Release Notes

Enhancements

• The Spring Framework JAR files used in the product have been updated to version 5.3.39.
• The PostgreSQL JDBC driver used in the product has been updated to version 42.5.6.

Issue Fixes

• An issue which prevented high availability configurations from being saved when ADSelfService Plus was using an external MS SQL database with Windows Authentication has been fixed.
• An issue where enrolled users imported from other databases received enrollment notifications repeatedly has been fixed.
• An issue where SSO logins to ADSelfService Plus failed even upon successful identity verification has been fixed. This issue occurred when ADSelfService Plus was updated to builds 6504 or later, from builds 6304 or earlier.
• An issue that prevented the Duo verification page from loading during MFA has been fixed. This issue occurred on builds 6504 through 6507.

Issue Fixed

• A memory leak issue caused while decrypting the password sent by the password sync agent.

Issue Fixes

• An issue that caused users' sessions to expire during the password reset process has now been fixed. This issue occurred on Safari browsers when audio CAPTCHA was used.
• An issue that prevented admins from increasing the number of records displayed in the MFA Trusted Browsers and MFA Trusted Machines reports has been resolved.
• An issue with the Mail Group Subscription feature, where mail groups from only two child domains could be subscribed to or unsubscribed from even when other child domains were present, has now been fixed.

Enhancement

• Password synchronization with Microsoft 365/Entra ID (Azure) and Microsoft Dynamics CRM can now be achieved using OAuth client credentials, enabling you to choose modern authentication via OAuth instead of password authentication for password synchronization.

Feature

• Integration with ManageEngine ServiceDesk Plus Cloud: Admins can now effortlessly track users' self-service actions by integrating ADSelfService Plus with ServiceDesk Plus Cloud. Upon integration, each self-service action will automatically generate a ticket in ServiceDesk Plus Cloud, ensuring seamless monitoring and management. Learn more about integrating ADSelfService Plus with ServiceDesk Plus Cloud here.

Enhancements

• The Apache Tomcat version used in the product has been updated to 9.0.93.
• Log files sent to the support team for troubleshooting from the ADSelfService Plus admin portal or manually uploaded from the ADSelfService Plus installation directory can now be selected based on the date and type of log file.
• The file cleanup functionality has been extended to log files and database backups. These files can now be configured for automatic deletion once the retention period is over.
• Exported reports from ADSelfService Plus can now be protected using a password.

Issue Fixes

• An issue where a single Windows authentication failure was counted twice against the allowed number of incorrect password attempts has now been fixed. This issue occurred on machines with the Windows login agent installed.
• An issue that reduced the size of the force enrollment pop-up on 4K monitors has now been fixed.
• An issue that prevented push notifications from being sent to Android devices has now been fixed.
• An issue with displaying the enforced password rules while changing the password of product administrator accounts has now been fixed.
• An issue that prevented users from being redirected to Duo Security for MFA if ADSelfService Plus was accessed using a URL other than the access URL has now been fixed.
• An issue that disrupted the ADSelfService Plus service during password synchronization with OpenLDAP Server for usernames containing Turkish characters has now been fixed.
• An issue that prevented access to ADSelfService Plus via any shortcut icon when the product was already running in the background has now been fixed. This issue occurred when a context path was configured for ADSelfService Plus
• An issue where users with the Password must never expire setting selected in AD were forced to change their passwords upon logging into ADSelfService Plus has now been fixed. This issue was encountered by users for whom passwordless logins were enabled.
• An issue that caused MFA using Security Questions and Answers to fail even when the answers were correct has now been fixed. This issue occurred when the Security Questions and Answers were displayed one-by-one.
• An issue that caused images in emails sent from ADSelfService Plus to be displayed as previews when viewed via the iOS Mail app has been fixed.
• An issue that prevented password expiry notifications from being sent to users whose passwords have expired, has now been fixed.

Feature

• Cached credentials in Windows machines can now be updated without a VPN. Learn more about updating cached credentials using ADSelfService Plus.

Issue Fixes

• An issue causing a blank screen when accessing the login agent on Windows machines with a base language other than English, but with the English language pack downloaded and installed, has been fixed.
• An issue with disconnecting custom Open VPN clients after the cached credentials update has been fixed.

Enhancements

• Device Management Portal support, which allows end users to manage their Duo-registered devices from the self-service portal, has now been extended to Duo Web SDK v4.
• Face authentication from Android devices can now be an additional biometric authentication method alongside fingerprint authentication for MFA.

Issue Fix

• An issue that caused the custom logo to be hidden on the machine login screen when a context path is set has now been fixed.

Hotfixes

• An issue that caused incorrect messages to be displayed during failed CAPTCHA attempts has now been fixed.
• An issue that occurred while restricting unowned licenses when multiple accounts with the same username exist across different domains has now been fixed.

Enhancements

• The PostgreSQL database bundled with ADSelfService Plus has been updated to version 14.12 for 64-bit machines.
• The Apache Tomcat version used in the product has been updated to 9.0.89.
• The JRE version used in the product has been updated to Zulu jre8_0_412.
• The JVM Wrapper version used in ADSelfService Plus has been updated to v3_5_51.
• ADSelfService Plus now utilizes the JDBC driver for SQL server connections.

Issue Fixes

• An issue that occurred from builds 6407 up to 6409, where the User Attempts Audit Report displayed the ADSelfService Plus server's loopback IP address instead of users' IP addresses has now been fixed.
• An issue preventing SP-initiated OAuth SSO logins even when authentication was successful in ADSelfService Plus has now been fixed.
• An issue with regenerating expired SAML encryption certificates when SAML authentication was configured after the certificate expired, has now been fixed.
• An issue in the mail server configuration settings where multiple email addresses could not be saved if there was a space after each comma separating them has now been fixed.
• An issue with updating the location of the VPN client in the Registry Editor when the Windows login agent was installed via GPO has been fixed.
• An issue that prevented Syslog and Splunk configurations from being saved while the TCP 7 port was disabled has now been fixed.

Issue fixes

• An issue that prevented SSO logins to Microsoft 365 has now been fixed.
• An issue that prevented the use of images with uppercase extensions in the product has now been fixed.

Issue fixes

• An issue caused by duplicated authenticator priority values, resulting in the update of ADSelfService Plus from version 6221 to 6403 to fail, has been fixed.
• An issue that prevented the modification of password expiry notifications in languages other than English upon updating ADSelfService Plus from build 6213 or earlier, has now been fixed.
• An issue causing an existing domain to disappear from ADSelfService Plus' UI when an administrator attempted to add a domain controller with the same name as the domain, has now been fixed.

Features

• New reports for deeper insights: ADSelfService Plus now offers fourteen new reports that provide deeper insights on user behavior pertaining to MFA usage and self-service actions.
  • MFA Audit Reports: This section provides comprehensive reports that audit all user actions related to enrollment and MFA, including MFA usage from mobile devices, MFA failure reports, browsers and devices trusted for MFA, and the utilization of backup codes.
  • Password Self-Service Reports: This section offers insights into users' password self-service actions, including password resets, the delivery of password expiry notifications, account unlocks, and information on current and previously blocked users.
  • Agent Reports: This section offers information pertaining to the installation of the login agent on machines in the domain. These reports were previously available under the GINA/Mac/Linux Installation section of the product console.
• SSO for ManageEngine applications: Provide one-click, secure, passwordless access to ManageEngine applications like Endpoint Central, ADAudit Plus, PAM360, and more, through SAML SSO.

Enhancements

• ADSelfService Plus now allows the configuration of RADIUS response attributes that determine the user groups or roles for VPN connections, or other purposes.
• Conditional Access policies can now be applied to VPN connections protected by MFA.
• Enrollment Notifications sent via SMS can now be configured for users opting for Quick Enrollment.
• ADSelfService Plus now allows admins to have granular control over the notifications generated for different enrollment or self-service actions.
• Admins can now receive notifications about unsuccessful user access attempts.
• Users can now be restricted from enrolling for MFA using an email or mobile number that has already been used for enrollment by another user.
• Policy Names and Conditional Access Rules pertaining to users attempting MFA are now audited, and can be viewed as part of MFA audit reports.
• The Password Synchronization feature now supports Oracle's multitenant architecture.
• Admins can now configure soon-to-expire password SMS notifications for users' secondary mobile numbers.
• Users' linked accounts can now be automatically unlocked upon successful password resets.
• Email notifications can now be sent to administrators when ADSelfService Plus restarts after a downtime period.

Enhancement

• The Tomcat version has been upgraded to 8.5.99.

Issue fixes

• An issue that occurred when logging in using Citrix Workspace in a machine with the ADSelfService Plus Windows login agent installed has now been fixed.
• An issue on macOS version 12 where the login agent freezes when using Duo MFA has been fixed.
• An issue in upgrading from builds 6400 and 6401 when syslog is configured for log forwarding in ADSelfService Plus through ManageEngine AD360 has now been fixed.
• Login failure in Windows machines caused by exceeding the idle timeout limit has now been fixed.
• An issue in synchronizing passwords that contain HTML characters using a custom script has been resolved.
• An issue causing the CSS parser JAR file to be duplicated when upgrading from builds 5806 and below has been fixed.
• An issue with displaying the customized text added in the Language Customization page has now been fixed.
• An issue with the "Trust this machine" option not functioning as intended during high user login attempts has now been fixed.

Feature

• Just-in-Time user provisioning for applications: ADSelfService Plus now supports SCIM-based Just-in-Time user provisioning for Assetsonar, Monday.com, Peakon, Slack, and more applications. Learn more about JIT provisioning in ADSelfService Plus.

Issue Fixes

• An issue causing an Invalid access URL error while authenticating with Duo Security from the ADSelfService Plus mobile site has been fixed. This issue occurred when ADSelfService Plus was utilizing a reverse proxy set up on a separate machine.
• An issue that prevented access to ADSelfService Plus via any shortcut icon when the product was already running has now been fixed.
• An issue with the enforce enrollment login script that affected the working of the Duo Universal prompt when ADSelfService Plus was using the default port for HTTP or HTTPS connections has now been fixed.
• An issue that caused an Invalid Request error when setting up mail configurations on non-English deployments of ADSelfService Plus has now been fixed.
• An issue causing the Tenant ID value in OAuth mail configurations to disappear upon integrating ADSelfService Plus with AD360, has been fixed.
• An issue that caused OAuth SSO login failures while using the PKCE code challenge has now been fixed.

Enhancements

• REST API-based integration support has been provided for the RSA authenticator.
• The RSA authenticator now supports policy-based configuration.
• A Username Pattern has been introduced for RSA authentication to efficiently manage issues caused by multiple domains having similar usernames.

Issue Fixes

• The ADSelfService Plus MFA connector for OWA MFA can now be installed on Exchange servers which also act as domain controllers
• An issue which prevented users from uploading their AD photo attribute using the directory self-update feature when the file extension of the image was in uppercase letters has been resolved.
• An issue that prevented password changes and resets using the ADSelfService Plus mobile site if the password contained a unicode character, despite the password policy mandating it, has now been fixed.
• An issue that prevented initial logins to machines using the manually-installed login agent when the ADSelfService Plus server was inaccessible, has now been fixed.
• A loading issue that domain technicians without a designated policy experienced while attempting to access ADSelfService Plus from AD360 has been fixed.
• An issue that prevented SMTP settings from being saved if the admin's display name had more than one space has now been fixed.
• An issue caused while configuring a High Availability deployment of ADSelfService Plus with an external PostgreSQL database has now been fixed.
• An issue that prevented attachments with the .docs extension from being sent with emails from ADSelfService Plus has now been fixed.
• An issue that prevented the Mobile App Deployment page from loading when the Domain Name began with a numeral has now been fixed.
• An issue that caused the Access URL to revert to the hostname when an SSL certificate was applied has now been fixed.
• Issues with password changes and resets using the SHA-1 algorithm for the OpenLDAP and 389 Directory Server have now been fixed.
• An issue that caused the login agent to display a Server Unreachable error when ADSelfService Plus had a Context Path configured has been fixed.
• An issue that caused incorrect search results to be displayed while searching for computers under the Conditional Access section has now been fixed.
• An issue that caused restricted users to consume licenses while attempting password resets or account unlocks from the self-service portal has now been fixed.

Feature

• FIDO Passkeys for phishing-resistant MFA: FIDO-compliant device-authenticators like Windows Hello, Apple Face ID/Touch ID, Android Biometrics, and security keys like YubiKeys, Google Titan Keys etc., can now be used to protect access to applications for a secure, passwordless experience.

Enhancement

• The Spring Framework JAR files used in the product have been updated to version 5.3.28.

Issue Fix

• An authenticated RCE security vulnerability (CVE-2024-0252) in the load balancer component of ADSelfService Plus has been fixed. This vulnerability was reported by Joe Zhoy.

Issues Fixed

• An LDAP injection issue that occurred during passwordless logins to ADSelfService Plus has now been fixed.
• An issue that caused an Invalid Request error when users updated their AD attributes using the directory self-update feature has now been fixed.
• A vulnerable version of the maverick-legacy-client-all.jar file used in the product has been updated to version 1.7.56.

Enhancement

• The public key certificate used while upgrading the service pack has been updated.

Issues fixed:

• An issue in the login agent versions 5.10 or below which affected MFA has now been resolved.
• An issue in the Installed Machines Report, when multiple search criteria were applied, has now been fixed.
• An issue in the functioning of the Password/Account Expiration Notification scheduler when the chosen OU was deleted in AD has now been fixed.

Feature:

• Offline MFA protection for macOS: Logins to macOS machines can now be secured using MFA even when users lack internet connectivity or are not connected to the corporate network.

Enhancements:

• macOS Sonoma is now supported by the macOS Login Agent.
• I18N support has been added to macOS login agent. The supported languages are English, French, Chinese (Simplified), German, Japanese, Polish, Spanish, and Turkish.

Issue Fixes:

• A script error that occurred when a user enrolled for offline MFA was deleted from Active Directory and another user attempted to log into their machine, has now been fixed.
• An issue in updating VPN cached credentials using a service account has now been fixed.

Note:

• ADSelfService Plus no longer offers support for the login agent on macOS versions below 10.10. Check supported versions
• To enable offline MFA for macOS and enjoy |18N support, the macOS login agent needs to be updated to the latest version (3.0). Please find the steps in this guide.

