Version 6.6.0.0224 (February 24, 2023)

Features & Improvements

• Added support for SMS providers that pass authentication credentials in the HTTP header (4272)
• Fixed Apache Shiro vulnerable library (CVE-2022-40664) (4163)
• Fixed Apache Commons Text < 1.10.0 Remote Code Execution (CVE-2022-42889) (4162)
• Fixed a display problem in the Admin Console related to the newly added Resource Editor feature (4361)

Version 6.6.0.0210 (February 10, 2023)

Features & Improvements

• Resource Editor for customizing any text in any language 
• New message templates for token deactivation notice
• Supports login name format of "username@netbiosname" (4144)
• Move the credential provider filter from the computer logon client policy to the agent policy (4160)
• Improved performance of event logs (4202)
• Updated JQuery in the AppSSO module (4203)
• Added a new callback URL as a parameter to the SSO's logout URL (4231)
• Added a new "Logout URL" option to SSO Service Provider to be called at logout (4235)
• Reordered the SingleLogoutService URLS in the IDP Metadata (4279)

Bug Fixes

• Remember last login method did not always work (3957, 4290)
• SSO failed to prompt the PIN dialog when user verification is required (4150)
• FIDO2 registration failed with the error `Incorrect origin` if the reverse proxy is enabled in the IIS Agent (4153)
• Fixed several errors related to Oracle SQL (4194, 4196, 4288)
• OOBA completion caused an infinite loop (4204)
• Updating from Das v5.9.x to Das 6.5.5 caused the legacy DSS module to break (4286)

Version 6.5.5.1121 (November 21, 2022)

Bug Fixes

• SSO got stuck on the last step (4077)
• Some prompt and error messages were truncated ending "{0}" (4102)

Improvements

• Self-Service Console - the main menu is expanded by default (4074)
• Self-Service Console - if the user has no permissions at all on a section, such as Site Stamp, then the section is removed from the main menu  (4070)
• Self-Service Console - add access control permissions to the user device section (4072)

Version 6.5.5.1028 (October 28, 2022)

Bug Fixes

• Error "Unknown Algorithm Name: PROX/TOTP" when upgrading from DualShield 5.9.x to DualShield 6.5.x (3991)
• Error "org.hibernate.NonUniqueObjectException" (3990)
• Error "java.lang.NullPointerException: Cannot invoke method tokenize() on null object" occurred when a new computer logon client  is connected with an old MFA server (3984)
• Error "Cannot get property 'category' on null object" (4050)
• The Reset Password Service got an exception error when UPN was used as the login name (3993)
• The MFA server failed to initialize when AWS MySQL is being used (4025)
• The username autofill did not work in the Activate module in the DualShield Deployment Service (DDS) did not work (4033)
• Changing FQDN on Linux failed (4045)

Improvements

• Resource Editor for customization & localization (3877)
• Replaced port 8005 with port 18005 (3985)
• Added a new policy option 'Deployment Service URL' to the Self-Service Policy (4032)
• Added a new wildcard [[ACLINKUPN]] to the Activation Code message template (4036)
• Added Device Name and Device Group into the Device Filter in the Logon Policy (3915)
• Ready for FCM update in the MobileID/Android app (3989)

Version 6.5.4.0914 (Sept 14, 2022)

Bug Fixes

• Fixed a compatibility issue with the old versions of the DualShield Windows Logon client  that caused error "Cannot set property 'ip' on null object" (3980)

Improvements

• The function "Enroll DeviceCert" in the DualShield Service Console is disabled on non-Windows OS (3959)
• Added a new token permission for "Export Token" and "Download DeviceCert" in the DualShield Service Console (3961)

Version 6.5.4.0909 (Sept 09, 2022)

Bug Fixes

• Outlook Anywhere occasionally created duplicated user accounts (3912)
• FIDO did not work with Safari on MacOS (3939)
• Failed to change AD user password via RADIUS/MS-CHAP (3950)

Features & Improvements

• Added "My Certificates" in DualShield Service Console (2582)
• Added "User Sign-In Devices" in DualShield Service Console (3829)
• Added Google Authenticator support for Parallel (3892)
• Added a new "Locale" policy (3888)
• Added Device Name and Device Group to the Device Filter in the Logon Policy (3915)

Version 6.5.3.0722 (July 22, 2022)

Bug Fixes

• The option "Sign on SAML Response" was wrongly enabled by default for IIS applications, and caused the issue "OWA Error - Invalid SAML Response: Signature wrapping attack, wrong URI...". It is now disabled by default (3823)
• The user agent filter in Logon policy doesn't work for WEB SSO (3789)
• SSO user interface customization did not work in some circumstances (3797)
• Creating authorization code in the admin console did not work (3805)
• in the SendOTP API, password is transmitted in clear text
• Deleted tokens were still listed in the service console (3827)
• After a user was access denied, switching to a different user was still access denied (3843)
• In the safe mode, all access control policies were still effective (3852)

