

Enhanced Support for LDAP
The Centrify Privileged Access Service extends its support for generic LDAP servers with the ability to customize LDAP attributes and schemas. LDAP user and group attribute names for non-standard and custom LDAP schemas can be added, mapped, and tested for validity.
Highlights
- Improved unique identifier support.
- Improved support for LDAP groups.
- Support for password change and resets.
- Improved site awareness using native methods.
- Improved search capability by understanding native methods.
- Validated support for Radiant Logic’s federated identity service, RadiantOne Federated Identity (FID).
- Support for other LDAP vendors to come in the future.

FIDO2 Support for multi-factor authentication
Centrify has supported Fast IDentity Online (FIDO) for years and is a member of the FIDO Alliance. FIDO2 is an authentication standard hosted by the FIDO Alliance. FIDO2 cryptographic login credentials are unique across every website, never leave the user’s device, and are never stored on a server. Since FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. This security model eliminates the risks of phishing, forms of password theft, and replay attacks. It also provides better alignment with NIST 800-53 high-assurance authentication controls.
Centrify will be leveraging the WebAuthn API to enable password-less authentication to the Privileged Access Service using either on-device or external authenticators. On-device authenticators are biometric authenticators integrated into the device hardware. Popular examples are Apple Touch ID and Face ID, Windows Hello, and fingerprint scanners. External authenticators are security keys that you plug into the device's USB port; for example, a YubiKey.

Centrify Client Auditing
This release introduces auditing for the new generation of Centrify Clients. This new generation of client-based auditing is independent of Active Directory, allowing for more flexible and scalable deployments. This release brings the following benefits.
- Deploy the Audit and Monitoring agent on the Centrify Client for Windows or Linux without Active Directory (AD).
- Secure data path over HTTPS.
- Improves the ability to deploy Auditing in DMZs or IaaS where AD is not available.
Offline Login on Centrify Client for Windows
The Centrify Privileged Access Service introduces a new permission called “Offline Rescue” to improve the availability controls for Windows systems. This permission allows an end-user to have the ability to use a passcode to log into a system that is offline.
- OTP settings for Key Algorithm, number of digits, and counter period can be configured.
- Offline passcode can be retrieved from the system properties.
- Support for other Unix/Linux to come in the future.
- Resolved an issue where an administrator with Application Management or System Administrator privileges could set a malicious URL of an application, deploy that application to a higher privileged administrator, and run client side scripts as the administrator (CC-72064).
- CVE-2019-11888 (Go language) was resolved by upgrading the Go language package to 1.12.6 (CC-68465).
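The three Offline Rescue OTP settings listed above (key algorithm, number of digits, counter period) have to match on the side that issues the passcode and on the offline system that checks it. The following is an added example, not Centrify code: it assumes the passcode behaves like an RFC 6238 time-based OTP, which the release notes do not state, and the secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 4226 / RFC 6238 test key), not a real one.
CONSTRUCTED_SECRET = b"12345678901234567890"


def totp(secret: bytes, now: int, algorithm: str = "sha1",
         digits: int = 6, period: int = 30) -> str:
    """Passcode for Unix time `now`; assumes RFC 6238 semantics."""
    counter = now // period                       # "counter period" setting
    mac = hmac.new(secret, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()  # "key algorithm"
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # "number of digits"


def verify(secret: bytes, candidate: str, now: int, *, algorithm: str = "sha1",
           digits: int = 6, period: int = 30, drift_steps: int = 1) -> bool:
    """Check a passcode locally, tolerating +/- drift_steps of clock skew."""
    ok = False
    for step in range(-drift_steps, drift_steps + 1):
        t = now + step * period
        if t < 0:
            continue
        expected = totp(secret, t, algorithm, digits, period)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected.encode(), candidate.encode())
    return ok


if __name__ == "__main__":
    code = totp(CONSTRUCTED_SECRET, 59)
    print("issued:", code)
    print("same settings, 30 s later:", verify(CONSTRUCTED_SECRET, code, 89))
    print("expired:", verify(CONSTRUCTED_SECRET, code, 150))
    # A verifier configured for 8 digits rejects a 6-digit passcode outright.
    print("digits mismatch:", verify(CONSTRUCTED_SECRET, code, 59, digits=8))
```

Because verification needs only the shared secret, the agreed settings and a local clock, it works with no network path to the service; widening `drift_steps` trades skew tolerance for a longer window in which a passcode stays valid.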
End of Life Notification
This section contains notifications for upcoming termination of apps, features, programmatic access or device support.
- The version 1 ServerAgent/VerifyPassword REST API will be removed from Centrify Privileged Access Service 20.1. The replacement version 2 API is serveragent/verifypasswordv2 (CC-65426).
OS Platform Support Changes
- The Cloud Linux Agent now supports the following operating systems:
  - CoreOS version 2247.5
  - CentOS 7.7
  - CentOS 8.0
  - Fedora 30
  - Fedora 31
  - Ubuntu 19.10
Changes
The following list records issues resolved in this release and behavior changes.
- With cagent enrolled, adding a group name containing a space (for example, “Remote Desktop Users”) in Local Group Mapping no longer generates an error (CC-69230).
- When working with Centrify Identity Platform, Centrifydc entries are no longer removed from the PAM file after cunenroll-ing the Cloud Linux Agent (CC-67306).
- When the native RDP attempt fails to connect to a target, the real reason the connect attempt failed is now logged in the event log rather than “Invalid Credentials” or “Unknown Error” (CC-70261).
- Logging in via PAS remote access as a PAS-managed local user now works for user names of the form username@ipaddress. Previously the ipaddress was misinterpreted as an AD domain (CC-70822).
- The default retention period for jobs in Job History has been increased from 7 to 30 days. This default can be changed by Centrify support on request (CC-70657).
- Completion time is now shown in the job report for jobs that did not succeed (CC-69935).
- Administrators can now manage DirectAudit configuration parameters using cedit (CC-70362).
Changes for Hot Fix 1
- Fixed a bug where a blank page was displayed after launching an application (CC-72340).
Changes for Hot Fix 2
- Fixed a bug where user activity could not be viewed due to long load times (CC-72357).
Changes for Hot Fix 3
- N/A - This hot fix was not released and is not included in Hot Fix 4.
Changes for Hot Fix 4
- Reconcilable accounts missing a password are now put under management when bulk managing accounts (CC-72447, CPSSUP-982).
- Fixed the Linux download for Ubuntu to correctly serve the 19.6 release package instead of 19.5 (CC-72619, CPSSUP-1007).
- Resolved an issue with OAuth2 profile caching for apps (CC-70756, CPSSUP-933).
- Fixed a bug where user activity could not be viewed due to long load times (CC-72357).
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.