This is a supported patch for Quest One ActiveRoles 6.9.0. This patch may receive additional testing. If you are not severely affected by the issue that this patch addresses, it is recommended that you install the next full release of Quest One ActiveRoles that includes this patch.
Please download the hotfix from solution 133478
Fixed: ActiveRoles may not start an automation workflow on the expected schedule. The issue occurs with automation workflows created by copying (or exporting and then importing) an existing scheduled automation workflow. The root cause of the issue is that the copy of the workflow has the same schedule ID as the original workflow.
Fixed: ActiveRoles does not enforce RPC encryption to protect network traffic between the Active Roles console and a remote instance of the ActiveRoles Administration Service. Even if RPC encryption is disabled on the console side, the Administration Service allows communication with the console. To address the issue, the Administration Service has been updated to reject remote connection requests unless the requesting party has RPC encryption enabled.
Enhancement: The ActiveRoles Admin setting is stored in the Registry on the computer running the ActiveRoles Administration Service. As a result, local administrators of that computer can view or change the ActiveRoles Admin setting. Given that the ActiveRoles Admin account has full access to all ActiveRoles settings, including permission and policy settings, the ability to change the ActiveRoles Admin setting allows a local administrator to gain full access to ActiveRoles and Active Directory objects, thereby elevating the local administrator's privileges. To address the issue, management of the ActiveRoles Admin setting has changed so that:
- The local Registry no longer contains the ActiveRoles Admin value data.
- The Administration Service retrieves its ActiveRoles Admin value from the ActiveRoles database rather than the local Registry.
- Each instance of the Administration Service has a separate ActiveRoles Admin value stored and encrypted in the ActiveRoles database.
- Only the user or group that is specified in the ActiveRoles Admin value in the ActiveRoles database and the service account of the Administration Service have the ActiveRoles Admin rights and permissions.
- The ActiveRoles Admin rights are required to change the ActiveRoles Admin value.
You must perform the following steps for these changes to take effect:
1. Log on as the ActiveRoles Admin for a given instance of the Administration Service, and connect the ActiveRoles console to that Administration Service instance. For instructions, see "Connecting to the Administration Service" in the ActiveRoles Administrator Guide.
2. In the console tree, right-click the "Configuration" container and select All Tasks | Advanced Properties.
3. Use the "Advanced Properties" dialog box to set the edsvaDSAdministrators attribute to the desired ActiveRoles Admin value. You can supply the attribute value in the form <domain>\<group> or <domain>\<user> where <group> or <user> stands for the pre-Windows 2000 name (sAMAccountName) of the desired security group or user account and <domain> is the name of the domain in which the group or user account resides.
4. Repeat Steps 1-3 for each instance of the ActiveRoles Administration Service in your environment.
Once you have completed these steps, you can manage the ActiveRoles Admin setting by viewing or changing the edsvaDSAdministrators attribute value on the "Configuration" container in the ActiveRoles console. Note that you must be logged on as the current ActiveRoles Admin; otherwise, the Administration Service does not allow you to change the edsvaDSAdministrators attribute.
Fixed: In an e-mail message generated by the Notification Activity within an ActiveRoles workflow, the Operation.Target token may not function as expected. The issue occurs if the workflow starts upon a Deprovision, Move or Rename operation request. In this case, the syntax such as Operation.Target["<attribute name>"] returns nothing instead of the operation target object's attribute value.
Fixed: The ActiveRoles console or Web Interface may take much longer than expected to open pages for managing Exchange properties of a user or group. The issue occurs if the ActiveRoles Administration Service and Exchange servers are located in different network sites. The issue is due to a non-optimal method used by the Administration Service to select an Exchange server for remote Shell connection.
Fixed: If the ActiveRoles Administration Service uses remote Shell for Exchange 2010, then it may not be able to administer mailbox rights settings for Exchange mailboxes. A symptom of the issue is that the "Mailbox Rights" dialog box does not open in the ActiveRoles console or the ActiveRoles Web Interface displays an empty "Mailbox Rights" page.
Fixed: Permission settings may not propagate to Active Directory from the Managed Unit level as expected after you have applied Workaround 2 described in Knowledge Article 114858 at https://support.quest.com/kb/SOL114858. The issue occurs if you apply the workaround and then restart the ActiveRoles Administration Service. The root cause of the issue is that the "Enable Sync to Native Security from Managed Unit" application-setting object does not initialize correctly during a restart of the Administration Service.
Fixed: When you use ActiveRoles to perform Exchange recipient management tasks, memory leaks may occur on the computer running the ActiveRoles Administration Service. The issue occurs if the Administration Service employs the remote Exchange management shell; its cause is that the Administration Service does not dispose of all in-memory objects after closing a remote session.
Console (MMC Interface)
Enhancement: Given an organizational unit (OU) that contains a large number of objects, the ActiveRoles console may take a long time to list all sub-OUs held in that OU. The issue occurs in the following scenario. Suppose a given OU contains several sub-OUs along with a large number of users (20,000+). When you select the containing OU, the console may not display all sub-OUs unless you configure filter options to ensure that the console lists all objects (both users and sub-OUs) held in the OU. However, significantly increasing the filter threshold (for example, setting 20,000 instead of 2,000 items to display per folder) results in a long delay before the console displays the entire contents of the OU. The issue occurs because the console does not distinguish between OUs and other object types (such as users) when enumerating the contents of the OU. To address the issue, the ActiveRoles console and service have been updated to list all sub-OUs first and then list the other objects held in a given OU.
Fixed: The ActiveRoles console may incorrectly identify managed AD DS domain objects as AD LDS objects. The issue occurs if you have an AD LDS directory partition registered for management with ActiveRoles and the distinguished name (DN) of that partition matches the parent part of the domain's DN. For example, the following DNs would cause the issue:
DN of the AD LDS directory partition - DC=lab,DC=local
DN of the AD DS domain - DC=ndtest,DC=lab,DC=local
A symptom of the issue is that the console shows the domain objects as AD LDS objects, with orange icons and reduced property pages.
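As an added illustration (not ActiveRoles code) of the misclassification described above, the following Python contrasts a first-suffix-match lookup with the longest-suffix match that resolves it; the two DNs are those from the note, while the partition table, its ordering and the function names are assumptions. It generalizes to any number of registered partitions.

```python
from typing import Dict, List, Optional

# Registered partitions and their kinds (DNs from the release note; the table itself is constructed).
PARTITIONS: Dict[str, str] = {
    "DC=lab,DC=local": "AD LDS",
    "DC=ndtest,DC=lab,DC=local": "AD DS",
}

def dn_components(dn: str) -> List[str]:
    """Split a DN into normalized RDNs. Case-insensitive and whitespace-tolerant;
    escaped commas inside attribute values are out of scope for this illustration."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def is_under(object_dn: str, partition_dn: str) -> bool:
    """True when partition_dn is a component-wise suffix of object_dn."""
    obj, part = dn_components(object_dn), dn_components(partition_dn)
    return 0 < len(part) <= len(obj) and obj[-len(part):] == part

def classify_naive(object_dn: str) -> Optional[str]:
    """Pre-fix logic: the first registered partition whose DN is a suffix wins.
    Because DC=lab,DC=local is the parent of the domain DN, every object in
    DC=ndtest,DC=lab,DC=local is reported as AD LDS."""
    for partition_dn, kind in PARTITIONS.items():
        if is_under(object_dn, partition_dn):
            return kind
    return None

def classify_fixed(object_dn: str) -> Optional[str]:
    """Corrected logic: among all partitions that are suffixes, pick the one with
    the most RDN components, i.e. the most specific registration."""
    best: Optional[tuple] = None
    for partition_dn, kind in PARTITIONS.items():
        if is_under(object_dn, partition_dn):
            depth = len(dn_components(partition_dn))
            if best is None or depth > best[0]:
                best = (depth, kind)
    return best[1] if best else None
```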
Fixed: Incorrect behavior of the "Properties" button in the Web Interface entry for a read-only DN-syntax attribute, such as managedObjects: When you select an object from the list provided by the entry, the "Properties" button is unavailable (grayed out). The expected behavior is that the "Properties" button is available regardless of whether the list is read-only or can be modified.
Fixed: When switched to a non-English language, the Web Interface encounters an error condition if you choose the "Customization | Reload" command. The error message reads "Error: Object reference not set to an instance of an object."
Fixed: Switching the Web Interface to a non-English language may have no effect on the error message that appears if you click OK in the "E-mail Address" dialog box without specifying an e-mail address: The message text remains in English when you switch the Web Interface to a different language.
Fixed: Switching the Web Interface to a non-English language may have no effect on the confirmation message that appears if you choose to delete an object: The message text remains in English when you switch the Web Interface to a different language.
Fixed: Switching the Web Interface to a non-English language may have no effect on the "Browse" button in the "Messaging Records Management," "Roles Assignment Policy" or "Address Book Policy" dialog box: The button label remains in English when you switch the Web Interface to a different language. The same issue with the "Browse" button occurs on the page where you can select mailbox policies when creating a mailbox.
Fixed: When switched to a non-English language, the Web Interface may incorrectly render the setting name or description on the "Mailbox Settings" page, inserting a literal code fragment into the text box.
Fixed: Switching the Web Interface to a non-English language may have no effect on the "Clear" button in the "Messaging Records Management" dialog box: The button label remains in English when you switch the Web Interface to a different language.
Fixed: The toolbar with the buttons for adding or removing groups is missing from the "Member Of" page for AD LDS Proxy objects in the Web Interface, so you cannot use the "Member Of" page to add or remove AD LDS Proxy objects from groups.
Fixed: Authenticated users can use the ActiveRoles Web Interface to upload files to the Temp folder in the Web application root directory, and retrieve files from that folder. This can lead to an unprivileged user uploading a malicious file and using the hosted file to compromise an administrative session. To address the issue, the Web Interface has been updated to:
- Prevent upload of files other than picture files to the Temp folder.
- Deny execution of script files from the Temp folder.
- Mangle the name of the uploaded files in the Temp folder.
- Prohibit access to the files in the Temp folder via an HTTP/GET request.
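The four controls listed above, as an added Python example that is not the Web Interface's own code: content-plus-extension validation, name mangling, and a handler-side check that denies GET access to the Temp folder and execution of script-type files there. The signature table, the request paths and the sample bodies are constructed for the example.

```python
import secrets
from pathlib import Path

# Control 1 data: picture types admitted to Temp, extension -> leading signature bytes.
PICTURE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# Control 2 data: server-side script/handler types that must never execute from Temp.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".exe", ".dll"}
# Constructed sample bodies (not real images) for the checks below.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_TEXT = b"plain text renamed to look like a picture"

def validate_picture(filename: str, body: bytes) -> str:
    """Extension must be allow-listed AND the body must start with the matching
    signature, so a non-image renamed to '.png' is rejected. Returns the ext."""
    ext = Path(filename).suffix.lower()
    if ext not in PICTURE_SIGNATURES:
        raise ValueError(f"not a picture type: {ext!r}")
    if not body.startswith(PICTURE_SIGNATURES[ext]):
        raise ValueError("body does not match the declared picture type")
    return ext

def is_rejected(filename: str, body: bytes) -> bool:
    """Convenience for checks: True when validate_picture refuses the upload."""
    try:
        validate_picture(filename, body)
        return False
    except ValueError:
        return True

def admit_upload(filename: str, body: bytes) -> str:
    """Control 3: the client-supplied name is discarded; a random token plus the
    validated extension removes path separators, double extensions and guessable names."""
    return secrets.token_hex(16) + validate_picture(filename, body)

def request_allowed(method: str, request_path: str) -> bool:
    """Controls 2 and 4 at the handler: no GET reaches a file under Temp, and no
    script-type file under Temp executes for any method. Assumes the web server
    has already canonicalized the path (traversal resolved); case is folded here."""
    path = request_path.split("?", 1)[0].replace("\\", "/").lower()
    if "/temp/" not in path:
        return True
    if method.upper() == "GET":
        return False
    return Path(path).suffix not in SCRIPT_EXTENSIONS
```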
Fixed: In the ActiveRoles Web Interface, the ReloadMetaData.aspx page is vulnerable to open redirect. By using the ReturnUrl query string parameter in the destination URL of that page, the Web Interface user can be redirected to a malicious Web page. To address the issue, the ReloadMetaData.aspx page has been updated to no longer use redirection, disregarding the ReturnUrl parameter.
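To make the ReturnUrl problem concrete, here is an added Python example (not the Web Interface's code) of the two defensive options: the patched approach, which ignores the parameter and redirects to a fixed page, and a strict local-path validator for cases where a return URL must be honoured. The landing page name and the function names are assumptions.

```python
from typing import Mapping
from urllib.parse import urlsplit

LANDING_PAGE = "/Default.aspx"   # assumed fixed destination, not taken from the release note

def is_local_return_url(return_url: str) -> bool:
    """Strict test for 'a path on this site'. Anything a browser could read as
    another origin is refused: a scheme, an authority ('//host'), the backslash
    form that some browsers normalize to '//', and leading/trailing whitespace
    or control characters that lenient parsers silently drop."""
    if not return_url or return_url != return_url.strip():
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in return_url):
        return False
    if not return_url.startswith("/") or return_url.startswith(("//", "/\\")):
        return False
    parts = urlsplit(return_url)
    return parts.scheme == "" and parts.netloc == ""

def reload_metadata_redirect(query: Mapping[str, str]) -> str:
    """Patched behaviour described in the release note: the ReturnUrl query
    parameter is read nowhere; the redirect target is always server-chosen."""
    return LANDING_PAGE

def guarded_redirect(query: Mapping[str, str]) -> str:
    """Alternative when a return URL must be honoured: validate it, and fall
    back to the fixed landing page on any doubt (deny by default)."""
    candidate = query.get("ReturnUrl", "")
    return candidate if is_local_return_url(candidate) else LANDING_PAGE
```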
Fixed: With ActiveRoles approval rules configured so that requests for adding and removing users from groups require approval, the Web Interface may not create an approval task as expected when you remove a user from a group. The issue occurs if you add a user to a group and then remove a user from a group within a single ASP.NET session on the Web server; it is caused by a defect that prevents the Web Interface from submitting remove requests for approval.
Fixed: On the "Member Of" page in the Web Interface, there is no visual indication of the groups from which the Web Interface user cannot remove members. To address the issue, the Web Interface now changes the way that the "Member Of" page displays such read-only groups: If the Web Interface user does not have permission to remove members from a given group, the name of that group appears shaded.
Fixed: In the ActiveRoles Web Interface, a duplicate of the "Exchange Properties" command may appear in the MENU pane after you have performed the "Establish E-mail Address" task on a user account. As a result, the Web Interface menu for that user account contains two instances of the "Exchange Properties" command.
Fixed: ActiveRoles Collector, a component intended to prepare data for ActiveRoles Report Pack, may not use RPC encryption when retrieving data from a remote instance of the ActiveRoles Administration Service. As the Administration Service now rejects non-encrypted connection requests, Collector has been updated to ensure RPC encryption of network traffic between the Collector and Administration Service hosts.