ADSelfService Plus Fixes and Enhancements [2025]

Release Notes for build 6518 (Sep 24, 2025)

Enhancements
  1. The Tomcat version used in the product has been updated to 9.0.109.
  2. ADSelfService Plus now supports PKCE (Proof Key for Code Exchange) in OAuth authorization flows, enhancing security for both server-based and client-only applications.
  3. Security hardening has been implemented to safeguard your instance with appropriate security recommendations.
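Enhancement 2 above adds PKCE to the OAuth authorization-code flow. What PKCE buys is that an authorization code is useless to anyone who intercepted it but does not hold the client's code_verifier. The following is an added example, not ADSelfService Plus code, and the AuthorizationServer class, its authorize/token methods and the pkce_flow helper are constructed stand-ins for the two endpoints; it implements the S256 transform from RFC 7636 and checks it against that RFC's published test vector.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

# code_verifier syntax per RFC 7636 section 4.1: 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier known only to the client; 32 random bytes give 43 chars."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical authorization-server side of PKCE (constructed for this example).

    The challenge is bound to the authorization code it issues; at the token
    endpoint the server recomputes S256 over the presented verifier. Only S256
    is accepted, because with 'plain' the challenge *is* the verifier, so anyone
    who can read the authorization request can also redeem the code.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """/authorize: record the challenge and return a one-time authorization code."""
        if code_challenge_method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[dict]:
        """/token: redeem the code; returns a token dict, or None on any failure."""
        challenge = self._pending.pop(code, None)  # a code is single-use, even on failure
        if challenge is None or not _VERIFIER_RE.match(code_verifier):
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def pkce_flow(server: AuthorizationServer, attacker_has_code: bool = False) -> Optional[dict]:
    """Run one flow. With attacker_has_code=True, model an attacker who captured the
    authorization code (e.g. from a redirect URI) but not the verifier."""
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    if attacker_has_code:
        return server.token(code, make_code_verifier())  # guessing a verifier fails
    return server.token(code, verifier)
```

Two points to check when reviewing a PKCE-enabled client or server: the server must refuse to fall back to `plain` (or to no PKCE at all) for a client that started with S256, and the authorization code must be consumed on the first redemption attempt whether or not the verifier matched.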
Issue fixes
  1. An issue where Force Enrollment was skipped when UMCP (User Must Change Password) was enforced has been fixed.
  2. Login page loading performance when rendering domains has been improved.
  3. An issue where SSHA (salted SHA-1) password hashing failed with OpenLDAP and 389 Directory Server has been fixed.
  4. Issues with Google Password Sync caused by configuring more than one Google Workspace for a single user have been resolved.
  5. An issue caused by idle SP-initiated SAML login sessions to the portal has been resolved.
  6. An issue where CPU utilization reached 100% when multiple users logged in simultaneously via SSO has been resolved.
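Issue fix 3 above concerns the {SSHA} userPassword scheme that OpenLDAP and 389 Directory Server store. The value is not an encryption of the password but base64(digest || salt), where digest = H(password || salt) and the salt is recovered from the stored value at verification time. The following is an added example, not ADSelfService Plus code, showing how such a value is produced and checked; it also covers the {SSHA256}/{SSHA512} variants that use the same layout, which is an assumption about those schemes rather than something this page states.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Salted-hash schemes sharing the digest||salt layout: OpenLDAP's {SSHA} and the
# SHA-2 variants offered by slapd's pw-sha2 module and 389 Directory Server.
_SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA512": hashlib.sha512,
}


def ssha_hash(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Return a userPassword value of the form {SCHEME}base64(H(password || salt) || salt)."""
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    if salt is None:
        salt = os.urandom(8)  # a few random bytes; the length is not fixed by the format
    digest = _SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA*} value.

    The salt is the tail of the decoded value, after the digest, so nothing
    secret is needed to verify. Malformed input yields False rather than an
    exception so a bad directory entry cannot crash the caller.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    size = _SCHEMES[scheme]().digest_size
    if len(raw) <= size:
        return False  # no salt bytes present: not a valid salted hash
    digest, salt = raw[:size], raw[size:]
    candidate = _SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

When a directory sync produces values that the directory rejects, decode the stored string and check that the decoded length is strictly greater than the digest size for the scheme; a value with no salt bytes, or a plain {SHA} value mislabelled as {SSHA}, is the usual cause.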

Release Notes for build 6517 (Jul 21, 2025)

Feature
  1. FIDO2 Passkeys support for machine logins: FIDO2 Passkeys can now be used as an MFA method for logins to Windows, macOS (including offline MFA), and Linux machines. This enhances security by ensuring robust, phishing-resistant authentication right from the initial point of access.

Enhancements

  1. The commons-fileupload-1.5.jar and esapi-2.6.0.0.jar files used in the product have been upgraded to commons-fileupload-1.6.0.jar and esapi-2.7.0.0.jar, respectively.

  2. Login agent registry settings are now synchronized with agent-installed machines in real time during MFA verification, ensuring that configuration changes take effect immediately without having to wait for the GINA/macOS/Linux Customization Scheduler to run.

Issue fixes

  1. An issue that caused empty emails to be sent out instead of the scheduled Agent Installed Machines Report has now been fixed.
  2. Fixed an issue where I18N property file customizations did not replicate to the secondary server in High Availability environments.

Release Notes for build 6515 (May 29, 2025)

Enhancements

  1. 1Kosmos is now supported as an Identity Provider for both SSO and SAML MFA configurations.

  2. The Tomcat version has been upgraded from 9.0.102 to 9.0.104.

  3. The Java Runtime Environment (JRE) has been upgraded from Azul Zulu version 8.84.0.15 to 8.86.0.25.

  4. The Bootstrap library has been updated to a customized version with unused components removed, and the Bootstrap-select plugin has been customized with enhanced HTML sanitization to mitigate reported vulnerabilities.

  5. The Highcharts library has been updated to a customized version with manually applied security patches.

  6. The jQuery and jQuery UI libraries have been upgraded to versions 3.7.1 and 1.14.0.

  7. The Moment.js library has been upgraded to version 2.29.4.

  8. The DOMPurify library has been upgraded to version 2.5.8.

  9. The Spring JARs used in the Service Proxy Membrane component have been updated to a secure, patched version.

Issue fixes

  1. A performance issue where the OU tree took longer to load when multiple OUs were expanded has now been fixed.

  2. An issue that prevented audit report schedulers from executing when handling large volumes of audit data has been fixed.

  3. An issue that prevented password synchronization with Entra ID for tenants in the China region has been fixed. Support is now available for China, US, and Global regions.


Release Notes for build 6514 (April 22, 2025)

Enhancements

  1. ADSelfService Plus now supports MFA for logins to Red Hat (versions 8.x to 9.x) and Rocky Linux (versions 8.x to 9.x) machines.

  2. In addition to email notifications, admins can now get instant SMS alerts to monitor ADSelfService Plus service startups and downtime.

Issue fixes

  1. An SQL injection vulnerability (CVE-2025-3833) that allowed any authenticated ADSelfService Plus technician to execute arbitrary SQL queries through the Reports module has been fixed.

  2. An issue that prevented mobile numbers containing the character X from being updated during directory self-update has been fixed.

  3. An issue that prevented users from configuring passwords containing the $ special character during password resets or changes has now been resolved.

  4. An issue that prevented the ADSelfService Plus MFA connector from being installed on RD Web Access servers with a default language that was not English has been resolved.

  5. An issue where, when the ADSelfService Plus login agent was installed via GPO, the Button Text parameter stored unreadable characters in the registry instead of the correct Unicode characters (such as Polish letters) has now been resolved.

  6. An issue where error messages from login agent installation failures were displayed as garbled values in the Agent Installation Failures Report when the ADSelfService Plus server's system locale was set to Japanese has been resolved.

  7. An issue where password synchronization with AD failed if the AD domain was added into ADSelfService Plus with the NetBIOS name instead of the DNS name has been fixed.

  8. An issue that caused password synchronization with SAP NetWeaver to fail for SAP service, reference, system and communication users has been resolved.

  9. An issue that removed Turkish characters from exported PDF reports when ADSelfService Plus was configured to use English as the display language has now been fixed.

  10. An issue preventing the customization of columns in reports generated by the free Password Expiration Notification tool in ADSelfService Plus has now been fixed.

  11. An issue that caused users who had never logged into ADSelfService Plus to be excluded from the Soon-To-Expire User Passwords Report sent to admins has now been fixed. This issue occurred when push notifications were enabled for the password expiry notification.

  12. An issue that prevented non-English characters from being used in the State and City fields while generating a self-signed SSL certificate through the built-in SSL Certificate Tool has been fixed.

  13. An issue that prevented audit logs from being forwarded to the syslog server has been fixed.

  14. An issue where whitespace characters in the SAML response signature caused some applications to fail signature validation has been fixed.


Release Notes for build 6513 (April 03, 2025)

Enhancements

  1. Support for Smart Card Authentication using USB devices like YubiKeys and PIV cards has now been extended beyond the ADSelfService Plus portal to include logins to VPNs, Outlook Web Access, and Windows machines.

  2. MFA for VPNs can be configured with any authenticator offered by ADSelfService Plus, including FIDO Passkeys, Smart Card Authentication, and other MFA methods not natively supported by the VPN client, by clicking a secure browser-based link.

  3. The Account Blocking feature has been enhanced to secure Active Directory accounts by extending its coverage to both portal logins and enterprise applications, providing comprehensive protection against unauthorized access.

  4. The Account Blocking feature has been enhanced to allow admins to control or automate the unblocking of accounts blocked due to failed authentication attempts.

  5. Separate authenticators can now be configured for self-service password resets and account unlocks.

  6. Granular MFA enforcement on protected Windows resources can now be applied to specific sets of users via policies.

  7. ADSelfService Plus now supports auto-launching SSO applications upon user logins, streamlining access to apps and eliminating the need for extra clicks.

  8. SAML attribute assertions can now be passed for multi-valued attributes, enabling applications to support complex user attributes more efficiently.

  9. Bookmark applications for SSO: ADSelfService Plus now offers a Bookmark feature, which provides a convenient way to integrate external applications that do not support protocols like SAML, OAuth, or OIDC into the user portal.

  10. Admins can now choose to perform report generation, license management, and login agent installation exclusively on parent OUs, without affecting the child OUs.

  11. An option to skip MFA during OWA logins if the user has not enrolled for the required authenticators has been added.

  12. Admins can now limit the number of secondary email addresses and phone numbers a user can add to their profile.

  13. A username format will now need to be configured to use the TOTP-based authenticators offered for MFA.

  14. Using the Password Policy Enforcer, you can now force your users to set strong passwords that match custom regex patterns.

  15. The Notification Delivery Report and Password/Account Expiry Notifications Delivery Report now include additional columns with information about the recipient's (admin or manager) email address.

Issue Fixes

  1. To prevent replay against resources protected with TOTP-based authenticators, a TOTP that has already been used once to verify the user's identity is now rejected even if its lifetime has not yet expired.

  2. An issue that prevented user enrollment data for FIDO Passkeys from appearing in the MFA Enrollment Audit Report has been resolved. This issue occurred following modifications to the Access URL.


Release Notes for build 6512 (Mar 10, 2025)

Enhancement

  • Minor updates have been made to enhance the integration of ADSelfService Plus with ManageEngine AD360 build 4407.


Release Notes for build 6511 (Feb 26, 2025)

Issue Fixes
  1. An account takeover vulnerability (CVE-2025-1723) caused by session conflicts has been fixed.

  2. The push notification certificate on the ADSelfService Plus iOS app has been renewed.


Release Notes for build 6510 (Jan 2, 2025)

Enhancements
  1. macOS 15 Sequoia is now supported by the macOS login agent for MFA and self-service password resets and account unlocks from the machine login screen.
    Note: This support is limited to devices with Apple silicon.

  2. The Apache Tomcat version used in the product has been updated to 9.0.98.


Issue Fixes

  1. Security enhancements have been made to the communication between the ADSelfService Plus server and the OWA MFA connector.
    Note: After updating ADSelfService Plus to build 6510, it is recommended to reinstall the OWA MFA connector for OWA MFA to work properly.

  2. An issue that prevented user restriction or license removal in bulk has been fixed. This issue occurred when ADSelfService Plus was integrated with AD360 or configured to use the MS SQL database.

  3. An issue causing delays in Endpoint MFA logins during high volumes of concurrent MFA requests has now been resolved.

  4. An issue where reports visible on the primary server were not displayed on the secondary server during failover has been fixed.

  5. An issue that prevented the configuration of High Availability when SSL was enabled for MS SQL database connections using the JDBC driver has been fixed.

