Version 7.1.1.20240801 (August 01, 2024)
Bug Fixes
- The max number of devices option in the DeviceID policy left unassigned devices in the repository (5679)
- Cannot create a helpdesk role with only lock/unlock permission (5713)
- Removed the "/sso/version.txt" page (5728)
- In RADIUS login, OOBA timeout causes the user account to be locked (5730)
- Fixed the "Cannot get property 'user' on null object" error when scanning an expired QR code (5750)
Version 7.1.0.20240702 (July 10, 2024)
...
- Add support for GSSAPI in the LDAP connection to Active Directory servers
- Add the UI to manage system and server jobs in the Admin Console (5237)
- Exclude non-Windows devices from the desktop to Web SSO (5492)
- Improve the UI for replacing the SSL certificate of the Web consoles (5494)
- Improve the UI for managing server certificates (5495)
- Add a new set of options for the network access control in the Computer Logon Client policy (5509)
- Make the UI of the application index page customizable (5524)
- Authentication Server upgrade will not overwrite custom cipher cypher settings in the server.xl file (5566)
- Support SAML logout using HTTP-Redirect (5613)
- Add a new task for monitoring COPU load (5672)
- Add a new button to reload the license count (5688)
Bug Fixes
- The Server Certificates repository displays duplicated certificates (5496)
- SAML attributes disappear after cloning a Service Provider (5496)
- Issues with Authentication Activity Report when adding Timestamp in Condition Builder (5530)
- Log fields are empty in exported audit logs (5533)
- log4j 1.x file was accidentally re-included in the previous update (5541)
- LDAP connection failure on one identity source could bring down other services that are not directly connected to the identity source (5562)
- Fixed some issues in the SSO Federation (5591, 5592, 5616)
- Hiding domain selection caused the SSO Federation to fail (5517)
- DAS throws an exception when the RADIUS EAP certificate is missing or invalid (5691)
- Error: Cannot get property 'certificateServercertificate server' on null object (5691)
Version 7.0.0.20240411 (April 08, 2024)
...
- Password is encrypted in the communication between the SSO frontend and the SSO backend server (5306)
- Add the support of implicit UPN, i.e. a username can only can be treated as either a SAMaccount name or a an implicit UPN (5347)
- Add a new role permission ('Verify' in the 'User' object) for DHV (DualShield Helpdesk Verification) console (5370)
- Add options in the User Identity policy to control how X-User-Identity should be handled (5398)
- Change the DualShield installation on Linux OS to support systemd service (5418)
Bug Fixes
- 2FA could be bypassed by attacking the username in the Outlook Agent-Based 2FA (5365)
- The 2nd step was skipped if the 1st step was set to Computer Fingerprint in the Outlook Agent-Based 2FA (5385)
- The DualShield service was unable to automatically start in Ubunto Ubuntu 20.04 (5312)
- The geolocation feature on MobileID Push Notification did not consider reverse proxy (5322)
- The device filter feature in the Logon policy did not work properly (5356)
- Query is not saved in the Condition Builder when the value is set to 0 (5459)
- Unable to change the type of a logon procedure (5211)
- The "Export MobileID Tokens" task shows success even when it failed (4280)
- Fixed the error "org.hibernate.exception.SQLGrammarException: could not get table metadata: user_device" (5209)
- Updating the "Entity ID" of the SSO server is not reflected in the SSO metadata output/export (5399)
- Fixed the error "An internal error occurred in the Microsoft Internet extensions" related to localStorage (5397)
- Duplicated DevciePass tokens were created when the connection speed was slow (5445)
...
