Defender 6.4.1 - Release Notes

One Identity Defender 6.4.1

03 May 2023, 12:41

These release notes provide information about the One Identity Defender release.

About One Identity Defender 6.4.1

Defender enhances security by using two-factor authentication to authenticate the users who request access to valuable resources within your organization. Defender uses your current identity store within Microsoft® Active Directory® to enable two-factor authentication, taking advantage of its inherent scalability and security, and eliminating the costs and time involved to set up and maintain proprietary databases. Defender’s Web-based administration and user self-service ease the implementation of two-factor authentication for both administrators and users.

See New features.

Enhancements

The following is a list of enhancements implemented in Defender 6.4.1.

Table 1: General enhancements

Enhancement | Issue ID
The user can see the full QR code for activating the Microsoft Authenticator token in the Self-Service Portal | 413633
Defender Soft Token for Android is now compatible with the latest Android version, 13 | 307951
RADIUS proxy with the Defender Server now supports push notification and FIDO2 authentication flows | 402556

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 2: General known issues (each entry is followed by its workaround, if any, and its issue ID)

Push notification authentication flows do not work properly with the ADFS client.

Workaround

Push notifications can be disabled. Alternatively, the user can enter the passcode from the token manually in the passcode field to log in.

406536

Push notification timeout flows fail for EAP with RADIUS proxy when the user has more than 2 tokens.

Workaround

Push notifications can be disabled for the EAP client. Alternatively, the user can be restricted to using only 2 tokens while using push notifications with the EAP client.

If both push notifications and more than 3 tokens must be used, the user can log in by restarting the DSS service and then restarting the authentication process.

408220

The Microsoft Authenticator token displays a 'Bad response' error after a reset operation is performed on the token.

Workaround

Use OATH-compliant tokens, which are counter-based and are not affected by this issue.

If the user must use Google Authenticator (TOTP) or Microsoft Authenticator (time-based), they must delete the existing token and program a new token.

401643

FIDO2 registration and authentication screens do not load when Defender is used as a proxy, and subsequent requests are rejected.

394549

In RADIUS proxy environments, certain push notification flows do not work as expected.

Workaround

Push notifications can be disabled in RADIUS proxy environments to allow authentication using Defender.

392972

Defender Soft Token for OneLogin Protect cannot be activated using the activation code.

Workaround

Defender Soft Token for OneLogin Protect can be activated using the QR code from the Self-Service section of the Defender Management Portal.

399821

A "Push notification rejected" error is observed for the timeout flow on the EAP client if the user has 3 or more tokens.

Workaround

Push notifications can be disabled for the EAP client. Alternatively, the user can be restricted to using only 2 tokens while using push notifications with the EAP client.

If both push notifications and more than 3 tokens must be used, the user can log in by restarting the authentication process after the timeout.

404010

Audit trail report does not display all the data from the DSS logs.

Workaround

Logs can be retrieved from the DSS log path or from the DSS logs section of the Management Portal.

325245

Defender users are unable to log in using a complex token policy with both FIDO2 and Android/iOS tokens.

Workaround

The user can either remove or disable the FIDO2 tokens, or use a token-only policy.

315618

Unable to register a FIDO2 token using the Firefox browser.

315541

Users see a blank token when a FIDO2 token is programmed and then deleted by the admin.

Workaround

Restart the DSS service.

316375

The Windows 2022 EAP client fails to connect with the error "wlanapi.dll" not found.

300642

Desktop login offline authentication shows the Windows login logo spinning before going back to the login screen.

Workaround

Increase the IdleTimeOut for the Windows Logon UI by creating the registry value below:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

  • Add a DWORD value named: IdleTimeOut

  • Set the decimal value to: 240000 (which equals 240 seconds)

This setting can also be deployed via Microsoft Group Policy; consult Microsoft's documentation on updating machine settings via GPOs.

339090
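The registry workaround above, written as an added PowerShell example (not code from One Identity or from these release notes) so it can be applied consistently and verified from an elevated session. The path, value name and 240000 (milliseconds) come from the workaround; everything else in the script is ordinary registry-provider handling.

```powershell
# Added example, not part of the Defender release notes: create the LogonUI IdleTimeOut
# value from the workaround for issue 339090 and read it back to confirm the type and data.
# Must run in an elevated PowerShell session because it writes under HKLM.
$path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
$name  = 'IdleTimeOut'
$value = 240000   # milliseconds, i.e. 240 seconds, as stated in the workaround

# Create the LogonUI key only if it is not already present
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Preserve a record of any existing value so the change can be reverted later
$existing = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
if ($null -ne $existing) {
    Write-Host "Existing $name = $($existing.$name); it will be overwritten"
    Set-ItemProperty -Path $path -Name $name -Value $value -Type DWord
} else {
    # REG_DWORD is the type the workaround asks for
    New-ItemProperty -Path $path -Name $name -Value $value -PropertyType DWord | Out-Null
}

# Verify: the data must match and the value kind must be DWord, not a string
$check = Get-ItemProperty -Path $path -Name $name
$kind  = (Get-Item -Path $path).GetValueKind($name)
if ($check.$name -eq $value -and $kind -eq 'DWord') {
    Write-Host "$name set to $value ms ($($value / 1000) s) under $path"
} else {
    Write-Error "$name was not applied as expected (data=$($check.$name), kind=$kind)"
}
```

Running it twice is harmless: the second run reports the existing value and rewrites the same data. Where the release notes suggest deploying the setting through Group Policy instead, the same key, value name and DWORD data apply.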

When a Windows Server 2012 R2 or Windows 8 machine is used to set up the Defender Desktop Login (DDL) component with the Soft Token for iOS/Android, the Resend button and the field to enter the passcode or the "push" keyword are not available if the push notification times out.

The user must restart the authentication process by providing the username and password.

298022

On a Hyper-V DDL client with the Soft Token for iOS/Android, certain policies display an incorrect message in the UI on push notification timeout if the username format used is "domain\username".

Workaround

Enter "username" instead of "domain\username" in the user name field.

298121

When a Windows Server 2012 R2 or Windows 8 machine is used to set up the DDL component with the Soft Token for iOS/Android, any complex policy combination of a token with a Defender or Active Directory password is not supported.

297740

An error message is displayed when the service account is configured using the UPN format in the Defender Management Portal.

Workaround

Use the sAMAccountName format instead of the UPN format.

122498

While installing the Defender Soft Token for Java on Windows, shortcuts are not created in the location specified during installation.

Workaround

Launch the Defender Soft Token for Java from the installation folder.

141508

Authentication to the GC/DC fails until the Defender Security Server service is restarted.

Workaround

Restart the Defender Security Server service manually.

142261

When a user logs in for the first time using the Defender Desktop Login provider, the system takes longer to respond after the token details are entered.

TFS784380

When trying to authenticate with the Defender ISAPI Agent, the following error occurs even if a valid token response is entered:

Error message: "Invalid token response. Enter a valid token response"

Workaround

The error message is displayed when the Defender ISAPI Agent is not configured correctly, for example when the connection to the Defender Security Server is specified incorrectly. Make sure that the Defender ISAPI Agent settings are configured correctly.

TFS783463

The user is not allowed to log in to the system when the group is renamed in Active Directory.

Workaround

The Admin user must log in to the client machine, then remove and re-add the group in the Defender Desktop Login configuration tool (GinaConfig.exe).

TFS781927

If the 'Test connection automatically' setting in the DSS configuration is enabled, a very large number of DSS logs may be generated.

Workaround

  • Workaround 1: Disable the 'Test connection automatically' setting.
  • Workaround 2: Make sure you have enough space for the DSS log files, and periodically delete old log files.

TFS712795
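Workaround 2 above amounts to a log-retention job, so here is an added PowerShell example of one (not code from One Identity or from these release notes). The DSS log directory, file pattern and retention period are not stated on this page, so the values in the script are placeholders and assumptions to be replaced with those of your installation.

```powershell
# Added example, not part of the Defender release notes: delete DSS log files older than a
# retention window and warn when the log volume is running low (Workaround 2, TFS712795).
param(
    [string]$LogDir     = 'C:\PLACEHOLDER\Defender\DSS\Logs',  # assumption: DSS log path is not given on this page
    [string]$Pattern    = '*.log',                              # assumption: DSS log file extension
    [int]   $RetainDays = 30,                                   # assumption: pick to match your retention policy
    [int]   $MinFreeGB  = 10,                                   # warn when free space on the log volume drops below this
    [switch]$WhatIf                                             # preview deletions without removing anything
)

if (-not (Test-Path -LiteralPath $LogDir)) {
    throw "Log directory '$LogDir' does not exist; check the DSS log path."
}

$cutoff = (Get-Date).AddDays(-$RetainDays)

# Only files last written before the cutoff are candidates; the file DSS is
# currently writing has a recent LastWriteTime and is therefore never selected
$old = @(Get-ChildItem -LiteralPath $LogDir -Filter $Pattern -File |
         Where-Object { $_.LastWriteTime -lt $cutoff })

$bytes = ($old | Measure-Object -Property Length -Sum).Sum
Write-Host ("{0} file(s) older than {1:yyyy-MM-dd}, {2:N1} MB to reclaim" -f $old.Count, $cutoff, ($bytes / 1MB))

foreach ($f in $old) {
    Remove-Item -LiteralPath $f.FullName -WhatIf:$WhatIf
}

# Report free space on the volume holding the logs so the disk does not fill up unnoticed
$drive  = (Get-Item -LiteralPath $LogDir).PSDrive
$freeGB = [math]::Round($drive.Free / 1GB, 1)
if ($freeGB -lt $MinFreeGB) {
    Write-Warning "Only $freeGB GB free on drive $($drive.Name); consider Workaround 1 (disable 'Test connection automatically') or a shorter retention period."
} else {
    Write-Host "$freeGB GB free on drive $($drive.Name)"
}
```

Run it first with -WhatIf to see which files would be removed, then schedule it (for example with Task Scheduler) under an account that has write access to the log directory. Keep the retention period at least as long as your audit requirements, since the audit trail report draws on these DSS logs.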

When a user using their GrIDsure token authenticates to a website protected by the Defender ISAPI Agent, they are unable to reset the PIP. This may happen if the user has other tokens assigned to them besides the GrIDsure token.

Workaround

Make sure that no other tokens are assigned to the user, if they are using the GrIDsure token for authentication.

TFS723423

"The user name or password is incorrect." error may occur even when the user logs in to the Defender Management Portal with correct credentials. This error message may appear if the domain controller is not available to the Management Portal.

Workaround

Make sure that the Active Directory functions correctly, and the machine with Defender Management Portal is able to reach a domain controller.

TFS588772

When authenticating via Defender, users may encounter the message "You must change your password before logging on for the first time" that prevents them from logging in. This may occur if the user's password has expired and the Defender security policy is set to use the proper name or Defender ID for authentication.

Workaround

Do one of the following:

  1. Allow users to change their expired passwords using some other means.
  2. Change the Defender security policy to use a SAM account name or UPN for authentication.

TFS366713

When a user attempts to log on to a computer protected by Defender Desktop Login with a GrIDsure token for the first time the following error may appear: "Access Denied." This may occur if the user uses an alternate UPN suffix.

Workaround

Switch the user to use the default UPN suffix during the logon procedure.

TFS366722

An attempt to authenticate users using a VIP credential may fail in a child domain, when the VIP credential certificate is installed only in the root domain.

Workaround

Install the VIP credential certificate in the child domain.

TFS366743

A user, authenticating via Defender Password for the first time, is not prompted to change the password, even though the corresponding option was selected when the password was assigned to the user. This may occur if Defender Password expiration is not enabled in the corresponding security policy.

Workaround

Edit the corresponding security policy object in the Administration Console and enable expiration of the Defender Password.

TFS366794

To change the user ID setting on an access node, the DSS Service must be restarted.

Workaround

Restart the Defender Security Server service. You can use the Defender Security Server Configuration utility to do this.

TFS366822

When attempting to log on to a computer protected by Defender Desktop Login as a local user, you may see the following confusing error message: "The Defender Security Server could not log you on as your system administrator has denied you the right to log on locally."

Workaround

This error message indicates that you cannot log on as a local user without Defender authentication.

TFS366824

A user may encounter an error when trying to change the PIN on a token. This issue may occur if a GrIDsure token is also assigned to that same user.

Workaround

Make sure that users who are assigned a token with a PIN do not have a GrIDsure token assigned to them.

TFS366941

The Token Program wizard in the Defender Administration Console may skip pages and produce errors. This may occur when two or more instances of the Administration Console are running at the same time on the same computer.

Workaround

Use only a single instance of the Defender Administration Console and close the other instances.

TFS417432

When you assign a token to a user in the Administration Console, the token may fail to immediately appear in the user's list of tokens.

Workaround

This behavior is due to the replication latency in Active Directory. View the list of tokens after the changes have been replicated.

TFS417457

After you change the user's token list in the Management Portal (e.g. assigning a token to the user, or unassigning a token), the list of tokens may remain unchanged.

Workaround

This behavior is due to the replication latency in Active Directory. View the list of tokens after the changes have been replicated.

TFS417714

When using the Management Portal to unlock an account locked by Defender (not Windows), you may see a confusing confirmation message about resetting the violation count.

Workaround

When you unlock an account locked by Defender, the violation count is automatically reset as well.

TFS420395

When accessing the Management Portal for the first time, it is possible to access the Defender reports site, but the reports are non-functional. This may happen because the Management Portal service account has not yet been configured.

Workaround

Navigate to the Management Portal Administration user interface and configure the service account.

TFS421707

When you point the mouse cursor at the "Authentication requests by DSS" diagram in the Management Portal Dashboard, the tooltip may list an incorrect value, while the diagram displays the correct value for the number of authentication requests.

Workaround

Do either of the following:

  1. Use the value on the diagram.
  2. Reload the web page (CTRL+F5) to update the value in the tooltip.

TFS421715

When you use the Defender Integration Pack for ActiveRoles, the Defender license allocation value seen in the ActiveRoles Administration Console may differ from the values in the Defender Administration Console. This may occur in a multi-domain environment when ActiveRoles Server accesses a domain using a domain controller that is not a global catalog.

Workaround

Use the values in the Defender Administration Console; these are the correct values.

TFS429274

When you program mobile software tokens using the Defender Integration Pack for ActiveRoles, the option to program the tokens in challenge-response mode is available. Selecting this option may produce an error.

Workaround

Defender software tokens for mobile devices currently do not support challenge-response mode. Ignore this option.

TFS431278

When trying to access a site protected by the Defender ISAPI Agent, you may see the following error: "Calling LoadLibraryEx on ISAPI filter failed." This may occur if the web site protected by the ISAPI Agent is a 32-bit site running on a 64-bit IIS.

Workaround

If you need to run a 32-bit web site, consider running it on a 32-bit computer with a 32-bit IIS and install the 32-bit version of the Defender ISAPI Agent.

TFS435240

When you enter a verification code when requesting a software token through the Self-Service Portal, you may see the following confusing error message: "The link has expired."

Workaround

This error message means that the verification code has expired.

Start over by requesting a software token.

TFS436701

In an environment where the Defender EAP Agent is used in conjunction with the Soft Token for Windows, the passcode from the token may not be accepted when establishing a VPN connection. This issue occurs when the Soft Token for Windows is programmed in challenge-response mode.

Workaround

Program the Soft Token for Windows in synchronous mode.

TFS439473

The Defender EAP Agent may not integrate with the Soft Token for Windows to retrieve the token response automatically. This issue occurs on a 64-bit operating system.

Workaround

Launch the Soft Token for Windows, and enter the passcode in the VPN client manually.

TFS441655

Users who are directly assigned to an access node cannot be moved to a different OU.

Workaround

Un-assign the user from the access node, move the user, and then assign the user back to the access node. To prevent this issue, assign groups rather than individual users to access nodes.

TFS452765

When Defender EAP Agent is used with a VPN connection, the dialog box to enter the token response does not appear. This issue may occur if EAP Agent is installed on a computer running Windows 10 operating system.

Workaround

Use the EAP Agent installed on a computer running an operating system other than Windows 10.

TFS462928

When you try to uninstall the Defender Soft Token for Java, the uninstallation wizard may finish successfully, but no application files are removed. This may occur on computers running Windows 8 or later with User Account Control enabled.

Workaround

Open the command prompt as administrator and run the following command: java -jar <path to uninstaller file>

TFS487077

When configuring the option "Use service account for all actions" in the Management Portal settings, the 'Save' button is not enabled to save the changes.

Workaround

Re-enter and re-confirm the service account password to enable the 'Save' button.

TFS504067

When searching for tokens in the Management Portal, a token is displayed as assigned to a single user, even though the token is assigned to more than one user. This occurs when Internet Explorer is used as the browser.

Workaround

Use a different supported browser.

TFS504432

When trying to authenticate through the ISAPI Agent, the following error is displayed: "Invalid Token Response.", even though you have entered the correct token response. This occurs when the DSS is unavailable.

Workaround

Make sure that the DSS is available and retry the login attempt.

TFS591408

When Web Service API is the only Defender component installed on a computer, it does not work.

Workaround

Install Defender Management Shell or Management Portal component on the same computer.

TFS597986

After upgrading to the latest version of the Web Service API, both the old and the new versions of the component are present in Windows "Installed Programs" list.

Workaround

Only the latest version gets installed. You can ignore the old version that is listed.

TFS598397

When requesting an SMS token through the Self-Service Portal, the Program Token wizard finishes successfully, but the token is not assigned. This occurs when out-of-band verification is used and the verification link is opened on a device different from the original one.

Workaround

On the final page of the Program Token wizard, click Back, click Next, and then click Finish.

TFS598605