Advanced Authentication 6.2 includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
For more information about this release and for the latest release notes, see the Documentation Advanced Authentication NetIQ Documentation page. To download this product, see the Advanced Authentication Product website.
If you have suggestions for documentation improvements, click comment on this topic at the bottom of the specific page in the HTML version of the documentation posted at the Advanced Authentication NetIQ Documentation page.
IMPORTANT:Advanced Authentication 6.3 and later will not support SLES 11 Service Pack 4.
Advanced Authentication 6.2 provides the following key features, enhancements, and fixes in this release:
This release introduces the following features:
Advanced Authentication introduces Repo Agent. It acts as a middleware between the LDAP repository and Advanced Authentication. This Repo Agent retrieves users’ data from the LDAP repository, stores it in a database, and sends it to Advanced Authentication for authentication.
This prevents operational delays caused due to direct interaction of Advanced Authentication with the LDAP repository. The Repo Agent is recommended to be used in cloud-based environments with on-premise LDAP repositories. In addition, it enhances security because customers may not want to publish LDAP servers on the internet.
For more information, see the Advanced Authentication - Repo Agent guide.
This release provides an option to perform offline updates for the operating system. This is in addition to the online updates.
For more information, see the Performing the Offline Updates
in the Advanced Authentication- Server Installation and Upgrade guide.
In addition to the existing supported platforms, this release adds support for Windows Server 2019 for the following components:
Windows Client
Authentication Agent
Device Service
RDG Plug-in
Logon Filter
This release adds support for the CN UA550II type of card reader.
For more information, see Card Settings
in the Advanced Authentication - Device Service guide.
Advanced Authentication now supports the multi-finger reader Green Bit DactyScan84c for enrolling the Fingerprint method. This reader enables users to enroll more than one finger together. The Green Bit DactyScan84c has capability to capture one of the following fingers combination at a time:
Four fingers of the left hand
Four fingers of the right hand
Two thumbs
For more information, see Fingerprint
in the Advanced Authentication - Administration guide.
This release introduces an option to enable users to assign one of the enrolled fingers as duress. Using the duress finger, users can authenticate to any device or application in case of a threat or emergency. Authentication with the duress finger triggers an alert notification to the configured recipient. This helps in securing the device or application without compromising the safety of the user.
For more information, see Fingerprint
in the Advanced Authentication - Administration guide.
Advanced Authentication 6.2 includes the following enhancements:
The database export and import process has been improved to keep the cluster configuration intact while importing the database.
You can refer to the Disaster Recovery procedure if the cluster is lost while importing the database. For more information, see Recovering from a Disaster
in the Advanced Authentication - Administration guide.
Advanced Authentication facilitates an administrator to add a preferred IP addresses to the Whitelist IP Address. This helps to register a trusted endpoint from these IP addresses with the administrator’s credentials.
The endpoint registration request from any other IP address that is not included in the whitelist are blocked automatically.
For more information, see the Endpoint Management Options
policy in the Advanced Authentication - Administration guide.
In one of the previous versions, a 5 minute LDAP caching on the server was implemented. This increased performance and solved issues for environments where the connection to LDAP servers was unstable or slow. However, the caching opened a security issue because within these 5 minutes a locked or a deleted user, or a user with an expired password was able to authenticate.
In this release, the LDAP caching is disabled by default to enhance security but introduces an option LDAP caching, which allows you to enable the LDAP caching to improve performance.
For more information, see the Login Options
policy in the Advanced Authentication - Administration guide.
Previously, a Helpdesk administrator was allowed to share authenticators by default. This resulted in security issues because the helpdesk administrator can misuse the authenticators of users.Now, only when assigned as a member in the SHAREAUTH ADMINS role, a Helpdesk administrator can share the authenticators.
For more information, see Local Repository
in the Advanced Authentication - Administration guide.
This release introduces an option that allows you to use repositories in place of groups. You can use a group of users in a specific repository or all the users of the repository.
For more information, see Creating a Chain
in the Advanced Authentication - Administration guide.
This release introduces the command line migration tool RepoMigrationtool that allows you to migrate user’s data from a repository to another repository. This helps customers who plan for migrating one repository to another to retain authenticators and avoid re-enrollment.
For more information, see Migrating the Repositories
in the Advanced Authentication - Repo Agent guide.
The RADIUS logic has been changed from Freeradius plug-in to AuCore REST API. In addition, the RADIUS logs have been enhanced.
The samAccountName attribute can now be sent as a NameID element in the SAML response from the Advanced Authentication server. This option has been added for the integration with CyberArk when Advanced Authentication is used as the SAML identity provider.
For more information, see “Creating a SAML 2.0 Event” in the Advanced Authentication - Administration guide.