- Enroll ActiveSync devices via Mdm (4838, 4959)
- Application Diagram (4825)
- Supports iframe in the SSO customization fields such as Header, Footer etc (4647)
- Added an option in the Logon Procedure to support the Verify Host OTP mutual authentication (4772)
- Added an option in the Admin Console for changing the port number of the SSO service (4494, 4901)
- Export policy to XML file (4905)
- Present DHV (DualShield Helpdesk Verification) as a popup window (4906)
- Improve the UI of role permissions
- Support passwordless authentication via PKI certificate (5037)
- Automate the logon step with Computer Fingerprint method and DevicePass token (5207)
- Search users in multi-domains in a realm by a pre-defined order (5242)
- Failthru now supports MSCHAP2 (5273)
Bug Fixes
- Drop-down menus are displayed out of place (5126)
- Long context menus are cut off in low-res screens (5166)
- Some contents in the Modern Authentication window are not displayed correctly (5167)
- Logon session times out immediately with F5 (5186)
- Fixed two-way authentication via OTP (4766)
- changing the password of internal users took effect after 5 minutes (4812)
- SSO did not work in OWA with multiple URL bindings (4962)
- DSC - always jumped to the token page after logging in even if the feature is disabled in the user's role (5033)
- Fixed several issues in the download token function on the MobileID desktop application (5065)
- Logout dialog flashed twice in DSC & DHV modules (5074)
- Fixed input focus issue on SSO screen when 'Prevent Name Guessing' is enabled (5096)
- An alert with 'Contains' parameter blocked Audit logs (5126)
- DAC - Replacing certificate returned error 471: Invalid certificate or bad password: java.io.IOException: keystore password was incorrect (5067)
- DAC - Image Repository: 500:java.lang.String cannot be cast to java.lang.Long (5206)
- DAC - Audit Log - log.Log null (5236)
- SSI - Windows Logon - error: Could not initialize proxy - no session (5271)
- Paralles/2X client - error: No tokens available on account (5275)
- verbose error messages vulnerability (5279)
- HSTS not applied to the endpoint /SSO (5293)
Version 6.8.1.20230919 (September 19, 2023)
Bug Fixes
- Users with custom attributes got the error "500:attrdef" at SSO login (5023)
- On the DualShield Deployment Service (DDS) portal, the icons of "request activation codes" were not displayed properly (5021)
Version 6.8.1.20230906 (September 06, 2023)
Bug Fixes
- A time zone that has multiple region names was not displayed correctly (4863)
- SMS provider, Esendex, stops working after upgrading to DualShield to 6..8.0 (4916)
- In the admin console, the access to the display of the token's credential data and QR was not correctly controlled by role permissions (4890)
- In the Admin Console, when the user has not permission to display QR code, it still tries it every 30 seconds. (4952)
- In the Admin Console, the function of pushing tokens was not correctly controlled by role permissions
- A role with a resident domain can see other domains (4923)
- A role with the permission view audit logs for a specific domain only did not work correctly (4979)
- In the role permission scope list, a domain or unit name that contains dot (.) causes ambiguity in scope definition (4926)
- The "Change Status" permission did not work correctly in token assignment (4961)
- In the Admin and Service consoles, the drop-down menu was displayed out of place (4963)
- Log fields were not included in syslog (4991)
...
Version 6.8.0.20230811 (August 11, 2023)
Bug Fixes
- Unable to create more than one domain-bound policy per category (4881)
- A role with the resident unit scope could see the names of other units (4880)
- fixed the error "user_agent column is too short" (4884)
- In Outlook Anywhere, some users occasionally got multiple Device IDs (4902)
...
