Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

Centrify 20.5 Release Notes

25 September,20 at 06:23 PM

New Features - Centrify Privileged Access Service


Direct RDP Gateway 

The ability to launch RDP connections without visiting the portal for the Privileged Access Service is going to enable users to have quick and secure access to systems. Users can specify a target system to connect to and the vaulted or manual account to be used for the brokered session.
This first phase of RDP Gateway includes the following features:
  • Support for initiating sessions with accounts that are vaulted in the Centrify Privileged Access Service.
  • Support for initiating sessions with manually entered account credentials that are known.
  • Support for native RDP clients, like Microsoft Remote Desktop.
  • Reports on Direct RDP Gateway usage.

Cloud Providers (PREVIEW mode featuring AWS)

AWS will be configurable as a ”Cloud Provider” in PAS. An AWS Cloud provider will support:

  • Vaulting and password management of root accounts
  • Single sign-on into managed root accounts with MFA enabled
  • Vaulting of IAM accounts
  • Vaulting of EC2 instances
The recommended best-practice in AWS is to secure the AWS root account password. With an AWS Cloud Provider configured in PAS, you can store and rotate the AWS root account password on-demand.

Secret Workflow

Workflow for secrets provides a user who has only View permission on a secret to request Retrieve access.  Once the request is made, one or more "approvers" indicate whether the request is granted, and if so, the permissions on the secret are updated to give the user access. 
  • Workflow can be enabled at a globally for all secrets or at individual system level. 
  • Upon approval a temporary permission will be added for the user on the specific secret. This permission assignment will only be alive for the approved time period. And like any other permission, the administrator is free to remove the permission assignment at any time.
  • Use the built in report detailing all secret workflow requests and the outcome,  the period for which access was granted if the request was accepted, etc. 

UMA Support for Native Clients

The Use My Account (UMA) feature can now be invoked in native SSH/RDP applications by specifying "me" as the account name.  The keyword "me" is configurable via the tenant config UseMyAccountName.
  • Login challenges are applied if admin would like to require multiple security challenges or provide more options for the end users.
  • Use My Account is available as an action on a system if
    • On Windows systems if the system is enrolled, and the user has AgentAuth permission.
    • On Unix systems if the 'UMA is configured' is checked in Settings.  Note that the target system may or may not be enrolled.  If it is enrolled, UMA will fail if the user lacks AgentAuth permission.

Unenroll from PAS GUI for Centrify Clients

Right-click and unenroll the Centrify Client from the PAS portal for one system or for a set of systems. 
  • Seamless de-provisioning  of the cclient from one central management pane with out accessing the machine locally. 
  • If local reconciliation is enabled, the unenroll will fail to prevent the loss of accidental unsychronization.

AgentAuth Workflow for Centrify Clients

Provides on demand, secure, and strictly enforced temporary access to privileged machines where the Centrify Client for Windows or Linux is installed.
  • Allows a user who has only the View Permission on a cenrolled system but not the AgentAuth permission to request the login permission via workflow. 
  • Can be configured at global level or individual system level.
  • Upon approval a temporary permission will be added for the user granting AgentAuth on the specific machine. This permission will only be alive for the approved time period. And like any other permission, the administrator is free to remove the permission assignment at any time.
  • Provides just-in-time access upon request and approval.
  • Use the builtin report detailing all AgentAuth workflow requests, the outcome, the period for which access was granted if the request was accepted, etc.

Alternate Account Support for Centrify Clients

PAS Alternate Accounts is a discovery-driven capability that allows organizations to centrally manage and secure high-privileged accounts. End users can run applications using a privileged account without moving off the host machine.
  • Securely and seamlessly elevate privilege using an associated Alternate Account from AD that's been discovered by PAS. 
  • Provides faster time to elevation by eradicating manual account checkout/check-in and elimination of a portal visit.
  • Limit exposure and lateral movement by leveraging token manipulation.
  • A new report “Remote Sessions Activity” has been added, showing all remote session activity from a specific date, by type (SSH / RDP) and mode.

