Version

...

7.0.0.20240328 (April 08, 2024)

New Features & Improvements

• Password is encrypted in the communication between the SSO frontend and the SSO backend server (5306)
• Add the support of implicit UPN, i.e. a username only can be treated as either a SAMaccount name or a implicit UPN (5347)
• Add a new role permission ('Verify' in the 'User' object) for DHV (DualShield Helpdesk Verification) console (5370)
• Add options in the User Identity policy to control how X-User-Identity should be handled (5398)
• Change the DualShield installation on Linux OS to support systemd service (5418)

Bug Fixes

• 2FA could be bypassed by attacking the username in the Outlook Agent-Based 2FA (5365)
• The 2nd step was skipped if the 1st step was set to Computer Fingerprint in the Outlook Agent-Based 2FA (5385)
• The DualShield service was unable to automatically start in Ubunto 20.04 (5312)
• The geolocation feature on MobileID Push Notification did not consider reverse proxy (5322)
• The device filter feature in the Logon policy did not work properly (5356)
• Query is not saved in the Condition Builder when the value is set to 0 (5459)
• Unable to change the type of a logon procedure (5211)
• The "Export MobileID Tokens" task shows success even when it failed (4280)
• Fixed the error "org.hibernate.exception.SQLGrammarException: could not get table metadata: user_device" (5209)
• Updating the "Entity ID" of the SSO server is not reflected in the SSO metadata output/export (5399)
• Fixed the error "An internal error occurred in the Microsoft Internet extensions" related to localStorage (5397)
• Duplicated DevciePass tokens were created when the connection speed was slow (5445)

Version 6.9.0.20240119 (January 19, 2024)

New Features & Improvements

• Enroll ActiveSync devices via Mdm (4838, 4959)
• Application Diagram (4825)
• Supports iframe in the SSO customization fields such as Header, Footer etc (4647)
• Added an option in the Logon Procedure to support the Verify Host OTP mutual authentication (4772)
• Added an option in the Admin Console for changing the port number of the SSO service (4494, 4901)
• Export policy to XML file (4905)
• Present DHV (DualShield Helpdesk Verification) as a popup window (4906)
• Improve the UI of role permissions
• Support passwordless authentication via PKI certificate (5037)
• Automate the logon step with Computer Fingerprint method and DevicePass token (5207)
• Search users in multi-domains in a realm by a pre-defined order (5242)
• Failthru now supports MSCHAP2 (5273)

Bug Fixes

• Drop-down menus are displayed out of place (5126)
• Long context menus are cut off in low-res screens (5166)
• Some contents in the Modern Authentication window are not displayed correctly (5167)
• Logon session times out immediately with F5 (5186)
• Fixed two-way authentication via OTP (4766)
• changing the password of internal users took effect after 5 minutes (4812)
• SSO did not work in OWA with multiple URL bindings (4962)
• DSC - always jumped to the token page after logging in even if the feature is disabled in the user's role (5033)
• Fixed several issues in the download token function on the MobileID desktop application (5065)
• Logout dialog flashed twice in DSC & DHV modules (5074)
• Fixed input focus  issue on SSO screen when 'Prevent Name Guessing' is enabled (5096)
• An alert with 'Contains' parameter blocked Audit logs (5126)
• DAC - Replacing certificate returned error 471: Invalid certificate or bad password: java.io.IOException: keystore password was incorrect (5067)
• DAC - Image Repository: 500:java.lang.String cannot be cast to java.lang.Long (5206)
• DAC - Audit Log - log.Log null (5236)
• SSI - Windows Logon - error: Could not initialize proxy - no session (5271)
• Paralles/2X client - error: No tokens available on account (5275)
• verbose error messages vulnerability (5279)
• HSTS not applied to the endpoint /SSO (5293)

Version 6.8.1.20230919 (September 19, 2023)

Bug Fixes

• Users with custom attributes got the error "500:attrdef" at SSO login (5023)
• On the DualShield Deployment Service (DDS) portal, the icons of "request activation codes" were not displayed properly (5021)

Version 6.8.1.20230906 (September 06, 2023)

