ADSelfService Plus Fixes and Enhancements [2024]
Release Notes for build 6509 ( Nov 15, 2024 )
Enhancements
The Windows login agent is now compatible with devices running on ARM64 processors.
Issue fixes
An issue that caused the Windows login agent to deny RDP connections between Windows machines in untrusted domains has been fixed. This issue occurred on builds 6504 and later.
A display issue that caused the login agent prompts on 2K monitors to appear zoomed-in has been fixed.
An issue that caused domain technicians not included under a policy to be redirected to the User Disclaimer page upon logging in has been fixed. This issue occurred when a User Disclaimer was enabled for users.
Enhancements
The Spring Framework JAR files used in the product have been updated to version 5.3.39.
The PostgreSQL JDBC driver used in the product has been updated to version 42.5.6.
Issue Fixes
An issue which prevented high availability configurations from being saved when ADSelfService Plus was using an external MS SQL database with Windows Authentication has been fixed.
An issue where enrolled users imported from other databases received enrollment notifications repeatedly has been fixed.
An issue where SSO logins to ADSelfService Plus failed even upon successful identity verification has been fixed. This issue occurred when ADSelfService Plus was updated to builds 6504 or later, from builds 6304 or earlier.
An issue that prevented the Duo verification page from loading during MFA has been fixed. This issue occurred on builds 6504 through 6507.
Issue Fixed
- A memory leak issue caused while decrypting the password sent by the password sync agent.
Issue Fixes
An issue that caused users' sessions to expire during the password reset process has now been fixed. This issue occurred on Safari browsers when audio CAPTCHA was used.
An issue that prevented admins from increasing the number of records displayed in the MFA Trusted Browsers and MFA Trusted Machines reports has been resolved.
An issue with the Mail Group Subscription feature, where mail groups from only two child domains could be subscribed to or unsubscribed from even when other child domains were present, has now been fixed.
Enhancement
Password synchronization with Microsoft 365/Entra ID (Azure) and Microsoft Dynamics CRM can now be achieved using OAuth client credentials, enabling you to choose modern authentication via OAuth instead of password authentication for password synchronization.
Feature
Integration with ManageEngine ServiceDesk Plus Cloud: Admins can now effortlessly track users' self-service actions by integrating ADSelfService Plus with ServiceDesk Plus Cloud. Upon integration, each self-service action will automatically generate a ticket in ServiceDesk Plus Cloud, ensuring seamless monitoring and management. Learn more about integrating ADSelfService Plus with ServiceDesk Plus Cloud here.
Enhancements
The Apache Tomcat version used in the product has been updated to 9.0.93.
Log files sent to the support team for troubleshooting from the ADSelfService Plus admin portal or manually uploaded from the ADSelfService Plus installation directory can now be selected based on the date and type of log file.
The file cleanup functionality has been extended to log files and database backups. These files can now be configured for automatic deletion once the retention period is over.
Exported reports from ADSelfService Plus can now be protected using a password.
Issue Fixes
An issue where a single Windows authentication failure was counted twice against the allowed number of incorrect password attempts has now been fixed. This issue occurred on machines with the Windows login agent installed.
An issue that reduced the size of the force enrollment pop-up on 4K monitors has now been fixed.
An issue that prevented push notifications from being sent to Android devices has now been fixed.
An issue with displaying the enforced password rules while changing the password of product administrator accounts has now been fixed.
An issue that prevented users from being redirected to Duo Security for MFA if ADSelfService Plus was accessed using a URL other than the access URL has now been fixed.
An issue that disrupted the ADSelfService Plus service during password synchronization with OpenLDAP Server for usernames containing Turkish characters has now been fixed.
