Chat now with support
Chat with Support
Self Service Tools
Knowledge Base
My Account
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Support Essentials
Awards and Testimonials
License Agreement
Support Guide

Active Roles Product Notification

Critical Alerts

Critical Notification

Active Roles 7.4


Extensive internal testing has revealed that the latest release of Active Roles 7.4.0 has the potential to contain a systems vulnerability if very specific deployment configurations are implemented. Please note that this vulnerability does not apply to previous versions of Active Roles and is unique to 7.4 only, and only when Federated Authentication is used.

How does this affect me?

Testing exposed a potential vulnerability in Version 7.4.0 of Active Roles whereby, under very specific circumstances the Web Interface may allow users with lower privileges to impersonate an IIS logged on user when Federated authentication has been enabled. Please note: the risk of exploitation is strictly limited to configurations which have Federated Authentication enabled. If Federated Authentication is not enabled, there is no risk of any potential exploitation.


There are two methods to resolve the potential security vulnerability. 

  • For customers who have recently installed Active Roles 7.4 we have created a hotfix which will resolve the issue. More information regarding the hotfix as well as instructions to apply can be found in KB article 311495.
  • For customer who have yet to deploy Active Roles 7.4.0, we have created a new build which is available on our website. Active Roles 7.4.1 contains changes which resolve the potential security vulnerability. Active Roles 7.4.1 can be downloaded here.

Either method described above will eliminate any risk of this potential threat for Active Roles 7.4 customers.


Active Roles server 7.4.0 has been removed from the One Identity Support Portal. It has been replaced by Active Roles 7.4.1.