
Safeguard Authentication Services 5.0 - Release Notes

August 2020

These release notes provide information about the Safeguard Authentication Services 5.0 release.

About this release

Safeguard Authentication Services extends the capabilities of UNIX, Linux, and Mac systems to seamlessly and transparently join Active Directory and integrate Unix identities with Active Directory Windows accounts.

Safeguard Authentication Services 5.0 is a minor release that includes these features:

  • Ansible support (224151)

  • Explicit mapping of users to valid certificates (198067)

  • Group policy updates (198055)
  • macOS: Added functionality (198050)

  • Support for unattended join using Windows Offline Domain Join (ODJ) credentials (198057)
  • License validator (198066)

    CAUTION: For license validator (198066), if you upgrade Safeguard for Authentication Services before adding the license, the caches will empty and SAS will be unusable. You can add the license then either rejoin or restart vasd and run vastool flush. You can update the Control Center any time without issue.

    For more information on licensing changes and obtaining a new license, see the About licensing section of the Safeguard Authentication Services Upgrade Guide.

For additional information see:

CAUTION: You must upgrade all Windows components on all Windows systems to Authentication Services 4.2.1 or higher before modifying the QAC (Quest Authentication Configuration) in Active Directory using Control Center from QAS 4.2.0 or higher. For more information, please see the KB Article 314330.

New features in version 5.0

The new features in Safeguard Authentication Services 5.0 follow.

Ansible support (224151)

Infrastructure Administrators can use Ansible 2.9 or later for the following functions, including generating reports.

  • Install, upgrade, and uninstall Safeguard Authentication Services (SAS) software packages and create reports to summarize software deploy status
  • Configure and join Safeguard Authentication Services to an AD domain, including:
    • Perform preflight checks

    • Modify vas.conf

    • Modify users/groups.allow and users/groups.deny

    • Modify user/group overrides

    • Join/unjoin SAS from domain

    • Create reports to summarize configure/join status

Authentication Services Ansible Collection

The One Identity Authentication Services Ansible Collection, referred to as ansible-authentication-services, consists of roles, modules, plugins, report templates, and sample playbooks to automate software deployment, configuration, Active Directory joining, profiling, and report generation for Safeguard Authentication Services. Go to: https://github.com/OneIdentity/ansible-authentication-services.

Ansible details

For Ansible information consult:

NOTE: One Identity open source projects are supported through One Identity GitHub issues and the One Identity Community. This includes all scripts, plugins, SDKs, modules, code snippets or other solutions. For assistance with any One Identity GitHub project, please raise a new Issue on the One Identity GitHub project page. You may also visit the One Identity Community to ask questions. Requests for assistance made through official One Identity Support will be referred back to GitHub and the One Identity Community forums where those requests can benefit all users.

Explicit mapping of users to valid certificates (smart card) (198067)

Mapping certificates to users can be done implicitly or explicitly. Authentication Services supports mapping one cert to one user or mapping multiple certs to one user. Mapping one cert to multiple users is not supported. For details, see the Smart Cards Administration Guide, Map certificate to user (implicit and explicit).

Group policy updates (198055)

Safeguard Authentication Services can apply additional policies to Unix systems:

  • Mac OS X policies are updated
  • Privileged Manager Policies are updated

License validator (198066)

New licenses have to be added prior to upgrading to version 5.0. If you have a mixed environment with some clients running on 5.0 and some running on an older version, you will need to have both licenses available.

CAUTION: If you upgrade Safeguard for Authentication Services before adding the license, the caches will empty and SAS will be unusable. You can add the license then either rejoin or restart vasd and run vastool flush. You can update the Control Center any time without issue.

Windows Administrators can load the Safeguard Authentication Services license into Active Directory.

Unix Administrators must have a current license.

macOS: Added functionality (198050)

The following functionality was added for macOS platforms. For additional information, see KB 322901.

  • Installation is from the One Identity Support page.
  • In Application Properties, an Options tab has been added to control App Store and Game Center settings. For example, you can choose to allow software update notifications.
  • In Media Access Properties, there are two new settings:
    • Allow AirDrop
    • Allow transfers with Finder or iTunes
  • Software Update Properties have been added related to purchasing or installing apps.
  • System Preference Properties selection was enhanced.
  • Wireless Profile Properties now include the ability to use hidden networks, auto join networks, proxies, protocol configurations, and authentication. This policy also works with vascert to provide a certificate that can be used to join a network.

Support for unattended join using Windows Offline Domain Join (ODJ) credentials (198057)

An Administrator can use a Windows Offline Domain Join (ODJ) credential instead of a keytab for scripting an unattended installation of Safeguard Authentication Services to enhance security.

There must be connectivity from the Unix machine to domain controllers. When using this method of joining AD, neither the [domain] nor credentials are needed on the vastool join command; that information comes from the offline join file. More information is in the vastool man page.

The join can work in the following ways:

  • vastool join [some flag] <path to the offline join file>
  • vastool join with a newly defined environment variable that points to the location of the offline join file
  • vastool join with neither: if the flag wasn't passed and the environment variable is not set, a predefined location is checked for the offline join file
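
Because the offline join file is a credential, a deployment script can check it before the join runs. The following is an added example, not One Identity code: it applies the three-step lookup order above and rejects a file that is a symlink, is owned by another user, or has any group or other permission bits. `ODJ_FILE` and `ODJ_DEFAULT_PATH` are hypothetical names; the real flag, environment variable and predefined location are in the vastool man page.

```shell
#!/bin/sh
# Added example, not product code. ODJ_FILE and ODJ_DEFAULT_PATH are
# hypothetical names standing in for the real environment variable and
# predefined location, which are documented in the vastool man page.
ODJ_DEFAULT_PATH="${ODJ_DEFAULT_PATH:-/etc/opt/example/odj.txt}"  # placeholder

# resolve_odj_file [explicit-path]
# Applies the lookup order from the release notes and prints the chosen path.
resolve_odj_file() {
    if [ -n "${1:-}" ]; then
        candidate=$1                  # 1. path given on the command line
    elif [ -n "${ODJ_FILE:-}" ]; then
        candidate=$ODJ_FILE           # 2. environment variable
    else
        candidate=$ODJ_DEFAULT_PATH   # 3. predefined location
    fi
    # This wrapper's choice: a named source that is missing is an error,
    # it does not silently fall through to the next one.
    [ -f "$candidate" ] || return 1
    printf '%s\n' "$candidate"
}

# odj_file_is_private <path>
# True only for a regular file (not a symlink), owned by the invoking user
# (root when joining), with no group or other permission bits set.
odj_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    group_other=$(ls -ld -- "$1" | cut -c5-10)
    [ "$group_other" = "------" ]
}

# check_odj_file [explicit-path]
# Prints the path to hand to the join step; 1 = not found, 2 = unsafe file.
check_odj_file() {
    path=$(resolve_odj_file "${1:-}") || {
        echo "no offline join file found" >&2; return 1; }
    odj_file_is_private "$path" || {
        echo "refusing $path: not a private, owned, regular file" >&2; return 2; }
    printf '%s\n' "$path"
}
```

Run `check_odj_file` as the account that performs the join and abort the deployment on a non-zero return.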

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues

| Resolved Issue | Issue ID |
|---|---|
| Corrected situation where vasd starting without daemon caused a segmentation fault (segfault). vasd is now able to start and run without issue. | 246117 |
| Fixed calls to krb5_cc_initialize() on AIX in a threaded process. | 244563 |
| DES option does not display. The default_etypes_des was removed from vas.conf during a fresh join. | 228495 |
| SELinux policy allows vasd getattr access on the disable_ipv6 file. | 199545 |

Known issue

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 2: Known issues

| Known Issue | Issue ID |
|---|---|
| You must upgrade all Windows components on all Windows systems to Authentication Services 4.2.1 or higher before modifying the QAC (Quest Authentication Configuration) in Active Directory using Control Center from QAS 4.2.0 or higher. For more information, please see the KB Article 314330. This was corrected in Authentication Services 4.2.1. | 198991 |
