Password Manager 5.9.5 - Release Notes

Resolved Issues

The following is a list of issues addressed in this release.

Table 2:  Resolved issues

Resolved issue

Issue ID

reCAPTCHA images are not displayed in Secure Password Extension (SPE). 100051
reCAPTCHA image is not validated on user search page if more than one user is found. 100266

reCAPTCHA is not validated if proxy is configured.


Helpdesk site search limited to the specified attribute when Do not allow users to search for their accounts option is selected. 101164
Starling does not use the complete proxy settings. 106778
Error occurred while running password expiration task. 790395
Scheduled tasks fail in multi-processor systems. 108986
Server error in Password Manager user application. 108086

Failed to update user profile when all the options are selected as registration mode and None is selected in mandatory registration mode.


Duplicate entries observed in user search reports.


Removal of OneIdentity phone number from the Help file of PMUser site.


InstallDir registry value being reset to default.


SPE Popup notification not working as expected


User search in the Self Service site returns objects based on the AD attribute “Office”


High transaction response time observed for beyond 100Vu concurrency load in user registration scenario.


Manage My Password accepts old password during 5 minutes after the change


In-place upgrade to latest builds does not load the images without page refresh


No option to unjoin Starling if it fails from PMAdmin site


Starling join and subsequent SMS/Phone authentication are not working as expected, during/after upgrades.


Server side request forgery (SSRF) Vulnerability in Password Manager user site.


Registration workflow for end user requires corporate mobile phone as optional, when Starling is joined.


TLS 1.0 has to be enabled for Starling authentication to work.


Password Manager service becomes unresponsive under user load.


Page scrolling does not work on iPad devices.


Error when trying to send passcode.


Dictionary rule being validated after all other policy rules are satisfied.


#USER_UPN_NAME# for Password Expiration is not working as expected.


Reset Password workflow restricts helpdesk user to reset the password if Password Age rule is configured.


Many "Input string was not in a correct format" errors are captured in the PM service logs.


Unable to save the web service handler PowerShell code in custom web services.


Ability to remove the 0 (zero) through the script from the comment attribute.


Configure persistent country code when post configuration of user's phone number registration.


Simplify customization/localization method for country code's country name.


Users With Apostrophes in their Name Do Not Meet Password Complexity Rules.


Missing "Hide my answers for security purposes" checkbox in Forgot my password.


#USER_FIRST_NAME# and #USER_LAST_NAME# are not populated in User Enforcement Rules email notifications.


Password field does not support certain special characters leading to incorrect behavior of password strength meter.


Password Manager license key grows indefinitely and gets corrupted in the registry.

NOTE: If you are upgrading to 5.9.x, it is recommended to reinstall the license file once the upgrade is complete. Before installing the license, delete the existing SoftLicense binary value from [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Quest Software] registry key.


User is not able to change/reset password in self service and helpdesk workflows, when Force user to change password at next logon activity is enabled, with LDAP over SSL.


When Authentication Methods activity is configured for any workflow, user can identify the wrongly answered question from the HTTP Response object even after unchecking the Allow users to see what questions were answered correctly option.


User search with Domain\UserName does not show any results when Users must enter their logon names for identification on the Self-Service site option is selected.


When Security questions are selected as the registration mode and if both E-mail and Mobile values are configured in the Active Directory before the user registration, Access is Denied error occurs while saving Q&A profile from the PMUser site.


In the self-service site, partial username search from an external network displays the self-service tasks even if Allow user search from external network option is selected.


ARS integration section has now been removed from the Admin guide.


Content related to configuring read/write permissions to the E-Mail and Mobile attribute for Corporate Authentication is not available in the Password Manager Admin Guide.


One Identity rSMS service runs successfully with the PM service account when installed, but fails to run when the account credentials are changed.


Admin guide is now updated for occurrences of Vericloud with Vericlouds.


Password Manager Self Service site does not allow resetting the password without the challenge code if Allow users to reset passwords offline option is enabled in the Reset Password in Active directory activity of the workflow.


PM Self service site does not appear appropriately when accessed on the default browser of Android Tablet.


Maximum Password Age configured as part of PM Password Policy, does not allow user to change password when user's password expires or when user's last password change duration is greater than Maximum Password Age.


