Chat now with support
Chat with Support

Quest has tools and processes in place to identify, protect, detect, and remediate vulnerabilities and incidents when they occur, including external security partners. As part of our standard security operations, Quest does not use CrowdStrike in any of our operations. We are reviewing our third parties, and so far, there is minimal affect. It is Quest's policy not to provide further technical details unless they directly impact customer data.

Safeguard Authentication Services 6.0 LTS - Upgrade Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services Upgrade Windows components Configure Active Directory Configure UNIX agent components Upgrade client components manually Getting started with Safeguard Authentication Services Troubleshooting

Privileged Access Suite for UNIX

UNIX security simplified

Privileged Access Suite for UNIX solves the intrinsic security and administration issues of UNIX-based systems (including Linux and macOS) while making satisfying compliance requirements easier. It unifies and consolidates identities, assigns individual accountability, and enables centralized reporting for user and administrator access to UNIX. The Privileged Access Suite for UNIX combines an Active Directory bridge and root delegation solutions under a unified console that grants organizations centralized visibility and streamlined administration of identities and access rights across their entire UNIX environment.

Active Directory bridge

Achieve unified access control, authentication, authorization, and identity administration for UNIX, Linux, and macOS systems by extending them into Active Directory (AD) and taking advantage of AD’s inherent benefits. Patented technology allows non-Windows resources to become part of the AD trusted realm, and extends AD’s security, compliance, and Kerberos-based authentication capabilities to UNIX, Linux, and macOS. See for more information about the Active Directory Bridge product.

Root delegation

The Privileged Access Suite for UNIX offers two different approaches to delegating the UNIX root account. The suite either enhances or replaces sudo, depending on your needs.

  • By choosing to enhance sudo, you will keep everything you know and love about sudo while enhancing it with features like a central sudo policy server, centralized keystroke logs, a sudo event log, and compliance reports for who can do what with sudo.

    See for more information about enhancing sudo.

  • By choosing to replace sudo, you will still be able to delegate the UNIX root privilege based on centralized policy reporting on access rights, but with a more granular permission and the ability to log keystrokes on all activities from the time a user logs in, not just the commands that are prefixed with "sudo." In addition, this option implements several additional security features like restricted shells, remote host command execution, and hardened binaries that remove the ability to escape out of commands and gain undetected elevated access.

    For more information about replacing sudo, see

Privileged Access Suite for UNIX

Privileged Access Suite for UNIX offers two editions: Standard edition and Advanced edition. Both editions include the Safeguard Authentication Services patented technology that allows organizations to extend the security and compliance of Active Directory to UNIX, Linux, and macOS platforms and enterprise applications. In addition:

  • The Standard edition licenses you for Safeguard for Sudo.

  • The Advanced edition licenses you for Privilege Manager for Unix.

Introducing One Identity Safeguard Authentication Services

One Identity Safeguard Authentication Services is patented technology that enables organizations to extend the security and compliance of Active Directory to UNIX, Linux, and macOS platforms and enterprise applications. It addresses the compliance need for cross-platform access control, the operational need for centralized authentication and single sign-on, and enables the unification of identities and directories for simplified identity and access management.

Upgrade requirements

You can upgrade Safeguard Authentication Services from any existing supported version of the product by installing Safeguard Authentication Services on the computer where the old version was installed.

To upgrade Safeguard Authentication Services, you must have local administrator rights to:

  • Create a container and a child container in Active Directory.

  • Join a UNIX host to the Active Directory domain.

NOTE: Have your license available for the Setup wizard.

NOTE: Safeguard Authentication Services 6.0 LTS is stricter about following the default_etypes setting in vas.conf. If the domain is set up to only accept AES encryption types, prior to upgrading:

  1. Open vas.conf.

  2. Navigate to the [libdefaults] section.

  3. Ensure that the default_etypes are set correctly.

    For example:


    default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

About licenses

Safeguard Authentication Services must be licensed in order for Active Directory users to authenticate on UNIX and macOS hosts.


  • New licenses have to be added prior to upgrade.

  • You can install and configure Safeguard Authentication Services on Windows and use the included management tools to UNIX-enable users and groups in Active Directory without installing a license. However, you must have a valid Safeguard Authentication Services license installed for full functionality.

To obtain a license, use the Licensing Assistance page on the One Identity support page or contact your account representative.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating