Authentication Service and Privilege Elevation Service 6.1.0 Release Notes (Verify Privilege Server Suite 2024)

Release Date: September 24, 2024

Authentication Service and Privilege Elevation Service, part of the product category IBM Security Verify Privilege Server Suite (previously called Centrify Infrastructure Services or Centrify Zero Trust Privilege Services), centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and Single-Sign-On. With IBM Security Verify Privilege Server Suite, enterprises can easily migrate and manage complex UNIX, Linux, and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. IBM Security Authentication Service, through IBM Security's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. IBM Security's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.

The Upgrade Guide describes the correct order to perform updates such that all packages continue to perform correctly once upgraded.

Delinea software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)

Feature Changes in this Release

For a list of the platforms supported by this release, refer to the "Supported Platforms" section in the Verify Privilege Server Suite Release Notes.

For a list of platforms for which IBM Security will remove support in upcoming releases, refer to the "Notice of Termination Support" section in the Verify Privilege Server Suite Release Notes.

Compatibility

If DirectControl is upgraded to 2024, Verify Privilege Server Suite OpenSSH needs to be upgraded to 2024 as well.

Security Fix

  • The patch for Dzdo has been updated to fix CVE-2023-42465. (Ref: 553596)

  • Upgraded OpenSSL from v3.1.2 to v3.3.0. (Ref: 535309)

  • Upgraded cURL to v8.7.1. (Ref: 524571)

  • Created a CVE-2024-6387 patch for OpenSSH 9.7p1. (Ref: 582249)

Verify Privilege Server Suite DirectControl Agent for *NIX

  • When you unselect the "serversuite" authselect profile (e.g. with adleave), the system reverts the authselect profile to the state it was in before the "serversuite" profile was selected. (Ref: 545178)

  • Verify Privilege Server Suite supports creating a role with a new Dzdo Rescue right, which allows you to control which users can authenticate to the system via dzdo if multi-factor authentication problems with the cloud platform prevent users from authenticating to the system. (Ref: 543477)

  • centrify-kcm is now restarted automatically by the system when it crashes. (Ref: 557292)

  • A new parameter, '<gmsa>.krb5.keytab.upn.realm', is introduced to control the realm of the UPN principal in the keytab file for each gMSA. (Ref: 558566)

  • adreload now triggers renewal of gMSA credential caches that are about to expire or do not exist. (Ref: 531871)

  • The default value of adclient.clients.listen.backlog has been increased to 1024. (Ref: 554712)

  • The automatic Kerberos credential cache renewal logic in adclient was enhanced to avoid possible user account lockout caused by the use of an old password. (Ref: 541853)

  • Verify Privilege Server Suite supports IPv6, but DirectAudit does not support IPv6 yet. (Ref: 447757)

Verify Privilege Server Suite Access Module for PowerShell

  • A new system right "HasDzdoRescueRight" was introduced for New-CdmRole, Set-CdmRole, and Get-CdmRole. (Ref: 543474)

Verify Privilege Server Suite OpenLDAP Proxy

  • A new configuration item 'ldapproxy.nosuchobject.onempty true' has been added for IBM Security Ldapproxy. It controls whether LDAP_NO_SUCH_OBJECT (32) is returned for searches that produce an empty result. The default value is true for backward compatibility. If set to false, LDAP_SUCCESS (0) is returned for strict RFC compliance. (Ref: 539439)

Verify Privilege Server Suite OpenSSH

  • Upgraded OpenSSH to 9.7p1. (Ref: 546591)

  • Support for merging sshd configurations from included configuration files during installation or upgrade has been added. (Ref: 558127)

Verify Privilege Server Suite Report Services

  • Verify Privilege Server Suite Reporting Service supports SQL Server 2022. (Ref: 552201)

Fixed Issues in this Release

Verify Privilege Server Suite DirectControl Agent for *NIX

  • Fixed an issue where, after uninstallation of Verify Privilege Server Suite, authselect might still use the 'serversuite' profile. (Ref: 545175)

  • Fixed an issue where /usr/share/centrifydc/bin/centrify-kcm did not show the kcm status correctly on Alpine Linux. (Ref: 553187)

  • An issue was fixed where adquery showed the account locked even after the lockout duration had elapsed. (Ref: 536852)

  • An issue was fixed where gssproxy crashed centrify-kcm. (Ref: 556233)

  • Fixed an issue in DirectControl CAPI that only allowed services running as root to verify the Kerberos PAC. The bug broke compatibility with the IBM Security DB2 GSS plugin. (Ref: 561565)

  • Fixed an issue in the addns command where, when the -r, --refresh option was specified and any (HOST or PTR) records were going to be updated, the refresh option was ignored. (Ref: 543479)

  • Fixed an issue where "addns -U" always tried to refresh A records regardless of the "-r, --refresh" option. (Ref: 553649)

  • Fixed an upgrade issue when upgrading from version 2022.1 and earlier on Flatcar Linux. (Ref: 556177)

  • Fixed an issue that occurred when comments were on the same line as a DNS entry in '/etc/resolv.conf'. (Ref: 559168)

  • Fixed an issue with adclient where it would sometimes crash on Solaris SPARC platforms when a new 2-way forest trust was discovered in the Active Directory. (Ref: 538357)

  • Fixed an issue regarding refreshing the certificate CRL for smart card authentication integrated with Citrix Linux Virtual Delivery Agent (VDA). (Ref: 545314)