Issue fixes:

• An issue where the username field was empty in User Attempts Audit report for invalid login attempts has now been fixed.
• An issue where search results in the Security Questions report were not displayed properly has now been fixed.
• An issue where the Licensed Users report was not generated when Enable user disclaimer in the Login settings was checked has now been fixed.
• An issue where the GINA installation report was not generated when using MS SQL as the database has now been fixed.
• An issue where custom attribute data containing Unicode characters was not displayed correctly when using an external MS SQL database has now been fixed.
• An issue where acknowledgement email notifications were not sent based on the priority of mail attributes has been fixed.
• An issue where mobile numbers in languages that use the RTL format were not displayed properly when Partially hide Email ID/Mobile No. on MFA pages was enabled in Advanced MFA has now been fixed.
• An issue where Trust this browser option in Advanced MFA settings did not work when attempting to log in as default Admin has now been fixed.
• An issue where the Account Expiry custom attribute value displayed a random value when set to Never Expires has now been fixed.
• An issue where the employee search was not functioning on the login page has now been fixed.
• An issue where the Duo MFA page was being blocked when the server name configured in the access URL has different letter case than the URL used to access the product has now been fixed.
• An issue in high availability (HA) configuration, either while using an MSSQL database or while employing an MSSQL database as a failover cluster setup, has now been fixed.

Enhancements:

• The vulnerable JSON library (CVE-2023-5072) used previously in the product has been upgraded to the latest version 20231013.

Features:

• Duo Universal Prompt Integration: ADSelfService Plus now supports Duo's Universal Prompt for identity verification from both the web console and the mobile app.
  Note: ADSelfService Plus' OWA connector needs to be updated to the latest version for proper functioning of Duo's Universal Prompt for OWA MFA. Please find the steps here.
• Integration with ManageEngine Log360: ADSelfService Plus can now be integrated with ManageEngine Log360, the unified SIEM solution for effective security analytics. This integration also helps meet specific compliance requirements such as FedRamp's M-21-31 by facilitating central log store and audit of application access logs.

Enhancements:

• The same AD attribute can now be configured as the answer to multiple questions for authentication using AD Security Questions.
• An option to search for login agent versions is now available in the Installed Machines Report.
• The login agent installation scheduler now supports sending the Installed Machines Report to Technicians via email.
• The Password Policy Enforcer now supports restricting users from using the values of their AD attributes as their passwords.

Issue fixes:

• An issue that caused MFA for OWA logins to fail upon encountering multiple access requests simultaneously has now been fixed.
• An issue where SMTP settings could not be saved when the From address' Display Name contained space characters has now been fixed.

Issue Fixes:

• An issue that allowed logins to the admin portal on machines where IP Restriction was enabled for admin logins has now been fixed.
• A random SQL Query Blocking issue that occurred in the MS SQL database after scheduled AD synchronization has now been fixed.
• An issue that caused logins to be slow when a large number of domains were configured has now been fixed.
• An issue that prevented access to the Enrollment tab for users under a policy in which password resets and account unlocks were not enabled has now been fixed.
• An issue that caused the Help option in the end-user portal to be hidden has now been fixed.
• An issue that prevented the deletion of users who were under unOwned licenses has now been fixed.
• An issue where the users' time of enrollment was not displayed in the user portal if they had been enrolled by an admin has now been fixed.
• An invalid date/time issue that occurred during report generation if the date and time format of the domain controller was set to the Thai calendar has now been fixed.
• An issue that caused garbled display names to be sent in emails from the product while using languages other than English has now been fixed.
• An issue caused by slow connections between the product and domain controller has now been fixed.
• An issue which prevented OAuth settings from being saved if the hostname in the Login URL used ended with .local has now been fixed.
• An issue which caused the Service Provider's OAuth configuration to fail when the OAuth response type was enforced has now been fixed.
• An issue that prevented the login agent from being installed using Windows Management Instrumentation (WMI) has now been fixed.

Enhancements:

• Mail server settings in the product now support Modern Mail Authentication.
• Cached credential update over VPNs can now be configured using a service account.
• The password change process can now be secured using CAPTCHA verification.
• The OU Popup in the product has now been enhanced to seamlessly display several thousands of organizational units.
• The login agent now supports MFA processes and self-service password reset/account unlock actions when a context path is configured.
• The Tomcat version used in the product has been upgraded to 8.5.91.

Issue Fixes:

• An issue where Offline MFA was not triggered when a reverse proxy was used and the ADSelfService Plus server was unreachable has now been fixed.
• An issue with the login agent that caused an extra login attempt to be made with an empty password during RDP logons has now been fixed.
• An issue where Endpoint MFA logins on Windows machines failed if the sAMAccountName of the user had a space has now been fixed.

Other Changes:

• For security reasons, SSL has been mandated for connections between the login agent and the ADSelfService Plus server, from build 6304.

Note:

• We recommend using the updated version of the login agent (6.4) to fix these issues. Please find the steps here.
• If the login agent is deployed in your organization via GPOs, the ReinstallAgent.vbs file must be updated to the latest version. Please find the configuration steps in this guide.

Issues fixed:

• An issue in build 6302 which caused a problem in the functioning of configured custom SAML applications has now been fixed.
• An issue which prevented users from adding a domain controller with '_' in its name has now been fixed.
• An issue in showing the display name of domains when reports were exported has now been fixed.
• An issue that caused the scroll bar to be missing when editing the self-update layout drop-down field has now been resolved.
• The Microsoft 356/Azure application logo has now been updated.

Issue fixes:

• A response code mismatch in the error message for API failure has now been fixed.
• An issue that caused the ADSelfService Plus mobile site to not load when only Self Update and Change Password were enabled under the Policy Configuration settings has now been fixed.

Enhancements:

• macOS Ventura is now supported by the macOS Login Agent.
• A user belonging to multiple domains can now use the same YubiKey device for authentication.
• Password eye icon support is now provided for the password field.
• The Embed Dashboard widget URL can now be generated with an access token to ensure security.

Issue Fixes:

• An issue where the Password Sync for MS SQL could not be saved when Windows Authentication was selected has now been fixed.
• An issue in the High Availability configuration that occurred when the parameter length exceeded 5000 characters has now been fixed.
• An issue where the password reset acknowledgement mail was sent via the SMS SMTP server instead of the SMTP Server configured in the email settings has now been fixed.
• An issue where WMI access was denied after the Microsoft security update while installing the Windows Login Agent has now been fixed.
• An issue where the Mobile number selection page was shown during endpoint MFA even when Skip the Choose Email Address/Mobile Number step and auto-trigger the verification code option was enabled has now been fixed.
• An issue that caused endpoint MFA on macOS to fail when a language other than English was set has now been fixed.
• An issue with the High Availability configuration that caused a different product configured error to be thrown when the password contained + or - characters has now been fixed.
• A brute-force vulnerability in the verification code entered during enrollment and TFA authentication has now been fixed.

Feature:

• Offline MFA protection for the remote workforce: Logging into Windows machines, RDP machine logons, and UAC elevation prompts that require credentials for privileged actions can now be secured using MFA even when users lack internet connectivity or are not connected to the corporate network.

Enhancement:

• Admins can now enable user enrollment for all mandatory MFA factors immediately upon successful verification during logins to cloud applications, portal logins, password resets, or account unlocks.

Issues fixed:

• A minor performance issue in the web portal's (including login agent's) initial loading process has now been fixed.
• A mismatch between the non-enrolled user count displayed on the product's Dashboard and the Non-Enrolled Users Report has now been fixed.
• An issue in the Password Policy Enforcer that prevented spaces from being recognized as special characters by the Windows Login Agent during password resets has now been fixed.

Enhancements:

• The Single Sign-On and MFA modules now include options to encrypt the SAML assertion and choose between a signed or unsigned SAML request and response when ADSelfService Plus is the service provider.
• An option to regenerate the SAML signing certificate has now been provided.

Issues fixed:

• An issue in the Password Sync Agent that caused the sync operation to the ADSelfService Plus server to fail has now been fixed.
• An issue where password changes from the native ADUC portal did not reflect in ADSelfService Plus' audit reports has now been fixed.
• An issue where reports exported in Turkish contained additional spaces has now been fixed.

Issues fixed:

• An authentication issue involving partially enrolled users has now been fixed.
• An issue in the Windows Login Agent which prevented users from accessing Outlook, SharePoint and shared resources from machines running Windows 10 and above has been fixed.

Issues fixed:

• An issue where the Force Enrollment using Logon Script configuration would fail when the Window Title exceeded 50 characters has now been fixed.
• An unsupported authenticator issue that caused OWA logins via the mobile site to fail has now been fixed.

Enhancements:

• The Enrolled Users Report now allows administrators to view the authenticators users have enrolled for and disenroll them from specific authenticators, using both manual and bulk disenrollment methods.
• Backup codes for technician accounts: Admins can now generate MFA backup codes for technicians from the Enrolled Users Report.
• Technicians can now be delegated the privileges of:
  • Managing users' license consumption
  • Scheduling and exporting reports
  • Customizing and managing the installation of the Windows, macOS and Linux Login Agents
  • Updating cached credentials

Issues fixed:

• An issue in the Password Sync Agent that left it susceptible to brute-force attacks has now been fixed. This issue was reported by Skay.
• A denial-of-service vulnerability in the ADSelfService Plus Mobile App Authentication API has now been fixed.

Issues fixed:

• An issue where the Windows Login Agent failed to update while installing it via GPOs has now been fixed.
• MFA issues in the Windows Login Agent caused by mismatched UPN logins, and a few other crashes have now been fixed.
• An issue in the NPS extension for VPN MFA has now been fixed.

Enhancement:

• The jQuery UI used in the product has been updated from version 1.10.0 to 1.13.2.

Enhancement:

• Support for HTTP SMS macros: The following macros are now supported for the HTTP method under custom SMS provider settings:
  • %uniqueId%: To send a random integer as a unique ID for each message request
  • %currentTime%: To send the current timestamp of the message request
  • %expiryTime%: To specify the time at which the message request expires

Issues fixed:

• An issue that caused admin login failure in the TOR browser when an admin portal restriction based on IP address was configured has now been fixed.
• An issue that caused password sync failure with the SAP NetWeaver application due to password policy mismatch has now been fixed.
• OAuth/OIDC issues caused due to mismatched formatting in the well-known configuration and issuer URLs, and invalid Key ID token responses sent to target applications has now been fixed.
• OIDC SSO login failure during IdP-initiated SSO has now been fixed.
• An issue that occurred while attaching files in the On Specific Day and Password Expiry Notification email editors has now been fixed.
• An issue in which OWA was not functioning when IP restriction was imposed via a conditional access policy has now been fixed.

Issues fixed:

• Prevented the password macro from being used in the admin/manager email notification after a password reset or change operation.

Issues fixed:

• An issue in the login agent APIs, which allowed unauthenticated access, has been fixed by securing the agent with an access key. This issue was reported by Wilfried Becard and Antonine Cervoise from Synacktiv.

Feature:

• Hardware TOTP token support: Hardware tokens such as Protectimus hardware TOTP token, Deepnet Security hardware token can now be configured as a custom TOTP authenticator for identity verification.

Enhancements:

• SMS and email verification support for VPN MFA: SMS and email verification can now be configured as an authenticator for VPN MFA.
• Bulk enrollment support for authenticators: Admins can now enroll end users for Google Authenticator, Microsoft Authenticator, Zoho OneAuth TOTP authenticator, and custom TOTP authenticators through bulk enrollment either using a CSV file or through a database fetcher.
• An option to skip the Select your mobile number/email address drop-down in the MFA verification page for SMS and email verification has now been included.

Issues fixed:

• An issue in the working of Linux agent (Cent OS 7) has now been resolved.

Important update:

• Third-party requirement for NTLMv2 SSO: To enable NTLMv2 SSO for ManageEngine ADSelfService Plus in builds 6211 and above, you have to manually download the Jespa JAR file and add it to the lib folder of the product's installation directory. For more information, click here.

Issues fixed:

• A critical RCE security vulnerability (CVE-2022-47966) caused due to a vulnerable .jar file used when SAML SSO is/was enabled in the product, has been fixed. This was reported by Khoadha of Viettel Cyber Security.
• The forced enrollment using login scripts feature didn't work for partially enrolled users. This issue has been fixed.

Enhancements:

• Notification Center: To ensure product security, a notification center has now been included to display important alerts that require admin attention.
• To ensure security, the Spring JAR files used in the product have been updated to version 5.3.21.
• To ensure security, the Commons Text JAR files used in the product have been updated to version 1.10.

Issues fixed:

• An issue that caused an infinite password sync loop when password sync is configured for Active Directory bidirectionally has now been resolved.
• An issue that caused the login agent to crash when Have I been Pwned integration was enabled and HTTP was configured has now been fixed.
• An authorization issue in Talkback APIs has now been resolved.
• A memory leak issue which caused the domain controller to restart abruptly in rare scenarios when Password Sync Agent version 2.0 was configured has now been fixed.

Issues fixed:

• An issue in the Restrict Users scheduler under License Management when there were different domains containing the same usernames has now been fixed.
• An issue that occurred while searching for a username containing '_' in reports when using an external MS SQL database has now been fixed.
• An issue in prompting MFA during VPN login when the username format was domain name/username has now been fixed.

Features:

• MFA for Windows User Account Control: All UAC elevation prompts that require credentials such as installing an application, editing the registry, and so on can now be secured using MFA.
• Machine-based MFA: Secure business-critical machines in your organization by enforcing Machine-based MFA. This allows users to access the machine only upon successful identity verification through MFA, irrespective of their enrollment status, self-service policy membership, and ADSelfService Plus server connectivity.

Issues fixed:

• An issue which caused MFA to not function as intended in Windows 11 machines during system unlock has now been fixed.

Features:

• MFA for mobile app login: ADSelfService Plus mobile app logins can now be secured with an additional layer of authentication using MFA.
• Passwordless login: Provide easy and secure access to log in to the mobile app using modern authentication factors such as biometric authentication, push notification authentication, TOTP authentication, and so on.
• Support for additional authenticators: The ADSelfService Plus mobile app now supports Zoho OneAuth authentication, custom TOTP authentication and backup recovery code support during self-service actions and mobile app logins.
• Manage device enrollment: An option to restrict the number of devices users can use to enroll for mobile app authenticators like push notification, biometric, and QR-code authentication has now been included.