This release introduces the following widgets on the dashboard:
Total Users
Total Users Per Event
These widgets help administrators to analyze information about the number of logged in users for each event.
For more information, see “Total Users” and “Total Users Per Event” in the Advanced Authentication - Administration guide.
Advanced Authentication now allows customization of the prompt message specific to the authentication method that is displayed on the RADIUS Client.
For example, In Custom Messages policy, the administrator customizes the prompt message for SMS OTP method that is mapped to the RADIUS event. When a user initiates authentication to a RADIUS event using the SMS OTP method, the customized prompt message is displayed on the RADIUS Client.
For more information, see “Customizing Prompt Messages of the Authentication Methods for RADIUS Event” in the Advanced Authentication - Administration guide.
IMPORTANT:Only ASCII symbols are supported for the customized messages of the RADIUS event.
Previously, in the Background tasks tab of Logs, an enormous number of log entries are stored for the SQL alchemy commit and new transactions.
Log level of SQL alchemy transactions have been revised so that the debug transactions are not stored in the Background tasks.
This release introduces an option to allow users to view the serial number of an enrolled token for the HOTP and TOTP methods on the Self-Service portal.
With this release, a fresh installation of Advanced Authentication appliance includes the Netcat pre-installed for resolving the possible network connectivity issues.
The Netcat package is not available when you upgrade Advanced Authentication from version 6.1 or earlier versions.
In the Web authentication, a Resend OTP button has been added to allow users to resend OTP for all the OTP based methods such as SMS, Voice, and so on.
Now, Advanced Authentication supports the 1:N feature on the macOS. It allows to automatically detect the username when user presents an enrolled card or PKI token.
For more information, see Disabling 1:N
in the Advanced Authentication - Mac OS X Client guide.
This release extends support to the Username disclosure option for a Client cache login. The Username disclosure option allows administrators to conceal the valid user names and prevents security vulnerabilities.
Now, along with the details for the successful login attempts, log files include details for failed login attempts.
For more information, see “Logging for Windows Specific Advanced Authentication Events” in the Advanced Authentication - Windows Client guide.
An option has been added to configure the U2F timeout for authentication on all the Clients.
For more information, see “Configuring Timeout for the U2F Authentication” in the Advanced Authentication - Windows Client guide.
Now, Advanced Authentication administrators can set the duration of the Authentication Agent window display after a user authenticates using the Authentication Agent.
For more information, see “Configuring Time to Close the Restricted Browser” in the Advanced Authentication - Windows Authentication Agent guide.
With this release, Public API has been enhanced to provide an ability to synchronize the HOTP token counter during the enrollment of HOTP authenticator.
With this release, REST API has been enhanced to provide an ability to migrate users of an existing LDAP repository to an another repository (LDAP or External repository for Repo Agent).
This release provides the following security enhancements:
XSS vulnerabilities in the react router have been fixed.
The Slow HTTP POST vulnerability for the Denial of Service (DoS) attack has been fixed.
You can now disable the key-pair based enrollment of the PKI device and enforce the PKI enrollment using only a user certificate issued by the CA.
For more information, see “Disabling the Key-Pair Option” in the Advanced Authentication - Administration guide.
Permission have been added to access the Cache Files by the System account only.
This release introduces two security settings on the Device Service that prevents access to the digital certificates of a PKI authenticator. This enhances the security by protecting the digital certificates.
For more information, see “Configuring the Security Settings” in the Advanced Authentication - Device Service guide.
The write permission has been removed for the configuration file pam_aucore.conf of the Linux PAM Client.
Advanced Authentication 6.2 includes the following software fixes:
Advanced Authentication 6.2 includes the following server fixes:
Database Migration from Version 5.x Stopped Working With 5.6 Patch Update 7
The Advanced Authentication Server Does Not Return Available Authenticators for Clients
Phone Numbers and Emails of Users for the Web Authentication Events Are Not Masked
Web Servers Not Able to Communicate with the Database Servers
An Error Occurs When Logging In to the Administration Portal After Updating
Customized Chain Names Are Not Applicable for Web Authentication
Filters Do Not Work Appropriately for Widgets in the Dashboard
An Error is Displayed in the User Report Section of the Helpdesk Portal
Addition of two eDirectory Repositories with the Same Base DN Fails
Short Names of the Chains Are Displayed Instead of Custom Names for Web Authentication
RADIUS Authentication Does Not Work When Username Contains Spaces
Importing the database from Advanced Authentication 5.6 Patch Update 7 to version 6 does not work. The migration has been fixed and this will work from Advanced Authentication 5.6 Patch Update 8 to 6.2.
