Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

Centrify 21.3 Release Notes

11 May,21 at 08:38 PM

Updated May 11, 2021
 

New Features for the Centrify Vault Suite:


Centrify Provider for Terraform

This is a Terraform Provider allowing management of a Centrify tenant and its objects using Terraform. This Provider is available as a binary to be used with Terraform CLI and registry.terraform.io for use from Terraform Cloud. Source code, docs, examples, scripts, and binaries are available on Centrify's GitHub account: https://github.com/centrify/terraform-provider-centrify

Adding Support for Different BaseDNs for Users and Groups Using LDAP Directory Services 

Centrify LDAP directory services integration now supports configuring a separate BaseDN for groups. For customers who store groups in a different location than users, this enables them to specify both a BaseDB and a GroupDN to begin LDAP lookups.

User-added image


Multiple Domain Administrative Accounts for the Same Domain

In this release, customers can configure a unique domain administrative account for specific account Sets allowing multiple domain administrative accounts for accounts in the same domain.
In a Policy Set, under Resources / Accounts, the Domain Administrative Account can be set:

User-added image

A Policy Set can be assigned to a Set that contains a subset of domain accounts.

Update and Include AWS CLI for PowerShell and Python in Centrify Vault Suite

Customers can already achieve SAML-based federated single sign-on to the AWS Management Console via a Centrify Web App in the Vault Suite portal. Now, this capability is extended to users of the AWS CLI.
From the Trust properties page of the AWS Console Web App (or the Vault Suite Downloads page in the Tools section), you can download updated Python and PowerShell CLI utilities to access AWS services in this manner.
These updated scripts also support on-premises Centrify tenants and add more verbose output for clarity.

User-added imageUser-added image

Sample scripts are provided for PowerShell and Python.

User-added image


 

New Features for the Centrify Cloud Suite:

Privilege Elevation for CClient - Phase I (GA)

This is the first phase of privilege elevation support for the Centrify CClient. This phase will provide all-or-nothing elevation to root for Linux systems and local Administrator for Windows systems. From the Centrify Vault Suite Portal, customers can now centrally configure, enable, or disable privilege elevation for Active Directory, Centrify Directory, Google Cloud Directory, or federated users. In this phase, you can also enable multi-factor authentication (MFA) at elevation for extra protection and validation of a user's identity. Note that this was included in release 21.1 as a preview.

User-added imageUser-added imageUser-added image


Csetaccount Support for Adding to Account Sets (Windows, Linux)

A new command-line parameter for "csetaccount" allows customers to specify a destination Set that the new account will be added to. By specifying a destinate Set on the command line, the account will automatically inherit access and permissions configured for that Set. This is especially beneficial in DevOps automation scenarios to avoid making additional CLI or API calls to configure such entitlements.

User-added image


 

New Features

  • Privilege elevation for CClient – Phase 1. This release includes the first phase of privilege elevation support for Centrify CClient, allowing users with limited access to request to elevate their access in order to perform privileged operations..
  • Multiple domain administrative accounts are now supported for the same domain, allowing more granular administrative control over various accounts in different tiers in the Active Directory infrastructure.
  • An installer is now provided as part of the Centrify Hyper-scale Privilege Access Service package to quickly and easily set up a system for evaluation and demonstration on a single node. Note that this is designed specifically for evaluation and cannot be used for initial install of a non-evaluation system as non-evaluation systems always require more than one node.
  • More granular administration rights (preview) – This release includes preview support for additional administrative rights to govern the ability to add resource objects for systems, databases and SSH keys. In subsequent previews additional object types for domains, Web apps and desktop apps will be added.
  • The System Select / Request Account Login dialog has been updated to make it easier to scope the search for accounts by domain. Domains are listed to the left of the accounts in domain hierarchy and may be included / excluded by checking or unchecking the domain. To find users in domain accounts, select a domain filter and type your search; the search will show domain accounts as well as local accounts matching the search term. There is also a filter for workflow-enabled accounts.
 

