Chat now with support
Chat mit Support

Active Roles 8.0.1 LTS - SP1 Release Notes

Active Roles 8.0.1 SP1 LTS

Active Roles 8.0.1 SP1 LTS

Release Notes

08 March 2024, 13:28

These release notes provide information about the Active Roles 8.0.1 SP1 LTS release. For the most recent documents and product information, see Active Roles Technical Documents on the One Identity support portal.

Topics:

About this release

Active Roles 8.0.1 SP1 LTS (build 8.0.1.102) is a standalone service pack release containing additional security enhancements and resolved issues compared to the original Active Roles 8.0.1 LTS (build 8.0.1.91) release.

  • For more information on the enhancements of Active Roles 8.0.1 SP1 LTS and 8.0.1 LTS, see Enhancements.

  • For more information on other resolved issues fixed in Active Roles 8.0.1 SP1 LTS and 8.0.1 LTS, see Resolved issues.

  • For more information on the list of known issues, see Known issues.

Enhancements

The following is a list of enhancements contained in Active Roles 8.0.1 LTS and its service packs. Newer service packs cumulatively contain the enhancements of previous service packs and the initial Active Roles 8.0.1 LTS release.

Enhancements in Active Roles 8.0.1 SP1 LTS

NOTE: The following enhancements are available starting from Active Roles 8.0.1 SP1 LTS (build 8.0.1.102). To check the build of your Active Roles 8.0.1 LTS installation:

  • In the Active Roles Configuration Center, navigate to (Information) > Technical Information.

  • Alternatively, open the Add or Remove Programs list of the operating system, search for One Identity Active Roles, then click its entry.

Table 1: General Active Roles enhancements
Enhancement Issue ID

General security enhancements in all Active Roles components.

444729
Enhancements in Active Roles 8.0.1 LTS

NOTE: The following enhancements are available starting from Active Roles 8.0.1 LTS (build 8.0.1.91).

Table 2: General enhancements
Enhancement Issue ID

In preparation for the deprecation of the Remote PowerShell (RPS) protocol in Exchange Online PowerShell, Active Roles 8.0.1 LTS is updated to:

  • Use Exchange Online PowerShell v3 instead of earlier versions.

  • Use cmdlet Connect-ExchangeOnline instead of the deprecated cmdlet New-PSSession when establishing Exchange Online connections.

For more information, see Announcing Deprecation of Remote PowerShell (RPS) Protocol in Exchange Online PowerShell in the Microsoft Tech Community portal.

NOTE: You can continue using cmdlet New-PSSession to connect to on-premises Exchange Server deployments.

402974
Table 3: Synchronization Service enhancements
Enhancement Issue ID

Updated the Generic SCIM Connector with the following enhancements:

  • Added support for the following Starling Connect connectors and connector versions:

    • Pipedrive 1.0

    • ServiceNow 2.0

    • SuccessFactors HR 9.0

    • WorkdayHR 3.0

    • Zendesk 1.0

    NOTE: While the Generic SCIM Connector may work with other SCIM 2.0-based Starling Connect connectors, One Identity tested it to work only with these connectors and connector versions.

  • Added new Query only synced attributes setting to support querying only attributes that are specifically defined for synchronization.

  • Added new Starling cursor-based pagination setting to support Starling Connect connectors using cursor-based pagination instead of the SCIM protocol-defined index-based pagination method.

For more information, see Configuring data synchronization with the Generic SCIM Connector in the Active Roles Synchronization Service Administration Guide.

404915

In preparation for the deprecation of the Remote PowerShell (RPS) protocol in Exchange Online PowerShell, Active Roles Synchronization Service is updated with the following enhancements:

  • Increased the minimum required version of Exchange Online PowerShell to v3.0.0.

  • Replaced New-PSSession cmdlet calls with Connect-ExchangeOnline cmdlet calls.

  • Updated the Microsoft 365 Connector (formerly known as Office 365 Connector) and the Microsoft Azure AD Connector to support certificate-based authentication and automatic configuration.

