Authentication Service and Privilege Elevation Service 6.0.0 Release Notes (Server Suite 2023)

About this Release

Authentication Service and Privilege Elevation Service, part of the product category Delinea Server Suite (previously called Centrify Infrastructure Services or Centrify Zero Trust Privilege Services), centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and Single-Sign-On. With Delinea Server Suite, enterprises can easily migrate and manage complex UNIX, Linux, and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. Delinea Authentication Service, through Delinea's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. Delinea's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.

The Upgrade Guide describes the correct order to perform updates such that all packages continue to perform correctly once upgraded.

Delinea software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)

Feature Changes in this Release

For a list of the supported platforms by this release, refer to the "Supported Platforms" section in the Server Suite Release Notes.

For a list of platforms that Delinea will remove support in upcoming releases, refer to the 'Notice of Termination Support' section in the Server Suite Release Notes).

General

For more information about Delinea, see Delinea Announcement

Security Fix

Upgraded OpenSSL from v3.0.5 to v3.0.8. (Ref: 487090)
Upgraded cURL to v7.87.0. It fixed CVE-2022-35252, CVE-2022-42915, CVE-2022-43552 and CVE-2022-43551. (Ref: 481154)

Server Suite DirectControl Agent for *NIX

Added protection to avoid infinite recursion. (Ref: 295801)
Added support for authselect on RHEL or similar platforms. (Ref: 297948)
Added group policies to control AIX attributes mapping configuration. (Ref: 470269)
Added an option adclient.krb5.cache.infinite.renewal.gmsa to specify a list of Group Managed Service Account (gMSA) for which adclient will renew/issue Kerberos credential cache infinitely. (Ref: 476375)
Enhanced adkeytab to enforce that the '-y' option must be specified while creating an account in the case that FIPS mode is enabled. (Ref: 469452)
Support mapping AIX attributes to Active Directory attributes for LAM query on AIX. (Ref: 468388)
You can now specify multiple connectors with the configuration parameter adclient.cloud.connector. (Ref: 469283)
Exposed the configuration parameter adclient.group.ignore.blocked.domain.members which you use to ignore group members from explicitly blocked domains. (Ref: 468135)
Enhanced kinit -k to work even if the hostname is an FQDN. (Ref: 480104)
Added an option adclient.adsyncignore.interval to specify how often adclient will be syncing user.ignore and group.ignore with zone data and updating uid.ignore andgid.ignore accordingly. (Ref: 458329)
Upgraded OpenLDAP from 2.4.59 to 2.5.13 (Ref: 448127)

DirectControl Command Line Utilities

Configuration Parameters

New Parameters

lam.attributes.user.map: "file:/etc/centrifydc/attributes.user.map"This parameter specifies the map file to map AIX user attributes to AD user attributes. The default is file:/etc/centrifydc/attributes.user.map. (Ref: 468388)
lam.attributes.group.map: "file:/etc/centrifydc/attributes.group.map"This parameter specifies the map file to map AIX group attributes to AD group attributes. The default is file:/etc/centrifydc/attributes.group.map. (Ref: 468388)
adclient.krb5.cache.infinite.renewal.gmsa: ""This parameter specifies the list of Group Managed Service Account (gMSA) for which adclient will renew/issue Kerberos credential cache infinitely. The default is empty (Ref: 476375).
adclient.adsyncignore.interval: 0This parameter specifies how often (in minutes) adclient will be syncing user.ignore andgroup.ignore with zone data and updating uid.ignore and gid.ignore accordingly. The default is 0 (Ref: 458329).

Modified Parameters

adclient.cloud.connector: "" This parameter specifies multiple connectors separated by commas. The default is empty. (Ref: 469283)
adclient.cloud.connector.refresh.interval: 2 The default value of this parameter is changed from 8 to 2. (Ref: 477001)
adclient.group.ignore.blocked.domain.members: false This parameter is exposed. (Ref: 468135)

Audit Trail Events

Server Suite Access Manager

The 'Zones' node indicated if there are zones opened. (Ref: 478472)

Server Suite Access Module for PowerShell

A new parameter -ExtendedAttributes was added to the access manager powershell cmdlets

New-CdmUserProfile and Set-CdmUserProfile. This parameter allows AIX extended attributes to

be added, modified or removed. The cmdlet Get-CdmUserProfile was modified to display

ExtendedAttributes. (Ref: 453868)

Server Suite Group Policy Management

Server Suite Licensing Service

Server Suite OpenLDAP Proxy

Upgraded OpenLDAP from 2.4.59 to 2.5.13 (Ref: 448127)

Server Suite OpenSSH

Server Suite Report Services

Supported SQL Server 2019. (Ref: 474807)
The existing database can be reused if its database version is the same as Report Service. (Ref: 458296)