Bug Fixes

• A time zone that has multiple region names was not displayed correctly (4863)
• SMS provider, Esendex, stops working after upgrading to DualShield to 6..8.0 (4916)
• In the admin console, the access to the display of the token's credential data and QR was not correctly controlled by role permissions (4890)
• In the Admin Console, when the user has not permission to display QR code, it still tries it every 30 seconds. (4952)
• In the Admin Console, the function of pushing tokens was not correctly controlled by role permissions
• A role with a resident domain can see other domains (4923)
• A role with the permission view audit logs for a specific domain only did not work correctly (4979)
• In the role permission scope list, a domain or unit name that contains dot (.) causes  ambiguity in scope definition (4926)
• The "Change Status" permission did not work correctly in token assignment (4961)
• In the Admin and Service consoles, the drop-down menu was displayed out of place (4963)
• Log fields were not included in syslog (4991)

Improvements

• Downgraded Angular to v11 in the DualShield SSO, in order to support the embedded IE browser window used in some applications such as Outlook, Box etc. (4988)
• In the role permission object list, a root or intermediary object  is now not selectable (4939)
• Enhanced permission control for the Resource Editor (4938)
• Applying the global Access-Control by Location Policy before querying in the RADIUS logon process (4988)

Version 6.8.0.20230811 (August 11, 2023)

Bug Fixes

• Unable to create more than one domain-bound policy per category (4881)
• A role with the resident unit scope could see the names of other units (4880)
• fixed the error "user_agent column is too short" (4884)
• In Outlook Anywhere, some users occasionally got multiple Device IDs (4902)

Version 6.8.0.20230731 (July 31, 2023)

Features & Improvements

• DualShield Helpdesk Verification (DHV) module that allows helpdesk operators to verify user's identity in realtime with MFA (3859)
• DeviceID can be manually enrolled by the system admins using the Admin Console (4654)
• DevicePass is supported in the Agent-Based Outlook MFA without the need to install the Device Manager (4721)
• Added a new option to the User Identity Policy to allow the use of both email and UPN as the login name (4849)
• Added token assignment to the bulk token import   (4655)
• Added bulk activate and bulk disable functions to the Device Quarantine (4667)
• Added auto refresh feature to the Device Quarantine list (4753)
• Improved the UI of the Message Templates in the Admin Console (4186)
• Added user search in the LDAP test facility (4407)
• Added Import & Export functions to the Resource Editor (4550)
• Added the Language Pack function to support any language (4549)
• Improved UI customization - removed the option "Keep this field empty" from text fields and added the option "Use system default value" for image fields. (4555)
• Removed port 80 from server.xml (4579)

Bug Fixes

• Dead loop caused by the Message Gateway Not Available alert (4139)
• Multiple policies of the same type could be added to a group/unit/user (4156)
• Upgrading from v5.9 to v6.7 failed with error "NullPointerException" (4619)
• Outlook 2FA Agent failed to remember DevicePass as the last login method (4685)
• Outlook 2FA Agent got the error "Attribute not found in the session" (4687)
• The error message "The application's global logon procedure is not found" was incorrectly inserted in the Audit Logs (4737)
• Error 500 when deleting identity attributes for internal domains (4739)
• Fixed CVE-2019-17267: "Unspecified vulnerability in FasterXML jackson-databind" (4748)
• Bypassing 2FA by changing the DASApplicationID (4455)
• CPU hogs in background jobs (4749)
• Customized challenge message in the Mobile Policy is not used in SSO (4758)
• Fixed Safe Mode Login when captcha is enabled (4421)
• Registering FIDO2 token failed with error "could not initialize proxy - no Session" (4499)
• Failed to load SSO page in Android WebView (4510)
• Syslog stopped working in v6.7 (4530)
• Fixed key input focus in several places in the SSO login process (4808)
• Fixed the issue of dropdown menus being out of place in the Admin and Self-Service consoles (4857)
• Cannot delete the last login user device (4680)

• Error 500 "Cannot invoke method save() on null object" when changing FQDN (4570)

Version 6.7.0.20230422 (April 22, 2023)

Features & Improvements

• Support Let's Encrypt on port 443 (4137)
• FIDO2 keys can be enrolled by the administrator using the admin console (4187)
• New option in the Application's settings to hide domain selection (4329)
• Extended the system health check task to check SSO & RADIUS certificate expiration date and notify the administrator (4391)
• Added a new SMS provider to support sending SMS messages via Exchange emails (4495)

