Automatic Password Reconciliation for Local Accounts on UNIX and Linux Systems

Out of sync passwords can interrupt IT operations and impact security. This new feature will extend the support of a privileged local administrative account to reconcile passwords of local accounts on UNIX and Linux, without manual administrative intervention. This will guarantee that Centrify is the single source of truth for passwords used to access infrastructure. Systems with managed local accounts enabled for automatic maintenance will have password updates that happen automatically when the stored credentials don't match the local password on the system.

Centrify Integration Hub (Phase I): SSH Self-Service Resource Profiles

• Resource Profiles for SSH-enabled devices.
• Provides the ability to define custom system profiles leveraging the Expect framework.
• Includes support for Credential Verification, Password Rotation, Password Reconciliation, and Proxy Accounts.
• Delivers an SSH Test Kit for validating functionality.

Other Enhancements

• New option for cunenroll
  A new option (-t, --terminate-user-sessions) has been added to cunenroll. Use together with delete so that all of the sessions will be terminated if there are any user sessions logged in from the Centrify Identity Platform.
   
• Mapping of federated users to other federations
  It is now possible to map federated users to users in other federations, based on the user’s domain. A checkbox is provided in the partner edit dialog to enable mapping to other federations on the authentication tab.
   
• New video in Getting Started Wizard
  A new video has been added to the Getting Started Wizard to provide an overview of the Discovery feature, called “Discovering Systems and Accounts”
   

End of Life Notification

• The version 1 ServerAgent/VerifyPassword REST API has been removed in this release. The replacement version 2 API is serveragent/verifypasswordv2 (CC-65426).
   

Changes

• ​​​​​​To improve security, emails sent by the cloud service have been changed from “noreply@centrify.com” to no “no-reply-[user]@[customercname]”. It is important to note that the “From” address of email no longer matches the underlying “From” (in email headers) and this may trip up some Spam filters. You should whitelist email from @customerCNAME in your Spam filters, where customercname is your system CNAME (customerID.my.centrify.net) (CC-72791).

• /uprest/GetUPData once again returns a list of apps the user can launch (i.e. has been granted access to), since the introduction of the new UI it would not return a list of apps (CC-71252).

• Login to Linux through cagent has been optimized to remove the timeout hang that some customers were experiencing (CC-73498, CPSSUP-1034).
   
• The error message provided when unable to add a UNIX system to PAS has been improved to provide more information about the failure (CC-66864, CPSSUP-658).
   
• The performance of the UI has been improved when loading set members when there are a large number of sets (CC-73526).
   
• The discovery of local Windows accounts no longer requires the remote registry service to be running on the target system (CC-72703).
   
• Orphaned federated users (i.e. users with an owning federation that no longer exists) can now be deleted and do not cause any search which they are in to fail (CC-73504).
   
• Rotating passwords for SQL Server accounts with the escape character ‘\’ as the special character no longer fail (CC-72184, CPSSUP-959).
   
• It is now possible to disable the connector SSH banner using the “Enable Custom Banner” option. Toggling the option Off will disable the banner (CC-71279, CPSSUP-906).
   
• To reduce confusion when a loading Secrets operation in the UI takes a long time, the UI now indicates that data is loading (CC_70693, CPSSUP-858).
   
• The Connector has been updated to check for computers when validating a user, causing intermittent dzdo MFA issues in some cases (CC-72348).
   
• The Secrets folder browser search now clears the search string when entering a folder from the search results, showing all rows within the folder that you have permission for (CC-71431, CPSSUP-917).
   
• When cunenroll is executed in the context of a machine service account, it was not able to delete the service account as the service account is running the thread that processes the request. They are deleted in this scenario in 20.1 (CC-72388).
   
• As there is no functionality using the Backchannel Agent currently, the Backchannel options have been removed from cinfo and cdiag (CC-72183).
   
• In the cloud agent, user names are no longer case sensitive for Active Directory user names as the user has no knowledge how their UPNs are stored in AD (CC-70698).
   
• Successful enrollment and unenrollment using the cloud agent is now logged to stdout instead of stderr (CC-70967, CPSSUP-878).
   
• The cenroll man page has been updated to remove the –tenant-suffix option as it is not valid (CC-70707).

• The Cloud Agent now unenrolls correctly on CoreOS (CC-70660).