ADSelfService Plus Release Notes
Release Notifications Receive notifications whenever an update is released. Latest service pack
Release Notes for build 6212 (Nov 14, 2022)
- Hardware TOTP token support: Hardware tokens such as Protectimus hardware TOTP token, Deepnet Security hardware token can now be configured as a custom TOTP authenticator for identity verification.
- SMS and email verification support for VPN MFA: SMS and email verification can now be configured as an authenticator for VPN MFA.
- Bulk enrollment support for authenticators: Admins can now enroll end users for Google Authenticator, Microsoft Authenticator, Zoho OneAuth TOTP authenticator, and custom TOTP authenticators through bulk enrollment either using a CSV file or through a database fetcher.
- An option to skip the Select your mobile number/email address drop-down in the MFA verification page for SMS and email verification has now been included.
- An issue in the working of Linux agent (Cent OS 7) has now been resolved.
Release Notes for build 6211 (Oct 28, 2022)
- Third-party requirement for NTLMv2 SSO: To enable NTLMv2 SSO for ManageEngine ADSelfService Plus in builds 6211 and above, you have to manually download the Jespa JAR file and add it to the lib folder of the product's installation directory. For more information, click here.
- A major security enhancement has been made in the product.
- The forced enrollment using login scripts feature didn't work for partially enrolled users. This issue has been fixed.
Release Notes for build 6210 (Oct 21, 2022)
- Notification Center: To ensure product security, a notification center has now been included to display important alerts that require admin attention.
- To ensure security, the Spring JAR files used in the product have been updated to version 5.3.21.
- To ensure security, the Commons Text JAR files used in the product have been updated to version 1.10.
- An issue that caused an infinite password sync loop when password sync is configured for Active Directory bidirectionally has now been resolved.
- An issue that caused the login agent to crash when Have I been Pwned integration was enabled and HTTP was configured has now been fixed.
- An authorization issue in Talkback APIs has now been resolved.
- A memory leak issue which caused the domain controller to restart abruptly in rare scenarios when Password Sync Agent version 2.0 was configured has now been fixed.
Release Notes for build 6209 (Sep 30, 2022)
- An issue in the Restrict Users scheduler under License Management when there were different domains containing the same usernames has now been fixed.
- An issue that occurred while searching for a username containing '_' in reports when using an external MS SQL database has now been fixed.
- An issue in prompting MFA during VPN login when the username format was domain name/username has now been fixed.
Release Notes for build 6208 (Sep 21, 2022)
- MFA for Windows User Account Control: All UAC elevation prompts that require credentials such as installing an application, editing the registry, and so on can now be secured using MFA.
- Machine-based MFA: Secure business-critical machines in your organization by enforcing Machine-based MFA. This allows users to access the machine only upon successful identity verification through MFA, irrespective of their enrollment status, self-service policy membership, and ADSelfService Plus server connectivity.
- An issue which caused MFA to not function as intended in Windows 11 machines during system unlock has now been fixed.
Release Notes for build 6207 (Aug 29, 2022)
The ADSelfService mobile app now supports the following features and enhancements.
- MFA for mobile app login: ADSelfService Plus mobile app logins can now be secured with an additional layer of authentication using MFA.
- Passwordless login: Provide easy and secure access to log in to the mobile app using modern authentication factors such as biometric authentication, push notification authentication, TOTP authentication, and so on.
- Support for additional authenticators: The ADSelfService Plus mobile app now supports Zoho OneAuth authentication, custom TOTP authentication and backup recovery code support during self-service actions and mobile app logins.
- Manage device enrollment: An option to restrict the number of devices users can use to enroll for mobile app authenticators like push notification, biometric, and QR-code authentication has now been included.
- User enumeration prevention: An option to prevent attacks through user enumeration in the mobile app has now been introduced.
- An issue with the functioning of Accessibility VoiceOver in iOS devices has now been resolved.
Release Notes for build 6206 (Aug 18, 2022)
- An issue with the functioning of the custom range filter in Audit Reports, when there were a large number of audit records, has now been fixed.
- A performance issue while derestricting users under License Management, when there were a large number of restricted users, has now been fixed.
Release Notes for build 6205 (Aug 09, 2022)
- Enrollment report customization: The Enrolled Users Report and Non-enrolled Users Report can now be customized to view additional user information, such as their active status, last logon time, etc.
- Cloning existing policies: Existing self-service policy configuration settings can be copied to create multiple policies across domains now.
- Granular control over trust periods: The MFA trust period for browsers and machines can now be customized in terms of minutes, hours, or days.
- An issue with deleting licensed users who have an apostrophe character in their names has been fixed.
- An XSS issue that could potentially occur in the Conditional Access rule assignment section has been fixed.
Release Notes for build 6204 (Jul 29, 2022)
- The MFA and Password Policy Enforcer features have now been extended to technicians who use product authentication.
- An issue in which the functioning of the Password Sync Agent was affected when a domain flatName was specified during domain configuration has now been fixed.
- A security vulnerability which caused authenticated remote code execution in quick enrolment configuration by super admin when connecting to MySQL database has now been fixed.
Release Notes for build 6203 (Jun 30, 2022)
- A denial-of-service attack issue (CVE-2022-34829) in the ADSelfService Plus Mobile App Deployment API has now been fixed.
For more information, refer to our security advisory page.
Release Notes for build 6202 (Jun 27, 2022)
- An option to prevent user enumeration by initiating a mock MFA process has now been included. This has been implemented to mitigate CVE-2022-28987.
- An issue in which the Change Password notification was not triggered when the operation was performed via the mobile application or mobile web browser has now been fixed.
Release Notes for build 6201 (Jun 9, 2022)
- Mac Agent support has now been extended to macOS Monterey.
- XLSX format is now supported for exporting reports.
- An option to extend the portal session expiration duration to one day has now been provided.
- Performance-related issues in User Reports, Restricted Users report, Password Expiration Notification, and Unrestrict Users scheduler have now been fixed.
- An issue that blocked the database query while sending enrollment push notifications has now been resolved.
- An issue in VPN MFA when the configured MFA method was push notification has now been fixed.
Release Notes for build 6200 (May 24, 2022)
- The communication between the Password Sync Agent and the ADSelfService Plus server has now been secured with the inclusion of an access key. (CVE-2021-37423) For more information, refer to our security advisory page.
- An issue which exposed the username information in the request URL sent to the ADSelfService Plus server upon successful IdP authentication has now been fixed.
- An issue where the embedded employee search option was not displaying the desired results has now been resolved.
- To enhance security, the Spring JAR files used in the product have now been updated to version 5.3.18.
: If you have upgraded to build 6200 and are already using the Password Sync Agent, it is mandatory to reinstall the Password Sync Agent for proper functioning of the agent. Please refer to this guide
for more information on Password Sync Agent installation.
Release Notes for build 6123 (Apr 13, 2022)
- A security vulnerability which exposed admin credentials if the ADSelfService Plus server access was compromised while installing the login agent using Remcom and RemoteExec methods has now been fixed.
- A security vulnerability which caused XSS script execution in the Configured Domains page has now been fixed.
Release Notes for build 6122 (Apr 9, 2022)
- In product instances where post-action custom scripts are enabled, a security vulnerability (CVE-2022-28810) which could lead to remote code execution during password reset and password change, has been fixed. This issue was reported by Hernan Diaz, Andrew Iwamaye, Dan Kelly, and Jake Baines of Rapid7 via our Zoho Bug Bounty program.
For more information, refer to our security advisory page.
Note : If you have enabled custom scripts, follow these guidelines after upgrading to build 6122.
Release Notes for build 6121 (Mar 3, 2022)
- A security vulnerability (CVE-2022-24681) which allowed XSS script execution in the reset password, unlock account, and user must change password pages has now been fixed.
- A vulnerability (CVE-2022-29457) causing the NTLM Hash to be disclosed to operators when configuring the storage path of a remote machine in the Reports tab has now been fixed.
Release Notes for build 6120 (Feb 11, 2022)
- Site-based DC Update: Let's you assign a particular set of domain controllers (DCs) to an OU so that self-service changes made by users from that OU are quickly updated in the DCs assigned to that OU.
- Password Sync tab is now equipped with the capability to deselect all the linked accounts for password reset, account unlock, and password change operations.
- An option that allows domain display name to be shown or hidden in the end-user portal/pages has now been added in the Reset & Unlock tab.
- IP-based portal restriction will now deny technician logins from black listed IP addresses.
- Windows MFA, which was prompted for user login and screen unlock earlier will now be prompted only during user login.
- Glitches pertaining to MFA application to macOS machines whose names contained spaces have been resolved.
- When the login page was customized to display only the login button, the drop-down list had glitches. This issue has now been resolved.
- An issue which caused the failure of SAML SSO for custom applications since only "Exclusive Canonicalization with Comments" XML Canonicalization method was supported has now been fixed.
- An issue in which mail content was added to the syslog files has now been removed.
- An issue specific to the Germany locale in displaying the number in the password policy enforcer text has now been fixed.
- Text customizations done in Language Customization tab for languages other than English were not reflecting. This has been fixed.
- A memory leak issue in VPN MFA's NPS extension has now been fixed.
Release Notes for build 6119 (Dec 21, 2021)
- Log4j dependency in ADSelfService Plus has been removed to ensure security.
: If you have enabled or want to enable RSA SecurID configuration for multi-factor authentication, please read this forum post
to know more about this fix.
Release Notes for build 6118 (Nov 30, 2021)
- An issue in renewing the SAML certificate when ADSelfService Plus is the identity provider has now been fixed.
Release Notes for build 6117 (Nov 15, 2021)
- Azure AD MFA support: Azure AD MFA can now be used for identity verification during self-service reset/unlock; self-service portal login; cloud application, machine and OWA logins. This method is supported in both web and mobile applications.
- RADIUS challenge support has now been provided for RADIUS multi-factor authentication.
- An issue in the Enrolled Users Report while sorting the users' mobile numbers has now been resolved.
- OWA context was added twice in the server.xml file when service pack installation failed. This issue has now been resolved.
- An issue in which the content-type was missing in the response when the mobile site URL had js, css, image, and cewolf as resource types has now been fixed.
- When the answer to the security question were all numbers, users were unable to prove their identity for password reset/unlock account via the mobile application. This issue has now been fixed.
- A login issue which occurred when users committed an error of adding spaces in the beginning and end of the username and when the username contained % has now been fixed.
Release Notes for build 6116 (Sep 30, 2021)
- All the API endpoints have now been strengthened to be more secure.
- A security vulnerability (CVE-2021-20147) which allowed performing unauthenticated UMCP operation using REST API has now been fixed.
- Access to the domain password policy HTML (CVE-2021-20148) has now been restricted for all users.
- A minor change has been implemented to display the username and password fields on the same login page now.
Release Notes for build 6115 (Sep 24, 2021)
- When a custom attribute's display name containing \ or " was added to the employee search display column, no results were returned for an employee search. This issue has now been fixed.
- An issue in the Linux Login Agent specific to Ubuntu 18.04.5 LTS has now been resolved.
- An issue in integrating ADManager Plus with ADSelfService Plus when the provided admin/technician account's password contained % has now been fixed.
- Login issue when the username contained space has now been resolved.
Release Notes for build 6114 (Sep 7, 2021)
- SAML SSO support for ServiceDesk Plus: ADSelfService Plus now supports single-sign on (SSO) to the on-premises version of ManageEngine ServiceDesk Plus.
- Migrated from JavaPNS to Pushy library (v0.14.1) and from NotNoop to Pushy library (v0.14.1), for sending iOS notifications and pushing the mobile application respectively, when the MDM profile is installed.