Bug Fixes

• Syslog did not work in v6.6 (4527)
• MFA could be bypassed by changing the DASApplicationID (4445)
• RD Gateway OOBA: users exempted from MFA got the "Password cannot be empty" error (4438)
• A FIDO2 key was able to be registered multple times (4444)
• The SSO login page could not be loaded in Android WebView (4510)
• Fixed following errors
  • "NoSuchElementException: Cannot access first() element from an empty List" (4478)
  • "Cannot cast object '0.0' with class 'java.lang.String' to class 'java.lang.Double" (4480)
  • "Could not initialize proxy - no Session" (when try to register a FIDO2 token) (4499)

Version 6.6.0.0224 (February 24, 2023)

Features & Improvements

• Added support for SMS providers that pass authentication credentials in the HTTP header (4272)
• Fixed Apache Shiro vulnerable library (CVE-2022-40664) (4163)
• Fixed Apache Commons Text < 1.10.0 Remote Code Execution (CVE-2022-42889) (4162)
• Fixed a display problem in the Admin Console related to the newly added Resource Editor feature (4361)

Version 6.6.0.0210 (February 10, 2023)

Features & Improvements

• Resource Editor for customizing any text in any language 
• New message templates for token deactivation notice
• Supports login name format of "username@netbiosname" (4144)
• Move the credential provider filter from the computer logon client policy to the agent policy (4160)
• Improved performance of event logs (4202)
• Updated JQuery in the AppSSO module (4203)
• Added a new callback URL as a parameter to the SSO's logout URL (4231)
• Added a new "Logout URL" option to SSO Service Provider to be called at logout (4235)
• Reordered the SingleLogoutService URLS in the IDP Metadata (4279)

Bug Fixes

• Remember last login method did not always work (3957, 4290)
• SSO failed to prompt the PIN dialog when user verification is required (4150)
• FIDO2 registration failed with the error `Incorrect origin` if the reverse proxy is enabled in the IIS Agent (4153)
• Fixed several errors related to Oracle SQL (4194, 4196, 4288)
• OOBA completion caused an infinite loop (4204)
• Updating from Das v5.9.x to Das 6.5.5 caused the legacy DSS module to break (4286)

Version 6.5.5.1121 (November 21, 2022)

Bug Fixes

• SSO got stuck on the last step (4077)
• Some prompt and error messages were truncated ending "{0}" (4102)

Improvements

• Self-Service Console - the main menu is expanded by default (4074)
• Self-Service Console - if the user has no permissions at all on a section, such as Site Stamp, then the section is removed from the main menu  (4070)
• Self-Service Console - add access control permissions to the user device section (4072)

Version 6.5.5.1028 (October 28, 2022)

Bug Fixes

• Error "Unknown Algorithm Name: PROX/TOTP" when upgrading from DualShield 5.9.x to DualShield 6.5.x (3991)
• Error "org.hibernate.NonUniqueObjectException" (3990)
• Error "java.lang.NullPointerException: Cannot invoke method tokenize() on null object" occurred when a new computer logon client  is connected with an old MFA server (3984)
• Error "Cannot get property 'category' on null object" (4050)
• The Reset Password Service got an exception error when UPN was used as the login name (3993)
• The MFA server failed to initialize when AWS MySQL is being used (4025)
• The username autofill did not work in the Activate module in the DualShield Deployment Service (DDS) did not work (4033)
• Changing FQDN on Linux failed (4045)

Improvements

• Resource Editor for customization & localization (3877)
• Replaced port 8005 with port 18005 (3985)
• Added a new policy option 'Deployment Service URL' to the Self-Service Policy (4032)
• Added a new wildcard [[ACLINKUPN]] to the Activation Code message template (4036)
• Added Device Name and Device Group into the Device Filter in the Logon Policy (3915)
• Ready for FCM update in the MobileID/Android app (3989)

Version 6.5.4.0914 (Sept 14, 2022)

Bug Fixes

• Fixed a compatibility issue with the old versions of the DualShield Windows Logon client  that caused error "Cannot set property 'ip' on null object" (3980)

Improvements

• The function "Enroll DeviceCert" in the DualShield Service Console is disabled on non-Windows OS (3959)
• Added a new token permission for "Export Token" and "Download DeviceCert" in the DualShield Service Console (3961)