Enhancement:

• User enumeration prevention: An option to prevent attacks through user enumeration in the mobile app has now been introduced.

Issues fixed:

• An issue with the functioning of Accessibility VoiceOver in iOS devices has now been resolved.

Issues fixed:

• An issue with the functioning of the custom range filter in Audit Reports, when there were a large number of audit records, has now been fixed.
• A performance issue while derestricting users under License Management, when there were a large number of restricted users, has now been fixed.

Enhancements:

• Enrollment report customization: The Enrolled Users Report and Non-enrolled Users Report can now be customized to view additional user information, such as their active status, last logon time, etc.
• Cloning existing policies: Existing self-service policy configuration settings can be copied to create multiple policies across domains now.
• Granular control over trust periods: The MFA trust period for browsers and machines can now be customized in terms of minutes, hours, or days.

Issues fixed:

• An issue with deleting licensed users who have an apostrophe character in their names has been fixed.
• An XSS issue that could potentially occur in the Conditional Access rule assignment section has been fixed.

Enhancements:

• The MFA and Password Policy Enforcer features have now been extended to technicians who use product authentication.

Issues fixed:

• An issue in which the functioning of the Password Sync Agent was affected when a domain flatName was specified during domain configuration has now been fixed.
• A security vulnerability which caused authenticated remote code execution in quick enrolment configuration by super admin when connecting to MySQL database has now been fixed.

Issues fixed:

• A denial-of-service attack issue (CVE-2022-34829) in the ADSelfService Plus Mobile App Deployment API has now been fixed.

For more information, refer to our security advisory page.

Security enhancement:

• An option to prevent user enumeration by initiating a mock MFA process has now been included. This has been implemented to mitigate CVE-2022-28987.

Issues fixed:

• An issue in which the Change Password notification was not triggered when the operation was performed via the mobile application or mobile web browser has now been fixed.

Enhancements:

• Mac Agent support has now been extended to macOS Monterey.
• XLSX format is now supported for exporting reports.
• An option to extend the portal session expiration duration to one day has now been provided.

Issues fixed:

• Performance-related issues in User Reports, Restricted Users report, Password Expiration Notification, and Unrestrict Users scheduler have now been fixed.
• An issue that blocked the database query while sending enrollment push notifications has now been resolved.
• An issue in VPN MFA when the configured MFA method was push notification has now been fixed.

Issues fixed:

• The communication between the Password Sync Agent and the ADSelfService Plus server has now been secured with the inclusion of an access key. (CVE-2021-37423) For more information, refer to our security advisory page.
• An issue which exposed the username information in the request URL sent to the ADSelfService Plus server upon successful IdP authentication has now been fixed.
• An issue where the embedded employee search option was not displaying the desired results has now been resolved.
• To enhance security, the Spring JAR files used in the product have now been updated to version 5.3.18.

Issues fixed:

• A security vulnerability which exposed admin credentials if the ADSelfService Plus server access was compromised while installing the login agent using Remcom and RemoteExec methods has now been fixed.
• A security vulnerability which allowed remote command execution in the ADSelfService Plus server while installing the login agent using Remcom and RemoteExec methods has now been fixed. This issue was reported by Wilfried Becard and Antonine Cervoise from Synacktiv.
• A security vulnerability which caused XSS script execution in the Configured Domains page has now been fixed.

Issues fixed:

• In product instances where post-action custom scripts are enabled, a security vulnerability (CVE-2022-28810) which could lead to remote code execution during password reset and password change, has been fixed. This issue was reported by Hernan Diaz, Andrew Iwamaye, Dan Kelly, and Jake Baines of Rapid7 via our Zoho Bug Bounty program.

For more information, refer to our security advisory page.

Issues fixed:

• A security vulnerability (CVE-2022-24681) which allowed XSS script execution in the reset password, unlock account, and user must change password pages has now been fixed.
• A vulnerability (CVE-2022-29457) causing the NTLM Hash to be disclosed to operators when configuring the storage path of a remote machine in the Reports tab has now been fixed.

Enhancements:

• Site-based DC Update: Let's you assign a particular set of domain controllers (DCs) to an OU so that self-service changes made by users from that OU are quickly updated in the DCs assigned to that OU.
• Password Sync tab is now equipped with the capability to deselect all the linked accounts for password reset, account unlock, and password change operations.
• An option that allows domain display name to be shown or hidden in the end-user portal/pages has now been added in the Reset & Unlock tab.
• IP-based portal restriction will now deny technician logins from black listed IP addresses.
• Windows MFA, which was prompted for user login and screen unlock earlier will now be prompted only during user login.

Issues fixed:

• Glitches pertaining to MFA application to macOS machines whose names contained spaces have been resolved.
• When the login page was customized to display only the login button, the drop-down list had glitches. This issue has now been resolved.
• An issue which caused the failure of SAML SSO for custom applications since only "Exclusive Canonicalization with Comments" XML Canonicalization method was supported has now been fixed.
• An issue in which mail content was added to the syslog files has now been removed.
• An issue specific to the Germany locale in displaying the number in the password policy enforcer text has now been fixed.
• Text customizations done in Language Customization tab for languages other than English were not reflecting. This has been fixed.
• A memory leak issue in VPN MFA's NPS extension has now been fixed.

Issues fixed:

• Log4j dependency in ADSelfService Plus has been removed to ensure security.

Issue fix:

• An issue in renewing the SAML certificate when ADSelfService Plus is the identity provider has now been fixed.

Highlight:

• Azure AD MFA support: Azure AD MFA can now be used for identity verification during self-service reset/unlock; self-service portal login; cloud application, machine and OWA logins. This method is supported in both web and mobile applications.

Enhancement:

• RADIUS challenge support has now been provided for RADIUS multi-factor authentication.

Issues fixed:

• An issue in the Enrolled Users Report while sorting the users' mobile numbers has now been resolved.
• OWA context was added twice in the server.xml file when service pack installation failed. This issue has now been resolved.
• An issue in which the content-type was missing in the response when the mobile site URL had js, css, image, and cewolf as resource types has now been fixed.
• When the answer to the security question were all numbers, users were unable to prove their identity for password reset/unlock account via the mobile application. This issue has now been fixed.
• A login issue which occurred when users committed an error of adding spaces in the beginning and end of the username and when the username contained % has now been fixed.

Issues fixed:

• All the API endpoints have now been strengthened to be more secure.
• A security vulnerability (CVE-2021-20147) which allowed performing unauthenticated UMCP operation using REST API has now been fixed.
• Access to the domain password policy HTML (CVE-2021-20148) has now been restricted for all users.
• A minor change has been implemented to display the username and password fields on the same login page now.

Issues fixed:

• When a custom attribute's display name containing \ or " was added to the employee search display column, no results were returned for an employee search. This issue has now been fixed.
• An issue in the Linux Login Agent specific to Ubuntu 18.04.5 LTS has now been resolved.
• An issue in integrating ADManager Plus with ADSelfService Plus when the provided admin/technician account's password contained % has now been fixed.
• Login issue when the username contained space has now been resolved.

Feature:

• SAML SSO support for ServiceDesk Plus: ADSelfService Plus now supports single-sign on (SSO) to the on-premises version of ManageEngine ServiceDesk Plus.

Enhancements:

• Migrated from JavaPNS to Pushy library (v0.14.1) and from NotNoop to Pushy library (v0.14.1), for sending iOS notifications and pushing the mobile application respectively, when the MDM profile is installed.

Security Issue fix:

• An authentication bypass vulnerability affecting REST API URLs, rated critical, has now been fixed. [CVE-2021-40539]

Issues fixed:

• An issue which restricted users with special characters in their passwords from logging in to the portal via the mobile site has now been fixed.
• An issue that restricted users access to the portal even during the permitted logon hours has been resolved.
• All cookies can now be protected by enabling the HttpOnly flag.

Enhancements:

• Mac Agent support has now been introduced for macOS Big Sur.
• Mobile app support to block specific email domains and mobile number formats during user enrollment has now been provided.

Issues fixed:

• While using the mobile app to reset password/unlock account, the forced number of authentication factors were not verified. This issue has now been resolved.
• A vulnerability in the Approval Workflow module which facilitated an unauthenticated attacker to send emails to domain users has now been fixed.
• The possibility of a Boolean SQL injection attack during manual account linking for Oracle Database has been eliminated.
• The security issue of account takeover via machine account creation has now been fixed.
• The SSRF vulnerability present in the High Availability module has now been fixed.
• The issue in build 6111 with the MFA for VPN feature in which authentication was bypassed has now been resolved.
• The password changes were not applied across all linked accounts when the Force Password Synchronization option was enabled in build 6111. This issue has now been fixed.

Highlights:

• MFA for OWA/Exchange Server: Strongly secure your Exchange environment with a dedicated multi-factor authentication (MFA) setup with over 17 advanced authentication methods, for Outlook on the Web and Exchange admin center logins.

Feature:

• Support for OpenID Connect and OAuth applications: ADSelfService Plus now offers OAuth and OpenID Connect-based single sign-on for any enterprise application that supports these protocols, in addition to the already existing SAML support.

Issues fixed:

• Users will not be allowed to login if they have spaces in their passwords, for builds from 6108.
• Password expiry notifications were not being sent to the user, if the number of days for account expiry contains '0'. This issue has been resolved.
• The account linking setting for O365 application was not saved properly when single sign-on is enabled for O365. This issue has been fixed.

Issue fix:

• Fixed the account takeover issue (CVE-2021-37927) reported by HaYiCle, by enforcing SAML signature verification before logging in users through SAML SSO.

Issues fixed:

• The VPN Group Name field is no longer mandatory while configuring Cisco AnyConnect for updating cached credentials over VPN.
• The issue that occurred when updating country/region under the Profile tab has been resolved.
• The issue with domain API verification in Duo configuration has now been fixed.

Features:

• Passwordless Login: ADSelfService Plus and other SSO-enabled applications can now be accessed using advanced authentication methods such as biometrics, YubiKey, Google Authenticator, etc.
• Forced enrollment for machine login MFA: Enforce mandatory enrollment to ADSelfService Plus from login screens to implement MFA for machine access.
• Exclusive MFA setup for cloud applications: Customize the authentication factor set-up for service provider-initiated SSO-enabled application logins.

Enhancements:

• SAML authenticator: SAML authentication can be included as an authentication factor for ADSelfService Plus logins, Endpoints MFA, and Applications MFA.
• Language support: ADSelfService Plus now supports Traditional Chinese language.

Issues fixed:

• The macOS login agent was not loading after a restart or shut down operation. This has been fixed.
• Enabling Hide Personalization setting did not force the admin's theme preference over the users when the users' theme preference was set before the enforcement of this setting. This issue has been resolved.
• An issue that caused trouble in the SSO login process in the latest versions of browsers has been resolved.

Enhancements:

• The jQuery library used in the product has been updated from version 1.11.3 to 3.5.1.
• The Bootstrap framework used in the product has been updated from version 3.3.6 to 3.4.1.
• The jQuery UI used in the product has been updated from version 1.9.2 to v1.10.0.

Enhancements:

• Conditional Access: You can now restrict access to the ADSelfService Plus portal and enable NTLM single sign-on, based on a user's location, device used, time of access, and IP address.
• Duo Device Management Portal: Users can now add or remove Duo-registered devices from the ADSelfService Plus portal.

Issues fixed:

• User profile images were not being displayed in the Organization Chart when Reverse Proxy was configured. This issue has been resolved.
• An OU performance issue that caused delays in information retrieval has been resolved.
• When a user is a part of many groups, the login process was slightly delayed. This issue has been resolved.

Enhancements:

• Admins can now configure users' managers email addresses to send them notifications about user activities like self-service password reset, self-service account unlock, password change, and enrollment.
• The email verification code generated during enrollment and user identity verification can now be sent to the admin or manager via email.
• An option has been introduced to block specific email domains and mobile formats provided during user enrollment.

Issues fixed:

• A vulnerability which lead to unauthenticated and authenticated remote code execution through PowerShell injection has been fixed.
• If the user entered an email address during enrollment and the same email address was later updated as the user's AD mail attribute value, the user did not receive scheduled notifications and the email address was displayed twice during email verification authentication. This issue has been fixed.
• When users access the end-user portal through NTLM Authentication, user actions could not be performed in certain Windows environments. This has been fixed.
• The configuration of RADIUS authenticator failed when the secret key had specific special characters (<, >, ', ", and &). This has been fixed.
• An issue that occurred in the secure links generated for email verification has been fixed.

Vulnerability issues fixed:

• A vulnerability that in rare cases allowed bypassing CAPTCHA in the ADSelfService Plus login page has been fixed.
• A rare Cross-Site Scripting attack vulnerability in the e-mail address field used in the employee search feature has been fixed. (Reporter: Matt CVE-ID: CVE-2021-27956))
• A vulnerability that in rare cases can cause Reflected Cross-Site Scripting attacks has been fixed.
• A vulnerability that in rare cases let attackers expose information about the database application configured for password sync has been fixed.
• A vulnerability that in rare cases let attackers bypass the ADSelfService Plus' admin portal access restriction based on IP addresses has been fixed.

Highlight:

• Zoho OneAuth's OTP authenticator can be used as an MFA method to verify users' identities during password reset and account unlock actions, ADSelfService Plus logins, and machines and VPN logins.

Enhancements:

• The Linux login agent now supports Ubuntu version 20.x.
• The password synchronization with OpenLDAP now supports the Extended Password modify operation - (RFC-3062).
• SAML assertion attributes have been introduced to allow admins to configure the specific attributes that have to be included in the SAML response token sent to the service provider by ADSelfService Plus to prove a user's identity.

Issues fixed:

• For SAP NetWeaver password sync, the unlock account functionality is now restricted for accounts that were locked or disabled by the admins.
• An issue with configuring the Select Duration setting for scheduled reports has been fixed.
• An issue with generating reports using the Operator technician role has been fixed.

Issue fix:

• An unauthenticated remote code execution vulnerability ((CVE-2021-28958) has been fixed.

Enhancement:

• ADSelfService Plus now supports three different methods of Windows login agent installation to ensure success rate. The three methods are:
  • Remcom
  • PAExec
  • WMI

Issue fix:

• The issue of not receiving a prompt for multi-factor authentication while using the VPN when languages other than English are personalized for the ADSelfService Plus server has been resolved.

