NetIQ Self Service Password Reset 3.3 Release Notes

July 2015

NetIQ Self Service Password Reset (SSPR) is a Web-based password management solution. It eliminates the users’ dependency on administrators to change their passwords. It reduces the workload of the helpdesk and in turn reduces the cost incurred by the company. Users can change their passwords and reset forgotten passwords based on the configured challenge-responses or one time passwords. SSPR also allows administrators to ensure that all passwords in the organization comply with the established policies. For detailed information about NetIQ Self Service Password Reset, visit the NetIQ Self Service Password Reset Documentation Web site.

SSPR 3.3 enhances the product capability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

1.0 What’s New?

SSPR 3.3 provides the following features, enhancements and fixes in this release:

1.1 New Theme for Self Service Password Reset

The theme for Self Service Password Reset is changed to enhance the usability of the product, and to comply with the NetIQ standards.

1.2 Integrating NetIQ Advanced Authentication Framework with Self Service Password Reset

You can now configure NetIQ Advanced Authentication Framework (NAAF) settings so that NAAF users can use the configured authentication method during a forgotten password process. For more information about using NAAF authentication methods, see Integrating SSPR with NetIQ Advanced Authentication Framework in the NetIQ® Self Service Password Reset 3.3 Administration Guide.

1.3 One Time Password Can be Used for the Forgotten Password Process

The configuration option One Time Password is added for enabling and configuring one time passwords. If you enable and configure the settings for one time password, users can set up their one time password details so that they can receive the one time password during a forgotten password process. For more information about the One Time Password settings, see Configuring One Time Password in the NetIQ® Self Service Password Reset 3.3 Administration Guide.

1.4 Different Verification Methods for Forgotten Password Process

You can now specify the required verification method for forgotten password by using the Verification Method setting. For more information about this setting, see Configuring Forgotten Password Policy for a Profile.

1.5 The LDAP Group Search Filter Available for Searching Users From the Directory

The LDAP permission setting now includes a group filter in addition to the LDAP filter that searches the directory depending on the filter settings.

1.6 The Forgotten Password, Helpdesk and New User Registration Policies Can Be Specified for Different User Groups

You can now configure multiple profiles for different user groups with the required settings in forgotten password, helpdesk and new user registration. For more information about creating a policy for a specific profile, see Configuring LDAP and Policy Profiles.

1.7 SSPR Allows Uploading the JDBC Driver File By Using the Web Interface

You can now upload the JDBC driver file instead of copying the file. For more information about uploading the file, see Database Driver under Configuring Database Settings.

1.8 SSPR Allows Testing the Database Connection and Availability of SMS Gateway

You can now test the database connection and the availability of the SMS gateway. A Test button is included to test database connectivity in the database settings, and SMS gateway availability in the SMS settings.

1.9 SSPR Allows Challenge/Response Policies to be Set for Each Question

You can now specify the challenge/response policy for each question instead of setting it globally.

1.10 SSPR Includes Configuration Template for Identity Manager

This release of SSPR includes a configuration template for Identity Manager (IDM). All the settings that are required for the configuration are displayed when you select the NetIQ IDM/ OAuth Integration template.

1.11 New Audit Event Type and Audit Records

SSPR 3.3 supports new audit records such as HelpdeskAuditRecord. For more information about audit records, see the collector for SSPR documentation.

1.12 The Peoplesearch Functionality Can be Used for SSPR Public Web Page

You can now allow all the users to use the Peoplesearch functionality on an SSPR public web page. To allow users to use a public URL to search for LDAP users, you must select the Enable PeopleSearch Public (Non-Authenticated) Access setting in the People Search option.

1.13 SSPR Provides an Option for Enabling Users to View the Organizational Chart for a Particular User

You can now allow users to view the organizational chart for a user, which shows the user’s details along with the details of the user’s manager and the people who report to the user. The hierarchy level is displayed with the arrow symbol. For more information about people search, see Enabling People Search.

1.14 Software Fixes and Enhancements

The following lists the issues resolved in this release:

Error in Password Expiration Message while Using Japanese Locale

Issue: The password expiration message includes the Day text twice. [Bug 875992]

Fix: The issue is resolved now as the password expiration message is displayed correctly.

Progress Bar on an iPhone Is Not Resized after Password Reset

Issue: When you reset a password by using an iPhone, the progress bar is not resized as per the screen layout. [Bug 888533]

Fix: The issue is resolved now as the progress bar is resized on the iPhone.

Security Answer Is Incomplete if it Includes a Special Character

Issue: When you include a special character (“) in the secret answer field and click Check Answers, the response is incorrect and the text before the special character is displayed in the secret answer field. [Bug 889669]

Fix: The issue is resolved now as the secret answer field does not retain any text when the secret answer is wrong.

CRLF Header Injection Attack

Issue: SSPR is susceptible to CRLF header injection attacks. The SSPR server sends a client response to the client via the response header. [Bug 902467]

Fix: The issue is resolved now as SSPR is no longer susceptible to CRLF header injection attacks.

XXE Attacks in the Configuration Editor

Issue: In the Configuration Editor, an attacker can read local files by injecting external XML files. [Bug 902735]

Fix: The issue is resolved now as the Configuration Editor is no longer susceptible to XXE (XML External Entity) attacks.

Password Field Does Not Accept A Space

Issue: When you enter a space in the Password field, the authentication fails. [Bug 911037]

Fix: The issue is resolved now as the password field accepts a space.

iPad Users Unable to View the Challenge Questions List

Issue: When trying to answer challenge questions, the iPad users are unable to view the challenge questions list. [Bug 915886]

Fix: The issue is resolved now as an iPad user can view the challenge questions list.

SSPR Does Not Read Windows Server 2003 Complexity Rule Automatically

Issue: In SSPR, the Windows Server 2003 Complexity rule is not read automatically even after it is configured in eDirectory. [Bug 924780]

Fix: The issue is resolved now as the Windows Server 2003 Complexity rule is read automatically.

New User Creation Fails when the Optional Attribute Value Is Not Provided

Issue: When you try to create a new user without providing the optional attribute value, the registration fails. [Bug 929341]

Fix: The issue is resolved now as the new user account is created successfully even when there is no optional attribute value provided.

Unable To Use Customized Email Addresses

Issue: When you configure an alternate email address in the To field of the Forgotten Password Verification Email section, the configured email address does not receive the password reset link. [Bug 930640]

Fix: The issue is resolved now as the configured email address receives the password reset link.

2.0 System Requirements

For detailed information about hardware and software requirements, see Installation Requirements in the NetIQ® Self Service Password Reset 3.3 Administration Guide.

3.0 Installing and Upgrading SSPR

SSPR is available for download in the following two formats:

  • (Recommended for new installation) SSPR.msi: An executable file that contains SSPR Web archive and tools.

  • SSPR_3.3.ZIP: A compressed zip file that contains SSPR Web archive and tools.

For more information about how to install SSPR, see Installing SSPR in the NetIQ® Self Service Password Reset 3.3 Administration Guide.

For information about how to upgrade SSPR, see Upgrading SSPR in the NetIQ® Self Service Password Reset 3.3 Administration Guide.

4.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

4.1 New User Registration Fails When Minimum Password Age is Defined

Issue: If you have defined the minimum password age for a user in an Active Directory or an Oracle Directory group policy, new user registration fails.

Workaround: To work around this issue, the SSPRConfiguration file must include the following properties tag:

<properties type="app">
    <property key="newUser.ldap.useTempPassword">false</property>
</properties>

The SSPRConfiguration file is located in the WEB-INF folder. By default, the location of the SSPRConfiguration file is C:\Program Files (x86)\NetIQ Self Service Password Reset\apache-tomcat-7.0.50\webapps\sspr\WEB-INF.
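The XXE issue listed in section 1.14 and the workaround above both involve XML handled as SSPR configuration. The following Python check is an added example, not NetIQ code or part of SSPR: it parses a configuration fragment with any DOCTYPE refused and reports whether the property from this workaround is set to false. The names read_app_properties, workaround_applied and UnsafeXml, and the DTD sample input, are assumptions made for the example.

```python
import xml.parsers.expat

TEMP_PASSWORD_KEY = "newUser.ldap.useTempPassword"  # key from section 4.1
# The fragment exactly as section 4.1 gives it.
PAGE_FRAGMENT = (
    '<properties type="app"> '
    '<property key="newUser.ldap.useTempPassword">false</property></properties>'
)
# Constructed input carrying a DTD; the file path is a placeholder.
CONSTRUCTED_DTD_INPUT = (
    '<!DOCTYPE properties [<!ENTITY e SYSTEM "file:///placeholder">]>'
    '<properties type="app"><property key="k">&e;</property></properties>'
)

class UnsafeXml(ValueError):
    """The document carries a DOCTYPE (DTD or entity declarations)."""

def read_app_properties(xml_text):
    """Return {key: value} from <properties type="app">, refusing any DOCTYPE."""
    props = {}
    state = {"in_app": False, "key": None, "buf": []}

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # Entities are declared in a DTD, so refusing the DOCTYPE blocks XXE.
        raise UnsafeXml("DOCTYPE declarations are not accepted")

    def start(name, attrs):
        if name == "properties":
            state["in_app"] = attrs.get("type") == "app"
        elif name == "property" and state["in_app"] and "key" in attrs:
            state["key"], state["buf"] = attrs["key"], []
    def chars(data):
        if state["key"] is not None:
            state["buf"].append(data)
    def end(name):
        if name == "property" and state["key"] is not None:
            props[state["key"]] = "".join(state["buf"]).strip()
            state["key"] = None

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return props

def workaround_applied(xml_text):
    """True when the section 4.1 property is present with the value "false"."""
    return read_app_properties(xml_text).get(TEMP_PASSWORD_KEY) == "false"
```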

4.2 Users Can Change Password Even When Changing the Password is Restricted in the Active Directory

Issue: When you select User cannot change password in the Active Directory settings page, the user is restricted from changing the password. However, when the user attempts to change the password by using the Forgotten password link, SSPR allows the user to change the password instead of restricting the user.

Workaround: When you restrict a user from changing the password, you must ensure that you disable the Use Proxy When Password Forgotten setting from the Active Directory template by using the Configuration Editor.

4.3 Cannot Access the SSPR Page When Using Internet Explorer Version 11

Issue: When using a secured (HTTPS) connection to launch the SSPR web console, Internet Explorer 11 does not display the SSPR page.

Workaround: The administrator must update the operating system with the latest patch before connecting to the secured SSPR web console.

NOTE: For Windows 2008 server, SSPR is supported only on the Chrome and Firefox browsers.

4.4 Users Unable to Log In with Old Password If the Forgotten Password Process is Started But Not Completed

Issue: When a user starts the password change process by clicking Forgotten password, a random password is generated. If the user then cancels the process without completing it, the user cannot use the old password. This happens because SSPR recognizes the random password that is generated when the user clicks Forgotten password.

Workaround: Perform the following for different directories:

  • For Active Directory, you can enable the Use Proxy When Password Forgotten setting from the Configuration Editor.

  • For eDirectory, you must enable the Allow admin to retrieve passwords option from the eDirectory settings page.

  • For Oracle Directory Server, the user needs to complete the forgotten password process and then use the new password to log in.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.