ADSelfService Plus Fixes and Enhancements [2021]
Release Notes for build 6118 (Nov 30, 2021)
Issue Fix :
- An issue in renewing the SAML certificate when ADSelfService Plus is the identity provider has now been fixed.
Release Notes for build 6117 (Nov 15, 2021)
Highlight :
- Azure
AD MFA support: Azure AD MFA can now be used for identity verification
during self-service reset/unlock; self-service portal login; cloud
application, machine and OWA logins. This method is supported in both
web and mobile applications.
Enhancement :
- RADIUS challenge support has now been provided for RADIUS multi-factor authentication.
Issue Fixes :
- An issue in the Enrolled Users Report while sorting the users' mobile numbers has now been resolved.
- OWA context was added twice in the server.xml file when service pack installation failed. This issue has now been resolved.
- An
issue in which the content-type was missing in the response when the
mobile site URL had js, css, image, and cewolf as resource types has now
been fixed.
- When
the answer to the security question were all numbers, users were unable
to prove their identity for password reset/unlock account via the
mobile application. This issue has now been fixed.
- A login issue which occurred when users committed an error of adding spaces in the beginning and end of the username and when the username contained % has now been fixed.
Release Notes for build 6116 (Sep 30, 2021)
Security Issue Fixes :
- All the API endpoints have now been strengthened to be more secure.
- A security vulnerability which allowed performing unauthenticated UMCP operation using REST API has now been fixed.
- The access to the domain password policy HTML has now been restricted for all users.
Issue Fix :
- A minor change has been implemented to display the username and password fields on the same login page now.
Release Notes for build 6115 (Sep 24, 2021)
Issue Fixes :
- When
a custom attribute's display name containing \ or " was added to the
employee search display column, no results were returned for an employee
search. This issue has now been fixed.
- An issue in the Linux Login Agent specific to Ubuntu 18.04.5 LTS has now been resolved.
- An
issue in integrating ADManager Plus with ADSelfService Plus when the
provided admin/technician account's password contained % has now been
fixed.
- Login issue when the username contained space has now been resolved.
Release Notes for build 6114 (Sep 7, 2021)
Security Issue Fix:
- An authentication bypass vulnerability affecting REST API URLs, that could result in Remote Code Execution, has now been fixed. [CVE-2021-40539]
Severity: Critical
Note:
As we notice indications of exploitation of this vulnerability,
customers are requested to update the software to the latest version as
soon as possible.
Feature:
- SAML SSO support for ServiceDesk Plus: ADSelfService Plus now supports single-sign on (SSO) to the on-premises version of ManageEngine ServiceDesk Plus.
Enhancement:
- Migrated
from JavaPNS to Pushy library (v0.14.1) and from NotNoop to Pushy
library (v0.14.1), for sending iOS notifications and pushing the mobile
application respectively, when the MDM profile is installed.
Release Notes for build 6113 (Sep 1, 2021)
Issue Fixes :
- An issue which restricted users with special characters in their passwords from logging in to the portal via the mobile site has now been fixed.
- An issue that restricted users access to the portal even during the permitted logon hours has been resolved.
- All cookies can now be protected by enabling the HttpOnly flag.
Release Notes for build 6112 (Aug 26, 2021)
Enhancements:
- Mac Agent support has now been introduced for macOS Big Sur.
- Mobile app support to block specific email domains and mobile number formats during user enrollment has now been provided.
Issue Fixes :
- While
using the mobile app to reset password/unlock account, the forced
number of authentication factors were not verified. This issue has now
been resolved.
- A
vulnerability in the Approval Workflow module which facilitated an
unauthenticated attacker to send emails to domain users has now been
fixed.
- The possibility of a Boolean SQL injection attack during manual account linking for Oracle Database has been eliminated.
- The security issue of account takeover via machine account creation has now been fixed.
- The SSRF vulnerability present in the High Availability module has now been fixed.
- The issue in build 6111 with the MFA for VPN feature in which authentication was bypassed has now been resolved.
- The password changes were not applied across all linked accounts when the Force Password Synchronization option was enabled in build 6111. This issue has now been fixed.
Release Notes for build 6111 (Aug 2, 2021)
Highlights
- MFA for OWA/Exchange Server: Strongly secure your Exchange environment with
a dedicated multi-factor authentication (MFA) setup with over 17
advanced authentication methods, for Outlook on the Web and Exchange
admin center logins.
Feature
- Support for OpenID Connect and OAuth applications:
ADSelfService Plus now offers OAuth and OpenID Connect-based single sign-on for any enterprise application that supports these protocols, in addition to the already existing SAML support.
Issue fixes
- Users will not be allowed to login if they have spaces in their passwords, for builds from 6108.
- Password
expiry notifications were not being sent to the user, if the number of
days for account expiry contains '0'. This issue has been resolved.
- The account linking setting for O365 application was not saved properly when single sign-on is enabled for O365. This issue has been fixed.
Release Notes for build 6110 (Jul 29, 2021)
Security Issue Fix :
- Fixed the account takeover issue by enforcing SAML signature verification before logging in users through SAML SSO.
Release Notes for build 6109 (Jul 23, 2021)
Issue Fixes :
- The VPN Group Name field is no longer mandatory while configuring Cisco AnyConnect for updating cached credentials over VPN.
