
12.6.1

Features and improvements

Privileged access - local service mode

  • The local service mode server CGI has been updated to reduce how often calculated attribute updates are sent to iddiscover:

    1. When the CGI determines that password updates need to be sent to the client, it issues one or more sub-requests back to the connecting client. The client then opens a new connection to report the password update results; this new connection no longer checks whether calculated attribute updates are needed.

    2. When the CGI determines that the workstation communication key has expired, it issues a sub-request back to the connecting client. The client then opens a new connection to report the key update result; this new connection no longer checks whether calculated attribute updates are needed.

    3. When the client goes into resync mode, the CGI no longer performs its usual separate iddiscover batch when considering calculated attribute updates. Instead, the calculated attributes are included in the main iddiscover resync batch.

  • The local service mode client has been updated to no longer send updates for account attributes pwda and llogon.

  • Default descriptions and default values for system variables RES_ATTRIBUTE_UPDATE_DELAY and RES_DELAY_UPDATE_ATTRIBUTES have been updated:

    • RES_ATTRIBUTE_UPDATE_DELAY is now 1440 (once a day) instead of 60 (once an hour).

    • RES_DELAY_UPDATE_ATTRIBUTES is now "pwda,llogon" instead of "pwda". This is meant to compensate for local service mode clients that have not been updated to contain the fix above.

      The descriptions of both system variables have been updated to be clearer.

Database

Added a sproc SesslogDelete to be called from dbcmd to clean up old sesslog data.

SOAP API

  • Added SUCCESS/FAILTARGETS session tags in UserPasswordSync and UserAccountsUnlock.

  • Made UserPasswordSync run password reset in parallel.

Resolved issues

Proxy servers

  • Fixed a small memory leak in some cryptographic functions that would accumulate over long periods of time in service processes.

Question sets

  • Fixed support for the external question set plugin so that answers provided one at a time, instead of all at once, for the same question set are validated properly.

Auto discovery

  • Changed discovery to load the @passwordExpiration and @lastPasswordChange pseudoattributes for accounts instead of merely loading them into the “expiry” table.

  • Profile attribute values are properly removed during auto discovery if the account whose attributes populated those profile attributes becomes detached from the profile.

  • Auto discovery was fixed, so existing non-source-of-profile, non-associated accounts in the database become associated to profiles after changing the target system to source of profiles and enabling auto-association.

  • Fixed a discovery issue that occurred when multiple source-of-profile accounts were renamed to the same name but a profile with the new name already existed (with or without the same casing).

  • Updated auto discovery, so Source of Profile target accounts that don't produce profiles can still auto-associate to other profiles.

Target systems

  • Fixed target deletion not working correctly when the target has accounts that are members of a group on another target and that were at one point unknown.

SAML

  • Softened the Content-Security-Policy form-action policy to allow SAML to function out of the box. Additional manual hardening is recommended.
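As an added illustration of the manual hardening the note recommends (example code, not the product's configuration or code; the policy strings and the IdP origin https://idp.example.com are constructed placeholders), this checker flags a form-action that lets forms post anywhere and rewrites it to 'self' plus the identity provider's origin:

```python
"""Check and harden the form-action directive of a Content-Security-Policy.

Added example: form-action does not fall back to default-src, so a missing
or wildcard form-action lets a page submit forms (including SAML POST
bindings) to any origin. The hardened form allows only 'self' and the
SAML identity provider origin. All sample values are constructed.
"""

# Constructed sample policies; the IdP origin is a placeholder.
SOFTENED_CSP = "default-src 'self'; form-action *"
HARDENED_CSP = "default-src 'self'; form-action 'self' https://idp.example.com"


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def form_action_findings(header: str, allowed_idp_origins: set) -> list:
    """Return hardening findings for form-action (empty list means OK)."""
    sources = parse_csp(header).get("form-action")
    if sources is None:
        return ["form-action missing: form submissions to any origin allowed"]
    findings = []
    for src in sources:
        if src in ("'self'", "'none'"):
            continue
        if src == "*" or src.endswith(":"):
            findings.append(f"form-action {src}: any origin allowed")
        elif "*" in src:
            findings.append(f"form-action {src}: wildcard host")
        elif src not in allowed_idp_origins:
            findings.append(f"form-action {src}: origin not in the allow-list")
    return findings


def harden_form_action(header: str, idp_origins: set) -> str:
    """Rewrite the header so form-action allows only 'self' and the IdP origins."""
    kept = [p.strip() for p in header.split(";")
            if p.strip() and not p.strip().lower().startswith("form-action")]
    kept.append("form-action 'self' " + " ".join(sorted(idp_origins)))
    return "; ".join(kept)
```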

REST API

  • Removed token creation on login to CGIs.

  • Changed the WiX attribute to correctly run the stored procedure on upgrade.

SOAP API

  • The IDAPI service was updated to simultaneously support the deprecated and new SOAP endpoints.

  • Fixed an idapi crash when WFResultSet is executed by multiple concurrent callers.

Unix

  • Removed build-id links from the hid-common, hid-idapi, hid-pamutil, and hid-mobproxy rpms to improve compatibility.

Onboarding

  • Fixed an issue when re-onboarding the same user (with the same profile ID) where account and profile attributes couldn't be populated properly.

Privileged access

  • Fixed local workstation service issues (client side and server side) caused by out-of-band account deletions (hard disk restore, virtual machine revert, etc.).

  • Fixed issue in 1.2 -> 1.3 upgrade for Scenario.pam_team_privilege_trustees that would cause the script to give up completely on a partial failure.

  • Fixed an issue to allow local service mode calculated computer attributes to be updated more reliably:

    • lastSuccessConnection

    • lastFailedConnection

    • failedAttempts

    • compDiscovered

    • compNotDiscoveredDays

  • Updated the discovered system "lastload" value to current time when computer attributes are modified so that nightly auto discovery can more accurately set computer attributes compNotDiscoveredPastThreshold and compNotDiscoveredDays.

  • Included computer attribute compNotDiscoveredPastThreshold in the list of local service mode calculated attributes to be updated (see fix 1) so that a dormant local service mode system that resumes connecting to the instance can get itself "rediscovered" without having to wait for the next nightly auto discovery.

  • Increased default value of system variable LWS_LAST_CONNECTION_UPDATE_INTERVAL from 30 to 1440 (one day) so that local service mode computer attribute lastSuccessConnection updates less often. This is to reduce load on the iddiscover service and replication.

  • Reduced how often the local service mode computer attribute sourceAddress is updated: it is now updated only when other computer attributes are being updated. This is to reduce load on the iddiscover service and replication.

  • Added a variable LWS_ENABLE_NETWORK_ADAPTER_ATTRIBUTE_DISCOVERY with a default value of true. When true, the LWS CGI (pamlws.exe) submits network adapter computer attributes to iddiscover, which stores them in the database. When false, network adapter computer attributes are neither sent to iddiscover nor stored in the database, which decreases the load on the iddiscover service and replication, especially where local service mode systems are often moved from one network to another (e.g. a laptop moving between home and office).

  • Added index to speed up import rule evaluations.

  • Optimized the PolicyRuleAccountPrepare stored procedure.

  • Fixed an issue where local workstation service resynchronizations could fail to complete properly.

  • Fixed an issue with phased authorization where a request, with an unenacted operation, could not be approved after phase 2 (or phase >1) authorizer approves it.

  • Fixed local service mode service crash bug triggered by account rename.

Performance

  • Fixed a small memory leak in some cryptographic functions that would accumulate over long periods of time in service processes.

Session monitoring

  • Improved session monitor recorded sessions search:

    • Added session state column to search pane

    • Added session state field to details in the actions panel for an individual recorded session

    • Fixed functionality of session state advanced search term, and updated choices to be “In progress”, “Stale”, and “Complete”

  • Improved smonc.exe logs to include filesystem error details where possible.

  • Added a check when uploading a file for a request file attribute, so that the upload fails if the file name's length exceeds the size of the corresponding database field that stores it.

Notification

  • Changed web notifications to sanitize HTML markup only when a raw string is used. Please ensure that you review any web notifications configured via custom skin file tags and properly sanitize any HTML in them.