Centrify Server Suite now supports the Flexible Authentication Secure Tunneling (FAST) feature of Windows Server 2012 with the following options: (1) Not supported, (2) Supported and (3) Always provide claims. Other options of FAST are not supported at this time. FAST is also known as ‘Kerberos armoring’.
Centrify Licensing Service
Centrify has enhanced Server Suite license reporting to provide a comprehensive, real-time, and on-demand view into customer license consumption relative to purchased licenses. Centrify Licensing Service is added in this release to provide this information to customers, assisting them in managing their license usage and planning ahead for deployment of additional systems.
Centrify Licensing Service provides a single, central location for Centrify Server Suite license management, and for viewing license usage. This service improves and replaces the previous license management features of the Access Manager and Audit Manager consoles. The license management capability in Access Manager and Audit Manager is deprecated and will be removed in a future release.
Centrify strongly recommends that customers install and configure Centrify Licensing Service to take advantage of the new and enhanced license management capability. The Centrify DirectManage™ tools (Access Manager, ADUC extension and GPOE extension) will remind you upon startup if the new service is not running in the relevant Active Directory forest.
Best practice is to install one instance of the service as the primary, and one additional instance on a separate computer in the same forest for redundancy. There is no need for you to install additional instances of the service beyond the primary and a backup.
New data synchronization option in Centrify Report Services
In Centrify Report Services, customers can now choose to synchronize data from Active Directory based on zones instead of the original domain-based synchronization option. In many cases (especially in large deployments) this enables faster synchronization with the Centrify data stored in Active Directory, and reduces the processing time required by domain controllers to respond to the synchronization queries. This synchronization does not require the “Replicate Directory Changes” permissions in the Active Directory domains.
Feature name changes
The following names are changed in Centrify products. These changes may affect UI, group policies, log messages and documentation in general.
Cloud Connector is now Centrify Connector.
Centrify Cloud, Cloud Service and Cloud Server are now collectively referred to as Centrify Identity Platform.
Cloud Authentication is now Centrify MFA Service authentication.
Feature End of Life notice
With the introduction of the Report Services component in Suite 2016, this is the last supported release for the UNIX/Linux command line report utilities addbloader and adreport.
Upgrading Server Suite components
If you plan to upgrade to Server Suite 2017, you must upgrade all the components relevant to a deployment. A set of major infrastructure improvements to Server Suite now requires product components to run at the same (relative) version level; otherwise, you may experience compatibility issues.
Component compatibility with Server Suite 2017
Please note that the current versions of the following product components are not compatible with Suite 2017.
adbindproxy on AIX and HP-UX
SAP SNC plug-in
Centrify will release new versions of these product components that interoperate with Suite 2017 at a later date.
Centrify Agent™ for Windows 3.4.0
New privilege management features
Two major enhancements in this release enable support for very granular privilege elevation when managing Windows systems (both server and workstation). New DirectAuthorize applications for application management and Windows system management allow Server Suite administrators to grant privileges per-application or per-Windows feature. Administrators can lock down user privileges for:
Changing and/or removing installed applications
Adding or removing Windows Server roles
Adding or removing Windows features
Active Directory one-way trust enhancement
Centrify Agent for Windows now partially supports one-way trust environments for Active Directory in the Centrify DirectAuthorize™ feature set. An Active Directory user from an account forest can log in to a machine in a resource forest and have her privileges elevated to an account or a built-in group from the resource forest.
Rescue group for multi-factor authentication
Multi-factor authentication at Windows logon has been enhanced. A new group policy, Specify a list of rescue users (when the agent is not joined to a zone), enables a group of pre-defined administrative users to log in to a computer in rescue mode or Windows Safe Mode. This allows the computer to be administered in states in which it cannot support multi-factor authentication.
Note: Multi-factor authentication for Windows login (local or remote) was added in an update to Server Suite 2016.1.
For easier deployment in cases where the customer requires only multi-factor authentication services on Windows, Centrify Agent no longer installs the auditing and session monitoring features by default. Silent installation of all Centrify Agent features (including the audit features) is supported by the optional command line installation parameter ADDLOCAL=ALL for the MSI installer package.
Centrify Agent for Linux – Centrify DirectControl™ 5.4.0
Changes in DirectControl packaging
Starting in Suite 2017, the following open source packages are no longer part of the DirectControl installation package and are shipped separately. This change in product packaging enables Centrify to respond faster to critical security patches from the open source community.
Note: These packages are prerequisites to installing the DirectControl package. Please be aware of this, especially if you have your own installation/upgrade automation scripts or if you retrieve Centrify packages from the Yum/APT repository.
Package name change
The RHEL and SUSE RPM package file names are changed:
From centrifydc*-<release#>-<OS>-<ARCH>.rpm to CentrifyDC*-<release#>-<OS>.<ARCH>.rpm
From centrifyda-<release#>-<OS>-<ARCH>.rpm to CentrifyDA-<release#>-<OS>.<ARCH>.rpm
Open Source component upgrade
Centrify Server Suite 2017 includes a major upgrade of the Kerberos library, which is now based on stock MIT Kerberos 5 release 1.14.1 (krb5-1.14.1).
This Kerberos library upgrade includes security fixes for CVE-2015-2695, CVE-2015-2696, CVE-2015-2697.
Two additional capabilities in this upgrade also help to address known single sign-on (SSO) issues (listed below).
You can now configure an alternate location for .k5login in krb5.conf (the k5login_directory setting in the [libdefaults] section), so Kerberos can look for .k5login somewhere other than the user's home directory.
The handling of SSO from SSH is made more secure. The Kerberos code now ensures that the principal name in the Kerberos credential resolves (through the zone mapping) to the target user; otherwise the login attempt fails. This closes the loophole in the default processing, where SSO was allowed if the target user name matched only the first part of the Kerberos principal.
Support for the Kerberos armoring configurations of Windows Server 2012 and later is as follows:
Always provide claims
Note: The Fail unarmored authentication requests configuration is not supported.
This Kerberos library upgrade may cause some minor behavior changes, but in general the SSO behavior remains the same. However, to block SSO for a local user, you now need to set krb5.sso.block.local_user to true and list the local user in user.ignore.
Kerberos 1.14.x supports the ccselect plugin interface, which causes some issues with the KCM credential cache. A new configuration parameter, krb5.conf.plugins.ccselect.disable, and a corresponding group policy let you manage this.
Due to the new Kerberos library, previous releases of Centrify products that use an older Kerberos version (DirectAudit, DirectSecure, DB2 plug-in, adbindproxy support for Samba on AIX and HP-UX, and SAP SNC plug-in) are not compatible with DirectControl v5.4.0 in Suite 2017.
Centrify OpenSSL 5.4.0 is upgraded based on stock OpenSSL 1.0.2j.
This includes security fixes for CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306 and CVE-2016-7052.
The fix for CVE-2016-2178 is also applied to openssl-fips-2.0.11.
Centrify OpenSSH 5.4.0 is upgraded based on stock OpenSSH 7.3p1.
SSHv1 is no longer supported.
The LAM version of Centrify openssh is no longer shipped as all AIX versions already provide PAM authentication. If you are still using the LAM version of Centrify openssh, you should replace it with the corresponding PAM version for supportability.
Centrify libcurl is upgraded based on stock curl 7.51.0.
This includes security fixes for CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625.
Centrify dzdo is upgraded based on stock sudo 1.8.17p1.
Centrify PuTTY is upgraded based on stock PuTTY 0.67.
This new version also fixes the following security issues:
CVE-2015-5309 Potentially memory-corrupting integer-overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator.
CVE-2016-2563 Stack corruption vulnerability in the old-style SCP protocol.
Transaction control in LRPC2 protocol
The LRPC2 protocol has been enhanced for additional transaction control under heavy load. Note: users need to upgrade both DirectControl and DirectAudit to this version to benefit from the added protection.
HTTPS portal requirement for multi-factor authentication
The MFA mechanism (IWA) in the Centrify Admin Portal no longer supports HTTP and requires HTTPS, for security reasons. The diagnostic tool adcdiag will fail the test if HTTPS is not available. Please ensure that the Centrify connectors are configured with HTTPS if you use this feature. Please refer to KB 7393, How to configure the updated 2016.1 DirectControl agent to support MFA over HTTPS to the Cloud Connector, for more information.
Customer-managed, on-premises deployments of Centrify Privilege Service™ can be used to provide MFA services for Server Suite. Please refer to KB 7726 How to configure default IWA root cert for on-premises Centrify Privilege Service for more information.
Performance improvement in the DirectControl agent
Additional attributes "_UnixName", "sAMAccountName", "userPrincipalName", "Guid", and "Unixid", are now stored in memory cache for faster lookup when the configuration parameter "capi.cache.enabled" is set to true.
The support of Alternate UPN suffixes (ALTUPN) is now extended to cover two-way trusted forests.
The support of AIX extended attributes is now enhanced to cover the following:
Extended attributes for local users in Local Account Management.
User extended attributes up to AIX 7.2.
Group extended attributes.
You may find the supported attributes with the commands adquery user -X help user and adquery group -X help group.
Integration with third party password enforcement tool
Four configuration parameters, adclient.random.password.complexity.pattern, adclient.random.password.generate.try, adclient.random.password.length.max and adclient.random.password.length.min, are added for better integration with third-party password enforcement tools.
Scripts and command line utilities
The command adjoin has a new option “-F/--forceDeleteObj” to clean up the existing computer object and extension object in Active Directory before performing the adjoin operation.
centrifydc.conf has been updated with a number of new parameters and enhancements.
adclient.cloud.connector
This parameter specifies a Centrify connector in the current Active Directory forest to provide connectivity between Linux/UNIX servers and the Centrify Identity Platform server for the Centrify MFA authentication service. The host specified in this parameter is also used as the HTTP proxy unless adclient.cloud.iwa.url is specified. If the specified connector is not available, the DirectControl agent tries to find the closest valid connector. Administrators can use either an IP address or an FQDN in this parameter, for example adclient.cloud.connector: 192.168.1.61:8080 or adclient.cloud.connector: connector.mydomain.com:8080. Note that port 8080 is the default port for Centrify connectors. By default, this parameter is empty.
This parameter controls whether weak encryption types should be allowed in the following parameters: adclient.krb5.tkt.encryption.types and adclient.krb5.permitted.encryption.types.
Weak encryption types include des-cbc-crc, des-cbc-md4, des-cbc-md5, des-cbc-raw, des3-cbc-raw, des-hmac-sha1, arcfour-hmac-exp, rc4-hmac-exp and arcfour-hmac-md5-exp. Note that setting this parameter to false may cause authentication failures in an existing Kerberos infrastructure that does not support strong ciphers. The default value is true, which allows weak encryption types.
adclient.random.password.complexity.pattern
This parameter specifies the complexity requirements for the random password as a bitmask: 1=Upper (upper case characters A-Z), 2=Lower (lower case characters a-z), 4=digit (0 to 9), 8=special char (non-alphanumeric characters such as !, $, # and %). The default is 7 (Upper, Lower and digit).
adclient.random.password.generate.try
This parameter specifies the maximum number of attempts to generate a random password for an Active Directory user. The default value is 10.
adclient.random.password.length.max
This parameter specifies the maximum length of the random password. The default value is 21.
adclient.random.password.length.min
This parameter specifies the minimum length of the random password. The default value is 15.
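The following is an added example (not Centrify code) that models the semantics of these four parameters: the complexity pattern as a bitmask (1=Upper, 2=Lower, 4=digit, 8=special), a bounded number of generation attempts, and a length drawn between the minimum and maximum. The character set used for "special", the function names and the retry strategy are this example's own assumptions; Centrify's implementation is not shown here.

```python
"""Random password generation with a complexity bitmask and bounded retries.

Added example, not Centrify code. It models the documented meaning of
adclient.random.password.complexity.pattern (1=Upper, 2=Lower, 4=digit,
8=special), adclient.random.password.generate.try,
adclient.random.password.length.max and adclient.random.password.length.min.
The SPECIAL character set, function names and retry loop are assumptions.
"""
import secrets
import string
from typing import List

UPPER, LOWER, DIGIT, SPECIAL = 1, 2, 4, 8
ALL_BITS = UPPER | LOWER | DIGIT | SPECIAL

# Constructed character classes; the "special" set is an assumption for this example.
CLASSES = {
    UPPER: string.ascii_uppercase,
    LOWER: string.ascii_lowercase,
    DIGIT: string.digits,
    SPECIAL: "!$#%@^&*()-_=+",
}


def required_classes(pattern: int) -> List[str]:
    """Return the character sets selected by the bitmask; reject unknown or empty masks."""
    if pattern <= 0 or pattern & ~ALL_BITS:
        raise ValueError(f"invalid complexity pattern {pattern}")
    return [chars for bit, chars in CLASSES.items() if pattern & bit]


def satisfies(password: str, pattern: int) -> bool:
    """True if the password contains at least one character from every required class."""
    return all(any(c in chars for c in password) for chars in required_classes(pattern))


def generate(pattern: int = 7, tries: int = 10,
             length_min: int = 15, length_max: int = 21) -> str:
    """Draw candidates from the union alphabet with a CSPRNG and keep the first that
    meets the pattern. Like the generate.try parameter, give up after `tries` attempts."""
    if not 0 < length_min <= length_max:
        raise ValueError("length bounds must satisfy 0 < min <= max")
    classes = required_classes(pattern)
    if len(classes) > length_min:
        raise ValueError("minimum length is too short to hold every required class")
    alphabet = "".join(classes)
    for _ in range(tries):
        length = length_min + secrets.randbelow(length_max - length_min + 1)
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(candidate, pattern):
            return candidate
    raise RuntimeError(f"no compliant password after {tries} attempts")


if __name__ == "__main__":
    print(generate())            # default pattern 7, 15..21 characters
    print(generate(pattern=15))  # also require a special character
```

With the defaults (three classes, 15 to 21 characters from a 62-character alphabet) a single draw fails only when one class is entirely absent, so ten attempts are more than enough; the retry cap matters when a small minimum length is combined with many required classes.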
krb5.conf.plugins.ccselect.disable
This parameter controls whether the DirectControl agent disables the built-in Kerberos ccselect plugins. If it is set to true, the built-in ccselect plugins are disabled in krb5.conf. If it is set to false, the [plugins] section is left as is. The default is true.
When you query a user's shell through the DirectControl NSS module, this option determines if the DirectControl emergency shell should be returned for an "Audit Required" user who does not have rescue rights when DirectAudit service daemon (dad) is not running. The default value is false, which means the nologin shell configured in nss.shell.nologin is returned.
The default of this parameter is changed from true to false.
adclient.krb5.principal.name
This parameter's default is changed from upn to sam, because an Active Directory user's Kerberos name is generated as sAMAccountName@<AD REALM> by default. To be consistent with this new default, for a name in the form <name>@<REALM> the DirectControl agent now tries the sAMAccountName (SAM@DOM) match first and then the UPN. Note: if you really want to set adclient.krb5.principal.name to upn, be aware of a potential issue when one user's (userA) UPN matches another user's (userB) sAMAccountName and the UPN domain suffix matches the domain realm. In this case userA cannot log in with her own password, and userB, having logged in with his sAMAccountName, can SSO into userA's account because of the confusion induced by matching the UPN against SAM@DOM. For an Active Directory user mapped to an MIT user, Kerberos name generation ignores this setting, as before.
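To make the two behaviours concrete, the following is an added example (not Centrify code) with a constructed realm CORP.EXAMPLE and two constructed accounts in the colliding configuration described above. It models the stricter SSO check from the Kerberos library upgrade (the principal must resolve through the zone mapping to the target user, rather than matching only the first part of the principal, which the example takes to be the name before "@") and the effect of trying the SAM format before or after the UPN format. The directory contents and all function names are assumptions for illustration.

```python
"""Kerberos principal to zone user resolution, and why the match order matters.

Added example, not Centrify code. Models two behaviours from the release notes:
the SSO check that now requires the credential's principal to resolve to the
target user (instead of matching only the name before '@'), and the
adclient.krb5.principal.name default change from upn to sam. The realm,
directory entries and function names are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

REALM = "CORP.EXAMPLE"


@dataclass(frozen=True)
class AdUser:
    sam: str        # sAMAccountName
    upn: str        # userPrincipalName
    unix_name: str  # login name from the zone profile


# Constructed collision: userA's UPN prefix equals userB's sAMAccountName, and the
# UPN suffix equals the domain realm. This is the case the release notes warn about.
DIRECTORY = (
    AdUser(sam="alice", upn="bob@corp.example", unix_name="alice"),        # userA
    AdUser(sam="bob", upn="bob.smith@corp.example", unix_name="bob"),      # userB
)


def lookup_sam(name: str) -> Optional[AdUser]:
    return next((u for u in DIRECTORY if u.sam.lower() == name.lower()), None)


def lookup_upn(upn: str) -> Optional[AdUser]:
    return next((u for u in DIRECTORY if u.upn.lower() == upn.lower()), None)


def kdc_account(principal: str) -> Optional[AdUser]:
    """The KDC keys a name@REALM principal by sAMAccountName (default AD behaviour)."""
    name, realm = principal.rsplit("@", 1)
    return lookup_sam(name) if realm.upper() == REALM else None


def agent_principal(user: AdUser, mode: str) -> str:
    """Principal an agent would put in the AS-REQ for a password logon of `user`."""
    if mode == "upn":
        name, suffix = user.upn.split("@", 1)
        return f"{name}@{suffix.upper()}"
    return f"{user.sam}@{REALM}"


def resolve_principal(principal: str, mode: str = "sam") -> Optional[AdUser]:
    """Map name@REALM to a zone user; `mode` decides whether SAM or UPN is tried first."""
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if realm.upper() != REALM:
        return None  # foreign realm: no zone mapping for this principal
    first, second = lookup_sam(name), lookup_upn(f"{name}@{realm.lower()}")
    if mode == "upn":
        first, second = second, first
    return first or second


def sso_allowed_loose(principal: str, target_user: str) -> bool:
    """The old loophole: accept when only the name before '@' matches the target."""
    return principal.split("@", 1)[0] == target_user


def sso_allowed_strict(principal: str, target_user: str, mode: str = "sam") -> bool:
    """The new check: the principal must resolve, via the zone mapping, to the target."""
    user = resolve_principal(principal, mode)
    return user is not None and user.unix_name == target_user


if __name__ == "__main__":
    print("loose accepts foreign realm:", sso_allowed_loose("bob@OTHER.EXAMPLE", "bob"))
    print("strict rejects foreign realm:", sso_allowed_strict("bob@OTHER.EXAMPLE", "bob"))
    print("upn-first resolves bob@CORP.EXAMPLE to:", resolve_principal("bob@CORP.EXAMPLE", "upn").unix_name)
    alice = lookup_sam("alice")
    print("KDC account behind alice's upn-mode AS-REQ:", kdc_account(agent_principal(alice, "upn")).sam)
```

Under upn mode, userB's ticket for bob@CORP.EXAMPLE resolves to userA's zone profile, and userA's own password logon is checked by the KDC against userB's key; under sam mode both principals land on the right account.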
The default value of this parameter has been changed from 'http nfs ftp cifs' to 'ftp cifs' on all platforms except Mac OS X. Note: when performing a self-join (adjoin -S), the DirectControl agent respects any existing SPNs in the computer object.
This parameter specifies a list of programs which do not support MFA. Programs using Centrify PAM for authentication are required to support MFA for users that have "MFA required" sysrights. For programs that do not support this feature, administrators can add the program names in this parameter to bypass MFA. The default list is now "ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd".
Centrify LDAP Proxy performance enhancements
To minimize unnecessary traffic to Active Directory, ldapproxy now implements a local cache for authentication, which may double performance in some scenarios. Cached authentication data is used by default if it is available and has not expired.
To further minimize the traffic to adclient and subsequently to Active Directory, ldapproxy has implemented an optional client side cache in slapd that handles repeated (same) searches. It is disabled by default in slapd.conf (ldapproxy.cache.enabled false).
Centrify DirectManage™ and console enhancements
The DirectManage Windows installer now provides an option to install Microsoft SQL Server Compact 3.5. If there is no Microsoft SQL Server Compact 3.5 installed, DirectManage Access Manager will disable the Sudoers Import feature and DirectManage Deployment Manager will not be allowed to install.
Password Synchronization Extension has not changed in this release. It is the same package with the version number 5.3.1 as in the previous Suite 2016.1 release, i.e., CentrifyDC_PasswordSync-5.3.1-win64.msi.
Centrify Licensing Report
Deployment Report is now called Centrify Licensing Report and is part of the new Licensing Service component.
To further enhance readability, there are a few changes in the report layout. The detailed system report in the bottom part of the report is also re-organized to make it easier to correlate with the deployment summary on top. You can also easily identify a license key that is being used by multiple DirectAudit installations by looking at the new “shared” column.
Centrify Report Services
Centrify Report Services provides another option to synchronize Centrify data from Active Directory to a local SQL store. The new option allows users to specify individual or all Centrify zones for data synchronization, whereas the original option is domain based.
A new category License Management is added to the Centrify Server Suite audit trail events. Twelve new events are added in this release and assigned to this category.
60100: DirectControl license key added.
60101: Fail to add DirectControl license key.
60102: DirectControl license key removed.
60103: Fail to remove DirectControl license key.
60104: DirectControl license container added.
60105: Fail to add DirectControl license container.
60106: DirectControl license container removed.
60107: Fail to remove DirectControl license container.
60200: DirectAudit license key added.
60201: Fail to add DirectAudit license key.
60202: DirectAudit license key removed.
60203: Fail to remove DirectAudit license key.
Note: The group policy Centrify Audit Trail Settings addresses all the available audit trail event categories including the new License Management category.
Centrify Report Services now supports SQL Server 2016.
The PCI/SOX reports below now provide an option to skip building and rendering charts. You may want to do so if you have a very large environment.
SOX/PCI-Login Report-By Computer
SOX/PCI-Login Report-By Group
SOX/PCI-Login Report-By Role
SOX/PCI-Login Report-By User
SOX/PCI-Login Summary Report
SOX/PCI-Rights Report-By Computer
SOX/PCI-Rights Report-By Group
SOX/PCI-Rights Report-By Role
SOX/PCI-Rights Report-By User
SOX/PCI-Rights Summary Report
In this release, the following new views are added:
EffectiveAuthorizedLocalUsers_Computer – it lists effective role assignments for local users in each computer.
ZoneHierarchy – it lists all the Hierarchical zones and their effective child zones.
Zone Provisioning Agent
The following performance improvements are added in this release:
When many zones are being provisioned, there may be a burst of traffic to the domain controller. A configurable delay between zone provisioning runs has been introduced to throttle this traffic. The delay is controlled by the registry value ProvisioningDelay under HKLM\SOFTWARE\Centrify ZPA. For example, setting ProvisioningDelay to Type: DWORD; Value: 5 adds a 5-second delay between each zone provisioning. The default is no delay.
Zone Provisioning Agent typically runs a full provisioning cycle each time based on schedule. There is a new option that will skip full provisioning if there is no change in the source group. This is enabled by setting a registry key CheckSourceChange to Type: DWORD; Value: 1 in HKLM\SOFTWARE\Centrify ZPA.
When provisioning multiple users from another domain, Zone Provisioning Agent will do bind requests to the same domain, which may cause performance issue in large deployments. This is now improved with a connection cache.
Access Module for PowerShell
Local accounts support is added to Access Module for PowerShell. You can create, change, read and delete local account objects using the following cmdlets:
New-CdmLocalUserProfile and Remove-CdmLocalUserProfile
Set-CdmLocalUserProfile and Get-CdmLocalUserProfile
New-CdmLocalGroupProfile and Remove-CdmLocalGroupProfile
Set-CdmLocalGroupProfile and Get-CdmLocalGroupProfile
RHEL and CentOS Smartcard
Added an option -K --check-kdc-eku to the command-line utility sctool to allow sctool to check the KDC certificate for the Extended Key Usage (EKU) attribute "Kerberos Authentication". This option was added because EKU checking is disabled by default.
RC4 and DES encryption for SmartCard Kerberos authentication is no longer supported. Please configure your Active Directory domain and forest to use AES-128 or AES-256 encryption for Kerberos in order to ensure future compatibility.
This release includes a Kerberos library upgrade that adds support for newly provisioned smart cards whose certificates use SHA-256. Centrify has tested the following SHA-256 smart cards:
Oberthur ID One 128 v5.5 Dual SHA256 Cards
G&D FIPS 201 SCE 3.2 SHA256 Cards
Centrify Server Suite Enterprise Edition
Auditing and Session Monitoring – Centrify DirectAudit™ 3.4.0
Prerequisites for upgrading your Server Suite deployment
Centrify DirectControl™ is a pre-requisite for Centrify DirectAudit on Linux and UNIX. Customers who use Centrify DirectControl for identity consolidation and privilege elevation on Linux and UNIX along with Centrify DirectAudit should always run the same relative versions of these components.
The minimum version of DirectControl required by this version of DirectAudit is 5.4.0 (Suite 2017).
Centrify introduces new advanced monitoring features for DirectAudit in Suite 2017. These features enable monitoring of applications and files at the process level on Linux servers and workstations.
Prior versions of DirectAudit monitor user activity within the shell. Shell-based monitoring, which includes features such as command recognition and video recording with time-indexed commands, is retained and will continue to be a feature of Server Suite. Advanced monitoring adds an additional layer of security and functionality by monitoring process calls from the system kernel, which are virtually impossible to spoof.
In Server Suite 2017, this feature is only available in the Red Hat Linux family. It will be available in other operating systems in future releases.
Here are two examples of the benefits of advanced monitoring.
Example One – Advanced monitoring of user commands
A user has decided to attempt to use the passwd command in a way that will escape detection. He creates a shell alias in his login script:
He types ‘checkout’ in his shell session, which appears innocuous but actually launches the passwd command. However, because advanced monitoring audits at the process level, it detects that the user did indeed run the passwd command, and creates an audit trail event correlating the user and the passwd command.
Example Two – Advanced monitoring of change to SSH key files
You are using best practices for SSH key management and have configured the location of the AuthorizedKeysFile in /etc/ssh/%u/authorized_keys rather than the user’s home directory (group policy can help you do this on Centrify-managed systems).
When advanced monitoring is turned on, by default it detects changes to all files and folders (including sub-folders) in /etc. Since SSH key files reside in sub-folders below /etc (in this example), when advanced monitoring is turned on Centrify will automatically audit when SSH key files are changed.
An audit trail event is generated for each such change and sent to syslog. You can easily enable your security information and event management solution (SIEM) to use these events to notify you when a user adds or modifies an SSH key on a critical system.
List of advanced monitoring features and functionality
Audit trail events can be generated:
When specific programs are executed by any user. This applies even to the root user, or to a user whose session is not being actively audited. The list of programs is specified by the configuration parameter event.monitor.commands.
When any file in the directories /etc, /var/centrifyda and /var/centrifydc is modified by a non-root user. ‘Modified’ means any write operation and/or any change to the file’s attributes.
A history of programs executed in an audited session is created, including programs that are executed by scripts. Since this feature may result in additional audit information which will increase the storage size of the audit store database, this feature must be enabled by setting the parameter event.execution.monitor.
You can enable or disable advanced monitoring at the command line with dacontrol -m / -n.
A new category of audit trail events was added to DirectAudit Advanced Monitoring which include the following six new events. Please refer to Audit Event Administrator Guide for details.
57200: Monitored program execution started.
57201: Monitored program execution failed to start.
57300: Monitored file modification attempted.
57301: Monitored file modification attempt failed.
Events 57400 and 57401 are used by DirectAudit software components. They are not stored in the Audit Store databases and are not available in audit trail event reports.
57400: Command execution is started. (Centrify use only)
57401: Command execution fails to start. (Centrify use only)
Audit trail events were added to the Centrify Commands category for the DirectAudit Advanced Monitoring feature:
20900: Advanced monitoring enabled
20910: Advanced monitoring disabled
New reports have been added for advanced monitoring.
The Detailed Execution report lists all processes (i.e. commands and applications) executed by non-root users.
The Monitored Execution report lists the executed processes specified by the configuration file or group policy. This report lists commands regardless of who executed them (e.g. root) and regardless of whether they ran in the context of an audited session.
The File Monitor report lists all cases where a monitored file was changed by a write operation or by a change to its attributes. By default, all files and folders (including sub-folders) in /etc, /var/centrifyda and /var/centrifydc are monitored.
Advanced monitoring requires that all DirectAudit components, including the management and audit store databases, collectors, and the Audit Manager and Audit Analyzer consoles, be upgraded to Server Suite 2017 or later.
Report of aggregate license usage
DirectAudit now reports aggregated license usage across multiple DirectAudit installations. Please note that the installations must be reachable by the new Centrify Licensing Service component.
New events parameters for integrating session replay with SIEM solutions
Two new common parameters DAInst (for DirectAudit Installation name) and DASessID (for DirectAudit session ID) are added to all audit trail events written to syslog and the Windows Event log to allow better SIEM integration for session replay.
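As an added example (not Centrify code) of the SIEM use described earlier for SSH key changes under /etc/ssh, and of the DAInst and DASessID parameters, the following parses constructed syslog lines carrying advanced-monitoring events 57200, 57300 and 57301 and turns the relevant ones into alerts keyed by installation and session. The pipe-delimited AUDIT_TRAIL header and the key=value field names (user, path, command) are an assumed layout for this illustration, not the documented event format; the /etc/ssh/<user>/authorized_keys path follows the AuthorizedKeysFile layout from the earlier example.

```python
"""Turn DirectAudit advanced-monitoring audit trail events into SIEM alerts.

Added example, not Centrify code. The syslog lines in SAMPLE_SYSLOG are
constructed; the AUDIT_TRAIL header layout and the user/path/command field
names are assumptions. Event numbers 57200, 57300, 57301 and the DAInst /
DASessID parameter names come from the release notes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: three file events, one program event, one unrelated line.
SAMPLE_SYSLOG = """\
Mar 10 12:01:33 web01 dad[1234]: AUDIT_TRAIL|Centrify Suite|DirectAudit|1.0|57300|Monitored file modification attempted|5|user=jdoe pid=4711 path=/etc/ssh/jdoe/authorized_keys DAInst=Prod-DA DASessID=6f1c2a3b-0001
Mar 10 12:01:40 web01 dad[1234]: AUDIT_TRAIL|Centrify Suite|DirectAudit|1.0|57300|Monitored file modification attempted|5|user=jdoe pid=4712 path=/etc/motd DAInst=Prod-DA DASessID=6f1c2a3b-0001
Mar 10 12:02:05 web01 dad[1234]: AUDIT_TRAIL|Centrify Suite|DirectAudit|1.0|57301|Monitored file modification attempt failed|5|user=intern pid=4801 path=/etc/ssh/intern/authorized_keys DAInst=Prod-DA DASessID=6f1c2a3b-0002
Mar 10 12:03:17 web01 dad[1234]: AUDIT_TRAIL|Centrify Suite|DirectAudit|1.0|57200|Monitored program execution started|5|user=jdoe pid=4820 command=/usr/bin/passwd DAInst=Prod-DA DASessID=6f1c2a3b-0001
Mar 10 12:03:20 web01 sshd[4900]: Accepted publickey for jdoe from 10.0.0.5 port 51234 ssh2
"""

# Assumed header: AUDIT_TRAIL|vendor|component|version|event id|event name|severity|key=value ...
HEADER = re.compile(
    r"AUDIT_TRAIL\|(?P<vendor>[^|]*)\|(?P<component>[^|]*)\|(?P<ver>[^|]*)\|"
    r"(?P<event_id>\d+)\|(?P<event_name>[^|]*)\|(?P<severity>\d+)\|(?P<fields>.*)$"
)
KV = re.compile(r"(\w+)=(\S+)")

# Keyed per-user authorized_keys location, as in the /etc/ssh/%u/authorized_keys layout.
SSH_KEY_PATH = re.compile(r"^/etc/ssh/[^/]+/authorized_keys$")
WATCHED_COMMANDS = {"/usr/bin/passwd", "/usr/sbin/usermod"}


@dataclass
class AuditEvent:
    event_id: int
    event_name: str
    fields: Dict[str, str]


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return the audit trail event carried by a syslog line, or None for other lines."""
    m = HEADER.search(line)
    if not m:
        return None
    return AuditEvent(int(m["event_id"]), m["event_name"], dict(KV.findall(m["fields"])))


def parse_syslog(text: str) -> List[AuditEvent]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def alerts(events: List[AuditEvent]) -> List[Dict[str, Optional[str]]]:
    """Keep SSH key modifications (successful or attempted) and watched program launches.
    Each alert carries DAInst and DASessID so an analyst can jump to the session replay."""
    out = []
    for e in events:
        f = e.fields
        if e.event_id in (57300, 57301) and SSH_KEY_PATH.match(f.get("path", "")):
            kind = "ssh_key_modified" if e.event_id == 57300 else "ssh_key_modify_failed"
        elif e.event_id == 57200 and f.get("command") in WATCHED_COMMANDS:
            kind = "watched_command"
        else:
            continue
        out.append({"kind": kind, "user": f.get("user"),
                    "object": f.get("path") or f.get("command"),
                    "installation": f.get("DAInst"), "session": f.get("DASessID")})
    return out


def by_session(found: List[Dict[str, Optional[str]]]) -> Dict[Tuple[str, str], List[str]]:
    """Group alert kinds by (installation, session) so one replay covers related findings."""
    grouped: Dict[Tuple[str, str], List[str]] = {}
    for a in found:
        grouped.setdefault((a["installation"], a["session"]), []).append(a["kind"])
    return grouped


if __name__ == "__main__":
    for a in alerts(parse_syslog(SAMPLE_SYSLOG)):
        print(a)
```

The passwd launch is reported by the process-level event whatever alias the user typed, and the /etc/motd write is dropped because only the authorized_keys path is of interest; grouping by DAInst and DASessID ties both findings in session 6f1c2a3b-0001 to one replay.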
Changes to installation wizard
The installation wizard of the DirectAudit component will configure the Microsoft SQL Server Reporting Service (SSRS) startup type to Manual if the user elects to install a new instance of SQL Server. If the user later decides to use the same SQL Server instance to host databases of other products (e.g., Centrify Report Services) that may need SSRS, they must change the startup type to Automatic and start the service manually.
The audit collector now caches the DNS information of connected audited systems to avoid frequent DNS lookups. This reduces network traffic and, in some cases, improves de-spooling performance.
Audit Analyzer and session player enhancements
The Audit Analyzer console now allows exporting metadata from multiple sessions to a single text file. When a user chooses the option of single file export, the user name and machine name are prefixed to each line of the exported file for easier parsing. In addition, a blank line is added as a delimiter to separate data from different sessions.
Audit Analyzer now supports searching sessions based on size. Users can now specify search criteria that will return the list of sessions that are greater than or less than the size (in kilobytes) specified by the user.
Three new reports are added to support the advanced monitoring feature:
Detailed Execution Report
Monitored Execution Report
File Monitor Report
Two items are added to the session context menu for advanced monitoring features related to a session.
Monitored Execution List…
Export Detailed Executions
Audit Manager enhancements
Audit Manager now validates the database patch/security level to ensure it's up to date before attaching an existing Audit Store database. A warning will be shown if the user tries to attach an Audit Store database that may not have the latest Centrify patch installed.
DirectManage Audit Manager now shows a list of all audit management servers configured for the connected installation along with the last known status of each of them.
The computer that runs the Centrify License Service is shown in the license summary page in Audit Manager.
The ability to add/remove DirectAudit licenses from Audit Manager will be deprecated in future releases. To add/remove licenses in Suite 2017 and later, you should use Centrify Licensing Service Control Panel on the system where Centrify Licensing Service is running.
Auditing for the Centrify Agent for UNIX and Linux
IMPORTANT: The minimum version of DirectControl required by this version of DirectAudit is 5.4.0 (Suite 2017). In other words, when you install or upgrade Server Suite 2017 and you are using both DirectControl and DirectAudit, please make sure that you upgrade *both* components to the same version level on the system.
The DirectAudit AIX package is now 64-bit to support AIX VIOS versions >= 2.2.2.
Sequence number and process ID verification was added to an internal inter-process communication sub-system for more robust transaction control between DirectAudit and DirectControl.
A new configuration parameter, preferred.audit.store, addresses cases where a UNIX agent has multiple IP addresses that fall within the scope of different audit stores; it specifies which audit store to use. A new group policy, Set the preferred Audit Store, is added to support this setting.
NOTE: The following item applies only to customers who have evaluated the Early Access version of Centrify Server Suite 2017.
The default value of the event.execution.monitor option in centrifyda.conf has been changed from 'true' to 'false'; therefore, detailed execution monitoring is disabled by default in the advanced monitoring feature.
The security fix identified in KB-7865 is incorporated in this release. Customers are encouraged to upgrade to this release; or, apply the patches mentioned in the KB article.
When generating script files for upgrading databases, the Database Maintenance Wizard now appends the corresponding database name to each file name. This enables the audit administrator to easily cross-reference a script file with the database the script will upgrade.
DirectAudit Version 1 database support end of life
Please note that Server Suite 2017 is the last release that supports DirectAudit Version 1 databases. In versions after Suite 2017, you will no longer be able to attach Version 1 databases to an existing DirectAudit installation.
If you are a customer with DirectAudit Version 1 databases, please contact us through your Centrify Customer Success portal for more information.
This group policy setting is enhanced to take effect immediately for the Windows agent: Centrify DirectAudit Settings/Windows Agent Settings/Set update agent status timeout
Centrify Audit Module for PowerShell enhancement
A new Get-CdaUserEvent cmdlet can be used to retrieve the user activity events for reporting purposes.
The existing cmdlet Get-CdaAuditEvent can now be used to retrieve the user privileged activity events for reporting purposes.
Support is added for the following operating system platforms in this release:
Latest version of Amazon Linux AMI (x86, x86_64)
CentOS 7.2 (x86_64)
Debian Linux 7.10, 8.3, 8.4 (x86, x86_64)
Oracle Enterprise Linux 7.2 (x86_64)
Scientific Linux 7.2 (x86_64)
openSUSE 42.1 (x86_64)
SUSE 12 SP1 (x86_64)
Ubuntu 16.04 LTS (x86, x86_64)
To see all platforms supported by Centrify Server Suite within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.
Support is removed for the following operating system platforms in this release:
Debian Linux 6
HP-UX 11.11, 11.23
Oracle Solaris 9
This is the last release of Centrify Server Suite in which the following operating system platforms will be supported:
SUSE Linux Enterprise 10
Ubuntu 15.04, 15.10
The next release will be the last release of Centrify Server Suite in which the following operating system platforms will be supported:
Citrix XenServer 6.0, 6.1
IBM Virtual I/O Server 1.x
Linux Mint Debian Edition 201303, 201403
Centrify Server Suite Standard Edition
Multi-factor Authentication Enhancements
MFA platform support
As part of Centrify’s commitment to enabling MFA Everywhere – the additional security of multi-factor authentication to protect your critical IT infrastructure, where you need it, when you need it – support for MFA has been added to the platforms in the table below.
[Table not recovered from the page. Its columns were “MFA Login (both local and remote)” and “MFA Privilege Elevation”, with one entry reading “Coming 2nd half calendar 2016”; the platform rows are not present in this copy.]
All Centrify Zone types supported
In addition to hierarchical zones, MFA is now supported for both Classic zones and Auto zones. Customers using the older zone models can now take advantage of the additional security of multi-factor authentication. (Agent updates are required.) Centrify recommends that customers using the older zone models consider upgrading to hierarchical zones. Hierarchical zones enable:
Superior role-based access controls, with delegation
True inheritance of identity attributes, access privileges, rights, and role assignments
Privilege elevation and the security of least privilege management
RSA SecurID and OATH supported
Customers with deployments of RSA SecurID one-time tokens can now use those tokens with Server Suite’s multi-factor authentication for both login and privilege elevation, the latter with sudo and dzdo. You can also use other third party OTP tokens you may have already deployed. Server Suite’s new OATH support enables MFA using USB tokens like YubiKey, or soft tokens like Google Authenticator, FreeOTP, or Duo.
MFA audit trail events
A new category “MFA” is added to the “Centrify Server Suite” audit trail events, enabling MFA events to be captured by DirectAudit or exported via syslog or the Windows Event Log to external applications such as security information and event management (SIEM) systems. In this release, two new Centrify event IDs are assigned:
54100: MFA Challenge Succeeded
54101: MFA Challenge Failed. The reason field indicates the failure reason.
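The following is an added example, not code from Centrify or from these release notes. It shows the kind of SIEM-side logic that consumes these events once they are exported over syslog: a parser for the MFA audit trail lines and a per-user count of failed challenges that flags repeated failures together with the reasons reported. The sample lines and their pipe-delimited, key=value layout are constructed for this example (the page does not specify the exported format); only the event IDs 54100 and 54101 and the reason field come from the notes above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines. The layout (pipe-delimited header carrying the
# numeric event ID, followed by key=value fields) is an assumption for this
# example; check the agent's actual syslog output before relying on it.
SAMPLE_SYSLOG = """\
Jun 12 09:01:07 host1 adclient[2201]: AUDIT_TRAIL|Centrify Suite|MFA|1.0|54100|MFA Challenge Succeeded|user=alice pid=4410 status=SUCCESS
Jun 12 09:03:15 host1 adclient[2201]: AUDIT_TRAIL|Centrify Suite|MFA|1.0|54101|MFA Challenge Failed|user=bob pid=4412 status=FAILED reason=incorrect OTP
Jun 12 09:03:40 host1 adclient[2201]: AUDIT_TRAIL|Centrify Suite|MFA|1.0|54101|MFA Challenge Failed|user=bob pid=4415 status=FAILED reason=incorrect OTP
Jun 12 09:04:02 host1 adclient[2201]: AUDIT_TRAIL|Centrify Suite|MFA|1.0|54101|MFA Challenge Failed|user=bob pid=4418 status=FAILED reason=challenge timed out
Jun 12 09:05:30 host2 adclient[1877]: AUDIT_TRAIL|Centrify Suite|MFA|1.0|54100|MFA Challenge Succeeded|user=carol pid=991 status=SUCCESS
Jun 12 09:06:00 host1 sshd[5000]: Accepted publickey for dave from 10.0.0.5 port 50022 ssh2
"""

MFA_SUCCEEDED = 54100  # event ID from the release notes
MFA_FAILED = 54101     # event ID from the release notes

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"AUDIT_TRAIL\|(?P<product>[^|]*)\|(?P<category>[^|]*)\|[^|]*\|"
    r"(?P<event_id>\d+)\|(?P<name>[^|]*)\|(?P<fields>.*)$"
)


def parse_fields(fields):
    """Parse 'k=v k2=v2 ...'; a value (such as reason=...) may itself contain spaces."""
    out = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", fields):
        out[m.group(1)] = m.group(2).strip()
    return out


def parse_mfa_events(text):
    """Return the MFA-category audit trail events as dicts; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("category") != "MFA":
            continue
        ev = {"ts": m.group("ts"), "host": m.group("host"),
              "event_id": int(m.group("event_id")), "name": m.group("name")}
        ev.update(parse_fields(m.group("fields")))
        events.append(ev)
    return events


def mfa_failure_summary(events):
    """Per-user count of failed challenges, plus the failure reasons seen for each user."""
    fails = Counter()
    reasons = defaultdict(Counter)
    for ev in events:
        if ev["event_id"] == MFA_FAILED:
            user = ev.get("user", "?")
            fails[user] += 1
            reasons[user][ev.get("reason", "unspecified")] += 1
    return fails, reasons


def users_over_threshold(events, threshold=3):
    """Users whose failed MFA challenges reach the threshold: candidates for a SIEM alert."""
    fails, _ = mfa_failure_summary(events)
    return sorted(u for u, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_mfa_events(SAMPLE_SYSLOG)
    fails, reasons = mfa_failure_summary(evs)
    for user in users_over_threshold(evs):
        print(f"ALERT: {user} failed MFA {fails[user]} times: {dict(reasons[user])}")
```

Keeping the reason field in the summary matters in practice: a run of "incorrect OTP" failures and a run of time-outs point at different problems (a wrong or stale token versus the agent being unable to reach the cloud service).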
Additional Enhancements to Standard Edition
OpenSSL is upgraded to 1.0.2g, and the fix for CVE-2016-2107 is also incorporated in this release.
TLS 1.2 is now supported in ldapproxy and can be enforced with the TLSProtocolMin option.
The fix for CVE-2016-0755 is incorporated in Centrify libcurl, which is based on stock libcurl 7.44.0.
Authenticating cross-forest users using an alternative UPN suffix is now supported.
Microsoft’s “Define host name-to-Kerberos realm mappings” group policy is now supported. The DirectControl agent will read the mapping and update the krb5.conf file.
This release adds a watchdog process (niswatch) to monitor and automatically restart adnisd, if necessary.
A Server Suite Standard Edition license is now required to run both adnisd and ldapproxy.
Starting from this release, Centrify supports the Standard Edition (DirectControl) agent on the latest Amazon Linux AMI release. However, the agent must be installed manually; Deployment Manager does not support installing or upgrading the agent in the Amazon Cloud environment.
A new attribute in the hierarchical zone Unix Command Right allows dzdo/dzsh to check all command arguments and prevent navigation up a path hierarchy. Please refer to the 'Prevent navigation up a path hierarchy' checkbox in Access Manager.
Sudo issues as reported in CVE-2016-5602 are fixed in dzedit. See the new dzdo.edit.checkdir and dzdo.edit.follow configuration parameters.
Hadoop Support Enhancements
The sample script kerberos_security_setup.pl can support the new Ambari v2.1.2 CSV file format in addition to the original Ambari v1.6.1 format.
You can now configure the sample script kerberos_security_setup.pl to remove HTTP, NFS, CIFS and FTP SPNs in computer objects. Four new configuration parameters are introduced in hadoop.conf to support this feature:
hadoop.adclient.krb5.service.principal.http.remove (default is true)
hadoop.adclient.krb5.service.principal.nfs.remove (default is false)
hadoop.adclient.krb5.service.principal.cifs.remove (default is false)
hadoop.adclient.krb5.service.principal.ftp.remove (default is false)
A new command option, --remove-spn, is also added. It will read the configuration file to remove the configured SPNs. By default only the HTTP SPN will be removed.
Smart Card and Certificate Management
Certificate management and auto-enrollment now supports Elliptic Curve algorithms. When either the ECDH_P256, ECDH_P384 or ECDH_P521 algorithm is selected in a version 3 Certificate template, the corresponding EC algorithm will be used to generate the key pair for the certificate. Note that only SHA1 can be used as the signature algorithm when using EC algorithms.
Scripts and Command Line Utilities
The adcert -r --ntlm option is removed in this release.
If DirectAudit is installed on the current system, the adinfo -t --support option will also invoke "dainfo -t" and include its output in the final zip file.
A new command, adobjectrefresh, is added to update the cache for a specific user or group object instead of the entire zone. Please use the help option for information on its usage and available options.
Changes to Configuration Settings
The centrifydc.conf file has been enhanced with new and updated parameters.
adclient.legacyzone.mfa.background.fetch.interval: This parameter specifies, in minutes, how often the DirectControl agent updates its cache with Active Directory groups whose members require multi-factor authentication in classic zones or Auto zones. The default is 30 minutes.
adclient.legacyzone.mfa.cloudurl: This parameter specifies the URL of the cloud instance that the DirectControl agent will access in order to implement multi-factor authentication for users in classic zones and Auto Zones.
adclient.legacyzone.mfa.enabled: This parameter specifies whether MFA is enabled for a classic zone or an Auto zone. The default is false.
adclient.legacyzone.mfa.required.groups: This parameter specifies a list of Active Directory groups in a classic zone or an Auto zone whose members are required to use multi-factor authentication when logging on or using privileged commands. The default is none.
adclient.legacyzone.mfa.required.users: This parameter specifies a list of Active Directory users in a classic zone or an Auto zone who are required to use multi-factor authentication when logging on or using privileged commands. The default is none.
adclient.legacyzone.mfa.rescue.users: This parameter specifies a list of Active Directory users who can log on to computers in a classic zone or an Auto zone when multi-factor authentication is required but the DirectControl agent cannot connect to the Centrify cloud service.
dzdo.edit.checkdir: This parameter is used to prevent dzedit from editing files located in a directory that is writable by the invoking user unless it is run by root. The default is true.
dzdo.edit.follow: This parameter is used to prevent dzedit from following symbolic links to edit files. The default is false.
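The following is an added example, not code from Centrify or from these release notes; it illustrates both the dzedit fix noted under Additional Enhancements to Standard Edition and the two parameters just described. It models the two safeguards as a decision function and exercises it against a constructed layout in a temporary directory: a read-only directory holding a config file, and a world-writable scratch directory holding a plain file and a symlink back to the config. The invoking uid 4242 is a constructed unprivileged user, and the permission check covers only the classic mode bits (ACLs are out of scope).

```python
import os
import shutil
import stat
import tempfile


def dir_writable_by(directory, uid, gids):
    """True if a user with this uid and group set has write permission on the directory
    via the owner, group or other bits (ACLs are out of scope for this model)."""
    st = os.stat(directory)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def check_edit_target(path, uid, gids, checkdir=True, follow=False):
    """Model of the two dzedit safeguards; returns (allowed, reason).

    follow=False   (dzdo.edit.follow default): refuse a target that is a symbolic link.
    checkdir=True  (dzdo.edit.checkdir default): unless the invoker is root, refuse a
                   target whose parent directory the invoking user can write to.
    """
    if os.path.islink(path):
        if not follow:
            return False, "target is a symbolic link (dzdo.edit.follow=false)"
        path = os.path.realpath(path)
    parent = os.path.dirname(os.path.abspath(path))
    if checkdir and uid != 0 and dir_writable_by(parent, uid, gids):
        return False, "parent directory is writable by the invoking user (dzdo.edit.checkdir=true)"
    return True, "ok"


def build_scenario():
    """Constructed layout in a temporary directory: a read-only 'etc' with a config file,
    and a world-writable 'tmp' holding a scratch file and a symlink to the config."""
    base = tempfile.mkdtemp(prefix="dzedit-model-")
    sysdir, scratch = os.path.join(base, "etc"), os.path.join(base, "tmp")
    os.mkdir(sysdir)
    os.mkdir(scratch)
    conf = os.path.join(sysdir, "app.conf")
    note = os.path.join(scratch, "note.txt")
    link = os.path.join(scratch, "link.conf")
    for p, text in ((conf, "constructed config\n"), (note, "constructed scratch file\n")):
        with open(p, "w") as f:
            f.write(text)
    os.symlink(conf, link)
    os.chmod(sysdir, 0o555)    # r-x for everyone: only root could write here
    os.chmod(scratch, 0o1777)  # sticky and world-writable, like /tmp
    return base, {"conf": conf, "note": note, "link": link}


def cleanup(base):
    """Restore write permission on the directories so the tree can be removed."""
    for root, dirs, _files in os.walk(base):
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o755)
    shutil.rmtree(base)


def run_scenario(uid, gids, checkdir=True, follow=False):
    """Build the layout, evaluate every target for the given invoker, clean up, return results."""
    base, targets = build_scenario()
    try:
        return {label: check_edit_target(p, uid, gids, checkdir, follow) for label, p in targets.items()}
    finally:
        cleanup(base)


if __name__ == "__main__":
    # uid 4242 is a constructed unprivileged invoker, not a real account.
    for label, verdict in run_scenario(4242, {4242}).items():
        print(f"{label:5} -> {verdict}")
    print("with follow=true:", run_scenario(4242, {4242}, follow=True)["link"])
    print("as root:        ", run_scenario(0, {0})["note"])
```

With the defaults the config file is editable, the scratch file is refused because its directory is writable by the invoker, and the symlink is refused outright; enabling follow makes the symlink case depend on where the link resolves, which is why the directory check runs on the resolved path.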
dzdo.legacyzone.mfa.enabled: This parameter specifies if multi-factor authentication is required for users to run the dzdo command in a classic zone. The default is false.
krb5.cache.clean.force.max: This parameter specifies the maximum lifetime of TGT (in days) before the DirectControl agent removes the Kerberos credential cache. The default is 0, which means never.
adclient.cloud.auth.conn.max: This parameter is renamed from adclient.cloud.auth.token.max. Its default value and group policy are unchanged.
adclient.local.account.manage: This parameter specifies whether the DirectControl agent manages local user and local group accounts. The default was true in previous releases; starting with this release, the default is false. If you explicitly enabled this setting in a previous release, it is preserved on upgrade.
In this release, there is stricter enforcement of syntax in centrifydc.conf and centrifyda.conf.
DirectManage Access Manager Changes and Enhancements
License summary is no longer displayed in the Manage Licenses dialog.
Access Manager now supports requiring Multi-Factor Authentication (MFA) during re-authentication for Desktops, Applications and Network Access Windows rights.
Starting from this release, you can select an RFC2307-compatible zone to store UNIX properties using the Active Directory RFC2307-compatible schema.
The 'Prevent navigation up a path hierarchy' checkbox is added to the 'Attributes' tab of the Command Right property page to specify whether path traversal should be disabled in command right. The default is to allow such navigation.
Password Synchronization now supports MD5 hashes. A hash starting with "$1$" is generated using the crypt(3)-MD5 algorithm. MD5 hashing is controlled by the following registry setting:
If this registry key does not exist or its value is '0', MD5 hashing is disabled.
Access Module for PowerShell Enhancements
The RequireMfa parameter is added to the following cmdlets. If the parameter is true, then MFA is required. The default is MFA not required.
The BlockGroupInheritance parameter is added to the New-CdmZone and Set-CdmZone cmdlets. If the parameter is true, the Active Directory groups in the parent zones that are not used by the joined machines in the child zone are not visible in that child zone. If the parameter is false, all groups are visible. The default is false.
The Force option is added to the New-CdmUserProfile and Set-CdmUserProfile cmdlets. If the option is true, creating or modifying a user profile is allowed even if its UNIX name is the same as the samAccountName of another AD user in the zone's domain. By default this is not allowed.
The DisablePathTraverse parameter is added to the New-CdmCommandRight and Set-CdmCommandRight cmdlets to specify whether path traversal is disabled in command right. The default is false. Also, the IsDisablePathTraverse property is added to the CdmCommandRight object. (Ref: CS-39391)
Centrify Report Services Enhancements
You can now specify the name of the report database in the Configuration Wizard.
Starting from Suite 2016.1, the following reports support local accounts:
PCI - Login Summary report
PCI - Rights Summary report
SOX - Login Summary report
SOX - Rights Summary report
Hierarchical Zone - Users report
In Suite 2016.1, the following new views are added:
New columns are added to the view ZoneComputers.
Note: The output of the EffectiveAuthorizedUserPrivileges_Computer view is the same as that of the current EffectiveLoginUserPrivileges_Computer report view.
Centrify Report Services uses the Reporting Services component that is part of Microsoft SQL Server. The currently supported SQL Server versions and editions are:
SQL Server 2008 R2 Express with Advanced Services (Service Pack 2 or higher recommended)
SQL Server 2008 R2 Standard or Enterprise or Datacenter (Service Pack 2 or higher recommended)
SQL Server 2012 Express with Advanced Services
SQL Server 2012 Standard or Enterprise
SQL Server 2014 Express with Advanced Services
SQL Server 2014 Standard or Enterprise
Note: Microsoft SQL Server 2008 R2 is not compatible with Windows 10.
Note: No 32-bit version of Microsoft SQL Server is supported.
Deployment Report Enhancements
Under the Deployment Summary, the count of Mac agents for each zone type is now displayed separately from *NIX agents.
The Deployment Report Wizard for Centrify Server Suite Enterprise Edition now supports report preview that was available previously only for Standard Edition.
If a user fails to send the generated report to the Centrify Support Portal, the report is saved automatically and a warning message is displayed.
When invoking the Deployment Report utility, there is a new switch, ‘/plaindata’, which allows the user to specify that host, zone and installation names need not be obfuscated in generated report.
Group Policy Enhancements
The “Notification Command Line” computer configuration group policy under “Centrify Settings > DirectControl Settings > Local Account Management” is added to invoke a user-provided post-processing program.
Four computer configuration group policies under “Centrify Settings > DirectControl Settings > Addns Settings” are added to manage addns configuration:
Enable addns invoked by adclient
Set command line options used by adclient
Set DNS records update interval
Set wait response interval for update requests
For details of each group policy, refer to its explanation text.
The “delegate_zone_right” command adds a list of new rights to delegate:
Additionally, the 'manage_role_assignments' right now supports managing role assignments from zone, computer zone and computer role.
The “get_zone_field” and “set_zone_field” commands support the hierarchical zone field 'block.parent.zgroup'. If the value is set to true, then it displays only the UNIX groups that are used in the joined servers in the zone. If the value is set to false, then it displays all the UNIX groups.
The get_role_assignment_field and set_role_assignment_field commands support the description field.
Centrify OpenSSH Changes and Enhancements
Centrify OpenSSH 5.3.1 is upgraded based on OpenSSH 7.2p2. (Ref: CS-39757)
Note: The symbolic link file of slogin is removed in the stock OpenSSH. It is retained in the Centrify OpenSSH.
Note: The support of SSH protocol version 1 is removed in the stock OpenSSH. It is still supported by the Centrify OpenSSH.
Centrify OpenSSH 5.3.1 is not compatible with previous Centrify DirectControl releases due to the major upgrade of OpenSSL in this release.
A new keyword, SSOMFA, is added to the Centrify sshd_config to require multi-factor authentication (MFA) for secure shell connections, even for single sign-on access to remote computers. This keyword takes effect only when UsePAM is enabled. The option can also be enabled by the group policy “Enable SSO MFA” under “SSH Settings”. The default is ‘no’ (disabled).
Please note that MFA is not supported for authentication using a public key.
Centrify PuTTY 5.1.8 Enhancement
Centrify PuTTY is currently integrated with open source PuTTY version 0.64.
This release enhances Centrify PuTTY to support the SSOMFA (Single Sign-On Multi-Factor Authentication) feature in Centrify OpenSSH Server.
Windows Agent Enhancements
With this release, the Centrify Windows Agent now supports multi-factor authentication for privilege elevation. With this new feature, you can use the Centrify Identity Service to configure Windows roles and rights to require a second form of authentication challenge, such as answering a security question, or responding to a phone call or email, in addition to requiring a user name and password.
Windows Application rights and Network Access rights are now fully supported in Windows 10 and Windows Server 2016. The Desktop right is not supported in this release for these platforms.
New Audit Trail events are added for MFA re-authentication operations. If a role is configured to require MFA re-authentication, Audit Trail events are generated for MFA challenge success and failure. The event details are as follows.
New Windows event IDs assigned to the category "Centrify Suite\MFA" for audit trail events.
200: MFA Challenge Succeeded
201: MFA Challenge Failed
Deployment Manager 5.3.1 Change
The Centrify product catalog is separated from the Deployment Manager setup package. The product catalog will only be imported into the repository when Deployment Manager is installed from Centrify Server Suite ISO.
CENTRIFY SERVER SUITE ENTERPRISE EDITION
General Changes and Enhancements
Starting in Suite 2016.1, the SQL Server 2008 R2 SP2 Express Edition that is installed by DirectManage Audit Easy Installer will have CENTRIFYSUITE as the default instance name, and the installer will enable the SQL Server Reporting Services (SSRS) feature for this instance and configure it in Native mode in order for the same instance to be used to host the Centrify Report Services database in an evaluation environment. Previously, the default instance name was DIRECTAUDIT and the installer did not enable the SQL Server Reporting Services feature for that instance.
Centrify DirectManage Audit now supports hosting the Management database and/or Audit Store databases in a SQL Server Availability Group. To benefit from all the features provided by a SQL Server Availability Group (such as multi subnet failover), Centrify recommends upgrading all DirectManage Audit components including Collectors, Audit Management Server service, Audit Manager console and Audit Analyzer console to the latest version. Note that there is no requirement to upgrade all the agents before using this new feature.
Audit Analyzer and Session Player Enhancement
The DirectManage Audit Audit Analyzer now allows exporting multiple sessions to a single text file. When a user chooses the single-file export option, the user name and machine name are prefixed to each line of the exported file for easier parsing. In addition, a blank line is added as a delimiter between the data of different sessions.
Centrify UNIX Agent (DirectAudit) Enhancements
The parameter "dad.data.dir", which defines the data directory path for DirectAudit, is deprecated in Suite 2016.1. Customers who need to store DirectAudit data and spool files in a different location must follow the approaches described in KB-6548. Also, when an alternate directory location is used, only the symbolic link to the data directory is removed when DirectAudit is uninstalled; the actual data directory remains on the system. Because this parameter is deprecated, the DirectAudit upgrade process aborts with an error message if it detects that the parameter is specified. Please contact Centrify Technical Support in this case.
Added a parameter, "dash.cmd.audit.blacklist", which allows a user to skip certain auditing command patterns using a regular expression. Command and arguments matching the expression will not be captured, but the “Audited command is executed” audit trail event will still be sent.
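The following is an added example, not code from Centrify or from these release notes. It models the documented behaviour (the "Audited command is executed" event is always sent; only the capture of the command and its arguments is suppressed on a match) and uses it to review a candidate blacklist before deployment: an unanchored pattern such as "ls" also matches inside paths like tools/list.txt and, worse, inside privileged invocations, which is exactly what a session record should never lose. The command lines and both patterns are constructed; whether the agent applies the expression with a search or an anchored match is not stated on the page, so this model uses a search and relies on anchors inside the pattern.

```python
import re

# Constructed command lines as a shell-auditing agent might see them.
SAMPLE_COMMANDS = [
    "ls -la /tmp",
    "pwd",
    "cat tools/list.txt",
    "/usr/local/bin/tools.sh --restart",
    "dzdo ls /root",
    "dzdo systemctl restart sshd",
    "vi /etc/hosts",
]

# Two candidate values for dash.cmd.audit.blacklist (constructed). How the agent
# applies the expression is not specified on the page; this model uses an
# unanchored search, so the pattern itself must supply any anchors.
NARROW_BLACKLIST = r"^(ls|pwd|cd|clear)(\s|$)"
SLOPPY_BLACKLIST = r"ls"

PRIVILEGED_PREFIXES = ("dzdo ", "sudo ", "su ")


def audit_decision(cmdline, blacklist):
    """Model of the documented behaviour: the 'Audited command is executed' event is
    always emitted; only the capture of command and arguments is suppressed on a match."""
    matched = re.search(blacklist, cmdline) is not None
    return {"cmd": cmdline, "event_sent": True, "captured": not matched}


def skipped_commands(blacklist, commands):
    """Commands whose content would not be captured under this blacklist."""
    decisions = (audit_decision(c, blacklist) for c in commands)
    return [d["cmd"] for d in decisions if not d["captured"]]


def hidden_privileged_commands(blacklist, commands):
    """Skipped commands that are privileged invocations: what an overly broad
    blacklist would remove from the session record."""
    return [c for c in skipped_commands(blacklist, commands) if c.startswith(PRIVILEGED_PREFIXES)]


if __name__ == "__main__":
    for label, pattern in (("narrow", NARROW_BLACKLIST), ("sloppy", SLOPPY_BLACKLIST)):
        print(label, "skips:", skipped_commands(pattern, SAMPLE_COMMANDS))
        print(label, "hides privileged:", hidden_privileged_commands(pattern, SAMPLE_COMMANDS))
```

Running a proposed pattern through a corpus of real session commands in this way, and asserting that nothing prefixed by dzdo, sudo or su is skipped, is a cheap check to add before the value is pushed out by configuration management.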
Added a new script 'dacheck' which allows users to check for any potential problems in their DirectAudit environment.
The parameters "spool.diskspace.min" and "spool.diskspace.softlimit" are enhanced to allow the value to be specified as either a percentage or an exact size.
Added a parameter to the Unix agent so that Audit Analyzer can show either the original user who ran the audited command or the current user (the identity after su/sudo/dzdo). In previous versions of DirectAudit, Audit Analyzer could only show the current user running an audited command, which may not be the real user identity if the user changed identity with su/sudo/dzdo. In Suite 2016.1, the administrator can configure the Unix agents so that Audit Analyzer shows the identity of the original user. This is controlled by the parameter dash.cmd.audit.show.actual.user in the Unix agent and can also be configured by the group policy “Show actual user running an audited command”. Customers must upgrade the Unix agents (not Audit Analyzer) for this feature to take effect.
Windows Agent (DirectAudit) Enhancements
The Group Policy "Centrify DirectAudit Settings/Windows Agent Settings/Set update agent status timeout" setting is enhanced to take effect immediately for the Windows agent.
Centrify Audit Module for PowerShell Enhancement
Added the Get-CdaUserEvent cmdlet to the PowerShell module; it can be used to retrieve user activity events for reporting purposes. The existing cmdlet Get-CdaAuditEvent can be used to retrieve user privileged activity events for reporting purposes.
DirectControl 5.3.1 contains the fix for the following DirectAudit issue: when a system is under high CPU utilization, communication between the Centrify DirectControl and Centrify DirectAudit agents may time out while the communication channel remains open, causing the DirectAudit agent to process an incorrect response to its request. This occurs only in the DirectAudit *NIX agent when DirectAudit shell auditing is enabled. The fix in this version of DirectControl and DirectAudit closes the communication channel between the two agents on timeouts and error conditions.
This fix has already been retrofitted to Server Suite 2016 and Server Suite 2015.1 as of March 2016. This issue does not happen in Server Suite 2015 and prior releases.
Support is added for the following operating system platforms in this release:
Latest version of Amazon Linux AMI (x86, x86_64)
CentOS 7.2 (x86_64)
Debian Linux 7.10, 8.3, 8.4 (x86, x86_64)
Oracle Enterprise Linux 7.2 (x86_64)
Scientific Linux 7.2 (x86_64)
openSUSE 42.1 (x86_64)
SUSE 12 SP1 (x86_64)
Ubuntu 16.04 LTS (x86, x86_64)
To see all platforms supported by Centrify Server Suite within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.