Advanced Authentication 6.2 Patch Update 2 Release Notes

Integration with Office 365 Without ADFS

This patch adds support for the integration of Advanced Authentication with Office 365. With this integration, you can set up the strong multi-factor authentication to Office 365 without ADFS. This integration approach eliminates the additional configurations and expenses required to deploy and maintain the ADFS service.

Also, this patch introduces an option in the SAML event settings to allow the Advanced Authentication server to send the ImmutableId (User objectId) as the NameID element to achieve seamless authentication. This option is required for integrating Advanced Authentication with Microsoft Office 365 without ADFS.

For more information, see Configuring Integration with Office 365 Without ADFS in the Advanced Authentication - Administration guide.

Enhanced Performance for the Bulk Enrollment of Users

This patch reduces the time consumed during the bulk enrollment process of users in large environments.

Provision to Add the TOTP Authenticator Using a Seed

Now users can add the TOTP authenticator in the Desktop OTP tool manually using a seed. The seed can be generated either on the Advanced Authentication Self-Service portal or in a third-party software. To use the seed with Advanced Authentication it is required to enable the manual enrollment in the OATH OTP method of the Advanced Authentication Administration portal.

For more information, see Enrolling with the Secret Key in the Advanced Authentication- User guide.

Support for Windows 10 Version 1903

This patch extends support for the Windows 10 version 1903.

Issue with RADIUS Authentication

During high activity with the RADIUS server, sometimes the authentication fails and users have to authenticate again. This issue occurs due to the memory corruption in the third-party component (freeradius). To overcome this issue, the RADIUS container is scheduled to restart frequently.

Advanced Authentication Server Does Not Send the RADIUS Challenge

This patch resolves the issue where the Advanced Authentication server does not send the additional challenge from the RADIUS server to a RADIUS Client. Instead, the server returns an Access-Reject packet during the RADIUS authentication. Here, the Advanced Authentication server acts as a RADIUS proxy between the third party RADIUS server and a RADIUS Client.

LDAP Servers Are Unavailable When the Global Master Server Is Down

This patch resolves the issue when the Global Master server is down, the configured LDAP server is unavailable on both the database and the web servers within a site.

Importing the Database from Advanced Authentication 6.1 to 6.2 Fails

This patch resolves the issue when the import of database from Advanced Authentication 6.1 to 6.2 fails.

Full Synchronization Removes the Enrolled Authenticators

This patch resolves the issue where the full synchronization of a repository might remove the users’ authenticators. This might happen if there are more than a thousand groups in the repository and sometimes when some users are skipped during the synchronization. In this case, the users along with their authenticators are removed from the Advanced Authentication database.

Now, Advanced Authentication does not remove the users from the database instead retains the enrolled authenticators for a specified duration. Administrators can customize the time duration. This prevents the loss of authenticators during the full synchronization.

For more information, see Users Synchronization Options in the Advanced Authentication - Administration guide.

Security Issue: Helpdesk Administrator Can Reset the Authentication Methods of a Full Administrator

This patch resolves the security issue where a helpdesk administrator is allowed to re-enroll the methods of a full administrator in the Users to Manage page of the Advanced Authentication Helpdesk portal. This might result in a helpdesk administrator misusing the administrator’s credentials.

Now, if a helpdesk administrator specifies the user name of a full administrator in the Users to Manage page, Advanced Authentication displays an error message No permission to manage this user. Are you an Enroll Admin?. This prevents the helpdesk administrator from re-enrolling the methods of a full administrator.

Issue with the Memory of Docker Container and the Portals Are Inaccessible Inconsistently

This patch resolves the issue where the docker containers run out of memory and subsequently the Advanced Authentication portals are inaccessible. This issue occurs after upgrading to Advanced Authentication 6.2 Patch Update 1.

Issue with Enrolling the Fingerprint on an Android Smartphone to the FIDO 2.0 Method

This patch resolves the issue where users are unable to enroll the fingerprint that exists on an android smartphone to the FIDO 2 method.

Now, users can utilize the fingerprint on an android smartphone to enroll and authenticate with the FIDO 2.0 method.

The Activity of Unlocking a User is Not Logged

This patch resolves the issue where the unlocking activity of a user is not logged in syslog files.

Advanced Authentication Does Not Work with Amazon Web Services

This patch resolves the issue when the Advanced Authentication server is hosted on the Amazon Web Services, the services stop after a period of about 10 minutes.

Expired Password Blocks Users from Logging into the Web Authentication Events

This patch resolves the issue where a user is not allowed to log in with an expired password. The system does not provide a mechanism to change or register a new password.

A Bad Gateway Is Displayed for the Web Authentication

This patch resolves the issue where an error invalid request block size is displayed on the web server during the web authentication. This issue occurs because the size of the cookie header that is sent exceeds the limit set for UWSGI.

Now, the buffer-size has been increased to 8192 bytes.

Issue with the Facet Settings

This patch resolves the issue where users cannot enroll the U2F method when Facets primary server URL suffix in the Facets settings contains a custom port.

The symdb.log File is not Exported Along with the Other Log Files

This patch resolves the issue where the symdb.log file is not generated and exported in the debug logs location (\opt\symdb\logs) from the Administration portal.

The symdb.log File Does not Contain Previous Logs

This patch resolves the issue where the symdb.log file does not contain all of the previous logs as compared to the other log files, where the older files are stored.

Domain Controller Does Not Complete the Boot Process

This patch resolves the issue where after installing the Logon filter and rebooting the server results in an infinite server reboot loop.

To fix this issue, perform one of the following actions:

Issue in Authenticating with the Re-enrolled Methods on Windows Client When the Cached Login Is Enforced

This patch resolves the issue where if you enable the forced cached logon (forceCachedLogon: true) on Windows Client, you cannot authenticate with the re-enrolled methods.

Now, during the first login with the re-enrolled authenticator, the cached authenticator gets cleared. When you log in the next time, you can authenticate with the authenticator.

Issue with Enrolling the Fingerprint Method on Windows 7 Professional

This patch resolves the issue where users are unable to enroll the Fingerprint method on Windows 7 Professional.

Issue with Login on Mac OS Client

This patch resolves the issue when users try to log in to the Mac OS Client with an expired password (on the Active Directory), a message You must change your password is repeatedly displayed.

Now, the user login window is displayed after clicking OK. You must change your password message does not repeat.