Security Issue fix:
- An authentication bypass vulnerability affecting REST API URLs, rated critical, has now been fixed. [CVE-2021-40539]
Release Notes for build 6113 (Sep 1, 2021)
- An issue which restricted users with special characters in their passwords from logging in to the portal via the mobile site has now been fixed.
- An issue that restricted users access to the portal even during the permitted logon hours has been resolved.
- All cookies can now be protected by enabling the HttpOnly flag.
Release Notes for build 6112 (Aug 26, 2021)
- Mac Agent support has now been introduced for macOS Big Sur.
- Mobile app support to block specific email domains and mobile number formats during user enrollment has now been provided.
- While using the mobile app to reset password/unlock account, the forced number of authentication factors were not verified. This issue has now been resolved.
- A vulnerability in the Approval Workflow module which facilitated an unauthenticated attacker to send emails to domain users has now been fixed.
- The possibility of a Boolean SQL injection attack during manual account linking for Oracle Database has been eliminated.
- The security issue of account takeover via machine account creation has now been fixed.
- The SSRF vulnerability present in the High Availability module has now been fixed.
- The issue in build 6111 with the MFA for VPN feature in which authentication was bypassed has now been resolved.
- The password changes were not applied across all linked accounts when the Force Password Synchronization option was enabled in build 6111. This issue has now been fixed.
Release Notes for build 6111 (Aug 02, 2021)
- MFA for OWA/Exchange Server: Strongly secure your Exchange environment with a dedicated multi-factor authentication (MFA) setup with over 17 advanced authentication methods, for Outlook on the Web and Exchange admin center logins.
- Support for OpenID Connect and OAuth applications: ADSelfService Plus now offers OAuth and OpenID Connect-based single sign-on for any enterprise application that supports these protocols, in addition to the already existing SAML support.
- Users will not be allowed to login if they have spaces in their passwords, for builds from 6108.
- Password expiry notifications were not being sent to the user, if the number of days for account expiry contains '0'. This issue has been resolved.
- The account linking setting for O365 application was not saved properly when single sign-on is enabled for O365. This issue has been fixed.
Release Notes for build 6110 (Jul 29, 2021)
- Fixed the account takeover issue (CVE-2021-37927) reported by HaYiCle, by enforcing SAML signature verification before logging in users through SAML SSO.
Release Notes for build 6109 (Jul 23, 2021)
- The VPN Group Name field is no longer mandatory while configuring Cisco AnyConnect for updating cached credentials over VPN.
- The issue that occurred when updating country/region under the Profile tab has been resolved.
- The issue with domain API verification in Duo configuration has now been fixed.
Release Notes for build 6108 (Jul 14, 2021)
- Passwordless Login: ADSelfService Plus and other SSO-enabled applications can now be accessed using advanced authentication methods such as biometrics, YubiKey, Google Authenticator, etc.
- Forced enrollment for machine login MFA: Enforce mandatory enrollment to ADSelfService Plus from login screens to implement MFA for machine access.
- Exclusive MFA setup for cloud applications: Customize the authentication factor set-up for service provider-initiated SSO-enabled application logins.
- SAML authenticator: SAML authentication can be included as an authentication factor for ADSelfService Plus logins, Endpoints MFA, and Applications MFA.
- Language support: ADSelfService Plus now supports Traditional Chinese language.
- The macOS login agent was not loading after a restart or shut down operation. This has been fixed.
- Enabling Hide Personalization setting did not force the admin's theme preference over the users when the users' theme preference was set before the enforcement of this setting. This issue has been resolved.
- An issue that caused trouble in the SSO login process in the latest versions of browsers has been resolved.
Release Notes for build 6107 (Jul 2, 2021)
- The jQuery library used in the product has been updated from version 1.11.3 to 3.5.1.
- The Bootstrap framework used in the product has been updated from version 3.3.6 to 3.4.1.
- The jQuery UI used in the product has been updated from version 1.9.2 to v1.10.0.
Release Notes for build 6106 (Jun 15, 2021)
- Conditional Access: You can now restrict access to the ADSelfService Plus portal and enable NTLM single sign-on, based on a user's location, device used, time of access, and IP address.
- Duo Device Management Portal: Users can now add or remove Duo-registered devices from the ADSelfService Plus portal.
- User profile images were not being displayed in the Organization Chart when Reverse Proxy was configured. This issue has been resolved.
- An OU performance issue that caused delays in information retrieval has been resolved.
- When a user is a part of many groups, the login process was slightly delayed. This issue has been resolved.
Release Notes for build 6105 (May 26, 2021)
- Admins can now configure users' managers email addresses to send them notifications about user activities like self-service password reset, self-service account unlock, password change, and enrollment.
- The email verification code generated during enrollment and user identity verification can now be sent to the admin or manager via email.
- An option has been introduced to block specific email domains and mobile formats provided during user enrollment.
- A vulnerability which lead to unauthenticated and authenticated remote code execution through PowerShell injection has been fixed.
- If the user entered an email address during enrollment and the same email address was later updated as the user's AD mail attribute value, the user did not receive scheduled notifications and the email address was displayed twice during email verification authentication. This issue has been fixed.
- When users access the end-user portal through NTLM Authentication, user actions could not be performed in certain Windows environments. This has been fixed.
- The configuration of RADIUS authenticator failed when the secret key had specific special characters (<, >, ', ", and &). This has been fixed.
- An issue that occurred in the secure links generated for email verification has been fixed.
Release Notes for build 6104 (May 8, 2021)
Vulnerability issue fixes:
- A vulnerability that in rare cases allowed bypassing CAPTCHA in the ADSelfService Plus login page has been fixed.
- A rare Cross-Site Scripting attack vulnerability in the e-mail address field used in the employee search feature has been fixed. (Reporter: Matt CVE-ID: CVE-2021-27956))
- A vulnerability that in rare cases can cause Reflected Cross-Site Scripting attacks has been fixed.
- A vulnerability that in rare cases let attackers expose information about the database application configured for password sync has been fixed.
- A vulnerability that in rare cases let attackers bypass the ADSelfService Plus' admin portal access restriction based on IP addresses has been fixed.
Release Notes for build 6103 (Apr 28, 2021)
- Zoho OneAuth's OTP authenticator can be used as an MFA method to verify users' identities during password reset and account unlock actions, ADSelfService Plus logins, and machines and VPN logins.
- The Linux login agent now supports Ubuntu version 20.x.
- The password synchronization with OpenLDAP now supports the Extended Password modify operation - (RFC-3062).
- SAML assertion attributes have been introduced to allow admins to configure the specific attributes that have to be included in the SAML response token sent to the service provider by ADSelfService Plus to prove a user's identity.
- For SAP NetWeaver password sync, the unlock account functionality is now restricted for accounts that were locked or disabled by the admins.
- An issue with configuring the Select Duration setting for scheduled reports has been fixed.
- An issue with generating reports using the Operator technician role has been fixed.
Release Notes for build 6102 (Mar 20, 2021)
- An unauthenticated remote code execution vulnerability ((CVE-2021-28958) has been fixed.
Release Notes for build 6101 (Mar 5, 2021)
- ADSelfService Plus now supports three different methods of Windows login agent installation to ensure success rate. The three methods are:
- The issue of not receiving a prompt for multi-factor authentication while using the VPN when languages other than English are personalized for the ADSelfService Plus server has been resolved.
Release Notes for build 6100 (Dec 31, 2020)
- The Tomcat server bundled with the product has been upgraded to version 8.5.57.
- The ADSelfService Plus database backup archives are now password protected.
- A security issue due to the use of fixed ciphering keys has been fixed (Zoho Bug Bounty ID: ZVE-2018-1790).
- A security issue that caused improper authorization of end user actions has been fixed (Zoho Bug Bounty ID: ZVE-2020-4164).
Release Notes for build 6013 (Nov 26, 2020)
- Support for SAML Authentication as an MFA method in the ADSelfService Plus mobile app (both iOS and Android) for self-service password reset and account unlock.
- Issue in SAML SSO logins when reverse proxy server is configured has been fixed.
Release Notes for build 6012 (Nov 12, 2020)
- MFA backup codes for authentication: Users can now prove their identity using backup codes when they cannot access the enrolled MFA authenticators or their mobile devices used for authentication. These backup codes can be generated by both users and the admins, and used for identity verification during machine and VPN logins, self-service actions, and ADSelfService Plus portal logins.
- Custom Time-based One-time Passcode (TOTP) Authenticator support: Admins can now configure any TOTP authenticator [Eg: Symantec VIP Access, FortiToken, Free-OTP, etc] as per organizational usage to verify users' identities during password reset and account unlock actions, and ADSelfService Plus, machines and VPN logins.
- Smart card multi-factor authentication: Smart card authentication will now be available as an authenticator in multi-factor authentication for ADSelfService Plus web portal login.
- ADSelfService Plus has been upgraded from two-factor authentication to multi-factor authentication for machine (Windows, macOS, and Linux), VPN and product logins.
- Admins can now link domain user accounts based on any attribute of choice with the Duo accounts for multi-factor authentication.
- Idle time limit during multi-factor authentication can be configured for machine, VPN, and product logins.
- During user identity verification through SMS and email verification codes, the drop-down menu at the end-users portal will prioritize the mail/mobile values added by the end-user during enrollment over those stored in Active Directory.
- The time taken to load Change Password tab has been reduced.
- Fixed an issue that prevented including more than 10 mail addresses in the Admin Mail Address field under Mail Settings.
- While logging into ADSelfService Plus through SAML single sign-on, it is now possible to use any authentication technique provided by the identity provider (Okta, OneLogin). Password authentication is not mandatory.
Release Notes for build 6009 (Sep 30, 2020)
- New customization options that help rebrand ADSelfService portal to best suit your requirements. With these new options you can:
- Set a background image for the portal's login page.
- Customize buttons on the users' login page.
- Select custom color for theme using the color picker field.
- The issue of license consumption by both the primary and secondary user accounts when password synchronization is enabled between two Active Directory domains.
- The issue in AltGr key usage in the Windows login agent when ADSelfService Plus' end-user portal is configured to display in languages other than English.
- Encoding failure during mail attachment when using languages other than English.
- The issue where Organization Chart generation was slowed down and CPU usage was higher than usual when the number of users in the domain increased.
Release Notes for build 6008 (Sep 9, 2020)
- Fixed an issue that prevented proper embedding of image in email content.
- If the Password Expiration Notification's retry option is disabled, managers receive an empty Soon-To-Expire Password Users Report on the specific days configured when no users fall under the report that day. This has been fixed.
Release Notes for build 6007 (Sep 4, 2020)
- Trusted devices option for Endpoint Machine Login MFA: Users can now mark their machines (Windows, macOS, or Linux) as trusted during login to skip multi-factor authentication for subsequent logins. Admins can define how long a machine should remain trusted.
Release Notes for build 6006 (Aug 27, 2020)
- Load Balancing: ADSelfService Plus now comes with a built-in load-balancing server, to help you set up multiple instances of ADSelfService Plus, and distribute incoming requests among them. This helps improve performance, eliminate downtime, and provide a better experience for end users.
- Reverse Proxy: Enable reverse proxy, by integrating with ManageEngine AD360, to improve security when making ADSelfService Plus accessible for remote access.
Release Notes for build 6005 (Aug 15, 2020)
- Multi-factor authentication (MFA) for VPN: Secure your VPN by enabling MFA via fingerprint/Face ID, Push Notification, Google Authenticator, Yubico OTP, and other wide range of authentication factors.
Release Notes for build 6004 (Aug 12, 2020)
- Users were not able to login using the mobile browser during SP-initiated SAML SSO. This has been fixed.
- Password change using the PowerShell API has been secured.
- Custom questions were not properly displayed when configuring the Auto Enrollment Scheduler using CSV file. This has been fixed.
Release Notes for build 6003 (Jul 24, 2020)
- Face ID authentication is now supported for MFA in the ADSelfService Plus iOS app.