An issue that prevented access to ADSelfService Plus via any shortcut icon when the product was already running in the background has now been fixed. This issue occurred when a context path was configured for ADSelfService Plus.
An issue where users with the Password must never expire setting selected in AD were forced to change their passwords upon logging into ADSelfService Plus has now been fixed. This issue was encountered by users for whom passwordless logins were enabled.
An issue that caused MFA using Security Questions and Answers to fail even when the answers were correct has now been fixed. This issue occurred when the Security Questions and Answers were displayed one-by-one.
An issue that caused images in emails sent from ADSelfService Plus to be displayed as previews when viewed via the iOS Mail app has been fixed.
An issue that prevented password expiry notifications from being sent to users whose passwords have expired, has now been fixed.
Release Notes for build 6503 ( Aug 5, 2024 )
Feature
Cached credentials in Windows machines can now be updated without a VPN. Learn more about updating cached credentials using ADSelfService Plus.
Issue Fixes
An issue causing a blank screen when accessing the Windows login agent on machines with a base language other than English, but with the English language pack downloaded and installed, has been fixed.
An issue with disconnecting custom Open VPN clients after the cached credentials update has been fixed.
Release Notes for build 6502 ( Jul 12, 2024 )
Device Management Portal support, which allows end users to manage their Duo-registered devices from the self-service portal, has now been extended to Duo Web SDK v4.
Face authentication from Android devices can now be an additional biometric authentication method alongside fingerprint authentication for MFA.
Issue Fix
An issue that caused the custom logo to be hidden on the machine login screen when a context path is set has now been fixed.
Issue fixes
An issue that caused incorrect messages to be displayed during failed CAPTCHA attempts has now been fixed.
An issue that occurred while restricting unowned licenses when multiple accounts with the same username exist across different domains has now been fixed.
The PostgreSQL database bundled with ADSelfService Plus has been updated to version 14.12 for 64-bit machines.
The Apache Tomcat version used in the product has been updated to 9.0.89.
The JRE version used in the product has been updated to Zulu jre8_0_412.
The JVM Wrapper version used in ADSelfService Plus has been updated to v3_5_51.
ADSelfService Plus now utilizes the JDBC driver for SQL server connections.
An issue that occurred from builds 6407 up to 6409, where the User Attempts Audit Report displayed the ADSelfService Plus server's loopback IP address instead of users' IP addresses has now been fixed.
An issue preventing SP-initiated OAuth SSO logins even when authentication was successful in ADSelfService Plus has now been fixed.
An issue with regenerating expired SAML encryption certificates when SAML authentication was configured after the certificate expired, has now been fixed.
An issue in the mail server configuration settings where multiple email addresses could not be saved if there was a space after each comma separating them has now been fixed.
An issue with updating the location of the VPN client in the Registry Editor when the Windows login agent was installed via GPO has been fixed.
An issue that prevented Syslog and Splunk configurations from being saved while the TCP 7 port was disabled has now been fixed.
An issue that prevented the use of images with uppercase extensions in the product has now been fixed.
An issue that prevented SSO logins to Microsoft 365 has now been fixed.
- An issue caused by duplicated authenticator priority values, that resulted in the update of ADSelfService Plus from version 6221 to 6403 to fail, has been fixed.
- An issue that prevented the modification of password expiry notifications in languages other than English upon updating ADSelfService Plus from build 6213 or earlier, has now been fixed.
- An issue causing an existing domain to disappear from ADSelfService Plus' UI when an administrator attempted to add a domain controller with the same name as the domain, has now been fixed.
- New reports for deeper insights: ADSelfService Plus now offers fourteen new reports that provide deeper insights on user behavior pertaining to MFA usage and self-service actions.

