Advanced Authentication 6.0 includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, use the link at the bottom of any page in the HTML version of the documentation posted at the Advanced Authentication NetIQ Documentation page. To download this product, see the Advanced Authentication Product website.
Advanced Authentication 6.0 provides the following key features, enhancements, and fixes in this release:
This release introduces the following features:
Advanced Authentication introduces facial recognition as an authentication method, using face biometrics as a factor in multi-factor authentication. Users present their face to the camera and are authenticated within seconds.
Advanced Authentication now supports Google reCAPTCHA as a policy. With reCAPTCHA, you can prevent bot attacks on the Advanced Authentication web portals by confirming that the user trying to log in is a human rather than a script. This adds a check before users perform multi-factor authentication.
Advanced Authentication supports external identity providers that use OAuth 2.0, SAML, or OpenID Connect as a web authentication method. Administrators configure the method with one of these identity providers; users enroll with that provider and are authenticated through it.
Advanced Authentication now supports Windows Hello authentication with the Fingerprint authenticator on Windows 10 machines.
Advanced Authentication now provides a new Reporting portal. Administrators can add new reports and customize the existing reports on this portal. The new reports provide information about enrolled users, authenticators, and so on with better graphical representation.
The Advanced Authentication user interface has been updated to comply with the Micro Focus standards. The appliance's base operating system has changed from Debian to SUSE.
You can now use your customized CSS for all web portals of Advanced Authentication to modify the look and feel of the user interface to comply with the corporate colors and style.
Advanced Authentication now supports SQL repositories. You can add a Microsoft SQL Server repository for the Advanced Authentication server to consume. For more information, see the Advanced Authentication - Administration guide.
Advanced Authentication supports the Microsoft SQL Server 2016.
A new Multi-Factor Authentication (MFA) plug-in has been introduced to enable multi-factor functionality for Active Directory Federation Services (ADFS). Unlike the old ADFS plug-in, the new plug-in is implemented as a standard ADFS extension.
For more information, see the Advanced Authentication - ADFS MFA plug-in guide.
Authentication Agent allows you to perform strong multi-factor authentication on one computer to get authorized access to another computer on which it is not possible to display the user interface or connect external authentication devices. You can install the Authentication Agent on a workstation or laptop. When authentication is initiated on one computer using an Authentication Agent chain, the Authentication Agent on the other computer opens a restricted browser in which the user completes the authentication.
Advanced Authentication introduces a new portal where a Helpdesk administrator can upload a batch file containing multiple tokens and assign individual tokens to specific users for the OATH authentication method.
Advanced Authentication allows users to authenticate with their Swedish Personal Identification Number. Users must configure the BankID app (desktop or mobile version) with the Personal Identification Number, activation, and security code.
Advanced Authentication allows an administrator to customize the method and chain names in a preferred language. The customized names are reflected on the Advanced Authentication portals and clients.
Advanced Authentication 6.0 includes the following enhancements:
Advanced Authentication 6.0 includes the following enhancements on the server:
Previously, an administrator could add multiple RADIUS Clients only to the single predefined event, so all RADIUS Clients had to use the same set of authentication chains. Now, administrators can create a custom RADIUS event for a specific RADIUS Client.
Administrators can now add a list of facets so that FIDO U2F tokens work across multiple sub-domains of a single domain. Users enroll a FIDO U2F token on one domain and authenticate on multiple sub-domains.
NOTE: Facets are supported only in Google Chrome. Sub-domain support in Chrome is not stable, so you may get the error message The visited URL doesn't match the application ID or it is not in use during enrollment and authentication.
Advanced Authentication now supports the Canadian French language.
FIPS mode is now enabled by default.
This release adds support for integrating Advanced Authentication with the following third-party solutions:
Citrix StoreFront using SAML
Google G Suite
For more information, see Advanced Authentication - Administration guide.
This release introduces an option in the method that validates the user's password against the password cached on the Advanced Authentication server.
If the password does not match the cached password, or no password is cached on the Advanced Authentication server, the following actions are performed:
The cached value is reset.
The Advanced Authentication server contacts the LDAP server to validate the user's password.
Previously, the Advanced Authentication server contacted the LDAP server to validate the user's password on every authentication, which caused performance issues.
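The cache-then-fallback flow described above can be illustrated with a small Python model. This is an added example written for these notes, not Advanced Authentication's own code: the directory (FAKE_LDAP, ldap_bind) is a constructed stand-in for an LDAP bind, and the PasswordCache class, its names, and the PBKDF2 parameters are assumptions. It shows the two points a practitioner wants to see: the cache stores a salted slow hash rather than the password, and a mismatch resets the entry before the directory is consulted, so a password changed in LDAP is picked up on the next login and a failed bind is never cached.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the directory; a real deployment performs an LDAP bind.
FAKE_LDAP = {"alice": "Winter2018!"}


def ldap_bind(username: str, password: str) -> bool:
    """Simulated LDAP simple bind (constructed for this example)."""
    return FAKE_LDAP.get(username) == password


class PasswordCache:
    """Validate against a cached salted PBKDF2 digest first; fall back to LDAP."""

    def __init__(self, iterations: int = 100_000):
        self._entries: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, digest)
        self._iterations = iterations
        self.ldap_calls = 0  # number of directory round-trips made so far

    def _digest(self, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self._iterations
        )

    def validate(self, username: str, password: str) -> bool:
        entry = self._entries.get(username)
        if entry is not None:
            salt, digest = entry
            if hmac.compare_digest(digest, self._digest(salt, password)):
                return True  # served from the cache; no LDAP round-trip
            # Mismatch (wrong or changed password): reset the cached value
            # before asking the directory, exactly as the release note says.
            del self._entries[username]
        self.ldap_calls += 1
        if not ldap_bind(username, password):
            return False  # a failed bind is never cached
        salt = secrets.token_bytes(16)
        self._entries[username] = (salt, self._digest(salt, password))
        return True

    def is_cached(self, username: str) -> bool:
        return username in self._entries
```

Because a cache miss always falls through to the directory, the directory's own lockout and audit policies still apply to wrong passwords; the cache only removes round-trips for repeated correct logins.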
This release introduces new dashboard widgets that help administrators collect more information about enrolled users, authenticators, active licenses, and so on.
Now, administrators can export the dashboard widgets to CSV or JSON formats.
Previously, when authenticating on web pages using SAML or OAuth, users had to specify their user name twice during multi-factor authentication. With this release, users are not prompted to specify their user name a second time.
Advanced Authentication now supports third-party vendor Smartphone apps. An option for the iOS app and an option for the Android app have been introduced in the Smartphone settings of the Administration portal. A push notification is sent only to the app whose identifier matches the configured value. By default, the Smartphone method works with the NetIQ Auth apps.
The NetIQ Auth app can now be used to scan the QR code when the Google Authenticator format is enabled. Previously, the QR code could be scanned only with the Google Authenticator or Microsoft Authenticator apps.
This support applies only to the Android and iOS apps, not to the Windows Phone app.
Advanced Authentication Syslog now records all actions performed by administrators, such as adding, updating, and deleting events and chains in the appliance.
Advanced Authentication introduced the export database feature in 5.6 Patch Update 3. With 6.0, you can also import the database. You can use this functionality to migrate from version 5 and to migrate the database to later versions.
By default, certified Feitian attestation certificates have been added for the FIDO U2F authentication in the Advanced Authentication appliance.
Advanced Authentication now allows an administrator to delete the pre-configured attestation certificate and add a custom attestation certificate for FIDO U2F compliant tokens used for authentication.
An option to unlock users who have been locked in the Advanced Authentication server's local repository has been added to the Helpdesk portal. The Helpdesk administrator can unlock these users so that they can authenticate again.
Advanced Authentication introduces a policy that allows administrators to hide the required (high-security) chain after users have authenticated with it, for the duration of a grace period. With this policy, only the linked chain is displayed to users during the grace period, in place of both the required and the linked chain.
Advanced Authentication now uses NBIS as the fingerprint matching engine on the server. The new engine improves the quality of fingerprint recognition, especially for inexpensive swipe sensors.
NOTE: After migrating from Advanced Authentication v5, users may need to re-enroll their Fingerprint authenticators if they enrolled them on WBF compliant readers, because the previous authenticators may contain low-quality fingerprint images. Re-enrollment is not required for Lumidigm and Digital Persona readers.
Previously, users locked in a repository (Active Directory) could not authenticate on Advanced Authentication. Now, an administrator can allow users who are locked in a repository to authenticate on Advanced Authentication using an option in Events. This option may be required for integrations such as Self Service Password Reset.
Advanced Authentication now supports different display resolutions on the Windows Client. Previously, on a Windows Client with a small screen and a high resolution, the window was very small and the text and controls were not readable.
Advanced Authentication provides a Diagnostic Tool that allows users to collect logs from the Mac OS X Client, and Device Service. The Diagnostic Tool also validates connection to the Advanced Authentication servers.
This release enables users to customize the background image of the login screen in Windows 7.
This release provides a new install package of the Device service and Mac OS client for Mac OS. The uninstaller scripts to remove these components automatically are also available. For more information, see Advanced Authentication - Mac OS X Client guide.
Advanced Authentication now allows the administrators to change the default logo and set a customized logo in the Mac OS Client.
Advanced Authentication Device Service for Windows now allows you to configure multiple fingerprint reader modes, so you can use more than one fingerprint reader mode without switching modes in the configuration file. By default, fingerprint.mode is set to auto, which enables the Lumidigm, DigitalPersona, and WbfDirect modes.
Advanced Authentication now introduces an option to verify that the Windows Client is installed on the terminal client, and allows Single Sign On (SSO) for a Remote Desktop connection only when it is. Previously, the SSO feature for a Remote Desktop connection did not check for the Windows Client on the terminal client and allowed SSO regardless, which may not be secure.
For more information, see Advanced Authentication - Windows Client guide.
Advanced Authentication now supports the Voice OTP authenticator for Linux and Mac.
Previously, the VPN icon was not displayed on the Windows login screen because it was filtered out by the Windows Client Credential Provider. Now, Advanced Authentication removes the filter for the Pre-Logon Access Provider (PLAP) and displays this icon on the login screen.
This release extends support to the following operating systems:
SUSE 11 Service Pack 3 and 4
SUSE 12 Service Pack 3
Mac OS High Sierra
Red Hat Linux 7.5
Microsoft Windows 10 v1803
When a DNS discovery for the servers is not used, Advanced Authentication allows you to specify more than one Advanced Authentication server. This is supported for Windows Client, Linux PAM Client, and Mac OS Client.
All events of the Windows Client are now logged in the Application log. These logs provide information about logins, server connections, and so on.
For more information, see Advanced Authentication - Windows Client guide.
You can now configure the card waiting timeout for Card authentication on Mac OS Client.
This release extends the support for the RFIDeas card readers to Linux and Mac Clients.
Context-sensitive help has been added to the Authenticators Management (Self-Service), Helpdesk, Search Card, and Tokens Management portals of Advanced Authentication. Users can read the related documentation, when they click the Help button on the respective portals.
Previously, native Mac OS authentication was used for fast user switching. Now, Advanced Authentication uses the Mac OS Client's authentication window for fast user switching.
Cache support has been extended to the Linux and Mac Clients.
Advanced Authentication contains the following security enhancements in 6.0:
Advanced Authentication now uses OpenSSL instead of DPAPI to comply with the FIPS standards.
The endpoint_id and endpoint_secret values are now stored encrypted in the configuration files.
An XML External Entity (XXE) injection vulnerability in the import of PSKC files has been fixed.
To secure the connection between Linux endpoints and the Advanced Authentication server, you must place the server certificate in one of the following paths:
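The XXE fix concerns the PSKC file (RFC 6030) that the token-import portal consumes. The following added example, written for these notes and not Advanced Authentication's own code, shows the pattern a hardened importer uses: refuse any document that declares a DTD before the XML parser runs, then read the token serial and secret from the PSKC structure and confirm the imported secret with an RFC 4226 HOTP computation. The two PSKC documents, the function names, and the error class are constructed for illustration; the secret in the clean sample is the RFC 4226 test key, so its first HOTP values are known.

```python
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# PSKC namespace from RFC 6030, the format used for OATH token batch files.
PSKC_NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}

# Every XXE payload, parameter-entity trick and entity-expansion bomb needs a
# DTD, so refuse the document before the parser sees one.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafePskcError(ValueError):
    """Raised when a PSKC file carries a DTD or entity declaration."""


def is_safe_pskc(data: bytes) -> bool:
    return _DTD_MARKER.search(data) is None


def parse_pskc(data: bytes) -> list[dict]:
    """Return [{'serial': str, 'secret': bytes}, ...] for each KeyPackage."""
    if not is_safe_pskc(data):
        raise UnsafePskcError("PSKC file declares a DTD or entity; import refused")
    root = ET.fromstring(data)
    tokens = []
    for kp in root.findall("pskc:KeyPackage", PSKC_NS):
        serial = kp.findtext("pskc:DeviceInfo/pskc:SerialNo", default="", namespaces=PSKC_NS)
        secret_b64 = kp.findtext(
            "pskc:Key/pskc:Data/pskc:Secret/pskc:PlainValue", default="", namespaces=PSKC_NS
        )
        tokens.append({"serial": serial, "secret": base64.b64decode(secret_b64)})
    return tokens


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used here to sanity-check an imported secret."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample: one HOTP token with an unencrypted secret (RFC 6030 section 3).
CLEAN_PSKC = b"""<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo><Manufacturer>Example</Manufacturer><SerialNo>987654321</SerialNo></DeviceInfo>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <Data><Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret></Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""

# Constructed sample: the same file with a classic XXE payload in the DTD.
XXE_PSKC = b"""<?xml version="1.0"?>
<!DOCTYPE KeyContainer [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<KeyContainer xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage><DeviceInfo><SerialNo>&xxe;</SerialNo></DeviceInfo></KeyPackage>
</KeyContainer>"""


if __name__ == "__main__":
    for tok in parse_pskc(CLEAN_PSKC):
        print(tok["serial"], hotp(tok["secret"], 0))
    try:
        parse_pskc(XXE_PSKC)
    except UnsafePskcError as exc:
        print("rejected:", exc)
```

Banning the DTD outright is preferable to relying on parser defaults: it does not depend on which entity handlers a given XML library registers, and it removes internal-entity expansion attacks as well as external entity fetches. A real importer would additionally handle the EncryptedValue form of the secret and verify the MAC that PSKC carries for it.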
Operating System specific
After placing the certificate in the preferred path, enable certificate verification. For more information, see the Advanced Authentication - Linux PAM Client guide.
You can also enable certificate verification on Mac endpoints to secure the connection between the endpoint and the Advanced Authentication server. For more information, see the Advanced Authentication - Mac OS X Client guide.
Advanced Authentication 6.0 includes the following software fixes:
Issue: When users send a request to the server using only the host name instead of the Fully Qualified Domain Name (FQDN), the server does not respond. (Bug 1020827)
Fix: Users can now send a request to the server using only the host name and receive the appropriate response.
Issue: When users log in to NetIQ Access Manager 4.4 in a path-based acceleration setup, the Access Gateway forwards the request to the Self-Service portal URL (https://<aa server>/account/). The Advanced Authentication server performs a URL redirection and returns a redirect URL without the trailing slash (https://<aa server>/account); the Access Gateway then adds the trailing slash back to the redirect URL, which causes a redirect loop and the page is never displayed. (Bug 1062262)
Fix: Both valid forms of a page's URL (with or without the trailing slash) are now mapped to the relevant HTML page.
When a user logs in to a Windows workstation using the Windows Client for the first time, the message that prompts the user to synchronize the password has been updated to Password must be synchronized. (Bug 1030020)
In the Windows Client, when a user specifies a backslash (\), the message Sign in to <workstation name> is not displayed. (Bug 1063099)
Issue: After a successful login to the Self Service Password Reset (SSPR) service through Advanced Authentication, an idle WebAuth session is active in the background. After a duration of one hour, if a user tries to access SSPR again, the WebAuth service displays an error message Access Denied due to the endpoint session timeout. (Bug 1049204)
Fix: When users try to access Self Service Password Reset, a new WebAuth session is initiated to allow users to access the Self Service Password Reset service.
Issue: When a user logs in to the OAuth 2.0 event, the error message Invalid authentication method is not displayed even though one of the following conditions is true:
Chain is not assigned to the OAuth event.
User has not enrolled to the method that is assigned to the OAuth event. (Bug 1047448)
Fix: With this release, if no method is assigned or the methods in the chain are not enrolled, a valid message is displayed.
This release also addresses a potential Man-in-the-Middle (MITM) attack in versions prior to Advanced Authentication 6.0. Special thanks to Octav Opaschi of Detack GmbH for responsibly disclosing this to us. (CVE-2019-11650)
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Advanced Authentication 6.0 includes the following known issues:
Issue: When a local (non-domain) user logs in to the Linux Client, a chain assigned to domain-user authentication is prompted instead of the local user name form.
Issue: On the Mac Client, when a user clicks the icon in the lower-right corner of the dialog box, the Mac authentication window is displayed instead of the Advanced Authentication window.
Workaround: To display the Advanced Authentication window, execute the command: defaults write com.apple.Preferences UseSheets -bool FALSE
Issue: When a user enrolls the Fingerprint method on the Mozilla Firefox Quantum browser, the enrollment fails and a message Cannot reach the server is displayed.
Workaround: To enroll the Fingerprint method on the Mozilla Firefox Quantum browser, import the rootCA.crt file from the Device Service folder to the Trusted Root Certification Authorities certificate store of the computer.
Issue: When you install Advanced Authentication with Dynamic Host Configuration Protocol (DHCP), an error is displayed and the network is not configured on the server.
Reason: This error occurs because of the Yet another Setup Tool (YaST) configuration available in openSUSE.
Issue: On a Mac 10.13.4 machine, when a domain user logs in for the first time to the domain-joined Mac Client using any of the available authentication chains, the Mac machine hangs and no network account is created for the new domain user. This issue happens when one of the following conditions is true:
The user does not have a mobile account on the Mac machine.
Theis turned during login.
Issue: When you install the Advanced Authentication server with a static IP address, the installation in some instances hangs on one of the setup screens.
Workaround: Wait a few hours, or try installing the server again.
An in-place upgrade from Advanced Authentication 5.6 to 6.0 is not supported. However, you can export the configuration from Advanced Authentication 5.6.341 and, after installing Advanced Authentication 6.0, import all of the 5.6.341 configuration into it.
For example, to move from Advanced Authentication 5.5 to 6.0, you must first upgrade from 5.5 to 5.6.341, then install 6.0 and import the configuration from 5.6.341.
For more information about upgrading, see Advanced Authentication- Server Installation and Upgrade guide.
NOTE: This release discontinues the ADFS plug-in. You can configure integration with ADFS using the ADFS MFA Plug-in or through SAML. For more information, see Advanced Authentication - Administration guide and Advanced Authentication - ADFS MFA plug-in guide.
After migrating from Advanced Authentication v5, users may need to re-enroll their Fingerprint authenticators if they enrolled them on WBF compliant readers, because the previous authenticators may contain low-quality fingerprint images. Re-enrollment is not required for Lumidigm and Digital Persona readers.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2018 NetIQ Corporation, a Micro Focus company. All Rights Reserved.