- Security fix to prevent unauthenticated remote code execution attacks.
Release Notes for build 6002 (Jul 10, 2020)
- Fixed an issue which prevented sending the password expiration notification and expired password notification to users with Password Setting Object applied to them.
- Fixed an issue that prevented saving multiple mail addresses under Notify Admin in the Notifications tab of Advanced Policy Configuration settings.
- Provision for verification of user enrollment status with Duo Security has been added for enhanced security.
Release Notes for build 6001 (Jul 7, 2020)
Conditional Access Policy: Use various risk factors such as IP address, device type, time of access, and geolocation to determine which self-service policy will be assigned to users. With Conditional Access Policies, you can enforce endpoint MFA or restrict access to self-service features for high-risk users, thus improving security posture without affecting user experience.
- Fixed an issue which prevented changing the SMS provider from GSM Modem to Custom HTTP.
- The drop-down fields for directory self-update were not displayed properly. This has been fixed.
- Password expiration notifications were not sent to secondary email addresses even when the Enable Notification to All Secondary Mails of Users option was enabled. This has been fixed.
- Autocomplete has been turned off for the answer fields during security questions and answers-based authentication.
- Fixed an MS SQL migration issue which prevented fetching all the MS SQL instances.
Release Notes for build 6000 (Jun 3, 2020)
- This release comes with a service pack that can be used to update your ADSelfService Plus to get the flat GUI as well as the enhancements, and bug fixes released in builds 5816 and 5817.
- The SMS notifications sent during MFA contain HTML code.
- Improper functioning of CAPTCHA when reverse proxy is configured.
Release Notes for build 5817 (May 16, 2020)
- Fixed a vulnerability which allowed a user to enable integration with other supported ManageEngine products bypassing authentication [CVE-2020-24786] , which was reported by Florian Hauser.
- Issue in using Push Notification authentication for logging into ADSelfService Plus when TFA is enabled.
Note: A service pack for this build is currently not available. If you are using an older build of ADSelfService Plus, you can still fix the issue by following the steps mentioned in this post.
Release Notes for build 5816 (Apr 23, 2020)
- Improved look and feel with flat UI: The ADSelfService Plus admin portal has been revamped with a sleeker and more streamlined flat user interface.
- Embed dashboard widgets: The dashboard graphs can be embedded in any web page using the HTML snippet provided. A URL is also provided to access the graph separately.
- Language customization: Personalize ADSelfService Plus by customizing any text displayed in the portal for your language of choice.
- SSL deployment through UI: Easily apply a SSL certificate and enable HTTPS to secure ADSSP in just a few clicks with the all new UI-based SSL certification tool.
- Technician: Administrators now have the option of providing the technician privileges to groups.
- Password Policy Enforcer has been enhanced with several new password policy rules for improved security:
- Disallow the use of specific numbers of consecutive characters from user names and old passwords
- Disallow the use of a character specific number of times consecutively.
- Ensure the password starts with an uppercase letter, lowercase letter, number, or special character.
- Disallow the last character of the password to be a number.
- Fix the number of old passwords to be restricted during password resets.
- The customized message that displays the password policy requirements during password reset or change can be reset to default.
- Directory Self-Update has been improved with the following options:
- Administrators can set the self-update layout as read only.
- Show or hide the Report To and Direct Report fields and the left panel of the self-update layout with these fields and photo upload.
- Enforce the format of information provided in the self-update fields (mobile number, email address, or letters).
- All notification messages can been enhanced with rich text editors.
- Employee Search:
- Administrators now have the option to enable the Employee Search based on self-service policy.
- Force enrollment logon script:
- Administrators now have the option to customize the enrollment logon script window's title and button text.
- IP-based restriction for admin login:
- Admin login can now be restricted to some specific or a range of IP addresses using the restrict IP address option.
Note: A service pack for this build is not available. We'll soon release the next build along with a service pack which contains all features and enhancements included in 5816.
Release Notes for build 5815 (Apr 3, 2020)
- Security fix to ensure ADSelfService Plus is immune to unauthenticated remote code execution (RCE) vulnerability (CVE-2020-11518).
Release Notes for build 5814 (Mar 11, 2020)
- Issue of unnecessary characters in SMS notifications when using the SMTP provider due to improper encoding type.
- Issue in generating the Enrollment Reports graph in the Dashboard tab.
- A vulnerability issue in the ADSelfService Plus login agent has been fixed.
- Issue of password reflection during password reset.
- Issue of a Cross-site Scripting vulnerability.
Release Notes for build 5813 (Feb 25, 2020)
- A security issue that arises when the 'User must change password at the next logon' option is enabled in Active Directory has been fixed.
Release Notes for build 5812 (Jan 27, 2020)
- Issue in enforcing the default minimum password length (i.e, 7) when product technicians change their account passwords.
Release Notes for build 5811 (Dec 28, 2019)
- Block breached passwords: ADSelfService Plus now supports integration with 'Have I Been Pwned?', which prevents the use of breached passwords during password change or reset by users.
Release Notes for build 5810 (Dec 20, 2019)
- Issue in AltGr key usage in the GINA login agent when ADSelfService Plus' end-user portal is configured in non-english display settings.
Release Notes for build 5809 (Dec 17, 2019)
- Option to resend verification codes while authenticating user identities via SMS or email.
- Issue with updating the status of the GINA login agent installation via GPO in ADSelfService Plus.
- Issue in installing the macOS login agent for users when the domain admin password contains certain special characters such as the '!' and '.'.
- Issue which caused the open re-direct vulnerability has been fixed.
Release Notes for build 5808 (Dec 9, 2019)
- Endpoint multi-factor authentication (MFA): Add an extra layer of security to Linux logins, in addition to Windows and macOS, with any of the supported 14 authentication methods including YubiKey, fingerprint authentication, RSA SecurID, and DUO Security.
- Option to perform remote installation, un-installation, customization, and re-installation of the Linux login agent from the admin console.
Release Notes for build 5807 (Dec 2, 2019)
- YubiKey authenticator support: Users can use the YubiKey device to prove their identity during self-service password resets/account unlocks, ADSelfService Plus logins, and endpoint logins.
Release Notes for build 5806 (Nov 8, 2019)
- A CSRF vulnerability that occurs in the self-update section of the end-user portal is fixed.
- Issue in the GINA/CP logon agent that could lead to privilege escalation is fixed.
Release Notes for build 5805 (Nov 5, 2019)
- A few minor bugs have been fixed.
Release Notes for build 5804 (Oct 14, 2019)
- Korean language support: The end user and the admin portal can now be personalized in the Korean language, besides the twenty other supported languages.
- Improved performance in the domain sync operations of ADSelfService Plus.
- Option to use the middleName (LDAP attribute) to greet users and admins on the welcome screen.
- Issue in deleting licensed users of ADSelfService Plus when the admin portal is customized in Polish language.
- Issue in Password Expiration Tool that listed only partial domains while configuring soon-to-expire password notifications.
- Issue in syncing passwords when resets are performed across multiple G Suite domains simultaneously.
- Issue in displaying the host display name during self-service account unlock when the force synchronization option is enabled.
- Issue which duplicates the sent notifications when Password Sync Agent is installed and more than one DC is configured under site-based DC.
- Issue in verifying user identity during Windows logon two-factor authentication (TFA) when UPN suffix is included along with the username.
- Issue which crashed the executable file in Windows logon agent when connected to VPN using Cisco Anyconnect.
- Issue in displaying users' photo in Employee Search at certain times when the session is refreshed.
- Issue which denied users access to ADSelfService Plus via the logon script in the 5803 build.
- Issue in displaying the OU in the Policy Configuration window if its description more than 250 characters.
- Issue in forwarding logs to SSL-enabled Splunk servers.
Release Notes for build 5803 (Sep 10, 2019)
- All untranslated UI text are now localized for all the languages supported by ADSelfService Plus.
- Issue which displayed the error message "Sorry, the page you requested was not found," when manually initiating multiple GINA/Mac/Linux logon agent installation processes.
- Issue in Password Expiration Notifier Tool which failed to accept the DisplayName in the From Mail address of Mail Server settings.
Release Notes for build 5802 (Aug 16, 2019)
- A minor text alignment issue while displaying the custom password policy during password change/reset is fixed.
- An injection vulnerability in the Windows and Linux login agent is fixed.
Release Notes for build 5801 (July 19, 2019)
- Two-factor authentication for macOS: Add an extra layer of security to macOS logins by enforcing two-factor authentication. Choose from thirteen authentication methods including fingerprint authentication, SMS/email verification, RSA SecurID, and DUO Security.
Release Notes for build 5800 (July 8, 2019)
- Supports Microsoft Authenticator: Users can use Microsoft Authenticator to prove their identity during self-service password resets/account unlocks, ADSelfService Plus logins, and Windows logins.
- Separate dialog box for password rules: Display the enforced password policy rules in a dialog box in the Windows password change (Ctrl + Alt + Del) screen.
Note: Download this service pack and get the sleek flat end-user portal in addition to other features and enhancements.
- Option to hide the Applications tab in the end-user portal when automatic account-linking option is enabled.
- The Enrollment Reports have been enhanced to filter partially-enrolled users.
- Enrolled Users Report has been enhanced to display a summary of users selected for disenrollment from being accidentally disenrolled.
- Issue in version 5.7 which failed to update the locally cached credentials in users' Windows machines.
- Issue in logging into the product using unique attributes (email ID or mobile number) if the sAMAccount name of a user and any deleted user is the same.
Release Notes for build 5710 (Jun 22, 2019)
- A security issue has been fixed
Release Notes for build 5709 (May 6, 2019)
- Flat user interface for the end-user portal: ADSelfService Plus' user portal gets a makeover with flat user interface.
- TFA for Windows and ADSelfSevice Plus logon now supports additional authentication methods including:
- Security Questions and Answers
- Email Verification
- SMS Verification
- Google Authenticator
- Duo Security
- RSA SecurID
- RADIUS Authentication
- Push Notification Authentication
- Fingerprint Authentication
- QR Code-Based Authentication
- TOTP Authentication
- Provision to allow users to complete their enrollment during the self-password reset/account unlock process itself after successfully proving their identity using any of the supported authentication method.
- Mobile number and email address added by users during enrollment will be verified through an OTP for improved security.
- Force users to use specific email domain names (such as gmail.com or hotmail.com) during enrollment.
- Option to mandate separate authentication techniques for enrollment and self-password reset/account unlock processes.
- Displaying the calendar field in any date-related field in the self-update layout.
Note: A service pack for this build is not available. We'll soon release the next build along with a service pack which contains all features and enhancements included in 5709.
Release Notes for build 5708 (Apr 22, 2019)
- 389 Directory Server password synchronization: Sync Active Directory password changes with 389 Directory Server passwords in real time.
The following issues have been fixed in this release:
- Failure to send emails when TLS security setting is enabled for mail server.
- Issue which failed to update the modified domain functional level in ADSelfService Plus.
- Issue which restricted licenses of users with the same name of any previously deleted user.
- Issue in displaying user disclaimers in RTL languages.
- Blank GINA/Mac installation reports being exported when MS SQL database is used.
- Script error displayed in GINA/CP password self-service portal, in Danish language.
- Script error when adding restricted IP/Server Name.
- An XSS vulnerability that could be exploited using ADSelfService Plus mobile app API has been fixed.
Release Notes for build 5707 (Mar 20, 2019)
- Support for OpenVPN: Update Cached Credentials over VPN setting extends its support for OpenVPN.
- Password expiration notifier now has an option to not inherit child OUs while sending reminders.
- Issue in configuring the password sync agent when ADSelfService Plus' server is connected through a proxy.
- Issue in migrating database to MS SQL server when SSL encryption is applied to a specific instance.
