The Centrify Windows Agent package contains software to support auditing, access control, and privilege management on Windows computers. The Audit and Access features can be installed together or separately on the Windows computers you want to manage.

For auditing, the Centrify Windows Agent requires the Centrify DirectAudit feature set, which is available in Centrify Suite Enterprise Edition. DirectAudit enables detailed auditing of user activity on a wide range of UNIX, Linux and Windows computers. With DirectAudit, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, and improve regulatory compliance and accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer when it is installed. For a complete list of the platforms supported, see DirectAudit Supported Platforms.

For access control and privilege management, the Centrify Windows Agent requires the Centrify DirectManage and DirectAuthorize feature sets, which are available in Centrify Suite Standard Edition. With DirectManage and DirectAuthorize, you can configure and manage role-based access controls for Windows servers. The Centrify Windows Agent extends the access control and privilege management features available for Linux and UNIX computers, so that you can use a single console to manage multiple platforms. You can deploy the Centrify Windows Agent in a Windows-only environment or as part of a mixed environment that includes, Windows, Linux, and UNIX computers. For a complete list of the platforms supported, see DirectAuthorize UNIX Supported Platforms.

You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.

2. Supported platforms and system requirements

For information about setting up a test environment for the Centrify Windows Agent, see the Centrify Suite 2013 Evaluation Guide for Windows. The Centrify Suite Evaluation Guide for Windows includes common tasks and usage scenarios.

2.1 Centrify Windows Agent - Access

The Centrify Windows Agent – Access feature can be installed on the following operating systems:

Windows 2003 Server SP2 and later (64-bit)
Windows 2003 Server R2 (64-bit)
Windows 2008 Server (32-bit and 64-bit)
Windows 2008 Server R2 (64-bit)
Windows XP SP2 (64-bit)
Windows 7 (32-bit and 64-bit)

2.2 Centrify Windows Agent - Audit

In addition, the Centrify Windows Agent – Audit feature supports the following platforms:

Windows 2003 Server SP2 and later (32-bit and 64-bit)
Windows 2003 Server R2 (32-bit and 64-bit)
Windows 2008 Server (32-bit and 64-bit)
Windows 2008 Server R2 (64-bit)
Windows 2012 Server (64-bit)
Windows XP SP3 (32-bit)
Windows XP SP2 (64-bit)
Windows 7 (32-bit and 64-bit)
Windows 8 (32-bit and 64-bit)

3. New Features

3.1 New Features in Windows Agent 3.1.0

3.1.1 Centrify Windows Agent - Audit

Optional video capture auditing: In this release, you can choose to enable or disable video capture auditing. By default, video capture auditing is disabled for new installations. Disabling video capture helps greatly to reduce the storage requirement for the audited sessions. To use this feature, however, you must upgrade both the collector service and the Centrify Windows Agent to the 2013.2 release.
Windows Vista is no longer supported in this release.

3.1.2 Centrify Windows Agent - Access

Re-authentication: When a user creates a new desktop, or switches to a desktop with elevated privileges, or deploys the “RunAs” role to execute an operation, administrators can optionally require re-authentication. If this option is enabled, users must re-enter their login password.
Group privilege right: When using DirectManage Access Manager to define a new Windows Application, Desktop, or Network Access right, you can select a specific user account (as before) or use the login user’s account credentials but with the elevated privileges of a specific Active Directory or built-in group. If the latter, the rights of the selected group will be added to the user’s account while still maintaining the user’s context.
Customize desktop: When users create a new desktop with elevated privileges, they can customize the desktop background. For example, users can select a different background color or an image to use as wallpaper.
Predefined application rights: Administrators can now easily assign a subset of Local Administrator application rights to a role. When using the DirectManage Access Manager to add rights to a role, you can now choose from a list of predefined rights such as the right to run Task Scheduler, Event Viewer, and Performance Monitor.
RunAs enhancements: When launching an application using “RunAs” role, the RunAs utility will start the target application and can optionally wait until the application terminates, passing back the application return code. If the application is a command line utility, the RunAs utility will start a console and application inputs/outputs will be redirected to it. This enhancement is intended to help scripting users synchronize and verify their actions.