There are specific conditions that involve the offline login and use of more than one user on a workstation. In these conditions, the server does not return the available authenticators for Clients and login or unlocking the operating system is not possible.
Issue: The phone numbers and emails of the users are not masked on the authentication page for the Web authentication method.
Fix:
The option Recipient Mask has been added for the Mail Sender, SMS Sender, and Voice Sender policies that allow to mask the phone numbers and email address. For more information, see Mail Sender
, SMS Sender
, and Voice Sender
policies in the Advanced Authentication - Administration guide.
Issue: When a Database Master server is rebooted, the Web servers of the same site do not switch to the secondary Database server and this causes a delay of 15 minutes. Even after the Database Master server comes up again, the web servers display errors until those web servers are rebooted.
Fix: A 2-minute timeout has been added to fix the issue.
An error TypeError NoneType object is not iterable (Unknown Error) is displayed after installing the patch while logging in to the Administration portal. The issue does not occur after up to 30 minutes.
Issue: In a clustered environment with several sites, the Global Master server experiences issues with the heartbeat and replication. When a conflict is detected, the system must automatically ignore the incoming change. However, the system ignores the entire batch.
Fix: Now, Advanced Authentication controls whether the entire batch or just the row in conflict must be ignored.
Custom localization of method and chain names does not work in the Web Authentication.
When you apply filters for Widgets on Dashboard, sometimes the filters are not reflected, and the Dashboard fails to display the information according to the configured filters.
When a full synchronization or a quick synchronization is done for a repository, the repository name gets updated in the Logins Options policy.
After authentication, NetIQ Access Manager does not get a proper JSON response back from Advanced Authentication to indicate that the user is authenticated. (Bug 1109606)
A 503 error is displayed when navigating to the User Report tab of the Helpdesk portal on a web server.
In an Advanced Authentication server repository configuration, addition of two eDirectory repositories with the same admin base DN does not work.
When custom names are used for chains in the Web authentication, the short names of the chains are displayed in place of the custom names during authentication.
When the username contains spaces, the RADIUS authentication does not work.
Advanced Authentication 6.2 includes the following Client fixes:
A Blank Screen Is Displayed While Unlocking a Windows Client
Login to Windows Clients Fails If the Domain Password Is Expired
Unable to Unlock the Client Workstation If Verification of Certificate Is Enabled
Sign-In Button Is Displayed After Tapping the Card During Windows Login
Windows Sign-In Text Is Displayed on Background of the Lock Screen
Users Cannot Change the Login Credentials on a Terminal Client for a Remote Session
The U2F Method Does Not Work When Used In a Second Factor Authentication
Mac OS Does Not Cache the Repository Name of the Last Logged In User
Uninstalling a Client Does Not Remove Respective Endpoint from the Server
Unable to Authenticate with the Face Recognition Method on a Terminal Client
Unable to Enroll the FIDO 2.0 Method on the Microsoft Edge Browser
DigitalPersona Reader Not Accessible for a Third Party Application
Fingerprint Authentication Fails After a Migration from Version 5
Sometimes the Device Service May Hang or Crash After a Restart
A blank screen is displayed without any controls when users try to unlock a workstation if some combination of the following Microsoft policies are used:
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Issue: With the user switching disabled, when users try to log in to Windows Client with the expired domain password, a prompt to change the password is displayed. However, the prompt does not contain the password change form. Therefore, users are allowed neither to change password nor log in to the Windows Client.
Issue: In Windows Client login screen, when a user specifies the LDAP password or Password, the specified characters appear in the Password field after a significant delay. This happens for a screen with high resolution.
Fix: Now, the keystroke delay has been optimized.
Issue: If the Client workstation contains a valid certificate and the parameter verifyServerCertificate is set to true, the domain users are unable to log in since November 14, 2018.
Fix: Now, the CA certificate is bundled with the Client distributive packages and validity has been extended for 5 years.
Issue: Previously, to log in to a Windows workstation with the Card method, a user had tap the card on the reader, and click Sign in.
Fix: Now, the user can tap the card the reader and log in successfully.
While unlocking a Windows workstation, if users delay in selecting the authentication chain, a Windows sign-in text is displayed when the Microsoft Interactive logon policy is configured as follows:
Display user information when session is locked: Do not displayed user information
Do not require CTRL+ALT+DEL: Not Defined
Don't display last signed-in: Enabled
Don't display username at sign-in: Enabled
When users try to log in to the Windows Client for the first time, an error message Internal Server Error is displayed. This is due to the Firewall settings that blocks all outbound connections.
Now, the Cache Service creates the required records in the Windows firewall.