Enhancements:

• The Tomcat server bundled with the product has been upgraded to version 8.5.57.
• The ADSelfService Plus database backup archives are now password protected.

Issues fixed:

• A security issue due to the use of fixed ciphering keys has been fixed (Zoho Bug Bounty ID: ZVE-2018-1790).
• A security issue that caused improper authorization of end user actions has been fixed (Zoho Bug Bounty ID: ZVE-2020-4164).

Enhancement:

• Support for SAML Authentication as an MFA method in the ADSelfService Plus mobile app (both iOS and Android) for self-service password reset and account unlock.

Issue fix:

• Issue in SAML SSO logins when reverse proxy server is configured has been fixed.

Highlights:

• MFA backup codes for authentication: Users can now prove their identity using backup codes when they cannot access the enrolled MFA authenticators or their mobile devices used for authentication. These backup codes can be generated by both users and the admins, and used for identity verification during machine and VPN logins, self-service actions, and ADSelfService Plus portal logins.
• Custom Time-based One-time Passcode (TOTP) Authenticator support: Admins can now configure any TOTP authenticator [Eg: Symantec VIP Access, FortiToken, Free-OTP, etc] as per organizational usage to verify users' identities during password reset and account unlock actions, and ADSelfService Plus, machines and VPN logins.

Enhancements:

• Smart card multi-factor authentication: Smart card authentication will now be available as an authenticator in multi-factor authentication for ADSelfService Plus web portal login.
• ADSelfService Plus has been upgraded from two-factor authentication to multi-factor authentication for machine (Windows, macOS, and Linux), VPN and product logins.
• Admins can now link domain user accounts based on any attribute of choice with the Duo accounts for multi-factor authentication.
• Idle time limit during multi-factor authentication can be configured for machine, VPN, and product logins.

Issues fixed:

• During user identity verification through SMS and email verification codes, the drop-down menu at the end-users portal will prioritize the mail/mobile values added by the end-user during enrollment over those stored in Active Directory.
• The time taken to load Change Password tab has been reduced.
• Fixed an issue that prevented including more than 10 mail addresses in the Admin Mail Address field under Mail Settings.
• While logging into ADSelfService Plus through SAML single sign-on, it is now possible to use any authentication technique provided by the identity provider (Okta, OneLogin). Password authentication is not mandatory.

Enhancements:

• New customization options that help rebrand ADSelfService portal to best suit your requirements. With these new options you can:
  • Set a background image for the portal's login page.
  • Customize buttons on the users' login page.
  • Select custom color for theme using the color picker field.

Issues fixed:

• The issue of license consumption by both the primary and secondary user accounts when password synchronization is enabled between two Active Directory domains.
• The issue in AltGr key usage in the Windows login agent when ADSelfService Plus' end-user portal is configured to display in languages other than English.
• Encoding failure during mail attachment when using languages other than English.
• The issue where Organization Chart generation was slowed down and CPU usage was higher than usual when the number of users in the domain increased.

Issues fixed:

• Fixed an issue that prevented proper embedding of image in email content.
• If the Password Expiration Notification's retry option is disabled, managers receive an empty Soon-To-Expire Password Users Report on the specific days configured when no users fall under the report that day. This has been fixed.

Enhancements:

• Trusted devices option for Endpoint Machine Login MFA: Users can now mark their machines (Windows, macOS, or Linux) as trusted during login to skip multi-factor authentication for subsequent logins. Admins can define how long a machine should remain trusted.

Highlights:

• Load Balancing: ADSelfService Plus now comes with a built-in load-balancing server, to help you set up multiple instances of ADSelfService Plus, and distribute incoming requests among them. This helps improve performance, eliminate downtime, and provide a better experience for end users.
• Reverse Proxy: Enable reverse proxy, by integrating with ManageEngine AD360, to improve security when making ADSelfService Plus accessible for remote access.

Highlight:

• Multi-factor authentication (MFA) for VPN: Secure your VPN by enabling MFA via fingerprint/Face ID, Push Notification, Google Authenticator, Yubico OTP, and other wide range of authentication factors.

Issues fixed:

• Users were not able to login using the mobile browser during SP-initiated SAML SSO. This has been fixed.
• Password change using the PowerShell API has been secured.
• Custom questions were not properly displayed when configuring the Auto Enrollment Scheduler using CSV file. This has been fixed.

Enhancement:

• Face ID authentication is now supported for MFA in the ADSelfService Plus iOS app.

Issue fix:

• Security fix to prevent unauthenticated remote code execution attacks.

Issues fixed:

• Fixed an issue which prevented sending the password expiration notification and expired password notification to users with Password Setting Object applied to them.
• Fixed an issue that prevented saving multiple mail addresses under Notify Admin in the Notifications tab of Advanced Policy Configuration settings.
• Provision for verification of user enrollment status with Duo Security has been added for enhanced security.

Highlights:

• Conditional Access Policy: Use various risk factors such as IP address, device type, time of access, and geolocation to determine which self-service policy will be assigned to users. With Conditional Access Policies, you can enforce endpoint MFA or restrict access to self-service features for high-risk users, thus improving security posture without affecting user experience.

Issues fixed:

• Fixed an issue which prevented changing the SMS provider from GSM Modem to Custom HTTP.
• The drop-down fields for directory self-update were not displayed properly. This has been fixed.
• Password expiration notifications were not sent to secondary email addresses even when the Enable Notification to All Secondary Mails of Users option was enabled. This has been fixed.
• Autocomplete has been turned off for the answer fields during security questions and answers-based authentication.
• Fixed an MS SQL migration issue which prevented fetching all the MS SQL instances.

Highlights:

• This release comes with a service pack that can be used to update your ADSelfService Plus to get the flat GUI as well as the enhancements, and bug fixes released in builds 5816 and 5817.

Issues fixed:

• The SMS notifications sent during MFA contain HTML code.
• Improper functioning of CAPTCHA when reverse proxy is configured.

Issues fixed:

• Fixed a vulnerability which allowed a user to enable integration with other supported ManageEngine products bypassing authentication [CVE-2020-24786] , which was reported by Florian Hauser.
• Issue in using Push Notification authentication for logging into ADSelfService Plus when TFA is enabled.

Features:

• Improved look and feel with flat UI: The ADSelfService Plus admin portal has been revamped with a sleeker and more streamlined flat user interface.
• Embed dashboard widgets: The dashboard graphs can be embedded in any web page using the HTML snippet provided. A URL is also provided to access the graph separately.
• Language customization: Personalize ADSelfService Plus by customizing any text displayed in the portal for your language of choice.
• SSL deployment through UI: Easily apply a SSL certificate and enable HTTPS to secure ADSSP in just a few clicks with the all new UI-based SSL certification tool.

Enhancements:

• Technician: Administrators now have the option of providing the technician privileges to groups.
• Password Policy Enforcer has been enhanced with several new password policy rules for improved security:
  • Disallow the use of specific numbers of consecutive characters from user names and old passwords
  • Disallow the use of a character specific number of times consecutively.
  • Ensure the password starts with an uppercase letter, lowercase letter, number, or special character.
  • Disallow the last character of the password to be a number.
  • Fix the number of old passwords to be restricted during password resets.
  • The customized message that displays the password policy requirements during password reset or change can be reset to default.
• Directory Self-Update has been improved with the following options:
  • Administrators can set the self-update layout as read only.
  • Show or hide the Report To and Direct Report fields and the left panel of the self-update layout with these fields and photo upload.
  • Enforce the format of information provided in the self-update fields (mobile number, email address, or letters).
  • All notification messages can been enhanced with rich text editors.
• Employee Search:
  • Administrators now have the option to enable the Employee Search based on self-service policy.
• Force enrollment logon script:
  • Administrators now have the option to customize the enrollment logon script window's title and button text.
• IP-based restriction for admin login:
  • Admin login can now be restricted to some specific or a range of IP addresses using the restrict IP address option.

Issue fix:

• Security fix to ensure ADSelfService Plus is immune to unauthenticated remote code execution (RCE) vulnerability (CVE-2020-11518).

Issues fixed:

• Issue of unnecessary characters in SMS notifications when using the SMTP provider due to improper encoding type.
• Issue in generating the Enrollment Reports graph in the Dashboard tab.
• A vulnerability issue in the ADSelfService Plus login agent has been fixed.
• Issue of password reflection during password reset.
• Issue of a Cross-site Scripting vulnerability.

Issue fix:

• A security issue that arises when the 'User must change password at the next logon' option is enabled in Active Directory has been fixed.

Issue fix:

• Issue in enforcing the default minimum password length (i.e, 7) when product technicians change their account passwords.

Feature:

• Block breached passwords: ADSelfService Plus now supports integration with 'Have I Been Pwned?', which prevents the use of breached passwords during password change or reset by users.

Issue fix:

• Issue in AltGr key usage in the GINA login agent when ADSelfService Plus' end-user portal is configured in non-english display settings.

Enhancements:

• Option to resend verification codes while authenticating user identities via SMS or email.

Issues fixed:

• Issue with updating the status of the GINA login agent installation via GPO in ADSelfService Plus.
• Issue in installing the macOS login agent for users when the domain admin password contains certain special characters such as the '!' and '.'. 
• Issue which caused the open re-direct vulnerability has been fixed.

Highlight:

• Endpoint multi-factor authentication (MFA): Add an extra layer of security to Linux logins, in addition to Windows and macOS, with any of the supported 14 authentication methods including YubiKey, fingerprint authentication, RSA SecurID, and DUO Security.

Enhancement:

• Option to perform remote installation, un-installation, customization, and re-installation of the Linux login agent from the admin console.

Highlight:

• YubiKey authenticator support: Users can use the YubiKey device to prove their identity during self-service password resets/account unlocks, ADSelfService Plus logins, and endpoint logins.

Issues fixed:

• A CSRF vulnerability that occurs in the self-update section of the end-user portal is fixed.
• Issue in the GINA/CP logon agent that could lead to privilege escalation is fixed.

Issues fixed:

• A few minor bugs have been fixed.

Highlight:

• Korean language support: The end user and the admin portal can now be personalized in the Korean language, besides the twenty other supported languages.

Enhancements

• Improved performance in the domain sync operations of ADSelfService Plus.
• Option to use the middleName (LDAP attribute) to greet users and admins on the welcome screen.

Issues fixed:

• Issue in deleting licensed users of ADSelfService Plus when the admin portal is customized in Polish language.
• Issue in Password Expiration Tool that listed only partial domains while configuring soon-to-expire password notifications.
• Issue in syncing passwords when resets are performed across multiple G Suite domains simultaneously.
• Issue in displaying the host display name during self-service account unlock when the force synchronization option is enabled.
• Issue which duplicates the sent notifications when Password Sync Agent is installed and more than one DC is configured under site-based DC.
• Issue in verifying user identity during Windows logon two-factor authentication (TFA) when UPN suffix is included along with the username.
• Issue which crashed the executable file in Windows logon agent when connected to VPN using Cisco Anyconnect.
• Issue in displaying users' photo in Employee Search at certain times when the session is refreshed.
• Issue which denied users access to ADSelfService Plus via the logon script in the 5803 build.
• Issue in displaying the OU in the Policy Configuration window if its description  more than 250 characters.
• Issue in forwarding logs to SSL-enabled Splunk servers.

Issues fixed:

• All untranslated UI text are now localized for all the languages supported by ADSelfService Plus.
• Issue which displayed the error message "Sorry, the page you requested was not found," when manually initiating multiple GINA/Mac/Linux logon agent installation processes.
• Issue in Password Expiration Notifier Tool which failed to accept the DisplayName in the From Mail address of Mail Server settings.

Issues fixed:

• A minor text alignment issue while displaying the custom password policy during password change/reset is fixed.
• An injection vulnerability in the Windows and Linux login agent is fixed.

Highlight:

• Two-factor authentication for macOS: Add an extra layer of security to macOS logins by enforcing two-factor authentication. Choose from thirteen authentication methods including fingerprint authentication, SMS/email verification, RSA SecurID, and DUO Security.

Highlights:

• Supports Microsoft Authenticator: Users can use Microsoft Authenticator to prove their identity during self-service password resets/account unlocks, ADSelfService Plus logins, and Windows logins.
• Separate dialog box for password rules: Display the enforced password policy rules in a dialog box in the Windows password change (Ctrl + Alt + Del) screen.

Enhancements:

• Option to hide the Applications tab in the end-user portal when automatic account-linking option is enabled.
• The Enrollment Reports have been enhanced to filter partially-enrolled users.
• Enrolled Users Report has been enhanced to display a summary of users selected for disenrollment from being accidentally disenrolled.

Issues fixed:

• Issue in version 5.7 which failed to update the locally cached credentials in users' Windows machines.
• Issue in logging into the product using unique attributes (email ID or mobile number) if the sAMAccount name of a user and any deleted user is the same.

Issues fixed:

• A security issue has been fixed

Highlights:

• Flat user interface for the end-user portal: ADSelfService Plus' user portal gets a makeover with flat user interface.
• TFA for Windows and ADSelfSevice Plus logon now supports additional authentication methods including:
  • Security Questions and Answers
  • Email Verification
  • SMS Verification
  • Google Authenticator
  • Duo Security
  • RSA SecurID
  • RADIUS Authentication
  • Push Notification Authentication
  • Fingerprint Authentication
  • QR Code-Based Authentication
  • TOTP Authentication

Enhancements:

• Provision to allow users to complete their enrollment during the self-password reset/account unlock process itself after successfully proving their identity using any of the supported authentication method.
• Mobile number and email address added by users during enrollment will be verified through an OTP for improved security.
• Force users to use specific email domain names (such as gmail.com or hotmail.com) during enrollment.
• Option to mandate separate authentication techniques for enrollment and self-password reset/account unlock processes.
• Displaying the calendar field in any date-related field in the self-update layout.

Feature:

• 389 Directory Server password synchronization: Sync Active Directory password changes with 389 Directory Server passwords in real time.