Features & Improvements

• Added support for reCAPTCHA (3510)
• Added support for FIDO2 (3727)
• Added support for "StaticPass + OTP" in logins from non-RADIUS clients, e.g. LDAP Broker
• Added access control by the user device (3780)
• Added access control by geo velocity (3811)
• Added device filter to the logon policy (3496)
• Added geo velocity filter to the logon policy (3810)
• Added user sign-in device management in the admin console (3515)
• Version 6.5.2.0620 (June 20, 2022)
• Add the token name to the QR code of the MobileID token (3844)
• Repetition is disallowed in free navigation in GridID (3819)

Bug Fixes

• A bug in the WS-Federation protocol handler caused Office 365 Federated SSO to stop working properly (3794)
• Change to the "wreply" attribute in SSO Service Provider didn't take effect until the service restarted (3793)
• An incorrect policy could be used when there are multiple domains in a realm (3775)
• If an AD group is renamed, it became invisible in the DualShield admin console (3763)
• Web SSO could sometimes mistakenly use the DNA logon procedure (2416)

Features & Improvements

• Support Access Card authentication with Computer Logon v1.5 client 
• Support FIDO2 authentication with Computer Logon v1.5 client (not with Web SSO) (3762, 3767)
• SSO Service Provider created by the IIS Agent will have the option "Sign on SAML Response" enabled by default (3764)
• Automatically migrate MobileID token to use default FCM with MobileID v6.1 app (3767)

Known Issues

This update introduced a problem below:

Version 6.5.2.0601 (June 01, 2022)

Bug Fixes

• Upgrading failed with SQL error when Dualshield is connected to an MS-SQL 2014 server (3757)
• IIS apps, e.g. OWA, got the error "Invalid SAML Response: Signature verified failed" after upgrading to DualShield 6.5.1 (3750)
• When signing in from a new device with an Outlook client, it doesn't trigger the device registration alert
• Cross-origin resource sharing: arbitrary origin trusted (3730)
• Logon request timed out in OOBA call in a system with 2 or more Dualshield backend servers (3734)
• The option InResponseTo was not functional and the attribute was always included in the SAML response (3484)
• Extra 'S' in the SSO URL after using the change FQDN feature to change the HTTP protocol (3658)
• Failed to generate the SAML response when both assertion and response are ticked for signature (3699)
• Did not include ClientIP in intrusion alert (3713)
• Import a full-chained certificate gets the error: Certificate not chained (3745)
• Assigning token in DAC got null pointer exception (3746)
• False error messages in das6.log:  "The application's global logon procedure is not found: Desktop SSO" (3751)
• The DualShield Service Console displays Error 404 when the user has no permission in Token and Account in the Self Service Policy (3754)
• Reset token successfully but there is no confirmation on the screen at all (3756)

Features & Improvements

• Support WSFED for Outlook Web Access (OWA) and EAC (Exchange Access Console) (3758)
• Support multiple values of a SAML attribute (3648)
• Querying nested group membership took long time when checking roles and license (3709)
• New task for pushing MobileID download link in bulk by user group or domain (3718)

Version 6.5.1.0503 (May 03, 2022)

Features & Improvements

• Support Microsoft Remote Desktop Web Client (3674)
• Support TLS 1.3 (3703)
• MS-SQL JDBC driver upgraded to 10.2 (3681)

Bug Fixes

• DualShield with SQL server database upgrading to v6.5.0 failed (3671)
• Deleting and re-adding DeviceID tokens in the same user account caused the license count to increment (3488)
• The user search filter stopped working after moving to the next page (3645)
• Login via the Deepnet Authenticator (DNA) sometimes caused a deadlock (3653)
• OOBA by SMS and Call did not work in v6.5.0 (3679, 3880)
• The "Users have been inactive for n days" did not work (3690)

Version 6.5.0.0401 (April 1, 2022)

New Features

• DeviceID registration and renewal verification using Deepnet Authenticator (3469)
• Introduced DeviceID renewal (3469)
• Improved extraction of DeviceID properties (3473, 3525, 3563)
• Added FIDO2 support (3420)
• Travel velocity detection (3017)
• Replaced log4j with logback in the authentication server module (3447)
• Replaced log4j with logback in the certificate server module (3441)
• Upgraded log4j from 1.2.17 to 2.17.2 in the management console module (3451)
• New Device Sign-in support for Outlook Anywhere and ActiveSync (3516)
• New Device Sign-in support for Computer Logon (3528)
• New Device Sign-in support for Deepnet Authenticator (3529)
• Automatically renew the SSO certificate when the associated let's encrypt certificate has been renewed (3564)
• DualShield Deployment Service - support incoming username as a URL parameter 'username' (3582)
• DualShield SSO - support incoming username as the NameID attribute in the SAML request (3612)
• DualShield SSO - upgraded jquery to 3.6.0 (3590)
• Added "Send Activation Code via email" for DeviceID

