Release Notes for build 5702 (Dec 10, 2018)
Fixes:
- Issue of product crashing when the configured GINA Frame Text exceeded the character limit during translation.
- Issue which permitted users to close the password reset/account unlock window of the Windows logon agent is fixed.
- XSS vulnerability in the employee search and the self-update layout.
- Issue in translating certain fields in the self-update layout of the end-user portal, from English to the selected language.
- Issue which failed to display the mobile number format for the users in the User Registration section during enrollment.
- Issue which failed to update the authentication settings for the configured mail server in the password expiration notifier free tool.
- Issue in NTLM SSO if the configured service account contains special characters.
- Issue in displaying the strength of the password entered in the reset and change password pages.
- Issue in auto-generating passwords due to inconsistencies in the enforced password policy.
- Issue in modifying the font size of the Chinese characters in the Logon Page Customizer.
- Issue that truncates the email content sent to authenticate users' identity during two-factor authentication.
- Issue in importing enrollment data from MS SQL databases that have NTLMv2 session security enforced.
- Issue which slowed down the generation of Non-Enrolled Users Report.
- Issue which caused SAML-logout failure.
Release Notes for build 5701 (Nov 30, 2018)
Enhancements:
- Trial mode: Test drive this feature by deploying the ADSelfService Plus iOS app for ten users’ mobile devices, with minimal configurations.
- Automated CSR signing from ManageEngine while configuring APNs.
- Schedulers to automate iOS app installation status.
Fixes:
- An XML External Entity vulnerability that occurs while uploading product license is fixed.
- Removed the dependency on OpenSSL as a vulnerability fix.
- Issue in domain data sync which failed to update deleted domain objects in ADSelfService Plus.
- Issue in accessing ADSelfService Plus' portal through the older version of GINA/CP logon agent.
Release Notes for build 5700 (Nov 20, 2018)
Enhancements:
- JRE bundled with ADSelfService Plus is updated to version 1.8.0.162.
- Apache Tomcat server bundled with ADSelfService Plus is updated to version 8.5.32.
- PostgreSQL server bundled with ADSelfService Plus is updated to version 9.4.14.
Release Notes for build 5607 (Oct 22, 2018)
Enhancements:
- The AD Sync scheduler now uses DirSync Control to synchronize only the objects that were modified since the last synchronization.
Release Notes for build 5606 (Oct 16, 2018)
Enhancements:
- Access to Password Expiration Notifier free tool for ADSelfService Plus users with technician role.
- Rebrand the self-service password reset/account unlock window of the Windows logon agent by adding your company image as browser title.
Issues Fixed:
- Issue in sending SMS notifications with non-English characters due to SMS encoding.
- Issue during backup and restoration of database due to character encoding.
- Issue in selecting OUs if the number of selected OUs exceeds 100.
- Issue in changing password if the sAMAccountName contains space.
- Issue in changing password if the domain expects a down-level logon name instead of the entered sAMAccountName.
- Issue in changing password in the mobile browser, when the password strength analyser is disabled.
- Issue in synchronizing passwords with Office 365 when the new password contains a single quote (’).
- Issue during password synchronization which displayed multiple records for a single password reset action in the Reset Password Audit report.
- Issue which updates an invalid character in Active Directory for the entered '&' character in the My Info tab.
- Issue which failed to display user profile photo in My Info tab after it is updated in Active Directory.
- Issue in displaying the enforced password policy rules in the native Windows interface (Ctrl+Alt+Del) for non-English OSs.
- Issue in enforcing the custom password policies when the selected dictionary file contains a backslash (\) or a double quote (").
- Issue in deploying the Mac logon agent if the password of service account used contains a dollar symbol ($) or a forward slash (/).
- Issue which failed to display the password-reveal icon in the native Windows interface when the GINA/CP logon agent is installed.
- Issue which failed to list all the appropriate machines in the New Installation tab and the Installed Machines tab of the GINA/Mac Installation section.
- Issue which failed to display an error message when a user, who doesn't have administrative privileges, attempts to install GINA/CP logon agent.
- Issue which caused the login page of ADSelfService Plus to load indefinitely in Chromebook when NTLM Authentication is enabled.
- Issue in accessing certain datatype (VARCHAR2) columns while fetching enrollment data from an Oracle database connection for Quick Enrollment.
- Issue in Auto Enrollment if the imported enrollment data is encoded in UTF-8 format.
- Issue in sending the scheduled reports in HTML format to the managers.
- Issue which sent old audit data to ADSelfService Plus when there is an interruption in password sync agent service.
- Issue which failed to display the installed password sync agent status in the Windows Control Panel.