Server Suite Smart Card

Added Smart Card Support for Oracle Linux 8. (Ref: 480339)
Smart Card Authentication in DirectControl is enhanced to support certificate-to-user mapping by way of the per-user altSecurityIdentities attribute. (Ref: 471297)

Configuration Parameters

New Parameters

smartcard.cert.upn.mapping: true

This parameter specifies whether to uses the Subject Alternative Name (SAN) for UPN mapping

for SmartCard support. The default is true. (Ref: 471297)

Server Suite Windows Installer

Server Suite Windows SDK

Server Suite Zone Provisioning Agent

Fixed Issues in this Release

General

Security Fixes

Fixed CVE-2023-22809 for dzdo/dzedit. (Ref: 482707)

Server Suite DirectControl Agent for *NIX

Fixed an issue that ldapproxy may not include pagedResultsControl in searchResultDone message. (Ref: 446758)
Fixed an issue that the scp and sftp of Delinea Openssh may crash on Solaris 10. (Ref: 447712)
Fixed an issue that adclient cannot shut down during the step building cache. (Ref: 471076)
Fixed an issue that zone user is not listed by "adquery user" when the home directory of zone user's profile contains "%{pgroup}". (Ref: 482952)
Added a new option (client) for addebug to control client log specially. (Ref: 430722)
Fixed an issue that MFA might fail on SuSE Linux. (Ref: 452146)
Fixed a memory leak bug in DirectControl CAPI cache which causing cumulative memory leak in DirectAudit NSS module if the CAPI cache is enabled. As the NSS module is used system-wide, this problem actually affects almost all applications. (Ref: 471535)
Fixed a problem in DirectControl that when user query the RootDSE for 2016 or 2019 domain via ldapproxy, the subschemaSubentry attribute will have a strange ">;" prefix in the result DN value. (Ref: 473736)
Fixed an issue that some commands, for example, git and scp, cannot work within dzsh. (Ref: 467667)
Fixed an issue that DirectControl services could be in disconnected mode for a short period of time right after system boot on systemd systems (Ref: 486028)
Enhanced adclient to properly handle the situation that the Next-Closest-Site information is not available from some domain controllers. (Ref: 468557)
Fixed an issue that user overriding via group membership in passwd.ovr sometimes does not apply when the overriding group is not zone enabled. (Ref: 471306)
Improved the code logic about automatic adjusting in-memory "adclient.zone.group.count" value. (Ref: 465141)
Fixed an issue that adclient validates password for SSO-only users. (Ref: 488803)

DirectControl Command Line Utilities

DirectControl Installation

Fixed an issue on Solaris 10 that if DirectControl is installed in Solaris global zone for all zones, then installing new Solaris zone will show an error about the CentrifyDC-openssl package and that package will not be installed in the new zone. This problem has been fixed. (Ref: 467604)
Changed RHEL RPM GPG signature to SHA256. (Ref: 483190)

Audit Trail Events

Server Suite Access Manager

Server Suite Access Module for PowerShell

Fixed an issue that 'AllowNestedCommandExecution' would be enabled even if it is not specified

in the cmdlet 'Set-CdmCommandRight'. (Ref: 483327)

Server Suite ADEdit

Server Suite Group Policy Management

Server Suite Licensing Service

Fixed an issue that the license usage is incorrect on licensing service control panel. (Ref: 433524)

Server Suite NIS

Server Suite OpenLDAP Proxy

Server Suite OpenSSH

Server Suite Report Services

Fixed an issue that backup folder cannot be created via 'Upgrade and Deployment Wizard'. (Ref: 466258)
Fixed an issue that the version number checking of PostgreSQL is failed. (Ref: 466763)

Server Suite Smart Card

Server Suite Windows Installer

Server Suite Windows SDK

Server Suite Zone Provisioning Agent

Fixed an issue that ZPA cannot provision the user when the user having the same nested group as

the primary group. (Ref:442953)

Fixes in Release 2023 Component Update (April 2024)

Fixed issues related to CVE-2023-42465 by creating a patch for Dzdo. (Ref: 553570)
Fixed an upgrade issue when upgrading from version 2022.1 or earlier on Flatcar Linux. (Ref: 560297)

Fixes in Release 2023 Component Update

Fixed issues related to CVE-2023-5363 by creating a patch to openSSL 3.0.8. (Ref: 540789)
Fixed a deadlock issue in adclient. (Ref: 517984)

Known Issues

The following sections describe common limitations or known issues associated with this Authentication Service and Privilege Elevation Service release.

For the most up to date list of known issues, please login to the Customer Support Portal at https://www.delinea.com/support and refer to Knowledge Base articles for any known issues with the release.

