Our new architecture for Customer Managed Clustering provides the world’s first “shared-nothing” high availability for on-premises privileged access management (PAM), built on cloud-first services. Centrify Hyper-Scalable Privileged Access Service brings the cloud-first components honed in our SaaS offering (web tier, job scheduler, caching, and load balancing) to customer-managed installs. This yields the following benefits for customers:
Zero-downtime upgrades that are fully automatable.
Easy provisioning and management of cluster resources.
Horizontal scale-out by adding nodes, with no architectural upper limit.
Active-active web, background, and TCP relay nodes.
Consolidated diagnostic logging.
Continued support for high availability.
Resource Policies for Centrify Privileged Access Service
Sets were introduced in 2017 to improve the manageability of Centrify Privileged Access Service resource objects. In this new release, policies will be applicable to sets of resources. For example, an administrator will be able to require multi-factor authentication (MFA) for login to every system in the built-in set of all systems, and likewise require MFA for checkout of account passwords. Policies will be able to be applied to sets of the following resource objects:
Administrators will also be able to view a policy summary for a resource that shows where each setting comes from (Default, Global, Set, or Resource Object override).
Inventory of Resources and Users
Administrators will be able to obtain better visibility of Centrify Privileged Access Service resources and users via an enhanced inventory dashboard in the portal. The Resource Counts dashboard will display the systems, databases, accounts, services, clients, and users in the service as of the last daily snapshot.
SSH Resource Profile Enhancements
An SSH Resource Profile can be created to define a custom system type and specify how Centrify Privileged Access Service should interact with a device that supports the SSH protocol. In the 20.3 release, SSH Resource Profiles can be grouped into sets for permissions management, and they can be imported and exported so that they can be shared between environments. This is a step towards the planned Centrify Integration Hub, a self-service portal through which customers, partners, and third-party software vendors in the Centrify community will be able to share custom device and application plugins for privileged sessions and password management.
Client-Driven Password Reconciliation for Local Accounts
Out-of-sync passwords can interrupt IT operations and impact security. Centrify supports automatic password reconciliation using shared accounts (multi-phase). The Centrify Client will enable the following account operations without reliance on the Centrify Gateway Connector:
Account unlock (only for Windows)
Account status verification
System connection verification
Proxy account management
If both the Centrify Client and the Centrify Gateway Connector are present, the Centrify Client will be the preferred reconciliation method, and the service will fall back to the Centrify Gateway Connector automatically if client connectivity fails.
Centrify Delegated Machine Credentials
Centrify Delegated Machine Credentials leverage the OAuth 2.0-based credentials and machine identity of the Centrify Client for Centrify Privileged Access Service to delegate API access to applications running on that machine.
Uses machine identity to build a strong authenticated relationship with Centrify Privileged Access Service.
Brokers out this trust to be utilized by applications and clients for automation and application-to-application password management (AAPM) use cases.
Requires a Centrify Client to be enrolled on the target machine with the Centrify Delegated Machine Credentials feature enabled.
New built-in reports, “/Resources/Linux User Profiles” and “/Resources/Linux Group Profiles”, have been added to report the user and group profiles on Linux clients.
The Centrify agent for Linux can now log PAM calls. A new configuration option, log.pam, controls this; it defaults to false, and setting it to true enables PAM logging.
To improve the performance of NSS user queries, a whitelist of cloud users can now be specified for which the Centrify agent for Linux will always prefetch user profile and group information in getgrXXX() calls, without those users first having to log in through the agent. The configuration parameter is nss.prefetch.users, and usernames can be specified as either UPNs or UNIX names.
The following list records issues resolved in this release and behavior changes.
The installers for the self-hosted Privileged Access Service and the Centrify Connector now detect whether .NET 4.8 is present on the install machine and silently install it if it is not (CC-73958).
From this release, client machines where the Remote Access Kit is launched must have .NET 4.8 installed (CC-73921).
The Centrify Catalog has been updated in this release with a revised set of supported apps, as many of the apps provided previously were not relevant to the Privileged Access Service. Full details of the changes are in KB-36199.
The /ServerManage/CreateDiscoveryProfile endpoint now requires an OU and domains when creating an AD Discovery profile. Previously no input validation was performed, and the profile was created even when this information was missing (CC-72834).
OperationMode has been added to AdministrativePasswordChangeEvent events (CC-74343).
Resolved an issue where the Linux agent would not report ready after the 5-second delay when enrolling. The delay has been increased to 10 seconds (CC-74612).
Native RAIL app startup failures are now logged as an event (CC-73900).
Activities are now shown in the Built-in report “/Resources/User Activity” for Windows native RDP sessions (CC-73502).
Activities related to desktop apps are now displayed in the user’s Profile > Activity tab (CC-73552).
Active Directory discovery now correctly searches child domains where both the parent and child are explicitly set in the discovery job (CC-73761).
Sets of SSH resource profiles can now be created (CC-72333).
Additional index columns have been added to two tables: in the pvreport table, “name”, “starttime” and “jobid”; in the collections table, “collectiontype” (CC-74317).
It is now possible to successfully launch an RDP session with the native RDP client when a cloud user was entered as the account for a cloud-joined system (CC-73977).
The following languages are no longer supported in mobile apps and as preferred cultures: Arabic, Dutch, Portuguese, Russian, Serbian, Swedish, Thai, Vietnamese (CC-74163).
Numlock on local workstation and remote host are now synchronized when the local host session starts (CC-61433).
Changes for Hot Fix 2
Fixed an issue where the member permission ‘Agent Auth’ was missing under System Set (CC-75080).
Removed an unnecessary background job that caused high CPU and network usage on collection events (CC-75013).
Fixed an issue where MFA could fail for customers using Centrify agents with Centrify-branded connectors (CC-74952).
Added code to clean up unnecessary User Portal applications and reset the social auth configuration (CC-74819).
Windows Server 2012 R2, Server 2016, Server 2019
Self-hosted Centrify Privileged Access Service
Windows Server 2012 R2, Server 2016
Hyper-scalable Centrify Privileged Access Service
Windows Server 2016, Server 2019
Centrify Clients for Linux
Client for Red Hat 6:
Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 8.0, 8.1
CentOS 6.9, 6.10, 7.5, 7.6, 8.0
Fedora 30, 31
Oracle Linux 6.9, 6.10, 7.5, 7.6
Amazon Linux AMI 2017.09, 2018.03
Amazon Linux 2 2017.09, 2018.03
Client for CoreOS
Latest stable release 2345.3.0
Client for SuSE 12
SuSE 12, 15
Client for Debian 8
Debian 8, 9
Ubuntu 16.04 LTS, 18.04 LTS, 18.10, 19.04
Centrify Client for Microsoft Windows
Windows Server 2012 R2, Server 2016, Server 2019
Windows PAS Remote Access Kit
Windows 10, Server 2012 R2, Server 2016, Server 2019