  • Fixed an issue in adclient where a background LDAP page search result refresh task may get run many times unnecessarily. (Ref: 543590)

  • Fixed a data race that would cause adclient to crash on some non-GNU platforms such as AIX and Solaris. (Ref: 573185)

DirectControl Command Line Utilities

  • Fixed an issue with enrolling certificates of Windows Server 2012+ CA-compatible templates using adcert CLI under FIPS mode. (Ref: 542488)

Changes in Release 2024 Rolling Update (2024.0.2 / July 2024)

  • Fixed issues related to CVE-2024-6387 by creating a patch for OpenSSH. (Ref: 582249)

  • Fixed the issue where a role defined in a parent zone for a user in a child zone could not be found. (Ref: 568613)

  • Fixed an issue with certificate auto-enrollment, where the DirectControl agent requested certificate renewals each time it applied group policies because the adcert CLI could not correctly validate the template revision information of the certificates. (Ref: 579114)

  • Improved mapping rules in OpenLDAP Proxy to handle cases where the search filter is '(&(objectClass=posixAccount)(uid=<name>))' but the <name> is actually derived from 'sAMAccountName' instead of the UNIX name. (Ref: 511369)

Known Issues

The following sections describe common limitations or known issues associated with this Authentication Service and Privilege Elevation Service release.

Verify Privilege Server Suite DirectControl Agent for *NIX

  • Known Issues with the upgrade:

    • When upgrading from release 2022.1 or older to release 2023 or newer on aarch64 and PPC platforms, you may see an error or warning like "adinfo: double free or corruption". You can ignore it: the upgrade continues successfully and everything works correctly afterwards. (Ref: 560452)

  • Known Issues with Multi-Factor Authentication (MFA):

    • If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, all AD users will be required to use MFA. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)

  • Known Issues with AIX:

    • On AIX, upgrading DirectControl agent from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after the upgrade. It's recommended not to upgrade DirectControl agent in disconnected mode. (Ref: CS-30494a)

    • Some versions of AIX can't handle a username longer than eight characters. As a preventive measure, we have added a new test case in the adcheck command to check if the parameter LOGIN_NAME_MAX is set to 9. If yes, adcheck will show a warning so that users can be aware of it. (Ref: CS-30789a)

  • Known issues with Fedora 19 and above: (Ref: CS-31549a, CS-31730a)

    • The adcheck command will fail if the machine does not have Perl installed.

    • Group Policy will not be fully functional unless Text/ParseWords.pm is installed.

  • Known issues with RedHat:

    • When logging into a RedHat system using an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which will result in unpredictable login behavior. The workaround is to remove the conflict or log in with a different AD user. (Ref: CS-28940a, CS-28941a)

  • Known issues with rsh / rlogin (Ref: IN-90001)

    • When using rsh or rlogin to access a computer that has DirectControl agent installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted, and the password is successfully changed.

  • Known issues with compatibility:

    • DirectControl SELinux module is not compatible with RHEL 6.0 and the installation of the module will fail on RHEL 6.0. If SELinux is required, please upgrade to RHEL 6.1 or above, or upgrade the SELinux policy on the system. (Ref: 503757)

    • Default zone is not used in DirectControl 5.x (Ref: IN-90001)

      • In DirectControl 4.x, and earlier, there was a concept of the default zone. When Access Manager was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone would be used.

      • This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.

      • A zone called "default" may be created, and default zones created in earlier versions of Access Manager may be used, but the name must be explicitly used.

Smart Card

  • There is a Red Hat Linux desktop selection issue found in RHEL 7 with smart card login. When logging in with a smart card, if both GNOME and KDE desktops are installed, the user can only log into the GNOME desktop even though the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)

  • When a SmartCard user attempts to login with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: CS-28305a)

  • Any SmartCard user will get a PIN prompt even if they are not zoned, even though the login attempt will ultimately fail. (Ref: CS-33175c)

  • If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using their expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and password logins while using a smart card. (Ref: CS-28926a)

  • To log in successfully in disconnected mode (Ref: CS-29111a):

    • For a password user:

      • A password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other DirectControl agent for *NIX behavior.)

    • For a SmartCard user:

      • The above is not true of SmartCard login. Given a properly configured RedHat system with a valid certificate trust chain and CRL set up, a SmartCard user may successfully log in using disconnected mode even without prior successful logins in connected mode.

        • If the certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.

        • If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.

  • When CRL check is set via Group Policy and attempting to authenticate via Smartcard, authentication may fail. The workaround is to wait until the Group Policy Update interval has occurred and try again, or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)

  • A name-mapping user can unlock screen with password even though the previous login was with PIN. (Ref: CS-31364b)

  • Users need to enter their PIN twice to log in with a CAC card on RedHat. The first entry fails but the second one succeeds. (Ref: CS-30551c)

  • Running "sctool -D" as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)

  • Screen saver shows password not PIN prompt (Ref: CS-31559a)

Most smart card users can log on with a smart card and PIN only and cannot authenticate with a username and password. However, it is possible to configure users for both smart card/PIN and username/password authentication. Generally, this setup works seamlessly: the user either enters a username and password at the logon prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters their password multiple times, the card will lock once the limit for incorrect entries is reached.

On RHEL 7, an Active Directory user authenticated via smart card cannot log in again if the smart card is removed. This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342. This problem does not happen on RHEL 6. (Ref: CSSSUP-6914c)

Additional Information and Support

If you have questions about IBM Security Verify Privilege products, sales, or support, please contact IBM Support.