3.2 New Features in Windows Agent 3.0.1

This is a maintenance release.

4. Bugs Fixed

4.1 Bugs Fixed in Windows Agent 3.1.0

4.1.1 Installation

There is a one-minute delay in rebooting the machine after upgrading the Centrify Windows Agent from Suite 2013 or Suite 2013.1. The reboot delay is due to a bug in Suite 2013 Windows Agent installer. The issue has been fixed in this release. There will be no delay in rebooting the machine when upgrading Suite 2013.2 to a later release. (Ref: 44145)

4.1.2 Centrify Windows Agent - Audit

If some of the collectors are upgraded to Suite 2013 but some of the collectors are still running at older version, Centrify Windows Agent from Centrify Suite 2013 or Suite 2013.1 may not be able to connect to the upgraded collectors. This issue has been fixed in this release. (Ref: 38255)
Centrify DirectAudit Agent Control Panel always shows “Initializing” on some machines because of corrupted performance counters. This issue has been fixed in this release. (Ref: 39077)

4.1.3 Centrify Windows Agent - Access

The workaround suggested in Microsoft KB 896861 is now compatible with the current version of Centrify Windows Agent - Access. (Ref: 37000)
Restart and shutdown menu was not working on the desktop with elevated privileges in the previous release. This issue has been fixed in this release. (Ref: 40659)
Starting from this release, reboot is not required after changing the zone configuration. (Ref: 38527)
Centrify Windows Agent has applied the workaround suggested in http://support.microsoft.com/kb/936707 to avoid the long start up time. (Ref: 36165)
Privilege elevation using Windows Rights for Internet Explorer (IE) 8 or above is now supported. (Ref: 32671, 37587)
If the UPN of the “Run as” user account included "/" or "\" in its name, RunAsRole.exe or desktop creation would fail. This issue has been fixed in this release. (Ref: 38407, 38450, 38683)

4.2 Bugs Fixed in Windows Agent 3.0.1

If both Audit and Access features are installed for the Centrify Windows Agent, the log off menu cannot be shown on some machines. This issue has been fixed in this release. (Ref: 34767)
Computers with Centrify Windows Agent - Access installed may lock out all users from using that machine, when one of the domain controllers in its domain reboots. This issue has been fixed in this release. (Ref: 40361)
Leading and trailing white spaces in the arguments specified in the Application right are now ignored. This is to make sure user can do Run As Role on the specified application even though the arguments don’t have matching leading or trailing white spaces. (Ref: 41178)

5. Known Issues

5.1 Installation and Uninstall

The Centrify Common Component should be the last Centrify Suite component uninstalled. If the component is uninstalled before other component, it must be reinstalled by the uninstall process to complete its task. (Ref: 36226)
Mounting the ISO from a network drive may result in error 1602 from setup.exe. The workaround is to mount the ISO from the local drive. (Ref: 35685)
If you intend to install the software on the desktop with elevated privilege, you should not check the "Run with UAC restrictions" option when creating the desktop. (Ref: 39725)

When you double-click on the Centrify Windows Agent msi and select the "repair" option, the existing files are replaced irrespective of their version number, even when they are identical. As a result, a prompt to restart the system is displayed as files that were in use were replaced. However, if you use the Easy Installer to do the repair and a file on the disk has the same version as the file that is part of the installer package, the installed file will not be replaced. Therefore, there will not be any prompt to restart the system. (Ref: 26561)

