Authentication Service and Privilege Elevation Service 5.9.1 Release Notes (Verify Privilege Server Suite 2022.1)

About this Release

Authentication Service and Privilege Elevation Service, part of the product category IBM Security Verify Privilege Server Suite (previously called Centrify Infrastructure Services or Centrify Zero Trust Privilege Services), centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication and enabling the use of Windows Group Policy and single sign-on. With IBM Security Verify Privilege Server Suite, enterprises can easily migrate and manage complex UNIX, Linux, and Windows systems, rapidly consolidate identities into the directory, organize granular access, and simplify administration. IBM Security Authentication Service, through IBM Security's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management, and delegate administration. IBM Security's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance, and reduced operational costs.

The Upgrade Guide describes the correct order to perform updates such that all packages continue to perform correctly once upgraded.

The product-related release notes and documents are available online at https://docs.delinea.com/.

Delinea software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)

Feature Changes in this Release

For a list of the supported platforms by this release, refer to the "Supported Platforms" section in the Verify Privilege Server Suite Release Notes.

For a list of platforms for which IBM Security will remove support in upcoming releases, refer to the 'Notice of Termination Support' section in the Verify Privilege Server Suite Release Notes.

  • Implemented a new feature to gather statistics for NSS requests. See Configuration Parameters for details.

  • Implemented a new feature to write info and warning log messages when the time spent on a complete NSS request exceeds the configured threshold value. See Configuration Parameters for details.

General

Verify Privilege Server Suite and its component services have been changed to use the new IBM Security name and logo.

For more information about Delinea, see the Delinea Announcement.

Security Fix

Verify Privilege Server Suite DirectControl Agent for *NIX

  • Added support for a systemd environment file under the /etc/default directory. (Ref: 394029)

  • If the domain controller has installed Windows updates dated November 9, 2021 or later and the new registry value "PacRequestorEnforcement" is set to "2", resetting passwords via Kerberos fails. As a result, the DirectControl adjoin, adkeytab, and adpasswd command line utilities fail to reset account passwords. Microsoft has confirmed this issue; see the Known issues section of this article: https://prod.support.services.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041 (Ref: 430402)

    This release includes a solution that works around that issue.

DirectControl Command Line Utilities

Configuration Parameters

New Parameters
New Parameters for DirectControl
  • pam.homedir.update.ownership: false

    This parameter specifies whether or not to update the home directory ownership when the user logs in. The default is false. (Ref: 430517)

  • adclient.nss.statistic.interval: 30m

    This parameter specifies the statistic interval for adclient to gather NSS query statistics information. The default is 30 minutes. (Ref: 433831)

  • Added the following Verify Privilege Server Suite configuration items for the NSS module.

    Global settings for all categories of NSS requests (in milliseconds):

    nss.watch.slow.lookup.info.threshold: -1
    nss.watch.slow.lookup.warn.threshold: -1

    Per-category settings append a "user" or "group" suffix and can override the global settings. The "user" category covers these NSS calls: getpwnam*, getpwuid*, getgrouplist. The "group" category covers these NSS calls: getgrnam*, getgrgid*.

    nss.watch.slow.lookup.info.threshold.user: -1
    nss.watch.slow.lookup.warn.threshold.user: -1
    nss.watch.slow.lookup.info.threshold.group: -1
    nss.watch.slow.lookup.warn.threshold.group: -1

  • Added the following Verify Privilege Server Suite configuration items for adclient.

    Global settings for all categories of NSS requests (in milliseconds):

    adclient.watch.slow.lookup.info.threshold: -1
    adclient.watch.slow.lookup.warn.threshold: -1

    Per-category settings append a "user" or "group" suffix and can override the global settings. The "user" category covers these NSS calls: getpwnam*, getpwuid*, getgrouplist. The "group" category covers these NSS calls: getgrnam*, getgrgid*.

    adclient.watch.slow.lookup.info.threshold.user: -1
    adclient.watch.slow.lookup.warn.threshold.user: -1
    adclient.watch.slow.lookup.info.threshold.group: -1
    adclient.watch.slow.lookup.warn.threshold.group: -1
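    How the global and per-category thresholds combine is easiest to see in code. The following Python is an added example, not code from the release notes or the product: it models the resolution order described above against a constructed configuration sample, and assumes that -1 means a threshold is not set (so a per-category -1 falls through to the global value) and that a request counts as slow when it strictly exceeds the threshold.

```python
import re
from typing import Dict, Optional

DISABLED = -1  # the default the release notes list for every threshold key

# Constructed sample in the "key: value" form the notes use (not a shipped file).
# Global: info above 200 ms, warn above 1000 ms; user lookups get a stricter
# warn threshold; the group info key stays at -1 to show the fallback.
SAMPLE_CONF = """\
nss.watch.slow.lookup.info.threshold: 200
nss.watch.slow.lookup.warn.threshold: 1000
nss.watch.slow.lookup.warn.threshold.user: 500
nss.watch.slow.lookup.info.threshold.group: -1
"""

# Category membership exactly as the notes define it.
_USER_CALLS = re.compile(r"^(getpwnam|getpwuid)\w*$|^getgrouplist$")
_GROUP_CALLS = re.compile(r"^(getgrnam|getgrgid)\w*$")


def parse_conf(text: str) -> Dict[str, int]:
    """Parse 'key: value' lines into ints; blank lines and # comments are skipped."""
    conf: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = int(value.strip())
    return conf


def category_of(call: str) -> Optional[str]:
    """Map an NSS call name to 'user', 'group', or None for any other request."""
    if _USER_CALLS.match(call):
        return "user"
    if _GROUP_CALLS.match(call):
        return "group"
    return None


def effective_threshold(conf: Dict[str, int], prefix: str, level: str, call: str) -> int:
    """Threshold (ms) that applies to one call; prefix is 'nss' or 'adclient',
    level is 'info' or 'warn'. Assumption: a per-category key overrides the
    global key only when it is not -1; -1 or a missing key falls through."""
    base = f"{prefix}.watch.slow.lookup.{level}.threshold"
    cat = category_of(call)
    if cat is not None:
        per_cat = conf.get(f"{base}.{cat}", DISABLED)
        if per_cat != DISABLED:
            return per_cat
    return conf.get(base, DISABLED)


def classify(conf: Dict[str, int], prefix: str, call: str, elapsed_ms: int) -> Optional[str]:
    """Return 'warn', 'info', or None for a request that took elapsed_ms.
    'warn' is checked first so one slow lookup yields a single level, and a
    request counts as slow only when it strictly exceeds the threshold."""
    for level in ("warn", "info"):
        threshold = effective_threshold(conf, prefix, level, call)
        if threshold != DISABLED and elapsed_ms > threshold:
            return level
    return None


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for call, ms in (("getpwnam_r", 600), ("getgrnam_r", 600), ("getpwuid", 150)):
        print(f"{call} took {ms} ms -> {classify(conf, 'nss', call, ms)}")
```

    With the sample above, a 600 ms getpwnam_r lookup is logged at warn level (the user-specific 500 ms threshold applies), while a 600 ms getgrnam_r lookup only reaches info level because group lookups keep the global 1000 ms warn threshold.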

New Parameters for OpenLDAP Proxy
  • Added support for bypassing caches for specified categories with the following new parameters in slapd.conf:

    • ldapproxy.bypass.adclientcache: set this parameter to the categories (comma-separated; "*" means all searches) for which this feature is enabled.
    • ldapproxy.bypass.slapdcache: set this parameter in the /etc/centrifydc/openldap/ldapproxy.slapd.conf file to the categories (comma-separated; "*" means all searches) for which this feature is enabled.

      Note: USER and GROUP categories always use caches.

Modified Parameters

Audit Trail Events

Verify Privilege Server Suite Access Manager

Verify Privilege Server Suite Access Module for PowerShell

Verify Privilege Server Suite Group Policy Management

Verify Privilege Server Suite Licensing Service

Verify Privilege Server Suite OpenLDAP Proxy

Verify Privilege Server Suite OpenSSH

Verify Privilege Server Suite OpenSSL

Verify Privilege Server Suite Report Services

  • You can now specify registry keys to be created during the Report Services silent installation so you don't need to go back after it's installed to specify additional config parameters. (Ref:430713)

Verify Privilege Server Suite Smart Card

  • Added Smart Card Support for Rocky Linux. (Ref:433531)
  • Added Smart Card Support for Alma Linux. (Ref:433532)

Verify Privilege Server Suite Windows Installer

Verify Privilege Server Suite Windows SDK

Verify Privilege Server Suite Zone Provisioning Agent

Fixed Issues in this Release

General

  • Fixed memory allocation issues related to the Microsoft KB updates KB5014697 (Win 11), KB5014692 (Win10), KB5014699 (Win2019), and KB5014702 (Win2016). (Ref: 441208)

Security Fixes

  • Fixed the high-severity zlib vulnerability CVE-2022-37434 by applying the official patch. (Ref: 454508)

  • OpenSSL was upgraded from 3.0.1 to 3.0.5. (Ref: 444612)

  • Centrify cURL was upgraded to a build based on cURL v7.84.0. (Ref: 442043)

  • Upgraded zlib to 1.2.12. (Ref: 430916)

Verify Privilege Server Suite DirectControl Agent for *NIX

  • The obsolete group policy script TestFipsMode.pl has been removed from the CentrifyDC package. (Ref: 427705)

  • Fixed an issue where single sign-on could fail when using the KCM Kerberos credential cache. (Ref: 430385)

  • Fixed an issue where dzdo may crash on Debian if audit is disabled in a kernel parameter. (Ref: 442864)

  • Fixed an issue where adjoin didn't write Kerberos keytab entries of the computer userPrincipalName. (Ref: 442592)

  • Fixed an issue where some groups may have lost members when 'adclient.local.group.merge' was true. (Ref: 431082)

  • Fixed an issue where centrifydc.log was empty after log rotation on RHEL 8. (Ref: 429155)

  • Fixed a race condition issue that would sometimes crash processes performing NSS user lookups. (Ref:443314)

  • Fixed an issue where the user needed to manually add '+' at the end of /etc/passwd to resolve AD users while NSS compatibility mode was enabled. (Ref: 441847)

  • Fixed an issue where user lookup by NTLM name would fail when the adclient.included.domains setting was in place. (Ref: 422590)

DirectControl Command Line Utilities

DirectControl Installation

Audit Trail Events

Verify Privilege Server Suite Access Manager

  • Fixed an issue where Access Manager showed an unknown OS type for AlmaLinux, Rocky Linux, Red Hat Enterprise Linux CoreOS, and Flatcar Container Linux. (Ref: 431687)

  • Fixed an issue in Access Manager where users couldn't change the license container in the zone's properties dialog box. (Ref: 433612)

  • Fixed an issue with the Access Manager analyzer where it showed incorrect orphaned role assignments. (Ref: 431820)

Verify Privilege Server Suite Access Module for PowerShell

Verify Privilege Server Suite ADEdit

  • Fixed an issue where the adedit command 'create_assignment' couldn't create role assignments for the same user but with different start/end time. (Ref:422588)

Verify Privilege Server Suite Group Policy Management

Verify Privilege Server Suite Licensing Service

Verify Privilege Server Suite NIS

Verify Privilege Server Suite OpenLDAP Proxy

  • Fixed an issue where the ldapproxy in-memory cache couldn't work with sizelimit. (Ref:445830)

  • Fixed an issue where ldapproxy replied with two searchResultDone packets for one paged search. (Ref: 442434)

  • Fixed an issue where ldapproxy returned "no such object" when searching for an rfc2307nismap container. (Ref:441860)

Verify Privilege Server Suite OpenSSH

Verify Privilege Server Suite Report Services

  • Fixed an issue where Report Services ended prematurely because of a null exception. (Ref: 430704)

Verify Privilege Server Suite Smart Card

Verify Privilege Server Suite Windows Installer

Verify Privilege Server Suite Windows SDK

Verify Privilege Server Suite Zone Provisioning Agent

Fixes in Release 2022.1 Component Update (2022.1.9 / July 2024)

  • Fixed issues related to CVE-2024-6387 and CVE-2024-6409 by creating a patch for OpenSSH. (Ref: 582223)

    This Component Update will deprecate the previous version, Component Update (March 2024).

Fixes in Release 2022.1 Component Update (March 2024)

  • Fixed issues related to CVE-2023-42465 by creating a patch for Dzdo. (Ref: 553569)

    This Component Update will deprecate the previous version.

Fixes in Release 2022.1 Component Update

  • Fixed issues related to CVE-2023-5363 by creating a patch for OpenSSL 3.0.7. (Ref: 541353)

  • Addressed several critical security issues by upgrading 'Centrify OpenSSL' to 3.0.7. (Ref: 469895)

  • Fixed issues related to CVE-2022-42915 by upgrading cURL to 7.86.0. (Ref: 469896)

Known Issues

The following sections describe common limitations or known issues associated with this Authentication Service and Privilege Elevation Service release.

For the most up-to-date list of known issues, please log in to the Customer Support Portal at https://www.delinea.com/support and refer to the Knowledge Base articles for any known issues with the release.

Verify Privilege Server Suite DirectControl Agent for *NIX

  • Known Issues with Multi-Factor Authentication (MFA)

    If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, MFA will be required for all AD users. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)

  • Known Issues with AIX

    On AIX, upgrading DirectControl agent from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after upgrade. It's recommended not to upgrade DirectControl agent in disconnected mode. (Ref: CS-30494a)

    Some versions of AIX cannot handle usernames longer than eight characters. As a preventive measure, we have added a new test case to the adcheck command that checks whether the parameter LOGIN_NAME_MAX is set to 9. If it is, adcheck shows a warning so that users are aware of the limit. (Ref: CS-30789a)

  • Known issues with Fedora 19 and above (Ref: CS-31549a, CS-31730a)

    There are several potential issues on Fedora 19 and above:

    1. The adcheck command will fail if the machine does not have Perl installed.
    2. Group Policy will not be fully functional unless Text/ParseWords.pm is installed.

  • Known issues with RedHat

    When logging in to a RedHat system using an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which will result in unpredictable login behavior. The workaround is to remove the conflict or log in with a different AD user. (Ref: CS-28940a, CS-28941a)

  • Known issues with rsh / rlogin (Ref: IN-90001)

    When using rsh or rlogin to access a computer that has the DirectControl agent installed, and where the user is required to change their password, the user is prompted to change the password twice. Users may use the same password each time they are prompted, and the password is successfully changed.

  • Known issues with compatibility

    Using DirectControl 4.x agents with Access Manager 5.x (Ref: IN-90001)

    • DirectControl 4.x agents can join classic zones created by Access Manager 5.x. Joining a DirectControl 4.x agent to a hierarchical zone may appear to succeed, but this behavior is undefined and causes failures later.

    Default zone not used in DirectControl 5.x (Ref: IN-90001)

    • In DirectControl 4.x, and earlier, there was a concept of the default zone. When Access Manager was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone would be used.
    • This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.
    • A zone called "default" may be created, and default zones created in earlier versions of Access Manager may be used, but the name must be explicitly used.

Smart Card

  • Release 18.8 includes an update to Coolkey to support Giesecke & Devrient 144k, Gemalto DLGX4-A 144, and HID Crescendo 144K FIPS cards. However, this update introduced known issues that may cause CAC cards to work only sporadically. A workaround for CAC cards is to wait for the PIN and Welcome prompts, without removing the card, and then try again. (Ref: CC-58013a)

  • There is a Red Hat Linux desktop selection issue in RHEL 7 with smart card login. When logging in with a smart card on a system that has both the GNOME and KDE desktops installed, the user can only log in to the GNOME desktop even if the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)

  • On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smart card is inserted at the login screen, the PIN prompt may not appear until you press the "Enter" key. The workaround is to replace libsoftokn3.so, a shared object file in the NSS package, with the older version from RHEL 5.9. (Ref: CS-35038a)

  • On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen is locked several seconds after logging in with a smart card. The workaround is to replace libsoftokn3.so, a shared object file in the NSS package, with the older version from RHEL 5.9. (Ref: CS-33871a)

  • When a SmartCard user attempts to login on Red Hat 6.0 with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: CS-28305a)

  • On RedHat, any SmartCard user gets a PIN prompt even if they are not zoned, although the login attempt will ultimately fail. This differs from Mac behavior: on Mac, if a SmartCard user is not zoned, the user is not prompted for a PIN at all. (Ref: CS-33175c)

  • If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using their expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and Password logins while using a Smart Card. (Ref: CS-28926a)

  • To log in successfully in disconnected mode (Ref: CS-29111a):

    • For a password user:
      • A password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other DirectControl agent for *NIX behavior)
    • For a SmartCard user:
      • The above is not true of SmartCard login. Given a properly configured RedHat system with a valid certificate trust chain and CRL set up, a SmartCard user may successfully log in using disconnected mode even without a prior successful login in connected mode.
      • If certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.
      • If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.
  • After upgrading from DirectControl version 5.0.4 to version 5.1, a Smartcard user may not be able to log in successfully. The workaround is to run the following CLI commands:

    sudo rm /etc/pam_pkcs11/cacerts/*
    sudo rm /etc/pam_pkcs11/crls/*
    sudo rm /var/centrify/net/certs/*

    and then run adgpupdate. (Ref: CS-30025c)

  • When CRL check is set via Group Policy and attempting to authenticate via Smartcard, authentication may fail. The workaround is to wait until the Group Policy Update interval has occurred and try again or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)

  • After upgrading from DirectControl agent version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to perform the following CLI command sequence:

    sctool -d
    sctool -e
    sudo rm /etc/pam_pkcs11/cacerts/*
    sudo rm /etc/pam_pkcs11/crls/*
    sudo rm /var/centrify/net/certs/*
    adgpupdate

    and then log in again using the SmartCard and PIN. (Ref: CS-30353c)

  • A name-mapping user can unlock the screen with a password even though the previous login was with a PIN. (Ref: CS-31364b)
  • The PIN must be entered twice to log in using a CAC card with a PIN on RedHat. The first attempt fails but the second succeeds. (Ref: CS-30551c)
  • Running "sctool -D" as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)
  • Screen saver shows a password prompt, not a PIN prompt (Ref: CS-31559a)

    Most smart card users can log on with a smart card and PIN only and cannot authenticate with a username and password. However, it is possible to configure users for both smart card/PIN and username/password authentication. Generally, this setup works seamlessly: the user either enters a username and password at the logon prompt, or inserts a smart card and enters a PIN at the prompt.

    However, for multi-user cards, it can be problematic when the screen locks while the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters the password multiple times, the card will lock once the limit for incorrect entries is reached.

  • On RHEL 7, an Active Directory user authenticated via smart card cannot log in again if the smart card is removed. This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342. This problem does not happen on RHEL 6. (Ref: CSSSUP-6914c)

Report Services

  • N/A

Additional Information and Support

In addition to the documentation provided with this package, see the IBM Security Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact IBM Security Support directly with your questions through the IBM Security Web site, by email, or by telephone.

The IBM Security Resources web site provides access to a wide range of information, including analyst reports, best practice briefs, case studies, datasheets, ebooks, white papers, and more, that may help you optimize your use of IBM Security products. For more information, see the IBM Security Resources web site.

To contact IBM Security Support or to get help with installing or using this software, send email to support@delinea.com or call 1-202-991-0540. For information about purchasing or evaluating IBM Security products, send email to info@delinea.com.