What's New

What's New in Centrify Server Suite

Server Suite 2016.1

 

Centrify Server Suite Standard Edition

Multi-factor Authentication Enhancements

MFA platform support

As part of Centrify’s commitment to enabling MFA Everywhere – the additional security of multi-factor authentication to protect your critical IT infrastructure, where you need it, when you need it – support for MFA has been added to the platforms in the table below.

Platform added | MFA login (both local and remote) | MFA privilege elevation
AIX            | X                                 | X
HP-UX          | X                                 | X
Solaris        | X                                 | X
Windows        | Coming 2nd half calendar 2016     | X

All Centrify Zone types supported

In addition to hierarchical zones, MFA is now supported for both Classic zones and Auto zones.  Customers using the older zone models can now take advantage of the additional security of multi-factor authentication.  (Agent updates are required.)  Centrify recommends that customers using the older zone models consider upgrading to hierarchical zones.  Hierarchical zones enable:

  • Superior role-based access controls, with delegation
  • True inheritance of identity attributes, access privileges, rights, and role assignments
  • Privilege elevation and the security of least privilege management

RSA SecurID and OATH supported

Customers with deployments of RSA SecurID one-time tokens can now use those tokens with Server Suite’s multi-factor authentication for both login and privilege elevation, the latter with sudo and dzdo.  You can also use other third-party OTP tokens you may have already deployed.  Server Suite’s new OATH support enables MFA using USB tokens like YubiKey, or soft tokens like Google Authenticator, FreeOTP, or Duo.

MFA audit trail events

A new category “MFA” is added to the “Centrify Server Suite” audit trail events, enabling MFA events to be captured by DirectAudit or exported via syslog or the Windows Event Log to external applications such as security information and event management (SIEM) systems.  In this release, two new Centrify event IDs are assigned:

  • 54100: MFA Challenge Succeeded
  • 54101: MFA Challenge Failed. The reason field indicates the failure reason.
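The two event IDs above are what a SIEM rule keys on once the audit trail is exported over syslog. As an added example (not Centrify's code), the script below parses constructed audit-trail lines for events 54100 and 54101, counts failures per user with their reason field, and flags users whose success came only after a run of failures. The pipe-separated header and key=value field layout of the lines is an assumption about the export format; adjust the regular expressions to match your own logs.

```python
"""Added example: triage Centrify MFA audit-trail events (54100/54101) from a
syslog export. Not Centrify code; the line layout below is an assumption."""
import re
from collections import Counter, defaultdict

MFA_SUCCESS = 54100  # MFA Challenge Succeeded (event ID from the release notes)
MFA_FAILED = 54101   # MFA Challenge Failed; the reason field gives the cause

# Constructed sample lines, not captured logs. The pipe-separated header
# followed by key=value fields is an assumed layout of the syslog export.
SAMPLE_SYSLOG = """\
May  5 10:32:11 db01 adclient[1234]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|24100|PAM authentication granted|5|user=alice pid=2210 utc=1462444331 status=SUCCESS service=sshd
May  5 10:32:12 db01 adclient[1234]: INFO  AUDIT_TRAIL|Centrify Suite|MFA|1.0|54100|MFA Challenge Succeeded|5|user=alice pid=2210 utc=1462444332 status=SUCCESS service=sshd
May  5 10:40:03 db01 adclient[1234]: INFO  AUDIT_TRAIL|Centrify Suite|MFA|1.0|54101|MFA Challenge Failed|3|user=bob pid=2290 utc=1462444803 status=FAILED service=sshd reason=Invalid one-time passcode
May  5 10:40:31 db01 adclient[1234]: INFO  AUDIT_TRAIL|Centrify Suite|MFA|1.0|54101|MFA Challenge Failed|3|user=bob pid=2290 utc=1462444831 status=FAILED service=sshd reason=Invalid one-time passcode
May  5 10:41:02 db01 adclient[1234]: INFO  AUDIT_TRAIL|Centrify Suite|MFA|1.0|54101|MFA Challenge Failed|3|user=bob pid=2290 utc=1462444862 status=FAILED service=sshd reason=Challenge timed out
May  5 10:42:15 db01 adclient[1234]: INFO  AUDIT_TRAIL|Centrify Suite|MFA|1.0|54100|MFA Challenge Succeeded|5|user=bob pid=2290 utc=1462444935 status=SUCCESS service=sshd
May  5 10:45:00 db01 adclient[1234]: INFO  AUDIT_TRAIL|Centrify Suite|MFA|1.0|54101|MFA Challenge Failed|3|user=carol pid=2311 utc=1462445100 status=FAILED service=dzdo reason=User declined push
"""

# Assumed header: AUDIT_TRAIL|product|category|version|event id|event name|severity|fields
HEADER_RE = re.compile(
    r"AUDIT_TRAIL\|(?P<product>[^|]*)\|(?P<category>[^|]*)\|(?P<version>[^|]*)"
    r"\|(?P<event_id>\d+)\|(?P<event_name>[^|]*)\|(?P<severity>[^|]*)\|(?P<fields>.*)$"
)
# key=value pairs; a value runs until the next " key=", so reasons may contain spaces
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_events(text):
    """Return one dict per AUDIT_TRAIL line; lines without the marker are skipped."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["event_id"] = int(ev["event_id"])
        ev.update(FIELD_RE.findall(ev.pop("fields")))
        events.append(ev)
    return events


def mfa_failures_by_user(events):
    """Map user -> (failure count, sorted distinct reasons) for event 54101."""
    counts = Counter()
    reasons = defaultdict(set)
    for ev in events:
        if ev["category"] == "MFA" and ev["event_id"] == MFA_FAILED:
            user = ev.get("user", "?")
            counts[user] += 1
            reasons[user].add(ev.get("reason", "unspecified"))
    return {u: (counts[u], sorted(reasons[u])) for u in counts}


def users_succeeding_after_failures(events, threshold=3):
    """Users whose 54100 success followed `threshold` or more consecutive 54101
    failures. A pattern worth a review alert in the SIEM: several rejected
    codes or declined pushes and then an accepted challenge."""
    streak = Counter()
    flagged = []
    for ev in events:
        if ev["category"] != "MFA":
            continue
        user = ev.get("user", "?")
        if ev["event_id"] == MFA_FAILED:
            streak[user] += 1
        elif ev["event_id"] == MFA_SUCCESS:
            if streak[user] >= threshold and user not in flagged:
                flagged.append(user)
            streak[user] = 0
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_SYSLOG)
    for user, (n, why) in mfa_failures_by_user(evs).items():
        print(f"{user}: {n} MFA failure(s): {', '.join(why)}")
    print("review:", users_succeeding_after_failures(evs))
```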

Additional Enhancements to Standard Edition

  • OpenSSL is upgraded to 1.0.2g and the fix of CVE-2016-2107 is also incorporated in this release.
  • TLS 1.2 is now supported in ldapproxy and can be enforced with the TLSProtocolMin option.
  • The fix of CVE-2016-0755 is incorporated in Centrify libcurl, which is based on 7.44.0 stock libcurl.
  • Authenticating cross-forest users using an alternative UPN suffix is now supported.
  • Microsoft’s “Define host name-to-Kerberos realm mappings” group policy is now supported. The DirectControl agent will read the mapping and update the krb5.conf file.
  • This release adds a watchdog process (niswatch) to monitor and automatically restart adnisd, if necessary.
  • A Server Suite Standard Edition license is now required to run both adnisd and ldapproxy.
  • Starting from this release, Centrify supports the Standard Edition (DirectControl) agent on the latest Amazon Linux AMI release.  However, the agent must be installed manually; Deployment Manager does not support installing or upgrading the agent in the Amazon Cloud environment.
  • A new attribute in the hierarchical zone Unix Command Right allows dzdo/dzsh to check all command arguments and prevent navigation up a path hierarchy. Please refer to the 'Prevent navigation up a path hierarchy' checkbox in Access Manager.
  • Sudo issues as reported in CVE-2016-5602 are fixed in dzedit. See the new dzdo.edit.checkdir and dzdo.edit.follow configuration parameters.

Hadoop Support Enhancements

The sample script kerberos_security_setup.pl now supports the new Ambari v2.1.2 CSV file format in addition to the original Ambari v1.6.1 format.

You can now configure the sample script kerberos_security_setup.pl to remove HTTP, NFS, CIFS and FTP SPNs in computer objects.  Four new configuration parameters are introduced in hadoop.conf to support this feature:

  • hadoop.adclient.krb5.service.principal.http.remove (default is true)
  • hadoop.adclient.krb5.service.principal.nfs.remove (default is false)
  • hadoop.adclient.krb5.service.principal.cifs.remove (default is false)
  • hadoop.adclient.krb5.service.principal.ftp.remove (default is false)

A new command option, --remove-spn, is also added. It will read the configuration file to remove the configured SPNs. By default only the HTTP SPN will be removed.

Smart Card and Certificate Management

Certificate management and auto-enrollment now supports Elliptic Curve algorithms. When either the ECDH_P256, ECDH_P384 or ECDH_P521 algorithm is selected in a version 3 Certificate template, the corresponding EC algorithm will be used to generate the key pair for the certificate.  Note that only SHA1 can be used as the signature algorithm when using EC algorithms.

Scripts and Command Line Utilities

The adcert -r --ntlm option is removed in this release.

If DirectAudit is installed on the current system, the adinfo -t --support option will also invoke “dainfo -t” and include its output in the final zip files.

A new command, adobjectrefresh, is added to update the cache for a specific user or group object instead of the entire zone. Please use the help option for information on its usage and available options.

Changes to Configuration Settings

The centrifydc.conf file has been enhanced with new and updated parameters.

New parameters

adclient.legacyzone.mfa.background.fetch.interval: This parameter specifies, in minutes, how often the DirectControl agent updates its cache with Active Directory groups whose members require multi-factor authentication in classic zones or Auto zones.  The default is 30 minutes.

adclient.legacyzone.mfa.cloudurl: This parameter specifies the URL of the cloud instance that the DirectControl agent will access in order to implement multi-factor authentication for users in classic zones and Auto Zones.

adclient.legacyzone.mfa.enabled: This parameter specifies whether MFA is enabled for a classic zone or an Auto zone. The default is false.

adclient.legacyzone.mfa.required.groups: This parameter specifies a list of Active Directory groups in a classic zone or an Auto zone whose members are required to use multi-factor authentication when logging on or using privileged commands. The default is none.

adclient.legacyzone.mfa.required.users: This parameter specifies a list of Active Directory users in a classic zone or an Auto Zone that are required to use multi-factor authentication when logging on or using privileged commands. The default is none.

adclient.legacyzone.mfa.rescue.users: This parameter specifies a list of Active Directory users who can log on to computers in a classic zone or an Auto zone when multi-factor authentication is required but the DirectControl agent cannot connect to the Centrify cloud service.

dzdo.edit.checkdir: This parameter is used to prevent dzedit from editing files located in a directory that is writable by the invoking user unless it is run by root. The default is true.

dzdo.edit.follow: This parameter is used to prevent dzedit from following symbolic links to edit files. The default is false.

dzdo.legacyzone.mfa.enabled: This parameter specifies if multi-factor authentication is required for users to run the dzdo command in a classic zone.  The default is false.

krb5.cache.clean.force.max: This parameter specifies the maximum lifetime of TGT (in days) before the DirectControl agent removes the Kerberos credential cache.  The default is 0, which means never.

Updated parameters

adclient.cloud.auth.conn.max: This parameter is renamed from adclient.cloud.auth.token.max.  Its default value and group policy are not changed.

adclient.local.account.manage: This configuration parameter specifies whether the DirectControl agent manages local user and local group accounts. The default was true in previous releases; starting with this release, the default is false.  However, if you enabled this parameter in a previous release, the setting is preserved.

In this release, there is stricter enforcement of syntax in centrifydc.conf and centrifyda.conf.
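As an added example (not from the release notes or Centrify's documentation), the fragment below shows how the new legacy-zone MFA and dzedit parameters fit together in centrifydc.conf for a computer in a classic zone. The group names, user names and cloud URL are placeholders, and the key: value syntax with comma-separated lists is assumed from the existing file format.

```conf
# Added example for centrifydc.conf, not shipped by Centrify. Names and the
# URL are placeholders; "key: value" lines and comma-separated lists are
# assumed to match the existing file syntax.

# Turn on MFA for this classic/Auto zone computer and point the agent at the
# cloud instance that issues the challenges (placeholder URL).
adclient.legacyzone.mfa.enabled: true
adclient.legacyzone.mfa.cloudurl: https://cloud-tenant.example.com/

# Require MFA for members of these AD groups and for these named users.
adclient.legacyzone.mfa.required.groups: linux-admins,dba-oncall
adclient.legacyzone.mfa.required.users: jdoe

# Refresh the cached membership of the required groups every 15 minutes
# (default is 30) so that additions and removals take effect sooner.
adclient.legacyzone.mfa.background.fetch.interval: 15

# Break-glass accounts that may still log on when the cloud service is
# unreachable. Keep this list short and alert on any use of these accounts.
adclient.legacyzone.mfa.rescue.users: breakglass1

# Also require MFA for privilege elevation through dzdo in the classic zone.
dzdo.legacyzone.mfa.enabled: true

# dzedit hardening for the CVE-2016-5602 class of issues. Both values are the
# defaults; they are written out here so a later edit cannot silently relax them.
# checkdir: refuse to edit files in directories writable by the invoking user.
# follow:   never follow a symbolic link to the file being edited.
dzdo.edit.checkdir: true
dzdo.edit.follow: false

# Remove the Kerberos credential cache once the TGT is older than 7 days
# (default 0 means never).
krb5.cache.clean.force.max: 7
```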

DirectManage Access Manager Changes and Enhancements

License summary is no longer displayed in the Manage Licenses dialog.

Access Manager now supports requiring Multi-Factor Authentication (MFA) during re-authentication for Desktops, Applications and Network Access Windows rights.

Starting from this release, you can select an RFC 2307-compatible zone to store UNIX properties using the Active Directory RFC 2307-compatible schema.

The 'Prevent navigation up a path hierarchy' checkbox is added to the 'Attributes' tab of the Command Right property page to specify whether path traversal should be disabled in command right.  The default is to allow such navigation.

Password Synchronization now supports MD5 hashes. A hash starting with "$1$" is generated using the crypt(3)-MD5 algorithm. MD5 hashing can be controlled using the registry setting:

HKLM\Software\Centrify\MD5Encryption (type: REG_DWORD)

If this registry key does not exist or its value is '0', then MD5 hashing is disabled.

Access Module for PowerShell Enhancements

The RequireMfa parameter is added to the following cmdlets.  If the parameter is true, then MFA is required.  By default, MFA is not required.

  • New-CdmZone
  • Set-CdmZone
  • New-CdmCommandRight
  • Set-CdmCommandRight
  • New-CdmDesktopRight
  • Set-CdmDesktopRight
  • New-CdmApplicationRight
  • Set-CdmApplicationRight
  • New-CdmNetworkAccessRight
  • Set-CdmNetworkAccessRight

The BlockGroupInheritance parameter is added to the New-CdmZone and Set-CdmZone cmdlets.  If the parameter is true, then the Active Directory groups in the parent zones that are not used by the joined machines in the child zone are not visible at that child zone.  If the parameter is false, then all groups are visible.  The default is false.

The Force option is added to the New-CdmUserProfile and Set-CdmUserProfile cmdlets.  If the option is true, then the creation or modification of a user profile is allowed even if its UNIX name is the same as the samAccountName of another AD user in the zone's domain.  By default this is not allowed.

The DisablePathTraverse parameter is added to the New-CdmCommandRight and Set-CdmCommandRight cmdlets to specify whether path traversal is disabled in command right.  The default is false.  Also, the IsDisablePathTraverse property is added to the CdmCommandRight object. (Ref: CS-39391)

Centrify Report Services Enhancements

You can now specify the name of the report database in the Configuration Wizard.

Starting from Suite 2016.1, the following reports support local accounts:

  • Authorization report
  • PCI - Login Summary report
  • PCI - Rights Summary report
  • SOX - Login Summary report
  • SOX - Rights Summary report
  • Hierarchical Zone - Users report
  • Users report
  • Groups report

In Suite 2016.1, the following new views are added:

  • ComputerRoleEffectiveMembers
  • EffectiveAuthorizedLocalUserPrivileges_Computer
  • EffectiveAuthorizedUserPrivileges_Computer
  • EffectiveAuthorizedUsers_Computer
  • EffectiveAuthorizedUsers_Computer_Classic
  • EffectiveAuthorizedUsers_Computer_Hierarchical
  • EffectiveAuthorizedZoneLocalUsers
  • EffectiveAuthorizedZoneUsers
  • EffectiveRoleAssignment
  • EffectiveRoleAssignment_Classic
  • EffectiveRoleAssignment_Hierarchical
  • EffectiveSysRights
  • EffectiveZoneLocalGroupMembers
  • EffectiveZoneLocalGroups
  • EffectiveZoneLocalUsers
  • RoleRights
  • ZoneLocalGroupMembers
  • ZoneLocalGroups
  • ZoneLocalUsers

New columns are added to the view ZoneComputers.

Note: The output of the EffectiveAuthorizedUserPrivileges_Computer view is the same as that of the current EffectiveLoginUserPrivileges_Computer report view.

Centrify Report Services utilizes the Reporting Services component, which is a part of Microsoft SQL Server. Below are all the currently supported SQL Server versions and platforms:

  • SQL Server 2008 R2 Express with Advanced Services (Service Pack 2 or higher recommended)
  • SQL Server 2008 R2 Standard or Enterprise or Datacenter (Service Pack 2 or higher recommended)
  • SQL Server 2012 Express with Advanced Services
  • SQL Server 2012 Standard or Enterprise
  • SQL Server 2014 Express with Advanced Services
  • SQL Server 2014 Standard or Enterprise

Note: Microsoft SQL Server 2008 R2 is not compatible with Windows 10.

Note: 32-bit editions of Microsoft SQL Server are not supported.

Deployment Report Enhancements

Under the Deployment Summary, the count of Mac agents for each zone type is now displayed separately from *NIX agents.

The Deployment Report Wizard for Centrify Server Suite Enterprise Edition now supports report preview that was available previously only for Standard Edition.

If a user fails to send the generated report to the Centrify Support Portal, the report is automatically saved and a warning message is displayed.

When invoking the Deployment Report utility, there is a new switch, ‘/plaindata’, which allows the user to specify that host, zone and installation names need not be obfuscated in generated report.

Group Policy Enhancements

The “Notification Command Line” computer configuration group policy under “Centrify Settings > DirectControl Settings > Local Account Management” is added to invoke a user-provided post-processing program.

Four computer configuration group policies under “Centrify Settings > DirectControl Settings > Addns Settings” are added to manage addns configuration:

  • Enable addns invoked by adclient
  • Set command line options used by adclient
  • Set DNS records update interval
  • Set wait response interval for update requests

For details of each group policy, refer to its explanation text.

Adedit Enhancements

The “delegate_zone_right” command adds a list of new rights to delegate:

  • add_user_group_to_computer_zone
  • delete_user_group_from_computer_zone
  • modify_user_group_in_computer_zone
  • add_computer_zone
  • add_computer_role
  • delete_computer_zone
  • delete_computer_role
  • delegate_permission_for_computer_zone
  • add_nismap

Additionally, the 'manage_role_assignments' right now supports managing role assignments from zone, computer zone and computer role.

The “get_zone_field” and “set_zone_field” commands support the hierarchical zone field 'block.parent.zgroup'.  If the value is set to true, then it displays only the UNIX groups that are used in the joined servers in the zone.  If the value is set to false, then it displays all the UNIX groups.

The get_role_assignment_field and set_role_assignment_field commands support the description field.

Centrify OpenSSH Changes and Enhancements

Centrify OpenSSH 5.3.1 is upgraded based on OpenSSH 7.2p2. (Ref: CS-39757)

Note: The symbolic link file of slogin is removed in the stock OpenSSH.  It is retained in the Centrify OpenSSH.

Note: The support of SSH protocol version 1 is removed in the stock OpenSSH.  It is still supported by the Centrify OpenSSH.

Centrify OpenSSH 5.3.1 is not compatible with previous Centrify DirectControl releases due to the major upgrade of OpenSSL in this release.

A new keyword, SSOMFA, is added to Centrify sshd_config to require multi-factor authentication (MFA) for secure shell connections even for single sign-on access to remote computers.  This keyword works only when USEPAM is enabled. This option can also be enabled by the group policy “Enable SSO MFA” under “SSH Settings”. The default is ‘no’ (disabled).

Please note that MFA is not supported for authentication using a public key.

Centrify PuTTY 5.1.8 Enhancement

Centrify PuTTY is currently integrated with open source PuTTY version 0.64.

This release enhances Centrify PuTTY to support the SSOMFA (Single Sign-On Multi-Factor Authentication) feature in Centrify OpenSSH Server.

Windows Agent Enhancements

With this release, the Centrify Windows Agent now supports multi-factor authentication for privilege elevation. With this new feature, you can use the Centrify Identity Service to configure Windows roles and rights to require a second form of authentication challenge, such as answering a security question, or responding to a phone call or email, in addition to requiring a user name and password.

Windows Application rights and Network Access rights are now fully supported in Windows 10 and Windows Server 2016. The Desktop right is not supported in this release for these platforms.

New Audit Trail events are added for MFA re-authentication operations. If the role is configured to require MFA re-authentication, it will generate Audit Trail events for MFA challenge success or failure operations. Event details are as follows:

  • New Windows event IDs assigned to the category "Centrify Suite\MFA" for audit trail events.
    • 200: MFA Challenge Succeeded
    • 201: MFA Challenge Failed

Deployment Manager 5.3.1 Change

The Centrify product catalog is separated from the Deployment Manager setup package. The product catalog will only be imported into the repository when Deployment Manager is installed from Centrify Server Suite ISO.

Centrify Server Suite Enterprise Edition

General Changes and Enhancements

Starting in Suite 2016.1, the SQL Server 2008 R2 SP2 Express Edition that is installed by DirectManage Audit Easy Installer will have CENTRIFYSUITE as the default instance name, and the installer will enable the SQL Server Reporting Services (SSRS) feature for this instance and configure it in Native mode in order for the same instance to be used to host the Centrify Report Services database in an evaluation environment. Previously, the default instance name was DIRECTAUDIT and the installer did not enable the SQL Server Reporting Services feature for that instance.

Centrify DirectManage Audit now supports hosting the Management database and/or Audit Store databases in a SQL Server Availability Group. To benefit from all the features provided by a SQL Server Availability Group (such as multi-subnet failover), Centrify recommends upgrading all DirectManage Audit components, including Collectors, the Audit Management Server service, the Audit Manager console and the Audit Analyzer console, to the latest version. Note that there is no requirement to upgrade all the agents before using this new feature.

Audit Analyzer and Session Player Enhancement

Audit Analyzer in DirectManage Audit now allows exporting multiple sessions to a single text file. When a user chooses the single-file export option, the user name and machine name are prefixed to each line of the exported file for easier parsing. In addition, a blank line is added as a delimiter to separate data from different sessions.

Centrify UNIX Agent (DirectAudit) Enhancements

The parameter "dad.data.dir" defines the data directory path for DirectAudit.  It is deprecated in Suite 2016.1. Customers who need to store DirectAudit data and spool files in a different location must follow the approaches described in KB-6548. Also, when an alternate directory location is used, only the symbolic link to the data directory is removed when DirectAudit is uninstalled; the actual data directory remains on the system.  Because this parameter is deprecated, the DirectAudit upgrade process aborts with an error message if it detects that the parameter is specified.  Please contact Centrify Technical Support in this case.

A parameter, "dash.cmd.audit.blacklist", is added to allow a user to exclude commands matching a regular expression from auditing. Commands and arguments matching the expression are not captured, but the “Audited command is executed” audit trail event is still sent.

A new script, 'dacheck', is added to let users check for potential problems in their DirectAudit environment.

The parameters "spool.diskspace.min" and "spool.diskspace.softlimit" are enhanced to allow a user to specify the value either as a percentage or as an exact size.

A parameter is added to the Unix agent so that Audit Analyzer can show either the original user who ran the audited command or the current user (the user identity after su/sudo/dzdo). In previous versions of DirectAudit, Audit Analyzer could only show the current user running an audited command, which may not be the real user identity if the user changed identity with su/sudo/dzdo.  In Suite 2016.1, the administrator can configure the Unix agents so that Audit Analyzer shows the identity of the original user.  This is controlled by the parameter dash.cmd.audit.show.actual.user in the Unix agent.  This parameter can also be configured by the group policy “Show actual user running an audited command”.  Customers must upgrade the Unix agents (not Audit Analyzer) for this feature to take effect.

Windows Agent (DirectAudit) Enhancements

The Group Policy "Centrify DirectAudit Settings/Windows Agent Settings/Set update agent status timeout" setting is enhanced to take effect immediately for the Windows agent.

Centrify Audit Module for PowerShell Enhancement

The Get-CdaUserEvent cmdlet is added to the PowerShell module; it retrieves user activity events for reporting purposes. The existing Get-CdaAuditEvent cmdlet can be used to retrieve user privileged activity events for reporting purposes.

Security Update

DirectControl 5.3.1 contains the fix for the following DirectAudit issue: When a system is under high CPU utilization, communication between the Centrify DirectControl and Centrify DirectAudit agents may time out while the communication channel remains open. This results in the DirectAudit agent processing an incorrect response to its request. Note that this occurs only in the DirectAudit *NIX agent when the DirectAudit shell auditing functionality is enabled. The fix in this version of DirectControl and DirectAudit closes the communication channel between the two agents during timeouts and error situations.

This fix has already been retrofitted to Server Suite 2016 and Server Suite 2015.1 as of March 2016.  This issue does not happen in Server Suite 2015 and prior releases.

Supported Platforms

Support is added for the following operating system platforms in this release:

  • AIX 7.2
  • Latest version of Amazon Linux AMI (x86, x86_64)
  • CentOS 7.2 (x86_64)
  • Debian Linux 7.10, 8.3, 8.4 (x86, x86_64)
  • Oracle Enterprise Linux 7.2 (x86_64)
  • Scientific Linux 7.2 (x86_64)
  • openSUSE 42.1 (x86_64)
  • SUSE 12 SP1 (x86_64)
  • Ubuntu 16.04 LTS (x86, x86_64)

To see all platforms in the Centrify Server Suites within the extended support period, select “SEE ALL PLATFORM VERSIONS” in www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page.

Termination of Support

Support is removed for the following operating system platforms in this release:

  • Debian Linux 6
  • Fedora 20
  • HP-UX 11.11, 11.23
  • Oracle Solaris 9
  • Ubuntu 14.10

This is the last release of Centrify Server Suite in which the following operating system platforms will be supported:

  • Fedora 21
  • openSUSE 13.1
  • SUSE Linux Enterprise 10
  • Ubuntu 15.04, 15.10

The next release will be the last release of Centrify Server Suite in which the following operating system platforms will be supported:

  • Citrix XenServer 6.0, 6.1
  • IBM Virtual I/O Server 1.x
  • Linux Mint Debian Edition 201303, 201403

Supported Platform Matrix (Mac/UNIX/Linux) – Suite 2016.1

Agent                                             | CPU          | Express | DirectControl | DirectAudit
Mac 10.9, 10.10, 10.11 (no Centrify OpenSSH)      | x86_64       | Yes     | Yes           | No
HP-UX 11.31 (Trusted and Untrusted)               | Itanium      | No      | Yes           | Yes
HP-UX 11.31 (Trusted and Untrusted)               | PA-RISC      | No      | Yes           | Yes
IBM AIX 6.1                                       | ppc          | No      | Yes           | Yes
IBM AIX 7.1                                       | ppc          | Yes     | Yes           | Yes
IBM AIX 7.2                                       | ppc          | Yes     | Yes           | Yes
IBM Virtual I/O Server 1.x, 2.x (AIX LVM only)    | ppc          | No      | Yes           | Yes
CentOS 5.0-5.11, 6.0-6.11                         | x86, x86_64  | Yes     | Yes           | Yes
CentOS 7.0-7.2                                    | x86_64       | Yes     | Yes           | Yes
Citrix 6.0, 6.1, 6.2                              | x86          | Yes     | Yes           | Yes
Citrix 6.5                                        | x86_64       | Yes     | Yes           | No
Debian 7.0-7.10, 8.0-8.4                          | x86, x86_64  | Yes     | Yes           | Yes
Linux Mint LTS, 13, 17, 17.1-17.2                 | x86_64       | Yes     | Yes           | Yes
SUSE Enterprise Linux 10-10SP4, 11-11SP4          | x86, x86_64  | Yes     | Yes           | Yes
SUSE Enterprise Linux 10-10SP4, 11-11SP4          | ppc          | Yes     | Yes           | Yes
SUSE Enterprise Linux 10-10SP4, 11-11SP4          | Itanium      | Yes     | Yes           | No
SUSE Enterprise Linux 12-12SP1                    | x86_64       | Yes     | Yes           | Yes
openSUSE 13.1-13.2                                | x86, x86_64  | Yes     | Yes           | Yes
openSUSE 42.1                                     | x86_64       | Yes     | Yes           | Yes
Amazon Linux AMI                                  | x86, x86_64  | Yes     | Yes           | No
Oracle Enterprise Linux 5.0-5.11, 6.0-6.7         | x86, x86_64  | Yes     | Yes           | Yes
Oracle Enterprise Linux 7.0-7.2                   | x86_64       | Yes     | Yes           | Yes
Oracle Solaris 10, 11 Express, 11.0-11.3          | SPARC        | Yes     | Yes           | Yes
Oracle Solaris 10, 11 Express, 11.0-11.3          | x86, x86_64  | Yes     | Yes           | Yes
Red Hat Enterprise Linux 4.x, 5.0-5.11, 6.0-6.7   | x86, x86_64  | Yes     | Yes           | Yes
Red Hat Enterprise Linux 7.0-7.2                  | x86_64       | Yes     | Yes           | Yes
Red Hat Enterprise Linux 4.x, 5.0-5.11, 6.0-6.7   | ppc          | Yes     | Yes           | Yes
Red Hat Enterprise Linux 7.0-7.2                  | ppc (1)      | Yes     | Yes           | Yes
Red Hat Enterprise Linux 4.x, 5.0-5.11, 6.0-6.7   | Itanium      | Yes     | Yes           | No
Red Hat Fedora Linux 21, 22, 23                   | x86, x86_64  | Yes     | Yes           | Yes
Scientific Linux 5.0-5.11, 6.0-6.7                | x86, x86_64  | Yes     | Yes           | Yes
Scientific Linux 7.0-7.2                          | x86_64       | Yes     | Yes           | Yes
Ubuntu Linux LTS 12.04, 14.04, 16.04              | x86, x86_64  | Yes     | Yes           | Yes
Ubuntu Linux 15.04, 15.10                         | x86, x86_64  | Yes     | Yes           | Yes

(1) No Power8 support.

Supported Platform Matrix (Windows)

64-bit Windows (32-bit Windows is not supported) | DirectManage Access | DirectManage Audit | Windows Agent | Deployment Report | Deployment Manager | Centrify PuTTY
Windows 7                                        | Yes                 | (1)                | (1)           | Yes               | Yes                | Yes
Windows 8                                        | No                  | Yes                | Yes           | Yes               | Yes                | Yes
Windows 8.1                                      | Yes                 | Yes                | (2)           | Yes               | Yes                | Yes
Windows 10                                       | Yes                 | Yes                | (3)           | Yes               | Yes                | Yes
Windows Server 2008 R2                           | Yes                 | (1)                | (1)           | Yes               | Yes                | Yes
Windows Server 2012                              | Yes                 | Yes                | Yes           | Yes               | Yes                | Yes
Windows Server 2012 R2                           | Yes                 | Yes                | (2)           | Yes               | Yes                | Yes
Windows Server 2012 Core, 2012 MSI               | No                  | No                 | Yes           | No                | No                 | No
Windows Server 2012 R2 Core, 2012 R2 MSI         | No                  | No                 | Yes           | No                | No                 | No

(1) Supported, but requires SP1 or above.

(2) Supported except when running in LSA protected mode.

(3) Windows Application rights and Network Access rights are supported, but not the Desktop right.


Server Suite 2016

Centrify Server Suite Standard Edition

Multi-factor Authentication

Server Suite now integrates directly with the multi-factor authentication (MFA) features of the Centrify Identity Platform.  Server Suite administrators can now require users to respond to MFA challenges when logging into a server, or when elevating privilege.  

MFA provides IT and security teams with an additional layer of assurance that:

  • Only authorized users are accessing critical systems
  • Non-human access by malware is prohibited
  • Password theft alone cannot provide access

MFA validates user access through a variety of methods selected by the Identity Platform administrator.  Supported methods include:

  • Centrify Mobile Authenticator on iOS and Android
  • One-Time Password (E-mail or SMS)
  • Phone call response
  • Answering a user-configured security question

This feature requires the use of hierarchical Centrify Zones™ in Server Suite, and user accounts in Centrify Privilege Service™ or Centrify Identity Service™.  MFA supports Active Directory users; local users are not supported.  Feature support is limited to Linux servers only in this release.  UNIX and Windows Server will be supported in a future release.

Zone-based Application Identity Management (local account provisioning)

Server Suite now provides centralized management of local users and groups on Linux and UNIX systems. Local users and groups can now be defined and managed from within Access Manager, enabling IT to centrally manage the creation, identity profile, and termination of these accounts from within the Centrify Zone hierarchy.

This feature provides IT and security teams with a simple, secure, and efficient way to manage local accounts that are typically used (for example) to launch applications and services on critical systems.


Local users and groups management is supported for:

  • The Global Zone
  • Child Zones
  • Computer Zones
  • Computer Roles

An example use case might be to define an Oracle® account for all computers that are members of a “Database Servers” Computer Role.  The Centrify agent will manage these accounts and groups locally on the target systems within the /etc/passwd and /etc/group files.  The Oracle account and identity profile will automatically be created, modified, or deleted on the target system based on a system’s membership within the role.

Newly created or deleted local accounts and groups will automatically trigger the execution of a user-defined script.  By default, Server Suite includes a script that natively integrates management of these accounts with Centrify Privilege Service; however, customers can use their own script to work with virtually any password management solution, or integrate with other applications and services.

Reporting Services

Reporting Services is a new feature set that provides enhanced reporting for Server Suite authorization and authentication data through Microsoft® SQL Server™ Reporting Services, a standard feature of all versions of SQL Server.  Centrify Zone data within Active Directory is cached in a new SQL Server database to provide excellent report generation performance even for very large Server Suite deployments.

Additional features and benefits for reporting in this release are:

  • New attestation reports to address regulatory compliance
  • Simplified report customization with Microsoft SQL Reporting Services (SSRS) visual design tools
  • Database views are exported and documented to enable access by external business intelligence tools.
  • Reports can be published, subscribed to, and automatically sent via e-mail on a user-defined schedule

Other New Features

  • The “Delegate Zone Control…” feature in Access Manager can apply to multiple Zones at once.
  • The Generate Centrify Recommended Deployment Structure Wizard is merged with the Setup Wizard.  On first run, the customer will be able to create a Centrify deployment structure before running the setup wizard.
  • Both RFC 2307 and Microsoft Windows Services for UNIX (SFU) schemas are now supported.
  • A new system right sets the visibility of a user’s effective rights within a Zone, by role membership.
  • Adinfo is enhanced to provide information for the new MFA feature.
  • A new admanagelocal command manages local user and group accounts.
  • Adkeytab is enhanced to report the last password change attempt, time, and result.
  • Adflush is enhanced to flush information about the Centrify Identity Platform cloud connector(s) in the local Centrify agent.
  • OpenSSL is upgraded to 0.9.8zg in this release.
  • cURL is upgraded to 7.44.0 in this release.
  • Access Module for PowerShell is now built on the .NET Framework 4.5, and requires a minimum of PowerShell 4.0.
  • New cmdlets enable getting and setting information for the Zone Provisioning Agent (ZPA).
  • The Get-CdmManagedComputer cmdlet is enhanced to show preferred and subnet sites.
  • The Zone Provisioning Agent now has an option to look up managed service accounts and group managed service accounts for use as the provisioning service account.
  • Starting from this release, group policies in ADMX (Administrative Template File XML based) format are shipped and ADM (Administrative Template File) format will not be provided.
  • On Centrify-managed RHEL systems, the CA root certificate can now be appended to the system default store, i.e. /etc/pki/tls/certs/ca-bundle.crt.
  • The Deployment Report feature now includes support for Server Suite Enterprise with license and usage information from DirectAudit in Suite 2016 or later, and provides new summarized usage count information grouped by Server/Workstation license type in the Deployment Summary section of the report.
  • The Centrify LDAP Proxy can now return the extended distinguished name of an object using ldapsearch.

New and updated parameters for centrifydc.conf to set or control include:

  • The maximum number of simultaneous cloud authentication sessions
  • How many times to attempt computer password change verification in the background
  • The delay (in seconds) between computer password change verification attempts
  • Whether to force the principal name in Kerberos tickets to lowercase
  • Whether Centrify DirectControl should manage local user and local group accounts in the machine
  • Invocation of a CLI in a separate process, passing it a comma-separated list of UNIX names for further processing
  • Whether to merge local group membership from /etc/group into the Centrify group response for groups with the same name and GID
  • Whether to turn the MFA feature on or off on the server
  • How often /etc/group and /etc/passwd are updated on an individual computer, based on the local group and local user settings configured in Access Manager
  • Whether to send network queries to outbound trust domains unless they contain zoned (foreign) users
  • The interval, in hours, of the background task that refreshes cloud connectors
  • Whether to copy the symlinks in /etc/skel when a home directory is created for an Active Directory user
  • The list of applications that do not support MFA
  • The list of programs for which Centrify PAM always creates a new krb5ccache and updates KRB5CCNAME in the PAM session
  • Whether adclient negotiates using LDAP signing only (integrity only)
  • Additional directives for the adclient.krb5.conf.file.custom configuration parameter

Adedit has been enhanced:

  • Supports local users and groups
  • Indicates whether the visible system right is enabled when a role is created
  • Adds a new "-raw" option to the Tcl ade_lib library to return the parentLink in <GUID>@<DOMAIN> format (hierarchical zones only)
  • Returns the name of the cloud instance associated with the selected hierarchical zone
  • Sets the name of the cloud instance associated with the selected hierarchical zone.
  • Returns the distinguished name of the current msDS-AzScope Active Directory object associated with the computer zone.
  • Returns the computer role description.
  • Sets the Active Directory description attribute for the msds-AzScope object.
  • Lists the NIS maps stored in Centrify zones.

Windows Agent Enhancements

  • Privileged Desktop support on Windows 8/8.1 and Windows Server 2012 R2

A new Centrify Start Menu is installed on the Windows Desktop on Windows 8 and 8.1, and Windows Server 2012 R2.  This menu is similar to the Start Menu on Windows 7, and contains familiar items such as Programs, Run, Search, and Control Panel.  This new feature enables support for privileged Desktops on these versions of Windows.

  • Run as Privilege context menu changes

The context menu (right-click menu) for elevating privilege has been renamed from “Run as Role…” to “Run as Privilege…”, to make it clearer to the end user that this option allows them to perform operations on the selected item with additional access rights and Windows privileges.

The “Run as Privilege…” feature is simplified so that access to privileges takes a single click. When the user has only a single role, the Windows Agent executes the operation without displaying the role selection dialog.

  • New notification dialog for privileged Desktops

A new notification dialog for the System Tray notifies the user when a privileged Desktop is created or switched.  This dialog replaces the watermark in previous versions of the Windows Agent, and is designed with new Windows notification features in mind.

Deprecated Features

  • Support for user accounts with privileged Desktops

Individual user accounts are no longer supported as the “run as” account for new privileged Desktops.  Existing privileged Desktops running as user accounts can still be used to run applications through the “Run with Privilege…” context (right-click) menu.

  • Installed documentation

Documentation is no longer installed on the user’s system.  Links to download the latest Server Suite documentation directly from the Centrify Download Center are included with the installer, which enables the user to always have access to the most up-to-date documentation.

Supported Platforms

Support has been removed for the following operating systems:

  • All 32-bit Windows platforms

Note: Centrify Server Suite Standard Edition for Windows does not currently support Windows 10.  Support for Windows 10 will be added in an upcoming maintenance release.


Supported Platforms

Support has been added for the following operating systems:

  • Mac OS X 10.11 (x86_64)
  • Fedora 23 (x86, x86_64)
  • CentOS 6.7 (x86, x86_64)
  • Oracle Enterprise Linux 6.7 (x86, x86_64)
  • Red Hat Enterprise Linux Desktop 6.7 (x86, x86_64)
  • Red Hat Enterprise Linux Server 6.7 (x86, x86_64)
  • Red Hat Enterprise Linux Server 6.7 (ppc64 – no Power8)
  • Red Hat Enterprise Linux Desktop 7.2 (x86_64)
  • Red Hat Enterprise Linux Server 7.2 (x86_64)
  • Red Hat Enterprise Linux Server 7.0, 7.1, 7.2 (ppc64 – no Power8)
  • Scientific Linux 6.7 (x86, x86_64)
  • Ubuntu Desktop 15.10 (x86, x86_64)
  • Ubuntu Server 15.10 (x86, x86_64)
  • SUSE Linux Enterprise Desktop 11 SP4 (x86, x86_64)
  • SUSE Linux Enterprise Server 11 SP4 (x86, x86_64, ppc64, ia64)
  • Oracle Solaris 11.3 (x86_64, SPARC)

Support is removed for the following operating systems:

  • All 32-bit Windows platforms
  • Mac OS X 10.8
  • Fedora 19 (32-bit and 64-bit)
  • Oracle Enterprise Linux 4.x (32-bit and 64-bit)
  • openSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)
  • Oracle Solaris 8 SPARC

Deprecated Platforms

This is the last release for the support of the following operating systems:

  • Debian Linux 6.x (32-bit and 64-bit)
  • Fedora 20 (32-bit and 64-bit)
  • HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)
  • HP-UX 11.23 Itanium (Normal and Trusted modes)
  • Oracle Solaris 9 (32-bit and 64-bit)
  • Ubuntu Desktop 14.10 (32-bit and 64-bit)
  • Ubuntu Server 14.10 (32-bit and 64-bit)

Support will be discontinued soon (the next release will be the last release with support) for the following operating systems:

  • Fedora 21 (32-bit and 64-bit)
  • Ubuntu Desktop 15.04, 15.10 (32-bit and 64-bit)
  • Ubuntu Server 15.04, 15.10 (32-bit and 64-bit)
  • SUSE Linux Enterprise Desktop 10 (32-bit and 64-bit)
  • SUSE Linux Enterprise Server 10 (32-bit and 64-bit)
  • openSUSE 13.1 (32-bit and 64-bit)


Centrify Server Suite Enterprise Edition

Scalability and Performance Improvements

  • The audit agent can now select a Collector more intelligently.
  • Centrify has also improved the data storage and indexing of the audited data in order to improve the performance of the audit analyzer.

Other improvements

  • Session Review can now be delegated.
  • Audit can be configured to capture user input without output.
  • Group Policy can be used to configure the video capture option on a per-agent basis.
  • Support for Red Hat and SuSE on Power 8.
  • Support for modern UI applications.

Windows Agent Auditing Enhancements

Video capture for modern UI applications in Windows 8/8.1 and Windows Server 2012/2012 R2 is now supported, enabling IT and security administrators to gather a complete visual audit trail of all activity on a user’s desktop regardless of the type of application (desktop or modern).

  • New controls for performance and scalability

Two new Group Policy settings for auditing enable better control of the amount of data captured by the agent and spooled to the offline data file.  The maximum color depth of recorded video is now controllable, as is the maximum size of the offline data file on the host.  These controls provide more granularity for performance and scalability, especially in large deployments.

Supported Platforms

Support has been added for the following operating systems:

  • Windows 10 (x86_64) DirectAudit agent-only
  • Mac OS X 10.11 (x86_64)
  • Fedora 23 (x86, x86_64) (Ref: CS-7117)
  • CentOS 6.7 (x86, x86_64)
  • Oracle Enterprise Linux 6.7 (x86, x86_64)
  • Red Hat Enterprise Linux Desktop 6.7 (x86, x86_64)
  • Red Hat Enterprise Linux Server 6.7 (x86, x86_64)
  • Red Hat Enterprise Linux Server 6.7 (ppc64 – no Power8)
  • Red Hat Enterprise Linux Desktop 7.2 (x86_64)
  • Red Hat Enterprise Linux Server 7.2 (x86_64)
  • Red Hat Enterprise Linux Server 7.2 (ppc64 – no Power8)
  • Scientific Linux 6.7 (x86, x86_64)
  • Ubuntu Desktop 15.10 (x86, x86_64)
  • Ubuntu Server 15.10 (x86, x86_64)
  • SUSE Linux Enterprise Desktop 11 SP4 (x86, x86_64)
  • SUSE Enterprise Linux Desktop 11 SP3 and above for PowerPC Power 8 (Ref: CS-7155)
  • SUSE Linux Enterprise Server 11 SP4 (x86, x86_64, ppc64, ia64)
  • Oracle Solaris 11.3 (x86_64, SPARC)
  • Microsoft SQL Server 2014; supported editions include 64-bit versions of SQL Server 2014 (Standard or Enterprise) and SQL Server 2014 Express with Advanced Services.

DirectAudit supports 64-bit versions of the following editions of SQL Server:

  • SQL Server 2008 Express with Advanced Services
  • SQL Server 2008 Standard or Enterprise
  • SQL Server 2008 R2 Express with Advanced Services (Service Pack 2 or higher recommended)
  • SQL Server 2008 R2 Standard or Enterprise or Datacenter (Service Pack 2 or higher recommended)
  • SQL Server 2012 Express with Advanced Services
  • SQL Server 2012 Standard or Enterprise
  • SQL Server 2014 Express with Advanced Services
  • SQL Server 2014 Standard or Enterprise

Note: SQL Server 2008 and 2008 R2 are not compatible with Windows 10.

Note: DirectAudit does not support 32-bit versions of SQL Server.

Support is removed for the following operating systems:

  • All 32-bit Windows platforms
  • 64-bit Windows 2008 Server
  • Mac OS X 10.8
  • Fedora 19 (32-bit and 64-bit)
  • Oracle Enterprise Linux 4.x (32-bit and 64-bit)
  • openSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)
  • Oracle Solaris 8 SPARC

Deprecated Platforms

This is the last release for the support of the following operating systems:

  • Debian Linux 6.x (32-bit and 64-bit)
  • Fedora 20 (32-bit and 64-bit)
  • HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)
  • HP-UX 11.23 Itanium (Normal and Trusted modes)
  • Oracle Solaris 9 (32-bit and 64-bit)
  • Ubuntu Desktop 14.10 (32-bit and 64-bit)
  • Ubuntu Server 14.10 (32-bit and 64-bit)

Support will be discontinued soon (the next release will be the last release with support) for the following operating systems:

  • Fedora 21 (32-bit and 64-bit)
  • Ubuntu Desktop 15.04, 15.10 (32-bit and 64-bit)
  • Ubuntu Server 15.04, 15.10 (32-bit and 64-bit)