New Features - Centrify Privileged Access Service
SSH Key Management
The existing capabilities will be enhanced to support the following operations:
- The ability to enable SSH key management, which allows for key rotation.
- The ability to apply the following policies for the rotation of SSH keys:
  - SSH key rotation interval
  - Minimum SSH key age
  - SSH key generation algorithm
  - Clean-up intervals for retired SSH keys
- The ability to leverage an account that has an SSH key for System and Account Discovery operations.

Discover Local Accounts with Specific Names
The Centrify Privileged Access Service Discovery tool gains a new Actions option that lets you define rules specifying which local accounts to discover for particular system types.
Multiple account names can be specified by using a comma or semi-colon separated list.

Support for Clipboard Copy and Paste in Web-Based RDP Sessions
The user experience can be enhanced for Centrify Privileged Access Service vault-brokered RDP sessions by allowing for copy and paste of text and images.
- The ability to enable or disable the clipboard for native and web-based RDP sessions.
- The ability to copy and paste text and images for web-based RDP sessions while using the following browsers:
  - Google Chrome
  - Microsoft Edge
  - Microsoft Internet Explorer (text only)

UAC Support for Centrify Client on Windows
End users can now log on to a Windows host machine using a non-privileged account and launch an application as administrator after satisfying UAC using a cloud user's credentials.
Note: The directory user must belong to a role that is mapped to the machine's local administrator group. Role mappings can be configured using the Centrify Client's local group mapping feature, located on the Windows system's Local Group Mapping page.
New Features
- Domain Controller "Penalty Box"
The connector now detects and tracks domain controllers (DCs) that are slow to respond (using a configurable threshold) or that time out, and prefers faster DCs over slower ones. The tracking is reset once the connector re-discovers DCs or, when a DC whitelist is in use, after a period of time.
In short, this is a DC penalty box: a DC that times out goes into the box for a period of time and is not preferred while it is there.
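The selection behaviour described above, modelled in Python as an added example (this is illustrative code, not the Centrify Connector's implementation; the threshold, penalty duration, sample window and the choice of the lowest average response time are all assumptions):

```python
import time
from dataclasses import dataclass, field


@dataclass
class DcState:
    name: str
    # Recent response times in seconds; a timeout is recorded as None.
    samples: list = field(default_factory=list)
    # Monotonic timestamp until which this DC sits in the penalty box.
    penalized_until: float = 0.0


class DcPenaltyBox:
    """Hypothetical model of a DC penalty box: slow or timed-out DCs are
    benched for penalty_seconds, and among the remaining DCs the one with
    the lowest average response time is preferred."""

    def __init__(self, dcs, slow_threshold=2.0, penalty_seconds=300,
                 clock=time.monotonic, window=5):
        self.dcs = {name: DcState(name) for name in dcs}
        self.slow_threshold = slow_threshold   # seconds; slower counts as "slow"
        self.penalty_seconds = penalty_seconds
        self.clock = clock                     # injectable for testing
        self.window = window                   # number of samples kept per DC

    def record(self, name, elapsed):
        """Record one observation; elapsed is seconds or None for a timeout."""
        st = self.dcs[name]
        st.samples = (st.samples + [elapsed])[-self.window:]
        if elapsed is None or elapsed > self.slow_threshold:
            st.penalized_until = self.clock() + self.penalty_seconds

    def _avg(self, st):
        good = [s for s in st.samples if s is not None]
        # A DC with no successful samples yet sorts first so it gets tried.
        return sum(good) / len(good) if good else 0.0

    def choose(self):
        """Return the name of the DC to use for the next request."""
        now = self.clock()
        available = [st for st in self.dcs.values() if st.penalized_until <= now]
        if not available:
            # Every DC is benched: fall back to the one released soonest.
            available = [min(self.dcs.values(), key=lambda s: s.penalized_until)]
        return min(available, key=self._avg).name

    def rediscover(self, dcs):
        """Re-discovery of DCs resets all tracking, as the release note states."""
        self.dcs = {name: DcState(name) for name in dcs}
```

Injecting `clock` keeps the model deterministic; in a real connector the threshold and penalty would come from configuration rather than constructor defaults.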
- Windows Server 2019 is now supported as the host OS for Centrify Self-hosted PAS.
- Drag and drop is now supported for uploading secrets from the host OS into the secrets UI, where the browser supports it.
Upcoming Changes
Starting with Centrify Privileged Access Service 20.5, all customers will have an enhanced security feature enabled that adds the ability to set and require a PIN for MFA phone calls.
Although enabled, the PIN will not be enforced by default and users without a configured PIN will be able to enter the # (pound / hash) key to bypass.
Documentation on how to enable a phone PIN can be found here: https://docs.centrify.com/Content/CoreServices/Authenticate/PhonePIN.htm
Changes
The following list records issues resolved in this release and behavior changes.
- The Centrify Agent now supports a new status, 'disabled', for the case where the enrolled system was deleted from PAS. If this state is detected, the Centrify Agent will try to unenroll itself (similar to 'cunenroll -f'), leaving only the cagent service on the system. A re-enrollment is required to bring the agent back into a working state (CC-74284).
- Backchannel and password reconciliation in closed environments (i.e. environments that use an HTTP proxy) now works reliably (CC-74757).
- When adding SSH keys, either directly or via a file, a duplicate name causes an exception. A new payload property ("ImplicitRename") has been added to AddSshKey and AddSshKeyFile, defaulting to false, to rename the key on collision. An additional optional property ("RenameHint") provides a string to help with the rename. If ImplicitRename is set to true, the response from the endpoint will include both the new key UUID and the new name in an object of the form (_RowKey:"foo", Name:"bar"). The response is unchanged when ImplicitRename is false (CC-74316).
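An in-memory model of the collision behaviour described in the item above, added here as an example (this is not Centrify's implementation or client library; the way the renamed key name is derived from RenameHint, and the assumption that the unchanged response is the key UUID, are both illustrative choices):

```python
import uuid


class DuplicateKeyName(Exception):
    """Raised when a key name already exists and ImplicitRename is false."""


class SshKeyStore:
    """Illustrative model of AddSshKey name-collision handling."""

    def __init__(self):
        self._keys = {}  # key name -> key UUID

    def _free_name(self, name, rename_hint):
        # Assumed naming scheme: "<name>-<hint>", then "-2", "-3", ... on further collisions.
        base = f"{name}-{rename_hint}" if rename_hint else name
        if base not in self._keys:
            return base
        n = 2
        while f"{base}-{n}" in self._keys:
            n += 1
        return f"{base}-{n}"

    def add_ssh_key(self, name, implicit_rename=False, rename_hint=None):
        """Add a key under `name`.

        ImplicitRename false: a duplicate name raises, as before; otherwise the
        key UUID is returned (assumed shape of the unchanged response).
        ImplicitRename true: a duplicate is renamed and the response is an
        object carrying both the UUID (_RowKey) and the final name (Name).
        """
        if name in self._keys and not implicit_rename:
            raise DuplicateKeyName(name)
        final_name = self._free_name(name, rename_hint) if name in self._keys else name
        key_id = str(uuid.uuid4())
        self._keys[final_name] = key_id
        if implicit_rename:
            return {"_RowKey": key_id, "Name": final_name}
        return key_id
```

A client that sets ImplicitRename should therefore always read the name back from the response rather than assuming the name it sent was kept.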
- Resolved an issue where the URL provided to pull SP metadata in federated cases with Centrify Hyper-scale PAS and Centrify Self-hosted PAS was not correct (CC-75119).
- Centrify Hyper-scale PAS can now be installed successfully with the database in -DBNoPLV8 mode (CC-75121).
- Deleting a system now also removes the agent profile and service account. Previously these were not removed and caused issues if the system was re-enrolled (CC-73993).
- RDP requests with an empty password are no longer treated as a failed authentication; they are now treated as if no password had been provided (CC-74352).
- Disabling the management of a service password in Service Settings now updates the assigned multiplexed account (CC-74353).
- The semantics of the UpdateResource API has changed with regard to delegated machine credentials (DMC) scopes. If there is no change to the DMC scope, there will be no DMCScope element in the payload. If there is any change to DMC scope, all DMCScopes are sent in the DMCScope element as an array. The back end will replace the current DMCScope settings. Note that all scopes are required in the payload, not just the delta. If the user wants to delete all DMC scopes, the DMCScope element is included in the payload but it is empty (CC-74798).
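A payload builder for the DMCScope semantics described in the item above, added as an example (not Centrify's SDK; the `ID` field naming the resource is an assumption, while the presence/absence rule and full-replacement behaviour of `DMCScope` come from the release note). `apply_update` models the back end so the test can show what happens when a caller wrongly sends only the delta:

```python
def build_update_resource_payload(resource_id, current_scopes, desired_scopes):
    """Build the UpdateResource body for a DMC scope change.

    - No change in scopes: the DMCScope element is omitted entirely.
    - Any change: DMCScope carries the complete desired list, not the delta.
    - Removing every scope: DMCScope is present but empty.
    """
    payload = {"ID": resource_id}  # resource identifier field name is assumed
    if set(current_scopes) == set(desired_scopes):
        return payload
    # Full list, de-duplicated, order preserved.
    payload["DMCScope"] = list(dict.fromkeys(desired_scopes))
    return payload


def apply_update(current_scopes, payload):
    """Model of the back end: an absent DMCScope leaves scopes untouched;
    a present one replaces the whole set."""
    if "DMCScope" not in payload:
        return list(current_scopes)
    return list(payload["DMCScope"])


def add_scope(resource_id, current_scopes, new_scope):
    """Convenience helper showing the correct way to add one scope:
    send current + new, never just the new one."""
    return build_update_resource_payload(resource_id, current_scopes,
                                         list(current_scopes) + [new_scope])
```

The last assertion in the usage below is the pitfall: a caller that sends only the scope it wants to add silently drops every other scope.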
- RDP connections are now allowed to target machines with SecurityLayer=0. The behavior matches the MS Terminal Services Client setting on the Connector machine (Connect / Warn / Do Not Connect) (CC-74080).
- The status of an approval request in the portal is now updated reliably to reflect an approval or rejection operation (CC-71225).
- The swagger API reference is now included in the Self-hosted PAS and Hyper-scalable PAS packages at <base url>/vfslow/lib/api/swagger.json (CC-74728).
- Both administrators and the owner of the device can now unregister a device in the Admin Portal. Previously only administrators had the right to unregister a device (CC-73940).
Changes for Hot Fix 1
- Resolved an issue where enrolling multiple machines and adding them to a set at the same time would result in not all machines being added to the set (CC-75371).
- The Ubuntu OpenSSL package link on the Admin Portal Downloads page now correctly downloads the Debian 8 package rather than the SUSE 12 package (CC-75464).
Supported Platforms
Centrify Connector
- Windows Server 2012 R2, Server 2016, Server 2019
Self-hosted Centrify Privileged Access Service
- Windows Server 2012 R2, Server 2016, Server 2019
Hyper-scalable Centrify Privileged Access Service
- Windows Server 2016, Server 2019
Centrify Clients for Linux
Client for Red Hat 6:
- Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 8.0, 8.1
- CentOS 6.9, 6.10, 7.5, 7.6, 8.0
- Fedora 30, 31
- Oracle Linux 6.9, 6.10, 7.5, 7.6
- Amazon Linux AMI 2017.09, 2018.03
- Amazon Linux 2 2017.09, 2018.03
Client for CoreOS
- Latest stable release 2345.3.0
Client for SUSE 12
Client for Debian 8
- Debian 8, 9
- Ubuntu 16.04 LTS, 18.04 LTS, 18.10, 19.04
Centrify Client for Microsoft Windows
- Windows Server 2012 R2, Server 2016, Server 2019
Windows PAS Remote Access Kit
- Windows 10, Server 2012 R2, Server 2016, Server 2019
Centrify app for Android
- Android 4.4 (API level 19) and later
Centrify app for iOS
(Tested systems and devices for Privileged Access Service are listed in the documentation)