- Issue in synchronizing password changes with multiple configurations of SAP NetWeaver.
- Vulnerability issue fix in high availability mode.
- Issue which denied access via logon script when DUO is used as the two-factor authenticator.
- Issue in identity provider (IdP) initiated SAML-logout for SSO.
- Issue in displaying the default tab when user portal is accessed via mobile app or mobile site.
- Issue in sending password expiry reminders when there's a user in the list whose PSO cannot be read due to lack of permission.
- Issue in displaying the correct order of mobile numbers in RTL languages such as Hebrew and Arabic.
- XSS Vulnerability issue fixed in the login page. [ CVE-2019-8346 ]
Release Notes for build 5706 (Mar 1, 2019)
- Support for Windows Server 2019: ADSelfService Plus extends its Active Directoy self-service password reset and account unlock capability to Windows Server 2019.
Release Notes for build 5705 (Feb 19, 2019)
- Login agent for Linux: Users can reset passwords and unlock accounts from the login prompt of their Linux machines.
- Synchronize Active Directory password resets and changes across MS SQL and PostgreSQL accounts in real time.
- Ability to link user accounts for password synchronization using the listed attributes of the provider, other than the default sAMAccountName.
- Option to synchronize account unlocks between cloud-based and on-premises accounts irrespective of the lockout status of the users' Active Directory account.
- Issue in displaying more than 500,000 of the generated Notification Delivery audits for Soon-To-Expire Password Users is fixed.
- Issue which randomly displayed 'Sorry, the page you requested is not found' when users attempt to log in to the self-service portal using any browser for the first time.
Release Notes for build 5704 (Jan 17, 2019)
- Ability to enforce custom user disclaimers: ADSelfService Plus now allows you to display custom disclaimers that users must accept before they can access the self-service portal.
- Password sync agent now supports TLS version 1.1 and 1.2.
Release Notes for build 5703 (Jan 2, 2019)
- SAML-based single sign-on (SSO) via Line Works: ADSelfService Plus supports SSO through Line Works, which acts both as identity and service provider.
- Support for multi-factor authentication (MFA) via Line Works: ADSelfService Plus now supports MFA via Line Works, in addition to One Login and Okta, for user authentication during self-service password reset and account unlock.
- Issue that caused an SSRF vulnerability (CVE-2019-3905) is fixed.
- Issue in configuring OpenLDAP with Common Name (CN) is fixed.
Release Notes for build 5702 (Dec 10, 2018)
- Issue of product crashing when the configured GINA Frame Text exceeds the character limit during translation.
- Issue which permitted users to close the password reset/account unlock window of the Windows logon agent (CVE-2018-20484).
- XSS vulnerability in the employee search, and the self-update layout (CVE-2018-20485).
- Issue in translating certain fields in the self-update layout of the end-user portal, from English to the selected language in the personalization section.
- Issue which failed to display the mobile number format for the users in the User Registration section during enrollment.
- Issue which failed to update the authentication settings for the configured mail server in the password expiration notifier free tool.
- Issue in NTLM SSO if the configured service account contains special characters.
- Issue in displaying the strength of the password entered in the reset, and change password pages.
- Issue in auto-generating passwords due to inconsistencies in the enforced password policy.
- Issue in modifying the font size of the Chinese characters in the Logon Page Customizer.
- Issue that truncates the email content sent to authenticate users' identity during two-factor authentication.
- Issue in importing enrollment data from MS SQL databases that have NTLMv2 session security enforced.
- Issue which slowed down the generation of Non-Enrolled Users Report.
- Issue which caused SAML-logout failure.
Release Notes for build 5701 (Nov 30, 2018)
The mobile app deployment feature gets a makeover with the new flat user interface and a few enhancements.
- Trial mode: Test drive this feature by deploying the ADSelfService Plus iOS app for ten users’ mobile devices, with minimal configurations.
- Automated CSR signing from ManageEngine while configuring APNs.
- Schedulers to automate iOS app installation status.
- An XML External Entity vulnerability (CVE-2018-20664) that occurs while uploading product license is fixed.
- Removed the dependancy on OpenSSL as a vulnerability fix.
- Issue in domain data sync which failed to update deleted domain objects in ADSelfService Plus.
- Issue in accessing ADSelfService Plus' portal through the older version of GINA/CP logon agent.
Release Notes for build 5700 (Nov 20, 2018)
- JRE bundled with ADSelfService Plus is updated to version 184.108.40.206.
- Apache Tomcat server bundled with ADSelfService Plus is updated to version 8.5.32.
- PostgreSQL server bundled with ADSelfService Plus is updated to version 9.4.14.
- Fixed a script issue in force enrollment logon prompt.
Release Notes for build 5607 (Oct 22, 2018)
- The AD Sync scheduler now uses DirSync Control to synchronize only the objects that were modified since the last synchronization.
Release Notes for build 5606 (Oct 16, 2018)
- Access to Password Expiration Notifier free tool for ADSelfService Plus users with technician role.
- Rebrand the self-service password reset/account unlock window of the Windows logon agent by adding your company image as browser title.
- Issue in sending SMS notifications with non-English characters due to SMS encoding.
- Issue during backup and restoration of database due to character encoding.
- Issue in selecting OUs if the selected OUs count exceed 100.
- Issue in changing password if the sAMAccountName contains space.
- Issue in changing password if the domain expects a down-level logon name instead of the entered sAMAccountName.
- Issue in changing password in the mobile browser, when the password strength analyser is disabled.
- Issue in synchronizing passwords with Office 365 when the new password contains a single quote (’).
- Issue during password synchronization which displayed multiple records for a single password reset action in the Reset Password Audit report.
- Issue which updates an invalid character in Active Directory for the entered '&' character in the My Info tab.
- Issue which failed to display user profile photo in My Info tab after it is updated in Active Directory.
- Issue in displaying the enforced password policy rules in the native Windows interface (Ctrl+Alt+Del) for non-English OSs.
- Issue in enforcing the custom password policies when the selected dictionary file contains a back slash (\) or a double quote (").
- Issue in deploying the Mac logon agent if the password of service account used contains a dollar symbol ($) or a forward slash (/).
- Issue which failed to display the password-reveal icon in the native Windows interface when the GINA/CP logon agent is installed.
- Issue which failed to list all the appropriate machines in the New Installation tab and the Installed Machines tab of the GINA/Mac Installation section.
- Issue which failed to display an error message when a user, who doesn't have administrative privileges, attempts to install GINA/CP logon agent.
- Issue which caused the login page of ADSelfService Plus to load indefinitely in Chromebook when NTLM Authentication is enabled.
- Issue in accessing certain datatype (VARCHAR2) columns while fetching enrollment data from an Oracle database connection for Quick Enrollment.
- Issue in Auto Enrollment if the imported enrollment data is encoded in UTF-8 format.
- Issue in sending the scheduled reports in HTML format to the managers.
- Issue which sent old audit data to ADSelfService Plus when there is an interruption in password sync agent service.
- Issue which failed to display the installed password sync agent status in the Windows Control Panel.
- Issue which displayed only ten of the available MS SQL server instances in the changeDB window.
- Issue which shows duplicate values of mobile and mail attributes for certain users in the Enrolled Users report.
- Issue which slowed down the generation of disabled users list during license management.
Release Notes for build 5605 (Sep 27, 2018)
- Active Directory-based security questions as an MFA method: You can set up AD-based security questions to authenticate users at the time of self-service password reset and account unlock by comparing their answers with the corresponding AD attributes' value.
Release Notes for build 5604 (Sep 25, 2018)
- An XSS vulnerability has been fixed.
Release Notes for build 5603 (Sep 21, 2018)
- SAP NetWeaver password synchronization: Synchronize AD password changes with SAP NetWeaver in real-time.
- Active Directory Federation Services (ADFS) support for logon SSO and multi-factor authentication: Now you can use ADFS to authenticate users when they attempt self-password reset and account unlock and during ADSelfService Plus single sign-on.
- One-click logout: Improve security by turning every SAML-based application connected to ADSelfService Plus into a point of logout. When users initiate a logout from the identity provider, the user is also logged out from ADSelfService Plus, and vice versa.
- ADSelfService Plus now supports the Finnish language.
- Issue in Windows logon agent (GINA/Credential Provider extension) which failed to display the password policy enforcement rules in the Ctrl+Alt+Del screen of Windows 10, version 1803 has been fixed.
Release Notes for build 5602 (Aug 17, 2018)
- Customizable verification code length: Specify the length of verification codes to be sent to users via email and SMS from the web console.
- Ability to install GINA/CP logon agent using DNS hostname: The GINA/CP logon agent can now be installed on machines using the DNS hostname in addition to the sAMAccountName.
- Issue in adding service account in domain settings when the password exceeds 100 characters.
- Issue in sending bulk emails due to minimum authentication count set in the SMTP server.
- Issue which listed machines with incomplete client software updates along with the error occurred machines.
- Issue which failed to display the title image of ADSelfService Plus when accessed via mobiles.
- Issue in changing the product logo size.
- Issue which displayed the newly imported questions from CSV as admin-defined questions instead of listing it with the user-defined questions.
- Issue which truncates SMS messages with the '&' character.
- Issue in using custom attributes with boolean datatype in the self-update layout.
- Issue in sending test SMS from the ADSelfService Plus licensed Clickatell provider.
- ADSelfService Plus now utilizes TLS 1.1 and TLS 1.2 for improved security.
- Issue in configuring OpenLDAP for password synchronization when the domain name contains space.
- Issue which accepted invalid certificates in the Mac logon agent.
- Issue in providing appropriate permissions to technicians for fetching enrollment data from the MS SQL database.
- Issue in generating reports when the MS SQL database name starts with a number.
- Issue in loading the login page when Safari browser attempts to access ADSelfService Plus using an NTLM account.
- Issue in configuring header and footer content in the authentication pages of RSA SecurID, RADIUS Authentication, and Duo Security.
- Issue in password synchronization between multiple domains when users change their password for the first time.
- Issue which denied password reset for a user if an admin had deleted another user with the same display name in Active Directory.
- Issue in password synchronization with Salesforce.
- Issue which prompted users to change their passwords when they attempt to access ADSelfService Plus using SAML-based authentication if their password is set to never expire.
Release Notes for build 5601 (Jul 30, 2018)
- ADSelfService Plus now supports Hebrew language
Release Notes for build 5600 (Jul 24, 2018)
- The Password Expiration Notifier free tool gets a makeover with a new flat user interface that makes configuring password expiration notifications easier than ever.
- Issue in expanding parent OUs to select child OUs in the GINA/Mac logon agent installation page.
- Issue in disabling product and event notification in Server Settings.
- Issue in deleting unowned licenses from the Restrict Users option.
Release Notes for build 5521 (Jun 21, 2018)
- SAML-based multi-factor authentication (MFA): For self password reset and account unlock, users can now be authenticated using SAML-based identity providers such as OneLogin and Okta.
- SAML-based SSO to access ADSelfService Plus: Allow users to authenticate themselves through SAML-based identity providers for one click access to ADSelfService Plus.
- SSO support for Blackboard: ADSelfService Plus now supports SAML-based SSO for Blackboard.
- A new option to notify ADSelfService Plus users about new features, ManageEngine events, and more.
- Issue in self password reset when the minimum password age is set.
Release Notes for build 5520 (May 31, 2018)
- Two-factor authentication for Windows login: Improve security by enforcing two-factor authentication for local interactive and remote desktop logons to Windows clients and servers.
- ServiceNow password synchronization: Now synchronize users' Active Directory passwords with their ServiceNow accounts in real-time.
- Security issue in which the HttpOnly flag was missing from the adscsrf cookie has been fixed.
Release Notes for build 5519 (May 11, 2018)
- Clone existing policies: Option to copy the existing policy configuration settings and create multiple policies from it.