Version 6.5.4.0909 (Sept 09, 2022)

Bug Fixes

• Outlook Anywhere occasionally created duplicated user accounts (3912)
• FIDO did not work with Safari on MacOS (3939)
• Failed to change AD user password via RADIUS/MS-CHAP (3950)

Features & Improvements

• Added "My Certificates" in DualShield Service Console (2582)
• Added "User Sign-In Devices" in DualShield Service Console (3829)
• Added Google Authenticator support for Parallel (3892)
• Added a new "Locale" policy (3888)
• Added Device Name and Device Group to the Device Filter in the Logon Policy (3915)

Version 6.5.3.0722 (July 22, 2022)

Bug Fixes

• The option "Sign on SAML Response" was wrongly enabled by default for IIS applications, and caused the issue "OWA Error - Invalid SAML Response: Signature wrapping attack, wrong URI...". It is now disabled by default (3823)
• The user agent filter in Logon policy doesn't work for WEB SSO (3789)
• SSO user interface customization did not work in some circumstances (3797)
• Creating authorization code in the admin console did not work (3805)
• in the SendOTP API, password is transmitted in clear text
• Deleted tokens were still listed in the service console (3827)
• After a user was access denied, switching to a different user was still access denied (3843)
• In the safe mode, all access control policies were still effective (3852)

Features & Improvements

• Added support for reCAPTCHA (3510)
• Added support for FIDO2 (3727)
• Added support for "StaticPass + OTP" in logins from non-RADIUS clients, e.g. LDAP Broker
• Added access control by the user device (3780)
• Added access control by geo velocity (3811)
• Added device filter to the logon policy (3496)
• Added geo velocity filter to the logon policy (3810)
• Added user sign-in device management in the admin console (3515)
• Version 6.5.2.0620 (June 20, 2022)
• Add the token name to the QR code of the MobileID token (3844)
• Repetition is disallowed in free navigation in GridID (3819)

Bug Fixes

• A bug in the WS-Federation protocol handler caused Office 365 Federated SSO to stop working properly (3794)
• Change to the "wreply" attribute in SSO Service Provider didn't take effect until the service restarted (3793)
• An incorrect policy could be used when there are multiple domains in a realm (3775)
• If an AD group is renamed, it became invisible in the DualShield admin console (3763)
• Web SSO could sometimes mistakenly use the DNA logon procedure (2416)

Features & Improvements

• Support Access Card authentication with Computer Logon v1.5 client 
• Support FIDO2 authentication with Computer Logon v1.5 client (not with Web SSO) (3762, 3767)
• SSO Service Provider created by the IIS Agent will have the option "Sign on SAML Response" enabled by default (3764)
• Automatically migrate MobileID token to use default FCM with MobileID v6.1 app (3767)

Known Issues

This update introduced a bug below:problem below:

Version 6.5.2.0601 (June 01, 2022)

Bug Fixes

• Upgrading failed with SQL error when Dualshield is connected to an MS-SQL 2014 server (3757)
• IIS apps, e.g. OWA, got the error "Invalid SAML Response: Signature verified failed" after upgrading to DualShield 6.5.1 (3750)
• When signing in from a new device with an Outlook client, it doesn't trigger the device registration alert
• Cross-origin resource sharing: arbitrary origin trusted (3730)
• Logon request timed out in OOBA call in a system with 2 or more Dualshield backend servers (3734)
• The option InResponseTo was not functional and the attribute was always included in the SAML response (3484)
• Extra 'S' in the SSO URL after using the change FQDN feature to change the HTTP protocol (3658)
• Failed to generate the SAML response when both assertion and response are ticked for signature (3699)
• Did not include ClientIP in intrusion alert (3713)
• Import a full-chained certificate gets the error: Certificate not chained (3745)
• Assigning token in DAC got null pointer exception (3746)
• False error messages in das6.log:  "The application's global logon procedure is not found: Desktop SSO" (3751)
• The DualShield Service Console displays Error 404 when the user has no permission in Token and Account in the Self Service Policy (3754)
• Reset token successfully but there is no confirmation on the screen at all (3756)

Features & Improvements

• Support WSFED for Outlook Web Access (OWA) and EAC (Exchange Access Console) (3758)
• Support multiple values of a SAML attribute (3648)
• Querying nested group membership took long time when checking roles and license (3709)
• New task for pushing MobileID download link in bulk by user group or domain (3718)