- DualShield Helpdesk Verification (DHV) module that allows helpdesk operators to verify user's identity in realtime with MFA (3859)
- DeviceID can be manually enrolled by the system admins using the Admin Console (4654)
- DevicePass is supported in the Agent-Based Outlook MFA without the need to install the Device Manager (4721)
- Added a new option to the User Identity Policy to allow the use of both email and UPN as the login name (4849)
- Added token assignment to the bulk token import (4655)
- Added bulk activate and bulk disable functions to the Device Quarantine (4667)
- Added auto refresh feature to the Device Quarantine list (4753)
- Improved the UI of the Message Templates in the Admin Console (4186)
- Added user search in the LDAP test facility (4407)
- Added Import & Export functions to the Resource Editor (4550)
- Added the Language Pack function to support any language (4549)
- Improved UI customization - removed the option "Keep this field empty" from text fields and added the option "Use system default value" for image fields. (4555)
- Removed port 80 from server.xml (4579)
Bug Fixes
- Dead loop caused by the Message Gateway Not Available alert (4139)
- Multiple policies of the same type could be added to a group/unit/user (4156)
- Upgrading from v5.9 to v6.7 failed with error "NullPointerException" (4619)
- Outlook 2FA Agent failed to remember DevicePass as the last login method (4685)
- Outlook 2FA Agent got the error "Attribute not found in the session" (4687)
- The error message "The application's global logon procedure is not found" was incorrectly inserted in the Audit Logs (4737)
- Error 500 when deleting identity attributes for internal domains (4739)
- Fixed CVE-2019-17267: "Unspecified vulnerability in FasterXML jackson-databind" (4748)
- Bypassing 2FA by changing the DASApplicationID (4455)
- CPU hogs in background jobs (4749)
- Customized challenge message in the Mobile Policy is not used in SSO (4758)
- Fixed Safe Mode Login when captcha is enabled (4421)
- Registering FIDO2 token failed with error "could not initialize proxy - no Session" (4499)
- Failed to load SSO page in Android WebView (4510)
- Syslog stopped working in v6.7 (4530)
- Fixed key input focus in several places in the SSO login process (4808)
- Fixed the issue of dropdown menus being out of place in the Admin and Self-Service consoles (4857)
- Cannot delete the last login user device (4680)
Error 500 "Cannot invoke method save() on null object" when changing FQDN (4570)
...
- Support Let's Encrypt on port 443 (4137)
- FIDO2 keys can be enrolled by the administrator using the admin console (4187)
- New option in the Application's settings to hide domain selection (4329)
- Extended the system health check task to check SSO & RADIUS certificate expiration date and notify the administrator (4391)
- Added a new SMS provider to support sending SMS messages via Exchange emails (4495)
Bug Fixes
- Syslog did not work in v6.6 (4527)
- MFA could be bypassed by changing the DASApplicationID (4445)
- RD Gateway OOBA: users exempted from MFA got the "Password cannot be empty" error (4438)
- A FIDO2 key was able to be registered multple times (4444)
- The SSO login page could not be loaded in Android WebView (4510)
- Fixed following errors
- "NoSuchElementException: Cannot access first() element from an empty List" (4478)
- "Cannot cast object '0.0' with class 'java.lang.String' to class 'java.lang.Double" (4480)
- "Could not initialize proxy - no Session" (when try to register a FIDO2 token) (4499)
...
- Resource Editor for customizing any text in any language
- New message templates for token deactivation notice
- Supports login name format of "username@netbiosname" (4144)
- Move the credential provider filter from the computer logon client policy to the agent policy (4160)
- Improved performance of event logs (4202)
- Updated JQuery in the AppSSO module (4203)
- Added a new callback URL as a parameter to the SSO's logout URL (4231)
- Added a new "Logout URL" option to SSO Service Provider to be called at logout (4235)
- Reordered the SingleLogoutService URLS in the IDP Metadata (4279)
Bug Fixes
- Remember last login method did not always work (3957, 4290)
- SSO failed to prompt the PIN dialog when user verification is required (4150)
- FIDO2 registration failed with the error `Incorrect origin` if the reverse proxy is enabled in the IIS Agent (4153)
- Fixed several errors related to Oracle SQL (4194, 4196, 4288)
- OOBA completion caused an infinite loop (4204)
- Updating from Das v5.9.x to Das 6.5.5 caused the legacy DSS module to break (4286)
Version 6.5.5.1121 (November 21, 2022)
Bug Fixes
- SSO got stuck on the last step (4077)
- Some prompt and error messages were truncated ending "{0}" (4102)
...
Version 6.5.5.1028 (October 28, 2022)
Bug Fixes
- Error "Unknown Algorithm Name: PROX/TOTP" when upgrading from DualShield 5.9.x to DualShield 6.5.x (3991)
- Error "org.hibernate.NonUniqueObjectException" (3990)
- Error "java.lang.NullPointerException: Cannot invoke method tokenize() on null object" occurred when a new computer logon client is connected with an old MFA server (3984)
- Error "Cannot get property 'category' on null object" (4050)
- The Reset Password Service got an exception error when UPN was used as the login name (3993)
- The MFA server failed to initialize when AWS MySQL is being used (4025)
- The username autofill did not work in the Activate module in the DualShield Deployment Service (DDS) did not work (4033)
- Changing FQDN on Linux failed (4045)
...
