Centrify 20.3 Release Notes

2 October,21 at 04:33 AM

New Features - Centrify Privileged Access Service

Centrify Hyper-Scalable Privileged Access Service

Our new architecture for Customer Managed Clustering will provide the world’s first “shared-nothing” high availability and on-premises privileged access management (PAM) with cloud-first services.
Centrify Hyper-Scalable Privileged Access Service brings the cloud-first technology honed in our SaaS offering to customer-managed installs, with a web tier, job scheduler, caching, and load balancing. This yields the following benefits for customers:
  • Upgrades have zero downtime and are fully automatable.
  • Easy provisioning and management of cluster resources.
  • Allows for infinite horizontal scale-out.
  • Active-active web, background, and TCP relay nodes.
  • Consolidated diagnostic logging.
  • Continued support for high availability.

Resource Policies for Centrify Privileged Access Service

Sets were introduced in 2017 to improve the manageability of Centrify Privileged Access Service resource objects. In this new release, policies will be applicable to sets of resources. For example, administrators will be able to apply a policy requiring multi-factor authentication (MFA) for login to systems on the built-in set of all systems, and likewise require MFA for checkout of account passwords.
Policies can be applied to sets of the following resource objects:
  • Accounts
  • Domains
  • Databases
  • Systems
  • SSH Keys
  • Secrets
Easily identify the policy summary and the sources (Default, Global, Set, or Resource Object override).

Inventory of Resources and Users

Administrators will be able to obtain better visibility of Centrify Privileged Access Service resources and users via an enhanced dashboard that accounts for the inventory in the portal. The Resource Counts dashboard will display the systems, databases, accounts, services, clients, and users that are in the service as of the last daily snapshot.

SSH Resource Profile Enhancements

An SSH Resource Profile can be created to define a custom system and specify how Centrify Privileged Access Service should interact with a device that supports the SSH protocol. In the 20.3 release, we will be enhancing the SSH Resource Profiles so that they can be grouped into sets for permissions management. We will also support importing and exporting these profiles so that they can be shared between different environments. This is a step toward our future plans for the Centrify Integration Hub, a self-service portal that will allow custom device and application plugins for privileged sessions and password management to be shared by customers, partners, and third-party software vendors in the Centrify community.


Client-Driven Password Reconciliation for Local Accounts 

Out-of-sync passwords can interrupt IT operations and impact security. Centrify supports automatic password reconciliation using shared accounts (multi-phase).
The Centrify Client will enable the following account operations without reliance on the Centrify Gateway Connector: 
  • Password reset
  • Account unlock (only for Windows)
  • Password rotation
  • Account status verification
  • System connection verification
  • Proxy account management
If both the Centrify Client and Centrify Gateway Connector are present, the Centrify Client will be the preferred reconciliation method, and reconciliation will fall back to the Centrify Gateway Connector automatically if connectivity fails.


Centrify Delegated Machine Credentials

Centrify Delegated Machine Credentials leverage the OAuth2-based credentials and machine identity of the Centrify Clients for Centrify Privileged Access Service to delegate API access to applications.
  • Uses machine identity to build a strong authenticated relationship with Centrify Privileged Access Service.
  • Brokers out this trust to be utilized by applications and clients for automation and application-to-application password management (AAPM) use cases.
  • Requires a Centrify Client to be enrolled on the target machine with the Centrify Delegated Machine Credentials feature enabled.


New Features

  • New built-in reports “/Resources/Linux User Profiles” and “/Resources/Linux Group Profiles” have been added for user and group profiles respectively in Linux clients.
  • The Centrify agent for Linux can now log PAM calls. A new configuration option, log.pam, is provided for this. It defaults to false; set it to true to enable PAM logging.
  • To improve performance on NSS user queries, a whitelist of cloud users can now be specified for which the Centrify agent for Linux will always prefetch user profile and group information in getgrXXX() calls without logging into the agent first. The configuration parameter is nss.prefetch.users and usernames can be specified as either UPN or UNIX names.


The following list records issues resolved in this release and behavior changes.

  • The installers for the self-hosted Privileged Access Service and the Centrify Connector will detect if .NET 4.8 is installed on the install machine and silently install if it is not already present (CC-73958).
  • From this release, client machines where the Remote Access Kit is launched must have .NET 4.8 installed (CC-73921).
  • The Centrify Catalog has been updated in this release with a revised set of supported apps, as many of the apps provided previously were not relevant to the Privileged Access Service. Full details of the changes are in KB-36199.
  • The /ServerManage/CreateDiscoveryProfile endpoint has now been updated to require an OU and domains while creating an AD Discovery profile. Previously no input validation was performed to ensure the information was provided and the profile was created (CC-72834).
  • OperationMode has been added to AdministrativePasswordChangeEvent events (CC-74343).
  • Resolved an issue where the Linux agent would not report ready after the 5 second delay when enrolling. The delay has been increased to 10 seconds (CC-74612).
  • Native RAIL app startup failures are now logged as an event (CC-73900).
  • Activities are now shown in the Built-in report “/Resources/User Activity” for Windows native RDP sessions (CC-73502).
  • Activities related to desktop apps are now displayed in the user’s Profile > Activity tab (CC-73552).
  • Active Directory discovery now correctly searches child domains where both the parent and child are explicitly set in the discovery job (CC-73761).
  • Sets of SSH resource profiles can now be created (CC-72333).
  • Additional index columns have been added to two tables:

    In the pvreport table: “name”, “starttime” and “jobid”
    In the collections table: “collectiontype”

  • It is now possible to successfully launch an RDP session with the native RDP client when a cloud user was entered as the account for a cloud-joined system (CC-73977).
  • The following languages are no longer supported in mobile apps and as preferred cultures: Arabic, Dutch, Portuguese, Russian, Serbian, Swedish, Thai, Vietnamese (CC-74163).
  • Numlock on local workstation and remote host are now synchronized when the local host session starts (CC-61433).

Changes for Hot Fix 2
  • Fixed an issue where the member permission ‘Agent Auth’ under System Set was missing (CC-75080).
  • Removed an unnecessary background job that caused high CPU and network usage on collection events (CC-75013).
  • Fixed an issue where MFA might be broken for customers using Centrify agents with Centrify branded connectors (CC-74952).
  • Added code to clean up unnecessary User Portal applications and reset the social auth configuration (CC-74819).

Supported Platforms

Centrify Connector

  • Windows Server 2012r2, Server 2016, Server 2019

Self-hosted Centrify Privileged Access Service

  • Windows Server 2012r2, Server 2016

Hyper-scalable Centrify Privileged Access Service

  • Windows Server 2016, Server 2019

Centrify Clients for Linux

Client for Red Hat 6
  • Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 8.0, 8.1
  • CentOS 6.9, 6.10, 7.5, 7.6, 8.0
  • Fedora 30, 31
  • Oracle Linux 6.9, 6.10, 7.5, 7.6
  • Amazon Linux AMI 2017.09, 2018.03
  • Amazon Linux 2 2017.09, 2018.03

Client for CoreOS
  • Latest stable release 2345.3.0

Client for SuSE 12
  • SuSE 12, 15

Client for Debian 8
  • Debian 8, 9
  • Ubuntu 16.04LTS, 18.04LTS, 18.10, 19.04

Centrify Client for Microsoft Windows

  • Windows Server 2012r2, Server 2016, Server 2019

Windows PAS Remote Access Kit

  • Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify app for Android

  • Android 4.4 (API level 19) and later

Centrify app for iOS

  • iOS 11 and above

(Tested systems and devices for Privileged Access Service are listed in the documentation)

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.