Changes in 20.5-HF1

The following change was made in 20.5-HF1:
  • Resolved an issue where the creation of a cloud user failed for a mapped federated user (CC-76031).
  • Resolved an issue with the Centrify client for Windows that prevented it working through a proxy and honoring proxy settings (CC-75963).


The following list records issues resolved in this release and behavior changes.

  • Starting in this release, all customers have an enhanced security feature enabled that adds the ability to set and require a PIN for MFA phone calls.
Although enabled, the PIN will not be enforced by default and users without a configured PIN will be able to enter the # (pound / hash) key to bypass.
Documentation on how to enable a phone PIN can be found here:
  • If you are using the CPS Remote Access Kit (RAK), it must be updated to version 20.5 when the connectors are updated to 20.5. Until you upgrade the connectors to the current version, it is acceptable to use an older RAK package (CC-75003).
  • With both the self-hosted Centrify Privilege Access Service and the Hyper-scalable Privilege Access Service, the download section of the Admin Portal has been updated to include only the Connector package and the browser extensions. Additionally, a link is provided to the Centrify Download Center for Centrify Clients, DirectAudit agents and OpenSSL packages (CC-75469).
  • When enrolling a host to a tenant you can now use use the DomainName instead of the DomainId to specify the Active Directory domain the machine is joined to. The syntax becomes  -S "DomainName:<domain_name>" (CC-74172).
  • User and group enumeration now only return objects that are acquired after the last cflush, preventing old UNIX profile data from being erroneously returned (CC-75424).
  • Managed SSH keys are now supported on HP-UX and Solaris systems (CC-74556).
  • The Centrify Client can now reliably reach the Privilege Access Service when an HTTP proxy is used, previously there were occasions when use of an HTTP proxy would prevent access (CC-75723).
  • The management mode for a local account no longer changes to disabled when the password for the account is rotated (CC-75038).
  • Resolved an issue where changing the column width in a Portal table changed the sort order for a different column (CC-75451).
  • If the tenant URL redirects to another URL, when registering a connector, any configured MFA for the account used to register the connector no longer errors out (CC-75737).
  • Client functionality (such as cgetaccount) now functions correctly when cenroll -f is used in conjunction with a proxy specification in the command line (CC-75751).
  • Proxy settings are no longer lost after a Centrify Client upgrade (CC-75735).
  • German keyboard layout is now correctly selected with a WebRDP session on Chrome when both client and server have their language set to German (CC-75116).
  • Multi-select and multi-delete is now supported in the advanced configuration tab (CC-75440).
  • Deleting a policy no longer deletes any used challenge definitions (CC-75148).

End of Life Notification

This section contains notifications for upcoming termination of apps, features, programmatic access or device support.

  • The Centrify Clients for Linux will no longer support Debian 8 starting release 20.6.

Supported Platforms

Centrify Connector

  • Windows Server 2012r2, Server 2016, Server 2019

Self-hosted Centrify Privileged Access Service

  • Windows Server 2012r2, Server 2016, Server 2019

Hyper-scalable Centrify Privileged Access Service

  • Windows Server 2016, Server 2019

Centrify Clients for Linux

Client for Red Hat 6:
  • Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 8.0, 8.1
  • CentOS 6.9, 6.10, 7.5, 7.6, 8.0
  • Fedora 30, 31
  • Oracle Linux 6.9, 6.10, 7.5, 7.6
  • Amazon Linux AMI 2017.09, 2018.03
  • Amazon Linux 2 2017.09, 2018.03
Client for CoreOS
  • Latest stable release 2345.3.0

Client for SUSE 11
  • SUSE 11

Client for SUSE 12
  • SUSE 12, 15

Client for Debian 8
  • Debian 8, 9
  • Ubuntu 16.04LTS, 18.04LTS, 18.10, 19.04

Centrify Client for Microsoft Windows

  • Windows Server 2012r2, Server 2016, Server 2019

Windows PAS Remote Access Kit

  • Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify app for Android

  • Android 4.4 (API level 19) and later

Centrify app for iOS

  • iOS 11 and above

(Tested systems and devices for Privileged Access Service are listed in the documentation)


Note: This release information is posted in advance of the release date and subject to change. Please check back at release time for updates.