Support for Thycotic Secret Server has been added to the Cloud Platform, showing in the Admin Portal as a Vault.
Users can see Systems and Accounts from one or more Secret Server vaults.
Introduces a new Account type of Vault. A vault account includes details about contacting a Secret Server and uses the Secret Server as the authority for the account credentials.
Supported operations on a vault account are session creation (WebSSH/WebRDP), check-in/checkout of local accounts, domain accounts, and SSH keys, and credential verification.
The Cloud Platform will periodically (or on-demand) synchronize with Secret Server vaults to obtain current Systems and Accounts.
System Resource Mappings introduces a new type of resource mapping for Secret Server Sites. These optional mappings give the Cloud Platform the information needed to choose an appropriate Gateway Connector when connecting to a target system.
PAS can reach Secret Server instances directly for a SaaS Secret Server or via a Gateway Connector for an on-premises Secret Server instance.
Privilege elevation for Centrify Clients for Windows and Linux (preview)
Cloud Suite users can now run programs and commands with elevated privileges on Windows and Linux systems running Centrify Clients without the need to have an ongoing privileged login session. This feature is offered as a preview in 21.7.
Centralized management to determine who can elevate privilege to run which applications and commands on which systems. Administrators use the Centrify Platform portal UI to manage privilege elevation policies.
Privilege elevation policies can be defined globally (for all Windows clients, all Linux clients, and all clients), for a Set of computers (e.g., nodes in a Hadoop cluster), or a specific system.
For Linux, elevation to root is via a sudo plug-in. For Windows, it is via a UAC hook.
Supports policy-driven MFA to enforce step-up authentication before privilege is elevated.
Includes reports on privilege elevation activities and who can run which programs or commands with privilege on which systems.
Self-service access request workflows are supported natively or via ServiceNow and SailPoint integrations, allowing users to request time-limited elevation rights.
Identity Management for Linux (preview)
This new feature of Cloud Suite allows customers to manage Linux RFC-2307 user attributes centrally within the Cloud Platform. Prior to this release, random UIDs and GIDs were assigned for each Linux system. This could result in access denials when users attempted to access applications, files, or folders or (for example) NetApp shares where the UID/GID of the resource didn’t match.
With 21.7, customers can control which UIDs users will assume when logging in to Linux systems, as well as other RFC-2307 attributes such as home directory, username, and shell. This is similar functionality that Server Suite provides for Active Directory accounts, but with the Cloud Platform, this can be applied to any backend directory that is being used.
We have made enhancements to the MFA redirection experience in 21.7 to improve security and to make MFA redirection configuration more intuitive.
Enhanced security for MFA redirection was introduced in release 21.6. In 21.7, we introduce a new granular administrative right to allow MFA redirection without needing User Management or sysadmin rights.
To redirect MFA to another user, you will need a new administrative right called “MFA Redirect Management.” System administrators and users with the “User Management” right already have this right. Other administrators can be delegated the right by creating or editing a role in the admin portal as follows:
And choosing MFA redirect management from the list.
To support this, the method used in release 21.6 and earlier to enable MFA redirection in:
Access --> Policies --> (Policy set) --> User Security --> User Account Settings
Has been removed.
To enable MFA redirection for a user, go to the user’s account, choose the “MFA Redirection” tab and check the box “Redirect Multi-factor Authentication to a different user account.” Once enabled, you will be able to select the user to which MFA is to be redirected.
To avoid duplicate methods to enable MFA redirection, enabling MFA redirection notification via:
(User name) à Profile --> Devices
And enabling MFA redirection to a different user account via:
Access à Users à (User) --> Account
Have both been removed.
Notice of Discontinuation
As a performance improvement, the “Rights” column from the “Server” and “VaultAccount” tables in reports will be eliminated in a future release. This column is expensive to calculate and not needed in most use cases of these tables. If you have existing custom reports referencing the “Rights” column in these tables, you will need to update them by removing the column reference. If not corrected, custom reports using this column will cease to function when the “Rights” columns are removed (CC-78591).
The following list records issues resolved in this release and behavior changes.
The PIN length for devices using the Centrify mobile applications for Android and iOS must now be between 6 and 10 characters. Previously the minimum PIN length was 4 characters, and there was no upper limit (296415, 296416).
(303105) For Centrify mobile applications for iOS and Android, search has been reintroduced for passcodes in
Resources --> Authentication --> Passcodes
The /ServerManage/UpdateResource API has been supplemented by a new API, /ServerManage/PatchResource. UpdateResource expects all fields to be included in the call that have already been populated; otherwise, missing fields will be cleared. PatchResource will update only the fields included in the REST API call. Fields that are not in the call will be untouched (CC-78656).
Resolved an issue whereby a user with local sudo rights cannot run any sudo commands when the Centrify Agent for Linux is installed and enrolled (CC-78919).
When using an LDAP configuration with two base DNs - one for users and one for groups - the group DN field now correctly validates when being tested or saved (CC-77878).
Resolved an issue whereby it was still possible to add a system where an invalid IP address was given and “Verify system settings” was checked (CC-78774).
The CSV file generated by the Escrow feature is no longer truncated in some cases (298888).
Resolved an issue where, in some cases, it was possible to log in using the keyboard-interactive mode, but logins using the password authentication mode would fail (CC-78756).
Workflow now correctly handles requestor and approver timestamps when time zones for requester and approver are different (300067).
Windows Server 2012r2, Server 2016, Server 2019
Hyper-scalable Centrify Privileged Access Service
Windows Server 2016, Server 2019
Centrify Clients for Linux
Client for Red Hat 6:
Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3
Note that before you uninstall the Centrify Client for Linux from an Alpine Linux system, you must unenroll the system first. The Alpine Linux package manager doesn't allow the service to verify that the client is unenrolled from Centrify PAS before uninstalling. If you uninstall the client without unenrolling first, you won't be able to log in to the system anymore.
Client for Atomic Linux(support is deferred to a later release)
Centrify Client for Microsoft Windows
Windows 10 LTSB/LTSC, Windows Server 2012r2, 2016, 2019 LTSC
Windows PAS Remote Access Kit
Windows 10, Server 2012r2, Server 2016, Server 2019