Issue: When a user initiates a terminal session, a prompt to select the chain is displayed. However, an auto-selected user is a currently logged in instead of the Remote Desktop application saved user and users are not allowed to change it.
Fix: Now, the Remote Desktop application saved user can log in to a terminal session by default. This complies with the Microsoft Windows behavior. Moreover, an administrator can set the parameter select_terminal_client_user: false (default value is true) to allow the users to change the login credentials on the terminal client during remote login.
When the U2F method is used along with another method (for example, Password and U2F), the login screen does not respond after a user authenticates to the first method.
Issue: Previously, to log in to a Windows workstation that has been locked, the user had to click Switch user, tap the relevant card, and proceed authentication with the other methods of the assigned chain.
Fix: Now, irrespective of whether Windows is locked or not, the user can tap the card on the reader and proceed authentication with the other methods of the assigned chain.
Sometimes, in the Windows Client login and unlock screen, the show password icon is not displayed when a user specifies the password in the Password field. This icon helps users to validate the specified password.
Mac OS does not cache the repository name of the last logged in user.
The Mac OS login page does not display the notification when Caps Lock in on.
When a Client is uninstalled, the respective endpoint is not removed from the Advanced Authentication server. This issue happens because of the Firewall settings that blocks all outbound connections.
when an administrator customizes a message in Custom Messages policy, the customized messages are not displayed on Mac OS Client.
When an administrator customized a message in the Custom Messages policy, the customized messages are not displayed on the Linux Terminal.
When users try to log in to the terminal client with Face Recognition method for a remote session, an error message face service is not available is displayed.
Issue: On Self-Service portal, when users try to enroll the FIDO 2.0 method using the U2F device, an error message Web authentication is not supported in this browser is displayed.
Reason: Users can enroll the FIDO 2.0 method on Microsoft Edge 17 or further supported versions.
Issue: When a third-party application requires to use the DigitalPersona reader, but the reader is busy with the Advanced Authentication Device Service that is installed on the workstation.
Fix: By default, Device Service now uses a cooperative mode and the DigitalPersona reader is not locked for exclusive use by the Device Service. The mode is customizable.
Issue: After migrating from Advanced Authentication 5.6 to version 6.1, when users authenticate on Windows Client with the Fingerprint method using the Secugen Hamster Pro 20, an error message mismatch is displayed.
Reason: In version 6, another fingerprint engine is available and the old engine which handled the enrollment in version 5 saved the fingerprints with a very low quality.
Fix: An option is included to configure the Device Service to use the old fingerprint engine. For more information, see Mismatch Error After Migrating from Advanced Authentication 5.6 to 6.0.
Sometimes Advanced Authentication Device Service may hang or crash when an administrator restarts the service.
In Windows, after upgrading Advanced Authentication Device Service 6.0 to version 6.1, the PKI plug-in with card reader does not work.
In Windows, users are unable to delete the incorrect password with the Backspace key when the language is set to Hebrew.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Advanced Authentication 6.2 includes the following known issues:
Issue: The Repo Agent fails to sync data with Advanced Authentication server when the Repo Name contains spaces.
Previously, there was an issue where uploading a localization package from the Client to the server rewrote the localization messages used by the server.
This issue was fixed by merging the server and Client localization packages. However, after this change some of the messages are still not localized on the server.
Issue: On macOS 10.14.2, when the Client goes in the sleep mode and a user tries to log in, the authentication window does not appear.
Reason: This issue is related to Apple and a fix should be provided in the forthcoming macOS release.
Issue: When a user specifies <aa-server-name>/helpdesk in a browser to access the Advanced Authentication Helpdesk portal, the user is redirected to the Helpdesk Authenticators page (/helpdesk/authenticators) instead of the login page of the Helpdesk portal (/helpdesk/auth).
Workaround: Users can either append /auth as a suffix to the URL <aa-server-name>/helpdesk or click the User icon > Log Out on the Helpdesk Authenticators page to navigate to the login page of the Helpdesk portal.
You can upgrade Advanced Authentication 6.1 to 6.2. You cannot directly upgrade from Advanced Authentication 5.x to 6.2. However, you can export the database from Advanced Authentication 5.6 to 6.2. After you install Advanced Authentication 6.2, you can import the database from 5.6.
For example, to upgrade from Advanced Authentication 5.5 to 6.2, you must first upgrade from Advanced Authentication 5.5 to 5.6. Then, you must install 6.2 and import the configurations from 5.6.
For more information about migrating, see in the Advanced Authentication- Server Installation and Upgrade guide.
For more information about upgrading from 6.0, see Upgrading Advanced Authentication
in the Advanced Authentication- Server Installation and Upgrade guide.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2019 NetIQ Corporation, a Micro Focus company. All Rights Reserved.