Release Notes for build 5518 (May 7, 2018)
- The Change Password Audit report has been enhanced to include information on the forced password changes when users login.
- Option to set a link expiry time in the secure identity verification link, using the %linkExpireTime% macro.
- Logs can now be forwarded in Rawlog and CEF formats to any SIEM solution or a syslog server.
- Employee search's scope can be limited to that forest in which the user performing the search resides.
- British English has been added to the list of languages with which you can personalise ADSelfService Plus.
- Issue in displaying the Soon-to-Expire Password User report on the next login after a session expiry.
- Issue in logon client (GINA/ Credential Provider agent) installation if the password of the service account used to fetch the domain data contains a backslash (\).
- Issue in generating valid SAML metadata for single sign-on configuration while using default ports.
- Broken authentication vulnerabilities which can lead to unauthorized access of the product resources.
Release Notes for build 5517 (April 17, 2018)
- Users can now be restricted from having multiple active sessions in ADSelfService Plus concurrently.
- Option to automatically send Soon-to-Expire Account Users and Account Expired Users reports to users’ managers using reports scheduler.
- Now you can define multiple mobile number formats and allow users to enter their mobile number in any of the pre-defined formats during enrollment.
- jQuery bundled with ADSelfService Plus has been upgraded from 1.8.1 to 1.12.2.
- NTLMv2 jar bundled with ADSelfService Plus has been upgraded from 1.1.19 to 1.2.2.
- Vulnerability issue in the Windows logon (GINA/CP) client.
- Issue in GINA/CP installer which prevented the deployment of login agents in the latest macOS.
- Vulnerability issue which could lead to attackers exploiting unused HTTP methods in the product has been fixed.
- XSS issue in enrollment.
- Issue in loading the change password page for users with “User must change password at next logon” option enabled.
- Issue in synchronizing password changes with Oracle DB.
- Issue in configuring SonicWall Global and NetExtender VPN clients.
- Issue in migrating from PostgreSQL to MS SQL in Free Edition.
- Issue in approval workflow which failed to update the requests’ “assigned to” status in ADSelfService Plus.
Release Notes for build 5516 (March 29, 2018)
- High availability support: Ensure users have uninterrupted access to self-service password management, single sign-on, and other self-service features by enabling high availability.
- Unrestricted file upload issue which could lead to XSS and server-side command execution vulnerabilities has been fixed.
- SSRF vulnerability issue which led to NTLM hash disclosure has been fixed.
- Reflected cross site scripting vulnerability has been fixed.
- Issue in the quick search option available in the graphical reports under the dashboard.
Release Notes for build 5515 (March 12, 2018)
- Enhanced policy filtration through additional user's attribute filter: You can now configure ADSelfService Plus policies with enhanced user filtration process. In addition to OUs/Groups, users can now be filtered by using specific attributes for better usage restriction and license consumption.
- Improper authentication during SAML single sign-on that gives way to man in the middle attack by inserting fraudulent user identification has now been fixed.
Release Notes for build 5514 (February 26, 2018)
- Smart Card Authentication: The use of smart cards/ PKI/ certificates has been enabled as additional options for ADSelfService Plus login.
Release Notes for build 5513 (February 20, 2018)
- Custom SAML Applications: Any application that supports SAML 2.0 protocol for authentication can now be integrated for SSO.
- Custom VPN Providers: Updating of cached credentials through any VPN providers that allow command line arguments to establish VPN connections is now supported.
- SAML SSO support for Shufflrr and ADP.
- Option to exclude TFA for service provider(SP) initiated SAML SSO.
- Each of the SSO applications can now support multiple configurations.
- Cached credentials can now be updated using SonicWall, SonicWall Global, and Checkpoint VPN clients.
- Access to self-service portal can now be restricted to specific IP ranges via AD360 console.
Release Notes for build 5512 (February 12, 2018)
- License for unlimited users: You can now purchase a license for ADSelfService Plus that supports an unlimited number of domain users.
Release Notes for build 5511 (January 30, 2018)
- Issue in importing CSV files that contain more than 15,000 users.
- Vulnerability issues have been fixed.
- SMPP protocol for SMS server configuration now supports empty System ID too.
- Issue in configuring SAML SSO for Canvas LMS by Instructure app.
- Issue in generating CSR for wildcard certificates.
- Issue in password sync agent while synchronizing passwords between two Active Directory domains.
- Issue in properly displaying non-English characters and UI issue in user login page.
Release Notes for build 5510 (January 9, 2018)
- SSO support for three new apps: Cybozu Office, Garoon, and Mailwise.
- Two-factor authentication with SAML can now be enforced for service provider(SP) initiated login as well.
- Issue on the user login page while accessing ADSelfService Plus from favorites bar in IE11.
Release Notes for build 5509 (December 27, 2017)
- Bulk disenroll users: Select multiple users from the Enrolled Users report or import users from a CSV file to disenroll them in bulk.
- Oracle EBS password sync driver has been updated to the latest version.
- Issue in using Google Authenticator while performing password self-service from the Android mobile app.
- Issue in enrolling more than 10,000 users at once from external databases.
- Issue which failed to refresh the CAPTCHA image when using a load balancer.
- UI issue in "Choose mail/mobile recipient" page.
- Vulnerability issue in Windows login client.
Release Notes for build 5508 (December 13, 2017)
- Issue in cached credentials update when using Windows native VPN client.
- When password reset secure link is opened in a mobile web browser, it redirects the user to the login page of ADSelfService Plus instead of the password reset page. This issue appeared when ADSelfService Plus is integrated with AD360 and has now been fixed.
- Oracle Database for importing enrollment data can now be configured using service name as the connection type.
- Vulnerability issue in the Windows login client.
- Issue in check-box option during self-update.
- Issue in logging in to the self-service portal using mail attribute when its value is the same as that of UserPrincipalName.
- Change password issue when User must change password at next logon option is enabled in AD.
- Issue which displayed incorrect message during SMS verification.
Release Notes for build 5507 (November 20, 2017)
- Four new authentication methods: Biometric, QR code, time-based one-time passcode, and push notification can be used for identity verification during password self-service; all four methods come built-in with the ADSelfService Plus mobile app.
- Support for Duo Security, RSA SecurID, and RADIUS authentication methods in mobile app.
- SSO support for three new apps: Bamboo, Bonusly, and Cybozu.
- Now set different limits for self-reset password and unlock account actions in advanced policy configuration.
- Support for inetOrgPerson objects in addition to user objects for AD LDS password synchronization.
- Issue in updating the OUs' names even after manually running a refresh of domain objects in ADSelfService Plus.
- Enrolling users via CSV import has been optimized.
- Issue in viewing Organization Chart when it is opened in Internet Explorer compatibility mode.
- Issue in navigating through the reports.
- Issue in sending SMS messages through custom SMPP protocol.
Release Notes for build 5506 (October 16, 2017)
- SSO for 90+ cloud apps: Now provide users with one-click access to 16 more cloud apps such as Office 365, SugarCRM, LiveChat, Cisco Meraki, in addition to the already supported 80 apps.
- Vulnerability issue when using Google Authenticator.
- Issue where the login client software is not copied to the target machine during manual installation from the ADSelfService Plus admin portal.
- Issue where users were not able to close the enrollment pop up when the force enrollment logon script is pushed via GPO.
- Enrollment issue which forced enrolled users to enroll again when they log in to the self-service portal.
Release Notes for build 5505 (October 9, 2017)
- Employee Search feature is now supported in the ADSelfService Plus mobile web app.
- Now you can sort the Employee Search results based on attributes.
- Issue in sending enrollment notification to domains that contain a large number of non-enrolled users.
- Brazilian Portuguese language issues have been fixed.
- XSS vulnerability issue while updating manager field using self-directory update.
- Issue in accessing the HTA login script when TLS 1.2 is strictly forced.
- Issue in AD LDS password synchronization.
Release Notes for build 5504 (September 19, 2017)
- You can now use the custom attributes as macros and in password synchronization for linking Active Directory accounts with other applications.
- 'DateTime' data type has been added for creating custom attributes.
- Option to send all notifications to the secondary email addresses of users.
- Now you can customize the license expiration notification settings to suit your requirement.
- PGSQL database that comes built-in with the product has been updated to 9.2.4 version.
- Self-service (password reset, account unlock, and change password) notifications are now supported for non-AD accounts including IBM iSeries, HP UX, Office 365, G Suite, and Salesforce.
- Performance improvements.
- Issue which failed to partially hide the email address during the secure link identity verification process for password reset and account unlock.
- Some security issues have been fixed.
- [For builds 5400 and later] Issue in enforcing the product to use a particular TLS protocol.
Release Notes for build 5503 (September 5, 2017)
- ADSelfService Plus can now be integrated with SIEM solutions that support syslog such as Splunk to forward audit logs and gain advanced intelligence on user activities.
- Compliance with Vasco authentication server for RADIUS multi-factor authentication.
- Issue which caused database migration to slow down.
- Issue which caused the product startup to fail while importing enrollment data from Oracle database.
- Issue which prevents deleting unowned licensed users.
- Issue in sending soon-to-expire password notifications.
Release Notes for build 5502 (July 31, 2017)
- Single Sign-On for 80 cloud applications: Now provide users with one-click access to over 80 cloud applications.
- Option to configure display name of applications configured for password synchronization.
- Issue which restricted Free Edition users from configuring multiple AD domains after the end of trial period.
- Issue in approval workflow which failed to reflect the status of self-service requests in self-service portal.
Release Notes for build 5501 (July 14, 2017)
- Supports customization of texts in the mobile app’s home page.
- GINA installation issue when there is a newline character in frame text.
- Issue which obscured the remaining Clickatell SMS count from being viewed in the license details page.
- Issue which prevented users from accessing the Audio CAPTCHA button using the keyboard.
- Issue in editing the Manager field while configuring self-update layout.
- Issue which prevented password expiration notifications from being sent to members of domain users group.
- Issue in self-service password reset operation when a domain controller configured in Site-based DC is removed from the Domain Settings configuration.
- Unknown errors which caused the product to crash during self-service operations.
- Issue in proxy server configuration which displayed a blank page after a successful self-service operation
- Issue in installing the Password Sync Agent on FIPS compliance enabled domain controllers.
- Issue which displayed incorrect password reset status displayed for Office 365.
- Issue in installing GINA client when VPN parameters contain special characters.
- Issue in CSR generation while configuring SSL certificate.
- Issue in AD synchronizer scheduler which fails to import domain users from Active Directory.
- Server settings will be configurable when the app is opened for the first time after installation even though admin has disabled it in the product.
Release Notes for build 5500 (June 23, 2017)
- Enforce password history checks for password reset operations using password policy enforcer.
- Restrict users during license management based on their smart card status (enabled/disabled).
- Set up scheduler to automatically reinstate revoked licenses of users when specific conditions, such as user account is enabled, user account becomes active, and smart card is enabled, are met.
- Now send attachments along with password expiration notifications.
- Enroll users in bulk for Duo Security authentication by importing data from CSV files and external databases.
- Enable product downtime notifications to instantly get alerts whenever the product stops running.
- Issue in saving Access URL has been fixed.
Release Notes for build 5400 (May 25, 2017)
- Apache Tomcat server used in the product is now updated to version 8.0.
- Added an option to show/hide the “Reset Password/Unlock Account” tile from the Windows login screen.
Release Notes for build 5330 (May 3, 2017)
- Windows Server 2016 support: Adds self-service password reset and account unlock support for Active Directory users in Windows Server 2016 domain.
Release Notes for build 5329 (April 27, 2017)
- Issue in using Cisco AnyConnect VPN for cached credentials update.
- Issue in logon client (GINA/Credential Provider agent) installation caused by configuring 64-bit VPN settings for cached credentials update.
- Issue in updating to the latest build using service pack.