Permission Checker script unable to report the missing permissions required when the Password Manager Administrator is configured as a domain user with minimal permissions.


Though reCAPTCHA is enabled, error message does not appear in UI when the internet connection is disabled.


Password Manager authentication gets impacted when Microsoft updates settings for LDAP channel binding and LDAP signing.


User is not able to reset the password in the AD environment even after enabling the Force user to change password at next logon activity with LDAP over SSL.


Password Manager server reaches 100% CPU utilization intermittently.


When Authentication Methods activity is configured for any workflow, user can identify the wrongly answered question from the HTTP Response object even after unchecking the Allow users to see what questions were answered correctly option.


User Status Statistics schedule task fails with LINQ exception when processing big groups.


A few fields of the PMUser Site do not appear, when accessed on an Android Tablet Browser.


Disabled users are not able to register with Password Manager successfully.


Improper error messages appear when Google reCAPTCHA service is not available.


Support for reCAPTCHA v3 in PM application along with configurable reCAPTCHA score (applicable to Legacy Self service only).


When a PM service account is different than that of the logged in user account, installation of hotfix resets and locks the service account credentials.


In the self-service site, partial username search displays the self-service tasks even if Allow user search from external network option is selected.


When security questions are selected as the registration mode, Access is Denied error occurs while saving Q&A profile from the PMUser site.


Reminder to Change Password and User Status Statistics schedule task fails with timeout exception.


Service connection endpoint and replication container objects are not getting created for secondary replication instance.


Reminder to Change Password and other scheduled tasks are failing on both the replication instances.


Complexity Rule is not working as expected when the user account name has less than 3 characters.


Complexity Rule password policy validation does not consider "." and "_" as special characters.


Some of the special characters supported by windows were not supported by Password Manager while checking for complexity rule.


PM policy Complexity Rule validation fails when the characters of the user name are separated by space and are also part of the password entered.


User cannot complete registration from Self-Service site if "Personal contact method" is selected during registration.


Service connection endpoint and replication container objects are not getting created for secondary replication instance.


jQuery has to be upgraded to version 3.4 to avoid new security vulnerability, which enabled attackers to overwrite a JavaScript application object prototype.


reCAPTCHA icon does not appear in iPhone Safari/Chrome browsers.


Scheduled Task execution fails on an environment configured with SSL.


Leaf node created has permissions set to only the Computer account and the Domain Admin group, but not the Domain Users group.


Starling Unjoin fails from Password Manager due to SSL/TLS version changes in Starling.


User cannot validate password in PMADLDSUser page.


PMUser site displays "You cannot use this account to log on to the Self-Service Site" error message when user named "SAVE" is accessed.


Leaf node created has permissions set only to the Computer account and to the Domain Admin group, but not to the Domain Users group.


Support for reCAPTCHA v3 authentication (applicable to Legacy Self service site only).


Reminder to Change Password and User Status Statistics schedule task fails with timeout exception.


Starling authentication fails when spaces are present as a separator in the mobile attribute of a user.


QR Code of OPR breaks when the Windows screen resolution is more than 100%.


In Quick Connect, choosing Change password in this system independently from Active Directory option does not work as expected.

Workaround: It is recommended to use Legacy Self-Service Site.


Please complete the reCAPTCHA message is shown in the search page when a non-existing user is searched in the Password Manager Self Service site.

Workaround: Search user with valid username and correct reCAPTCHA in the Password Manager self Service site.


Installation of Password Manager 5.9.x on a non-supported OS does not show a user-friendly message.

Workaround: Password Manager installation has to always happen on a supported version of OS.


Post upgrade of Password Manager from 5.9.x onwards, Digital signatures tab is missing for a few DLL files.


UI hangs when S2FA is enabled for Admin, and when Starling is not reachable/account is disabled.


Password Manager application to use the latest available jQuery version [3.5.1] in its application.


Known Issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.


Table 3:  Known issues

Known issue

Issue ID

On the Helpdesk Site, if the AutoGenerated password is enabled, the AutoGenerated password is not accepted, and the button is displayed by default. This issue occurs, if the company does not have a password policy set in Active Directory.