For more information on configuring the updated connectors, see Working with Microsoft 365 and Working with Microsoft Azure Active Directory in the Active Roles Synchronization Service Administration Guide.

403476

The Synchronization Service Capture Agent now supports Local Security Authority (LSA). For more information, see Configuring Additional LSA Protection in the Microsoft Windows Server documentation.

125828

Table 4: Web Interface enhancements
Enhancement Issue ID

The Active Roles Web Interface was updated to support quick searches for AD LDS and Azure AD objects. These settings are enabled by default: disabling them will result in AD LDS and Azure AD objects not appearing in quick search results.

412502

Resolved issues

The following is a list of issues addressed in Active Roles 8.0.1 LTS and its service packs. Newer service packs cumulatively contain the resolved issues of previous service packs and the initial Active Roles 8.0.1 LTS release.

Resolved issues in Active Roles 8.0.1 SP1 LTS

NOTE: The following issues were fixed only in Active Roles 8.0.1 SP1 LTS (build 8.0.1.102). To check the build of your Active Roles 8.0.1 LTS installation:

  • In the Active Roles Configuration Center, navigate to (Information) > Technical Information.

  • Alternatively, open the Add or Remove Programs list of the operating system, search for One Identity Active Roles, then click its entry.

Table 5: General Active Roles resolved issues
Resolved Issue Issue ID

Previously, Active Roles forced rebuilding dynamic groups each time a member was added to or removed from the dynamic group.

This issue is now fixed, so Active Roles now rebuilds dynamic groups only if the rebuild is triggered manually or with a Scheduled Task.

443493

Table 6: Console (MMC Interface) resolved issues
Resolved Issue Issue ID

Previously, the change history for operation types Deprovision, Undo Deprovision and Run Scheduled Workflow remained indefinitely in the Management History database despite running the Change Tracking Cleanup scheduled task.

The issue is now fixed and old Management History records are deleted as expected.

399889

Table 7: Active Roles Synchronization Service resolved issues
Resolved Issue Issue ID

Previously, the Azure AD Connector could fail to find all objects in Azure during import tasks.

This issue could occur if HttpClient timed out during Graph API requests, for example because of network issues. In such cases, Azure AD Connector could not handle the timeout correctly.

The issue was fixed by:

  • Modifying the import process so that it stops when a timeout occurs, preventing the successful import of incomplete data.

  • Implementing a new retry policy which retries the request up to 3 times before timeout, minimizing the chance of the issue occurring.

437816

Table 8: Active Roles Web Interface resolved issues
Resolved Issue Issue ID

Previously, when using Active Roles in a forest topology with:

  • One root domain,

  • Several child domains,

  • Active Directory Federation Services and Active Roles with federated authentication configured on one of the child domains,

Then users registered in another child domain of the forest could not log in to the Active Roles Web Interface.

This issue was fixed by making sure that if Active Roles does not find the user in the current domain, then it continues searching for them in the forest using wider referral scopes each time it fails.

447483

Previously, authentication would fail under the following conditions:

  • When using WS-Federation authentication to the Web Interface.

  • When authenticating a user from an Active Directory forest or domain that is trusted by the AD domain that Active Roles is joined to.

  • When that authenticated user in the trusted AD domain has a UPN suffix that exists in both AD domains.

The issue has been resolved.

437298

Previously, when creating an Azure or hybrid user, the Licenses tab did not populate even if the Azure tenant had licenses assigned. The issue is now resolved.

433681

Resolved issues in Active Roles 8.0.1 LTS

NOTE: The following issues were fixed in Active Roles 8.0.1 LTS (build 8.0.1.91) and its service packs.

Table 9: Active Roles Service resolved issues
Resolved Issue Issue ID

Previously, scheduled Active Roles operations could fail with the following error if the Active Directory domain controller (DC) assigned to perform the scheduled operation was unavailable:

The server is not operational.

This issue occurred because Active Roles did not fall back to another working DC in the Disaster Recovery Plan (DRP) process in such cases, and is now fixed.

