WHAT'S NEW

What's New in Centrify Server Suite

Centrify Server Suite Standard Edition

Upgrading Server Suite components

If you plan to upgrade to Server Suite 2017.1 from a version prior to Server Suite 2017, you must upgrade all the components relevant to a deployment.  A set of major infrastructure improvements to Server Suite now requires product components to run at the same (relative) version level; otherwise, you may experience compatibility issues.

Centrify Agent™ for Windows 3.4.1

Support for Windows Server 2016 and Windows 10

This release of the agent fully supports Microsoft Windows 10 and Microsoft Windows Server 2016.

New privilege management for network settings

Granular privilege management is extended to network configuration settings in this release.  The new Network Manager feature enables users with proper rights to view the list of Ethernet and wireless adapters and perform basic administrative tasks such as rename or enable/disable, and configure their IP and DNS settings.

Additional enhancements

  • New group policy settings enable Centrify administrators to specify Active Directory domains that the agent should ignore and not process (blacklisted), or domains that the agent should trust and process (whitelisted). Please refer to the "Specify a list of blacklisted domains" and "Specify a list of whitelisted domains" group policy settings under "Common Settings" for details.
  • New group policy settings configure the timeout value for multi-factor authentication (MFA) requests, and can instruct the agent to skip client certificate authentication for MFA; for example, when certificate authentication is disabled/blocked by enterprise policies or proxy settings. Please refer to "Specify the connection timeout for multi-factor authentication requests" and "Skip client certificate authentication" group policy settings under “Windows Settings\MFA Settings” for details.
  • The Privileged Desktop Centrify Start Menu will now display the shutdown/restart button even on Remote desktops when a user has shutdown privileges.
  • A new feature in the agent control panel allows a user to set credentials for Web Proxy authentication.
  • In Windows Services, the DirectAuthorize Agent service is now configured to depend on the Centrify Agent Logger service.

Centrify Agent for Linux – Centrify DirectControl™ 5.4.1

Note: These enhancements apply to all supported UNIX and Linux platform agents.

Enhancements

  • By default, the multi-factor authentication (MFA) feature now verifies the Centrify Identity Platform server certificate as required by the HTTPS protocol. The root CA bundle may not be present on some UNIX operating systems, or may not contain an unexpired certificate for the issuing CA. If you encounter SSL errors in MFA operations, update the root certificate authority (CA) bundle for your *nix agents. Optionally, you can disable HTTPS server certificate validation by setting the new parameter adclient.cloud.skip.cert.verification to true. You can also specify an alternate root CA bundle using the adclient.cloud.cert.store parameter.
  • For users who require infinite credential renewal (as specified in krb5.cache.infinite.renewal.batch.users and krb5.cache.infinite.renewal.batch.groups), if the user's keytab /var/centrifydc/renewal/keytab_<uid> is available, the agent will do the initial Kerberos cache acquisition in addition to renewal.

Centrify OpenSSL

  • Centrify OpenSSL 5.4.1 is upgraded based on stock OpenSSL 1.0.2k.
    • This includes security fixes for CVE-2017-3731, CVE-2017-3732 and CVE-2016-7055.

Centrify OpenSSH

  • Centrify OpenSSH 5.4.1 is upgraded based on stock OpenSSH 7.4p1.
    • This includes security fixes for CVE-2016-10009, CVE-2016-10010, CVE-2016-10011 and CVE-2016-10012.
    • This release removes server support for the SSH v.1 protocol.

Centrify libcurl

  • Centrify libcurl is upgraded based on stock curl 7.53.1.
    • This includes security fixes for CVE-2017-2629, CVE-2016-9594, CVE-2016-9586, CVE-2016-9952 and CVE-2016-9953.

Configuration parameters

centrifydc.conf has been updated with a number of new parameters and enhancements.

  • New parameters
    • adclient.cloud.cert.store

      This parameter specifies the root CA bundle that adclient uses to verify the server certificate presented by Centrify Identity Platform. When it is not set, adclient uses the root CA bundle that openssl uses. When it is set, adclient uses the specified CA bundle instead. Please ensure the file is valid and the store is updated with the required certificates. The default is not set. This parameter is effective only when the parameter adclient.cloud.skip.cert.verification is set to false.
    • adclient.cloud.skip.cert.verification

      Centrify MFA support in DirectControl requires the use of HTTPS protocol to communicate with Centrify Identity Platform. Starting in Suite 2017.1, the *nix agent verifies the certificate presented by Centrify Identity Platform as a security feature specified in the HTTPS protocol.   This parameter specifies whether to bypass this validation step. The default is false (i.e., always verifies server certificate).
    • krb5.conf.k5login.directory

      This parameter specifies an alternative location for a user’s .k5login files. It has no default setting. If it is not set, the user’s .k5login file will be set as {%home_dir}/.k5login. For example, if it is set to <k5login_directory>, the user’s .k5login file will be set as <k5login_directory>/<user’s unixname>.
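
The interplay of the two MFA certificate parameters above, as an added example (not Centrify's own code, which is the C agent): it parses a constructed centrifydc.conf excerpt and builds the TLS client context the documented settings imply. The sample file contents and the bundle path /etc/centrifydc/corp-root-bundle.pem are assumptions for the example.

```python
import os
import ssl
from typing import Dict, Optional

# Constructed centrifydc.conf excerpt for this example (not a real file):
# only the two MFA certificate parameters discussed above.
SAMPLE_CONF = """\
# centrifydc.conf excerpt (constructed)
adclient.cloud.skip.cert.verification: false
adclient.cloud.cert.store: /etc/centrifydc/corp-root-bundle.pem
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        params[key.strip()] = value.strip()
    return params


def as_bool(value: Optional[str], default: bool) -> bool:
    """Interpret a conf boolean; an unset parameter takes the default."""
    if value is None:
        return default
    return value.lower() in ("true", "yes", "1")


def verification_policy(params: Dict[str, str]) -> str:
    """Summarise which of the three documented behaviours applies."""
    if as_bool(params.get("adclient.cloud.skip.cert.verification"), False):
        return "skip"                      # no chain or hostname check at all
    store = params.get("adclient.cloud.cert.store")
    return f"custom-bundle:{store}" if store else "default-bundle"


def mfa_ssl_context(params: Dict[str, str]) -> ssl.SSLContext:
    """Build the TLS client context an agent would use towards the platform.

    skip.cert.verification=false (default): chain and hostname are verified
    against the OpenSSL default bundle, or against cert.store when it is set.
    skip.cert.verification=true: verification is disabled. That is the
    documented escape hatch for a stale CA bundle, but it also removes the
    protection against an interposed server, so prefer fixing the bundle.
    """
    policy = verification_policy(params)
    ctx = ssl.create_default_context()     # CERT_REQUIRED + hostname check
    if policy == "skip":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif policy.startswith("custom-bundle:"):
        store = policy.split(":", 1)[1]
        # Fail early and loudly: a missing bundle surfaces here rather than
        # as an opaque SSL error during the MFA call.
        if not os.path.isfile(store):
            raise FileNotFoundError(f"adclient.cloud.cert.store not found: {store}")
        ctx.load_verify_locations(cafile=store)
    return ctx


def verify_mode_name(ctx: ssl.SSLContext) -> str:
    """Name of the verify mode, e.g. 'CERT_REQUIRED' or 'CERT_NONE'."""
    return ctx.verify_mode.name


if __name__ == "__main__":
    params = parse_conf(SAMPLE_CONF)
    print("policy:", verification_policy(params))
    print("default context:", verify_mode_name(mfa_ssl_context({})))
```

The check on the bundle path is deliberate: a wrong adclient.cloud.cert.store path otherwise shows up as the same generic SSL error as an expired root, which is exactly the situation the notes tell you to troubleshoot by updating the CA bundle.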

Centrify DirectManage™ and console enhancements

  • Role assignment supports a description field in hierarchical zones and the corresponding support is now added to Access Manager and Report Services in this release.
  • DirectControl now allows customers to store their own information as custom attributes for role, role assignment and computer role definition. This capability has been added in Access Manager, Report Services, Access Module for PowerShell, the DirectControl SDK and the adedit command module.
  • Note: This new feature only applies to hierarchical zones.

adedit

  • adedit now supports a new "customattr" field for role assignments, roles and computer roles in a hierarchical zone.

Centrify Report Services

  • Report Services now supports the description field of a role assignment in a hierarchical zone in various report views.
  • Report Services now supports the newly added custom attribute for role definition, role assignment and computer role in a hierarchical zone in various report views.
  • Additional performance optimization is applied to the Login Summary Report in this release.

Access Module for PowerShell

  • A new property CustomAttributes is added to the cmdlets New-CdmRole, Set-CdmRole, New-CdmRoleAssignment, Set-CdmRoleAssignment, New-CdmComputerRole and Set-CdmComputerRole to allow users to manage this record with their own custom data.

Deployment Manager 5.4.1

  • Allow deployment to some newly supported platforms for Centrify Server Suite. For a list of the supported platforms by this release, refer to the “Supported Platforms” section in the Centrify Suite release notes.

Centrify Agent, Centrify Identity Service, Mac OS Edition for Server Suite 2017.1

  • Please see the release notes file for information on new and enhanced features for the Centrify Agent for Mac.

Centrify Server Suite Enterprise Edition

Auditing and Session Monitoring – Centrify DirectAudit™ 3.4.1

Prerequisites for upgrading your Server Suite deployment

Centrify DirectControl™ is a prerequisite for Centrify DirectAudit on Linux and UNIX. Customers who use Centrify DirectControl for identity consolidation and privilege elevation on Linux and UNIX along with Centrify DirectAudit should always run the same relative versions of these components.

The minimum version of DirectControl required by this version of DirectAudit is 5.4.0 (Suite 2017).

Enhancements

  • File monitoring is enhanced: /var/centrify is added to the default advanced monitoring directory list, and file monitoring events are no longer generated when configuration files are modified by the Centrify Agent for Linux daemon.
  • Added an "advanced_monitoring" query to dainfo using the -q option which can return the following values: "enabled: online" (0), "enabled: offline" (1), "enabled: unknown" (2), "disabled" (3), "not supported" (4) and "unknown" (5).
  • SElinux context “centrify_log_t” is added to the file centrifyda_client.log so that NSS applications can still write to this log in debug mode.
  • In Windows Services, the DirectAudit Agent service is now configured to depend on Centrify Agent Logger service.

UNIX and Linux Agent

  • The system limit on the number of open files per process may be low (e.g., 1024) on some operating systems. This results in errors in the DirectAudit daemon when there are many concurrent audited sessions. If you see this warning message in the system log: "The number of open files reached the limitation. Need to increase the limitation, then restart dad to take effect", modify the configuration parameter dad.process.fdlimit to increase the number of file descriptors allowed (this value must be less than the system hard limit). In addition, there is a new group policy entry, 'Set soft limit of open files', in "Computer Configuration" -> "Centrify DirectAudit Settings" -> "UNIX Agent Settings" -> "DirectAudit Daemon Settings" to configure this parameter.

Supported Platforms

Support is added for the following operating system platforms in this release:

  • Amazon Linux AMI - latest version (x86_64)
  • CentOS 6.9 (x86_64)
  • Oracle Linux 6.9 (x86_64)
  • RHEL 6.9 (x86_64)
  • Ubuntu 17.04 (x86_64)
  • Windows Server 2016
  • Windows 10

To see all platforms in Centrify Server Suite within the extended support period, select "SEE ALL PLATFORM VERSIONS" at www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page.

Termination of Support

Support is removed for the following operating system platforms in this release:

  • Citrix XenServer 6.0, 6.1
  • IBM Virtual I/O Server 1.x
  • Linux Mint Debian Edition 201303, 201403
  • Windows 8

This is the last release of Centrify Server Suite in which the following operating system platforms will be supported:

  • All 32-bit Linux
  • All Linux Mint and Linux Mint Debian Edition (LMDE)
  • All OpenSUSE
  • All RHEL on Itanium architecture
  • All Scientific Linux
  • All SUSE on Itanium architecture
  • AIX 6.1
  • CentOS 5.x
  • Fedora 22, 23, 24
  • Mac 10.10
  • OpenSUSE 13.2, 42.1
  • Oracle Linux 5.x
  • Redhat 4.x
  • Ubuntu 12.04 LTS, 16.10
  • VMware vMA 4.0, 4.1

Security Advisories

Centrify has established product security policies documented in the web page, www.centrify.com/product-policy. You may also find the details of all the published security advisories there.

Security Fixes

The zip files for all Windows components in this release and all releases in Centrify Download Center will now unpack into clean folders that contain only the software installation package. This is to avoid a potential DLL hijacking vulnerability, which cannot occur if the installation package is launched from a folder in which it is the only file.

Sensitive data is now encrypted in the local inter-process communication within Centrify *NIX components.

Centrify Server Suite Standard Edition

Kerberos armoring support

Centrify Server Suite now supports the Flexible Authentication Secure Tunneling (FAST) feature of Windows Server 2012 with the following options: (1) Not supported, (2) Supported and (3) Always provide claims. Other options of FAST are not supported at this time. FAST is also known as ‘Kerberos armoring’.


Centrify Licensing Service

Centrify has enhanced Server Suite license reporting to provide a comprehensive, real-time, and on-demand view into customer license consumption relative to purchased licenses. Centrify Licensing Service is added in this release to provide this information to customers, assisting them in managing their license usage and planning ahead for deployment of additional systems.

Centrify Licensing Service provides a single, central location for Centrify Server Suite license management, and for viewing license usage. This service improves and replaces the previous license management features of the Access Manager and Audit Manager consoles. The license management capability in Access Manager and Audit Manager is deprecated and will be removed in a future release.

Centrify strongly recommends that customers install and configure Centrify Licensing Service to take advantage of the new and enhanced license management capability. The Centrify DirectManage™ tools (Access Manager, ADUC extension and GPOE extension) will remind you upon startup if the new service is not running in the relevant Active Directory forest.

Best practice is to install one instance of the service as the primary, and one additional instance on a separate computer in the same forest for redundancy. There is no need for you to install additional instances of the service beyond the primary and a backup.


New data synchronization option in Centrify Report Services

In Centrify Report Services, customers can now choose to synchronize data from Active Directory based on zones instead of the original domain-based synchronization option. In many cases (especially in large deployments) this enables faster synchronization with the Centrify data stored in Active Directory, and reduces the processing time required by domain controllers to respond to the synchronization queries. This synchronization does not require the “Replicate Directory Changes” permissions in the Active Directory domains.

Feature name changes

The following names are changed in Centrify products. These changes may affect UI, group policies, log messages and documentation in general.

  • Cloud Connector is now Centrify Connector.
  • Centrify Cloud, Cloud Service, Cloud Server are now collectively referred to as Centrify Identity Platform.
  • Cloud Authentication is now Centrify MFA Service authentication.

Feature End of Life notice

With the introduction of the Report Services component in Suite 2016, this is the last supported release for the UNIX/Linux command line report utilities addbloader and adreport.

Upgrading Server Suite components

If you plan to upgrade to Server Suite 2017, you must upgrade all the components relevant to a deployment. A set of major infrastructure improvements to Server Suite now requires product components to run at the same (relative) version level; otherwise, you may experience compatibility issues.

Component compatibility with Server Suite 2017

Please note that the current versions of the following product components are not compatible with Suite 2017.

  • Centrify DirectSecure™
  • DB2 plug-in
  • adbindproxy on AIX and HP-UX
  • SAP SNC plug-in

Centrify will release new versions of these product components that interoperate with Suite 2017 at a later date.

Centrify Agent™ for Windows 3.4.0

New privilege management features

Two major enhancements in this release enable support for very granular privilege elevation when managing Windows systems (both server and workstation). New DirectAuthorize applications for application management and Windows system management allow Server Suite administrators to grant privileges per-application or per-Windows feature. Administrators can lock down user privileges for:

  • Changing and/or removing installed applications
  • Adding or removing Windows Server roles
  • Adding or removing Windows features

Active Directory one-way trust enhancement

Centrify Agent for Windows now partially supports one-way trust environments for Active Directory in the Centrify DirectAuthorize™ feature set. An Active Directory user from an account forest can login to a machine in a resource forest and have her privileges elevated to an account or a built-in group from the resource forest.


Rescue group for multi-factor authentication

Multi-factor authentication at Windows logon has been enhanced. A new group policy, "Specify a list of rescue users" (when the agent is not joined to a zone), enables a group of pre-defined administrative users to log into a computer in rescue mode or Windows Safe mode. This enables computer administration in states in which the computer cannot support multi-factor authentication.

Note: Multi-factor authentication for Windows login (local or remote) was added in an update to Server Suite 2016.1.

Installer changes

For easier deployment in cases where the customer requires only multi-factor authentication services on Windows, Centrify Agent no longer installs the auditing and session monitoring features by default. Silent installation of all Centrify Agent features (including audit features) is supported by the optional command line installation parameter ADDLOCAL=ALL for the MSI installer package.

Centrify Agent for Linux – Centrify DirectControl™ 5.4.0

Changes in DirectControl packaging

Starting in Suite 2017, the following open source packages are no longer part of the DirectControl installation package and are shipped separately. This change in product packaging enables Centrify to respond faster to critical security patches from the open source community.

  • CentrifyDC-openssl
  • CentrifyDC-openldap
  • CentrifyDC-curl

Note: These packages are prerequisites to installing the DirectControl package. Please be aware of this, especially if you have your own installation/upgrade automation scripts or if you retrieve Centrify packages from the Yum/APT repository.

Package name change

  • The RHEL and SUSE RPM package file names are changed:
    • From centrifydc*-<release#>-<OS>-<ARCH>.rpm to CentrifyDC*-<release#>-<OS>.<ARCH>.rpm
      • Example: CentrifyDC-openssh-7.3p1-5.4.0-rhel4.x86_64.rpm
    • From centrifyda-<release#>-<OS>-<ARCH>.rpm to CentrifyDA-<release#>-<OS>.<ARCH>.rpm
      • Example: CentrifyDA-3.4.0-suse10.i386.rpm

Open Source component upgrade

Centrify Server Suite 2017 includes a major upgrade in the form of the Kerberos library, which is upgraded based on stock MIT Kerberos 5-1.14.1.

  • This Kerberos library upgrade includes security fixes for CVE-2015-2695, CVE-2015-2696, CVE-2015-2697.
  • Two additional capabilities in this upgrade also help to address known single sign-on (SSO) issues (listed below).
    • You can now configure an alternate location for .k5login in krb5.conf. This means Kerberos can look for .k5login in a location other than user’s home directory.
    • The handling of SSO from SSH is made more secure. The Kerberos code now ensures that the principal name in the Kerberos credential resolves to the target user (from the zone mapping); otherwise, the login attempt fails. This closes the loophole in the default processing, where SSO was allowed if the target user name matched even just the first part of the Kerberos principal.
  • Support for the Kerberos armoring configurations of Windows Server 2012 and later is as follows:
    • Not supported
    • Supported
    • Always provide claims

Note: The Fail unarmored authentication requests configuration is not supported.

  • This Kerberos library upgrade may cause some minor behavior changes but in general the SSO behavior remains the same. However, to block SSO for the local user, you will need to set krb5.sso.block.local_user to true and the local user should be in user.ignore.
  • Kerberos 1.14.x supports ccselect plugin and this causes some issues for KCM ccache. We have introduced a new configuration parameter krb5.conf.plugins.ccselect.disable and a corresponding group policy to let you manage it.
  • Due to the new Kerberos library, previous releases of Centrify products that use an older Kerberos version (DirectAudit, DirectSecure, DB2 plug-in, adbindproxy support for Samba on AIX and HP-UX, and SAP SNC plug-in) are not compatible with DirectControl v5.4.0 in Suite 2017.
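
The two SSO-related changes above (the alternate .k5login location and the stricter principal-to-user check), as an added example that is not the Kerberos library's or Centrify's code: it contrasts the old first-component match with a strict resolution against a zone mapping, and computes where .k5login is looked up. The zone mapping, principals and directory paths are constructed for the example.

```python
import os
from typing import Dict, Optional

# Constructed zone mapping for this example (not real data): Unix login
# name -> the Kerberos principal the zone profile resolves to. A real
# deployment derives this from Active Directory through the zone.
ZONE_MAPPING: Dict[str, str] = {
    "alice": "alice@CORP.EXAMPLE",
    "alice.admin": "alice.admin@CORP.EXAMPLE",
    "bob": "bob@CORP.EXAMPLE",
}


def legacy_prefix_match(principal: str, target_user: str) -> bool:
    """The loophole described above: SSO was allowed when the target user
    name matched only the first component of the principal, so a foreign
    'bob@PARTNER.EXAMPLE' or an instance 'alice/admin@CORP.EXAMPLE' passed."""
    first = principal.split("@", 1)[0].split("/", 1)[0]
    return first == target_user


def resolve_principal(principal: str, mapping: Dict[str, str]) -> Optional[str]:
    """Strict resolution: the whole principal (name, instance and realm)
    must equal a zone user's principal. Realms are case-sensitive, so no
    case folding is applied."""
    for unix_name, mapped in mapping.items():
        if mapped == principal:
            return unix_name
    return None


def strict_sso_allowed(principal: str, target_user: str,
                       mapping: Dict[str, str] = ZONE_MAPPING) -> bool:
    """Post-upgrade rule: the credential's principal must resolve to the
    very user being logged in as; anything else fails the attempt."""
    return resolve_principal(principal, mapping) == target_user


def k5login_path(unix_name: str, home_dir: str,
                 k5login_directory: Optional[str]) -> str:
    """Where the user's .k5login lives: <home>/.k5login by default, or
    <k5login_directory>/<unixname> when the alternate directory is set
    (the behaviour of krb5.conf.k5login.directory described in these notes).
    Keeping the files outside home directories stops a user from editing
    the list of principals allowed to log in as them."""
    if k5login_directory:
        return os.path.join(k5login_directory, unix_name)
    return os.path.join(home_dir, ".k5login")


def k5login_authorizes(k5login_text: str, principal: str) -> bool:
    """.k5login grants login to the listed principals, one per line."""
    return any(line.strip() == principal for line in k5login_text.splitlines())


if __name__ == "__main__":
    for p in ("bob@CORP.EXAMPLE", "bob@PARTNER.EXAMPLE", "alice/admin@CORP.EXAMPLE"):
        print(p, "legacy:", legacy_prefix_match(p, p.split("@")[0].split("/")[0]),
              "strict:", strict_sso_allowed(p, p.split("@")[0].split("/")[0]))
```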

Centrify OpenSSL

  • Centrify OpenSSL 5.4.0 is upgraded based on stock OpenSSL 1.0.2j.
    • This includes security fixes for CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306 and CVE-2016-7052.

Patch of CVE-2016-2178 is also applied to openssl-fips-2.0.11.

Centrify OpenSSH

  • Centrify OpenSSH 5.4.0 is upgraded based on stock OpenSSH 7.3p1.
  • SSHv1 is no longer supported.
  • The LAM version of Centrify openssh is no longer shipped as all AIX versions already provide PAM authentication. If you are still using the LAM version of Centrify openssh, you should replace it with the corresponding PAM version for supportability.

Centrify libcurl

  • Centrify libcurl is upgraded based on stock curl 7.51.0.
  • This includes security fixes for CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625.

Centrify dzdo

  • Centrify dzdo is upgraded based on stock sudo 1.8.17p1.

Centrify PuTTY

  • Centrify PuTTY is upgraded based on stock PuTTY 0.67.
  • This new version also fixes the following security issues:
    • CVE-2015-5309 Potentially memory-corrupting integer-overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator.
    • CVE-2016-2563 Stack corruption vulnerability in the old-style SCP protocol.

Transaction control in LRPC2 protocol

The LRPC2 protocol has been enhanced for additional transaction control under heavy load. Note: users need to upgrade both DirectControl and DirectAudit to this version to benefit from the added protection.

HTTPS portal requirement for multi-factor authentication

The MFA mechanism (IWA) in the Centrify Admin Portal no longer supports HTTP and requires HTTPS for security reasons. The diagnostic tool, adcdiag, will fail the test if HTTPS is not available. Please ensure that the Centrify connectors are configured with HTTPS if you use this feature. Please refer to KB 7393 "How to configure the updated 2016.1 DirectControl agent to support MFA over HTTPS to the Cloud Connector" for more information.

Customer-managed, on-premises deployments of Centrify Privilege Service™ can be used to provide MFA services for Server Suite. Please refer to KB 7726 How to configure default IWA root cert for on-premises Centrify Privilege Service for more information.

Performance improvement in the DirectControl agent

  • Additional attributes "_UnixName", "sAMAccountName", "userPrincipalName", "Guid", and "Unixid", are now stored in memory cache for faster lookup when the configuration parameter "capi.cache.enabled" is set to true.

Miscellaneous enhancements

  • The support of Alternate UPN suffixes (ALTUPN) is now extended to cover two-way trusted forests.
  • The support of AIX extended attributes is now enhanced to cover the following:
    • Extended attributes for local users in Local Account Management.
    • User extended attributes up to AIX 7.2.
    • Group extended attributes.
  • You may find the supported attributes with the commands adquery user -X help user and adquery group -X help group.

Integration with third party password enforcement tool

Four configuration parameters, adclient.random.password.complexity.pattern, adclient.random.password.generate.try, adclient.random.password.length.max and adclient.random.password.length.min, are added for better integration with third party password enforcement tools.

Scripts and command line utilities

The command adjoin has a new option “-F/--forceDeleteObj” to clean up the existing computer object and extension object in Active Directory before performing the adjoin operation.

Configuration parameters

centrifydc.conf has been updated with a number of new parameters and enhancements.

  • New parameters
    • adclient.cloud.connector

      This parameter specifies a Centrify connector in the current Active Directory forest to provide connectivity between LINUX/UNIX servers and Centrify Identity Platform server for Centrify MFA authentication service. The host specified in this parameter will also be used as the HTTP proxy unless adclient.cloud.iwa.url is specified. If the specified connector is not available, the DirectControl agent will try to find the closest valid connector. Administrators can use either IP address or FQDN in this parameter. For example, adclient.cloud.connector: 192.168.1.61:8080 or adclient.cloud.connector: connector.mydomain.com:8080. Note that port 8080 is the default port for Centrify connectors. By default, this parameter is empty.
    • adclient.krb5.allow_weak_crypto

      This parameter controls whether weak encryption types should be allowed in the following parameters: adclient.krb5.tkt.encryption.types and adclient.krb5.permitted.encryption.types.

      Weak encryption types include: des-cbc-crc, des-cbc-md4, des-cbc-md5, des-cbc-raw, des3-cbc-raw, des-hmac-sha1, arcfour-hmac-exp, rc4-hmac-exp and arcfour-hmac-md5-exp. Note that setting this parameter to false may cause authentication failures in an existing Kerberos infrastructure that does not support strong ciphers. The default value is true, which allows weak encryption types.
    • adclient.random.password.complexity.pattern

      This parameter specifies the complexity requirements for the random password as a bitmask: 1=Upper (upper case characters A-Z), 2=Lower (lower case characters a-z), 4=digit (0 to 9), 8=special char (non-alphanumeric characters such as !, $, # and %). The default is 7 (Upper, Lower and digit).
    • adclient.random.password.generate.try

      This parameter specifies the maximum number of attempts to generate a random password for an Active Directory user. The default value is 10.
    • adclient.random.password.length.max

      This parameter specifies the maximum length of the random password. The default value is 21.
    • adclient.random.password.length.min

      This parameter specifies the minimum length of the random password. The default value is 15.
    • krb5.conf.plugins.ccselect.disable

      This parameter controls whether the DirectControl agent should disable Kerberos built-in ccselect plugins. If it is set to true, ccselect built-in plugins are disabled in krb5.conf. If it is set to false, the [plugin] section remains as is. The default is true.
    • nss.shell.emergency.enabled

      When you query a user's shell through the DirectControl NSS module, this option determines if the DirectControl emergency shell should be returned for an "Audit Required" user who does not have rescue rights when DirectAudit service daemon (dad) is not running. The default value is false, which means the nologin shell configured in nss.shell.nologin is returned.
  • Updated parameters
    • adclient.binding.refresh.force

      The default of this parameter is changed from true to false.
    • adclient.krb5.principal

      This parameter's default is changed from upn to sam, because an Active Directory user's Kerberos name is generated as sAMAccountName@<AD REALM> by default. To be consistent with this new default, for a name in the form <name>@<REALM> the DirectControl agent now tries an sAMAccountName (SAM@DOM) match first and then a UPN match. Note: if you do set adclient.krb5.principal to upn, be aware of a potential issue when one user's (userA) UPN matches another user's (userB) sAMAccountName and the UPN domain suffix matches the domain realm. In this case, userA will not be able to log in using her own password, and userB, having logged in with his sAMAccountName, could SSO to userA's account because of the confusion induced by matching the UPN against SAM@DOM. For an Active Directory user mapped to an MIT user, Kerberos name generation ignores this setting as before.
    • adclient.krb5.service.principals

      The default property value of this parameter has been changed from 'http nfs ftp cifs' to 'ftp cifs' on all platforms except Mac OS X. Note: when performing a self-join, adjoin -S, the DirectControl agent will respect any existing SPNs in the computer object.
    • pam.mfa.program.ignore

      This parameter specifies a list of programs which do not support MFA. Programs using Centrify PAM for authentication are required to support MFA for users that have "MFA required" sysrights. For programs that do not support this feature, administrators can add the program names in this parameter to bypass MFA. The default list is now "ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd".
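
How the four adclient.random.password.* parameters above fit together, as an added example that is not Centrify's implementation: the bitmask selects the required character classes, the two length parameters bound the candidate, and generate.try bounds the number of draws before the operation fails. The set of special characters ("!$#%") is taken from the four examples in the notes and is an assumption here.

```python
import secrets
import string
from typing import Dict, List, Optional

# Bit values of adclient.random.password.complexity.pattern, as documented.
UPPER, LOWER, DIGIT, SPECIAL = 1, 2, 4, 8
CLASSES = {
    UPPER: string.ascii_uppercase,
    LOWER: string.ascii_lowercase,
    DIGIT: string.digits,
    SPECIAL: "!$#%",   # the four examples in the notes; the real set is an assumption
}

# Documented defaults of the four parameters.
DEFAULTS: Dict[str, int] = {
    "adclient.random.password.complexity.pattern": 7,
    "adclient.random.password.generate.try": 10,
    "adclient.random.password.length.max": 21,
    "adclient.random.password.length.min": 15,
}


def required_classes(pattern: int) -> List[int]:
    """Character classes the bitmask demands, e.g. 7 -> [UPPER, LOWER, DIGIT]."""
    return [cls for cls in (UPPER, LOWER, DIGIT, SPECIAL) if pattern & cls]


def satisfies(password: str, pattern: int) -> bool:
    """True when every required class occurs at least once in the password."""
    return all(any(ch in CLASSES[cls] for ch in password)
               for cls in required_classes(pattern))


def generate_random_password(overrides: Optional[Dict[str, int]] = None,
                             rng=None) -> str:
    """Draw candidates until one meets the pattern, giving up after generate.try."""
    p = dict(DEFAULTS)
    p.update(overrides or {})
    pattern = p["adclient.random.password.complexity.pattern"]
    tries = p["adclient.random.password.generate.try"]
    lo = p["adclient.random.password.length.min"]
    hi = p["adclient.random.password.length.max"]
    classes = required_classes(pattern)
    if not classes or lo < 1 or lo > hi or tries < 1:
        raise ValueError("inconsistent random password parameters")
    # A CSPRNG is mandatory for credentials; random.Random is predictable.
    rng = rng or secrets.SystemRandom()
    alphabet = "".join(CLASSES[cls] for cls in classes)
    for _ in range(tries):
        length = rng.randrange(lo, hi + 1)
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if satisfies(candidate, pattern):
            return candidate
    # generate.try semantics: the caller gets a hard failure instead of a
    # password that silently violates the enforcement policy.
    raise RuntimeError(f"no compliant password after {tries} attempts")


if __name__ == "__main__":
    print(generate_random_password())
```

Rejection sampling keeps every character position uniformly distributed over the alphabet; the cost is the small chance of exhausting the attempts, which is why the parameters should be checked together: a pattern of 15 with a minimum length of 4 will fail far more often than the documented defaults.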

Centrify LDAP Proxy performance enhancements

  • To minimize unnecessary traffic to Active Directory, ldapproxy has implemented a local cache to handle authentication, which may double the performance in some scenarios. This cached authentication data is used by default if it is available and unexpired.
  • To further minimize the traffic to adclient and subsequently to Active Directory, ldapproxy has implemented an optional client side cache in slapd that handles repeated (same) searches. It is disabled by default in slapd.conf (ldapproxy.cache.enabled false).

Centrify DirectManage™ and console enhancements

  • The DirectManage Windows installer now provides an option to install Microsoft SQL Server Compact 3.5. If there is no Microsoft SQL Server Compact 3.5 installed, DirectManage Access Manager will disable the Sudoers Import feature and DirectManage Deployment Manager will not be allowed to install.
  • Password Synchronization Extension has not changed in this release. It is the same package with the version number 5.3.1 as in the previous Suite 2016.1 release, i.e., CentrifyDC_PasswordSync-5.3.1-win64.msi.

Centrify Licensing Report

  • Deployment Report is now called Centrify Licensing Report and is part of the new Licensing Service component.
  • To further enhance readability, there are a few changes in the report layout. The detailed system report in the bottom part of the report is also re-organized to make it easier to correlate with the deployment summary on top. You can also easily identify a license key that is being used by multiple DirectAudit installations by looking at the new “shared” column.

Centrify Report Services

  • Centrify Report Services provides another option to synchronize Centrify data from Active Directory to a local SQL store. The new option allows users to specify individual or all Centrify zones for data synchronization, whereas the original option is domain based.
  • A new category License Management is added to the Centrify Server Suite audit trail events. Twelve new events are added in this release and assigned to this category.
    • 60100: DirectControl license key added.
    • 60101: Fail to add DirectControl license key.
    • 60102: DirectControl license key removed.
    • 60103: Fail to remove DirectControl license key.
    • 60104: DirectControl license container added.
    • 60105: Fail to add DirectControl license container.
    • 60106: DirectControl license container removed.
    • 60107: Fail to remove DirectControl license container.
    • 60200: DirectAudit license key added.
    • 60201: Fail to add DirectAudit license key.
    • 60202: DirectAudit license key removed.
    • 60203: Fail to remove DirectAudit license key.
  • Note: The group policy Centrify Audit Trail Settings addresses all the available audit trail event categories including the new License Management category.
  • Centrify Report Services now supports SQL Server 2016.
  • The PCI/SOX reports below now provide an option to skip building and rendering charts. You may want to do so if you have a very large environment.
    • SOX/PCI-Login Report-By Computer
    • SOX/PCI-Login Report-By Group
    • SOX/PCI-Login Report-By Role
    • SOX/PCI-Login Report-By User
    • SOX/PCI-Login Summary Report
    • SOX/PCI-Rights Report-By Computer
    • SOX/PCI-Rights Report-By Group
    • SOX/PCI-Rights Report-By Role
    • SOX/PCI-Rights Report-By User
    • SOX/PCI-Rights Summary Report
  • In this release, the following new views are added:
    • EffectiveAuthorizedLocalUsers_Computer – it lists effective role assignments for local users in each computer.
    • ZoneHierarchy – it lists all the Hierarchical zones and their effective child zones.

Zone Provisioning Agent

The following performance improvements are added in this release:

When many zones are being provisioned, there may be a burst of traffic to the domain controller. We have introduced a configurable delay between each zone provisioning to throttle this traffic. The delay is controlled by a registry key ProvisioningDelay in HKLM\SOFTWARE\Centrify ZPA. For example, setting the key ProvisioningDelay to Type: DWORD; Value: 5 adds a 5-second delay between each zone provisioning. The default is no delay.

Zone Provisioning Agent typically runs a full provisioning cycle each time based on schedule. There is a new option that will skip full provisioning if there is no change in the source group. This is enabled by setting a registry key CheckSourceChange to Type: DWORD; Value: 1 in HKLM\SOFTWARE\Centrify ZPA.

When provisioning multiple users from another domain, Zone Provisioning Agent issues bind requests to the same domain, which may cause performance issues in large deployments. This is now improved with a connection cache.

Access Module for PowerShell

Local accounts support is added to Access Module for PowerShell. You can create, change, read and delete local account objects using the following cmdlets:

  • New-CdmLocalUserProfile and Remove-CdmLocalUserProfile
  • Set-CdmLocalUserProfile and Get-CdmLocalUserProfile
  • New-CdmLocalGroupProfile and Remove-CdmLocalGroupProfile
  • Set-CdmLocalGroupProfile and Get-CdmLocalGroupProfile

RHEL and CentOS Smartcard

  • Added an option -K --check-kdc-eku to the command-line utility sctool to allow sctool to check the KDC certificate for the Extended Key Usage (EKU) attribute "Kerberos Authentication". This option was added because EKU checking is disabled by default.
  • RC4 and DES encryption for SmartCard Kerberos authentication is no longer supported. Please configure your Active Directory domain and forest to use AES-128 or AES-256 encryption for Kerberos in order to ensure future compatibility.
  • This release includes a Kerberos library upgrade allowing support for newly-provisioned smart cards with SHA-256 encryption. Centrify has tested the following SHA-256 smart cards:
    • Oberthur ID One 128 v5.5 Dual SHA256 Cards
    • G&D FIPS 201 SCE 3.2 SHA256 Cards

Centrify Server Suite Enterprise Edition

Auditing and Session Monitoring – Centrify DirectAudit™ 3.4.0

Prerequisites for upgrading your Server Suite deployment

Centrify DirectControl™ is a prerequisite for Centrify DirectAudit on Linux and UNIX. Customers who use Centrify DirectControl for identity consolidation and privilege elevation on Linux and UNIX along with Centrify DirectAudit should always run the same relative versions of these components.

The minimum version of DirectControl required by this version of DirectAudit is 5.4.0 (Suite 2017).

Advanced monitoring

Centrify introduces new advanced monitoring features for DirectAudit in Suite 2017. These features enable monitoring of applications and files at the process level on Linux servers and workstations.

Prior versions of DirectAudit monitor user activity within the shell. Shell-based monitoring, which includes features such as command recognition and video recording with time-indexed commands, is retained and will continue to be a feature of Server Suite. Advanced monitoring adds an additional layer of security and functionality by monitoring process calls from the system kernel, which are virtually impossible to spoof.

In Server Suite 2017, this feature is only available in the Red Hat Linux family. It will be available in other operating systems in future releases.

Here are two examples of the benefits of advanced monitoring.

Example One – Advanced monitoring of user commands

A user has decided to attempt to use the passwd command in a way that will escape detection. He creates a shell alias in his login script:

alias checkout=/usr/bin/passwd

He types ‘checkout’ in his shell session, which appears innocuous but actually launches the passwd command. However, because advanced monitoring audits at the process level, it detects that the user did indeed run the passwd command, and creates an audit trail event correlating the user and the passwd command.

Example Two – Advanced monitoring of change to SSH key files

You are using best practices for SSH key management and have configured the AuthorizedKeysFile location as /etc/ssh/%u/authorized_keys rather than the user’s home directory (group policy can help you do this on Centrify-managed systems).

When advanced monitoring is turned on, by default it detects changes to all files and folders (including sub-folders) in /etc. Since SSH key files reside in sub-folders below /etc (in this example), when advanced monitoring is turned on Centrify will automatically audit when SSH key files are changed.

An audit trail event is generated for each such change and sent to syslog. You can easily enable your security information and event management solution (SIEM) to use these events to notify you when a user adds or modifies an SSH key on a critical system.
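The two examples above describe what a SIEM rule over these audit trail events would do: flag the monitored program (passwd) even when it is launched through an alias, and flag writes to authorized_keys files under /etc/ssh. The following Python script is an added example, not part of Centrify Server Suite; it parses a few constructed syslog lines and applies both rules. Only the event IDs (57200, 57201, 57300, 57301) and the DAInst/DASessID parameter names come from these release notes; the key=value line layout, the hostnames, users and session IDs are assumptions made up for the demo and must be adapted to the format your collectors actually forward.

```python
"""Toy SIEM filter for DirectAudit advanced-monitoring audit trail events (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Event IDs from the DirectAudit Advanced Monitoring category.
EVT_MONITORED_EXEC = 57200        # monitored program execution started
EVT_MONITORED_EXEC_FAIL = 57201   # monitored program failed to execute
EVT_FILE_MODIFY = 57300           # monitored file modification attempted
EVT_FILE_MODIFY_FAIL = 57301      # monitored file modification attempt failed

# Hypothetical watchlist mirroring what an admin would put in event.monitor.commands.
WATCHED_COMMANDS = {"/usr/bin/passwd"}
# AuthorizedKeysFile laid out as /etc/ssh/%u/authorized_keys, as in the example above.
SSH_KEY_FILE = re.compile(r"^/etc/ssh/[^/]+/authorized_keys$")

# CONSTRUCTED sample lines in an assumed key=value syslog layout (not Centrify's real format).
SAMPLE_SYSLOG = """\
Mar 14 10:02:11 web01 centrify-audittrail[2210]: EventID=57200 DAInst=ProdAudit DASessID=3f2a user=alice command=/usr/bin/passwd cmdline="checkout" pid=4321
Mar 14 10:03:45 web01 centrify-audittrail[2210]: EventID=57300 DAInst=ProdAudit DASessID=3f2a user=alice file=/etc/ssh/alice/authorized_keys op=write
Mar 14 10:04:02 web01 centrify-audittrail[2210]: EventID=57300 DAInst=ProdAudit DASessID=3f2a user=alice file=/etc/motd op=attr
Mar 14 10:05:30 db02 centrify-audittrail[1880]: EventID=57301 DAInst=ProdAudit DASessID=9c10 user=bob file=/etc/ssh/root/authorized_keys op=write
Mar 14 10:06:00 db02 centrify-audittrail[1880]: EventID=20900 DAInst=ProdAudit DASessID= user=root
"""

_HEADER = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+centrify-audittrail\[\d+\]:\s+(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')


@dataclass
class AuditEvent:
    host: str
    fields: Dict[str, str]

    @property
    def event_id(self) -> int:
        return int(self.fields.get("EventID") or 0)


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    detail: str
    install: str   # DAInst: which DirectAudit installation holds the session
    session: str   # DASessID: session to open in Audit Analyzer for replay


def parse_line(line: str) -> Optional[AuditEvent]:
    """Split one syslog line into host and key=value fields; None for non-audit-trail lines."""
    m = _HEADER.match(line)
    if not m:
        return None
    host, body = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(body)}
    return AuditEvent(host=host, fields=fields)


def evaluate(event: AuditEvent) -> List[Alert]:
    """Apply the two detection rules from the examples above to a single event."""
    f = event.fields
    common = dict(host=event.host, user=f.get("user", "?"),
                  install=f.get("DAInst", ""), session=f.get("DASessID", ""))
    alerts: List[Alert] = []
    eid = event.event_id
    if eid in (EVT_MONITORED_EXEC, EVT_MONITORED_EXEC_FAIL) and f.get("command") in WATCHED_COMMANDS:
        # Process-level auditing reports the real binary, so an alias in cmdline cannot hide passwd.
        alerts.append(Alert(rule="watched-command",
                            detail=f'{f["command"]} invoked as {f.get("cmdline", "?")!r}', **common))
    if eid in (EVT_FILE_MODIFY, EVT_FILE_MODIFY_FAIL) and SSH_KEY_FILE.match(f.get("file", "")):
        # A failed attempt (57301) on someone else's authorized_keys is still worth an analyst's time.
        outcome = "failed attempt" if eid == EVT_FILE_MODIFY_FAIL else "change"
        alerts.append(Alert(rule="ssh-authorized-keys",
                            detail=f'{outcome} to {f["file"]} ({f.get("op", "?")})', **common))
    return alerts


def scan(syslog_text: str) -> List[Alert]:
    """Run every line through the parser and rules; returns alerts in log order."""
    alerts: List[Alert] = []
    for line in syslog_text.splitlines():
        ev = parse_line(line)
        if ev:
            alerts.extend(evaluate(ev))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_SYSLOG):
        print(f"[{a.rule}] {a.host} user={a.user} {a.detail}  (replay: {a.install}/{a.session})")
```

Each alert carries DAInst and DASessID so the analyst can go straight from the SIEM hit to the session replay in Audit Analyzer; the /etc/motd change and the 20900 enable event pass through without alerting.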

List of advanced monitoring features and functionality

  • Audit trail events can be generated:
    • When specific programs are executed by any user. This applies even to the root user, or to a user whose session is not being actively audited. The list of programs is specified by the configuration parameter event.monitor.commands.
    • When any file in the directories /etc, /var/centrifyda and /var/centrifydc is modified by a non-root user. ‘Modified’ means any write operation and/or any change to the file’s attributes.
  • A history of programs executed in an audited session is created, including programs that are executed by scripts. Since this feature may result in additional audit information which will increase the storage size of the audit store database, this feature must be enabled by setting the parameter event.execution.monitor.
  • You can enable or disable advanced monitoring at the command line with dacontrol -m / -n.
  • A new category of audit trail events, DirectAudit Advanced Monitoring, was added. It includes the following six new events. Please refer to the Audit Event Administrator Guide for details.
    • 57200: Monitored program execution is started.
    • 57201: Monitored program fails to execute.
    • 57300: Monitored file modification attempted.
    • 57301: Monitored file modification attempt failed.
    • Events 57400 and 57401 are used by DirectAudit software components. They are not stored in the Audit Store databases and are not available in audit trail event reports.
      • 57400: Command execution is started. (Centrify use only)
      • 57401: Command execution fails to start. (Centrify use only)
  • Audit trail events were added to the Centrify Commands category for the DirectAudit Advanced Monitoring feature:
    • 20900: Advanced monitoring enabled
    • 20910: Advanced monitoring disabled
  • New reports have been added for advanced monitoring.
    • The Detailed Execution report lists all processes (i.e. commands and applications) executed by non-root users.
    • The Monitored Execution report lists the executed processes specified by configuration file or group policy. This report lists commands regardless of who executed them (e.g. root) and regardless of whether execution took place in the context of an audited session.
    • The File Monitor report lists all cases where a specified file was changed by a write operation or by a change to its attributes. By default, all files and folders (including sub-folders) in the following locations are monitored.
      • /etc
      • /var/centrifyda
      • /var/centrifydc

Advanced monitoring requires that all DirectAudit components, including the management and audit store databases, collectors, and the Audit Manager and Audit Analyzer consoles, be upgraded to Server Suite 2017 or later versions.

Report of aggregate license usage

DirectAudit now reports aggregated license usage across multiple DirectAudit installations. Please note that the installations must be reachable by the new Centrify Licensing Service component.

New event parameters for integrating session replay with SIEM solutions

Two new common parameters DAInst (for DirectAudit Installation name) and DASessID (for DirectAudit session ID) are added to all audit trail events written to syslog and the Windows Event log to allow better SIEM integration for session replay.

Changes to installation wizard

The installation wizard of the DirectAudit component will configure the Microsoft SQL Server Reporting Service (SSRS) startup type to Manual if the user elects to install a new instance of SQL Server. If the user later decides to use the same SQL Server instance to host databases of other products (e.g., Centrify Report Services) that may need SSRS, they must change the startup type to Automatic and start the service manually.

Collector enhancement

The audit collector now caches the DNS information of connected audited systems to avoid frequent DNS lookups. This reduces network traffic and, in some cases, improves de-spooling performance.

Audit Analyzer and session player enhancements

  • The Audit Analyzer console now allows exporting metadata from multiple sessions to a single text file. When a user chooses the option of single file export, the user name and machine name are prefixed to each line of the exported file for easier parsing. In addition, a blank line is added as a delimiter to separate data from different sessions.
  • Audit Analyzer now supports searching sessions based on size. Users can now specify search criteria that will return the list of sessions that are greater than or less than the size (in kilobytes) specified by the user.
  • Three new reports are added to support the advanced monitoring feature:
    • Detailed Execution Report
    • Monitored Execution Report
    • File Monitor Report
  • Two items are added to the session context menu for advanced monitoring features related to a session.
    • Monitored Execution List…
    • Export Detailed Executions

Audit Manager enhancements

  • Audit Manager now validates the database patch/security level to ensure it's up to date before attaching an existing Audit Store database. A warning will be shown if the user tries to attach an Audit Store database that may not have the latest Centrify patch installed.
  • DirectManage Audit Manager now shows a list of all audit management servers configured for the connected installation along with the last known status of each of them.
  • The computer that runs the Centrify License Service is shown in the license summary page in Audit Manager.

The ability to add/remove DirectAudit licenses from Audit Manager will be deprecated in future releases. To add/remove licenses in Suite 2017 and later, you should use Centrify Licensing Service Control Panel on the system where Centrify Licensing Service is running.

Auditing for the Centrify Agent for UNIX and Linux

IMPORTANT: The minimum version of DirectControl required by this version of DirectAudit is 5.4.0 (Suite 2017). In other words, when you install or upgrade Server Suite 2017 and you are using both DirectControl and DirectAudit, please make sure that you upgrade *both* components to the same version level on the system.

  • The DirectAudit AIX package is now 64-bit to support AIX VIOS versions >= 2.2.2.
  • Sequence number and process ID verification was added to an internal inter-process communication sub-system for more robust transaction control between DirectAudit and DirectControl.
  • A new configuration parameter preferred.audit.store addresses cases where a Unix agent has multiple IP addresses that belong to the scope of different audit stores. The new parameter is used to specify which audit store to use. A new group policy Set the preferred Audit Store is added to support this setting.

NOTE: The following item applies only to customers who have evaluated the Early Access version of Centrify Server Suite 2017.

  • The default value of the event.execution.monitor option in centrifyda.conf has been changed from 'true' to 'false'; therefore, detailed execution monitoring is disabled by default in the advanced monitoring feature.

Audit database

  • The security fix identified in KB-7865 is incorporated in this release. Customers are encouraged to upgrade to this release; or, apply the patches mentioned in the KB article.
  • When generating script files for upgrading databases, the Database Maintenance Wizard now appends the corresponding database name to each file name. This enables the audit administrator to easily cross-reference a script file with the database the script will upgrade.

DirectAudit Version 1 database support end of life

Please note that Server Suite 2017 is the last release that supports DirectAudit Version 1 databases. In versions after Suite 2017, you will no longer be able to attach Version 1 databases to an existing DirectAudit installation.

If you are a customer with DirectAudit Version 1 databases, please contact us through your Centrify Customer Success portal for more information.

Windows enhancement

  • This group policy setting is enhanced to take effect immediately for the Windows agent:
    Centrify DirectAudit Settings/Windows Agent Settings/Set update agent status timeout

Centrify Audit Module for PowerShell enhancement

  • A new Get-CdaUserEvent cmdlet can be used to retrieve the user activity events for reporting purposes.
  • The existing cmdlet Get-CdaAuditEvent can now be used to retrieve the user privileged activity events for reporting purposes.

Supported Platforms

Support is added for the following operating system platforms in this release:

  • AIX 7.2
  • Latest version of Amazon Linux AMI (x86, x86_64)
  • CentOS 7.2 (x86_64)
  • Debian Linux 7.10, 8.3, 8.4 (x86, x86_64)
  • Oracle Enterprise Linux 7.2 (x86_64)
  • Scientific Linux 7.2 (x86_64)
  • openSUSE 42.1 (x86_64)
  • SUSE 12 SP1 (x86_64)
  • Ubuntu 16.04 LTS (x86, x86_64)

To see all platforms in Centrify Server Suite that are within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page.

Termination of Support

Support is removed for the following operating system platforms in this release:

  • Debian Linux 6
  • Fedora 20
  • HPUX 11.11, 11.23
  • Oracle Solaris 9
  • Ubuntu 14.10

This is the last release of Centrify Server Suite in which the following operating system platforms will be supported:

  • Fedora 21
  • openSUSE 13.1
  • SUSE Linux Enterprise 10
  • Ubuntu 15.04, 15.10

The next release will be the last release of Centrify Server Suite in which the following operating system platforms will be supported:

  • Citrix XenServer 6.0, 6.1
  • IBM Virtual I/O Server 1.x
  • Linux Mint Debian Edition 201303, 201403