Workaround: Set the password policy in Active Directory.


The Q&A Policy can be saved without filling the mandatory questions fields. By leaving these fields empty, certain self-service workflows will not work.

Workaround: Always provide mandatory questions when you are configuring the Q&A Policy.


When scheduling tasks, the administrator can select a date which has already passed, and schedule a task for that day. For example, the administrator can select 2020-12-31 when, in fact, the current date is 2021-01-01. A status message is displayed of the un-register scheduled task.

Workaround: Currently, there is no workaround for this issue.


Installing the hotfix locks the service account when UPN is used as service account.

Workaround: Change the service account to "domainname\username" format and provide a password for the same service account user, and then, install the hotfix.


Users may fail to log in on the Self-Service site using their user principal names (UPNs).

Workaround: Remove the corresponding managed domain from user scopes of configured Management Policies and add it again.


On the Self-Service site, users may fail to authenticate themselves with passwords, if passwords contain only blank characters.

Workaround: Users must change passwords so that passwords do not contain only blank characters.


If you add a domain group to a user scope on the Administration site and then rename the group using standard Active Directory management tools (for instance, the “Active Directory Users and Groups” console), Password Manager may not rename the group on the User Scope page of the Administration site.

Workaround: Remove the group from the user scope and add it again.


If a user belongs to user scopes of two Management Policies, the user may receive two email notifications instead of one when enforcement rules and reminders are applied.

Workaround: Either remove the user from the user scope of one Management Policy or from user scopes of enforcement rules and reminders belonging to a single Management Policy.


If a domain management account is disabled or its password is changed, Password Manager continues to access managed domains and no errors occur.


After importing the configuration to a Password Manager instance, there may be no notification on the Administration site that the account used to connect to the domain is invalid if the Password Manager Service account is used for connection.


  • After importing the configuration to a Password Manager instance residing in a different domain or installed on a standalone server, verify each domain connection and accounts used to access domains.
  • Do not use the “Password Manager Service account” setting for connecting to managed domains if Password Manager instances are installed in different domains or on standalone servers.


Search for users may fail on the Self-Service and Helpdesk sites and a list of domain controllers for a managed domain may fail to be displayed on the Administration site, when a new domain controller is being promoted in the environment.

Workaround: Stop all Password Manager application pools in the IIS and start them after the domain controller has been promoted and corresponding changes have been replicated.


When two Management Policies have mutually exclusive user scopes, search for users on the Self-Service or Helpdesk site may fail.

Workaround: Do not create Management Policies with mutually exclusive user scopes, i.e. do not add the same groups to the scope of users allowed to access the Self-Service site in one Management Policy and to the scope of users denied access to the Self-Service site in the other Management Policy.


When several domains sharing the same UPN suffix are added to the user scope, Password Manager may fail to find users on the Self-Service site when search for users belonging to a domain other than the first one is performed by a user principal name.

Workaround: Perform the following steps on the “Search and Logon Options” page of the Administration site:

  1. Select the “Users must enter the following user account attribute for identification” option.
  2. Enter the userPrincipalName value in the text box below that option.
  3. Click Save.


After upgrade, the Password Manager service may not start as expected.

Workaround: Use the Services console (Services.msc) to start the Password Manager service: Right-click that service in the console, and then click Start.


After upgrade, you may view old QPM* application(s) in the IIS Manager console.

Workaround: You may safely delete the old QPM* application(s) in the IIS Manager console.


Form authentication fails for admin site if the domain name is not specified.

Workaround: Provide the Domain name or Username to log into the Admin site.


Browser session crashes and an error is displayed in the Windows event log, when a dictionary file between 10 MB and 20 MB in size is edited from the Password Policy.

Workaround: If any modifications have to be made to a Dictionary file larger than 10 MB, it has to be edited from the domain machine where the Password Policy Manager (PPM) is installed.


On Windows Server 2019, services for Password Manager and rSMS are stopped.

Workaround: Ensure that the DC machine and clients are two separate entities.


rSMS service restart is required for custom log path and custom certificate changes.


A warning is displayed by the One Identity rSMS Service when you try to uninstall/ upgrade existing Password Manager version while the rSMS service is still running.

