Advanced Authentication 6.2 Patch Update 1 includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
For more information about this release and for the latest release notes, see the Advanced Authentication NetIQ Documentation page. To download this product, see the Advanced Authentication Product website.
If you have suggestions for documentation improvements, click at the bottom of the specific page in the HTML version of the documentation posted at the Advanced Authentication NetIQ Documentation page.
IMPORTANT: Advanced Authentication 6.3 and later will not support SLES 11 Service Pack 4.
Advanced Authentication 6.2 Patch Update 1 provides the following key features, enhancements, and fixes in this release:
Advanced Authentication 6.2 Patch Update 1 includes the following enhancements:
The following enhancements have been added to the Advanced Authentication logs:
Improved audit for Helpdesk
All of the actions of the Helpdesk administrator who logs in to the Helpdesk console are now logged, including the modification of authentication methods for a user.
Improved audit for Administration portal
Audit logs have been added to track the configuration changes (repositories, methods, chains, events, endpoints, and so on). Additionally, these logs are helpful for troubleshooting.
Username added to logs
Logs have been enhanced by adding the username of a user who performs an action.
Previously, the LDAP Password was stored in the Advanced Authentication server if caching was enabled. Now, the Advanced Authentication server does not store the LDAP password in the template data and in the local cache when you disable the option (see LDAP Password method). This enhances security.
You can now specify any attribute apart from the Filter-Id attribute in the option of the RADIUS event, which Advanced Authentication returns after the RADIUS authentication. For example, if you want to return the class attribute instead of the Filter-Id attribute, you must specify class in that option of the RADIUS event.
Previously, when performing the DNS discovery for Active Directory repositories, the non-SSL mode was used on port 389. To enable SSL, the option had to be used and an individual LDAP server had to be edited. For an enterprise with a large number of domain controllers, this caused delay and had to be done every time the DNS discovery was performed.
Now, the option has been added to use SSL for the DNS discovery on port 636. This allows Advanced Authentication to automatically discover the DNS names over SSL port 636.
This patch adds support for MySQL and PostgreSQL as repositories. The following versions are supported:
Advanced Authentication allows administrators to use the serial attribute in the API queries for enrolling the HOTP and TOTP methods with the serial number of a token. This attribute allows the administrator to enroll numerous users to the HOTP and TOTP methods in less time.
Now, Advanced Authentication allows administrators to use the non-ASCII characters while customizing the messages related to the RADIUS event. Previously, Advanced Authentication allowed only the ASCII characters in the custom messages of the RADIUS event.
Now, Advanced Authentication displays a valid error message when users select a chain with the RADIUS client method and log in to the Web authentication event. For example, when an incorrect PIN is specified, a new token code is expected, or a token resynchronization is required.
You can now configure a list of Facets to be added as part of a domain. Previously, to configure facets, the main URL and prefixes had to be specified. Now, flexibility has been added to configure the facets list.
Advanced Authentication 6.2 Patch Update 1 includes the following software fixes:
Advanced Authentication 6.2 Patch Update 1 includes the following server fixes:
This patch resolves the issue where the RADIUS server stops periodically and the RADIUS authentication fails in Advanced Authentication 6.2.
This patch resolves the issue where, when an administrator uploads the custom ZIP file from the Client to the Advanced Authentication server to customize the messages on the Client, Advanced Authentication erases the existing messages on the server.
Advanced Authentication merges the messages when the administrator uploads the custom ZIP file.
This patch resolves the issue where, when a user accesses https://aa-server-name/helpdesk, Advanced Authentication redirects the user to the page (https://aa-server-name/helpdesk/authenticators) instead of the login page (https://aa-server-name/helpdesk/auth).
Now, Advanced Authentication directs the user to the login page to specify the credentials.
This patch resolves the issue where, in Advanced Authentication 6.1 and 6.2, the fingerprint authentication fails due to the AFIS service timeout. This issue occurs when users initiate multiple fingerprint authentication requests simultaneously.
This patch resolves the issue where an administrator is unable to access the> tab of a configured repository in the Advanced Authentication Administration portal. Therefore, an administrator is unable to unlock the locked users of the repository.
This patch resolves the issue where the Advanced Authentication appliance installer does not install the open-vm-tools and you cannot install them manually.
Now, administrators can install the open-vm-tools on the Advanced Authentication server.
This patch resolves the issue where the Advanced Authentication Helpdesk portal does not display the tab when a helpdesk administrator logs in to the Advanced Authentication Helpdesk portal, specifies a user name, and the defined policies do not require the administrator to authenticate. The administrator did see the tab on refreshing the browser.
This patch resolves the issue that occurs when you configure the Windows Hello method as a second-factor authenticator (for example, PIN and Windows Hello) for web authentication. For example, if a user specifies the user name and PIN in the first screen, the subsequent screen prompts the user to place a finger on the reader. The authentication does not progress when the user places their enrolled finger on the reader.
This patch resolves the issue where, when users try to access the web authentication event on an iPhone, the screen prompts the user to download the NetIQ app. This issue occurs only on the Safari browser.
The patch disables the prompt that states the user must download the NetIQ app.
This patch resolves the issue where there is a significant delay before the page returns a list of chains when a user specifies the user name on the login page of the Advanced Authentication Administration portal. After the user selects a preferred chain, there is another delay before the portal displays the input field. This issue occurs when you use the IPv6 address format.
This patch resolves the issue where the RADIUS container restarts constantly after upgrading to Advanced Authentication 6.2. This issue occurs when the RADIUS secret contains prohibited characters (for example, comma and space).
Advanced Authentication 6.2 Patch Update 1 includes the following server fixes:
This patch resolves the issue where users use Client Login Extension (CLE) and the users' accounts are locked. Users are unable to navigate to the page where the link is displayed.
This patch resolves the issue where users have issues logging in to a Windows workstation using the or methods, after upgrading to Advanced Authentication 6.2.
This patch resolves the issue where Advanced Authentication displays an on the Windows and Mac workstation, if the username is specified along with the domain name (domainname/username).
This patch resolves the issue where, when the Mac OS X Client connects to a network but is not able to reach the Advanced Authentication server or cannot resolve the internal IP address (not connected to the VPN), the users are unable to log in and an is displayed.
This patch resolves the issues with the Windows Hello login method for the users after upgrading to Advanced Authentication 6.2.
This patch resolves the issue where the members of domain and enterprise administrator group cannot access a shared folder secured with the Logon Filter.
This patch resolves the issue where Yubikey is unable to unlock a user's non-domain Windows workstation. This issue happens when users incorrectly map their domain accounts to the local accounts.
Advanced Authentication contains additional checks to eliminate the chance of users creating incorrect mappings.
This patch resolves the issue where users are unable to start the authentication to unlock a session (KDE) if they select an authentication chain that uses the Email, SMS, or Voice OTP methods.
This patch resolves the issue where a local user is unable to log in to a Windows workstation, if the tenant_name parameter is not set in the config.properties file.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Advanced Authentication 6.2 Patch Update 1 includes the following known issue:
Issue: When the Global Master server is down, the configured LDAP server is not available on both the Database and the Web servers within a site.
Workaround: Perform the following steps on the Global Master server before the Global Master server goes down to ensure that the fail over process is successful:
Log in to the Administration Console as an administrator.
Click adjacent to the configured LDAP repository.
Specify the password of the LDAP repository in the and save the settings.
This initiates replication of the LDAP servers list to the database servers.
Issue: After upgrading to Advanced Authentication 6.2, when users try to authenticate to a third-party site with the SAML authentication, the browser displays an error: SAML Assertion verification failed; Please contact your administrator.
Workaround: Perform the following steps:
Log in to the server as root.
Run the following command:
docker exec -ti aaf_webauth_1 /bin/bash
Open the following file:
Modify the following content in the file setenv.sh:
export CATALINA_OPTS="$CATALINA_OPTS \
-Dinternal.osp.framework.ext-context-dir=$OSP_CONF \
-Dinternal.osp.framework.generic-properties-filename=$OSP_CONF/aa-osp-configuration.properties \
-Dorg.apache.el.parser.SKIP_IDENTIFIER_CHECK=true"
to:
export CATALINA_OPTS="$CATALINA_OPTS \
-Dinternal.osp.framework.ext-context-dir=$OSP_CONF \
-Dinternal.osp.framework.generic-properties-filename=$OSP_CONF/aa-osp-configuration.properties \
-Dorg.apache.el.parser.SKIP_IDENTIFIER_CHECK=true \
-Dorg.apache.xml.security.ignoreLineBreaks=true"
Save and restart the webauth container with docker restart aaf_webauth_1.
Recreate the event.
Download the SAML 2.0 metadata from the Advanced Authentication server and update the Service Provider in use with the valid certificates.
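The setenv.sh change in the SAML workaround above can be applied idempotently with a small script. This is an added example, not NetIQ code: patch_setenv is a hypothetical helper name, and the path to setenv.sh is passed in by the caller because this page does not give it.

```shell
#!/bin/sh
# Added example (not NetIQ code). patch_setenv is a hypothetical helper name.
# The setenv.sh location is not given on this page, so the caller passes it.
SAML_FLAG='-Dorg.apache.xml.security.ignoreLineBreaks=true'
ANCHOR='-Dorg.apache.el.parser.SKIP_IDENTIFIER_CHECK=true'

# patch_setenv FILE
#   0 = flag added, 1 = flag already present (file untouched), 2 = error
patch_setenv() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if grep -qF -- "$SAML_FLAG" "$file"; then
        return 1
    fi
    grep -qF -- "$ANCHOR" "$file" ||
        { echo "CATALINA_OPTS anchor flag not found in $file" >&2; return 2; }
    cp -p "$file" "$file.bak" || return 2
    # Split the line at the end of the anchor flag: the anchor gets a
    # continuation backslash, and whatever followed it (the closing quote, or
    # a further continuation) moves to the end of the new flag's line.
    awk -v anchor="$ANCHOR" -v flag="$SAML_FLAG" '
        !patched && (i = index($0, anchor)) {
            cut = i + length(anchor)
            print substr($0, 1, cut - 1) " \\"
            print flag substr($0, cut)
            patched = 1
            next
        }
        { print }
    ' "$file.bak" > "$file"
}

# Demo on a constructed setenv.sh (sample content copied from the workaround).
demo_dir=$(mktemp -d)
cat > "$demo_dir/setenv.sh" <<'EOF'
export CATALINA_OPTS="$CATALINA_OPTS \
-Dinternal.osp.framework.ext-context-dir=$OSP_CONF \
-Dinternal.osp.framework.generic-properties-filename=$OSP_CONF/aa-osp-configuration.properties \
-Dorg.apache.el.parser.SKIP_IDENTIFIER_CHECK=true"
EOF
patch_setenv "$demo_dir/setenv.sh" && cat "$demo_dir/setenv.sh"
rm -rf "$demo_dir"
```

A return code of 1 on a second run confirms the flag is already in place, and the original file is kept beside it as setenv.sh.bak.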
You can upgrade Advanced Authentication 6.2 to 6.2 Patch Update 1. You cannot directly upgrade from Advanced Authentication 5.x to 6.2 Patch Update 1. However, you can export the database from Advanced Authentication 5.6 and after you install Advanced Authentication 6.2 Patch Update 1, you can import the database from 5.6.
For example, to upgrade from Advanced Authentication 5.5 to 6.2 Patch Update 1, you must first upgrade from Advanced Authentication 5.5 to 5.6. Next, you must install Advanced Authentication 6.2 Patch Update 1 and import the configurations from Advanced Authentication 5.6.
For more information about migrating, see Advanced Authentication - Server Installation and Upgrade guide.
For more information about upgrading from 6.0, see Advanced Authentication - Server Installation and Upgrade guide.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2019 NetIQ Corporation, a Micro Focus company. All Rights Reserved.