Issues fixed:

The following issues have been fixed in this release:

• Failure to send emails when TLS security setting is enabled for mail server.
• Issue which failed to update the modified domain functional level in ADSelfService Plus.
• Issue which restricted licenses of users with the same name of any previously deleted user.
• Issue in displaying user disclaimers in RTL languages.
• Blank GINA/Mac installation reports being exported when MS SQL database is used.
• Script error displayed in GINA/CP password self-service portal, in Danish language.
• Script error when adding restricted IP/Server Name.
• An XSS vulnerability that could be exploited using ADSelfService Plus mobile app API has been fixed.

Enhancements:

• Support for OpenVPN: Update Cached Credentials over VPN setting extends its support for OpenVPN.
• Password expiration notifier now has an option to not inherit child OUs while sending reminders.

Issues fixed:

The following issues have been fixed in this release:

• Issue in configuring the password sync agent when ADSelfService Plus' server is connected through a proxy.
• Issue in migrating database to MS SQL server when SSL encryption is applied to a specific instance.
• Issue in synchronizing password changes with multiple configurations of SAP NetWeaver.
• Vulnerability issue fix in high availability mode.
• Issue which denied access via logon script when DUO is used as the two-factor authenticator.
• Issue in identity provider (IdP) initiated SAML-logout for SSO.
• Issue in displaying the default tab when user portal is accessed via mobile app or mobile site.
• Issue in sending password expiry reminders when there's a user in the list whose PSO cannot be read due to lack of permission.
• Issue in displaying the correct order of mobile numbers in RTL languages such as Hebrew and Arabic.
• XSS Vulnerability issue fixed in the login page. [ CVE-2019-8346 ]

Feature:

• Support for Windows Server 2019: ADSelfService Plus extends its Active Directoy self-service password reset and account unlock capability to Windows Server 2019.

Highlight:

• Login agent for Linux: Users can reset passwords and unlock accounts from the login prompt of their Linux machines.

Enhancements:

• Synchronize Active Directory password resets and changes across MS SQL and PostgreSQL accounts in real time.
• Ability to link user accounts for password synchronization using the listed attributes of the provider, other than the default sAMAccountName.
• Option to synchronize account unlocks between cloud-based and on-premises accounts irrespective of the lockout status of the users' Active Directory account.

Issues fixed:

• Issue in displaying more than 500,000 of the generated Notification Delivery audits for Soon-To-Expire Password Users is fixed.
• Issue which randomly displayed 'Sorry, the page you requested is not found' when users attempt to log in to the self-service portal using any browser for the first time.

Feature:

• Ability to enforce custom user disclaimers: ADSelfService Plus now allows you to display custom disclaimers that users must accept before they can access the self-service portal.

Enhancement:

• Password sync agent now supports TLS version 1.1 and 1.2.

Features:

• SAML-based single sign-on (SSO) via Line Works: ADSelfService Plus supports SSO through Line Works, which acts both as identity and service provider.
• Support for multi-factor authentication (MFA) via Line Works: ADSelfService Plus now supports MFA via Line Works, in addition to One Login and Okta, for user authentication during self-service password reset and account unlock.

Issues fixed:

• Issue that caused an SSRF vulnerability (CVE-2019-3905) is fixed.
• Issue in configuring OpenLDAP with Common Name (CN) is fixed.

Issues fixed:

• Issue of product crashing when the configured GINA Frame Text exceeds the character limit during translation.
• Issue which permitted users to close the password reset/account unlock window of the Windows logon agent (CVE-2018-20484).
• XSS vulnerability in the employee search, and the self-update layout (CVE-2018-20485).
• Issue in translating certain fields in the self-update layout of the end-user portal, from English to the selected language in the personalization section.
• Issue which failed to display the mobile number format for the users in the User Registration section during enrollment.
• Issue which failed to update the authentication settings for the configured mail server in the password expiration notifier free tool.
• Issue in NTLM SSO if the configured service account contains special characters.
• Issue in displaying the strength of the password entered in the reset, and change password pages.
• Issue in auto-generating passwords due to inconsistencies in the enforced password policy.
• Issue in modifying the font size of the Chinese characters in the Logon Page Customizer.
• Issue that truncates the email content sent to authenticate users' identity during two-factor authentication.
• Issue in importing enrollment data from MS SQL databases that have NTLMv2 session security enforced.
• Issue which slowed down the generation of Non-Enrolled Users Report.
• Issue which caused SAML-logout failure.

Enhancements:

The mobile app deployment feature gets a makeover with the new flat user interface and a few enhancements.

• Trial mode: Test drive this feature by deploying the ADSelfService Plus iOS app for ten users’ mobile devices, with minimal configurations.
• Automated CSR signing from ManageEngine while configuring APNs.
• Schedulers to automate iOS app installation status.

Issues fixed:

• An XML External Entity vulnerability (CVE-2018-20664) that occurs while uploading product license is fixed.
• Removed the dependancy on OpenSSL as a vulnerability fix.
• Issue in domain data sync which failed to update deleted domain objects in ADSelfService Plus.
• Issue in accessing ADSelfService Plus' portal through the older version of GINA/CP logon agent.

Enhancements:

• JRE bundled with ADSelfService Plus is updated to version 1.8.0.162.
• Apache Tomcat server bundled with ADSelfService Plus is updated to version 8.5.32.
• PostgreSQL server bundled with ADSelfService Plus is updated to version 9.4.14.

Issue Fix:

• Fixed a script issue in force enrollment logon prompt.

Enhancement:

• The AD Sync scheduler now uses DirSync Control to synchronize only the objects that were modified since the last synchronization.

Enhancement:

• Access to Password Expiration Notifier free tool for ADSelfService Plus users with technician role.
• Rebrand the self-service password reset/account unlock window of the Windows logon agent by adding your company image as browser title.

Issues fixed:

• Issue in sending SMS notifications with non-English characters due to SMS encoding.
• Issue during backup and restoration of database due to character encoding.
• Issue in selecting OUs if the selected OUs count exceed 100.
• Issue in changing password if the sAMAccountName contains space.
• Issue in changing password if the domain expects a down-level logon name instead of the entered sAMAccountName.
• Issue in changing password in the mobile browser, when the password strength analyser is disabled.
• Issue in synchronizing passwords with Office 365 when the new password contains a single quote (’).
• Issue during password synchronization which displayed multiple records for a single password reset action in the Reset Password Audit report.
• Issue which updates an invalid character in Active Directory for the entered '&' character in the My Info tab.
• Issue which failed to display user profile photo in My Info tab after it is updated in Active Directory.
• Issue in displaying the enforced password policy rules in the native Windows interface (Ctrl+Alt+Del) for non-English OSs.
• Issue in enforcing the custom password policies when the selected dictionary file contains a back slash (\) or a double quote (").
• Issue in deploying the Mac logon agent if the password of service account used contains a dollar symbol ($) or a forward slash (/).
• Issue which failed to display the password-reveal icon in the native Windows interface when the GINA/CP logon agent is installed.
• Issue which failed to list all the appropriate machines in the New Installation tab and the Installed Machines tab of the GINA/Mac Installation section.
• Issue which failed to display an error message when a user, who doesn't have administrative privileges, attempts to install GINA/CP logon agent.
• Issue which caused the login page of ADSelfService Plus to load indefinitely in Chromebook when NTLM Authentication is enabled.
• Issue in accessing  certain datatype (VARCHAR2) columns while fetching enrollment data from an Oracle database connection for Quick Enrollment.
• Issue in Auto Enrollment if the imported enrollment data is encoded in UTF-8 format.
• Issue in sending the scheduled reports in HTML format to the managers.
• Issue which sent old audit data to ADSelfService Plus when there is an interruption in password sync agent service.
• Issue which failed to display the installed password sync agent status in the Windows Control Panel.
• Issue which displayed only ten of the available MS SQL server instances in the changeDB window.
• Issue which shows duplicate values of mobile and mail attributes for certain users in the Enrolled Users report.
• Issue which slowed down the generation of disabled users list during license management.

Feature:

• Access to Password Expiration Notifier free tool for ADSelfService Plus users with technician role.
• Rebrand the self-service password reset/account unlock window of the Windows logon agent by adding your company image as browser title.

Issue fixed:

• An XSS vulnerability has been fixed.

Highlights:

• SAP NetWeaver password synchronization: Synchronize AD password changes with SAP NetWeaver in real-time.
• Active Directory Federation Services (ADFS) support for logon SSO and multi-factor authentication: Now you can use ADFS to authenticate users when they attempt self-password reset and account unlock and during ADSelfService Plus single sign-on.
• One-click logout: Improve security by turning every SAML-based application connected to ADSelfService Plus into a point of logout. When users initiate a logout from the identity provider, the user is also logged out from ADSelfService Plus, and vice versa.
• ADSelfService Plus now supports the Finnish language.

Issue fixed:

• Issue in Windows logon agent (GINA/Credential Provider extension) which failed to display the password policy enforcement rules in the Ctrl+Alt+Del screen of Windows 10, version 1803 has been fixed.

Enhancements:

• Customizable verification code length: Specify the length of verification codes to be sent to users via email and SMS from the web console.
• Ability to install GINA/CP logon agent using DNS hostname: The GINA/CP logon agent can now be installed on machines using the DNS hostname in addition to the sAMAccountName.

Issues fixed:

• Issue in adding service account in domain settings when the password exceeds 100 characters.
• Issue in sending bulk emails due to minimum authentication count set in the SMTP server.
• Issue which listed machines with incomplete client software updates along with the error occurred machines.
• Issue which failed to display the title image of ADSelfService Plus when accessed via mobiles.
• Issue in changing the product logo size.
• Issue which displayed the newly imported questions from CSV as admin-defined questions instead of listing it with the user-defined questions.
• Issue which truncates SMS messages with the '&' character.
• Issue in using custom attributes with boolean datatype in the self-update layout.
• Issue in sending test SMS from the ADSelfService Plus licensed Clickatell provider.
• ADSelfService Plus now utilizes TLS 1.1 and TLS 1.2 for improved security.
• Issue in configuring OpenLDAP for password synchronization when the domain name contains space.
• Issue which accepted invalid certificates in the Mac logon agent.
• Issue in providing appropriate permissions to technicians for fetching enrollment data from the MS SQL database.
• Issue in generating reports when the MS SQL database name starts with a number.
• Issue in loading the login page when Safari browser attempts to access ADSelfService Plus using an NTLM account.
• Issue in configuring header and footer content in the authentication pages of RSA SecurID, RADIUS Authentication, and Duo Security.
• Issue in password synchronization between multiple domains when users change their password for the first time.
• Issue which denied password reset for a user if an admin had deleted another user with the same display name in Active Directory.
• Issue in password synchronization with Salesforce.
• Issue which prompted users to change their passwords when they attempt to access ADSelfService Plus using SAML-based authentication if their password is set to never expire.

Enhancement:

• ADSelfService Plus now supports Hebrew language.

Enhancement:

• The Password Expiration Notifier free tool gets a makeover with a new flat user interface that makes configuring password expiration notifications easier than ever.

Issues fixed:

• Issue in expanding parent OUs to select child OUs in the GINA/Mac logon agent installation page.
• Issue in disabling product and event notification in Server Settings.
• Issue in deleting unowned licenses from the Restrict Users option.

Features:

• SAML-based multi-factor authentication (MFA): For self password reset and account unlock, users can now be authenticated using SAML-based identity providers such as OneLogin and Okta.
• SAML-based SSO to access ADSelfService Plus: Allow users to authenticate themselves through SAML-based identity providers for one click access to ADSelfService Plus.

Enhancements:

• SSO support for Blackboard: ADSelfService Plus now supports SAML-based SSO for Blackboard.
• A new option to notify ADSelfService Plus users about new features, ManageEngine events, and more.

Issues fixed:

• Issue in self password reset when the minimum password age is set.

Highlights:

• Two-factor authentication for Windows login: Improve security by enforcing two-factor authentication for local interactive and remote desktop logons to Windows clients and servers.
• ServiceNow password synchronization: Now synchronize users' Active Directory passwords with their ServiceNow accounts in real-time.

Issues fixed:

• Security issue in which the HttpOnly flag was missing from the adscsrf cookie has been fixed.

Enhancement:

• Clone existing policies: Option to copy the existing policy configuration settings and create multiple policies from it.

Enhancements:

• The Change Password Audit report has been enhanced to include information on the forced password changes when users login.
• Option to set a link expiry time in the secure identity verification link, using the %linkExpireTime% macro.
• Logs can now be forwarded in Rawlog and CEF formats  to any SIEM solution or a   syslog server.
• Employee search's scope can be limited to that forest in which the user performing the search resides.
• British English has been added to the list of languages with which you can personalise ADSelfService Plus.

Issues fixed:

• Issue in displaying the Soon-to-Expire Password User report on the next login after a session expiry.
• Issue in logon client (GINA/ Credential Provider agent) installation if the password of the service account used to fetch the domain data contains a backslash (\).
• Issue in generating valid SAML metadata for single sign-on configuration while using default ports.
• Broken authentication vulnerabilities which can lead to unauthorized access of the product resources.

Enhancements:

• Users can now be restricted from having multiple active sessions in ADSelfService Plus concurrently.
• Option to automatically send Soon-to-Expire Account Users and Account Expired Users reports to users’ managers using reports scheduler.
• Now you can define multiple mobile number formats and allow users to enter their mobile number in any of the pre-defined formats during enrollment.
• jQuery bundled with ADSelfService Plus has been upgraded from 1.8.1 to 1.12.2.
• NTLMv2 jar bundled with ADSelfService Plus has been upgraded from 1.1.19 to 1.2.2.

Issues fixed:

• Vulnerability issue in the Windows logon (GINA/CP) client.
• Issue in GINA/CP installer which prevented the deployment of login agents in the latest macOS.
• Vulnerability issue which could lead to attackers exploiting unused HTTP methods in the product has been fixed.
• XSS issue in enrollment.
• Issue in loading the change password page for users with “User must change password at next logon” option enabled.
• Issue in synchronizing password changes with Oracle DB.
• Issue in configuring SonicWall Global and NetExtender VPN clients.
• Issue in migrating from PostgreSQL to MS SQL in Free Edition.
• Issue in approval workflow which failed to update the requests’ “assigned to” status in ADSelfService Plus.

Enhancement:

• High availability support: Ensure users have uninterrupted access to self-service password management, single sign-on, and other self-service features by enabling high availability.