Bug Fixes

• Failed to save the Product value in the task 'delete token by product' (3415)
• Error - "500:no enum constant com.deepnet.das.util.LogicalOperator", when navigating to Reports (3463)
• Error - "Gateway type not matched for TELEPHONE" in the Admin Console (3489)
• DualShield Service Console - user-defined token properties were not displayed for T-Pass and MobileID (3545)
• User's external status (Active/Disabled) change not reflected immediately (3561)
• Querying available channels for activation code raised exception (3565)
• LDAPBroker integration error: No signature of method (3569)
• In push token email, QR-Code is always included (3620)
• Searching LDAP user by internal attribute didn't work (3621)
• After LDAP user's internal attributes have been updated, DAC always shows the old values (3624)

Version 6.4.20.1215 (December 15, 2021)

Bug Fixes

• Failed to create new tokens for users who have no tokens (3438)
• Failed to work with DualShield IIS Agent if FQDN was changed in the past (3437)
• Log4J upgraded to 2.16  (3439)

Version 6.4.20.1212

This update is produced in reaction to the Log4j2 RCE Vulnerability 

This update includes the following changes:

1. Log4j is completely removed from the SSO server (the frontend) in the DualShield platform

2. Log4j 2 is completely removed from the authentication server (the backend) in the DualShield platform. Log4j 1.2.17 is kept as it can't be easily upgraded yet, but it is not susceptible to this vulnerability.

3. Log4j 2 in the certificate server (frontend) has been upgraded to the latest log4j 2.15 which has fixed this vulnerability.

Version 6.4.20.1129 (November 29, 2021)

New Features

• Add support for external SQL based user directory, e.g. Keycloak (3344, 3346)
• Release DualShield MyVD (Beta)

Bug Fixes

• In SSO, the delivery channels for the activation code were missing (3393)
• In SSO, error when attempting to register FIDO keys with PIN enabled (3328, 3376)
• In DAC, group search in the policy window did not work
• In DAC, executing the AUthentication Activity  task failed (3414)

Version 6.4.20.1029

New Features

• Support Let's Encrypt
• Support Deepnet Authenticator in RADIUS logon
• Support UAC Prompt in the Windows Logon 6.2 and the Computer Logon 1.3
• Support Network Drive Map in the Windows Logon 6.2 and the Computer Logon 1.3
• Add new device access notification
• Add token assignment expiration notification
• Improve FQDN change and certificate change and renewal
• Improve performance in AD group membership lookup when there is a larger number of nested groups
• Administrators can generate the Authorisation Code in the admin console
• Tokens can be exported from the server and import into the Computer Logon Client to be used for offline logon
• Support SID as a form of user's login identity, along with SAM account name, down-level domain logon name and UPN
• Return a RADIUS attribute with multiple values as multiple attributes of the same name

Bug Fixes

• German umlaut letters caused errors in OOBA push authentication
• Audit Logs were not exported according to the display filter
• Preview of User Interface Customisation did not work properly
• MS-SQL deadlock at a high volume of traffic
• QR code is not displayed in Gmail
• Mapping the Personal Email identity attribute to an AD attribute got the error "Attribute is intrinsic"
• Intrusion Alert did not work
• WINSSO caused exception
• MobileID OOBA push message did not beep
• Renewing a self-signed certificate resulted in different self-signed certificates in different DualShield servers in a cluster
• Unable to set a default pin in token polices
• GridID asks for resetting path even if the mode is set to free navigation
• At login, the answer in Q&A was visible
• Many minor issues were fixed in the Admin Console

Version 6.3.0.0611

New Features

• Expiration notification service for AD password
• Device Quarantine UI for DevicePass, DeviceID and DeviceCert
• Organizations and users can publish custom applications on the SSO portal and Self-Sevice console.