- Issue which displayed only ten of the available MS SQL server instances in the changeDB window.
- Issue which shows duplicate values of mobile and mail attributes for certain users in the Enrolled Users report.
- Issue which slowed down the generation of disabled users list during license management.
Release Notes for build 5605 (Sep 27, 2018)
Feature:
- Active Directory-based security questions as an MFA method: You can set up AD-based security questions to authenticate users at the time of self-service password reset and account unlock by comparing their answers with the corresponding AD attributes' value.
Release Notes for build 5604 (Sep 25, 2018)
Issues fixed:
- An XSS vulnerability has been fixed.
Release Notes for build 5603 (Sep 21, 2018)
Highlights:
- SAP NetWeaver password synchronization: Synchronize AD password changes with SAP NetWeaver in real-time.
- Single Sign-on with Active Directory Federation Services (ADFS): ADSelfService Plus adds ADFS to the list of SAML-based identity providers through which users can access its web console.
- One-click logout: Improve security by turning every SAML-based application connected to ADSelfService Plus into a point of logout. When users initiate a logout from the identity provider, the user is also logged out from ADSelfService Plus, and vice versa.
- ADSelfService Plus now supports the Finnish language.
Issues Fixed:
- Issue in Windows logon agent (GINA/Credential Provider extension) which failed to display the password policy enforcement rules in the Ctrl+Alt+Del screen of Windows 10, version 1803 has been fixed.
Release Notes for build 5602 (Aug 17, 2018)
Enhancements:
- Customized verification code length: Specify the length of verification codes to be sent to users via email and SMS from the web console.
- Ability to install GINA/CP logon agent using DNS hostname: The GINA/CP logon agent can now be installed on machines using the DNS hostname in addition to the sAMAccountName.
Issues Fixed:
- Issue in adding service account in domain settings when the password exceeds 100 characters.
- Issue in sending bulk emails due to minimum authentication count set in the SMTP server.
- Issue which listed machines with incomplete client software updates along with the machines on which an error occurred.
- Issue which failed to display the title image of ADSelfService Plus when accessed via mobiles.
- Issue in changing the product logo size.
- Issue which displayed the newly imported questions from CSV as admin-defined questions instead of listing them with the user-defined questions.
- Issue which truncates SMS messages with the '&' character.
- Issue in using custom attributes with Boolean datatype in the self-update layout.
- Issue in sending test SMS from the ADSelfService Plus licensed Clickatell provider.
- ADSelfService Plus now utilizes TLS 1.1 and TLS 1.2 for improved security.
- Issue in configuring OpenLDAP for password synchronization when the domain name contains space.
- Issue which accepted invalid certificates in the Mac logon agent.
- Issue in providing appropriate permissions to technicians for fetching enrollment data from the MS SQL database.
- Issue in generating reports when the MS SQL database name starts with a number.
- Issue in loading the login page when Safari browser attempts to access ADSelfService Plus using an NTLM account.
- Issue in configuring header and footer content in the authentication pages of RSA SecurID, RADIUS Authentication, and Duo Security.
- Issue in password synchronization between multiple domains when users change their password for the first time.
- Issue which denied password reset for a user if an admin had deleted another user with the same display name in Active Directory.
- Issue in password synchronization with Salesforce.
- Issue which prompted users to change their passwords when they attempt to access ADSelfService Plus using SAML-based authentication if their password is set to never expire.
Release Notes for build 5601 (Jul 30, 2018)
Highlight:
- ADSelfService Plus now supports Hebrew language.
Release Notes for build 5600 (Jul 24, 2018)
Highlight:
- The Password Expiration Notifier free tool gets a makeover with a new flat user interface that makes configuring password expiration notifications easier than ever.
Issues fixed:
- Issue in expanding parent OUs to select child OUs in the GINA/Mac logon agent installation page.
- Issue in disabling product and event notification in Server Settings.
- Issue in deleting unowned licenses from the Restrict Users option.
Release Notes for build 5521 (Jun 21, 2018)
Features:
- SAML-based multi-factor authentication (MFA): For self password reset and account unlock, users can now be authenticated using SAML-based identity providers such as OneLogin and Okta.
- SAML-based SSO to access ADSelfService Plus: Allow users to authenticate themselves through SAML-based identity providers for a one click access to ADSelfService Plus.
Enhancements:
- SSO support for Blackboard: ADSelfService Plus now supports SAML-based SSO for Blackboard.
Issue fixed:
- Issue in self password reset when the minimum password age is set.
Release Notes for build 5520 (May 31, 2018)
Highlight:
- Two-factor authentication for Windows logon: Improve security by enforcing two-factor authentication for local interactive and remote desktop logons to Windows clients and servers.