Issues fixed:

• Unrestricted file upload issue which could lead to XSS and server-side command execution vulnerabilities has been fixed.
• SSRF vulnerability issue which led to NTLM hash disclosure has been fixed.
• Reflected cross site scripting vulnerability has been fixed.
• Issue in the quick search option available in the graphical reports under the dashboard.

Enhancement:

• Enhanced policy filtration through additional user's attribute filter: You can now configure ADSelfService Plus policies with enhanced user filtration process. In addition to OUs/Groups, users can now be filtered by using specific attributes for better usage restriction and license consumption.

Issues fixed:

• Improper authentication during SAML single sign-on that gives way to man in the middle attack by inserting fraudulent user identification has now been fixed.

Highlights:

• Smart Card Authentication: The use of smart cards/ PKI/ certificates has been enabled as additional options for ADSelfService Plus login.

Highlights:

• Custom SAML Applications: Any application that supports SAML 2.0 protocol for authentication can now be integrated for SSO.
• Custom VPN Providers: Updating of cached credentials through any VPN providers that allow command line arguments to establish VPN connections is now supported.

Enhancements:

• SAML SSO support for Shufflrr and ADP.
• Option to exclude TFA for service provider(SP) initiated SAML SSO.
• Each of the SSO applications can now support multiple configurations.
• Cached credentials can now be updated using SonicWall, SonicWall Global, and Checkpoint VPN clients.
• Access to self-service portal can now be restricted to specific IP ranges via AD360 console.

Enhancement:

• License for unlimited users: You can now purchase a license for ADSelfService Plus that supports an unlimited number of domain users.

Issues fixed:

• Issue in importing CSV files that contain more than 15,000 users.
• Vulnerability issues have been fixed.
• SMPP protocol for SMS server configuration now supports empty System ID too.
• Issue in configuring SAML SSO for Canvas LMS by Instructure app.
• Issue in generating CSR for wildcard certificates.
• Issue in password sync agent while synchronizing passwords between two Active Directory domains.
• Issue in properly displaying non-English characters and UI issue in user login page.

Highlights:

• SSO support for three new apps: Cybozu Office, Garoon, and Mailwise.
• Two-factor authentication with SAML can now be enforced for service provider(SP) initiated login as well.

Issue fixed:

• Issue on the user login page while accessing ADSelfService Plus from favorites bar in IE11.

Enhancement:

• Bulk disenroll users: Select multiple users from the Enrolled Users report or import users from a CSV file to disenroll them in bulk.

Issues fixed:

• Oracle EBS password sync driver has been updated to the latest version.
• Issue in using Google Authenticator while performing password self-service from the Android mobile app.
• Issue in enrolling more than 10,000 users at once from external databases.
• Issue which failed to refresh the CAPTCHA image when using a load balancer.
• UI issue in "Choose mail/mobile recipient" page.
• Vulnerability issue in Windows login client.

Issues fixed:

• Issue in cached credentials update when using Windows native VPN client.
• When password reset secure link is opened in a mobile web browser, it redirects the user to the login page of ADSelfService Plus instead of the password reset page. This issue appeared when ADSelfService Plus is integrated with AD360 and has now been fixed.
• Oracle Database for importing enrollment data can now be configured using service name as the connection type.
• Vulnerability issue in the Windows login client.
• Issue in check-box option during self-update.
• Issue in logging in to the self-service portal using mail attribute when its value is the same as that of UserPrincipalName.
• Change password issue when User must change password at next logon option is enabled in AD.
• Issue which displayed incorrect message during SMS verification.

Highlights:

• Four new authentication methods: Biometric, QR code, time-based one-time passcode, and push notification can be used for identity verification during password self-service; all four methods come built-in with the ADSelfService Plus mobile app.
• Support for Duo Security, RSA SecurID, and RADIUS authentication methods in mobile app.
• SSO support for three new apps: Bamboo, Bonusly, and Cybozu.

Enhancement:

• Now set different limits for self-reset password and unlock account actions in advanced policy configuration.
• Support for inetOrgPerson objects in addition to user objects for AD LDS password synchronization.

Issues fixed:

• Issue in updating the OUs' names even after manually running a refresh of domain objects in ADSelfService Plus.
• Enrolling users via CSV import has been optimized.
• Issue in viewing Organization Chart when it is opened in Internet Explorer compatibility mode.
• Issue in navigating through the reports.
• Issue in sending SMS messages through custom SMPP protocol.

Highlight:

• SSO for 90+ cloud apps: Now provide users with one-click access to 16 more cloud apps such as Office 365, SugarCRM, LiveChat, Cisco Meraki, in addition to the already supported 80 apps.

Issues fixed:

• Vulnerability issue when using Google Authenticator.
• Issue where the login client software is not copied to the target machine during manual installation from the ADSelfService Plus admin portal.
• Issue where users were not able to close the enrollment pop up when the force enrollment logon script is pushed via GPO.
• Enrollment issue which forced enrolled users to enroll again when they log in to the self-service portal.

Highlight:

• Employee Search feature is now supported in the ADSelfService Plus mobile web app.

Enhancement:

• Now you can sort the Employee Search results based on attributes.

Issues fixed:

• Issue in sending enrollment notification to domains that contain a large number of non-enrolled users.
• Brazilian Portuguese language issues have been fixed.
• XSS vulnerability issue while updating manager field using self-directory update.
• Issue in accessing the HTA login script when TLS 1.2 is strictly forced.
• Issue in AD LDS password synchronization.

Enhancement:

• You can now use the custom attributes as macros and in password synchronization for linking Active Directory accounts with other applications.
• 'DateTime' data type has been added for creating custom attributes.
• Option to send all notifications to the secondary email addresses of users.
• Now you can customize the license expiration notification settings to suit your requirement.
• PGSQL database that comes built-in with the product has been updated to 9.2.4 version.
• Self-service (password reset, account unlock, and change password) notifications are now supported for non-AD accounts including IBM iSeries, HP UX, Office 365, G Suite, and Salesforce.
• Performance improvements.

Issues fixed:

• Issue which failed to partially hide the email address during the secure link identity verification process for password reset and account unlock.
• Some security issues have been fixed.
• [For builds 5400 and later] Issue in enforcing the product to use a particular TLS protocol. 

Features:

• ADSelfService Plus can now be integrated with SIEM solutions that support syslog such as Splunk to forward audit logs and gain advanced intelligence on user activities.

Enhancement:

• Compliance with Vasco authentication server for RADIUS multi-factor authentication.

Issues fixed:

• Issue which caused database migration to slow down.
• Issue which caused the product startup to fail while importing enrollment data from Oracle database.
• Issue which prevents deleting unowned licensed users.
• Issue in sending soon-to-expire password notifications.

Highlight:

• Single Sign-On for 80 cloud applications: Now provide users with one-click access to over 80 cloud applications.

Enhancement:

• Option to configure display name of applications configured for password synchronization.

Issues fixed:

• Issue which restricted Free Edition users from configuring multiple AD domains after the end of trial period.
• Issue in approval workflow which failed to reflect the status of self-service requests in self-service portal.

Features:

• Supports customization of texts in the mobile app’s home page.

Issues fixed:

• GINA installation issue when there is a newline character in frame text.
• Issue which obscured the remaining Clickatell SMS count from being viewed in the license details page.
• Issue which prevented users from accessing the Audio CAPTCHA button using the keyboard.
• Issue in editing the Manager field while configuring self-update layout.
• Issue which prevented password expiration notifications from being sent to members of domain users group.
• Issue in self-service password reset operation when a domain controller configured in Site-based DC is removed from the Domain Settings configuration.
• Unknown errors which caused the product to crash during self-service operations.
• Issue in proxy server configuration which displayed a blank page after a successful self-service operation
• Issue in installing the Password Sync Agent on FIPS compliance enabled domain controllers.
• Issue which displayed incorrect password reset status displayed for Office 365.
• Issue in installing GINA client when VPN parameters contain special characters.
• Issue in CSR generation while configuring SSL certificate.
• Issue in AD synchronizer scheduler which fails to import domain users from Active Directory.
• Server settings will be configurable when the app is opened for the first time after installation even though admin has disabled it in the product.

Enhancements:

• Enforce password history checks for password reset operations using password policy enforcer.
• Restrict users during license management based on their smart card status (enabled/disabled).
• Set up scheduler to automatically reinstate revoked licenses of users when specific conditions, such as user account is enabled, user account becomes active, and smart card is enabled, are met.
• Now send attachments along with password expiration notifications.
• Enroll users in bulk for Duo Security authentication by importing data from CSV files and external databases.
• Enable product downtime notifications to instantly get alerts whenever the product stops running.

Issues fixed:

• Issue in saving Access URL has been fixed.

Enhancements:

• Apache Tomcat server used in the product is now updated to version 8.0.
• Added an option to show/hide the “Reset Password/Unlock Account” tile from the Windows login screen.

Features:

• Windows Server 2016 support: Adds self-service password reset and account unlock support for Active Directory users in Windows Server 2016 domain.

Issues fixed:

• Issue in using Cisco AnyConnect VPN for cached credentials update.
• Issue in logon client (GINA/Credential Provider agent) installation caused by configuring 64-bit VPN settings for cached credentials update.
• Issue in updating to the latest build using service pack.
• Issue in starting the product using the desktop shortcut icon.
• Issue in customizing the size of non-English fonts on logon page.

Enhancements:

• Mobile app customization: Now you can completely customize the home screen of the app and disable access to certain features.
• Dictionary rule in password policy enforcer can now be configured to restrict password that is either an exact match of a dictionary word or has dictionary words as its substring.

Issues fixed:

• Issue in configuring OpenLDAP server over SSL.
• Alignment issue in login page when product language is set to Arabic.
• Issue in editing the email verification code message as HTML during multi-factor authentication configuration.

Features:

• Duo Security, RSA SecurID and RADIUS-based authentication support: Self-service password reset and account unlock processes are now more secure than ever thanks to three new authentication methods for verifying users’ identities.
• RADIUS-based authentication support for two-factor authentication during login.
• Support for SMPP-based custom SMS provider.

Issues fixed:

• Issue in installing the login client software in MAC machines.
• Issue in configuring Salesforce for password sync and SSO.
• Issue in sending email verification code for login two-factor authentication when the email body contains HTML code.
• Issue which showed an error message when the change password tab is clicked.
• Issue which triggered verification code emails twice when Internet Explorer 11 is used for the self-password reset process.
• Issue in importing CSV file during auto enrollment when the domain name contains special characters.

Enhancements:

• AD domain-to-domain password sync: Now you can enable password synchronization between two or more Active Directory domains.
• Option to synchronize passwords only after successful password reset in Active Directory.
• Ability to identify the IP addresses of machines used to access the product via proxy server.

Issues fixed:

• XSS vulnerability in self-update manager field.
• Issue which resulted in distorted photos during self-update.
• Issue which associated technicians with wrong time zone.

Enhancements:

• Two-factor authentication for ADSelfService Plus login can now be configured based on OUs and groups. To configure the settings, navigate to Configuration → Policy Configuration → Select Policy → Advanced → Login TFA.
• Option to exclude smart card users from password/account expiration notifications, and soon-to-expire password users and password expired users report.
• Now you can import enrollment data from an external/in-house PostgreSQL database.
• Option to display "Select mobile no./Email address" as the default text in drop down list during verification code step.

Issue fixed:

• Issue in adding and removing domain controllers in Site-based DCs configuration.

Enhancements:

• 64-bit version of VPN clients are now supported for cached credentials update.
• Cisco AnyConnect VPN client is now supported for updating cached credentials.
• The photo attribute can now be set as ‘Read Only’ in self-update layout.

Issue fixed:

• Vulnerability issue in self-password reset and unlock account process.

Enhancements:

• The password policy enforcer feature now ensures strong passwords for your users by:
  • Preventing the use of any dictionary word.
  • Prohibiting the use of five consecutive characters from an old password.
  • Mandating the use of at least one Unicode character.
• You can exempt a password from complying with a custom password policy if it meets a certain character length set by you.
• The password strength analyzer feature now works even without enforcing your custom password policy.

Issues fixed:

• Issue in Windows logon agent (GINA/CP) when GINA/Mac customization scheduler is configured.
• Issue which failed to save OU and group selections during policy configuration.

Enhancements:

• Enhanced Force Enrollment: Now you can configure multiple force enrollment schedulers based on self-service policies.
• Option to exclude disabled users while scheduling soon-to-expire password users and password expired users reports.
• Users can be restricted to select managers from a specific set of OUs or groups during self-update of AD profile information.

Issues fixed:

• Issue in changing the database to MS SQL that is located in another untrusted domain when NTLMv2 is enabled.
• Issue in displaying password policy rules in mobile web browsers during password reset via secure email link.
• Corrected the UI text which showed reset password successful message for Office 365 change password operation.
• Issue in password reset when enforce password history option is enabled.
• Issue in ServiceDesk Plus integration.
• Issue in loading the CAPTCHA image properly when using reverse proxy.
• Protocol can be now be configured during the manual installation of logon (GINA/CP) client software.
• UI issue in multi-factor authentication configuration page when the verification code email message contains double quotes.
• Domain settings issue which prevented a domain containing a large number of users from being deleted.
• Issue in reports which showed the values available in the mail/mobile attributes instead of the attributes configured by the admin.

Enhancements:

• Configuring Mobile Push Management (MPM) is now a child's play. All you have to do is request the PLIST file from ADSelfService Plus support team and follow it up by getting the MDM managed certificate from Apple. For step-by-step instructions, click here.
• The server settings of ADSelfService Plus mobile app can now be remotely configured through MPM.

Features:

• Support for RSA SecurID to protect users logging into ADSelfService Plus through two-factor authentication.

Issue fixed:

• Fixed a vulnerability issue in two-factor authentication.

Features:

• Audio CAPTCHA support for easier accessibility.
• ServiceDesk Plus integration now allows you to automatically create tickets for end user self-service actions in the help desk software.

Enhancements:

• Now acknowledgement notifications can be sent for enrollment, self-update and blocked user events to both end users and administrators.
• License usage details will now be included in the license expiration notification email and when exporting licensed user reports.
• Now you can import enrollment data from CSV files of any encoding type.

