This cumulative hotfix addresses the following issues:
The following is a list of issues investigated in this update.
|Product component||Resolved issue||Defect ID|
|Self-Service Site||There was an issue with custom activity controls (for example, textboxes or radio buttons) not being visible on the Self-Service Site if multiple custom activity controls were configured. This issue has been fixed, and now the custom activity controls are always visible when they should be.||282733|
|Self-Service Site||Previously, there was a conflict with reCAPTCHA settings. When a new workflow was created with reCAPTCHA set to v3, this workflow did not pass if a reCAPTCHA v2 check had been passed successfully earlier. This issue has been fixed by adding a condition that checks whether the site key has already been used by reCAPTCHA, and resets the process accordingly.||283667|
This cumulative hotfix also includes the following fixes:
|Product component||Resolved issue||Defect ID|
|User Site||Previously, when moving the User Site from its default /PMUser path to another location (for example, to the root of the domain URL), configured dictionary rules did not work, and image files related to the User Site could not be found by Password Manager. These issues are now fixed: images used on the site now load correctly, and the configured dictionary rules also work properly if the default path is changed.||276154|
|User Site / Self-Service Site||Previously, users were unable to change their password due to a configuration error affecting the dictionary validation rule of user password management. The issue occurred when Password Manager was installed and run with local user privileges, and the Password Manager service tried accessing the dictionary file of the configured dictionary rule with those local privileges instead of the permissions provided via domain connections. This issue has been solved and now, when Password Manager runs as local host, the service checks the presence of the dictionary file via the data provided in the domain connection.|
|Self-Service Site||Previously, when changing or resetting the password on the Self-Service Site, when the password was copy-pasted from the clipboard, the Continue button was enabled even when the password failed the dictionary validation rule. The issue has been fixed by ensuring that the Continue button remains disabled if dictionary rule validation fails.||280199|
Previously, reCAPTCHA v2 protection did not work properly on the Self-Service Site, causing numerous errors:
These issues are now solved, and reCAPTCHA v2 protection now works as intended.
|Self-Service Site||When resizing the browser window of the new Self-Service Site, the display of certain items, for example, the account logo or text lines, was incoherent. The appearance of the Self-Service Site has been improved and the display of information responds to the browser window's width correctly.||276196|
|Self-Service Site||Previously, the Password Manager Self-Service Site displayed a CAPTCHA security image every time a user search was performed, even if the General Settings > Search and Logon Options > Security Settings > Show a security image to prevent bot attacks > Show a security image every time the search is performed setting was disabled on the Administration Site. In addition, Password Manager accepted any value provided by the user whenever the CAPTCHA check was not supposed to appear. This issue is now fixed, and the related security settings work as intended.|
Previously, the WYSIWYG email editor (for example, in General Settings > Email Template or in the Workflow editor) had the following issues:
|267661, 85624, 85625|
|Self-Service Site||Fixed a potential vulnerability in a third-party component of Password Manager by updating the jQuery library to v3.5.1.||268487|
|Administration Site||Previously, the Password Policies > Password Policy Properties > Policy Rules > User Properties Rule > Prevent users from using account properties as part of passwords > The entire value of a user property setting had a misleading name. This is because the option does not actually check the specified password against the entire length of the selected user property if the user property contains any non-alphabetical characters (such as . or @). Instead, this setting validates the password against entire words found in the specified user property. To better reflect the actual behavior of this setting, it has been renamed to Entire words in properties.|
|Password Manager Service||Previously, deleting the Password Manager log folder resulted in the Password Manager Service being unable to start. This issue has been fixed so that the Password Manager Service now automatically re-creates the log folder upon launch if the specified folder does not exist.||274716|
|Password Manager||Fixed a potential logo pixelation on the Splash Screen.||273659|
|Self-Service Site||If the Display user agreement workflow step was added to a workflow, and it was customized with HTML modifiers, the text showed up in a raw format on the Self-Service Site. The text is now displayed correctly formatted when HTML modifiers are used in the workflow step.||272671|
|Helpdesk Site||On the HelpDesk site users were unable to authenticate with some special characters in the password. The issue has been fixed.||115992|