When the Centrify Windows Agent is either installed or uninstalled and the prompt for a machine restart is deferred using the “restart later” option or ignored, other components of DirectManage may display errors due to an incomplete installation. A restart is mandatory if requested after install or uninstall operation. (Ref: 36307)
The component selection page of the installer for the Centrify Windows Agent installer does not allow specifying separate installation locations for each individual component. All the components selected on this page get installed in the same location. Therefore, the Browse button remains disabled when user highlights individual components in the component selection tree. The Browse button is enabled only when the user highlights the top node of the component selection tree. (Ref: 34772)
Users may notice a few "Side by side" configuration errors in the Event Viewer after installing the Centrify Windows Agent, if Microsoft KB945140 related components have been installed on the local machine previously. These errors will go away after you restart the computer and have no functional effect. (Ref: 35302)
If you uninstall the Centrify Windows Agent while the DirectAudit Agent Control Panel is open, files needed by the uninstall process may be blocked. You should close the DirectAudit Agent Control Panel for a successful conclusion to the uninstall process. (Ref: 25753)
User must restart the computer after uninstalling the Centrify Windows Agent - Access feature. Failure to do so will result in error message such as "A local error has occurred" if the user tries to access other Centrify components (e.g. Centrify DirectManage Audit Collector Control Panel or Centrify DirectManage Audit Manager) or if the user tries to install other Centrify DirectManage Audit or DirectManage Access components. (Ref: 40085)
If you have installed the Access feature of Centrify Windows Agent from Centrify Suite 2013 and are trying to upgrade the component to the latest version, you may see the following error during the installation process, "Service 'DirectAuthorize Agent' could not be installed. Verify that you have sufficient privileges to install system services." If you see this error message, it typically indicates that the existing service is taking longer time to stop and hence the new service is not getting installed. When you see this error, wait for some time (typically 30 seconds) and click on Retry button on the error message box. (Ref: 47270)

5.2 Centrify Windows Agent - Audit

Hardware acceleration may slow down console login. With Windows XP and Windows Server 2003, you may experience slow login performance if hardware acceleration is set to full. This issue only affects local logins. It does not affect Remote Desktop (RDP) sessions. To work around this issue, set hardware acceleration to none. (Ref: 24777)
On audited Windows XP machines, the mouse cursor may flicker when DirectAudit is enabled. When using RDP to access the machine remotely, this issue may manifest itself by the RDP mouse pointer moving back a few pixels from where it was placed. This is a bug with Windows XP and is not expected to be fixed by Microsoft. (Ref: 24307)
On Windows XP and Windows Server 2003, when a user is in screen-saver mode, a session will be suspended after ~20 seconds of monitoring and a new session will be started when the screen-saver is dismissed. However, if a user reactivates a session before the 20 second time period expires, the session should resume. (Ref: 25112)
The offline data location (and subdirectories below it) is expected to be a location dedicated to spooling, for example c:\spool. If the offline data location is changed, all files in the old location (including subdirectories and their contents) are moved to the new location. This may cause problems if the old location was not exclusively for spooling use. For example, choosing c:\ as the original spool location and d:\spool as the new location would cause all files on the c:\ drive to be copied to d:\spool. (Ref: 26592)
The optional video capture feature requires both the Collector and the DirectAudit Agent to use 2013.2. If any of collectors or agents are running an older version, video data may still be recorded even though you have turned it off in Suite 2013 Update 2 Audit Manager. (Ref: 44064)
Remote logon failure audit trail message on Windows 7, Windows 2008 and Windows 2008 R2 cannot be recorded. (Ref: 47232)

5.3 Centrify Windows Agent - Access

5.3.1 General

The Forest analysis operation in DirectManage Access Manager is not designed to find Windows-specific issues. (Ref: 38254, 43185)

5.3.2 Environment

One-way trust environments and selective two-way external trusts are not supported. Both Windows machines and Centrify zones are required to be in the same forest or different forests with a two-way forest trust established. (Ref: 40713, 44644, 44647, 44657, 40643, 40650, 45341, 45372)

Environment with no Global Catalog is not supported. (Ref: 46577)
DirectAuthorize for Windows requires machine time to be synchronized with domain controller. VMware virtual machine has a known issue that its time may not be synchronized with domain controller. This problem occurs more often on a overloaded virtual machine host. If the system clocks on the local Windows computer and the domain controller are not synchronized, DirectAuthorize for Windows does not allow any domain users to login. You can try the following KB from VMware to fix the time synchronization issue. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 (Ref: 47795)