Issues fixed:

• Issue in displaying the login agent image (Credential Provider client) after Windows 10 anniversary update.
• Scroll bar issue in the Windows 10 login agent self-service wizard.
• Issue in NTLM SSO which turned the self-service portal into a blank page in Internet Explorer.
• Issue which caused the Enroll Now button to disappear in the force enrollment pop up.
• Issue in editing self-update layout.
• Issue in saving password expiration reminder schedulers.
• Enrollment issue which forced users to enter both their mobile and email details even when they are not made mandatory.
• Issue which caused duplicate entries in reports when they were exported in CSV file format.
• Issue which caused a script error when a user is deleted from the licensed user report.
• Issue in saving Access URL in Internet Explorer.

Enhancements:

• Now get ADSelfService Plus in your language. Fully localized versions are available for:
  • Chinese
  • Dutch
  • French
  • German
  • Italian
  • Japanese
  • Russian

Issues fixed:

• Change password issue which was caused due to a recent Windows update. Refer this forum post for more details.
  

  Pre-requisites for this update:

  • PowerShell 2.0 or higher must be present in the machine in which ADSelfService Plus is installed.
  • Active Directory module for PowerShell must be installed in any one of the domain controllers configured under the domain settings of ADSelfService Plus.

Issues fixed:

• Login issue in Windows 10 when 'Other Users' option is used.
• Windows logon agent (Credential Provider) issue while establishing remote connection to any PC from Windows 10.
• Windows 10 users not being able to change their passwords from Ctrl-Alt-Delete screen, when password policy enforcer feature was enabled.
• Fixed password sync agent which caused issues in DC.
• Issues in manual linking and unlinking of AD accounts from non-AD applications in Internet Explorer.
• Employee search getting blocked in Chrome and Firefox browsers.
• Failed login attempts due to incorrect update of Bad-Pwd-Count attribute.
• Issue with character count while resetting passwords.
• Users being forced to enter their mobile numbers, which is a non-mandatory field, during enrollment.
• Issue in sending scheduled reports to admins when multiple domains are configured.
• Incorrect entries in Unlock Account Audit report.
• Customized logo set in the product not being displayed in exported reports.

Issues fixed:

• Issue in manual linking of Active Directory user accounts with Oracle E-Business suite.
• Issue in synchronizing password with Oracle E-Business suite during password reset.
• Issue with textarea formatting (font color, size, type) while customizing logon page in
  Internet Explorer 11.
• Issues related to duplicate values while updating the drop down box options in self-update layout.
• SMTP error after update.
• GINA issue when VPN is enabled.
• GINA issue which lead to the slow loading of reset page after identity verification.
• Issue in applying service pack when ADSelfServicePlus.exe is used by other processes.
• Issue which prevented domain technician users from logging in when no policy was linked to them.
• Setting response header for help document - security issue.
• Issue with customized GINA reset icon when client software is installed through GPO.
• Issue with sending email notifications in HTML format.
• Issue which allowed users to self-update and view other users’ AD profile information.

Feature:

• Two-factor authentication support (Duo security provider) to secure user login.

Enhancements:

• Account expired notification to keep end users, their managers and administrators updated about expired accounts.
• Ability to restrict active users for license management.
• Ability to restrict admin logon page access to a range of IP addresses.
• Allow users to automatically log in to the ADSelfService Plus mobile app by enabling the 'remember me' option [For ADSelfService Plus iOS mobile app users, this feature will be released after the completion of review process by Apple.]
• Option to hide secondary mail and mobile enrollment.
• Now you can disable access to mobile web app.
• Separate hide options for mobile access and help guide on end-user page.
• Now you can easily associate a self-update layout to a policy from the self-update layout page itself.
• Separate CAPTCHA settings for select verification mode and select recipient pages.
• Now you can use display name in the from address field for email notifications.

Issues fixed:

• Issue with sending email notifications in HTML format.
• Issue in sending expiration reminders when both account expiration and password expiration fall on the same day.
• Issue which displayed Chinese characters as garbage values in the GINA button.
• Issue in installing the GINA client when the password in domain settings contains double quotes.
• Issue with the logon agent installation in the latest Mac OS version El Capitan.
• Issue which prevented Password Sync Agent installation in domain controllers running a non-English version of Windows Server OS.
• Issue which automatically capitalized the first letter of the password while trying to login through Safari mobile browser.
• Issue with the listing of security questions during password reset.
• Issue in mobile web app which failed to show the retry option during self-password reset.
• Enforce password history settings will no longer create temporary passwords containing part of the username.
• Issue which sent unencrypted user password to OpenLDAP server.
• Password expired notification filter issue in notification delivery report.
• Issue which failed to notify administrators about users' change password actions.
• Issue which duplicated security questions in database when the character ' is used while adding the question.
• Issue in showLogin page when NTLM SSO is enabled and NTLMv2 session security is forced.
• Issue with saving automatic reset & unlock scheduler configuration.
• Issue in backing up MySQL database.
• Fixed some vulnerability issues.

Features:

• Single Sign-on support for SaaS applications to simplify identity management.
• Password policy enforcer to enforce and display custom password policies across the web console, GINA/CP (Ctrl+Alt+Del) client, and password sync agent.

Issue fixed:

• Missing 'Don't inherit child OUs' option in OU/Group selection under policy configuration has been restored.

Features:

• Missing 'Don't inherit child OUs' option in OU/Group selection under policy configuration has been restored.

Issues fixed:

• Blank page issue in GINA portal when auto send password via text/email is enabled.
• Blank page issue when the reset password page is accessed directly by entering the URL.
• Issue in automatically unlocking the locked out accounts.
• Issue which failed to display mobile numbers during password reset/account unlock process when the number contains non-numeric characters.
• Issue which disabled force enrollment for the entire domain when force enrollment is disabled for any one self-service policy associated with that domain.
• Issue which prevented the data fetcher for external database from running.
• Issue which displayed incorrect headers and values of user report in dashboard.
• XSS vulnerability issue caused by editing the title field under rebranding settings.
• Missing file content check for title image and product logo under rebranding settings.

Enhancements:

• Users' secondary email address and mobile number can now be used for sending auto-generated password, enrollment notification, and password and account expiration notification.
• Now you can automatically link AD accounts with other providers for password synchronization by mapping custom attributes.
• Ability to personalize the password expired notification content.
• Ability to preview the password expiration notification template.
• Ability to automatically retry the password expiration notification in case of any failures.

Issues fixed:

• Issue which forced users to begin password reset process from scratch when password complexity rules were not met.
• Issue in sending enrollment notification to a group if it has more than 1500 members.
• Issue which caused errors in enrollment report when users’ display name exceeded 255 characters.
• Issue faced in auto-enrollment while importing mobile numbers with special characters ‘-’ and ‘()’.
• Issue faced in auto-enrollment where only the last security question of multiple questions was used to enroll users when importing from a CSV file.
• Issue in updating Manager field in self-update from force enrollment page.
• Issue faced in enrollment when mobile format is specified, where users were forced to enter secondary mobile numbers even when it was not mandated.
• Issue in executing UpdateManager.bat file when the product is installed in a drive other than the default drive.
• Issue faced with displaying dateTime macro in subject field of Scheduled Reports.
• Issue faced while sending password expiration notification that sent incorrect days for expiration when notification has been configured to be sent on specific days.

Feature:

• The password self-service logon agent (Credential Provider extension) has been enhanced to support Windows 10.

Enhancements:

• Enrolled Users report can now be filtered based on enrollment type; also shows secondary email address & mobile number used for verification code.
• Now you can filter the logon agent (GINA/CP extension) reports based on operating system and sort the result.
• Now you can search the Security Questions report based on questions.
• Ability to run a custom script after a self-unlock account action.
• Ability to add request headers in Custom SMS settings.

Issues fixed:

• Issue caused by Password Strengthener when the restricted patterns length exceeds 1000 characters.
• Issue in sending Email & SMS (Custom SMS provider) when SSL is enabled by the SMTP/SMS provider.
• Issue in password expiry notification configuration, which caused notification to be sent on password expiry date without being set.
• Issue in installing the logon agent using the product user interface when scheduler is running in background.
• Issue which crashed the application while restricting service accounts without necessary permission.
• Issue in closing the logon agent (GINA/CP extension) window.
• Issue in inactive users report generation, when multiple DCs are configured for a domain.

Enhancements:

• Now you can set a limit for the number of password resets and account unlocks a user can perform in a given number of days.

Issues fixed:

• Issue in directory self-update when a custom attribute is added to the layout.
• Issue in importing CSV files by technicians who are logged in using ADSelfService Plus authentication.
• Issue which prevented users from changing their passwords using ADSelfService Plus mobile site when ‘Users must change password at next logon' option is enabled in Active Directory.
• Issue which failed to show the success message for Google Apps password reset and change passwords.
• License expiry notification sent 2 days before expiration has been removed.

Enhancements:

• Business Logic for Self-Update: You can now configure your organization’s business logic for self-update to auto-populate attribute values based on user input.
• ​Option to overwrite enrollment data while automatically fetching data from external data sources.
• Password Sync Agent can now invoke a post action custom script.

Issues fixed:

• Slowness issue in password reset, account unlock and change password when password sync for Google Apps.
• Issue in automatically linking AD and Salesforce accounts for password sync.
• Issue in "Access admin login from" when DNS name of the server is not resolved.
• Issue which appeared when custom script contains special characters.

Issues fixed:

• Issue in accessing the self service portal through GINA due to a script error.
• XSS vulnerabilities have been fixed for improved security.
• Issue in enrolling users from external database when the total number of users exceed a certain limit.
• Issue in license management while accessing unowned licenses.
• SSO issue which prevented Mac users from accessing the self service portal.
• Issue in editing the self update layout through Internet Explorer.
• Issue which prevented technician users from viewing the self service policies associated with password sync.

Feature:

• Now update local cached password when remote users reset their passwords in Active Directory through the GINA/CP client.

Enhancements:

• Mobile Push Notification support for enrollment and password expiry notifications.
• Now automatically enroll users by creating a scheduler for importing enrollment data from a CSV file from any shared location.
• Added an option to choose the security settings (none, SSL, TLS) during custom SMS provider configuration.
• Admins can now enable forced enrollment for specific users by manually configuring the built-in logon script file.

Issues fixed:

• Issue in self-updating mobile number using Internet Explorer.
• Issue which allowed users to edit the read-only fields during self-update.
• Issue which prevented users from updating the country field during self-update.
• Issue in updating the product when another process running on a virtual IP is using the same port number.
• Issue which consumed 100% CPU when account expiry scheduler with “on specific days” is enabled.
• Issue in enrolling with Google Authenticator when ENTER key is pressed.
• Issue which failed to display the logo in mobile apps.

Enhancement:

• Option to set the keystore password, which will be encrypted for heightened security, directly using the product UI.

Issues fixed:

• Issue in automatically enrolling users using external data source when ‘Overwrite enrollment data’ option is enabled.
• Issue in syncing Oracle Database and Office 365 passwords when the password contains special characters.
• Issue which caused the loss of enrollment data while editing security questions.
• Issue which launched the Choose Manager pop-up in a new tab.
• Issue in external data source fetcher when the query contains XSS character.
• Issue in sending SMS when the message contains blank space.
• Issue in navigating through the OUs in tree view under the Reports tab when the OU name contains special characters.
• Issue which failed to save OUs with special characters while configuring password expiry notification schedulers.
• Issue which failed to load the custom logo in mobile app.
• Issue in saving advanced policy configuration when the username macro is used in the automation tab.
• Organization Chart issue which showed extra columns in the result.
• Script error in GINA login page when login option is enabled.
• Issue which failed to accept the keystore password while importing SSL certificates.

Features:

• Help desk assisted self-password reset and account unlock using Active Directory attributes as security questions to verify user identity.

Enhancement:

• Updates Java Runtime Environment package to version 7.
• Supports TLS 1.2 for heightened security.
• Admins can now receive real-time notifications as and when end-users perform reset password/account unlock.
• Ability to copy an existing self-update layout and create a new one from it.
• Supports multiple mobile number formats; you can also force users to comply with the specified formats during self-update.
• Supports cross-database migration; easily migrate all the product data from your existing database to another (except to MySQL).

Issues fixed:

• Fixed an issue caused by the deprecation of Google Apps provisioning API. We have now migrated to the Google's new Directory API.
• Issue which prevented users assigned as ‘technicians’ from changing their passwords.
• Issue which prevented users from selecting recipient mobile number to receive verification codes.
• Issue in generating reports after restoring the database from a backup.
• Issue in Notification Delivery Report which displayed duplicate user records.
• Issue which sent multiple license expiry notification emails.
• Issue which failed to update the Dashboard when a user is logged in as a technician.
• Issue which showed the ‘My Info’ tab instead of the default tab after uploading photo.
• Issue which prevented default admin from viewing the enrollment notification schedulers created by technicians.
• Fixed an issue which caused users assigned as ‘technicians’ to be logged in as domain users.
• Issue which failed to apply the force enrollment script to users who are newly added to a group with self-service policy applied to it.
• Issue in self-update which allowed end-users to edit the ‘read-only’ fields.
• Issue in self-update which displayed an empty page when users edit the sAMAccountName field.
• Issue in embedding cross domain employee search in Internet Explorer.
• Issue in integrating other ManageEngine products in ADSelfService Plus (applies to customers who have updated their old builds using service pack).
• Issue in changing the mobile browser title.
• Issue which prevented the ACCESS URL from being used during GINA installation and customization.
• Proxy settings is now enabled for HTTPS connections too.
• The following security issue have been fixed: CSRF, Cross Frame Scripting (XSF)/Click Jacking, Weak Cache Policy/Server Cache Policy, MIME-SNIFFING, Cross Origin Resource Sharing (CORS), Browser Autocomplete Issue  HttpOnly and Secure Flag, Directory Listing, SHA1WithRSA for CSR creation, jQuery migrated to new version to avoid Vulnerability, Session Fixation, HTTP Methods Blocking.

Issues fixed:

• Issue which prevented migration from 5203 to 5204/5205 build when MS SQL database is in use.
• Issue which displayed sAMAccountName instead of displayName while choosing the Manager in self-update.

Enhancements:

• Now easily integrate custom SMS gateway providers using the product GUI.
• Notification emails to alert you when licensed user count reaches its maximum limit.
• Notification emails to alert you about license and AMS expiry.

