
What's New in Centrify Support

At Centrify, we believe it is essential for our customers to stay abreast of the latest developments, whether product- or company-related. Our 'What's New' section provides complete details on recent product releases and announcements.

CENTRIFY ANNOUNCEMENTS


September 3, 2020

What's New in Centrify Zero Trust Privilege Services Release 2020

About Centrify Zero Trust Privilege Services

Centrify Zero Trust Privilege Services (formerly Centrify Infrastructure Services or Centrify Server Suite) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Centrify Privileged Access Service, which enables you to discover, manage, and apply policies to account passwords, secrets, as well as access rules for both privileged and unprivileged accounts. Centrify Privileged Access Service also offers centralized access to systems and session auditing when combined with the Centrify Audit & Monitoring Service.
  • Centrify Authentication Service is a "best-of-breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Centrify Privilege Elevation Service centrally manages and enforces role-based entitlements for fine-grained control of privileged user access and privileges on UNIX, Linux, and Windows systems.
  • Centrify Audit & Monitoring Service delivers auditing, logging, and real-time monitoring of privileged user activity on your Windows, UNIX, and Linux systems.

The net result for thousands of customers who have deployed Centrify Zero Trust Privilege Services is increased security, as well as improved compliance and operational efficiencies. Release 2020 is a major release that contains significant enhancements to security and functionality.

About Centrify Zero Trust Privilege Services Release 2020

Release 2020 is a major release for the calendar year 2020. It contains functionality additions for keytab management, design changes for domain and connector selection, local Windows users and group management, a marquee capability for X11 auditing, and more!

What's New in the Centrify Authentication and Centrify Privilege Elevation Service for UNIX and Linux

Centrify Authentication Service (formerly DirectControl) Agent
Agent version is 5.7.0

  • External keytab management: after a successful password change and krb5.keytab update, the Centrify Authentication Service Agent launches an optional user-specified process or command, controlled by the configuration parameter 'adclient.krb5.password.change.hook'. The adkeytab command also gains a new option, '-o/--copy', which copies the keys for a specified SPN from an input keytab file into an output keytab file.
  • Smarter domain controller and Centrify Gateway Connector selection: the DirectControl agent now uses the "next_closest_site" API to choose a connector and a domain controller based on the lowest site link cost before falling back to a domain-wide search. This is controlled by the new configuration parameter 'adclient.next.closest.site.lookup.enabled' and provides faster failover selection and better availability.
  • Status updates: the Centrify Authentication Service Agent will now send periodic messages containing Agent and environment-specific data to the syslog and a computer object's postalAddress attribute in Active Directory.
  • The syslog updates carry the adinfo status details: HostName, DomainName, PreWin2kName, CurrentDC, PreferredSite, Zone, LastPasswordSet, CentrifyDC Mode, and LicensedFeature. The interval is configurable through Group Policy and defaults to 0, which disables the message. The message is prepended with the WATCH keyword for easy identification, which makes it useful for analytics and SIEM software monitoring the health of the Agent.
  • The Active Directory updates carry: current domain controller, current connector, update timestamp, adclient process elapsed time, computer uptime, connector uptime, and domain join time. Users can use this information for quick cloud deployment. Note: the update interval is controlled by the configuration parameter 'adclient.deploy.report.update.interval'.
  • MFA grace-period applies a pass through duration for multi-factor authentication (MFA) policy for Linux, UNIX, and Windows Servers. You can apply the pass-through duration based on the source and/or target. Once this feature is enabled, an end user will not be re-prompted for MFA credentials once he/she has successfully fulfilled MFA within the set duration.
  • CPU consumption alert: added the capability in Centrify Authentication Service watchdog to emit alert when adclient CPU consumption is above a specified threshold. Use the 'adclient.watch.cpu.utilization.warning.threshold' to configure the threshold value for CPU usage above which cdcwatch will write a WARN message. The default is -1, which means no threshold is set.
  • Centrify smart card support: added the support of smart card login on RHEL 8.
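The periodic WATCH status message described above is meant to be consumed by analytics and SIEM tooling. The following is an added example of such a consumer, written for this page and not Centrify's own code: it parses WATCH lines out of a syslog stream, keeps the latest heartbeat per host, and flags agents that have gone quiet for longer than twice the configured interval as well as hosts whose machine password (LastPasswordSet) is older than a chosen threshold. The Centrify page lists the field names but not the exact message layout, so the key=value layout, the 'CentrifyDCMode' spelling, the timestamps, hostnames and the 30-day password-age threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample syslog excerpt. The real adclient WATCH layout is not shown
# on the Centrify page; the key=value form below is an assumption for this example.
SAMPLE_LOG = """\
2020-09-03T10:00:00Z web01 adclient[1234]: WATCH HostName=web01 DomainName=corp.example.com PreWin2kName=CORP CurrentDC=dc01.corp.example.com PreferredSite=HQ Zone=Global LastPasswordSet=2020-08-20T02:11:00Z CentrifyDCMode=connected LicensedFeature=Enterprise
2020-09-03T10:00:05Z db02 adclient[2345]: WATCH HostName=db02 DomainName=corp.example.com PreWin2kName=CORP CurrentDC=dc02.corp.example.com PreferredSite=HQ Zone=Global LastPasswordSet=2020-05-01T09:30:00Z CentrifyDCMode=connected LicensedFeature=Enterprise
2020-09-03T08:00:00Z app03 adclient[3456]: WATCH HostName=app03 DomainName=corp.example.com PreWin2kName=CORP CurrentDC=dc01.corp.example.com PreferredSite=Branch Zone=Global LastPasswordSet=2020-08-25T12:00:00Z CentrifyDCMode=connected LicensedFeature=Enterprise
2020-09-03T10:01:00Z web01 sshd[999]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# Only adclient lines carrying the WATCH keyword are status heartbeats.
WATCH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) adclient\[\d+\]: WATCH (?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_watch_lines(text):
    """Return one dict per WATCH heartbeat; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = WATCH_RE.match(line)
        if not m:
            continue
        rec = dict(FIELD_RE.findall(m.group("body")))
        rec["_seen"] = parse_ts(m.group("ts"))
        rec["_syslog_host"] = m.group("host")
        records.append(rec)
    return records


def latest_by_host(records):
    """Keep only the most recent heartbeat for each HostName."""
    latest = {}
    for rec in records:
        host = rec.get("HostName")
        if host and (host not in latest or rec["_seen"] > latest[host]["_seen"]):
            latest[host] = rec
    return latest


def find_stale_agents(records, now, interval_seconds=3600):
    """Hosts whose last WATCH message is older than twice the reporting interval."""
    limit = 2 * interval_seconds
    return sorted(
        host for host, rec in latest_by_host(records).items()
        if (now - rec["_seen"]).total_seconds() > limit
    )


def find_stale_machine_passwords(records, now, max_age_days=30):
    """Hosts whose machine account password has not rotated within max_age_days."""
    stale = []
    for host, rec in latest_by_host(records).items():
        age = now - parse_ts(rec["LastPasswordSet"])
        if age.days > max_age_days:
            stale.append(host)
    return sorted(stale)


if __name__ == "__main__":
    now = parse_ts("2020-09-03T10:05:00Z")
    recs = parse_watch_lines(SAMPLE_LOG)
    print("quiet agents:", find_stale_agents(recs, now))
    print("old machine passwords:", find_stale_machine_passwords(recs, now))
```

The staleness window of twice the interval is a design choice: a single missed heartbeat is usually a transient syslog or network hiccup, while two consecutive misses are worth a ticket. In a real deployment the interval argument should match the value set through Group Policy.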

Centrify Authentication Service and Utilities Compatibility Notes
This release of the Centrify Authentication Service Agent for *NIX will work with the following:

  • The latest released Centrify for DB2 and Centrify for Samba.
  • Centrify Audit & Monitoring Agent of Release 2017 or later, except:
    • On AIX and Linux PowerPC platforms, the Centrify Audit & Monitoring Agent must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, the Centrify Audit & Monitoring Agent must be of Release 2018 or later.
  • Centrify OpenSSH of Release 2017 or later, except:
    • On Linux PowerPC platforms, all packages must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, Centrify OpenSSH must be version 2018 or later.

Centrify adedit

  • Added a new option '-notdelegateanyright' to the 'precreate_computer' command. When this option is specified, the command does not set the security descriptor when creating a computer object.

Centrify Access Manager Console

  • Added a column 'Agent Version' in the Centrify Access Manager. Users can now see the Agent version without running a report.
  • Centrify Access Manager can now manage local Windows users and groups. PowerShell cmdlets, and audit trail events are also available for local Windows accounts management. For details, please refer to Administrator’s Guide for Windows.
  • Fixed the self-service join status for computers that have been pre-created. The status is now shown as unjoined.

Centrify Group Policy Management

  • The group policy 'Computer Configuration' -> 'Windows Settings' -> 'Security Settings' -> 'Public Key Policies' -> 'Trusted Root Certification Authorities' is enhanced to validate and not install expired CA certificates to prevent the provisioning of expired certificates.

Centrify Licensing Service

  • Added a compression feature to the Licensing Report notification email. When the size of a Licensing Report is larger than the specified value of the registry key 'ReportNotificationCompressionThreshold' the report will be compressed into a zip file before sending out as the attachment in the notification email.

Centrify Zone Provisioning Agent

  • Enhanced the logic to tolerate a slow network. When accessing the Active Directory objects, the maximum tolerance before logging a performance warning in the Centrify logs is now configurable with a default value of 8 seconds.

For additional (and more detailed information) about the Agent, command-line utility enhancements, tooling improvements, and parameters, please refer to the Centrify Authentication Service release notes document.

What's New in Centrify Privilege Elevation Service for Windows

Agent version is 3.7.0

  • Automatic group provisioning: Centrify Agent for Windows can now automatically add Windows accounts with 'Windows console login' right and/or 'Windows remote login' right to the 'Allow log on locally' policy and/or the 'Remote Desktop Users' local group, if this feature is enabled via a registry setting.
  • Privilege Elevation Mode: decouples the Centrify Authentication Service from the authorization service and allows a user to deactivate the access control mechanisms and deploy only the Privilege Agent for elevation.
  • Alternate account support: Centrify Agent for Windows now allows running applications using the logged-in user’s alternate account configured in the Centrify Privileged Access Service. For details on how to use this feature, please refer to the User’s Guide for Windows.
  • Status updates: Centrify Agent for Windows now emits heartbeat information to the Windows Application log at a controllable interval which can be used by the Centrify Privilege Threat Analytics Service and other SIEM tools for monitoring the Agent’s status and now writes the timestamp information to the Active Directory when the computer is joined to a zone.
  • Windows local user and group management: you can now manage local users and groups on Windows Systems that are joined to a zone in two modes: Detect and Enforce. For details, refer to the Administrator’s Guide for Windows.
  • Starting Release 2020, the 'Endpoint enrollment' feature (also known as 'Zero Sign-On') has been removed from the Centrify Agent for Windows.

Centrify Access Module for PowerShell

  • Added a new switch 'SkipPermissionSetting' in 'New-CdmManagedComputer' command to not set the security descriptor when creating a computer object.
  • Added the support of DN/SID/@/ADComputer to the command 'Get-CdmComputerRole -Computer'.

Centrify Windows SDK

  • Four methods are added to the Centrify Access API to help pre-create computers or computer zones without delegating permissions.

Centrify PuTTY 5.7.0

  • Centrify PuTTY is upgraded from PuTTY v0.71 to v0.73.
  • This includes several security fixes, e.g. CVE-2019-17067, CVE-2019-17068, and CVE-2019-17069.

For additional (and more detailed) information about the Privilege Elevation Service for Windows™, refer to the Agent Release Notes document.


What's New in the Centrify Audit & Monitoring Service (formerly DirectAudit)

Agent version is 3.7.0

  • Status updates: The Centrify Audit & Monitoring Service Agent for *NIX & Windows now sends the following information in addition to the existing payload when sending its heartbeat: offline store size, despool rate, free disk space, AD site name, the status of session auditing, configuration/deployment mode, and status of advanced monitoring.
  • X11 Audit: The Centrify Audit & Monitoring Service now supports Linux Desktop auditing for GNOME (v3) desktop environments on Red Hat/CentOS 6, 7 and 8 platforms.
  • End of session events: new audit trail events that can capture the start of session auditing and end of session auditing actions for an audited user have been added.
  • New Cmdlets: the Centrify Audit Module for PowerShell introduces a new cmdlet, New-CdaInstallation, which administrators can use to create a new Centrify Audit & Monitoring Service installation from a command prompt.

For additional (and more detailed information) about the Centrify Audit & Monitoring Service, please review the Centrify Audit & Monitoring Service release notes.

New Platform Support

Support is added to the following operating system platforms in this release:

  • CentOS 7.8, 8.1, 8.2 (x86_64)
  • Debian 9.12, 9.13, 10.2, 10.3, 10.4, 10.5 (x86_64)
  • Fedora 31, 32 (x86_64)
  • Oracle Linux 7.8, 8.1, 8.2 (x86_64)
  • Red Hat Enterprise Linux 7.8 (x86_64, PPC64, PPC64LE)
  • Red Hat Enterprise Linux 8.1, 8.2 (x86_64, PPC64LE)
  • Ubuntu Linux 20.04 (x86_64, PPC64EL)

To see all platforms in the Centrify Zero Trust Privilege Services within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.

To check whether your platform is at the end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Support Portal Login to access this page.)

August 4, 2020

What's New in Centrify Privileged Access Service 20.4

SSH Key Management

In this upcoming release, we are extending the current SSH key vaulting features beyond key storage and log in.

The existing capabilities will be enhanced to support the following operations:

  • The ability to enable SSH key management, which allows for key rotation.
  • The ability to apply the following policies for the rotation of SSH keys:
    • SSH key rotation interval
    • Minimum SSH key age
    • SSH key generation algorithm
    • Clean-up intervals for retired SSH keys
  • The ability to leverage an account that has an SSH key for System and Account Discovery operations.

Discover Local Accounts with Specific Names

The Centrify Privileged Access Service Discovery tool is getting an upgrade to have a new Actions option that allows rules to be made around what specific local accounts to discover for particular system types.

Multiple account names can be specified by using a comma or semi-colon separated list.

Support for Clipboard Copy and Paste in Web-Based RDP Sessions

The user experience can be enhanced for Centrify Privileged Access Service vault-brokered RDP sessions by allowing for copy and paste of text and images.

  • The ability to enable or disable the clipboard for native and web-based RDP sessions.
  • The ability to copy and paste text and images for web-based RDP sessions while using the following browsers:
    • Google Chrome
    • Microsoft Edge
    • Microsoft Internet Explorer (*text only)

UAC Support for Centrify Client on Windows

End users can now log on to a Windows host machine using a non-privileged account and launch an application as administrator after satisfying UAC using a cloud user's credentials.

Note: The directory user must belong to a role that is mapped to the machine's local administrator group. Role mappings can be configured using the Centrify Client's local group mapping feature, located on the Windows system's Local Group Mapping page.

June 19, 2020

What's New in Centrify Privileged Access Service 20.3

Centrify Hyper-Scalable Privileged Access Service

Our new architecture for Customer Managed Clustering will provide the world’s first “shared-nothing” high availability and on-premises privileged access management (PAM) with cloud-first services.

Centrify Hyper-Scalable Privileged Access Service uses cloud-first technology for customer-managed installs that were honed from our SaaS offering with a web-tier, job scheduler, caching, and load balancing. In turn, it yields the following benefits for customers:

  • Upgrading has zero-downtime and is fully automatable.
  • Easy provisioning and management of cluster resources.
  • Allows for infinite horizontal scale-out.
  • Active-active web, background, and TCP relay nodes.
  • Consolidated diagnostic logging.
  • Continued support for high availability.

Resource Policies for Centrify Privileged Access Service

Sets were introduced in 2017 to improve the manageability of Centrify Privileged Access Service resource objects. In this new release, policies will be applicable to sets of resources. An example of a policy that administrators will be able to apply is multi-factor authentication (MFA) for login to systems on the built-in set of all systems and do the same for requiring MFA for checkout of account passwords.

Policies will be able to be applied to sets of the following resource objects:

  • Accounts
  • Domains
  • Databases
  • Systems
  • SSH Keys
  • Secrets

Easily identify the policy summary and the sources (Default, Global, Set, or Resource Object override).

Inventory of Resources and Users

Administrators will be able to obtain better visibility of Centrify Privileged Access Service resources and users via an enhanced dashboard that accounts for the inventory in the portal. The Resource Counts dashboard will display the systems, databases, accounts, services, clients, and users that are in the service as of the last daily snapshot.

SSH Resource Profile Enhancements

An SSH Resource Profile can be created to define a custom system and specify how Centrify Privileged Access Service should interact with a device that supports the SSH protocol. In the 20.3 release, we will be enhancing the SSH Resource Profiles so that they can be grouped into sets for permissions management. We will also support the ability to import and export these profiles so that they can be shared between different environments. This will be a step towards our future plans of the Centrify Integration Hub, which will be a self-service portal that will allow custom device and application plugins for privileged sessions and password management to be shared by customers, partners, and third-party software vendors in the Centrify community.

Client-Driven Password Reconciliation for Local Accounts

Out-of-sync passwords can interrupt IT operations and impact security. Centrify supports automatic password reconciliation using shared accounts (multi-phase). The Centrify Client will enable the following account operations without reliance on the Centrify Gateway Connector:

  • Password Reset
  • Account Unlock (Only for Windows)
  • Password Rotation
  • Account Status Verification
  • System Connection Verification
  • Proxy Account Management

If both the Centrify Client and the Centrify Gateway Connector are present, the Centrify Client is the preferred reconciliation method, and the service falls back to the Centrify Gateway Connector automatically if client connectivity fails.

Client Delegated Machine Credentials

Centrify Delegated Machine Credentials leverage the OAuth2-based credentials and machine identity of the Centrify Clients for Centrify Privileged Access Service to delegate API access to applications.

  • Uses machine identity to build a strong authenticated relationship with Centrify Privileged Access Service.
  • Brokers out this trust to be utilized by applications and clients for automation and application-to-application password management (AAPM) use cases.
  • Requires a Centrify Client to be enrolled on the target machine with the Centrify Delegated Machine Credentials feature enabled.

May 21, 2020

What's New in Centrify Privileged Access Service 20.2

Centrify External Credential Storage Plugin for ServiceNow MID Server

Solutions, like ServiceNow IT Operations Management (ITOM), make use of the ServiceNow MID Server to perform inventory and orchestration tasks. The Centrify External Credential Storage Plugin is a MID Server integration for ServiceNow's ITOM applications. For example, ServiceNow Discovery can use the account credentials from the Centrify Privileged Access Service vault to scan the network and collect information on Linux, UNIX, and Windows servers in an environment.

This release of the Centrify External Credential Storage Plugin for ServiceNow MID Server will allow:

  • ServiceNow MID Server to retrieve local account credentials from the Centrify Privileged Access Service vault.
  • Secure inventory discovery and orchestration by leveraging vaulted credentials

More information on our partnership with ServiceNow can be found at https://www.centrify.com/partners/zero-trust-network/servicenow/

March 4, 2020

What's New in PAS 20.1

Automatic Password Reconciliation for Local Accounts on UNIX and Linux Systems

Out of sync passwords can interrupt IT operations and impact security. This new feature will extend the support of a privileged local administrative account to reconcile passwords of local accounts on UNIX and Linux, without manual administrative intervention. This will guarantee that Centrify is the single source of truth for passwords used to access infrastructure. Systems with managed local accounts enabled for automatic maintenance will have password updates that happen automatically when the stored credentials don't match the local password on the system.


Centrify Integration Hub (Phase I): SSH Self-Service Resource Profiles

The ability to add thousands of different device types that support the SSH protocol is now supported in the form of SSH Self-Service Resource Profiles. This is the first phase of what will become the Centrify Integration Hub self-service portal for custom device and application plugins. The Centrify Integration Hub with SSH Self Service Resource Profiles will provide the tools necessary to create, test, and validate numerous custom SSH device plugins, called Resource Profiles, in a self-service model. The SSH device profiles will allow for customizations to be made to specific systems and account operations from password management to password reconciliation.

In Phase I of the Centrify Integration Hub, we present the following features for SSH Self-Service Resource Profiles:

  • Resource Profiles for SSH-enabled devices.
  • Provides the ability to define custom system profiles leveraging the Expect framework.
  • Includes support for Credential Verification, Password Rotation, Password Reconciliation, and Proxy Accounts.
  • Delivers an SSH Test Kit for validating functionality.

December 27, 2019

About Centrify Zero Trust Privilege Services

Centrify Zero Trust Privilege Services (formerly Centrify Infrastructure Services or Centrify Server Suite) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Privileged Access Service enables you to discover, manage, and apply policy to account passwords, secrets, as well as access rules for both privileged and unprivileged accounts. PAS also offers centralized access to systems and session auditing when combined with the Audit and Monitoring Service.
  • Authentication Service is a "best of breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Privilege Elevation Service centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX, Linux and Windows systems.
  • Audit & Monitoring Service delivers auditing, logging and real-time monitoring of user activity on your Windows, UNIX and Linux systems.

The net result for thousands of customers who have deployed Centrify Services is increased security, improved compliance and operational efficiencies. Release 19.6 is a major release that contains significant enhancements to security and functionality.

About Release 19.9

Release 19.9 is a minor update; however, it includes key capabilities for customers using the MS PAM component of the Microsoft Enhanced Security Administrative Environment (MS ESAE), customers leveraging Smart Cards on RHEL platforms on Citrix VDA, and the first phase of the modernization of the DirectAudit capabilities.

What's new in the Authentication Service and Privilege Service for UNIX and Linux 19.9

DirectControl Agent
  • Agent version is 5.6.1
  • Enhanced Support for the Microsoft Enhanced Security Administrative Environment (MS ESAE)
    Centrify DirectControl Agent's Microsoft Privilege Access Management (PAM) Privilege Escalation feature is enhanced to support single sign-on (SSO) scenario. Note: After the user has been granted elevation and added to the PAMGroup, the user is required to re-obtain a new ticket-granting ticket (TGT) for SSO login.
  • Smart Card Support for Citrix VDA
    Centrify DirectControl Agent can now integrate with Citrix Linux Virtual Delivery Agent to support smart card login on Red Hat platforms.

DirectControl and Utilities Compatibility Notes

This release of Centrify DirectControl Agent for *NIX will work with the following:

  • The latest released Centrify for DB2 and Centrify for Samba.
  • Centrify DirectAudit Agent of Release 2017 or later, except:
    • On AIX and Linux PowerPC platforms, the DirectAudit Agent must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, the DirectAudit Agent must be of Release 2018 or later.
  • Centrify OpenSSH of Release 19.6.
  • Centrify OpenSSH of Release 2017 or later, except:
    • On Linux PowerPC platforms, all packages must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, Centrify OpenSSH must be version 2018 or later.

Access Manager Console
  • Fixed a security vulnerability that allowed an attacker to perform remote code execution, related to the .NET framework vulnerability detailed in CVE-2012-0161.

Centrify Group Policy Management

  • Added the GP mapper script to distribute the CA Bundle for AIX and HP-UX.

Centrify Report Services

  • Added support for using PostgreSQL instead of MS SQL Server as the database for Centrify Report Services. The version of PostgreSQL must be 11 or above. Please note that Centrify reports cannot be used if the database engine is PostgreSQL.

For additional (and more detailed information) about the agent, command line utilities enhancements, tooling improvements and parameters, refer to the Centrify DirectControl release notes document.

What's new in Privilege Service for Windows™

Agent version is 3.6.1

Security Fixes
  • Fixed a security vulnerability that allowed an attacker to perform remote code execution - related to .NET framework vulnerability detailed in CVE-2012-0161.

For additional (and more detailed) information about the Privilege Elevation Service for Windows™, refer to the Agent Release Notes document.

What's new in the Audit and Monitoring Service

  • DirectAudit now supports auditing of Windows and Linux systems that are enrolled with the Centrify cloud platform and may not be joined to an Active Directory domain.
  • DirectAudit has introduced a new component named "Audit Extension for Centrify Client" which facilitates auditing of Windows systems that are enrolled with the Centrify cloud platform.

Centrify DirectAudit Collector

  • DirectAudit Collector now supports auditing of both Active Directory joined systems and systems enrolled with the Centrify cloud platform using an SSL/TLS based communication channel.

Centrify Audit Analyzer and Session Player

  • The Audit Analyzer console's results pane now displays the audited session's identifier (a.k.a. SessionId) for each of the returned results.

Centrify DirectAudit Agent for UNIX/Linux

  • Centrify DirectAudit Agent for Linux now facilitates auditing of Linux systems that are not joined to an Active Directory domain.
  • '/sbin/shutdown' has been added to the list of nologin shells, nss.nologin.shell.
  • The following programs have been added to the default value of nss.program.ignore: polkitd, abrtd, dbus-daemon, systemd-tmpfiles, systemd-journald and crond.

Centrify DirectAudit Module for PowerShell

  • Centrify Audit Module for PowerShell now supports permanent deletion of audit trail events based on the specified search criteria.

Security Fixes
  • Fixed a security vulnerability that allowed an attacker to perform remote code execution - related to .NET framework vulnerability detailed in CVE-2012-0161.

For additional (and more detailed) information about the Auditing and Monitoring Service, please review the DirectAudit release notes.

New Platform Support

In this release, we have added support for these new platforms:

  • CentOS 7.7 (x86_64)
  • CentOS 8.0 (x86_64)
  • Debian 9.10, 9.11, 10.0, 10.1 (x86_64)
  • Oracle Linux 8.0 (x86_64)
  • Oracle Linux 7.7 (x86_64)
  • Red Hat Enterprise Linux 7.7 (x86_64, PPC64, PPC64LE)
  • Ubuntu Linux 19.10 (x86_64, PPC64EL)

To see all platforms in the Centrify Infrastructure Services within the extended support period, select “SEE ALL PLATFORM VERSIONS” in www.centrify.com/platforms.

To check whether your platform is at the end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Support Portal Login to access this page.)

Notice of Termination of Support

In this release, we are removing support for the following platforms:

  • Fedora 29

This is the last release in which we'll support these platforms:

  • Amazon Linux (2017-09)
  • Debian 8.x
  • Ubuntu 19.04
  • Windows 7
  • Windows 2008R2

For more detailed information about supported platforms and notices of termination, review the lifecycle policies pages https://www.centrify.com/support/customer-support-portal/policies/product-lifecycle/versions/ or review the Zero Trust Privilege Services release notes.

December 17, 2019

New Features - Centrify Privileged Access Service

Automatic password reconciliation for local accounts on Windows systems

Out of sync passwords can interrupt IT operations and impact security. This new feature will extend the support of a privileged domain administrative account to reconcile passwords of Windows local accounts, without manual administrative interaction. This will guarantee that Centrify is the single source of truth for passwords used to access infrastructure. Windows systems with managed local accounts enabled for maintenance will have password updates that happen automatically when the stored credentials are incorrect. In addition, these accounts can also be enabled to be unlocked if they are in a locked state.

Local client support for RDP and SSH on Mac

Macs are first-class citizens in the world of IT administration and require full functionality for remote system management. Centrify adds support for local RDP and SSH clients on Mac. IT admins can launch remote sessions and connect with thick clients installed on their local machine.

Administrative Bulk Actions for Systems and Accounts

Administrators will gain the ability to perform actions on systems and accounts in bulk from the PAS UI.

The following actions will be simple to do on multiple systems and accounts with a few clicks.

  • Delete systems by multi-select
  • Delete systems by manual or dynamic sets
  • Delete, Manage, and Rotate accounts by multi-select
  • Delete, Manage, and Rotate accounts by manual or dynamic sets

Enhanced Support for LDAP

The Centrify Privileged Access Service is extending supportability for generic LDAP servers with the ability to customize LDAP attributes and schemas. LDAP user and group attribute names for non-standard and custom LDAP schemas can be added, mapped, and tested for validity.

Highlights

  • Improved unique identifier support
  • Improved support for LDAP groups
  • Support for password change and resets
  • Improved site awareness using native methods
  • Improved search capability by understanding native methods
  • Validated support for Radiant Logic’s federated identity service, RadiantOne Federated Identity (FID)
  • Support for other LDAP vendors to come in the future

FIDO2 Support for multi-factor authentication

Centrify has supported Fast IDentity Online (FIDO) for years and is a member of the FIDO Alliance. FIDO2 is an authentication standard hosted by the FIDO Alliance. FIDO2 cryptographic login credentials are unique across every website, never leave the user's device, and are never stored on a server. Since FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. This security model eliminates the risks of phishing, forms of password theft, and replay attacks. It also provides better alignment with NIST 800-53 high-assurance authentication controls.

Centrify will be leveraging the WebAuthn API to enable password-less authentication to the Privileged Access Service using either on-device or external authenticators. On-device authenticators are biometric authenticators integrated into the device hardware. Popular examples are Apple Touch ID and Face ID, Windows Hello, and fingerprint scanners. External authenticators are security keys that you plug into the device's USB port; for example, a YubiKey.

What's New 12/17 Img06
Centrify Client Auditing

Auditing for the new generation of Centrify Clients. This new generation of client-based auditing is independent from Active Directory, allowing for more flexible and scalable deployments. This release brings the following benefits:

  • Deploy the Audit and Monitoring agent on the Centrify Client for Windows or Linux without Active Directory (AD)
  • Secure data path over HTTPS
  • Improved ability to deploy Auditing in DMZs or IaaS where AD is not available
What's New 12/17 Img07
Offline Login on Centrify Client for Windows

The Centrify Privileged Access Service introduces a new permission called “Offline Rescue” to improve the availability controls for Windows systems. This permission allows an end user to use a passcode to log into a system that is offline.

  • OTP settings for key algorithm, number of digits, and counter period can be configured
  • The offline passcode can be retrieved from the system properties
  • Support for UNIX/Linux to come in the future
What's New 12/17 Img08
What's New 12/17 Img09

September 12, 2019

About Centrify Zero Trust Privilege Services

Centrify Zero Trust Privilege Services (formerly Centrify Infrastructure Services or Centrify Server Suite) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Privileged Access Service enables you to discover, manage, and apply policy to account passwords, secrets, as well as access rules for both privileged and unprivileged accounts. PAS also offers centralized access to systems and session auditing when combined with the Audit and Monitoring Service.
  • Authentication Service is a "best of breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Privilege Elevation Service centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX, Linux and Windows systems.
  • Audit & Monitoring Service delivers auditing, logging and real-time monitoring of user activity on your Windows, UNIX and Linux systems.

The net result for thousands of customers who have deployed Centrify Services is increased security, improved compliance and operational efficiencies. Release 19.6 is a major release that contains significant enhancements to security and functionality.

What's new in the Authentication Service and Privilege Service for UNIX and Linux 19.6

Special Note on FIPS Mode

As part of this release, we updated the OpenSSL library, which is not yet FIPS-validated by the supplier. When OpenSSL releases a FIPS-certified version, Centrify will QA it and subsequently issue an update. Until then, Centrify recommends that customers relying on FIPS-certified products should not upgrade to this release version.

Open Source and Shared Component Upgrades
DirectControl Agent
  • Agent version is 5.6.0
  • Added a feature to the DirectControl Agent installer for Ubuntu to support the adapter library /lib/i386-Linux-gnu/, which hosts all 32-bit libraries on a 64-bit Ubuntu host.

Command Line Utilities

  • adcdiag improvements:
    • Improved timestamps when probing connectors.
    • New 'adclient.cloud.connector' parameter to limit the probes to specific connectors.
    • Added the option "adcdiag -z" to display the Centrify Identity Platform configurations for the joined zone.
    • Added the option "adcdiag -l connectors -I <tenantid>" to show the connectors for the specified tenant ID only.
    • Added the qualifier "-d, --visible" for the "-l instances" or "-l connectors" option in adcdiag to show only the instances or connectors that are visible to the DirectControl agent.
  • adcheck has been enhanced to verify whether the name service cache daemon (nscd) is installed on the system.
  • adjoin now supports parallel execution when using the --precreate command to pre-create computers in a zone during provisioning.
  • adjoin and adleave support automatic sasauth PAM configuration update.
  • adkeytab now supports an --interactive switch along with the --adopt command as an alternative to --newpasswd, to avoid entering a password in clear text on the command line.
  • adleave improvements:
    • Two new options remove role assignments from the computer zone, or the computer zone itself, when leaving a zone:
      • -o, --removecomputerzone, to remove the computer zone from Active Directory.
      • -O, --removemachinescope, to remove the DirectAuthorize scope from Active Directory.
    • Added the option -k, --removekeytab to the adleave command to remove the krb5.keytab file on a successful leave. Without this option, adleave only cleans up keytab entries but does not remove the key table file.
  • adsyncignore improvements:
    • New --case option to do case-sensitive comparisons of AD user/group names. By default, comparisons are case-insensitive.
    • New --dzcache option as a performance improvement. When this option is specified, adsyncignore uses the DZ cache from the DirectControl agent instead of walking the zone tree to check user visibility in the joined zone. This usually improves performance, especially when there are many role assignments and many users who have complete UNIX profiles but no role assigned.
  • adedit improvements:
    • Added an option '-notdelegateanyright' for the adedit 'create_zone' command. By default, the switch is false, which preserves the previous behavior. If the switch is on, 'create_zone' will not set any security descriptor on the newly created zone object.
    • Added support for a new zone field 'tenantid' for hierarchical zones in the adedit 'get_zone_field' and 'set_zone_field' commands.
  • Behavior change: DirectControl command line utilities run by non-root users now write kset files to /tmp instead of /var/centrifydc/user. The directory /var/centrifydc/user is now obsolete.
DirectControl and Utilities Compatibility Notes

This release of Centrify DirectControl Agent for *NIX will work with the following:

  • The latest released Centrify for DB2 and Centrify for Samba.
  • Centrify DirectAudit Agent of Release 2017 or later, except:
    • On AIX and Linux PowerPC platforms, the DirectAudit Agent must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, the DirectAudit Agent must be of Release 2018 or later.
  • Centrify OpenSSH of Release 19.6.

As Centrify Deployment Manager is already discontinued after Release 18.11, Deployment Manager cannot deploy this release of Centrify DirectControl Agent for *NIX.

Notes for the OpenSSL libraries update

(*) OpenSSL and OpenSSH: This is a major upgrade from v1.0.2 to v1.1.1, which means the internal OpenSSL library and APIs are not backward compatible. For this reason, Centrify OpenSSH is also upgraded and is now based on OpenSSH v7.9p1. Several algorithms (EVP_sha, EVP_dss, EVP_dss1, EVP_ecdsa) are deprecated in OpenSSL v1.1.1 and hence are no longer supported by our products, e.g. adcert, in this release.

(**) FIPS Mode: There is no FIPS mode support in this version. That means all affected Centrify products will not support FIPS mode in this release. For example, the DirectControl agent will ignore the FIPS-mode-related group policy 'Use FIPS compliant algorithms for encryption, hashing and signing' and the centrifydc.conf parameter 'fips.mode.enable'.

Centrify-enhanced OpenSSH
  • Added a feature to allow remote root execution of commands without allowing remote login by root. Note: Please contact Centrify Support if you want to use it.
  • Added a new option GSSAPIKexAlgorithms in ssh_config and sshd_config to specify the list of key exchange algorithms that are accepted by GSSAPI key exchange. Possible values are gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-. The default is 'gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-'. This option only applies to protocol version 2 connections using GSSAPI.
Access Manager Console
  • Implemented the ability to export single zone info (roles and rights) without identifiable environment info and to import such exports in the new environment.
  • Added the console support to manage AIX extended attributes of users, groups, local users, and local groups.
  • Added console support for the alternate nisNetGroup from the RFC2307 schema. Access Manager now shows one more node, named 'NIS NetGroups (RFC2307)', under each zone's 'UNIX Data' node. Users can use RFC2307-schema nisNetGroup Active Directory objects to manage NIS netgroups under this new node for larger groups without worrying about the 1024-character limitation. Sample C# programs and PowerShell scripts are also provided in the Centrify Access SDK to show how to manage this feature. Note: The usage of this nisNetGroup is controlled by the parameter 'ldapproxy.netgroup.use.rfc2307nisnetgroup' in the slapd.conf of the Centrify OpenLDAP Proxy.
  • Added the console support in the Platform tab of the Zone Properties page to manage both the Centrify Identity Platform instance (tenant) ID and URL.

Centrify Access Module for PowerShell

  • Added a switch 'SkipPermissionSetting' in the cmdlet 'New-CdmZone' to not set the security descriptor when creating a zone. Note: This switch does not work on SFU zones yet.
  • Added a parameter 'Computer' in the cmdlet 'Get-CdmComputerRole' to get a list of computer roles for a specified computer from the zone hierarchy.
  • Added in the cmdlet 'Set-CdmRoleAssignment' the ability to update the description of a role assignment, and, similarly, in another cmdlet 'Get-CdmRoleAssignment' the ability to get the description of a role assignment.
  • Added a switch 'OverrideZPA' in the cmdlets 'Remove-CdmUserProfile' and 'Remove-CdmGroupProfile' to allow users to remove user and group profiles when auto-provisioning for profiles is enabled.
  • Added a parameter 'TenantId' to the cmdlets 'New-CdmZone', 'Set-CdmZone' for users to set the 'TenantId' property for a zone and added a property 'TenantId' to the 'CdmZone' object.
Centrify Group Policy Management
  • Added a selection of the populating location in the group policies 'Specify user names to ignore (lookup)' and 'Specify group names to ignore (lookup)' to choose whether to populate the user/group names directly into the Centrify DirectControl configuration file or into the user/group ignore files. The default is the Centrify DirectControl configuration file.
  • On Solaris, added a Group Policy to install AD certificates to the standard system certificate store.
Centrify Zone Provisioning Agent
  • Added an event log message to show the summary of a provisioning process. The summary information includes the start time, end time and elapsed time of the provisioning process, the count of objects provisioned and the count of objects de-provisioned.

For additional and more detailed information about the agent, command line utilities enhancements, tooling improvements and parameters, refer to the Centrify DirectControl release notes document.

What's New in Privilege Service for Windows™ 19.6

Agent version is 3.6.0

Command Line Utilities
  • The dzleave CLI now accepts an option to remove the role assignment from the computer zone information in Active Directory.
Privilege Elevation MFA now supports RADIUS

This capability is being introduced to assist organizations wanting to leverage their existing MFA provider not for authentication but for Privilege Elevation on Windows (Run with Privilege, New Desktop). Note that this capability is not available for the RunAsRole.exe utility. Configuration is performed via Group Policy and RADIUS secrets via Centrify DirectAuthorize PowerShell Module.

Centrify DirectAuthorize PowerShell Module

Provides these cmdlets:

  • Join-CdmZone for joining a Centrify Zone. This command supports the Windows SecureString (PSCredential) class for improved automation in public and private clouds.
  • Exit-CdmZone for leaving a Centrify Zone. This command supports the Windows SecureString (PSCredential) class for improved automation in public and private clouds.
  • Set-RadiusSecret for provisioning the RADIUS secret in each independent system for MFA on Privilege Elevation via RADIUS.
Behavior Change

The DirectAuthorize Windows agent now supports finding the tenant and connectors by Tenant ID. For machines that are joined to a zone, use Access Manager to specify the tenant ID on zone properties. For machines not joined to a zone, use the GP "Specify the Platform Instance ID to use (when the agent is not joined to a zone)" to specify the tenant ID, or use Agent Configuration Panel to set the tenant ID when adding the identity platform service.

For additional and more detailed information about the Privilege Elevation Service for Windows™, refer to the Agent Release Notes document.

What's New in the Auditing and Monitoring Service 19.6

Centrify DirectAudit Collector
  • Updated the encryption algorithm used in communications to Audit Collectors from 3DES to AES.
  • Upgraded the compression library (QuickLZ) to the latest stable version.
Centrify Audit Analyzer and Session Player
  • Session player now generates audit trail events when user starts playing a session.
  • Session player now allows auditors to update the review status of the audited session.
Centrify Agent for Windows
  • Updated the encryption algorithm used in communications to Audit Collectors from 3DES to AES.
  • Upgraded the compression library (QuickLZ) to the latest stable version.
DirectAudit Compatibility Notes

The minimum Centrify DirectControl Agent for *NIX version required by this version of the service is 5.4.0 (Release 2017) with the following exceptions:

  • On AIX and Linux PowerPC platforms, the Centrify DirectControl Agent must be Release 2017.3 or later.
  • On Solaris x86 and SPARC platforms, the Centrify DirectControl Agent must be Release 2018 or later, because the Solaris x86 packages have been changed to 64-bit in this release. The packages still provide 32-bit libraries to work with 32-bit programs.

For additional and more detailed information about the Auditing and Monitoring Service, please review the DirectAudit release notes.

New Platform Support 19.6

In this release, we have added support for these new platforms:

  • Debian 9.7, 9.8, 9.9 (x86_64)
  • IBM VIOS 3.x (PPC)
  • Red Hat Enterprise Linux 8 (x86_64, PPC64, PPC64LE)
  • Ubuntu Linux 19.04 (x86_64, PPC64EL)
  • Windows Server 2019 (LTSC)

To see all platforms in the Centrify Infrastructure Services within the extended support period, select “SEE ALL PLATFORM VERSIONS” in www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Support Portal Login to access this page.)

Notice of Termination of Support 19.6

In this release, we are removing support for the following platforms:

  • Fedora 28
  • IBM VIOS 2.x
  • Ubuntu 14.04 LTS
  • Ubuntu 18.10

This is the last release in which we'll support these platforms:

  • Amazon Linux (2017-09)
  • Debian 8.x
  • Fedora 29
  • Ubuntu 19.04
  • Windows 2008R2
  • Windows 7 (x64)

For more detailed information about supported platforms and notices of termination, please review the Zero Trust Privilege Services release notes.

Centrify DirectSecure

From release 20.1 and onwards, Centrify DirectSecure will be completely deprecated and the following changes will be implemented:

  • DirectSecure will not be updated beyond the 5.4.2 version (2017.2 release).
  • Core Support for version 5.4.2 will be provided until October 2020.
  • Extended Support for version 5.4.2 will be provided until October 2022.
  • Beyond these support packages, there will be no further releases or support.
Alternatives for Centrify DirectSecure

Unfortunately, there are no other recommended alternatives for DirectSecure provided by Centrify.

New Features - Centrify Privileged Access Service 19.5

Privileged Access Request application update for ServiceNow’s New York release

The ServiceNow integration for PAS enables IT users to request temporary or permanent access to the specific systems or network devices they need to manage, checkout the password, or request a new role assignment associated with a specific resource from the ServiceNow asset management database. This release updates the certification of the integration for the most recent ServiceNow release, New York.

Centrify Support Diagram 1
Documentation enhancements for integrating with Okta and Azure Active Directory Identity Providers

Integrations with Identity Providers can allow for federated user authentication from other directory sources into Centrify Privileged Access Service. This release will include documentation on how to configure SAML-based single sign-on for integrating the Privileged Access Service with both Okta and Microsoft Azure Active Directory.

Centrify Support Diagram 2

June 28, 2019

What’s New in Centrify Privileged Access Service 19.4

New Features -Centrify Privileged Access Service
Enhancements for an easy onboarding experience

Improvements to the existing Quick Start wizard, which include a Getting Started wizard for easy onboarding. System administrators will be guided through Connector installation and an import of up to 20 systems.

  • Allows for a quick discovery of Active Directory-joined Windows servers
  • Supports the option to discover and manage the local administrator accounts
 
Whats New 19.4 Image 001
 

Improved VMWare Support

We are improving our support for VMWare VMkernel systems and accounts. In this release, we will add the functionality of managing local accounts for VMKernel on ESXi hypervisor versions 5.5 and higher.

  • Enables shared account password management on VMWare VMkernel systems
  • Allows remote login access to VMWare VMkernel systems with account credentials and SSH keys
 
Whats New 19.4 Image 002
 

We are also enhancing the VMWare vSphere client desktop application. This will allow login to VMWare vSphere via vaulted account credentials and SSH keys using the desktop application.

 
Whats New 19.4 Image 003
 

Improved Database Performance

Performance at enterprise scale is a feature. Improved PAS architecture and queries for PostgreSQL enable fast page loads and queries for enterprise scale resource and account loads.

  • Orders of magnitude improvements for page loads and database queries
  • Scales to large enterprise deployment scale
  • Requires upgrade to version 19.4 database

If you are a customer using Centrify cloud service, no action is needed. These enhancements will be part of the 19.4 deployment.

For customers who are using on-premises deployment, please follow:
https://centrify.force.com/support/Article/KB-11818-How-To-Enable-FastDB-on-Customer-Managed-Privilege-Access-Service-PostgreSQL-Database to enable the feature.

 

The return of minutes in windowed workflow requests

The ability to specify windowed workflow requests in intervals of minutes instead of hours is coming back to the Privileged Access Service. This allows users to specify their just-in-time login and checkout access requests down to the minute for granular time selection.

 
19.4 Workflow – Windowed Login Request by Minute
Whats New 19.4 Image 004
 
19.3 Workflow – Windowed Login Request by Hour
Whats New 19.4 Image 005
 

Extended support of account soft locks for Active Directory and LDAP

In order to prevent Denial of Service (DoS) attacks, we are extending the account lock capabilities of our Centrify Directory Users to Active Directory (AD) and LDAP Users. This feature sets a soft lock in the Privileged Access Service for an account that has exceeded a set number of consecutive invalid login attempts. The locked account is then prevented from accessing Centrify services. The maximum number of consecutive bad password attempts, the capture window, and the lockout duration before a password re-attempt is allowed can be customized to a policy level below the AD or LDAP policy threshold.
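The soft-lock behaviour described above, as an added illustrative model that is not Centrify's code: a per-account counter with a capture window and lockout duration, with the PAS threshold set below the directory's own threshold so that a burst of bad passwords is absorbed before the directory counter can reach its lockout. The thresholds, the account name and the class names are constructed for the example.

```python
"""
Illustrative model of a PAS-style "soft lock" placed in front of a directory
(AD or LDAP). Constructed example: the data structures, thresholds and the
account name are assumptions for illustration, not Centrify's implementation.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional


@dataclass
class SoftLockPolicy:
    max_attempts: int      # consecutive bad attempts tolerated inside the window
    window_seconds: int    # capture window for counting bad attempts
    lockout_seconds: int   # how long the account stays soft-locked


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of bad attempts
    locked_until: Optional[float] = None


class SoftLockTracker:
    """Tracks failed logins per account and refuses to forward further
    attempts to the directory once the policy threshold is reached."""

    def __init__(self, policy: SoftLockPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        # lockout duration elapsed: clear the lock and the failure history
        st.locked_until = None
        st.failures.clear()
        return False

    def record(self, user: str, password_ok: bool, now: float) -> str:
        """Record the directory's verdict for an attempt that was forwarded."""
        st = self._state(user)
        if password_ok:
            st.failures.clear()      # a good login resets the consecutive counter
            return "OK"
        st.failures.append(now)
        cutoff = now - self.policy.window_seconds
        while st.failures and st.failures[0] < cutoff:
            st.failures.popleft()    # drop attempts outside the capture window
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            return "LOCKED"
        return "FAILED"

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Full path for one login attempt. A locked account is rejected
        before the directory is consulted, so its directory counter does
        not move, even when the supplied password is correct."""
        if self.is_locked(user, now):
            return "LOCKED"
        return self.record(user, password_ok, now)


def simulate_bad_password_burst(policy: SoftLockPolicy, directory_threshold: int,
                                attempts: int, spacing: float = 1.0) -> dict:
    """Replays `attempts` consecutive wrong passwords against one (constructed)
    account and reports how many reached the directory and whether the
    directory's own lockout threshold would have been hit."""
    tracker = SoftLockTracker(policy)
    user = "svc-backup"                  # constructed account name
    forwarded = 0
    for i in range(attempts):
        now = i * spacing
        if tracker.is_locked(user, now):
            continue                     # absorbed by the soft lock
        forwarded += 1
        tracker.record(user, False, now)
    return {
        "forwarded_to_directory": forwarded,
        "directory_locked": forwarded >= directory_threshold,
        "soft_locked": tracker.is_locked(user, attempts * spacing),
    }


if __name__ == "__main__":
    # Constructed thresholds: the directory locks at 5, PAS soft-locks at 3.
    pas_policy = SoftLockPolicy(max_attempts=3, window_seconds=300, lockout_seconds=900)
    print(simulate_bad_password_burst(pas_policy, directory_threshold=5, attempts=10))
```

With the PAS threshold below the directory threshold, the directory account stays usable for legitimate logins through other paths while the PAS-side lock holds, which is the denial-of-service case the paragraph is about.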

 
Whats New 19.4 Image 006
 
 
Whats New 19.4 Image 007
 
Whats New 19.4 Image 008
 

Enhanced support for Federated Login

Light Federation allows for federated users to be mapped to existing non-federated directory users in a Centrify tenant. Federation can now be configured to make account mapping disabled, optional, or required for users that are coming from an external source directory (A Federated Centrify Directory, A Federated Idaptive Directory, A Federated Active Directory). This feature will enable users to be provisioned with access rights into the Centrify Privileged Access Service (PAS) before they login for the first time. With the enhanced Light Federation support, customers will receive the following:

  • Support for granting PAS administrative rights to federated users by giving those rights to an existing mapped directory service account.
  • Support for optionally creating a Centrify Directory user when there is no existing account to map.
  • Support for synchronizing federated user attributes with a mapped user’s attributes.
  • Support for adding existing mapped users to federated groups.
  • Support for access policies that control multi-factor authentication (MFA).
  • Support for OAuth credentials for non-interactive federated authentication, which is primarily a feature that is used for Centrify PAS Client authentication.
 
Whats New 19.4 Image 009
 

New Centrify Privileged Access Service (PAS) Client for Windows

The new Centrify Client for Windows works with the PAS platform to provide brokered authentication to Windows systems. By using the common code of the Centrify Client for Linux, we are able to achieve synergy between PAS clients. This client is lightweight, easy to deploy, and ideal for customers that have IaaS or DMZ use cases. The following benefits will be provided with the client for Windows:

  • Multi-directory support (AD, LDAP, Google, and Centrify Directories)
  • Conditional Access
  • Multi-step and Multi-factor Authentication
  • Password-less login with “Use my Account”
  • CLI Tooling to interact with PAS
  • Local Group Mapping
 
Whats New 19.4 Image 010
Whats New 19.4 Image 011
 
Whats New 19.4 Image 012
 
 
Whats New 19.4 Image 013
 
 
 

April 16, 2019

What’s New in Centrify Privileged Access Service 19.3

Privileged Access Request application update for new ServiceNow releases

The ServiceNow integration for PAS comprises support for access request to PAS systems, PAS accounts and Zone roles in an Active Directory domain using a ServiceNow workflow. This release updates the certification of the integration for recent ServiceNow releases.

Centrify Integration for ServiceNow is now certified on:

  • ServiceNow London release
  • ServiceNow Madrid release
 
Privileged Access Request Image
 
 

March 8, 2019

What’s New in Centrify Privileged Access Service 19.2

PAS Integration with SailPoint IdentityIQ PAM Module

Combining role-based access control with attestation and remediation from the industry leaders – Centrify and SailPoint

SailPoint IdentityIQ is the industry-leading IAM application focusing on attestation and remediation, access request, and user provisioning.

Centrify’s integration with SailPoint enables organizations to accelerate the adoption of crucial governance and compliance processes for identity and access management.

  • Provisioning users into Centrify PAS Roles or Sets
  • SailPoint PAM Module containers map to Centrify PAS Roles and Sets
    • Provision users into Centrify PAS Roles
    • Grant user permissions on Centrify PAS Sets
  • Attestation of user rights and permissions from PAS
 
Whats New 3/8/19 Image 1
 

Use and manage secrets in an RBAC hierarchy

Role-based access control is the proven methodology for managing distributed access to critical information. Centrify adds an RBAC hierarchy to file and text secrets.

  • Define who can edit and use Secrets within a Secret and folder hierarchy
  • You control:
    • The hierarchy (‘Secret and folder’)
    • Who can edit/use Secrets in which folder
    • Who can create/delete new folders in the hierarchy
    • Who can move Secrets and folders
  • Virtually unlimited namespace for Secrets
  • Standard for managing Secrets in DevOps
    • Secure API access to hierarchy and Secrets
 
Whats New 3/8/19 Image 2

SailPoint IdentityIQ connector integration enhancements

For customers who enable self-service for their users within SailPoint IdentityIQ, the Centrify Connector Integration offers unique value for self-service access request to systems and accounts managed by PAS.

The connector integration is enhanced to enable access request to Centrify Zone roles, in addition to resources and accounts managed by PAS.

Access request from within SailPoint IIQ to:

  • Centrify Zone roles
    • Writes new Zone information to Active Directory
    • User access updates based on agent settings
 
Whats New 3/8/19 Image 3

New UI for system and account tiles in old User Portal

The new Centrify PAS user interface puts a laser focus on managing your IT infrastructure. IT system and account logins for low privileged users (such as Help Desk) now appear in a user Workspace.

User Portal tiles for PAS systems and accounts are migrated into a new Workspace user interface.

  • New “My System Accounts” table in the user Workspace
  • Automatically migrates existing tiles
  • Portal Login permission is changed to Workspace Login
    • Accounts with this permission will appear in the user Workspace
  • Enables users without PAS administrative rights to access systems and accounts
    • Minimizes user interface for these users
 
Whats New 3/8/19 Image 4
 

New Features - Centrify Infrastructure Services

The 19.2 release of infrastructure services contains enhancements to use the LDAP proxy to access NIS Netgroups from RFC2307 data in Active Directory and some Kerberos enhancements.

 
 

January 28, 2019

What’s New in Centrify Privileged Access Service 19.1

Force rotation of account passwords

Security incidents may require an immediate update to all, or a selection of, an organization’s managed account passwords.

  • Enable PAS administrators to rotate managed account passwords on demand.
  • Select from Managed Accounts list
  • Starts password rotation job immediately
  • Email notification when job is complete
  • Activity and job history status of all password rotations
  • Independent of scheduled password rotation policy
 
Rotate Password Screenshot
 
Force Rotation of Account Passwords Screenshot
 

Escrow encrypted password catalog

Secure, encrypted catalog for operational recovery of infrastructure supporting the solution.

In parallel with HA/DR, keep an optional daily backup of your passwords.

  • Encrypted file (CSV)
  • All account passwords
  • Intended for highly privileged administrators
  • OpenPGP key
  • Encrypted file e-mailed on a periodic daily schedule
  • Configured through the REST API
 

December 18, 2018

What's New in Centrify 18.11

NEW CENTRIFY INFRASTRUCTURE SERVICES FEATURES:

Linux and UNIX
  • The Centrify SMB stack has been upgraded to support SMBv3. This enables the agent to retrieve group policies or files from SMB shares configured with that level of encryption.
  • New mechanisms to prevent forged host tickets (a.k.a. "silver ticket" attacks).
  • New extended support for the NSS mail aliases on zone enabled AD users.
  • Enhanced the Multi-Factor Authentication performance to prefer connectors in the same subnet and then in the same Active Directory site.
  • Solaris improvements
    • Alternate password hash for Solaris disabled users are now supported.
    • MIT Kerberos commands, or programs linked with the MIT Kerberos library (release 1.13 or above), can now interoperate with the Centrify KCM service on Solaris.
  • Improvements to Audit Trail
    • New Centrify-enhanced sudo audit trail events for dzdo command execution starts/ends.
    • New Kerberos audit trail events for KCM Kerberos credential access.
  • Improvements to CLI tooling (adinfo, adjoin, adleave).
  • Added the support in zone property pages to allow users to specify the domain prefix IDs to improve entropy for UID and GID generation.
 
Centrify Agent for Windows™
  • Justification for Privilege Elevation and ITSM Validation.
  • New capability to specify an alternative Centrify Zone user for Privilege Elevation (Run with Privilege/New Desktop).
  • YubiKey is now supported as a second factor for offline login.
  • New integration with McAfee Endpoint Drive Encryption software that enables features such as Auto Pre-boot and Password Synchronization.
  • Enhanced the Multi-Factor Authentication performance to prefer connectors in the same subnet and then in the same Active Directory site.
  • Diagnostics are now accessible from the Centrify systray.
  • Improved tooling (dzinfo.exe, dzleave.exe).
 
Direct Audit
  • New system platform affinity allows for the separation of Windows or UNIX session and event data into different audit stores.
  • The default database shipped with the product has changed to Microsoft SQL Server Express 2016.
 
Centrify Cloud Agent for Windows™ Preview
  • Leverage connected directories (Active Directory, LDAP, Google Directory or Centrify Directory) to provide brokered authentication to stand-alone Windows systems.
  • Multiple access methods: Direct, Gateway-based via RDP Client, Gateway-based using Web Client.
  • Password-less Web RDP access with “Use My Account” feature.
  • Multi-step/Multi-factor authentication policy.
  • Conditional Access Rules.
  • Role to Windows Group Mapping.
 
Utilities and Open Source Components
  • LDAP Proxy utility extended to support the critical extension flag “!” to allow for paged results.
  • Centrify Reports now can deploy pre-canned reports onto any accessible SQL Service Reporting Services.
  • Updates to Centrify OpenSSL (now based on OpenSSL 1.0.2o) and Centrify cURL (now based on cURL 7.61.1).
 

NEW CENTRIFY INFRASTRUCTURE SERVICES FEATURES:

  • Better support for just-in-time access with a new control to disallow permanent grant of permissions in the access request workflow
  • Update to SSH library for improved security
 

NEW CENTRIFY APPLICATION SERVICES FEATURES:

  • Box de-provisioning. Option to transfer content to admin account in addition to previously supported de-provisioning options.
  • Password Complexity Settings. Adhere to NIST standard (NIST 800-63B)
  • Customized Privacy Policy and Terms of Use. Allow customer to have custom links to their privacy policy and terms of use.
  • ADFS MFA Plugin (Beta only). Centrify’s MFA plugin for ADFS 3.0.
  • SCIM server APIs. CRUD for user/group resources.
  • Custom MFA Phone Messages. Allows the customer to customize the audio messages for phone calls related to MFA
  • Mandatory Setup of MFA (require end users to set up MFA). Allows administrators to force and ensure end users have setup required MFA factors at first portal login
 

NEW CENTRIFY ENDPOINT SERVICES FEATURES:

  • iOS - Show a custom message on Lock screen: Device lock MDM command (Lock Screen action) supports custom message (both iOS/Mac) and Phone number (iOS).

For a complete set of new features, please review the Centrify Cloud 18.11 Release Notes and Infrastructure Services 18.11 Release Notes.


November 12, 2018

What's New in Centrify 18.10

What's New in Centrify
Privileged Access Service 18.10

BETTER SUPPORT FOR JUST-IN-TIME ACCESS AND APPROVAL

Many organizations are moving to a model of just-in-time access and approval. Centrify supports this model with new controls to prohibit permanent entitlements in the request and approval process.

 
Security Settings Screenshot
 

Disallow approvers the option to grant permanent entitlements.

  • Applies to all access request and approval processes
    • Password checkout or SSH key retrieval
    • Remote management sessions
  • Approvers can grant only time-bound access to accounts and systems
  • Global switch applies to all approval processes
    • Simple to enact and prove to auditors
 
REMOTE SESSIONS AT SCALE FOR CUSTOMER-MANAGED INSTALLATIONS

Distributed connector architecture and direct-to-target session brokering ensures performance at enterprise scale.

 
Remote Sessions Diagram
 

Enable the use of local SSH/RDP clients and disallow session streaming through the Web tier.

  • Forces remote management session data path direct from user workstation to connector to target system
    • Removes the Web tier from the data path
    • Scale management sessions by adding connectors
  • Global switch disallows use of browser-based SSH/RDP and brokers session out of the Web tier
  • Logging and auditing fully supported
 
SYSTEM, APPLIANCE AND DATABASE SUPPORT FOR SHARED ACCOUNTS

Continuous improvement in coverage of local account management for systems, appliances and databases, and secure remote access for systems and appliances.

 
System, Application, and Database Diagram
 

Multi-tenant Oracle

  • Manage database account password on Oracle Database 12c multi-tenant architecture
  • Standalone database only

October 25, 2018

What's New in Centrify 18.9

New Centrify Privileged Access Services Features:

Manage connections and passwords for desktop apps

For organizations who require external controls on desktop application and database clients, Centrify controls the accounts and target connections the client can access.

Control the users and accounts that can access your systems and databases through thick clients such as TOAD.

Thick clients — Windows desktop applications — run on a secure proxy.

 
Manage Connections and Passwords Diagram
 

You control:

  • Who can log into the proxy
  • What thick client application they can run
  • What the client can connect to
  • What account the client uses to connect

Sessions are audited (recorded)

Users can create custom templates for apps that:

  • Support running in Windows Remote Desktop Services for Windows Server 2012 R2 and 2016.
  • Allow command line parameters for account credentials and, optionally, target systems (such as databases).

Pre-defined templates are provided for:

  • Microsoft SQL Server Management Studio
  • TOAD for Oracle
  • VMware vSphere Client

Network-based discovery of local privileged accounts

Managing local privileged accounts can be a challenge for even the best IT teams. New discovery features help you find local privileged accounts and manage their passwords.

 
Managing Local Privileged Accounts Diagram
 

Use Centrify to automatically find, import, and manage local privileged accounts.

  • Find and scan systems for local privileged accounts by network subnet
  • Uses the same robust architecture and features as network system discovery
  • Automatically import local accounts
  • Take local account passwords under management
  • New bulk selection, i.e. “multi-select”

Discovered local accounts are automatically placed into sets. Accounts that are members of a Windows built-in/Administrators group (local administrator) can optionally be added to a separate set, making it easy to discover and view Windows local accounts that have very high privilege.

 
System and device login using SSH keys

For organizations who use SSH keys for access to systems, Centrify supports storing and using SSH keys for login.

 
System and Device Login Diagram
 

Control the users and accounts that can access your systems through SSH keys.

  • Any account can use either a password or an SSH key, but not both
  • Access requests for accounts that use SSH keys are fully supported
  • PAS accepts private keys in PEM format; supported key algorithms include DSA
 
Additional Enhancements

Time stamps were added to the log output of the diagnostic PowerShell scripts in customer-managed installations.

For customer-managed installations, a new process for obtaining the APNS certificate ensures that these customers will receive a unique CSR from Centrify, and a unique APNS certificate from Apple.

A change to the SailPoint IdentityIQ integration with PAS enables the creation of a tile on the PAS User Portal after an access request has been approved within IIQ.

 

New Centrify Application Services Features:

  • MFA Redirect Phase 1: Allows an admin or user who holds multiple accounts, potentially in different domains, to satisfy MFA from one of those accounts
  • CBE Improvements: The Centrify Browser Extension is now provided for all four supported browsers, making it easier to access apps
  • SAML script editor: The editor now includes inline hints, autocomplete, and onscreen help to make it easier for customers to write SAML scripts
  • DevOps applications category: This new applications category in the apps catalog enables customers to easily set up SSO for popular DevOps CI/CD apps
  • AWS CLI Utilities: We now offer Python and PowerShell CLI utilities for both admins and users to access Amazon Web Services (AWS) by leveraging Centrify Identity Services
  • Time-based workflow for mobile and desktop: Customers can now reduce risk by requesting and granting access to apps only during a given time window
 

New Centrify EndPoint Services Features:

  • Delegated Administration: Customers can now implement policy sets for endpoints and mobile devices, so that devices are added to and removed from sets dynamically based on changes to the device's attributes.
  • O365 conditional access: Exchange Online (O365) and MDM administrators can now ensure that no one can access company mail from a mobile device unless that device is enrolled in MDM with the Centrify MDM solution.

For details see Centrify Cloud 18.9 Release Notes.
 


OCTOBER 9, 2018

Centrify to Focus on Zero Trust Privilege, Spins out IDaaS Business as Idaptive

Centrify announces the spinout of its IDaaS business into a new company called Idaptive to better serve its customers and partners.

Centrify and Idaptive will operate as independent, affiliated companies beginning in January 2019. This strategy doubles down on two distinct areas of enterprise security – Privileged Access Management and IDaaS – with dedicated resources to optimize focus, efficiency and growth.

  • Centrify is sharpening its strategic focus on redefining the legacy approach to Privileged Access Management (PAM) with cloud-ready Zero Trust Privilege to stop the leading cause of breaches – privileged access abuse.
  • Idaptive will deliver Next-Gen Access to protect employees, partners and customers with its market-leading IDaaS solution, securing access everywhere with an Intelligent Access Cloud that constantly learns from and adapts to login context and risk in a way that protects companies.

We’re committed to clearly and consistently communicating this news to our customers, partners, and employees, so there are a lot of communications going out starting today:

For details, please contact your Centrify Account representative.