22.2 Release Notes

This update includes the following features, fixes, and other changes.

New Features

Delinea and Centrify

We have updated the look and feel of the Cloud Client installer to reflect the new Delinea logo and colors. All files, folders, directories, settings, registry keys, and so forth remain as Centrify, as does the Admin Portal for PAS.

For more information about Delinea, see Delinea Announcement.

Notice of Discontinuation

None

Resolved Issues and Changes in 22.2

Here are the resolved issues and behavior changes in this release:

  • Added a new API SetFeatureState to update the state of a feature on an enrolled system. Only a sysadmin can call this API. In a single call, multiple features of a single enrolled system can be enabled/disabled. You can find more information about APIs at our Developer Portal.

  • Changed Privilege Elevation Commands to update the Display Name when the Name was changed.

  • Updated the bulkSystemDelete API to be more efficient.

  • Fixed CVE-2018-1285 in log4net by upgrading the library to version 2.0.14 in the Connector package.

  • When checking for duplicate LDAP configurations, we now check both versions of LDAP so that we don't accidentally override LDAP1 configs with LDAP2.

  • Fixed an issue with authenticating against a RADIUS server. Redirection will now use the correct user when attempting to authenticate.

  • The optional "scope" field has been added in the partner management area. This field allows for integration with Azure Active Directory.

  • Fixed an issue with the login screen in the iOS mobile app where it wasn't visible after updating the device to iOS 15.4.

  • Fixed an issue that could cause LDAP directory services to disappear from the list of directory services.

  • When deleting systems, the email will now include information about failed deletions as well as successful ones.

  • Updating LDAP and Google Directory Services configurations will now generate 'Modify' events that can be used to build reports and log changes.

  • There is now a setup_certauth.ps1 script that you can use to add certificates (such as for smart cards) to your HS-PAS installation.

Resolved Issues and Changes in 22.2 HF 1

  • Fixed an issue with the Privilege Elevation Command screen where the page wouldn't load after clicking the Add button.
  • Users can choose to delete previously pushed configuration files from PAS by navigating to Settings -> Resources -> Config files. Note that deleting config files from PAS does not revert the configuration files on the systems where those files reside. For details about deploying configuration files, see Viewing or Deleting Configuration Files.

Resolved Issues and Changes in 22.2 HF6

Google released an update to Chrome that prevented users from copying and pasting within RDP sessions. We have adjusted the permissions so that copy and paste are accessible to users again.

Resolved Issues and Changes in 22.2 HF7

  • Added a new API to improve the performance of periodic password rotation.

Supported Platforms

Clients for Linux

Client for Red Hat

  • Red Hat Enterprise Linux 7.9, 8.3
  • CentOS 7.9, 8.3
  • Fedora 33, 34
  • Oracle Linux 7.9, 8.3
  • Amazon Linux 2 Latest Version

Client for Red Hat (ARM architecture):

  • 7.9, 8.3

Client for SUSE

  • SUSE15-SP3

Client for Debian

  • Debian 9.13, 10.9, 11.2
  • Ubuntu 18.04LTS, 20.04LTS, 21.04

Client for Alpine Linux

  • Alpine Linux 3.14

    Before you uninstall the Cloud Client for Linux from an Alpine Linux system, you must unenroll the system first. The Alpine Linux package manager doesn't allow the service to verify that the client is unenrolled from Delinea PAS before uninstalling. If you uninstall the client without unenrolling first, you won't be able to log in to the system anymore.

Clients for Microsoft Windows

Windows 10 LTSB/LTSC, Windows Server 2012r2, 2016, 2019 LTSC, Windows 2022

Centrify Connector

  • Windows Server 2012r2, Server 2016, Server 2019, Windows 2022

Hyper-scalable Centrify Privileged Access Service

  • Windows Server 2016, Server 2019, Windows 2022

Windows PAS Remote Access Kit

Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify App for Android

Android 5 (API level 21) and later

Centrify App for iOS

iOS 12 and above

Databases

  • Microsoft SQL Server (versions 2008R2 and later)
  • Oracle (versions 11.2.0.4, 12.1.0.1, 12.1.0.2)
  • SAP ASE (version 16.0)

Network Devices and Appliances

  • Check Point Gaia (versions R77.30, R80.10)
  • Cisco AsyncOS (versions v10 and v11)
  • Cisco IOS (versions IOS 12.1/IOS 15.0)
  • Cisco NX-OS (version NX-OS 6.0)
  • F5 Networks BIG-IP (versions v11, v12, v13)
  • HP Nonstop OS (J06.19, H06.29)
  • IBM i (versions IBM i 7.2, IBM i 7.3)
  • Juniper Junos OS (version JunOS 12.3R6.6)
  • Palo Alto Networks PAN-OS (versions 7.1, 8.0)
  • VMware VMkernel (versions 5.5, 6.0, 6.5 and 6.7)
  • Generic SSH

Desktop Apps

Privileged Access Service provides templates for the following Windows applications in the Desktop Apps feature. Privileged Access Service supports any versions of these applications that are compliant with the requirements for Windows Server 2012 R2 / 2016 Remote Desktop Services and RemoteApp. These applications must accept and process the command line strings pre-defined within the Desktop Apps templates. We have officially tested the following versions:

  • SQL Server Management Studio (versions 13.0.15600.2, 2016 and 12.0.4522.0, 2012)
  • TOAD for Oracle (version 13.0.0.80)
  • VMware vSphere Client (version 6.0.0)
    VMware vSphere Client supports VMware VMkernel systems with a VMkernel system version below 6.5.

Custom user-defined templates are also available for additional desktop applications.

Known Issues

Client Known Issues

  • When you log in to an enrolled system and your account is set up to use MFA redirection, the service prompts you for your password, not the password for the MFA redirect user. This feature is available on systems that have the Cloud Client installed and enrolled.

  • For privilege elevation workflow activity, the events in the Activity log show that commands were run without an authentication challenge, when in fact the user was challenged for additional authentication when running the command after the workflow request was approved.

MFA Known Issues

  • Ensure required data for each selected authentication factor is present. When selecting the use of a secondary factor (SMS, phone, email, etc.), you should ensure that the data is present in Active Directory for all users; otherwise, users with missing data may be locked out. You can specify a preferred factor, and if its data is not present, an alternative factor will be used. For example, if a user has no phone number in AD and SMS was the preferred factor, the Delinea PAS will fall back to another selected factor (for example, email). If there is no phone number or email in AD in this case, the user would effectively be locked out.

  • Email as an MFA mechanism is subject to spam / junk filters. Be aware that using email as an MFA mechanism may be affected by users' email providers' spam or junk filters.

  • SMS / phone are only attempted once a password is validated. This prevents spam and billing issues if an attacker attempts to brute force passwords to gain entry.

  • For FIDO2 and On-Device Authentication options, you will need to log in from the tenant-specific URL.
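
A check for the lockout condition described in the first MFA known issue above, as an added example that is not part of the original release notes and not Delinea tooling: it reports enabled AD users who have no data for any selected factor, or who can only use a fallback factor. It assumes the ActiveDirectory RSAT module is installed; the mapping of factors to the `mobile`, `telephoneNumber` and `mail` attributes and the `$SelectedFactors` list are assumptions to adjust to your own directory mapping and authentication profile.

```powershell
# Added example (not Delinea code). Requires the ActiveDirectory RSAT module.
# ASSUMPTION: the factor-to-attribute mapping below; adjust to your deployment.
Import-Module ActiveDirectory

$FactorAttributes = @{
    SMS   = 'mobile'
    Phone = 'telephoneNumber'
    Email = 'mail'
}

# ASSUMPTION: factors selected in the authentication profile, preferred first.
$SelectedFactors = @('SMS', 'Email')

# AD attributes that must be fetched for the selected factors.
$attrs = @($SelectedFactors | ForEach-Object { $FactorAttributes[$_] })

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties $attrs |
    ForEach-Object {
        $user = $_
        # Selected factors for which this user actually has data in AD.
        $usable = @($SelectedFactors | Where-Object {
            $value = [string]$user.($FactorAttributes[$_])
            -not [string]::IsNullOrWhiteSpace($value)
        })

        $status = if ($usable.Count -eq 0) {
            'LockoutRisk'      # no selected factor can be delivered
        } elseif ($usable[0] -ne $SelectedFactors[0]) {
            'FallbackOnly'     # preferred factor missing, alternative present
        } else {
            'OK'
        }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Status         = $status
            UsableFactors  = $usable -join ','
        }
    }

# Show only the accounts that need attention before the policy is enforced.
$report | Where-Object Status -ne 'OK' |
    Sort-Object Status, SamAccountName |
    Format-Table -AutoSize
```

Run it before enabling or changing the factor selection; accounts reported as `LockoutRisk` need their directory data populated first.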