Issues fixed:

• Issue in change password when it is done by a service account user with only change password permission.
• Reset Password issue which displays the error ‘Problem in Change Password’ when enforce password history settings is enabled.
• Issue in accessing password reset wizard from the login screen when multibyte characters are used in the GINA/CP button.
• Issue in AD LDS and OpenLDAP configurations for customers migrating from old builds.
• Password Sync Agent installation issue in non-English OS has been fixed.
• Password Sync Agent issue which failed to sync passwords of users whose username contains more than 16 characters.
• Issue in password sync agent audit log which stored the application IP address instead of the domain controller IP address has been fixed.
• Issue which doesn’t prompt users to enter their alternate email address for receiving verification code.
• Issue in configuring ‘Connection Security (SSL/TLS)’ under Mail Settings
• Issue in saving mail server settings when the from address or admin mail address contains a top level domain name with more than 4 characters.
• Issue in taking manual backup using backupdb.bat.
• Issue which prevented any of the multi-factor authentication option from being set as mandatory.
• Issue in setting a default tab under ‘Tab Customization’.
• Issue in accessing cross domain organization charts when logged in as a domain user.
• Disabled the "Interactive Services Detection" message pop-up which appears when ADSelfService Plus is configured to run as a service.
• http://server:port/showLogin.cc?domainName=%domainName% - Now you can use Domain Flat Name or Domain DNS Name for the %domainName% macro.
• Fixed slowness issues in product and report generation.

Feature:

• Send real-time Email and/or SMS notifications to end-users as and when their Active Directory passwords are changed or reset natively in Windows.

Enhancement:

• Reset Password and Change Password audit reports have been enhanced to include native password changes (Ctrl+Alt+Del screen) and password resets (ADUC console)

Feature:

• OpenLDAP and AD LDS based directories are now supported for self-service password management and password synchronization.

Issues fixed:

• Issue in employee search which fails to show the result when search filters are used.
• Issue which failed to display enrollment prompt to dis-enrolled users when they log in to the self-service portal
• Issue in password reset which showed 'specified network password is incorrect' even after successful reset when password history settings is enforced

Features & Enhancement:

• Now you have the option to enable CAPTCHA on the login page after a certain number of failed login attempts.

Issues fixed:

• Issue which prevented service account users from self-updating attributes even when they have sufficient rights.
• Issue which added new users to the restricted users list because of no last logon time.
• Issue which affected the dashboard UI when AD blocker is enabled on the browser.
• Fixed an issue in password sync agent by excluding password capture from a new computer joined to the domain.
• Issue which prevented the addition of Technician operation role when there is a large number of restricted users.
• Fixed a bug that showed incorrect error message to users, whose accounts are locked out, when they try to log in to ADSelfService Plus

Features:

• Introducing Password Sync Agent: Now synchronize native password changes (password change through Ctrl+Alt+Del screen and password reset through ADUC) in Windows Active Directory with the users’ associated IT systems and applications in real-time.

Features:

• Multiple Login Options: Users can log in to the self-service portal with any AD attribute with unique value such as mail and telephoneNumber.
• Now verify users’ identity by sending them an email containing a secure password reset/account unlock link.
• Ability to restrict service accounts using license management to free up license count.

Issues fixed:

• Issue in self-update which displays incorrect value in the manager field.
• Issue in automated password reset.

Issues fixed:

• Issue which disrupts GINA UI when caps lock is pressed while entering the password.
• SSO issue in Chrome browser.
• Issue in password expiry notification when it is configured for a group with a large distinguishedName.
• Issue in password expiry notification delivery report which failed to show the delivery status properly.
• Issue which ignores the default system language and displays the product only in English.
• Issue in reports when they are generated for OUs containing special characters.
• Issue in showing the status message during unlock account process when retry option is enabled.
• Issue in linking accounts for password synchronization.
• Issue in synchronizing passwords when force synchronization is enabled.

Issues fixed:

• Issue in sending password expiry notifications on specific days.
• Issue in sending password expiry notification to unlimited users in Free Edition.
• Issue in syncing Office 365 passwords when you are using an older version of Microsoft online services module.
• Issue which syncs password with Active Directory even though the user's AD account is not selected during password reset or change.
• Issue which displays incorrect user count in the security questions and answers report.
• Issue which shows incorrect count in user reports under Dashboard.
• Issue in notification delivery report where incorrect status is shown for enrollment notifications sent to users.
• Issue which shows incorrect status message during self-unlock account if a domain is configured using insufficient permissions.

Known Issues:

These issues will be fixed in our upcoming release.

• GINA issue: In Windows Server 2003 and XP machines the GINA icon and its frame text will disappear when Caps Lock is pressed while entering passwords.
• Translation issue: Some of the new features will have texts only in English.

Enhancements:

• Option for users to choose the language of their choice from the log in page itself.
• OUs selected during report generation will now be preserved and reused for reports displayed on the dashboard.

Issues fixed:

• Issue in GINA/Credential Provider which failed to start the password reset/unlock account wizard from the logon screen.
• Issue which prevented product administrators from editing Domain settings and generating Enrolled users report.

Enhancements:

• Crop Photo option – Users now have the ability to crop their photos before self-updating them in Active Directory.
• New macros added – dateTime and reportName; can be used in the subject of notification emails.

Issues fixed:

• Issue that displayed incorrect password policy message when maximum password age is set to never expire has been fixed.

Issues fixed:

• Issue that causes pages to be displayed incorrectly when the browser's default language is not supported by the product.
• Issue that requires the users enrolled with mandatory questions to enroll again.

Issues fixed:

• Some issues that appeared when Japanese is selected as the default language. The issues that have been fixed are:
  • Issue that displays a blank pop up window when the “Automatic Reset and Unlock” feature is accessed from the dashboard.
  • Issue in deleting licensed users.
  • Issue in displaying the force enrollment message.

Enhancements:

• Google Authenticator is now supported by the Android and iPhone apps as one of the multi-factor authentication options.

Issues fixed:

• Issue in self password reset when the user name contains apostrophe.
• Issue which prevents users from logging in to ADSelfService Plus when they have comma in their distinguished name and have the "change password at next logon" flag set.
• Issue that displayed the system error message to end-users during change password.

Issues fixed:

• Issue in customizing the logon page.
• Issue in Self Directory Update that forced users to fill non-mandatory, but number-only fields.
• Issue in sending test emails when SMTP authentication is used.
• Issue that forced users to enroll for verification code when mobile number format setting is enabled.
• Issue that refreshed the CAPTCHA code whenever the ENTER key is pressed during reset password/unlock account operations.
• Issue that runs GINA/Mac Customization Scheduler repeatedly ever after successful customization.
• Issue in displaying email/mobile number fields during reset password/unlock account when the respective data have been deleted in Active Directory.
• Login page issue for users who have "user must change password at next logon" setting enabled for them.

Feature:

• ADSelfService Plus integration with ADManager Plus now enables you to take control of users’ self-service actions with the new Self-Service Approval Workflow feature.

Enhancements:

• Password Expired users can now change their passwords when they log in to ADSelfService Plus.
• Mobile App now has a 'Desktop Site' option; allows users to switch to the desktop version of ADSelfService Plus.

Issues fixed:

• Issue in customizing the logon page.

Enhancements:

• Zendesk and Microsoft Dynamics CRM are now supported for self-service password management and synchronization.
• ServiceDesk Plus is now integrated with ADSelfService Plus; allows admins and end-users to quickly access the help desk software.
• I18n support for mobile apps; all the 17 languages supported by the web console are now supported by the mobile apps.
• Now easily deploy the Mac login agents from the web console itself.

Issues fixed:

• Issue in linking Office 365 sub domain accounts by end-users for password sync
• Issue in closing the ‘Edit Questions’ dialog box

Enhancements:

• Default admins can now view report schedulers and all its information created by users associated with the ‘Technician’ role.
• OUs selected during report generation will now be preserved and re-used while generating reports in the future.

Issues fixed:

• Issue with force enrollment.
• Issue that displayed the list of restricted users from default domain to all the technicians regardless of the domain they belong to.
• Blank screen issue when unlock account page is refreshed.
• Issue that throws a ‘page not found’ error when username exceeds 100 characters during reset password/unlock account process.

Enhancements:

• Google Authenticator is now supported as part of our multi-factor authentication set up to further secure reset password/unlock account process.
• Facility to make any or all of the multi-factor authenticator techniques mandatory.
• Option that allows admins to rearrange the order of identity verification steps during reset password/unlock account process.

Issues fixed:

• An issue that displays force enrollment notification to non-policy users when a custom logon script is used.
• Issue in selecting security questions during enrollment when users change their choice of questions.

Issues fixed:

• Issue in adding domains to the product when their names start with numeric value.
• Issue with ADSelfService Plus Credential Provider when accessed from the UAC prompt.
• Issue that allowed users to log in using invalid passwords if guest login is enabled on the machine running ADSelfService Plus.
• Issue in enrolling with security answers through Android app.
• Issue in applying the default admin time zone settings to technicians.
• Issue in enrolling with security answers that are longer than 100 characters.
• Issue in reports page and in accessing help from the end-users portal when context path is set.

Enhancements:

• You can now export the restricted users list in a desired file format
• Now completely exclude restricted users from showing up anywhere in the product

Issues fixed:

• Issue in automatic password reset
• Issue in accessing native mobile apps and mobile webapp
• Issue in displaying verification code enrollment information when email option alone is enabled
• Issue with displaying header logo in scheduled reports when HTML is selected as the storage format

Enhancements:

• Alternate Email IDs and Mobile numbers of users stored in any AD attribute can now be used for sending verification codes.
• Admins can auto-enroll users by importing their Email IDs and/or Mobile Numbers from a CSV file or external database.

Enhancement:

• Now you can select the protocol (HTTP/HTTPS) to be used for Mac login agent during installation itself

Issues fixed:

• Issue in generating user reports when the database (PostgreSQL) server is installed in another machine
• Issue that force users to go back or sign out when they login using Single Sign-On
• Issue in saving ‘Automatic Reset Password’ settings
• Issue in accessing the help guide when context path is added
• Issue in translating the label ‘Description’ when reports are exported

Features:

• Login Agent for Mac OS X to allow AD domain users to reset passwords and unlock accounts right from the OS X login screen itself.
• Group-based configuration of self-service policies, enrollment settings and password synchronizer for fine-grained management.
• Now self-service policies will take effect based on their priorities as set by the admin.

Issues fixed:

• Issue in saving report schedulers.
• Issue in performing quick search in reports.
• Issue in showing the status of change password actions when enrollment is disabled.

Enhancements:

• Added an option to email generated reports

Issues fixed:

• Issue with updating profile details when the update button is clicked more than once
• Issue with updating the Advanced Policy Configuration settings from Security Center

Enhancements:

• Password Expiry Notifier is now part of our FREE Edition; allows you to notify UNLIMITED users. Also, gains a slew of enhancements including:
  • SMS notifications to alert users of their impending password expiry
  • Option to select users based on groups for sending password expiry notifications
  • Ability to schedule and send reports of users’ password/account expiry to their managers
  • Send password expiry notifications immediately with the ‘Run Now’ option
  • You can now notify password expired users too
• Enabling SSO now requires you to configure NTLMv2, which has been added to enhance security
• Option to hide ‘Click here to troubleshoot’ link in Reset Password / Unlock Account failure page

Issues fixed:

• Issue in removing added OUs while configuring GINA/CP scheduler
• Issue in enabling the ‘Force User to prove their identity via both verification methods’ option

How to Upgrade?

• Download Service Pack (for existing customers)
• Download latest build (for new customers)

• Unified Self-Service Password Management -Synchronize Windows Active Directory Password/Account changes made using ADSelfService Plus with range of cloud-based and on-premises apps. The following apps are supported:
  • Google Apps
  • Office 365
  • Salesforce
  • Zoho
  • IBM AS400 / iSeries
  • HP UX systems
  • Oracle Database
  • Oracle E-business Suite
• Free iPhone & Android App for self-service password management: ADSelfService Plus native apps for iPhone and Android allows end-users to reset their lost passwords, unlock their locked-out accounts, change their expiring passwords and synchronize password changes with a variety of non-Windows systems and cloud-based applications remotely from their iOS and Android devices. Get the free app from Get the Apps.
• Mobile Web App: Mobile browser support for devices running on any platform including Android, iOS and Windows Mobile
• Mobile App Rebranding: Ability to customize mobile app with your own company logo
• Mail Group Subscription: Self-Service Mail Group Subscription to allow users to subscribe to or unsubscribe from mail groups of their choice
• SMS/E-Mail Verification Codes to provide additional security when End-Users Reset Password / Unlock Accounts
• Enforce Stronger Passwords with "Password Strength Analyzer"
• Instant DC Updater: The actions by a user (password reset or account unlock), can be instantly updated between sites and across all or specified domain controllers
• Enrollment Notification: Scheduler to invite the 'non-enrolled & new domain' users to enroll with ADSelfService Plus as well as delivery reports for the notifications.
• Force Users to Enroll - Now force users to enroll with ADSelfService Plus as soon as they log in to their machines.
• Extract Audit Reports specific to a domain with the help of built-in filters.
• Heightened security against 'Cross-site scripting', 'CSRF issue', and 'Denial of Service attack'.
• SSL Certification Tool: Helps you to generate CSR and offers guidelines to install SSL certificate
• Report Scheduler: Scheduler for mailing admin the detailed reports of ADSelfService Plus (User, Audit & Enrollment Reports)
• Restrict User Scheduler: Scheduler for restricting the inactive users of a domain from accessing the application
• Support for Windows 8 and Windows Server 2012 operating systems
• Support for Postgres Database server (as product database) in addition to already supported MySQL and MS SQL databases.
• Support for 17 languages including Dutch, Swedish, Chinese, Spanish, Russian, and Arabic.
• Support for 3rd party GINA/CP agents:ADSelfService Plus is now compatible with the following 3rd party GINA/CP agents:
  • Zenworks Endpoint Security agent
  • 2X agent
  • Toshiba Logon Provider
  • Cisco NAC agent
  • OneX Credential Provider
  • Sophos Safeguard Disk Encryption
  • Cisoc VPN client
  • Checkpoint Full Disk Encryption (pre-boot authentication not supported)

Click here for the complete list of Features, Fixes and Enhancements from previous releases.

Some other benefits of ADSelfService Plus - Self Service Reset Password Management