Version 6.5.1.0503 (May 03, 2022)

Features & Improvements

• Support Microsoft Remote Desktop Web Client (3674)
• Support TLS 1.3 (3703)
• MS-SQL JDBC driver upgraded to 10.2 (3681)

Bug Fixes

• DualShield with SQL server database upgrading to v6.5.0 failed (3671)
• Deleting and re-adding DeviceID tokens in the same user account caused the license count to increment (3488)
• The user search filter stopped working after moving to the next page (3645)
• Login via the Deepnet Authenticator (DNA) sometimes caused a deadlock (3653)
• OOBA by SMS and Call did not work in v6.5.0 (3679, 3880)
• The "Users have been inactive for n days" did not work (3690)

...

• DeviceID registration and renewal verification using Deepnet Authenticator (3469)
• Introduced DeviceID renewal (3469)
• Improved extraction of DeviceID properties (3473, 3525, 3563)
• Added FIDO2 support (3420)
• Travel velocity detection (3017)
• Replaced log4j with logback in the authentication server module (3447)
• Replaced log4j with logback in the certificate server module (3441)
• Upgraded log4j from 1.2.17 to 2.17.2 in the management console module (3451)
• New Device Sign-in support for Outlook Anywhere and ActiveSync (3516)
• New Device Sign-in support for Computer Logon (3528)
• New Device Sign-in support for Deepnet Authenticator (3529)
• Automatically renew the SSO certificate when the associated let's encrypt certificate has been renewed (3564)
• DualShield Deployment Service - support incoming username as a URL parameter 'username' (3582)
• DualShield SSO - support incoming username as the NameID attribute in the SAML request (3612)
• DualShield SSO - upgraded jquery to 3.6.0 (3590)
• Added "Send Activation Code via email" for DeviceID

Bug Fixes

• Failed to save the Product value in the task 'delete token by product' (3415)
• Error - "500:no enum constant com.deepnet.das.util.LogicalOperator", when navigating to Reports (3463)
• Error - "Gateway type not matched for TELEPHONE" in the Admin Console (3489)
• DualShield Service Console - user-defined token properties were not displayed for T-Pass and MobileID (3545)
• User's external status (Active/Disabled) change not reflected immediately (3561)
• Querying available channels for activation code raised exception (3565)
• LDAPBroker integration error: No signature of method (3569)
• In push token email, QR-Code is always included (3620)
• Searching LDAP user by internal attribute didn't work (3621)
• After LDAP user's internal attributes have been updated, DAC always shows the old values (3624)

Version 6.4.20.1215 (December 15, 2021)

Bug Fixes

• Failed to create new tokens for users who have no tokens (3438)
• Failed to work with DualShield IIS Agent if FQDN was changed in the past (3437)
• Log4J upgraded to 2.16  (3439)

...

• Add support for external SQL based user directory, e.g. Keycloak (3344, 3346)
• Release DualShield MyVD (Beta)

Bug Fixes

• In SSO, the delivery channels for the activation code were missing (3393)
• In SSO, error when attempting to register FIDO keys with PIN enabled (3328, 3376)
• In DAC, group search in the policy window did not work
• In DAC, executing the AUthentication Activity  task failed (3414)

...

• Support Let's Encrypt
• Support Deepnet Authenticator in RADIUS logon
• Support UAC Prompt in the Windows Logon 6.2 and the Computer Logon 1.3
• Support Network Drive Map in the Windows Logon 6.2 and the Computer Logon 1.3
• Add new device access notification
• Add token assignment expiration notification
• Improve FQDN change and certificate change and renewal
• Improve performance in AD group membership lookup when there is a larger number of nested groups
• Administrators can generate the Authorisation Code in the admin console
• Tokens can be exported from the server and import into the Computer Logon Client to be used for offline logon
• Support SID as a form of user's login identity, along with SAM account name, down-level domain logon name and UPN
• Return a RADIUS attribute with multiple values as multiple attributes of the same name

Bug Fixes

• German umlaut letters caused errors in OOBA push authentication
• Audit Logs were not exported according to the display filter
• Preview of User Interface Customisation did not work properly
• MS-SQL deadlock at a high volume of traffic
• QR code is not displayed in Gmail
• Mapping the Personal Email identity attribute to an AD attribute got the error "Attribute is intrinsic"
• Intrusion Alert did not work
• WINSSO caused exception
• MobileID OOBA push message did not beep
• Renewing a self-signed certificate resulted in different self-signed certificates in different DualShield servers in a cluster
• Unable to set a default pin in token polices
• GridID asks for resetting path even if the mode is set to free navigation
• At login, the answer in Q&A was visible
• Many minor issues were fixed in the Admin Console

...