- Issue in starting the product using the desktop shortcut icon.
- Issue in customizing the size of non-English fonts on logon page.
Release Notes for build 5328 (April 14, 2017)
- Mobile app customization: Now you can completely customize the home screen of the app and disable access to certain features.
- Dictionary rule in password policy enforcer can now be configured to restrict password that is either an exact match of a dictionary word or has dictionary words as its substring.
- Issue in configuring OpenLDAP server over SSL.
- Alignment issue in login page when product language is set to Arabic.
- Issue in editing the email verification code message as HTML during multi-factor authentication configuration.
Release Notes for build 5327 (March 15, 2017)
- Duo Security, RSA SecurID and RADIUS-based authentication support: Self-service password reset and account unlock processes are now more secure than ever thanks to three new authentication methods for verifying users’ identities.
- RADIUS-based authentication support for two-factor authentication during login.
- Support for SMPP-based custom SMS provider.
- Issue in installing the login client software in MAC machines.
- Issue in configuring Salesforce for password sync and SSO.
- Issue in sending email verification code for login two-factor authentication when the email body contains HTML code.
- Issue which showed an error message when the change password tab is clicked.
- Issue which triggered verification code emails twice when Internet Explorer 11 is used for the self-password reset process.
- Issue in importing CSV file during auto enrollment when the domain name contains special characters.
Release Notes for build 5326 (February 24, 2017)
- AD domain-to-domain password sync: Now you can enable password synchronization between two or more Active Directory domains.
- Option to synchronize passwords only after successful password reset in Active Directory.
- Ability to identify the IP addresses of machines used to access the product via proxy server.
- XSS vulnerability in self-update manager field.
- Issue which resulted in distorted photos during self-update.
- Issue which associated technicians with wrong time zone.
Release Notes for build 5325 (February 3, 2017)
- Two-factor authentication for ADSelfService Plus login can now be configured based on OUs and groups. To configure the settings, navigate to Configuration → Policy Configuration → Select Policy → Advanced → Login TFA.
- Option to exclude smart card users from password/account expiration notifications, and soon-to-expire password users and password expired users report.
- Now you can import enrollment data from an external/in-house PostgreSQL database.
- Option to display "Select mobile no./Email address" as the default text in drop down list during verification code step.
- Issue in adding and removing domain controllers in Site-based DCs configuration.
Release Notes for build 5324 (January 20, 2017)
- 64-bit version of VPN clients are now supported for cached credentials update.
- Cisco AnyConnect VPN client is now supported for updating cached credentials.
- The photo attribute can now be set as ‘Read Only’ in self-update layout.
- Vulnerability issue in self-password reset and unlock account process.
Release Notes for build 5323 (January 11, 2017)
- The password policy enforcer feature now ensures strong passwords for your users by:
- Preventing the use of any dictionary word.
- Prohibiting the use of five consecutive characters from an old password.
- Mandating the use of at least one Unicode character.
- You can exempt a password from complying with a custom password policy if it meets a certain character length set by you.
- The password strength analyzer feature now works even without enforcing your custom password policy.
Release Notes for build 5322 (January 5, 2017)
- Issue in Windows logon agent (GINA/CP) when GINA/Mac customization scheduler is configured.
- Issue which failed to save OU and group selections during policy configuration.
Release Notes for build 5321 (December 30, 2016)
- Enhanced Force Enrollment: Now you can configure multiple force enrollment schedulers based on self-service policies.
- Option to exclude disabled users while scheduling soon-to-expire password users and password expired users reports.
- Users can be restricted to select managers from a specific set of OUs or groups during self-update of AD profile information.
- Issue in changing the database to MS SQL that is located in another untrusted domain when NTLMv2 is enabled.
- Issue in displaying password policy rules in mobile web browsers during password reset via secure email link.
- Corrected the UI text which showed reset password successful message for Office 365 change password operation.
- Issue in password reset when enforce password history option is enabled.
- Issue in ServiceDesk Plus integration.
- Issue in loading the CAPTCHA image properly when using reverse proxy.
- Protocol can be now be configured during the manual installation of logon (GINA/CP) client software.
- UI issue in multi-factor authentication configuration page when the verification code email message contains double quotes.
- Domain settings issue which prevented a domain containing a large number of users from being deleted.
- Issue in reports which showed the values available in the mail/mobile attributes instead of the attributes configured by the admin.
Release Notes for build 5320 (December 1, 2016)
- Configuring Mobile Push Management (MPM) is now a child's play. All you have to do is request the PLIST file from ADSelfService Plus support team and follow it up by getting the MDM managed certificate from Apple. For step-by-step instructions, click here.
- The server settings of ADSelfService Plus mobile app can now be remotely configured through MPM.
Release Notes for build 5319 (November 2, 2016)
- Support for RSA SecurID to protect users logging into ADSelfService Plus through two-factor authentication.
- Fixed a vulnerability issue in two-factor authentication.
Release Notes for build 5318 (September 28, 2016)
- Audio CAPTCHA support for easier accessibility.
- ServiceDesk Plus integration now allows you to automatically create tickets for end user self-service actions in the help desk software.
- Now acknowledgement notifications can be sent for enrollment, self-update and blocked user events to both end users and administrators.
- License usage details will now be included in the license expiration notification email and when exporting licensed user reports.
- Now you can import enrollment data from CSV files of any encoding type.
- Issue in displaying the login agent image (Credential Provider client) after Windows 10 anniversary update.
- Scroll bar issue in the Windows 10 login agent self-service wizard.
- Issue in NTLM SSO which turned the self-service portal into a blank page in Internet Explorer.
- Issue which caused the Enroll Now button to disappear in the force enrollment pop up.
- Issue in editing self-update layout.
- Issue in saving password expiration reminder schedulers.
- Enrollment issue which forced users to enter both their mobile and email details even when they are not made mandatory.
- Issue which caused duplicate entries in reports when they were exported in CSV file format.
- Issue which caused a script error when a user is deleted from the licensed user report.
- Issue in saving Access URL in Internet Explorer.
Release Notes for build 5317 (Sep 2016)
- Now get ADSelfService Plus in your language. Fully localized versions are available for:
Release Notes for build 5316 (Aug 2016)
- Change password issue which was caused due to a recent Windows update. Refer this forum post for more details.
Pre-requisites for this update:
- PowerShell 2.0 or higher must be present in the machine in which ADSelfService Plus is installed.
- Active Directory module for PowerShell must be installed in any one of the domain controllers configured under the domain settings of ADSelfService Plus.
Release Notes for build 5315 (Jul 2016)
- Login issue in Windows 10 when 'Other Users' option is used.
- Windows logon agent (Credential Provider) issue while establishing remote connection to any PC from Windows 10.
- Windows 10 users not being able to change their passwords from Ctrl-Alt-Delete screen, when password policy enforcer feature was enabled.
- Fixed password sync agent which caused issues in DC.
- Issues in manual linking and unlinking of AD accounts from non-AD applications in Internet Explorer.
- Employee search getting blocked in Chrome and Firefox browsers.
- Failed login attempts due to incorrect update of Bad-Pwd-Count attribute.
- Issue with character count while resetting passwords.
- Users being forced to enter their mobile numbers, which is a non-mandatory field, during enrollment.
- Issue in sending scheduled reports to admins when multiple domains are configured.
- Incorrect entries in Unlock Account Audit report.
- Customized logo set in the product not being displayed in exported reports.
Release Notes for build 5314 (May 2016)
- Issue in manual linking of Active Directory user accounts with Oracle E-Business suite.
- Issue in synchronizing password with Oracle E-Business suite during password reset.
- Issue with textarea formatting (font color, size, type) while customizing logon page in
Internet Explorer 11.
- Issues related to duplicate values while updating the drop down box options in self-update layout.
- SMTP error after update.
- GINA issue when VPN is enabled.
- GINA issue which lead to the slow loading of reset page after identity verification.
- Issue in applying service pack when ADSelfServicePlus.exe is used by other processes.
- Issue which prevented domain technician users from logging in when no policy was linked to them.
- Setting response header for help document - security issue.
- Issue with customized GINA reset icon when client software is installed through GPO.
- Issue with sending email notifications in HTML format.
- Issue which allowed users to self-update and view other users’ AD profile information.
Release Notes for build 5313 (Apr 2016)
- Two-factor authentication support (Duo security provider) to secure user login.
- Account expired notification to keep end users, their managers and administrators updated about expired accounts.
- Ability to restrict active users for license management.
- Ability to restrict admin logon page access to a range of IP addresses.
- Allow users to automatically log in to the ADSelfService Plus mobile app by enabling the 'remember me' option [For ADSelfService Plus iOS mobile app users, this feature will be released after the completion of review process by Apple.]
- Option to hide secondary mail and mobile enrollment.
- Now you can disable access to mobile web app.
- Separate hide options for mobile access and help guide on end-user page.
- Now you can easily associate a self-update layout to a policy from the self-update layout page itself.
- Separate CAPTCHA settings for select verification mode and select recipient pages.
- Now you can use display name in the from address field for email notifications.
- Issue with sending email notifications in HTML format.
- Issue in sending expiration reminders when both account expiration and password expiration fall on the same day.
- Issue which displayed Chinese characters as garbage values in the GINA button.
- Issue in installing the GINA client when the password in domain settings contains double quotes.
- Issue with the logon agent installation in the latest Mac OS version El Capitan.
- Issue which prevented Password Sync Agent installation in domain controllers running a non-English version of Windows Server OS.
- Issue which automatically capitalized the first letter of the password while trying to login through Safari mobile browser.
- Issue with the listing of security questions during password reset.
- Issue in mobile web app which failed to show the retry option during self-password reset.
- Enforce password history settings will no longer create temporary passwords containing part of the username.
- Issue which sent unencrypted user password to OpenLDAP server.
- Password expired notification filter issue in notification delivery report.
- Issue which failed to notify administrators about users' change password actions.
- Issue which duplicated security questions in database when the character ' is used while adding the question.
- Issue in showLogin page when NTLM SSO is enabled and NTLMv2 session security is forced.
- Issue with saving automatic reset & unlock scheduler configuration.
- Issue in backing up MySQL database.
- Fixed some vulnerability issues.
Release Notes for build 5312 (Mar 2016)
- Single Sign-on support for SaaS applications to simplify identity management.
- Password policy enforcer to enforce and display custom password policies across the web console, GINA/CP (Ctrl+Alt+Del) client, and password sync agent.
Release Notes for build 5311 (Feb 2016)
- Missing 'Don't inherit child OUs' option in OU/Group selection under policy configuration has been restored.
Release Notes for build 5310 (Jan 2016)
- 64-bit version of ADSelfService Plus for Windows is now available for download.
- Mobile App Deployment: Now you can push ADSelfService Plus mobile apps to end users’ devices directly from the self-service portal.
- Blank page issue in GINA portal when auto send password via text/email is enabled.
- Blank page issue when the reset password page is accessed directly by entering the URL.
- Issue in automatically unlocking the locked out accounts.
- Issue which failed to display mobile numbers during password reset/account unlock process when the number contains non-numeric characters.
- Issue which disabled force enrollment for the entire domain when force enrollment is disabled for any one self-service policy associated with that domain.
- Issue which prevented the data fetcher for external database from running.
- Issue which displayed incorrect headers and values of user report in dashboard.
- XSS vulnerability issue caused by editing the title field under rebranding settings.
- Missing file content check for title image and product logo under rebranding settings.
Release Notes for build 5309 ( Jan 2016)
- This release fixes many grammatical errors that were found in the product user interface(UI) and help documents to provide a better user experience.
Release Notes for build 5308 (Dec 2015)
- Users' secondary email address and mobile number can now be used for sending auto-generated password, enrollment notification, and password and account expiration notification.