Notice of discontinuation

  • The Centrify Android app will discontinue support for Android 4.4 with release 21.4. Users with Android 4.4 devices may continue to use the release 21.3 Android app, however functionality introduced after 21.3 may not work as expected.
  • With the 21.5 release we are planning to drop browser extension support for Microsoft Internet Explorer version 11, due to Microsoft end-of-life-ing the product and to improve the security posture of the cloud service.
  • In the 21.5 release support for TLS 1.1 will be fully deprecated from Centrify cloud products, including mobile apps. Only TLS 1.2 and above will be allowed. Note: previously this was communicated for release 21.3; the timeline has been pushed back to allow customers additional time to prepare for this change.

 

Changes for hot fix 4
  • The System Select / Request Account Login dialog has been modified to hide the domain search filters, making the account selection and search work the same way as
    in release 21.2 and earlier. Loading the dialog will present all local and domain accounts for the system.
For customers who wish to use the previous behavior, which was new in release 21.3, where the domain search filters were shown and the only local accounts are shown by default, please request Centrify support make the change for you (CC-78347).
  • The link for the Chrome browser extension has been restored.
Note: the name of the browser extension has been modified, for cloud users the browser extension is now called “Centrify Browser Extension (Cloud)”. For customers using Hyper-scale PAS the browser extension is now called “Centrify Browser Extension (On Premises)”. In each case the functionality is identical (CC-78410).Resolved an issue that could cause connectors to require a restart after Pod maintenance (CC-78376).

Changes for hot fix 3
  • Resolved an issue that could cause connectors to require a restart after Pod maintenance (CC-78376).
  • Master (MSP) tenants are now able to create new child tenants once again (CC-78378).


Changes for hot fix 2

  • In release 21.3, the System Select / Request Account dialog was updated and domain administrative accounts were filtered out of the list of accounts. This hot fix restores domain administrative accounts to that list (CC-78339).
 
Changes for hot fix 1
  • Back end server change to allow Centrify Operations to convert tenants on AWS Pods to use performance code for Roles (CC-78340).

Changes


The following list records issues resolved in this release and behavior changes.

  • Generic LDAP support now allows two base DNs, one for users and an optional one for groups. In order to use this support it is necessary to use connector release 21.3 or later (CC-77801).
  • The user and account column in the audit analyzer -> audit sessions page now correctly shows the cloud user’s name (CC-77899).
  • Deleted discovered local accounts are now blacklisted, preventing them from being discovered again once the discovery profile re-runs (CC-77845).
  • Centrify Hyper-scale Privilege Access Service installation no longer fails on Azure-hosted Postgres installations (CC-77627).
  • Adding permission for a role to a large system set no longer causes timeouts (CC-77873).
  • The option to enable / disable the App Gateway service on connectors has been reinstated (CC-77574).
  • PAS desktop apps now will open correctly with the native RDP client without the Remote Access Kit installed (CC-77594).
  • The adaptive analytics portal explorer view can once again show event details on a map (CC-7754).
 

Supported Platforms


Centrify Connector

  • Windows Server 2012r2, Server 2016, Server 2019

Self-hosted Centrify Privileged Access Service

  • Windows Server 2012r2, Server 2016, Server 2019

Hyper-scalable Centrify Privileged Access Service

  • Windows Server 2016, Server 2019

Centrify Clients for Linux

Client for Red Hat 6:
  • Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1
  • CentOS 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 8.0, 8.1, 8.2, 8.3
  • Fedora 30, 31, 32
  • Oracle Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9
  • Amazon Linux AMI 2017.09, 2018.03
  • Amazon Linux 2 2017.09, 2018.03
Client for Red Hat 7 (ARM architecture):
  • 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1
Client for CoreOS
  • Latest stable release 2345.3.0

Client for SUSE 12
  • SUSE 12, 15

Client for Debian 9
  • Debian 9
  • Ubuntu 16.04LTS, 18.04LTS, 20.04LTS

Centrify Client for Microsoft Windows

  • Windows Server 2012r2, Server 2016, Server 2019

Windows PAS Remote Access Kit

  • Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify app for Android

  • Android 4.4 (API level 19) and later

Centrify app for iOS

  • iOS 11 and above

(Tested systems and devices for Privileged Access Service are listed in the documentation)