ADSelfService Plus Fixes and Enhancements [2021]

Release Notes for build 6113 (Sep 1, 2021)
Issue Fixes:
  • An issue that prevented users with special characters in their passwords from logging in to the portal via the mobile site has now been fixed.
  • An issue that denied users access to the portal even during their permitted logon hours has been resolved.
  • All cookies can now be protected by enabling the HttpOnly flag.
Release Notes for build 6112 (Aug 26, 2021)
Enhancements:
  • Mac Agent support has now been introduced for macOS Big Sur.
  • Mobile app support to block specific email domains and mobile number formats during user enrollment has now been provided.
Issue Fixes:
  • While using the mobile app to reset a password or unlock an account, the enforced number of authentication factors was not verified. This issue has now been resolved.
  • A vulnerability in the Approval Workflow module that allowed an unauthenticated attacker to send emails to domain users has now been fixed.
  • The possibility of a Boolean SQL injection attack during manual account linking for Oracle Database has been eliminated.
  • The security issue of account takeover via machine account creation has now been fixed.
  • The SSRF vulnerability present in the High Availability module has now been fixed.
  • The issue in build 6111 with the MFA for VPN feature in which authentication was bypassed has now been resolved.
  • The password changes were not applied across all linked accounts when the Force Password Synchronization option was enabled in build 6111. This issue has now been fixed.
Release Notes for build 6111 (Aug 2, 2021)
Highlights
  • MFA for OWA/Exchange Server: Strongly secure your Exchange environment with a dedicated multi-factor authentication (MFA) setup with over 17 advanced authentication methods, for Outlook on the Web and Exchange admin center logins.
Feature
  • Support for OpenID Connect and OAuth applications:
    ADSelfService Plus now offers OAuth and OpenID Connect-based single sign-on for any enterprise application that supports these protocols, in addition to the already existing SAML support.

Issue fixes
  • For builds from 6108, users will not be allowed to log in if they have spaces in their passwords.
  • Password expiry notifications were not being sent to the user if the number of days for account expiry contained '0'. This issue has been resolved.
  • The account linking setting for the O365 application was not saved properly when single sign-on was enabled for O365. This issue has been fixed.
Release Notes for build 6110 (Jul 29, 2021)
Security Issue Fix:
  • Fixed the account takeover issue by enforcing SAML signature verification before logging in users through SAML SSO.
Release Notes for build 6109 (Jul 23, 2021)

Issue Fixes:
  • The VPN Group Name field is no longer mandatory while configuring Cisco AnyConnect for updating cached credentials over VPN.
  • The issue that occurred when updating country/region under the Profile tab has been resolved.
  • The issue with domain API verification in Duo configuration has now been fixed.
Release Notes for build 6108 (Jul 14, 2021)

Features

  • Passwordless Login: ADSelfService Plus and other SSO-enabled applications can now be accessed using advanced authentication methods such as biometrics, YubiKey, Google Authenticator, etc.
  • Forced enrollment for machine login MFA: Enforce mandatory enrollment to ADSelfService Plus from login screens to implement MFA for machine access.
  • Exclusive MFA setup for cloud applications: Customize the authentication factor set-up for service provider-initiated SSO-enabled application logins.

Enhancements

  • SAML authenticator: SAML authentication can be included as an authentication factor for ADSelfService Plus logins, Endpoints MFA, and Applications MFA.
  • Language support: ADSelfService Plus now supports Traditional Chinese language.

