New Features - Centrify Identity Service

 

Improved App Policy

 

Introduced rules builder for per-App policy

• Same UI / options as are available in Login Authentication (Policy) / Privilege Service
• Admin can use scripts if preferred

New Behavior with App Challenges

• MFA at portal login is no longer considered “Highly Authenticated” for app access

 

 

 

 

Changes to Login Authentication Policy

 

16.10 no longer has a notion of High Auth for portal login.

• MFA at portal login does not prevent app policy from also asking for MFA
• No longer ask for application policy profile

Login Authentication options from 16.9: Application Policy Profile

 

Login Authentication options from 16.10: No Longer Ask for Application Policy Profile 

 

 

• 16.10 no longer has the option to “accept IWA” / “certificates” as strongly authenticated for application policies
  • Admins can specify that IWA / Certificates satisfy all MFA mechanisms

Login Authentication options from 16.9

 

 Login Authentication options from 16.10

 

 

Improved People Picker for SAML App Script Testing

 

We’ve made it easier for Admins to test their SAML apps:

• 16.10 now uses the standard People Picker UI
• Default search is on current user
  • System remembers the last user

 

 

 

Warning Message for Administrative Changes Resulting in Sysadmin Lockout

 

A warning message will appear if the system detects that changes may lock administrators out of their environment.

• Admin sets up profiles that Sysadmins can’t fulfill
• Warning appears after changes have been made

 

 

 

Deprecated Support for IWA over HTTP

 

As communicated when we upgraded to 16.7, we are officially removing support for IWA over HTTP.

• HTTPS checkbox has been removed, as it’s now the only option

 

 Cloud Connector Configuration from 16.9

 

Cloud Connector Configuration from 16.10 - HTTPS checkbox removed

 

 

The following apps have been updated:

• HootSuite
• ARIBA Exchange
• Citrix ShareFile
• Autotask
• Xing
• Splunk
• Symantec PartnerNet
• TradingView
• Enterprise Rent-A-Car

 

New Features - Centrify Privilege Service

 

Improvements to Application Management

 

16.9 - App updates happen on the 60 minute sweep interval:

 

 

16.10 - Right click to push an update: 

 

 

 

 

Re-enable Domain Account Management

 

Earlier this year, Microsoft removed part of their .NET API within a recommended security update for Windows.  Microsoft had previously recommended that vendors who needed to manage passwords for Windows local and domain accounts use this API.  CPS vaulting continues to work; however, with the removal of this API, CPS cannot automatically change passwords for Windows accounts.

• Re-enable password management (e.g. automatic rotation)

The fix in CPS for Microsoft’s API change is in two parts. 

• In 16.9, full management of passwords for domain accounts (i.e. Active Directory accounts) was re-enabled
• In 16.10, support for local accounts was re-enabled by implementing RPC over TCP management mode
• References:
  • https://support.microsoft.com/en-us/kb/3167679
  • https://support.microsoft.com/en-us/kb/3177108

 

End of Life Notice

 

Centrify Privilege Service CLI Toolkit

The Centrify CLI Toolkit has been removed from CPS in this release. Similar functionality to that in the CLI Toolkit is available in the new command-line tools in the Centrify Cloud Agent.  This functionality includes the application-to-application password management (AAPM) feature set.

 

End of life for support of the CLI Toolkit

Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2016. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Cloud Agent feature set as of Server Suite 2017.

 

Centrify strongly recommends that customers use the new Centrify Cloud Agent feature set in this release.

 

Changes to CLI Commands in the Centrify Cloud Agent

A new service account will be used to join a computer to the customer’s Centrify cloud tenant.  The "service account" will be a cloud user account with a name like

 

{hostname}$@{tenant.alias}.

 

The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.

 

There is no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent.

 

Platform Support Changes

Support for the Fedora platform is dropped in this release.  The matrix below lists the platforms that are be supported by the Centrify Cloud Agent in release 16.10 for AAPM, and for user authentication from either a cloud user account or a user account from an Active Directory instance connected to the customer’s Centrify cloud tenant.

 

Platform	AAPM	Login
RHEL	Y	Y
CentOS	Y
Oracle	Y
Fedora
AMI	Y	Y
SLES	Y
Ubuntu	Y

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

• HTTP can no longer be used for IWA in 16.10.
  • The “Use HTTPS for IWA” checkbox is gone from the UI, all behavior will be as if that box was checked.
  • All IWA from Web browsers, it attempted, is done using the HTTPS port configured. If not configured properly, IWA will fail silently and users will have to login interactively.
  • IWA will be attempted if there is no IP range configured, or if the IP range is configured and the Web browser is within that range.
  • The cloud connector will continue to listen on the internal network for HTTP traffic, to support older on-prem AAPM clients, etc, but this will be removed in 16.11.
• With the changes to authentication policy in 16.10, the concept of high authentication has been eliminated and the new Application Challenges feature works differently. For IWA users, checking the policy option “Accept IWA connections as strongly authenticated for application policies” would cause them never to be challenged for apps tagged with privileged launch requirements. In 16.10, Application Challenges require users to satisfy authentication mechanisms once per configurable time period (default 30 minutes) before being able to launch a privileged app.
  
  By default, IWS logins satisfy the password mechanism only. For any privileged app set up with a challenge that requires any mechanisms other than password (for example, email or SMS), IWA users will have to provide that mechanism before the app will launch and provide it again once the duration in the associated auth profile is exceeded.
  
  You can limit the challenge to once per session by extending the duration in the associated auth profile to a long period, for example 10 hours. Note, however, that such a setup has a significant security impact as any IWA user will be able to launch privileged apps without identity re-verification for extended periods (CC-41247).
• A user’s password is now correctly synched to Google Apps for Work if the sync option is enabled after a user first logs in (CC-40948, CC-38514).
• In Box, a user’s home directory is no longer only created if the user is the owner of the directory. As long as the user is a collaborator on the directory, the directory can be used as the user’s home directory (CC-41500).
• The “Download Signing Certificate” help tip has been updated for the Webex SAML/provisioning app (CC-40711).
• Support has been added to write back msDS-ExternalDirectoryObject for Office 365 (CC-33936).
• A race condition has been resolved whereby it was possible to create duplicate users with the same name if the same user was created by two administrators within a couple of seconds of each other (CC-41914).
• Active Directory groups are now correctly enumerated. Previously, if an error was encountered other than a non-existent user then the enumeration would terminate and could result in symptoms such as users being de-provisioned or failed lookup of a user’s AD groups (CC-41821, CISSUP-2447, CISSUP-2427).
• The Slack provisioning plug-in has been updated to provide more feedback when user name updates fail (CC-40410).
• The frequently user and recent list of apps in the User Portal is now correctly populated. Previously some frequently or recently used applications were left out (CC-39239).
• It is now possible to add an Exchange server in Settings > Mobile > ActiveSync Device Quarantining (CC-41573).
• No longer receive invalid primary domain errors when attempting to authorize Google apps for provisioning (CC-41654, CISSUP-2413).
• The Overwrite, Keep, Retain and Deprovision option prompts on a provisioning-capable app’s de-provisioning page have been updated to better describe their actions (CC-40315).
• Users’ phone numbers can now be synched to Webex (CC-37894).
• Mobile apps are now removed from iOS devices when the application setting “Uninstall this app if app is unassigned from the user” is checked (CC-41455).

 

For security advisories and known issues, please see attached file.

 

For 16.10 Hot Fix 1 security advisories and known issues, please see attached file.

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.