5.3.3 RunAsRole

The "Run as role..." context menu is not displayed when you right-click “Start > All Programs > Administrative Tools > Active Directory Users and Computers” on a domain client computer with Windows Server 2003 Service Pack 1 Administration Tools Pack installed. This issue occurs on windows XP, Windows 2003, and Windows 2003 R2. The workaround is to create a shortcut with target C:\WINDOWS\system32\dsa.msc. The "Run as Role..." context menu can be displayed if you right-click this shortcut. (Ref: 32370)
The "RunAsRole.exe /wait" command line utility cannot redirect the input/output of the application if you log on remotely to a Windows XP, Windows 2003 or Windows 2003 R2 machine. (Ref: 45042)
If you use the "RunAsRole.exe /wait" command to run a Python script, the input/output cannot be redirected for versions of Python below 3.0.0. (Ref: 45061)
When running "RunAsRole.exe /wait sc.exe" with no argument provided to sc.exe, sc.exe will prompt

Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:

Typing ‘y’ or ‘n’ doesn’t do anything because the input cannot be successfully redirected to sc.exe. (Ref: 47016)

5.3.4 Desktop with Elevated Privileges

On a desktop with elevated privileges, if you open the Task Manager and select “File > New Task” to run an application without selecting the "Create this task with administrative privileges" option, the application will be launched on the default desktop. This issue occurs when User Account Control (UAC) is enabled. (Ref: 32169)
Sometimes the Centrify icon cannot be shown in the notification area of the taskbar if a user logs onto the computer immediately after starting the computer. This issue does not happen if a remote desktop is used to access the computer. This issue happens on Windows XP, Windows 2003, and Windows 2003 R2. Log in again later to resolve the issue. (Ref: 37119)
If the sAMAccountName attribute of an Active Directory account is changed while the old account name is still cached on the computer, you may see the following error message when creating a new desktop or using “Run as role” with a right configured to run as the modified user account:

==================================================================

Failed to open new desktop. Right xxx references bad user account.

==================================================================

The workaround is to restart the computer. (Ref: 35124)

On a desktop with elevated privileges, if you use “Control Panel > Programs > Programs and Features” to uninstall a program, you may see the following warning message and cannot uninstall the software.

========================================================================

The system administrator has set policies to prevent this installation.

========================================================================

This issue happens when User Account Control (UAC) is enabled and when "Run with UAC restrictions" is selected when creating the new desktop. (Ref: 33384)

When you open the Start menu "Help and Support" item on a desktop with elevated privileges, the Windows Help and Support is launched on the default desktop. Switch to the default desktop to view the information. (Ref: 32147)
If you shut down, restart, or log off from a desktop with elevated privileges, all running applications are terminated forcibly without being prompted to save any open documents. (Ref: 40749)
You cannot launch Windows Security Options using “Start menu -> Windows Security” on a privilege desktop with elevated privileges when using a remote desktop connection. You must switch back to the default desktop to continue. (Ref: 45995)
Installation of IE9 on desktops with elevated privileges may cause the privileged desktop to become unusable. Use “RunAsRole” for installation of IE9 instead. (Ref: 44930)
You cannot use the Start menu option "Switch User" while you are using a role-based, privileged desktop. To use the "Switch User" shortcut, change from the privileged desktop to your default Windows desktop. From the default desktop, you can then select Start > Switch User to log on as a different user. (Ref: 39011)