Issue fixes

  • The macOS login agent was not loading after a restart or shutdown operation. This has been fixed.
  • Enabling the Hide Personalization setting did not force the admin's theme preference over the users' own preference when the users had set a theme preference before this setting was enforced. This issue has been resolved.
  • An issue that caused problems in the SSO login process in the latest versions of browsers has been resolved.
Release Notes for build 6107 (Jul 2, 2021)
  • The jQuery library used in the product has been updated from version 1.11.3 to 3.5.1.
  • The Bootstrap framework used in the product has been updated from version 3.3.6 to 3.4.1.
  • The jQuery UI used in the product has been updated from version 1.9.2 to 1.10.0.
Release Notes for build 6106 (Jun 15, 2021)
Enhancements:
  • Conditional Access: You can now restrict access to the ADSelfService Plus portal and enable NTLM single sign-on, based on a user's location, device used, time of access, and IP address.
  • Duo Device Management Portal: Users can now add or remove Duo-registered devices from the ADSelfService Plus portal.
Issue fixes:

  • User profile images were not being displayed in the Organization Chart when Reverse Proxy was configured. This issue has been resolved.
  • An OU performance issue that caused delays in information retrieval has been resolved.
  • When a user was a member of many groups, the login process was slightly delayed. This issue has been resolved.
Release Notes for build 6105 (May 26, 2021)
Enhancements:

  • Admins can now configure users' managers' email addresses so that managers receive notifications about user activities such as self-service password reset, self-service account unlock, password change, and enrollment.
  • The email verification code generated during enrollment and user identity verification can now be sent to the admin or manager via email.
  • An option has been introduced to block specific email domains and mobile formats provided during user enrollment.
Issue fixes:

  • A vulnerability that led to unauthenticated and authenticated remote code execution through PowerShell injection has been fixed.
  • If the user entered an email address during enrollment and the same email address was later updated as the user's AD mail attribute value, the user did not receive scheduled notifications and the email address was displayed twice during email verification authentication. This issue has been fixed.
  • When users accessed the end-user portal through NTLM Authentication, user actions could not be performed in certain Windows environments. This has been fixed.
  • The configuration of RADIUS authenticator failed when the secret key had specific special characters (<, >, ', ", and &). This has been fixed.
  • An issue that occurred in the secure links generated for email verification has been fixed.
Release Notes for build 6104 (May 8, 2021)
Vulnerability Issue Fixes:
  • A vulnerability that in rare cases allowed bypassing CAPTCHA in the ADSelfService Plus login page has been fixed.
  • A rare Cross-Site Scripting attack vulnerability in the e-mail address field used in the employee search feature has been fixed. (Reporter: Matt; CVE-ID: CVE-2021-27956)
  • A vulnerability that in rare cases can cause Reflected Cross-Site Scripting attacks has been fixed.
  • A vulnerability that in rare cases let attackers expose information about the database application configured for password sync has been fixed.
  • A vulnerability that in rare cases let attackers bypass the IP address-based access restriction on the ADSelfService Plus admin portal has been fixed.

Release Notes for build 6103 (Apr 28, 2021)
Highlight:
  • Zoho OneAuth's OTP authenticator can be used as an MFA method to verify users' identities during password reset and account unlock actions, ADSelfService Plus logins, and machine and VPN logins.
Enhancements:
  • The Linux login agent now supports Ubuntu version 20.x.
  • The password synchronization with OpenLDAP now supports the LDAP Password Modify extended operation (RFC 3062).
  • SAML assertion attributes have been introduced to allow admins to configure the specific attributes that have to be included in the SAML response token sent to the service provider by ADSelfService Plus to prove a user's identity.
Issue Fixes:
  • For SAP NetWeaver password sync, the unlock account functionality is now restricted for accounts that were locked or disabled by the admins.
  • An issue with configuring the Select Duration setting for scheduled reports has been fixed.
  • An issue with generating reports using the Operator technician role has been fixed.
Release Notes for build 6102 (Mar 20, 2021)
Issue Fix:
  • A remote code execution vulnerability (Zoho bug bounty ID: ZVE-2021-0941) caused by a PowerShell script used for password change operations has been fixed.

Release Notes for build 6101 (Mar 5, 2021)
Enhancement:
  • ADSelfService Plus now supports three different methods of Windows login agent installation to improve the installation success rate. The three methods are:
    • Remcom
    • PAExec
    • WMI
Issue Fix:
  • The issue of not receiving a prompt for multi-factor authentication while using the VPN when a language other than English was set for the ADSelfService Plus server has been resolved.