- The issue that occurred when updating country/region under the Profile tab has been resolved.
- The issue with domain API verification in Duo configuration has now been fixed.
Release Notes for build 6108 (Jul 14, 2021)
Features
- Passwordless Login:
ADSelfService Plus and other SSO-enabled applications can now be
accessed using advanced authentication methods such as biometrics,
YubiKey, Google Authenticator, etc.
- Forced enrollment for machine login MFA: Enforce mandatory enrollment to ADSelfService Plus from login screens to implement MFA for machine access.
- Exclusive MFA setup for cloud applications: Customize the authentication factor set-up for service provider-initiated SSO-enabled application logins.
Enhancements
- SAML authenticator:
SAML authentication can be included as an authentication factor for
ADSelfService Plus logins, Endpoints MFA, and Applications MFA.
- Language support: ADSelfService Plus now supports Traditional Chinese language.
Issue fixes
- The macOS login agent was not loading after a restart or shut down operation. This has been fixed.
- Enabling
Hide Personalization setting did not force the admin's theme preference
over the users when the users' theme preference was set before the
enforcement of this setting. This issue has been resolved.
- An issue that caused trouble in the SSO login process in the latest versions of browsers has been resolved.
Release Notes for build 6107 (Jul 2, 2021)
- The jQuery library used in the product has been updated from version 1.11.3 to 3.5.1.
- The Bootstrap framework used in the product has been updated from version 3.3.6 to 3.4.1.
- The jQuery UI used in the product has been updated from version 1.9.2 to v1.10.0.
Release Notes for build 6106 (Jun 15, 2021)
Enhancements:
- Conditional Access: You can now restrict access to the ADSelfService Plus portal and enable NTLM single sign-on, based on a user's location, device used, time of access, and IP address.
- Duo Device Management Portal: Users can now add or remove Duo-registered devices from the ADSelfService Plus portal.
Issue fixes:
- User profile images were not being displayed in the Organization Chart when Reverse Proxy was configured. This issue has been resolved.
- An OU performance issue that caused delays in information retrieval has been resolved.
- When a user is a part of many groups, the login process was slightly delayed. This issue has been resolved.
Release Notes for build 6105 (May 26, 2021)
Enhancements:
- Admins can now configure users' managers email addresses to send them notifications about user activities like self-service password reset, self-service account unlock, password change, and enrollment.
- The email verification code generated during enrollment and user identity verification can now be sent to the admin or manager via email.
- An option has been introduced to block specific email domains and mobile formats provided during user enrollment.
Issue fixes:
- A vulnerability which lead to unauthenticated and authenticated remote code execution through PowerShell injection has been fixed.
- If the user entered an email address during enrollment and the same email address was later updated as the user's AD mail attribute value, the user did not receive scheduled notifications and the email address was displayed twice during email verification authentication. This issue has been fixed.
- When users access the end-user portal through NTLM Authentication, user actions could not be performed in certain Windows environments. This has been fixed.
- The configuration of RADIUS authenticator failed when the secret key had specific special characters (<, >, ', ", and &). This has been fixed.
- An issue that occurred in the secure links generated for email verification has been fixed.
Release Notes for build 6104 (May 8, 2021)
Vulnerability Issue Fixes:
- A vulnerability that in rare cases allowed bypassing CAPTCHA in the ADSelfService Plus login page has been fixed.
- A rare Cross-Site Scripting attack vulnerability in the e-mail address field used in the employee search feature has been fixed. (Reporter: Matt CVE-ID: CVE-2021-27956))
- A vulnerability that in rare cases can cause Reflected Cross-Site Scripting attacks has been fixed.
- A vulnerability that in rare cases let attackers expose information about the database application configured for password sync has been fixed.
- A vulnerability that in rare cases let attackers bypass the ADSelfService Plus' admin portal access restriction based on IP addresses has been fixed.
Release Notes for build 6103 (Apr 28, 2021)
Highlight:
- Zoho OneAuth's OTP authenticator can be used as an MFA method to verify users' identities during password reset and account unlock actions, ADSelfService Plus logins, and machines and VPN logins.
Enhancements:
- The Linux login agent now supports Ubuntu version 20.x.
- The password synchronization with OpenLDAP now supports the Extended Password modify operation - (RFC-3062).
- SAML assertion attributes have been introduced to allow admins to configure the specific attributes that have to be included in the SAML response token sent to the service provider by ADSelfService Plus to prove a user's identity.
Issue Fixes:
- For SAP NetWeaver password sync, the unlock account functionality is now restricted for accounts that were locked or disabled by the admins.
- An issue with configuring the Select Duration setting for scheduled reports has been fixed.
- An issue with generating reports using the Operator technician role has been fixed.
Release Notes for build 6102 (Mar 20, 2021)
Issue Fix:
- A remote code execution vulnerability (Zoho bug bounty ID: ZVE-2021-0941) caused by a PowerShell script used for password change operations has been fixed.
Release Notes for build 6101 (Mar 5, 2021)
Enhancement:
- ADSelfService Plus now supports three different methods of Windows login agent installation to ensure success rate. The three methods are :
- Remcom
- PAExec
- WMI
Issue Fix:
- The issue of not receiving a prompt for multi-factor authentication while using the VPN when languages other than English are personalized for the ADSelfService Plus server has been resolved.