5.3.5 Roles and Rights

Windows Network Access rights do not take effect on a Linux or UNIX machines. If you select a role to start a program or create a desktop that contains a Network Access right, you can only use that role to access Windows computers. The Windows computers you access over the network must be joined to a zone that honors the selected role. The selected role cannot be used to access any Linux or UNIX server computers on the network. (Ref: 32980)
Network Access rights are not supported on the Windows 2008 R2 Terminal Server if “RDC Client Single Sign-On for Remote Desktop Services” is enabled on the client side. (Ref: 34368)
To elevate privileges to the "Run as" account specified in a Windows right, the “run as” account must have local logon rights. If you have explicitly disallowed this right, you may receive an error such as "the user has not been granted the requested logon type at this computer" when attempting to use the right. (Ref: 34266)
If your computer network is spread out geographically, there may be failures in NETBIOS name translation. If a NETBIOS name is used, Active Directory attempts to resolve the NETBIOS name based on the domain controller that the user belongs to, which in a multi-segment network might fail. Therefore, Network Access rights might not work as expected if the remote server is located using NETBIOS name. You may need to consult your network administrator to work around this issue. (Ref: 39087)

5.3.6 Compatibility With 3^rd Party Products

Centrify Windows Agent - Access does not support Citrix XenApp in this version. Support is being investigated for a future release. (Ref: 33786)
The startup path for “SharePoint 2010 Management Shell” and “Exchange Management Shell” may set to C:\Windows instead of user home directory if it is launched via RunAsRole.exe or from a desktop with elevated privilege. (Ref: 38814, 46943)
If "Windows Security Essentials" software is installed, an error message appears after you create a new desktop.

===========================================================================

Microsoft Security Client

An error has occurred in the program during initialization. If this program

continues, please contact your system administrator

Error code: 0x80070005

===========================================================================

This issue happens on Windows XP, Windows 2003, and Windows 2003 R2. This error message can be safely ignored. (Ref: 37687)

On a desktop with elevated privileges, if you install McAfee Security Scan products and click "View Readme", the Readme.html is shown on the default desktop. Similar issues may happen with other third party programs. The alternate way to view the Readme.html on the desktop of a managed computer is to open the Readme.html file directly. (Ref: 34642)
Attempting to enable Kerberos authentication for Oracle databases will fail. This issue is being brought to the attention of Oracle Support for a resolution in upcoming releases. (Ref: 33835)
For SQL Server clusters used with Windows 2003 Servers, the SQL Network Name resource must have Kerberos Authentication enabled before you install the Centrify Windows Agent – Access feature. For information about how to enable Kerberos Authentication of virtual servers, refer to this article: http://technet.microsoft.com/en-us/library/cc780918%28v=ws.10%29.aspx. (Ref: 38333)
The Microsoft Snipping Tool utility has a bug that prevents it from running on a desktop with elevated privileges. (Ref: 31931)
Some applications do not use the process token to check the group membership. They check the user’s group membership on its own. Therefore, any Windows rights configured to use a privileged group will not take effect in these applications. The workaround is to use a privileged user account instead of a privileged group. Here is the list of known application with this issue:

vCenter Server 5.1
SQL Server
Exchange 2010

(Ref: 45318, 45218, 43779)

Privilege elevation using Windows Rights for Internet Explorer (IE) 7 is not supported. (Ref: 33425)
Privilege elevation using Windows rights for "File Server Management" is not supported on Windows 2003 or Windows 2003 R2. (Ref: 45797)
Privilege elevation using Windows rights for "Remote Desktop" is not supported. (Ref: 45222)
VirtualDesktop is not compatible with Centrify Suite 2013 Update 2. Users should use the Centrify system tray applet to create virtual desktop instead. (Ref: 44641)
Privilege elevation using Windows rights for taskmgr.exe, explorer.exe, and cmd.exe are not recommended. A user granted privileges with Windows rights is implicitly granted to run any executable under the same privilege. (Ref: 45861, 40525)

5.3.7 Miscellaneous

No user should ever stop the DirectAuthorize service even though an administrative user can technically do so. This issue will be addressed in an upcoming release. (Ref: 33632)

6. Additional information and support

In addition to the documentation provided with this package, see the Centrify Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone.

To contact Centrify Support or to get help with installing or using this version of Centrify Windows Agent software, send email to Support or call 1-408-542-7500, option 2.

For information about purchasing or evaluating Centrify products, send email to info.