Authentication Service and Privilege Elevation Service 6.2.1 Release Notes (Server Suite 2025.1)

Release Date: December 10, 2025

The Authentication and Privilege Elevation release notes describe any changes to the following feature areas:

Access Manager DirectControl Agent for *NIX Report Services
Access Module for PowerShell DirectControl Command Line Utilities Roles and rights
Active Directory environment Endpoint enrollment RunAsRole
ADedit Agent for Windows Group Policy Management Smart Card
Application Manager Licensing Service Windows configuration and environment
Audit Trail Events Network manager Windows installation
Compatibility with third party products NIS Windows Installer
Configuration parameters OpenLDAP Proxy Windows SDK
Desktop with elevated privileges OpenSSH Zone Provisioning Agent

Be sure to also review the Authentication Service and Privilege Elevation Service Limitations that apply to multiple releases.

Changes in Release 2025.1.5 Rolling Update (2025.1.5 / April 2026)

  • Fixed PowerShell cmdlets (Get-CdmZone, New-CdmZone, etc.) failing with "A local error has occurred" during license check when the service account cannot authenticate to the forest root domain. (719478)

  • Optimized DirectAuthorize Windows agent to filter role assignments server-side, reducing LDAP load on Domain Controllers in large environments. (720092)

Changes in Release 2025.1.4 Rolling Update (2025.1.4 / April 2026)

  • Fixed a bug where centrifydc-sshd failed to start on AIX. (709931)

  • Fedora 42 is now supported. (709930)

Changes in Release 2025.1.3 Rolling Update (2025.1.3 / March 2026)

  • DirectControl Agent - Fixed an issue where adclient could crash if the gMSA credential ticket failed to renew. (703127)

Changes in Release 2025.1.1 Rolling Update (2025.1.1 / January 2026)

  • In 2025.1, a configuration option was introduced to control which TLS version the Server Suite 6.2.1 agent uses for MFA on Linux (see Known Issues). However, this configuration was not applied to adcdiag. As a result, adcdiag could use a different TLS version than the agent. This issue has been fixed by updating adcdiag to use the same TLS version configuration as the agent to ensure consistent behavior. (696223)

  • Minimum supported TLS version is changed from 1.3 to 1.2. (696224)

New Features

This section describes new features included in this release.

Server Suite Agent for Windows

  • Users can configure whether a new session should be launched when logging into a Citrix XenApp server by setting the registry value 'DisableNewSessionOnCitrix'. (644868)

Improvements

This section provides an overview of the product improvements in this release.

Server Suite DirectControl Agent for *NIX

  • The dzdo command line program has been patched for CVE-205-32462. (682771)

  • Added a timeout mechanism to the .setgrpsrc file access. If the file cannot be read within the specified time period, the operation will be terminated to prevent indefinite block. (684220)

  • TLS 1.3 is supported. (668104)

    For the Linux/UNIX agent, you might need to modify the configuration so the agent allows an earlier version, TLS 1.2. See Known Issues.

  • Upgraded SQLite to 3.48.0 and patched for CVE-2025-6965. (668357)

Server Suite DirectControl Agent for Windows

  • TLS 1.3 is supported. This solution only applies to Windows Server 2022 or later. (668104)

Server Suite OpenLDAP

  • Upgraded OpenLDAP to 2.6.10. (655111)

Server Suite LDAP Proxy

  • Upgraded OpenLDAP to 2.6.10 (655111)

  • LDAPProxy now releases sessions in time instead of waiting for the connection to be closed. (682436)

Server Suite OpenSSL

  • Upgraded OpenSSL to 3.5.4. (668695)

Fixed Issues

This section lists notable issues that have been fixed in this release.

Server Suite DirectControl Agent for *NIX

  • Fixed an issue where adcheck shows an unexpected warning for SAMBA. (681629)

  • Fixed an issue in Release 2025.0.1 on Linux with systemd service manager where the watchdog process (cdcwatch) will be killed by systemd if DirectControl agent (adclient) crashed. (678270)

  • Fixed an issue where upgrading on Linux systems that have SELinux enabled with the install.sh script might terminate GDM sessions. (665870)

  • Fixed an issue where CentrifyDC 6.1.0 + breaks Ubuntu 24.04+ system update. (665535)

  • Fixed an issue where systemd cannot stop centrifydc service properly. (671884)

Known Issues

Symptom:

MFA can fail when the *NIX Agent is used, with error messages like the following:

  • SSL connection error

  • curl error occurred in curl_easy_perform: SSL connect error (35)

  • Identity Platform failed to authenticate this computer through the Connector

Cause:

The cause is a TLS version mismatch. In Linux, the Server Suite 6.2.1 agent by default will try TLS 1.3 for MFA. If the Windows system the connector is running on doesn't use TLS 1.3 by default, this configuration interferes with SSL communication between the MFA and the adclient, causing intermittent authentication issues during login.

Solution:

  1. On the Linux/UNIX server where the agent is installed, edit the file /etc/centrifydc/centrifydc.conf.

  2. Add the following parameter:

    adclient.cloud.min.tls.version: TLSv1.2

  3. Save the file.

  4. Restart the service:

    systemctl restart centrifydc.service