Centrify 21.7 Release Notes

2 November,21 at 10:42 PM

 
Updated 2 November 2021

Integration with Thycotic Secret Server

Support for Thycotic Secret Server has been added to the Cloud Platform, showing in the Admin Portal as a Vault.

 
  • Users can see Systems and Accounts from one or more Secret Server vaults.
  • Introduces a new Account type of Vault. A vault account includes details about contacting a Secret Server and uses the Secret Server as the authority for the account credentials.
  • Supported operations on a vault account are session creation (WebSSH/WebRDP), check-in/checkout of local accounts, domain accounts, and SSH keys, and credential verification.
  • The Cloud Platform will periodically (or on-demand) synchronize with Secret Server vaults to obtain current Systems and Accounts.
  • System Resource Mappings introduces a new type of resource mapping for Secret Server Sites. These optional mappings give the Cloud Platform the information needed to choose an appropriate Gateway Connector when connecting to a target system.
  • PAS can reach Secret Server instances directly for a SaaS Secret Server or via a Gateway Connector for an on-premises Secret Server instance.

Privilege elevation for Centrify Clients for Windows and Linux (preview)

Cloud Suite users can now run programs and commands with elevated privileges on Windows and Linux systems running Centrify Clients without the need to have an ongoing privileged login session. This feature is offered as a preview in 21.7.
 
  • Centralized management to determine who can elevate privilege to run which applications and commands on which systems. Administrators use the Centrify Platform portal UI to manage privilege elevation policies.
  • Privilege elevation policies can be defined globally (for all Windows clients, all Linux clients, and all clients), for a Set of computers (e.g., nodes in a Hadoop cluster), or a specific system.
  • For Linux, elevation to root is via a sudo plug-in. For Windows, it is via a UAC hook.
  • Supports policy-driven MFA to enforce step-up authentication before privilege is elevated.
  • Includes reports on privilege elevation activities and who can run which programs or commands with privilege on which systems.
  • Self-service access request workflows are supported natively or via ServiceNow and SailPoint integrations, allowing users to request time-limited elevation rights.

Identity Management for Linux (preview)

This new feature of Cloud Suite allows customers to manage Linux RFC-2307 user attributes centrally within the Cloud Platform. Prior to this release, random UIDs and GIDs were assigned for each Linux system. This could result in access denials when users attempted to access applications, files, or folders or (for example) NetApp shares where the UID/GID of the resource didn’t match.

With 21.7, customers can control which UIDs users will assume when logging in to Linux systems, as well as other RFC-2307 attributes such as home directory, username, and shell. This is similar to the functionality that Server Suite provides for Active Directory accounts, but with the Cloud Platform it can be applied to any backend directory that is being used.

MFA Redirection

We have made enhancements to the MFA redirection experience in 21.7 to improve security and to make MFA redirection configuration more intuitive.

Improved Security

Enhanced security for MFA redirection was introduced in release 21.6. In 21.7, we introduce a new granular administrative right to allow MFA redirection without needing User Management or sysadmin rights.

To redirect MFA to another user, you will need a new administrative right called “MFA Redirect Management.” System administrators and users with the “User Management” right already have this right. Other administrators can be delegated the right by creating or editing a role in the admin portal as follows:

Access --> Roles --> (role name) --> Administrative Rights --> Add (right)

Then choose “MFA Redirect Management” from the list.


To support this, the method used in release 21.6 and earlier to enable MFA redirection in:

Access --> Policies --> (Policy set) --> User Security --> User Account Settings

has been removed.

User Interface

To enable MFA redirection for a user, go to the user’s account, choose the “MFA Redirection” tab and check the box “Redirect Multi-factor Authentication to a different user account.” Once enabled, you will be able to select the user to which MFA is to be redirected.


To avoid duplicate methods to enable MFA redirection, enabling MFA redirection notification via:

(User name) --> Profile --> Devices

and enabling MFA redirection to a different user account via:

Access --> Users --> (User) --> Account

have both been removed.

Notice of Discontinuation

As a performance improvement, the “Rights” column from the “Server” and “VaultAccount” tables in reports will be eliminated in a future release. This column is expensive to calculate and not needed in most use cases of these tables. If you have existing custom reports referencing the “Rights” column in these tables, you will need to update them by removing the column reference. If not corrected, custom reports using this column will cease to function when the “Rights” columns are removed (CC-78591).
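One way to find custom reports that will break when the column is removed, as an added example that is not Centrify code: a heuristic scan of report queries for references to “Rights” on the “Server” or “VaultAccount” tables. The report names, queries and other column names are constructed samples, and the scan assumes plain (unbracketed) identifiers with tables introduced by FROM or JOIN.

```python
import re

# Tables and column named in the discontinuation notice.
TABLES = {"server": "Server", "vaultaccount": "VaultAccount"}
COLUMN = "rights"

_KW = (r"(?:where|join|inner|left|right|outer|full|cross|on|group|order|"
       r"having|union|limit|as)\b")
# FROM/JOIN <table> [AS] [alias]; the lookahead stops a keyword being read as an alias.
TABLE_RE = re.compile(
    rf"\b(?:from|join)\s+(\w+)(?:\s+(?:as\s+)?(?!{_KW})(\w+))?", re.I)
QUALIFIED_RE = re.compile(r"\b(\w+)\.(\w+)\b")
STRING_RE = re.compile(r"'(?:[^']|'')*'")

def rights_references(sql):
    """Return the sorted 'Table.Rights' references found in one report query."""
    sql = STRING_RE.sub("''", sql)            # ignore text inside string literals
    aliases = {}                              # alias or table name -> table name
    for table, alias in TABLE_RE.findall(sql):
        aliases[table.lower()] = table.lower()
        if alias:
            aliases[alias.lower()] = table.lower()
    hits = set()
    for qualifier, column in QUALIFIED_RE.findall(sql):
        table = aliases.get(qualifier.lower())
        if column.lower() == COLUMN and table in TABLES:
            hits.add(f"{TABLES[table]}.Rights")
    # An unqualified Rights column resolves against whichever listed table is queried.
    bare = QUALIFIED_RE.sub(" ", sql)
    if re.search(r"\brights\b", bare, re.I):
        hits.update(f"{TABLES[t]}.Rights"
                    for t in set(aliases.values()) & set(TABLES))
    return sorted(hits)

def reports_to_fix(reports):
    """Map report name -> offending references, for reports that need editing."""
    found = {name: rights_references(sql) for name, sql in reports.items()}
    return {name: refs for name, refs in found.items() if refs}

# Constructed sample reports (not taken from a real tenant).
REPORTS = {
    "Systems and rights": "SELECT s.Name, s.Rights FROM Server s WHERE s.ComputerClass = 'Unix'",
    "Account inventory": "SELECT VaultAccount.User, Server.Name FROM VaultAccount "
                         "JOIN Server ON VaultAccount.Host = Server.ID",
    "Unqualified": "SELECT Name, Rights FROM VaultAccount ORDER BY Name",
    "String only": "SELECT Name FROM Server WHERE Description = 'Rights review'",
}

if __name__ == "__main__":
    for name, refs in reports_to_fix(REPORTS).items():
        print(f"{name}: remove {', '.join(refs)}")
```

Treat the output as a review list: a column alias named Rights or a comma-separated FROM list can produce a false positive or a miss.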

Changes

The following list records issues resolved in this release and behavior changes.
 
  • The PIN length for devices using the Centrify mobile applications for Android and iOS must now be between 6 and 10 characters. Previously the minimum PIN length was 4 characters, and there was no upper limit (296415, 296416).
  • (303105) For Centrify mobile applications for iOS and Android, search has been reintroduced for passcodes in
    • Resources --> Authentication --> Passcodes
  • The /ServerManage/UpdateResource API has been supplemented by a new API, /ServerManage/PatchResource. UpdateResource expects all fields to be included in the call that have already been populated; otherwise, missing fields will be cleared. PatchResource will update only the fields included in the REST API call. Fields that are not in the call will be untouched (CC-78656).
  • Resolved an issue whereby a user with local sudo rights cannot run any sudo commands when the Centrify Agent for Linux is installed and enrolled (CC-78919).
  • When using an LDAP configuration with two base DNs - one for users and one for groups - the group DN field now correctly validates when being tested or saved (CC-77878).
  • Resolved an issue whereby it was still possible to add a system where an invalid IP address was given and “Verify system settings” was checked (CC-78774).
  • The CSV file generated by the Escrow feature is no longer truncated in some cases (298888).
  • Resolved an issue where, in some cases, it was possible to log in using the keyboard-interactive mode, but logins using the password authentication mode would fail (CC-78756).
  • Workflow now correctly handles requestor and approver timestamps when time zones for requester and approver are different (300067).
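The difference between /ServerManage/UpdateResource and /ServerManage/PatchResource described in the list above, as an added example that is not Centrify code: a local model of the two behaviours with a pre-flight check for fields a partial UpdateResource call would clear. No API call is made; the record and its field names are constructed and do not reflect the real resource schema.

```python
from copy import deepcopy

# Constructed sample record; field names are hypothetical.
STORED = {
    "Name": "db01",
    "FQDN": "db01.example.test",
    "ComputerClass": "Unix",
    "Description": "primary database host",
    "SessionType": "Ssh",
}

def update_resource(stored, payload):
    """Model of UpdateResource as the release note describes it:
    a populated field that is missing from the call is cleared."""
    return {field: payload.get(field) for field in {**stored, **payload}}

def patch_resource(stored, payload):
    """Model of PatchResource: only fields present in the call change."""
    merged = deepcopy(stored)
    merged.update(payload)
    return merged

def fields_cleared(stored, payload):
    """Pre-flight check: populated fields that a full update would wipe."""
    return sorted(field for field, value in stored.items()
                  if value not in (None, "") and field not in payload)

def safe_update_payload(stored, changes):
    """Read-modify-write: complete payload for UpdateResource built from
    the current record plus the intended changes."""
    payload = deepcopy(stored)
    payload.update(changes)
    return payload

if __name__ == "__main__":
    change = {"Description": "decommission 2022-01"}
    print("cleared by partial update:", fields_cleared(STORED, change))
    print("after update:", update_resource(STORED, change))
    print("after patch: ", patch_resource(STORED, change))
    full = safe_update_payload(STORED, change)
    print("full payload clears:", fields_cleared(STORED, full))
```

Running the pre-flight check in automation that still calls UpdateResource catches a partial payload before it blanks connection or classification fields on a managed system.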

Supported Platforms

Centrify Connector

Windows Server 2012r2, Server 2016, Server 2019

Hyper-scalable Centrify Privileged Access Service

Windows Server 2016, Server 2019

Centrify Clients for Linux

Client for Red Hat 6:
  • Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3
  • CentOS 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3
  • Fedora 33, 34
  • Oracle Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3
  • Amazon Linux 2 Latest Version
Client for Red Hat 7 (ARM architecture):
  • 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3
Client for SUSE 12
  • SUSE 12 SP3+, 15
Client for Debian 9
  • Debian 9.0 – 9.13, 10.0 – 10.9, 11
  • Ubuntu 18.04LTS, 20.04LTS, 21.04
Client for Alpine Linux 3
  • Alpine Linux 3.13, 3.14
    • Note that before you uninstall the Centrify Client for Linux from an Alpine Linux system, you must unenroll the system first. The Alpine Linux package manager doesn't allow the service to verify that the client is unenrolled from Centrify PAS before uninstalling. If you uninstall the client without unenrolling first, you won't be able to log in to the system anymore.
Client for Atomic Linux (support is deferred to a later release)

Centrify Client for Microsoft Windows

Windows 10 LTSB/LTSC, Windows Server 2012r2, 2016, 2019 LTSC

Windows PAS Remote Access Kit

Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify app for Android

Android 5 (API level 21) and later

Centrify app for iOS

iOS 12 and above

(Tested systems and devices are listed in the documentation)