Workaround: Accept the Warning and proceed with the uninstallation.


In Quick Connect, unable to synchronize passwords when password is changed from the target to the source Active Directory system.

Workaround: Restart the Quick Connect Capture Agent Service on all the source and target systems.


On the Password Manager Administrator site, the page keeps loading after removing a custom workflow that was added.

Workaround: Refresh the page to completely delete the custom workflow.


Password Manager self-service site is not launched on SPE through a 32-bit system.

Workaround: It is recommended to use the Legacy self-service site on a 32-bit system.


The user interface does not function as expected, when a large organizational unit (OU) is unregistered and the unregister task is stopped.

Workaround: Refresh the unregister user page.


Unable to edit or delete the translated questions in the Q&A profile.

Workaround: Add another translated language to edit the previous translated question.


The Password Policy Rules are not displayed in the Legacy self service site or the Password Manager self service site for Password Manager ADLDS.

Workaround: Password Policy rules are displayed when the configured ADLDS instance and the Password Manager server instance are configured on the same machine.


Not able to access the Password Manager Administrator site when the domain user is the member of the local PMAdmin group.

Workaround: For PM versions 5.8.x or later, users must be a part of the local PMAdmin group and either of IIS_IUSRS or Administrators group to access the PMAdmin site.


#OPERATOR_ACCOUNT_NAME#, #OPERATOR_IP#, #WORKFLOW_RESULT#, and #WORKFLOW_SUMMARY# parameters are not populated in the email notification.


After upgrading Password Manager to 5.9.x, duplicate URL references are created for user site.

Workaround: Open the location where the shortcuts of the URL are present and delete, if not required.


Allow users to specify different password for this system option is not working as expected.

Workaround: Restart the Quick Connect Capture Agent Service on all the source and target systems.


After upgrading to Password Manager 5.9.x ADLDS version, search and logon page under General Settings menu displays an error when modified.

Workaround: Replace the sAMAccountName attribute with cn in the Helpdesk site page under search and logon options for the option Users must enter the following user account attribute for identification.


Issues in user search setting for Helpdesk in ADLDS.

Workaround: Search the user by the cn attribute though mail is the specified attribute in the helpdesk site of search and logon options.


In Password Manager ADLDS, the UI is not updated when a password policy is created.

Workaround: After a new policy is created, click Save and immediately cancel the Create policy wizard. The page refreshes to display the already created policy.


After upgrading to 5.9.x, My notification for a custom workflow cannot be edited in the Password Manager Self Service site.

Workaround: It is recommended to use Legacy Self Service Site to edit My Notification.


User Status Statistics, scheduled task fails intermittently.


Symmetry rule fails to validate the password containing non-consecutive characters.

Workaround: Administrators must avoid configuring the symmetry criteria Maximum number of consecutive characters within a password, that read the same in both directions (pass4554word) under the Symmetry Rule.


In the Password Manager Self-Service site of the ADLDS version of Password Manager, Change Language link of Q & A profile is not available in the Register page.

Workaround: It is recommended to use the Legacy self-service site.


When appropriate Authentication methods are not selected, Forgot My Password workflow screen is blank.

Workaround: It is recommended to configure the Register workflow settings making Security Questions as one of the registration modes.


Dictionary rule is not working as expected when 2 beginning characters of a dictionary word option is selected.

Workaround: Configure the complete word from the dictionary (QPMDictionary.txt) as part of the Dictionary rule.


During Password reset, helpdesk site accepts both previous/old passwords.

Workaround: The user has to manually enter a different password during a short duration of password reset.


Post upgrade of Password Manager from 5.6.3 to 5.9.x, My questions and answers profile workflow still exists.

Workaround: Navigate to My questions and answers profile workflow. Open the Workflow Settings page and navigate to the Availability tab. Click Never under Enable the workflow and Show the workflow on the Self-Service site options, and then click OK.


In Password Manager versions 5.8.2 and 5.9.x, reconnecting to a domain is successful only after two attempts.

Workaround: Clicking Add Domain Connection twice will add a new domain connection.


Inappropriate error message appears when reCAPTCHA is not entered for the second time.

Workaround: Search users with correct username and reCAPTCHA.