• Expiration notification service for AD password
• Device Quarantine UI for DevicePass, DeviceID and DeviceCert
• Organizations and users can publish custom applications on the SSO portal and Self-Sevice console.

Bug Fixes

• DualShield root CA did not have a CN
• When FQDN is being changed, its self-signed certificate is not updated
• In some cases, OOBA doesn't work on iOS devices if there are multiple DualShield servers in the system
• Alert messages do not appear in the Inbox
• Occasionally, creating a group policy caused Hibernate lazy init error
• On the DevicePass and DeviceCert activation page, Contact Info is missing

...

• Expiration notification service for token PIN and PATH
• Add "last access ip" into token
• Auto refresh user status after lockout period ends
• If the token does not have PIN, hide the "PIN" entry box
• Make "Enable Agent Registration" persistent across all DAS instances
• New UI for RADIUS server EAP options
• Add "System Info" to show info such as the version of Java, Tomcat and MySQL
• Enhance the Self-Service Policy so that the Self-Service Console can be completely customised

Bug Fixes

• At RADIUS logon, token auto provisioning did not work
• FaceSense enrollment shows black image on Mac
• Cannot download HOTP token in Deployment Service
• Scan QR code of HOTP token results "null in ocraSuite" error
• QR code of Google Authenticator was not displaying in the  Deployment Service if Authorization Code is required
• Several reflected XSS in DSC, DUA and DRP modules
• Tomcat 9 error 400 includes the Tomcat version
• A possible hibernate SQL injection in the message search function in DAC and DMC
• After upgrade to 6.0, some newly tokens cannot be seen in the user account
• SAML SP attribute entry box does not accept manual entry
• Agent's Public URL cannot be set to empty
• Upgrading 2 DualShield servers simultaneously caused optimistic lock error

Version 6.1.0.0304

Bug Fixes

• Failed to register RADIUS server 
• Failed to install DualShield on a machine where JAVA is already installed
• Unable to edit Radius Client when it is connected to multiple Radius Servers

...

• Deepnet Authenticator is now available for Web and Cloud applications
• New authentication method DeviceCert is now available for Web, and Cloud application as well as Modern Authentication for Office clients
• Smartcard certificate authentication method is now also available for Web and Cloud applications
• Changing FQDN is now availbale within the admin console.  
• Changing and Renewing the certificate of the web consoles is now available within the Admin Console
• New option "Download Token in MobileID App" added to the MobileID policy
• New option "Remember last login username" added to the Logon policy
• New option "Remember last login methods" added to the Logon policy

Bug Fixes

• Downloading token from the MobileID app was malfunctional
• Remembering last logon methods did not work in a multi-step logon procedure
• Disabled users were allowed to reset password 
• The system admin account (SA) was not allowed to login when the license key has expired
• Application Self Test failed with an incorrect error message
• The QR code for the Google and Microsoft Authenticator did not work
• Office 365 ECP login did not work
• Unable to add Base DN when creating a new Identity Source of OpenLDAP
• Password Reset did not work in OpenLDAP (ClearOS)
• Radius server association was lost after editing a radius client
• Selecting "MS-CHAP2" in RADIUS authentication caused RADIUS authencation to fail
• Installing DualShield on Linux without legacy components would fail
• The value of RelayState was not URL encoded
• HTTP proxy did not work
• SAML response did not include the correct value of the SAML attribute "SessionNotOnOrAfter", causing some SPs to terminate sessions  within 5 minutes
• A CORS related issue
• Trying to unregister OOBA from the MobileID app caused a JSON error
• In the admin console, some passwords such as the Access User in the Identity Source was included in the data stream
• On an iOS device clicking "Download App" in DualShield Deployment Service (DDS) console took the user to Google Play

...