- Now you can automatically link AD accounts with other providers for password synchronization by mapping custom attributes.
- Ability to personalize the password expired notification content.
- Ability to preview the password expiration notification template.
- Ability to automatically retry the password expiration notification in case of any failures.
- Issue which forced users to begin password reset process from scratch when password complexity rules were not met.
- Issue in sending enrollment notification to a group if it has more than 1500 members.
- Issue which caused errors in enrollment report when users’ display name exceeded 255 characters.
- Issue faced in auto-enrollment while importing mobile numbers with special characters ‘-’ and ‘()’.
- Issue faced in auto-enrollment where only the last security question of multiple questions was used to enroll users when importing from a CSV file.
- Issue in updating Manager field in self-update from force enrollment page.
- Issue faced in enrollment when mobile format is specified, where users were forced to enter secondary mobile numbers even when it was not mandated.
- Issue in executing UpdateManager.bat file when the product is installed in a drive other than the default drive.
- Issue faced with displaying dateTime macro in subject field of Scheduled Reports.
- Issue faced while sending password expiration notification that sent incorrect days for expiration when notification has been configured to be sent on specific days.
Release Notes for build 5307 (Nov 2015)
- The password self-service logon agent (Credential Provider extension) has been enhanced to support Windows 10.
- Enrolled Users report can now be filtered based on enrollment type; also shows secondary email address & mobile number used for verification code.
- Now you can filter the logon agent (GINA/CP extension) reports based on operating system and sort the result.
- Now you can search the Security Questions report based on questions.
- Ability to run a custom script after a self-unlock account action.
- Ability to add request headers in Custom SMS settings.
- Issue caused by Password Strengthener when the restricted patterns length exceeds 1000 characters.
- Issue in sending Email & SMS (Custom SMS provider) when SSL is enabled by the SMTP/SMS provider.
- Issue in password expiry notification configuration, which caused notification to be sent on password expiry date without being set.
- Issue in installing the logon agent using the product user interface when scheduler is running in background.
- Issue which crashed the application while restricting service accounts without necessary permission.
- Issue in closing the logon agent (GINA/CP extension) window.
- Issue in inactive users report generation, when multiple DCs are configured for a domain.
Release Notes for build 5306 (Oct 2015)
- Now you can set a limit for the number of password resets and account unlocks a user can perform in a given number of days.
- Issue in directory self-update when a custom attribute is added to the layout.
- Issue in importing CSV files by technicians who are logged in using ADSelfService Plus authentication.
- Issue which prevented users from changing their passwords using ADSelfService Plus mobile site when ‘Users must change password at next logon' option is enabled in Active Directory.
- Issue which failed to show the success message for Google Apps password reset and change passwords.
- License expiry notification sent 2 days before expiration has been removed.
Note: As Google has deprecated its clientLogin API, ADSelfService Plus will not be able to support manual linking of Google Apps and Active Directory accounts. However, we are working to bring back the manual linking option and it will be available soon. Until then, we have enabled automatic linking of accounts using the sAMAccountName@GoogleDomainName.com format by default.
Release Notes for build 5305 (Aug 2015)
- Business Logic for Self-Update: You can now configure your organization’s business logic for self-update to auto-populate attribute values based on user input.
- Option to overwrite enrollment data while automatically fetching data from external data sources.
- Password Sync Agent can now invoke a post action custom script.
- Slowness issue in password reset, account unlock and change password when password sync for Google Apps.
- Issue in automatically linking AD and Salesforce accounts for password sync.
- Issue in "Access admin login from" when DNS name of the server is not resolved.
- Issue which appeared when custom script contains special characters.
Release Notes for build 5304 (Aug 2015)
- Issue in accessing the self service portal through GINA due to a script error.
- XSS vulnerabilities have been fixed for improved security.
- Issue in enrolling users from external database when the total number of users exceed a certain limit.
- Issue in license management while accessing unowned licenses.
- SSO issue which prevented Mac users from accessing the self service portal.
- Issue in editing the self update layout through Internet Explorer.
- Issue which prevented technician users from viewing the self service policies associated with password sync.
Release Notes for build 5303 (Jul 2015)
- Now update local cached password when remote users reset their passwords in Active Directory through the GINA/CP client.
Release Notes for build 5302 (Jun 2015)
- Mobile Push Notification support for enrollment and password expiry notifications.
- Now automatically enroll users by creating a scheduler for importing enrollment data from a CSV file from any shared location.
- Added an option to choose the security settings (none, SSL, TLS) during custom SMS provider configuration.
- Admins can now enable forced enrollment for specific users by manually configuring the built-in logon script file.
- Issue in self-updating mobile number using Internet Explorer.
- Issue which allowed users to edit the read-only fields during self-update.
- Issue which prevented users from updating the country field during self-update.
- Issue in updating the product when another process running on a virtual IP is using the same port number.
- Issue which consumed 100% CPU when account expiry scheduler with “on specific days” is enabled.
- Issue in enrolling with Google Authenticator when ENTER key is pressed.
- Issue which failed to display the logo in mobile apps.
Release Notes for build 5301 (May 2015)
- Option to set the keystore password, which will be encrypted for heightened security, directly using the product UI.
- Issue in automatically enrolling users using external data source when ‘Overwrite enrollment data’ option is enabled.
- Issue in syncing Oracle Database and Office 365 passwords when the password contains special characters.
- Issue which caused the loss of enrollment data while editing security questions.
- Issue which launched the Choose Manager pop-up in a new tab.
- Issue in external data source fetcher when the query contains XSS character.
- Issue in sending SMS when the message contains blank space.
- Issue in navigating through the OUs in tree view under the Reports tab when the OU name contains special characters.
- Issue which failed to save OUs with special characters while configuring password expiry notification schedulers.
- Issue which failed to load the custom logo in mobile app.
- Issue in saving advanced policy configuration when the username macro is used in the automation tab.
- Organization Chart issue which showed extra columns in the result.
- Script error in GINA login page when login option is enabled.
- Issue which failed to accept the keystore password while importing SSL certificates.
Release Notes for builds 5207 to 5300 (Apr 2015)
- Help desk assisted self-password reset and account unlock using Active Directory attributes as security questions to verify user identity.
- Updates Java Runtime Environment package to version 7.
- Supports TLS 1.2 for heightened security.
- Admins can now receive real-time notifications as and when end-users perform reset password/account unlock.
- Ability to copy an existing self-update layout and create a new one from it.
- Supports multiple mobile number formats; you can also force users to comply with the specified formats during self-update.
- Supports cross-database migration; easily migrate all the product data from your existing database to another (except to MySQL).
- Fixed an issue caused by the deprecation of Google Apps provisioning API. We have now migrated to the Google's new Directory API.
- Issue which prevented users assigned as ‘technicians’ from changing their passwords.
- Issue which prevented users from selecting recipient mobile number to receive verification codes.
- Issue in generating reports after restoring the database from a backup.
- Issue in Notification Delivery Report which displayed duplicate user records.
- Issue which sent multiple license expiry notification emails.
- Issue which failed to update the Dashboard when a user is logged in as a technician.
- Issue which showed the ‘My Info’ tab instead of the default tab after uploading photo.
- Issue which prevented default admin from viewing the enrollment notification schedulers created by technicians.
- Fixed an issue which caused users assigned as ‘technicians’ to be logged in as domain users.
- Issue which failed to apply the force enrollment script to users who are newly added to a group with self-service policy applied to it.
- Issue in self-update which allowed end-users to edit the ‘read-only’ fields.
- Issue in self-update which displayed an empty page when users edit the sAMAccountName field.
- Issue in embedding cross domain employee search in Internet Explorer.
- Issue in integrating other ManageEngine products in ADSelfService Plus (applies to customers who have updated their old builds using service pack).
- Issue in changing the mobile browser title.
- Issue which prevented the ACCESS URL from being used during GINA installation and customization.
- Proxy settings is now enabled for HTTPS connections too.
- The following security issue have been fixed: CSRF, Cross Frame Scripting (XSF)/Click Jacking, Weak Cache Policy/Server Cache Policy, MIME-SNIFFING, Cross Origin Resource Sharing (CORS), Browser Autocomplete Issue HttpOnly and Secure Flag, Directory Listing, SHA1WithRSA for CSR creation, jQuery migrated to new version to avoid Vulnerability, Session Fixation, HTTP Methods Blocking.
Release Notes for build 5206 (Feb 2015)
- Issue which prevented migration from 5203 to 5204/5205 build when MS SQL database is in use.
- Issue which displayed sAMAccountName instead of displayName while choosing the Manager in self-update.
Release Notes for build 5205 (Feb 2015)
- Now easily integrate custom SMS gateway providers using the product GUI.
- Notification emails to alert you when licensed user count reaches its maximum limit.
- Notification emails to alert you about license and AMS expiry.
- Issue in change password when it is done by a service account user with only change password permission.
- Reset Password issue which displays the error ‘Problem in Change Password’ when enforce password history settings is enabled.
- Issue in accessing password reset wizard from the login screen when multibyte characters are used in the GINA/CP button.
- Issue in AD LDS and OpenLDAP configurations for customers migrating from old builds.
- Password Sync Agent installation issue in non-English OS has been fixed.
- Password Sync Agent issue which failed to sync passwords of users whose username contains more than 16 characters.
- Issue in password sync agent audit log which stored the application IP address instead of the domain controller IP address has been fixed.
- Issue which doesn’t prompt users to enter their alternate email address for receiving verification code.
- Issue in configuring ‘Connection Security (SSL/TLS)’ under Mail Settings
- Issue in saving mail server settings when the from address or admin mail address contains a top level domain name with more than 4 characters.
- Issue in taking manual backup using backupdb.bat.
- Issue which prevented any of the multi-factor authentication option from being set as mandatory.
- Issue in setting a default tab under ‘Tab Customization’.
- Issue in accessing cross domain organization charts when logged in as a domain user.
- Disabled the "Interactive Services Detection" message pop-up which appears when ADSelfService Plus is configured to run as a service.
- http://server:port/showLogin.cc?domainName=%domainName% - Now you can use Domain Flat Name or Domain DNS Name for the %domainName% macro.
- Fixed slowness issues in product and report generation.
Release Notes for build 5204 (Jan 2015)
- Send real-time Email and/or SMS notifications to end-users as and when their Active Directory passwords are changed or reset natively in Windows.
- Reset Password and Change Password audit reports have been enhanced to include native password changes (Ctrl+Alt+Del screen) and password resets (ADUC console)
Release Notes for build 5203 (Jan 2015)
- OpenLDAP and AD LDS based directories are now supported for self-service password management and password synchronization.
- Issue in employee search which fails to show the result when search filters are used.
- Issue which failed to display enrollment prompt to dis-enrolled users when they log in to the self-service portal
- Issue in password reset which showed 'specified network password is incorrect' even after successful reset when password history settings is enforced
Release Notes for build 5202 (Dec 2014)
Features & Enhancement
- Now you have the option to enable CAPTCHA on the login page after a certain number of failed login attempts.
- Issue which prevented service account users from self-updating attributes even when they have sufficient rights.
- Issue which added new users to the restricted users list because of no last logon time.
- Issue which affected the dashboard UI when AD blocker is enabled on the browser.
- Fixed an issue in password sync agent by excluding password capture from a new computer joined to the domain.
- Issue which prevented the addition of Technician operation role when there is a large number of restricted users.
- Fixed a bug that showed incorrect error message to users, whose accounts are locked out, when they try to log in to ADSelfService Plus
Release Notes for build 5201 (Dec 2014)
- Introducing Password Sync Agent: Now synchronize native password changes (password change through Ctrl+Alt+Del screen and password reset through ADUC) in Windows Active Directory with the users’ associated IT systems and applications in real-time.