Version 6.5.4.0914 (Sept 14, 2022)
Bug Fixes
- Fixed a compatibility issue with the old versions of the DualShield Windows Logon client that caused error "Cannot set property 'ip' on null object" (3980)
...
Version 6.5.4.0909 (Sept 09, 2022)
Bug Fixes
- Outlook Anywhere occasionally created duplicated user accounts (3912)
- FIDO did not work with Safari on MacOS (3939)
- Failed to change AD user password via RADIUS/MS-CHAP (3950)
...
Version 6.5.3.0722 (July 22, 2022)
Bug Fixes
- The option "Sign on SAML Response" was wrongly enabled by default for IIS applications, and caused the issue "OWA Error - Invalid SAML Response: Signature wrapping attack, wrong URI...". It is now disabled by default (3823)
- The user agent filter in Logon policy doesn't work for WEB SSO (3789)
- SSO user interface customization did not work in some circumstances (3797)
- Creating authorization code in the admin console did not work (3805)
- in the SendOTP API, password is transmitted in clear text
- Deleted tokens were still listed in the service console (3827)
- After a user was access denied, switching to a different user was still access denied (3843)
- In the safe mode, all access control policies were still effective (3852)
...
- Added support for reCAPTCHA (3510)
- Added support for FIDO2 (3727)
- Added support for "StaticPass + OTP" in logins from non-RADIUS clients, e.g. LDAP Broker
- Added access control by the user device (3780)
- Added access control by geo velocity (3811)
- Added device filter to the logon policy (3496)
- Added geo velocity filter to the logon policy (3810)
- Added user sign-in device management in the admin console (3515)
- Version 6.5.2.0620 (June 20, 2022)
- Add the token name to the QR code of the MobileID token (3844)
- Repetition is disallowed in free navigation in GridID (3819)
Bug Fixes
- A bug in the WS-Federation protocol handler caused Office 365 Federated SSO to stop working properly (3794)
- Change to the "wreply" attribute in SSO Service Provider didn't take effect until the service restarted (3793)
- An incorrect policy could be used when there are multiple domains in a realm (3775)
- If an AD group is renamed, it became invisible in the DualShield admin console (3763)
- Web SSO could sometimes mistakenly use the DNA logon procedure (2416)
...
Version 6.5.2.0601 (June 01, 2022)
Bug Fixes
- Upgrading failed with SQL error when Dualshield is connected to an MS-SQL 2014 server (3757)
- IIS apps, e.g. OWA, got the error "Invalid SAML Response: Signature verified failed" after upgrading to DualShield 6.5.1 (3750)
- When signing in from a new device with an Outlook client, it doesn't trigger the device registration alert
- Cross-origin resource sharing: arbitrary origin trusted (3730)
- Logon request timed out in OOBA call in a system with 2 or more Dualshield backend servers (3734)
- The option InResponseTo was not functional and the attribute was always included in the SAML response (3484)
- Extra 'S' in the SSO URL after using the change FQDN feature to change the HTTP protocol (3658)
- Failed to generate the SAML response when both assertion and response are ticked for signature (3699)
- Did not include ClientIP in intrusion alert (3713)
- Import a full-chained certificate gets the error: Certificate not chained (3745)
- Assigning token in DAC got null pointer exception (3746)
- False error messages in das6.log: "The application's global logon procedure is not found: Desktop SSO" (3751)
- The DualShield Service Console displays Error 404 when the user has no permission in Token and Account in the Self Service Policy (3754)
- Reset token successfully but there is no confirmation on the screen at all (3756)
...