407373
Table 10: Configuration Transfer Wizard resolved issues
Resolved Issue Issue ID

Previously, the Active Roles Configuration Transfer Wizard could not be installed, even if the required Active Roles ADSI Provider was installed.

This issue was caused by a version checking problem, and is now fixed.

389286

Table 11: Console (MMC Interface) resolved issues
Resolved Issue Issue ID

Previously, when applying both an Access Template (AT) using a Full Control permission and another granular AT denying access to certain password-related attributes (such as PasswordNeverExpires, UserCannotChangePassword, UserMustChangePasswordAtNextLogon) to a user, the deny AT did not take effect for the user.

This issue was caused by the AT specifying an explicit deny not taking precedence over the AT using the Full Control permission.

The issue was fixed by ensuring that explicit deny ATs always take precedence over inherited allow permissions.

410412

Previously, in certain environments, Active Roles might not update Dynamic Groups in time when adding a new rule or forcing a rebuild. Also, in case of more than 1,000 changes, the changes were not processed until the nightly scheduled task.

To solve this problem, Active Roles features a rebuilt Dynamic Group logic that removes the 1,000 group member limit for normal group membership changes, and also ensures that changes are now always processed immediately.

405859

Previously, when configuring the mail configuration in Configuration > Server Configuration > Mail Configuration > Default Mail Settings Properties to use Exchange Web Services with Exchange Online and send approval responses by email, response emails sent by approvers could stuck indefinitely without being processed by Active Roles. This problem did not affect approval workflows using on-premises Exchange Server mailboxes.

The issue was caused by approval notifications not supporting Exchange Web Service modern authentication, and is now fixed.

404659

Previously, when configuring the mail configuration in Configuration > Server Configuration > Mail Configuration > Default Mail Settings Properties to use Exchange Web Services with Exchange Online and send approval responses by email, the mailto: links of approval workflow notification emails always contained the service account address even if an impersonated account was configured in the mail configuration settings.

The issue was caused by approval notifications not supporting Exchange Web Service modern authentication, so Active Roles could not collect emails from the impersonated account. Instead, it was falling back to the service account address.

This issue is now fixed, so when you configure an impersonated account address, that email address will appear properly in the approval workflow email messages.

404217

Previously, the change history for operation types Deprovision, Undo Deprovision and Run Scheduled Workflow remained indefinitely in the Management History database despite running the Change Tracking Cleanup scheduled task.

The issue is now fixed and old Management History records are deleted as expected.

399889

Previously, users received an Access denied error in the Web Interface when attempting to create a new cloud-only user if any of the following Access Templates (ATs) were assigned to them in the Active Roles Console:

  • Azure Cloud User - Full Control

  • Azure Cloud User - Create Objects

  • Any custom AT based on the settings of Azure Distribution Group - Create Objects

  • Any custom AT in which you assigned the Full Control permission on the Azure users container.

This issue is now fixed, and assigning these ATs to users now delegate the proper administration permissions.

392939

Previously, when adding members to a room mailbox with the Properties > Resource Information > Resource in-policy requests > Selected recipients setting, deleting an added user either via Active Roles or native Active Directory tools resulted in Active Roles failing to load the list of added users.

This issue occurred because Active Roles Console could not load the list of assigned users due to the null value of deleted users, and was fixed by filtering out deleted users from the list.

390095

Previously, undoing the deprovision of a user object that was originally licensed via group-based licensing would result in the previous license reassigned to the object directly instead of inheriting it from the group.

The issue is fixed and now if a user has a license inherited from a group, after deprovisioning and undo-deprovisioning it, the license will be inherited from the group again instead of being reassigned directly.

388433

Table 12: Management Tools resolved issues
Resolved Issue Issue ID

Previously, the Active Roles Management Pack for SCOM showed an incorrect version number.

This issue is now fixed.

405577
Table 13: Installer resolved issues
Resolved Issue Issue ID

Previously, attempting to install Microsoft OLE DB Driver for SQL Server via the Active Roles installer required users to manually install the prerequisite Microsoft Visual C++ Redistributable for Visual Studio packages, as they were not included in the Active Roles installation package.

This issue was fixed by including the packages in the installer.