Release Notes for build 5200 (Nov 2014)
- Multiple Login Options: Users can log in to the self-service portal with any AD attribute with unique value such as mail and telephoneNumber.
- Now verify users’ identity by sending them an email containing a secure password reset/account unlock link.
- Ability to restrict service accounts using license management to free up license count.
- Issue in self-update which displays incorrect value in the manager field.
- Issue in automated password reset.
Release Notes for build 5116 (Nov 2014)
- Issue which disrupts GINA UI when caps lock is pressed while entering the password.
- SSO issue in Chrome browser.
- Issue in password expiry notification when it is configured for a group with a large distinguishedName.
- Issue in password expiry notification delivery report which failed to show the delivery status properly.
- Issue which ignores the default system language and displays the product only in English.
- Issue in reports when they are generated for OUs containing special characters.
- Issue in showing the status message during unlock account process when retry option is enabled.
- Issue in linking accounts for password synchronization.
- Issue in synchronizing passwords when force synchronization is enabled.
Release Notes for build 5115 (Oct 2014)
- Issue in sending password expiry notifications on specific days.
- Issue in sending password expiry notification to unlimited users in Free Edition.
- Issue in syncing Office 365 passwords when you are using an older version of Microsoft online services module.
- Issue which syncs password with Active Directory even though the user's AD account is not selected during password reset or change.
- Issue which displays incorrect user count in the security questions and answers report.
- Issue which shows incorrect count in user reports under Dashboard.
- Issue in notification delivery report where incorrect status is shown for enrollment notifications sent to users.
- Issue which shows incorrect status message during self-unlock account if a domain is configured using insufficient permissions.
These issues will be fixed in our upcoming release.
- GINA issue: In Windows Server 2003 and XP machines the GINA icon and its frame text will disappear when Caps Lock is pressed while entering passwords.
- Translation issue: Some of the new features will have texts only in English.
Release Notes for build 5114 (Sep 2014)
- Option for users to choose the language of their choice from the log in page itself.
- OUs selected during report generation will now be preserved and reused for reports displayed on the dashboard.
- Issue in GINA/Credential Provider which failed to start the password reset/unlock account wizard from the logon screen.
- Issue which prevented product administrators from editing Domain settings and generating Enrolled users report.
Release Notes for build 5113 (Aug 2014)
- Crop Photo option – Users now have the ability to crop their photos before self-updating them in Active Directory.
- New macros added – dateTime and reportName; can be used in the subject of notification emails.
- Issue that displayed incorrect password policy message when maximum password age is set to never expire has been fixed.
Release Notes for build 5112 (Aug 2014)
- Issue that causes pages to be displayed incorrectly when the browser's default language is not supported by the product.
- Issue that requires the users enrolled with mandatory questions to enroll again.
Release Notes for build 5111 (Aug 2014)
- Some issues that appeared when Japanese is selected as the default language. The issues that have been fixed are:
- Issue that displays a blank pop up window when the “Automatic Reset and Unlock” feature is accessed from the dashboard.
- Issue in deleting licensed users.
- Issue in displaying the force enrollment message.
Release Notes for build 5110 (Aug 2014)
- Google Authenticator is now supported by the Android and iPhone apps as one of the multi-factor authentication options.
- Issue in self password reset when the user name contains apostrophe.
- Issue which prevents users from logging in to ADSelfService Plus when they have comma in their distinguished name and have the "change password at next logon" flag set.
- Issue that displayed the system error message to end-users during change password.
Release Notes for build 5109 (July 2014)
- Issue in customizing the logon page.
- Issue in Self Directory Update that forced users to fill non-mandatory, but number-only fields.
- Issue in sending test emails when SMTP authentication is used.
- Issue that forced users to enroll for verification code when mobile number format setting is enabled.
- Issue that refreshed the CAPTCHA code whenever the ENTER key is pressed during reset password/unlock account operations.
- Issue that runs GINA/Mac Customization Scheduler repeatedly ever after successful customization.
- Issue in displaying email/mobile number fields during reset password/unlock account when the respective data have been deleted in Active Directory.
- Login page issue for users who have "user must change password at next logon" setting enabled for them.
Release Notes for build 5108 (July 2014)
- ADSelfService Plus integration with ADManager Plus now enables you to take control of users’ self-service actions with the new Self-Service Approval Workflow feature.
- Password Expired users can now change their passwords when they log in to ADSelfService Plus.
- Mobile App now has a 'Desktop Site' option; allows users to switch to the desktop version of ADSelfService Plus.
- Issue in customizing the logon page.
Release Notes for build 5107 (June 2014)
- Zendesk and Microsoft Dynamics CRM are now supported for self-service password management and synchronization.
- ServiceDesk Plus is now integrated with ADSelfService Plus; allows admins and end-users to quickly access the help desk software.
- I18n support for mobile apps; all the 17 languages supported by the web console are now supported by the mobile apps.
- Now easily deploy the Mac login agents from the web console itself.
- Issue in linking Office 365 sub domain accounts by end-users for password sync
- Issue in closing the ‘Edit Questions’ dialog box
Release Notes for build 5106 (June 2014)
- Default admins can now view report schedulers and all its information created by users associated with the ‘Technician’ role.
- OUs selected during report generation will now be preserved and re-used while generating reports in the future.
- Issue with force enrollment.
- Issue that displayed the list of restricted users from default domain to all the technicians regardless of the domain they belong to.
- Blank screen issue when unlock account page is refreshed.
- Issue that throws a ‘page not found’ error when username exceeds 100 characters during reset password/unlock account process.
Release Notes for build 5105 (May 2014)
- Google Authenticator is now supported as part of our multi-factor authentication set up to further secure reset password/unlock account process.
- Facility to make any or all of the multi-factor authenticator techniques mandatory.
- Option that allows admins to rearrange the order of identity verification steps during reset password/unlock account process.
- An issue that displays force enrollment notification to non-policy users when a custom logon script is used.
- Issue in selecting security questions during enrollment when users change their choice of questions.
Release Notes for build 5104 (Apr 2014)
- Issue in adding domains to the product when their names start with numeric value.
- Issue with ADSelfService Plus Credential Provider when accessed from the UAC prompt.
- Issue that allowed users to log in using invalid passwords if guest login is enabled on the machine running ADSelfService Plus.
- Issue in enrolling with security answers through Android app.
- Issue in applying the default admin time zone settings to technicians.
- Issue in enrolling with security answers that are longer than 100 characters.
- Issue in reports page and in accessing help from the end-users portal when context path is set.
Release Notes for build 5103 (Apr 2014)
- You can now export the restricted users list in a desired file format
- Now completely exclude restricted users from showing up anywhere in the product
- Issue in automatic password reset
- Issue in accessing native mobile apps and mobile webapp
- Issue in displaying verification code enrollment information when email option alone is enabled
- Issue with displaying header logo in scheduled reports when HTML is selected as the storage format
Release Notes for build 5102 (Mar 2014)
- Alternate Email IDs and Mobile numbers of users stored in any AD attribute can now be used for sending verification codes.
- Admins can auto-enroll users by importing their Email IDs and/or Mobile Numbers from a CSV file or external database.
Release Notes for build 5101 (Mar 2014)
- Now you can select the protocol (HTTP/HTTPS) to be used for Mac login agent during installation itself
- Issue in generating user reports when the database (PostgreSQL) server is installed in another machine
- Issue that force users to go back or sign out when they login using Single Sign-On
- Issue in saving ‘Automatic Reset Password’ settings
- Issue in accessing the help guide when context path is added
- Issue in translating the label ‘Description’ when reports are exported
Release Notes for build 5100 (Feb 2014)
- Login Agent for Mac OS X to allow AD domain users to reset passwords and unlock accounts right from the OS X login screen itself.
- Group-based configuration of self-service policies, enrollment settings and password synchronizer for fine-grained management.
- Now self-service policies will take effect based on their priorities as set by the admin.
- Issue in saving report schedulers.
- Issue in performing quick search in reports.
- Issue in showing the status of change password actions when enrollment is disabled.
Release Notes for build 5041 (Jan 2014)
- Added an option to email generated reports
- Issue with updating profile details when the update button is clicked more than once
- Issue with updating the Advanced Policy Configuration settings from Security Center
Release Notes for build 5040 (Jan 2014)
- Password Expiry Notifier is now part of our FREE Edition; allows you to notify UNLIMITED users. Also, gains a slew of enhancements including:
- SMS notifications to alert users of their impending password expiry
- Option to select users based on groups for sending password expiry notifications
- Ability to schedule and send reports of users’ password/account expiry to their managers
- Send password expiry notifications immediately with the ‘Run Now’ option
- You can now notify password expired users too
- Enabling SSO now requires you to configure NTLMv2, which has been added to enhance security
- Option to hide ‘Click here to troubleshoot’ link in Reset Password / Unlock Account failure page
- Issue in removing added OUs while configuring GINA/CP scheduler
- Issue in enabling the ‘Force User to prove their identity via both verification methods’ option
How to Upgrade?
Highlights of Previous Releases (build 4500 to 5032)
- Unified Self-Service Password Management -Synchronize Windows Active Directory Password/Account changes made using ADSelfService Plus with range of cloud-based and on-premises apps. The following apps are supported:
- Google Apps
- Office 365
- IBM AS400 / iSeries
- HP UX systems
- Oracle Database
- Oracle E-business Suite
- Free iPhone & Android App for self-service password management: ADSelfService Plus native apps for iPhone and Android allows end-users to reset their lost passwords, unlock their locked-out accounts, change their expiring passwords and synchronize password changes with a variety of non-Windows systems and cloud-based applications remotely from their iOS and Android devices. Get the free app from Get the Apps.
- Mobile Web App: Mobile browser support for devices running on any platform including Android, iOS and Windows Mobile
- Mobile App Rebranding: Ability to customize mobile app with your own company logo
- Mail Group Subscription: Self-Service Mail Group Subscription to allow users to subscribe to or unsubscribe from mail groups of their choice
- SMS/E-Mail Verification Codes to provide additional security when End-Users Reset Password / Unlock Accounts
- Enforce Stronger Passwords with "Password Strength Analyzer"
- Instant DC Updater: The actions by a user (password reset or account unlock), can be instantly updated between sites and across all or specified domain controllers
- Enrollment Notification: Scheduler to invite the 'non-enrolled & new domain' users to enroll with ADSelfService Plus as well as delivery reports for the notifications.
- Force Users to Enroll - Now force users to enroll with ADSelfService Plus as soon as they log in to their machines.
- Extract Audit Reports specific to a domain with the help of built-in filters.
- Heightened security against 'Cross-site scripting', 'CSRF issue', and 'Denial of Service attack'.
- SSL Certification Tool: Helps you to generate CSR and offers guidelines to install SSL certificate
- Report Scheduler: Scheduler for mailing admin the detailed reports of ADSelfService Plus (User, Audit & Enrollment Reports)
- Restrict User Scheduler: Scheduler for restricting the inactive users of a domain from accessing the application
- Support for Windows 8 and Windows Server 2012 operating systems
- Support for Postgres Database server (as product database) in addition to already supported MySQL and MS SQL databases.
- Support for 17 languages including Dutch, Swedish, Chinese, Spanish, Russian, and Arabic.
- Support for 3rd party GINA/CP agents:ADSelfService Plus is now compatible with the following 3rd party GINA/CP agents:
- Zenworks Endpoint Security agent
- 2X agent
- Toshiba Logon Provider
- Cisco NAC agent
- OneX Credential Provider
- Sophos Safeguard Disk Encryption
- Cisoc VPN client
- Checkpoint Full Disk Encryption (pre-boot authentication not supported)
Click here for the complete list of Features, Fixes and Enhancements from previous releases.
Some other benefits of ADSelfService Plus - Self Service Reset Password Management
Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus!
Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.
Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more.
Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.
Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.
Thank you for subscribing