Bug Fixes

• DualShield root CA did not have a CN
• When FQDN is being changed, its self-signed certificate is not updated
• In some cases, OOBA doesn't work on iOS devices if there are multiple DualShield servers in the system
• Alert messages do not appear in the Inbox
• Occasionally, creating a group policy caused Hibernate lazy init error
• On the DevicePass and DeviceCert activation page, Contact Info is missing

Version 6.2.0.0419

New Features

• Expiration notification service for token PIN and PATH
• Add "last access ip" into token
• Auto refresh user status after lockout period ends
• If the token does not have PIN, hide the "PIN" entry box
• Make "Enable Agent Registration" persistent across all DAS instances
• New UI for RADIUS server EAP options
• Add "System Info" to show info such as the version of Java, Tomcat and MySQL
• Enhance the Self-Service Policy so that the Self-Service Console can be completely customised

Bug Fixes

• At RADIUS logon, token auto provisioning did not work
• FaceSense enrollment shows black image on Mac
• Cannot download HOTP token in Deployment Service
• Scan QR code of HOTP token results "null in ocraSuite" error
• QR code of Google Authenticator was not displaying in the  Deployment Service if Authorization Code is required
• Several reflected XSS in DSC, DUA and DRP modules
• Tomcat 9 error 400 includes the Tomcat version
• A possible hibernate SQL injection in the message search function in DAC and DMC
• After upgrade to 6.0, some newly tokens cannot be seen in the user account
• SAML SP attribute entry box does not accept manual entry
• Agent's Public URL cannot be set to empty
• Upgrading 2 DualShield servers simultaneously caused optimistic lock error

Version 6.1.0.0304

Bug Fixes

• Failed to register RADIUS server 
• Failed to install DualShield on a machine where JAVA is already installed
• Unable to edit Radius Client when it is connected to multiple Radius Servers

Version 6.1.0.0301

New Features

• Deepnet Authenticator is now available for Web and Cloud applications
• New authentication method DeviceCert is now available for Web, and Cloud application as well as Modern Authentication for Office clients
• Smartcard certificate authentication method is now also available for Web and Cloud applications
• Changing FQDN is now availbale within the admin console.  
• Changing and Renewing the certificate of the web consoles is now available within the Admin Console
• New option "Download Token in MobileID App" added to the MobileID policy
• New option "Remember last login username" added to the Logon policy
• New option "Remember last login methods" added to the Logon policy

Bug Fixes

• Downloading token from the MobileID app was malfunctional
• Remembering last logon methods did not work in a multi-step logon procedure
• Disabled users were allowed to reset password 
• The system admin account (SA) was not allowed to login when the license key has expired
• Application Self Test failed with an incorrect error message
• The QR code for the Google and Microsoft Authenticator did not work
• Office 365 ECP login did not work
• Unable to add Base DN when creating a new Identity Source of OpenLDAP
• Password Reset did not work in OpenLDAP (ClearOS)
• Radius server association was lost after editing a radius client
• Selecting "MS-CHAP2" in RADIUS authentication caused RADIUS authencation to fail
• Installing DualShield on Linux without legacy components would fail
• The value of RelayState was not URL encoded
• HTTP proxy did not work
• SAML response did not include the correct value of the SAML attribute "SessionNotOnOrAfter", causing some SPs to terminate sessions  within 5 minutes
• A CORS related issue
• Trying to unregister OOBA from the MobileID app caused a JSON error
• In the admin console, some passwords such as the Access User in the Identity Source was included in the data stream
• On an iOS device clicking "Download App" in DualShield Deployment Service (DDS) console took the user to Google Play

Version 6.0.0.1008

DualShield 6 is the new generation of the DualShield MFA Platform, and DualShield 6.0.0.1008 is the first release of DualShield 6.

All of the web consoles in DualShield have been completely rewritten using the latest web technologies. 

There are many improvements and bug fixes in DualShield 6, such as

• Linux logon client that supports offline 2FA logon
• A new option to prevent naming guessing in the Web logon process 
• Using email address as the login name instead of UPN
• A new face recognition engine with improved FAR and FRR
• Change FQDN by one click in the admin console
• Change and renew web console certificate in the admin console

There are also some new key features & functions been introduced into DualShield 6:

• Localization: DualShield 6 supports international languages
• Customization: DualShield provides more flexible and convenient UI customization which will survive future upgrades
• DeviceCert Authenticator: A new generation of device fingerprinting technology that supports multiple platforms including Windows, Mac, iOS and Android, and multiple applications including Office 365.
• Deepnet Authenticator: A new innovative MFA authentication app that delivers a unified MFA experience across devices and operating systems.

However, those new key features are yet to be perfected in the upcoming new updates of DualShield 6 in the near future. 

Change Logs

6.0.0.1008

- Fix replacing console web certificate did not accept wild card certificate

- Fix replacing console web certificate with a server certificate in the repository

- Fix EAP settings was lost after upgrading from 5.9 versions

6.0.0.1007

- Fix changing FQDN # If the original FQDN includes capital letters then changing FQDN did not work properly.

6.0.0.1006

- Fix EAP settings # EAP settings were not saved properly, causing Radius clients such as NetMotion unable to connect

6.0.0.1005

First release of DualShield 6.0