- Support Microsoft Remote Desktop Web Client (3674)
- Support TLS 1.3 (3703)
- MS-SQL JDBC driver upgraded to 10.2 (3681)
Bug Fixes
- DualShield with SQL server database upgrading to v6.5.0 failed (3671)
- Deleting and re-adding DeviceID tokens in the same user account caused the license count to increment (3488)
- The user search filter stopped working after moving to the next page (3645)
- Login via the Deepnet Authenticator (DNA) sometimes caused a deadlock (3653)
- OOBA by SMS and Call did not work in v6.5.0 (3679, 3880)
- The "Users have been inactive for n days" did not work (3690)
...
- DeviceID registration and renewal verification using Deepnet Authenticator (3469)
- Introduced DeviceID renewal (3469)
- Improved extraction of DeviceID properties (3473, 3525, 3563)
- Added FIDO2 support (3420)
- Travel velocity detection (3017)
- Replaced log4j with logback in the authentication server module (3447)
- Replaced log4j with logback in the certificate server module (3441)
- Upgraded log4j from 1.2.17 to 2.17.2 in the management console module (3451)
- New Device Sign-in support for Outlook Anywhere and ActiveSync (3516)
- New Device Sign-in support for Computer Logon (3528)
- New Device Sign-in support for Deepnet Authenticator (3529)
- Automatically renew the SSO certificate when the associated let's encrypt certificate has been renewed (3564)
- DualShield Deployment Service - support incoming username as a URL parameter 'username' (3582)
- DualShield SSO - support incoming username as the NameID attribute in the SAML request (3612)
- DualShield SSO - upgraded jquery to 3.6.0 (3590)
- Added "Send Activation Code via email" for DeviceID
Bug Fixes
- Failed to save the Product value in the task 'delete token by product' (3415)
- Error - "500:no enum constant com.deepnet.das.util.LogicalOperator", when navigating to Reports (3463)
- Error - "Gateway type not matched for TELEPHONE" in the Admin Console (3489)
- DualShield Service Console - user-defined token properties were not displayed for T-Pass and MobileID (3545)
- User's external status (Active/Disabled) change not reflected immediately (3561)
- Querying available channels for activation code raised exception (3565)
- LDAPBroker integration error: No signature of method (3569)
- In push token email, QR-Code is always included (3620)
- Searching LDAP user by internal attribute didn't work (3621)
- After LDAP user's internal attributes have been updated, DAC always shows the old values (3624)
Version 6.4.20.1215 (December 15, 2021)
Bug Fixes
- Failed to create new tokens for users who have no tokens (3438)
- Failed to work with DualShield IIS Agent if FQDN was changed in the past (3437)
- Log4J upgraded to 2.16 (3439)
...
- Add support for external SQL based user directory, e.g. Keycloak (3344, 3346)
- Release DualShield MyVD (Beta)
Bug Fixes
- In SSO, the delivery channels for the activation code were missing (3393)
- In SSO, error when attempting to register FIDO keys with PIN enabled (3328, 3376)
- In DAC, group search in the policy window did not work
- In DAC, executing the AUthentication Activity task failed (3414)
...
- Support Let's Encrypt
- Support Deepnet Authenticator in RADIUS logon
- Support UAC Prompt in the Windows Logon 6.2 and the Computer Logon 1.3
- Support Network Drive Map in the Windows Logon 6.2 and the Computer Logon 1.3
- Add new device access notification
- Add token assignment expiration notification
- Improve FQDN change and certificate change and renewal
- Improve performance in AD group membership lookup when there is a larger number of nested groups
- Administrators can generate the Authorisation Code in the admin console
- Tokens can be exported from the server and import into the Computer Logon Client to be used for offline logon
- Support SID as a form of user's login identity, along with SAM account name, down-level domain logon name and UPN
- Return a RADIUS attribute with multiple values as multiple attributes of the same name
Bug Fixes
- German umlaut letters caused errors in OOBA push authentication
- Audit Logs were not exported according to the display filter
- Preview of User Interface Customisation did not work properly
- MS-SQL deadlock at a high volume of traffic
- QR code is not displayed in Gmail
- Mapping the Personal Email identity attribute to an AD attribute got the error "Attribute is intrinsic"
- Intrusion Alert did not work
- WINSSO caused exception
- MobileID OOBA push message did not beep
- Renewing a self-signed certificate resulted in different self-signed certificates in different DualShield servers in a cluster
- Unable to set a default pin in token polices
- GridID asks for resetting path even if the mode is set to free navigation
- At login, the answer in Q&A was visible
- Many minor issues were fixed in the Admin Console
...