In the Password Manager self-service site of the Password Manager version 5.9.x, password history does not appear.

Workaround: It is recommended to use the Legacy self-service site.


In the Password Manager self-service site, select language option does not change the language in the Display user agreement action.

Workaround: It is recommended to use the Legacy version of self-service site.


Some column data required for custom activities is not available on the reports generated on ADLDS.


Location sensitive Authentication (LSA) feature does not work if the self-service site request contains an IPv6 address.

Workaround: Do not access the self service site from an external network, where the request contains an IPv6 address. LSA currently works only for IPv4 addresses.


Forgot My Password, Manage My Passwords fails in ADLDS environment, when the userscope is configured with ADLDS account.

Workaround: Do not configure the userscope of Password Manager for ADLDS using "The following AD LDS account:"


Corporate phone attribute does not get imported from primary instance onto the secondary replication instance in the Re-initialization page.

Workaround: The Corporate phone attribute could be manually changed on the secondary instance to have the same value for Corporate Phone on both the PM Instances.


Users receive both default and custom email notifications, when Q&A profile is updated with any other language (other than English) in the Self service site.

Workaround: Change the settings in Email user if workflow succeeds workflow to Customize for the Select email template to use: option.


Password Manager for ADLDS does not support Dictionary rule in OI Password policies.

Workaround: Do not configure dictionary rule in Password Manager for ADLDS.


When the Select default Language for email in the Email Template is configured as English(United States), users will receive emails only in English irrespective of the language chosen during registration, in the Self service site.


Web interface customization does not get applied on Password Manager (AD and ADLDS), when the App pool account is a domain user with minimal permission.


Unregister user task does not run when scheduled from the secondary instance of the Password Manager server.

Workaround: It is recommended to schedule an Unregister Users task on the Primary instance of Password Manager.


reCAPTCHA v3 does not work in Password Manager self-service site.

Workaround: It is recommended to use reCAPTCHA v2 instead of reCAPTCHA v3 for reCAPTCHA activity.


Post upgrade, Active Directory sites (Scheduled Task) are in disabled state.

Workaround: Post upgrade, manually enable the Active Directory sites.


System Requirements

This section provides system requirements for installing and running Password Manager and its components.

Password Manager Service and Administration Site requirements

Before installing Password Manager, ensure your system meets the following minimum hardware and software requirements for Full Installation and Distributed Installation, if you have the Self-Service site and Helpdesk site installed on separate systems.

Table 4:  Password Manager Service and Administration Site requirements




1.6 GHz or higher


At least 4 GB RAM

Hard Disk Space

2.7 GB of free disk space

NOTE: If .Net Framework is already installed, then installation may take less space.

Operating System

Password Manager can be run on any of the following operating systems:

  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019


  • Password Manager is not supported on Windows Server Core mode setup.
  • It is recommended not to install Password Manager on the machine where Domain Controller (DC) server is installed.

Internet Information Services

On the Web server, Password Manager requires any of the following IIS versions:

  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 7.5
  • Microsoft Internet Information Services 8.0
  • Microsoft Internet Information Services 10.0

To ensure best practice security, Password Manager should be configured to use HTTPS. For more information, see Administrator Guide.

Web Browser

Microsoft Internet Explorer 11

Microsoft Edge

Mozilla Firefox 10 or later

Apple Safari 5 or later

Google Chrome 15 or later

Microsoft .NET Framework

Microsoft .NET Framework 4.7.2

NOTE: You must install .NET Framework before you install Password Manager.

Visual C++ Runtime Libraries

Visual C++ Runtime Libraries 2017

Visual C++ Runtime Libraries 2010

Visual C++ Runtime Libraries x86 and x64 are included with the Password Manager distribution package.

You must install Visual C++ Runtime Libraries 2010 and Visual C++ Runtime Libraries 2017 before you install Password Manager.

Acrobat Reader

Acrobat Reader DC

Acrobat Reader DC 17.009.20044 is included with the Password Manager distribution package.

Minimum screen resolution

1280*1024 pixels

Password Manager supports Windows Server 2012 R2 and later versions in domain and forest functional levels, including domains operating in a mixed mode. Note that Password Manager installation is not supported on Windows 2008 and earlier versions.
