desktop. Switch to the default desktop to view
the information. (Ref: 32147)
- If you shut down, restart, or log off from a desktop with
elevated privileges, all running applications are terminated forcibly
without being prompted to save any open documents. (Ref: 40749)
- You cannot launch Windows Security Options using “Start
menu -> Windows Security” on a desktop with elevated
privileges when using a remote desktop connection. You must switch back to
the default desktop to continue. (Ref: 45995)
- Installation of IE9 on desktops with elevated privileges may
cause the privileged desktop to become unusable. Use “RunAsRole” for installation
of IE9 instead. (Ref: 44930)
- You cannot use the Start menu option "Switch
User" while you are using a role-based, privileged desktop. To use
the "Switch User" shortcut, change from the privileged desktop
to your default Windows desktop. From the default desktop, you can then
select Start > Switch User to log on as a different user. (Ref: 39011)
- Windows Network Access rights do not take effect on
Linux or UNIX machines. If you select a role to start a program or create
a desktop that contains a Network Access right, you can only use that role
to access Windows computers. The Windows computers you access over the
network must be joined to a zone that honors the selected role. The
selected role cannot be used to access any Linux or UNIX server computers
on the network. (Ref: 32980)
- Network Access rights are not supported on the Windows
2008 R2 Terminal Server if “RDC Client Single Sign-On for Remote Desktop
Services” is enabled on the client side. (Ref: 34368)
- To elevate privileges to the "Run as" account
specified in a Windows right, the “run as” account must have local logon
rights. If you have explicitly disallowed this right, you may receive an
error such as "the user has not been granted the requested logon type
at this computer" when attempting to use the right. (Ref: 34266)
- If your computer network is spread out geographically,
there may be failures in NETBIOS name translation. If a NETBIOS name is
used, Active Directory attempts to resolve the NETBIOS name based on the
domain controller that the user belongs to, which in a multi-segment network
might fail. Therefore, Network Access rights might not work as expected if
the remote server is located using NETBIOS name. You may need to consult
your network administrator to work around this issue. (Ref: 39087)
- Centrify Windows Agent - Access does
not support Citrix XenApp in this version. Support is being investigated
for a future release. (Ref: 33786)
- The startup path for “SharePoint 2010 Management Shell”
and “Exchange Management Shell” may be set to C:\Windows instead of the user's home
directory if the shell is launched via RunAsRole.exe or from a desktop with
elevated privileges. (Ref: 38814, 46943)
- If "Windows Security Essentials" software is
installed, an error message appears after you create a new desktop:
      Microsoft Security Client
      An error has occurred in the program during initialization. If this program
      continues, please contact your system administrator
      Error code: 0x80070005
This issue happens on Windows XP, Windows 2003, and Windows 2003 R2. This
error message can be safely ignored. (Ref: 37687)
- On a desktop with elevated privileges, if you install McAfee
Security Scan products and click "View Readme", the Readme.html
is shown on the default desktop. Similar issues may happen with other
third party programs. The alternate way to view the Readme.html on the
desktop of a managed computer is to open the Readme.html file directly. (Ref:
34642)
- Attempting to enable Kerberos authentication for Oracle
databases will fail. This issue is being brought to the attention of
Oracle Support for a resolution in upcoming releases. (Ref: 33835)
- For SQL Server clusters used with Windows 2003 Servers,
the SQL Network Name resource must have Kerberos Authentication enabled
before you install the Centrify Windows Agent – Access feature. For information
about how to enable Kerberos Authentication of virtual servers, refer to
this article: http://technet.microsoft.com/en-us/library/cc780918%28v=ws.10%29.aspx. (Ref: 38333)
- The Microsoft Snipping Tool utility has a bug that
prevents it from running on a desktop with elevated privileges. (Ref:
31931)
- Some applications do not use the process token to check
group membership. They check the user’s group membership on their
own. Therefore, any Windows rights configured to use a privileged group
will not take effect in these applications. The workaround is to use a privileged
user account instead of a privileged group. Here is the list of known
applications with this issue:
- vCenter Server 5.1
- SQL Server
- Exchange 2010
(Ref: 45318, 45218, 43779)
- Privilege elevation using Windows Rights for Internet
Explorer (IE) 7 is not supported. (Ref: 33425)
- Privilege elevation using Windows rights for
"File Server Management" is not supported on Windows 2003 or
Windows 2003 R2. (Ref: 45797)
- Privilege elevation using Windows rights for
"Remote Desktop" is not supported. (Ref: 45222)
- VirtualDesktop is not compatible with Centrify
Suite 2013 Update 2. Users should use the Centrify system tray applet to
create a virtual desktop instead. (Ref: 44641)
- Privilege elevation using Windows rights for taskmgr.exe,
explorer.exe, and cmd.exe is not recommended. A user granted privileges
with Windows rights for these programs can implicitly run any executable
with the same privileges. (Ref: 45861, 40525)
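The PowerShell script below is an added example and is not Centrify's code. It checks, on a computer running the Access feature, two preconditions from the known issues in this section: the clock-skew requirement against the domain controller (Ref: 47795) and the local logon right of the account named in a Windows right's "Run as" setting (Ref: 34266). It assumes an elevated session (secedit requires one), that $env:LOGONSERVER names a reachable domain controller, that 300 seconds is the limit (the default Kerberos clock-skew tolerance), and a placeholder account name.

```powershell
# Added example, not Centrify's code: pre-flight checks for two known-issue
# preconditions on a computer with Centrify Windows Agent - Access:
#   1. the clock must be within Kerberos tolerance of the domain controller
#      (Ref: 47795), otherwise no domain user can log on;
#   2. the "Run as" account of a Windows right must hold the local logon
#      right and must not be denied it (Ref: 34266).
# Assumptions: elevated session (secedit needs it); $env:LOGONSERVER is a
# reachable DC; 300 s is the default Kerberos skew tolerance;
# $RunAsAccount is a placeholder name.
param([string] $RunAsAccount = 'CORP\svc-runas-placeholder')

$failed = $false

# --- 1. Clock skew against the logon DC, measured with w32tm ---------------
$dc = $env:LOGONSERVER.TrimStart('\')
$maxSkewSeconds = 300

# "/stripchart /dataonly" prints one "hh:mm:ss, +00.0012345s" line per sample.
$offsets = w32tm /stripchart /computer:$dc /samples:3 /dataonly |
    ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] } }

if (-not $offsets) {
    Write-Warning "No time samples from $dc; check that NTP (UDP 123) reaches the DC."
    $failed = $true
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $maxSkewSeconds) {
        Write-Warning ("Clock skew to {0} is {1:N1}s, above the {2}s limit; fix time sync (w32tm /resync, hypervisor time settings) or domain logons will fail." -f $dc, $worst, $maxSkewSeconds)
        $failed = $true
    } else {
        Write-Host ("Clock skew to {0} is {1:N3}s; within tolerance." -f $dc, $worst)
    }
}

# --- 2. Local logon right of the "Run as" account --------------------------
# secedit lists each user right with its holders, mostly as *SID, so resolve
# the account name to its SID first.
$sid = ([System.Security.Principal.NTAccount]$RunAsAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP 'user-rights-check.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content $inf
Remove-Item $inf

# Holders of one user right from the [Privilege Rights] section, '*' stripped.
function Get-RightHolders([string] $Right) {
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -replace "^$Right\s*=\s*", '') -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

$allow = Get-RightHolders 'SeInteractiveLogonRight'
$deny  = Get-RightHolders 'SeDenyInteractiveLogonRight'

if ($deny -contains $sid) {
    Write-Warning "$RunAsAccount is explicitly denied 'Log on locally'; rights that run as it will fail with 'the user has not been granted the requested logon type at this computer'."
    $failed = $true
} elseif ($allow -contains $sid) {
    Write-Host "$RunAsAccount is directly granted 'Log on locally'."
} else {
    # Not listed directly: the right may still come through a group such as
    # Users, so list the holders for a manual check instead of failing.
    Write-Host "$RunAsAccount is not listed directly; holders of 'Log on locally':"
    $allow | ForEach-Object { Write-Host "  $_" }
}

if ($failed) { exit 1 }
```

Run the script once when a computer is joined to a zone and again whenever a right's "Run as" account changes; a non-zero exit code flags the condition before users see logon or "Run as role" failures. The deny check is deliberately strict (an explicit SeDenyInteractiveLogonRight entry for the account always wins), while an allow that comes through group membership is left for review rather than guessed at.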
5.3.7 Miscellaneous
- No user should ever stop the DirectAuthorize service even
though an administrative user can technically do so. This issue will be
addressed in an upcoming release. (Ref: 33632)
6. Additional information and support
In addition to the documentation provided with this package,
see the Centrify Knowledge Base for answers to common questions and other
information (including any general or platform-specific known limitations),
tips, or suggestions. You can also contact Centrify Support directly with your
questions through the Centrify Web site, by email, or by telephone.
To contact Centrify Support or to get help with installing
or using this version of Centrify Windows Agent software, send email to Support or call 1-408-542-7500,
option 2.
For information about purchasing or evaluating Centrify
products, send email to info.