- Expiration notification service for AD password
- Device Quarantine UI for DevicePass, DeviceID and DeviceCert
- Organizations and users can publish custom applications on the SSO portal and Self-Sevice console.
Bug Fixes
- DualShield root CA did not have a CN
- When FQDN is being changed, its self-signed certificate is not updated
- In some cases, OOBA doesn't work on iOS devices if there are multiple DualShield servers in the system
- Alert messages do not appear in the Inbox
- Occasionally, creating a group policy caused Hibernate lazy init error
- On the DevicePass and DeviceCert activation page, Contact Info is missing
...
- Expiration notification service for token PIN and PATH
- Add "last access ip" into token
- Auto refresh user status after lockout period ends
- If the token does not have PIN, hide the "PIN" entry box
- Make "Enable Agent Registration" persistent across all DAS instances
- New UI for RADIUS server EAP options
- Add "System Info" to show info such as the version of Java, Tomcat and MySQL
- Enhance the Self-Service Policy so that the Self-Service Console can be completely customised
Bug Fixes
- At RADIUS logon, token auto provisioning did not work
- FaceSense enrollment shows black image on Mac
- Cannot download HOTP token in Deployment Service
- Scan QR code of HOTP token results "null in ocraSuite" error
- QR code of Google Authenticator was not displaying in the Deployment Service if Authorization Code is required
- Several reflected XSS in DSC, DUA and DRP modules
- Tomcat 9 error 400 includes the Tomcat version
- A possible hibernate SQL injection in the message search function in DAC and DMC
- After upgrade to 6.0, some newly tokens cannot be seen in the user account
- SAML SP attribute entry box does not accept manual entry
- Agent's Public URL cannot be set to empty
- Upgrading 2 DualShield servers simultaneously caused optimistic lock error
Version 6.1.0.0304
Bug Fixes
- Failed to register RADIUS server
- Failed to install DualShield on a machine where JAVA is already installed
- Unable to edit Radius Client when it is connected to multiple Radius Servers
...
- Deepnet Authenticator is now available for Web and Cloud applications
- New authentication method DeviceCert is now available for Web, and Cloud application as well as Modern Authentication for Office clients
- Smartcard certificate authentication method is now also available for Web and Cloud applications
- Changing FQDN is now availbale within the admin console.
- Changing and Renewing the certificate of the web consoles is now available within the Admin Console
- New option "Download Token in MobileID App" added to the MobileID policy
- New option "Remember last login username" added to the Logon policy
- New option "Remember last login methods" added to the Logon policy
Bug Fixes
- Downloading token from the MobileID app was malfunctional
- Remembering last logon methods did not work in a multi-step logon procedure
- Disabled users were allowed to reset password
- The system admin account (SA) was not allowed to login when the license key has expired
- Application Self Test failed with an incorrect error message
- The QR code for the Google and Microsoft Authenticator did not work
- Office 365 ECP login did not work
- Unable to add Base DN when creating a new Identity Source of OpenLDAP
- Password Reset did not work in OpenLDAP (ClearOS)
- Radius server association was lost after editing a radius client
- Selecting "MS-CHAP2" in RADIUS authentication caused RADIUS authencation to fail
- Installing DualShield on Linux without legacy components would fail
- The value of RelayState was not URL encoded
- HTTP proxy did not work
- SAML response did not include the correct value of the SAML attribute "SessionNotOnOrAfter", causing some SPs to terminate sessions within 5 minutes
- A CORS related issue
- Trying to unregister OOBA from the MobileID app caused a JSON error
- In the admin console, some passwords such as the Access User in the Identity Source was included in the data stream
- On an iOS device clicking "Download App" in DualShield Deployment Service (DDS) console took the user to Google Play
...