|Password Manager Service||In scenarios where the configuration environment contains multiple PM servers, there was an issue with replication caused by the RADIUS scheduled task. Now, when the RADIUS scheduled task runs, the shared storage files are updated only if needed.||272902|
|Password Manager Service||There was an issue with IP address logging. If there was a Network Load Balancer in the configuration environment, then the logged IP address was the NLB's IP address instead of the client's IP address. To correct this, an X-Forwarded-For header has been added in an extra line to the log file. This way, the IP address sequence starts with the client's IP address and it is followed by the IP addresses of each router and NLB, separated by commas (,).||84855|
|Self-Service Site||Before, when using the Self-Service Site to create custom activities or workflows, the ActivityFailure error message was missing. Now, if an error occurs, this error message is visible.||271412|
|Self-Service Site||There was an issue with the duplication of error messages. These duplicated error messages are now removed.||262221|
|Self-Service Site||The Self-Service Site handled custom activity scripts differently compared to the legacy Self-Service Site. Certain activity controls showed an incorrect value, not the "text" data that should have appeared on the screen. The issue has been fixed and now the expected value is shown.||267337|
|Self-Service Site||During initialization, the user could not select custom certificates on the Self-Service Site Initialization page. Now the dropdown lists all available certificates and the user is able to select any of them.||267634|
|Offline Password Reset||When the user was different from the last logged-in user, or when Windows did not store the data of the last logged-in user due to a policy restriction, an attempt to reset the user's password offline by generating a challenge code produced a code that was invalid and not accepted. This issue is now fixed.||268648|
|Self-Service Site||Previously, enabling reCAPTCHA v3 on the Self-Service site did not work, and users could bypass the reCAPTCHA check regardless of its results. This issue is now fixed and reCAPTCHA v3 is supported on the Self-Service site.||251284|
|Password Policy Manager||Previously, the Password Policy Manager component did not work when Local Security Authority (LSA) protection was enabled in the environment in which Password Manager was running. This issue has been fixed by replacing the previously unsigned DLLs with signed DLLs. NOTE: This change affects only Password Manager installations that have Password Policy Manager installed in an LSA-enabled environment. It does not affect installations that do not have Password Policy Manager installed, or that have Password Policy Manager installed in an environment with LSA disabled.|
|Self-Service Site||Previously, if the maximum password age rule failed, the Next button was unavailable. This issue has been fixed and now the Next button is available.||264254|
|Self-Service Site||Previously, when the Unlock My Account workflow was set to be always visible, the account header showed the user status as Registered+Locked even when the user status was unlocked. This issue has been fixed and now the account header shows the user status appropriately.||262655|
|Self-Service Site||Previously, when the language was set to Chinese (Traditional) and a password was entered to access the Manage My Profile page, the page failed to load and an error message appeared. This issue has been fixed and now the page loads normally.||264289|
|Self-Service Site||Previously, during RADIUS 2FA authentication an error occurred when two AD attributes (mobile phone and email) were not filled. The issue has been fixed so that RADIUS 2FA authentication can be used now even when these two AD attributes are not filled.||261694|
|Self-Service Site||Previously, when using RADIUS 2FA authentication or Starling authentication where a pincode is typed in, an error occurred when the Enter key was used instead of clicking on Continue. This issue has been fixed and now it works with both the Enter key and with Continue.||262442|
|Helpdesk Site||Previously, when using the Reset password workflow at the Helpdesk Site to generate a new password, the Next button was unavailable. This issue has been fixed and the Next button is now available.||263377|
|Self-Service Site||The /PMSelfService URL name was previously case-sensitive, meaning that if it was not typed exactly, the page did not load or the request was redirected to the root of IIS. This has been fixed by making /PMSelfService case-insensitive.||261808|
|Self-Service Site||Previously, the new Self-Service Site could not be reached if a non-standard port number (other than 80 or 443) was specified in the IIS settings. This issue has been fixed so that the Self-Service Site can now be reached even when non-standard port numbers are used in the IIS settings.||261730|
|Self-Service Site||Previously, if showing domain selection was configured on the Admin Site, the setting was only available on the Self-Service Site for the HelpDesk role. This issue has been fixed, so domain selection is now available on the Self-Service Site for every role.||262435|
Please download the hotfix here.