- ServiceNow password synchronization: Now synchronize users' Active Directory passwords with their ServiceNow accounts in real-time.
Issue fixed:
- Security issue in which the HttpOnly flag was missing from the adscsrf cookie has been fixed.
Release Notes for build 5518 (May 7, 2018)
Enhancements:
- Option to set a link expiry time in the secure identity verification link, using the %linkExpireTime% macro.
- The Change Password Audit report now includes information on users who must change their password (after password reset) during their next logon.
- Logs can now be forwarded in Rawlog and CEF formats to any SIEM solution or a syslog server.
- Employee search's scope can be limited to the forest in which the user performing the search resides.
- British English has been added to the list of languages with which you can personalize ADSelfService Plus.
Issues Fixed:
- Broken authentication vulnerabilities which can lead to unauthorized access of the product resources.
- Issue in displaying the Soon-to-Expire Password User report on the next login after a session expiry.
- Issue in logon client (GINA/ Credential Provider agent) installation if the password of the service account used to fetch the domain data contains a backslash (\).
- Issue in generating valid SAML metadata for single sign-on configuration while using default ports.
Release Notes for build 5517 (Apr 17, 2018)
Enhancements:
- Users can now be restricted from having multiple active sessions in ADSelfService Plus concurrently.
- Option to automatically send Soon-to-Expire Account Users and Account Expired Users reports to users’ managers using reports scheduler.
- Now you can define multiple mobile number formats and allow users to enter their mobile number in any of the pre-defined formats during enrollment.
- jQuery bundled with ADSelfService Plus has been upgraded from 1.8.1 to 1.12.2.
- NTLMv2 jar bundled with ADSelfService Plus has been upgraded from 1.1.19 to 1.2.2.
Issues fixed:
- Vulnerability issue in the Windows logon (GINA/CP) client.
- Issue in GINA/CP installer which prevented the deployment of login agents in the latest macOS.
- Vulnerability issue which could lead to attackers exploiting unused HTTP methods in the product has been fixed.
- XSS issue in enrollment.
- Issue in loading the change password page for users with “User must change password at next logon” option enabled.
- Issue in synchronizing password changes with Oracle DB.
- Issue in configuring SonicWall Global and NetExtender VPN clients.
- Issue in migrating from PostgreSQL to MS SQL in Free Edition.
- Issue in approval workflow which failed to update the requests’ “assigned to” status in ADSelfService Plus.
Release Notes for build 5516 (Mar 29, 2018)
Enhancement:
- High availability support: Ensure users have uninterrupted access to self-service password management, single sign-on, and other self-service features by enabling high availability.
Issues fixed:
- Unrestricted file upload issue which could lead to XSS and server-side command execution vulnerabilities has been fixed.
- SSRF vulnerability issue which led to NTLM hash disclosure has been fixed.
- Reflected cross site scripting vulnerability has been fixed.
- Issue in the quick search option available in the graphical reports under the dashboard.
Release Notes for build 5515 (Mar 12, 2018)
Enhancement:
- Enhanced user filtering policy: You can now configure ADSelfService Plus policies with an enhanced user filtration process. In addition to OU/Groups, users can now be filtered by using specific attributes for better usage restriction and license consumption.
For example, you can configure SMS-based two-factor authentication for all users in the domain. Then you can use the 'mobile' attribute in Active Directory as the criterion for the user filter and set the condition to 'is not empty'. This prevents users who will not be able to use SMS-based authentication from falling under the purview of the policy.
Security Fix:
- Improper authentication during SAML single sign-on, which allowed a man-in-the-middle attack by inserting fraudulent user identification, has now been fixed.
Release Notes for build 5513 (Feb 20, 2018)
Features:
- Custom SAML applications: Any application that supports SAML 2.0 protocol for authentication can now be integrated for SSO.
- SAML SSO support for Shufflrr and ADP.
- VPN support extended for SonicWall, SonicWall GlobalNow and Checkpoint.
- Custom VPN providers: Any Type-1 VPN provider is now supported.
Enhancement:
- Option to exclude TFA for service provider (SP) initiated SAML SSO.
- Each of the SAML SSO applications can now support multiple configurations.
- Access to self-service portal can now be restricted to specific IP ranges via AD360 console.
Release Notes for build 5510 (Jan 9, 2018)
Enhancement:
- SSO support for three new apps: Cybozu Office, Garoon, and Mailwise.
- Two-factor authentication with SAML can now be enforced for SP initiated login as well.
Issues fixed:
- Issue on the user login page while accessing ADSelfService Plus from favorites bar in IE11.