Server Suite DirectControl Agent for *NIX

Known Issues with Multi-Factor Authentication (MFA)

If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, all AD users will be required for MFA. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)
Known Issues with AIX

On AIX, upgrading DirectControl agent from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after upgrade. It's recommended not to upgrade DirectControl agent in disconnected mode. (Ref: CS-30494a)

Some versions of AIX cannot handle username longer than eight characters. As a preventive measure, we have added a new test case in the adcheck command to check if the parameterLOGIN_NAME_MAX is set to 9. If yes, adcheck will show a warning so that users can be aware of it. (Ref: CS-30789a)
Known issues with Fedora 19 and above (Ref: CS-31549a, CS-31730a)

There are several potential issues on Fedora 19 and above:
1. The adcheck command will fail if the machine does not have Perl installed.
2. Group Policy will not be fully functional unless Text/ParseWords.pm is installed.
Known issues with RedHat

When logging into a RedHat system using an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which will result inunpredictable login behavior. The workaround is to remove the conflict or login with a different AD user. (Ref: CS-28940a, CS-28941a)
- Known issues with rsh / rlogin (Ref: IN-90001)
- When using rsh or rlogin to access a computer that has DirectControl agent installed, and
  where the user is required to change their password, users are prompted to change their
  password twice. Users may use the same password each time they are prompted, and the
  password is successfully changed.
Known issues with compatibility

Using DirectControl 4.x agents with Access Manager 5.x (Ref: IN-90001)
- DirectControl 4.x agents can join classic zones created by Access Manager 5.x. It will
  ostensibly be able to join a DirectControl 4.x agent to a hierarchical zone as well,
  but this causes failure later as such behavior is undefined.
Default zone not used in DirectControl 5.x (Ref: IN-90001)
- In DirectControl 4.x, and earlier, there was a concept of the default zone. When Access Manager
  was installed, a special zone could be created as the default zone. If no zone was specified
  when joining a domain with adjoin, the default zone would be used.
- This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.
- A zone called "default" may be created, and default zones created in earlier versions of Access Manager may be used, but the name must be explicitly used.

Smart Card

Release 18.8 includes an update to Coolkey to support Giesecke & Devrient 144k, Gemalto DLGX4-A 144, and HID Crescendo 144K FIPS cards. However, this has caused known issues that may cause CAC cardsto only work sporadically. A workaround for CAC cards is to wait for it to prompt for PIN and Welcome, without removing the card, and then try again. (Ref: CC-58013a)
There is a Red Hat Linux desktop selection issue found in RHEL 7 with smart card login. When login with smart card, if both GNOME and KDE desktops are installed, user can only log into GNOME desktop even though "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)
When a SmartCard user attempts to login with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: CS-28305a)
Any SmartCard user will get a PIN prompt even if he's not zoned, even though the login attempt will ultimately fail. (Ref: CS-33175c)
If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using their expired password. This is not a usualcase, as secure SmartCard AD environments usually do not allow both PIN and Password logins while using a Smart Card. (Ref: CS-28926a)
To login successfully in disconnected mode (Ref: CS-29111a):
- For a password user:
  * A password user must log in successfully once in connected mode prior to logging in
  using disconnected mode. (This is consistent with other DirectControl agent for *NIX behavior)
  - For a SmartCard user:
    - The above is not true of SmartCard login. Given a properly configured RedHat system with
      valid certificate trust chain and CRL set up, a SmartCard user may successfully login
      using disconnected mode even without prior successful logins in connected mode.
      - If certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.
      - If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.
When CRL check is set via Group Policy and attempting to authenticate via Smartcard, authentication may fail. The workaround is to wait until the Group Policy Update interval has occurred andtry again or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)
A name-mapping user can unlock screen with password even though the previous login was with PIN. (Ref: CS-31364b)
Need to input PIN twice to login using CAC card with PIN on RedHat. It will fail on the first input but succeed on the second one. (Ref: CS-30551c)
Running "sctool -D" with normal user will provide wrong CRL check result. The work-around is to run it as root. (Ref: CS-31357b)
Screen saver shows password not PIN prompt (Ref: CS-31559a)

Most smart card users can log on with a smart card and PIN only and cannot authenticate with a username and password. However, it is possible to configure users for both smart card/PIN and username/password authentication. Generally, this set up works seamlessly: the user either enters a username and password at the log on prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card will lock once the limit for incorrect entries is reached.

On RHEL 7, an authenticated Active Directory user via smart card cannot login again if the smart card is removed. This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342. This problem does not happen on RHEL6. (Ref: CSSSUP-6914c)

Additional Information and Support

In addition to the documentation provided with this package, see the Delinea Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact Delinea Support directly with your questions through the Delinea Web site, by email, or by telephone.

The Delinea Resources web site provides access to a wide range of information including analyst reports, best practice briefs, case studies, datasheets, ebook, white papers, etc., that may help you optimize your use of Delinea products. For more information, see the Delinea Resources web site.

You can also contact Delinea Support directly with your questions through the Delinea Web site, by email, or by telephone. To contact Delinea Support or to get help with installing or using this software, send email to support@delinea.com or call 1-202-991-0540. For information about purchasing or evaluating Delinea products, send email to info@delinea.com.