- SSO for ManageEngine applications: Provide one-click, secure, passwordless access to ManageEngine applications like Endpoint Central, ADAudit Plus, PAM360, and more, through SAML SSO.

- ADSelfService Plus now allows the configuration of RADIUS response attributes that determine the user groups or roles for VPN connections, or other purposes.

- Conditional Access policies can now be applied to VPN connections protected by MFA.

- Enrollment Notifications sent via SMS can now be configured for users opting for Quick Enrollment.

- ADSelfService Plus now allows admins to have granular control over the notifications generated for different enrollment or self-service actions.

- Admins can now receive notifications about unsuccessful user access attempts.

- Users are now restricted from enrolling for MFA using an email or mobile number that has already been used for enrollment by another user.

- Policy Names and Conditional Access Rules pertaining to users attempting MFA are now audited, and can be viewed as part of MFA audit reports.

- The Password Synchronization feature now supports Oracle's multitenant architecture.

- Admins can now configure soon-to-expire password SMS notifications for users' secondary mobile numbers.

Users' linked accounts can now be automatically unlocked upon successful password resets.
 - Email notifications can now be sent to administrators when ADSelfService Plus restarts after a downtime period.

- The Tomcat version has been upgraded to 8.5.99.
- An issue that occurred when logging in using Citrix Workspace in a machine with the ADSelfService Plus Windows login agent installed has now been fixed.
- An issue on macOS version 12 where the login agent freezes when using Duo MFA has been fixed.
- An issue in upgrading from builds 6400 and 6401 when syslog is configured for log forwarding in ADSelfService Plus through ManageEngine AD360 has now been fixed.
- Login failure in Windows machines caused by exceeding the idle timeout limit has now been fixed.
- An issue in synchronizing passwords that contain HTML characters using a custom script has been resolved.
- An issue causing the CSS parser JAR file to be duplicated when upgrading from builds 5806 and below has been fixed.
- An issue with displaying the customized text added in the Language Customization page has now been fixed.
- An issue with the "Trust this machine" option not functioning as intended during high user login attempts has now been fixed.
Just-in-Time user provisioning for applications: ADSelfService Plus now supports Just-in-Time user provisioning for Assetsonar, Monday.com, Peakon, Slack, and more applications .
Issue Fixes
An issue causing an Invalid access URL error while authenticating with Duo Security from the ADSelfService Plus mobile site has been fixed. This issue occurred when ADSelfService Plus was utilizing a reverse proxy set up on a separate machine.
An issue that prevented access to ADSelfService Plus via any shortcut icon when the product was already running has now been fixed.
An issue with the enforce enrollment login script that affected the working of the Duo Universal prompt when ADSelfService Plus was using the default port for HTTP or HTTPS connections has now been fixed.
An issue that caused an Invalid Request error when setting up mail configurations on non-English deployments of ADSelfService Plus has now been fixed.
An issue causing the Tenant ID value in OAuth mail configurations to disappear upon integrating ADSelfService Plus with AD360, has been fixed.
An issue that caused OAuth SSO login failures while using the PKCE code challenge has now been fixed.
Enhancements
REST API-based integration support has been provided for the RSA authenticator.
The RSA authenticator now supports policy-based configuration.
A Username Pattern has been introduced for RSA authentication to efficiently manage issues caused by multiple domains having similar usernames.
Issue Fixes
The ADSelfService Plus MFA connector for OWA MFA can now be installed on Exchange servers which also act as domain controllers.
An issue which prevented users from uploading their AD photo attribute using the directory self-update feature when the file extension of the image was in uppercase letters has been resolved.
An issue that prevented password changes and resets using the ADSelfService Plus mobile site if the password contained a unicode character, despite the password policy mandating it, has now been fixed.
An issue that prevented initial logins to machines using the manually-installed login agent when the ADSelfService Plus server was inaccessible, has now been fixed.
A loading issue that domain technicians without a designated policy experienced while attempting to access ADSelfService Plus from AD360 has been fixed.
An issue that prevented SMTP settings from being saved if the admin's display name had more than one space has now been fixed.
An issue caused while configuring a high availability deployment of ADSelfService Plus with an external PostgreSQL database has now been fixed.
An issue that prevented attachments with the .docs extension from being sent with emails from ADSelfService Plus has now been fixed.
An issue that prevented the Mobile App Deployment page from loading when the domain name began with a numeral has now been fixed.
An issue that caused the Access URL to revert to the hostname when an SSL certificate was applied has now been fixed.
Issues with password changes and resets using the SHA-1 algorithm for the OpenLDAP and 389 Directory Server have now been fixed.
An issue that caused the login agent to display a Server Unreachable error when ADSelfService Plus had a context path configured has been fixed.
An issue that caused incorrect search results to be displayed while searching for computers under the Conditional Access section has now been fixed.
An issue that caused restricted users to consume licenses while attempting password resets or account unlocks from the self-service portal has now been fixed.
Feature
FIDO Passkeys for phishing-resistant MFA: FIDO-compliant device-authenticators like Windows Hello, Apple Face ID/Touch ID, Android Biometrics, and security keys like YubiKeys, Google Titan Keys etc., can now be used to protect access to applications for a secure, passwordless experience.
- The Spring Framework JAR files used in the product have been updated to version 5.3.28.
- An authenticated RCE security vulnerability (CVE-2024-0252) in the load balancer component of ADSelfService Plus has been fixed. This vulnerability was reported by Joe Zhoy.