411389

Previously, in the Introduction page of the installer, the Release Notes URL was incorrect and did not work.

This issue is now fixed.

388317
Table 14: Synchronization Service resolved issues
Resolved Issue Issue ID

Previously, when running the Azure BackSync with the Azure AD Connector for several thousand users, Synchronization Service did not indicate the number of processed user objects until all user objects were processed. Because of this, it could appear that nothing happened until the on-screen counter jumped to the total number of processed objects.

The issue is fixed, and now the counter of processed objects in the Azure AD Connector increases gradually, as expected.

401938

Previously, the Synchronization Service Capture Agent recorded and processed password change events for computer accounts.

This behavior was changed so that the Capture Agent no longer logs and forwards password change events for computer accounts to the Synchronization Service.

307297

Previously, the SCIM Connector did not support synchronizing data from WorkdayHR via Starling Connect.

This issue was fixed by updating the WorkdayHR schema.

294258
Table 15: Web Interface resolved issues
Resolved Issue Issue ID

Previously, when setting a custom global color scheme in Customization > Global settings > Color scheme, the customized Web Interface scheme could appear incorrectly in the user interface, with the sidebar colors, various selected elements and certain panes not following the base color of the scheme.

This issue was fixed by adjusting the management of customized Web Interface themes.

407336

Previously, customizing the Web Interface could negatively impact the functionality and performance of object search queries. Following customization, queries in the Web Interface could return too many objects, and query searches could slow down due to performing complex internal filtering before displaying query results in the Web Interface.

This issue is now fixed, so customized Web Interface instances now work without the listed problems.

395064

Previously, searching for Azure objects took approximately 15-20 seconds.

The issue has been resolved by modifying Microsoft Graph API pagination to reduce network traffic. As a result, searching for Azure objects is now significantly faster.

389314

Previously, when selecting an AD LDS user, the Web Interface returned an Unable to load contents error instead of listing the available user management actions.

This issue is now fixed, and the list of actions is now populated correctly.

386102

Previously, using a personal view to open an Organizational Unit (OU) whose name contained special characters resulted in a Directory object not found error.

This issue was caused by Active Roles removing these special characters from the OU name when saving the configured personal view, and it is now fixed.

322727

Previously, when using the Customization > Directory Objects > Customize Navigation Bar > General option of the Web Interface to open the Item Properties of the Reload button or the Restore Default button, clicking OK to close the dialog without any changes and reloading the configuration resulted in the changed Reload or Restore Default button no longer working.

This issue occurred because Active Roles was unable to get the target URL of these buttons, resulting in the Item Properties > URL to open field appearing empty in the Web Interface. If this field was left empty, clicking OK in the dialog to save the button settings broke the button.

To fix the issue, the Web Interface now sends a pop-up alert to inform users that the URL to open field cannot be left empty.

322689

Previously, when copying a shared, equipment or room mailbox in the Web Interface, the copied mailbox did not inherit the original mailbox type, and was created as a standard User Mailbox instead. In other words, the value of its msExchRecipientDisplayType attribute was always set to 1073741824 instead of inheriting the original value.

This issue was caused by a Web Interface infrastructure problem, and was fixed by implementing a switch case to determine the type of mailbox and add the proper attribute during the copy process.

307164

Previously, if a user was assigned to a group with a temporary membership, attempting to assign the same group membership again to the user via the Member of > Add command resulted in Active Roles overwriting the temporary group membership of the user. This behavior differed from the Active Roles Console, which returned an error message in this scenario.

To ensure that the Web Interface works the same as the Active Roles Console, the Web Interface was updated to filter out already added elements, and return the following message when attempting to assign the user again to the same group:

The object 'groupName' is already in the list and cannot be added for the second time.
289342
Self-Service-Tools
Knowledge Base
Benachrichtigungen und Warnmeldungen
Produkt-Support
Software-Downloads
Technische Dokumentationen
Benutzerforen
Videoanleitungen
RSS Feed
Kontakt
Unterstützung bei der Lizenzierung
Technische Support
Alle anzeigen
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen