Quest® Enterprise Single Sign-On Service Pack Readme
September 29, 2009
Version 8.02 Service Pack 4
This Service Pack may receive additional testing. If you are not severely affected by the issue that this Service Pack addresses, it is recommended that you install the next full release of Quest Enterprise Single Sign-On, as it will also include this Service Pack. This Service Pack is designed for upgrades from a previous Quest Enterprise Single Sign-On 8.02 release and can also be used for new installations.
For complete product information, please refer to the Quest Enterprise Single Sign-On product documentation.
This Service Pack addresses the issues described in the Resolved Issues section.
The following is a list of issues resolved in this Service Pack.
| Feature | Resolved Issue | Defect ID |
| General | WGSS server blocked during stop after a long inactivity period. Abstract: Some connections (client->server) were not released in the WGSS server causing the stop operation to hang. | 28943 |
| | Error in WGAPI_AUTH.H prototype WGGETOTP file. Correction Description: typedef definition changed to "typedef WG_RESULT (WINAPI * WGGETOTP) ( WG_HANDLE , unsigned long , const char * * ) ;" | 31852 |
| | ACL problem for PKA with OpenLDAP. | 31331 |
| | Problems with password reset from console. When we reset the password, often the previous password is prompted to the user. So if we do not know the previous password all private info of the user is lost. Correction Description: Now, during search of the nearest DC of a computer, try to find one that can be joined. | 31845 |
| | Unable to select an item in a list. | 30621 |
| | SSOstudio: window import is doubled and causes a crash. | 31848 |
| | How to have only the reset password mode at SOS mode level? Correction Description: In the Enatel\WiseGuard\FrameWork\ResetPassword and Enatel\WiseGuard\FrameWork\ResetPIN registry keys, set a Disabled value (DWORD) to 1. | 31786 |
| | If a user set as primary administrator for the E-SSO-Console is deleted in AD, none of the other E-SSO administrators can log on to E-SSO-Console anymore. | 31757 |
| | An account with an empty password in 4.12 is not visible in E-SSO 8.02 window. Abstract: Migration problem. | 31641 |
| | Problem with shared applications and multi accounts. We have 2 applications with shared accounts. User 1 is registered to the first application: it is automatically visible in the second application. If we add a second user to the first application, a reload is necessary in the second application to make it visible. | 30626 |
| | During access to the password reset server with Internet Explorer 6, there are JavaScript errors. Abstract: Script error with IE6. Correction Description: Fix field names and JavaScript verification functions. | 31750 |
| | Authentication problem in PKA mode. Correction Description: Update directory with LDAP credentials ciphered remotely by the card. | 31625 |
| | Password hashed when sent to directory during password change in the console (or by Reset Password). Correction Description: Add registry parameter HKLM\software\enatel\wiseguard\directory\dontcryptpasswords to not hash passwords in OpenLDAP during password reset. | 31673 |
| | Audit cache file grows even if no license for audit. Correction Description: Throw away all events if AUDIT is not licensed. If PolicyManager mi_file is present, all E-SSO licenses are considered as valid. | 31363 |
| | Collection of questions/answers is requested again during primary password change when no SSO account is collected. | 31693 |
| | Wrong management of password expiration if logon user is deactivated. | 31684 |
| | Error in password reset in non Microsoft environment. | 31649 |
| | Bad German text in WGAdSetup. | 31691 |
| | Problem with biometric store on card. Abstract: Bio store on card does not work with UPEK. | 31585 |
| | Authentication problem in PKA mode. Correction Description: PKA towards Citrix. Implement remote certificate collect. | 31625 |
| | Authentication error: authentication data invalid in RFID. Correction Description: Take into account UPN without "@domain.dns" in case of RFID card. | 31577 |
| | When SSOFUS uninstalled, launching of SSOFUS.exe is not removed from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Correction Description: Uninstall SSOFUS Run key upon uninstallation. | 31578 |
| | Correction Description: Modification in wgjpi.data file path (environment variable) to support Vista and XP. | 31410 |
| | Workstation not locked when reader is unplugged. Abstract: This only occurs when more than one smart card reader is plugged in. Correction Description: Enhance management of PC/SC status indicators. | 31509 |
| | Web Access Manager & ESSO: cannot access web services of eSSO. Abstract: UTF8 encoding is not supported by Web service interface. Correction Description: WGSOAPUTF8Encoding registry value (WiseGuard\FrameWork\Config) makes it possible to force UTF8 encoding. | 31307 |
| | Impossible to launch SSOWatch or Enterprise Console. Abstract: Network error in AD/ADAM mode in some situations in case of network problem on the platform. | 31532 |
| | Password Reset issue. Correction Description: As documented in http://msdn.microsoft.com/en-us/library/aa746344(VS.85).aspx, impersonate the administrative account while setting a user's password from the E-SSO Console. | 31264 |
| | Error 0x81013106 mode without connection when a server is suppressed from the domain and inserted again. Abstract: Error in E-SSO controller choice. | 31481 |
| | No correct choice of E-SSO controller from SSO console. Abstract: Error in E-SSO controller choice. | 31478 |
| | Problem with an Oracle Java application using JINIT 1.3.1.xx. The SSO Java files are installed but there is no detection of the windows content. Correction Description: Handle Jinitiator windows whose titles change. | 30868, 30943 |
| | Support of Arabic in console. | 30942 |
| | Cache corruption. Abstract: Wrong value found in disk cache. | 31437 |
| | After installation E-SSO does not start if default objects are set under o=netscaperoot in directory. Correction Description: Prevent from using o=netscaperoot as naming context in configuration tools in Fedora and Netscape. | 31463 |
| | E-SSO console crash when visualizing administration rights after delete of parent administrator. | 31475 |
| | Problem of web page detection with Internet Explorer 6. | 31352 |
| | New password window detection problem. | 31272 |
| | Problem of HTTP form detection with Internet Explorer 6. | 31344 |
| | Use of Windows Autologon function impossible. Correction Description: The behavior of E-SSO credential provider filter is modified as follows: if the ESSOCredentialProvider (i.e. the wrapper) is operational, check if AutoAdminLogon is correctly set in registry. If so, do not activate E-SSO credential providers; if not, behave normally (disable standard MS credential providers). That way, the AutoAdminLogon feature is managed by MS components. | 31388 |
| | "Option" not grayed at relogin in Japanese environment. | 30387 |
| | Startup Time for E-SSO Security Service is very long. Abstract: Very long opening time of cache file because of too many commits on file. | 31325 |
| | When a user enters bad policies in an application, the SSO message text is not coherent with the error. Abstract: PFCP messages "for middle characters" and "for last characters" inverted. | 31400 |
| | Problem during use of SSO configuration by population. | 31348 |
| | Technical definition modifications not updated on workstations. | 31326 |
| | Abort at delay expiration after shift and card withdrawal. Correction Description: Add a timer to UserOpenSession box. | 31070 |
| | If a station goes to standby during authentication, re-authentication fails with error 0x82002006. Correction Description: If a station goes to standby while authenticating in a credential provider, try to re-authenticate if authentication fails with error 0x82002006 (FMK_E_AUTH_ALREADYAUTHENTICATED). | 31069 |
| | Problem at password change on Vista. | 29995 |
| | From a Vista workstation with Advanced Login installed, if we execute a remote control on a Windows 2008 server we locally have a Windows window loading credential provider to authenticate the user (to allow him to execute his connection to the server). On the Windows 2008 servers, "Network Level Authentication" option is activated. If the user connected in card mode on his workstation wants to use an administrator account to connect to the server and enters a wrong password there is no error window. Abstract: In CREDUI scenario, authentication errors must be displayed in a message box. | 30861 |
| | After accessing a PC with RDP, and unlocking the initial local session, removing the smart card is not detected. | 29233 |
| | User creation for Novell integration; the user is not assigned to any group. Correction Description: Remove call to SetLocalAccountMembership. | 29594 |
| | Problem with biometry on some Nec notebooks. | 30390 |
| | Enterprise SSO console crash during display of audit data from Oracle 10 base. Correction Description: Clean audit events (suppress useless blank characters) and display only the maximum of possible characters in ListControl. | 30111 |
| | Audit database grows without audit license key. | 31216 |
| | Close of session if mobile workstation unplugged. Credential manager crashes and it is not possible to re-logon. Abstract: Close of session on POWER event. | 31071 |
| | Windows password requested for almost all off-line authentication. | 31176 |
| | Cache corruption. | 30973 |
| | After changing the password, the user cannot log in with the Windows password, but on the fourth attempt login with this password succeeded. Correction Description: Better internal management of domain names to prevent problems in case of network unavailability. | 30458 |
| | Error message in the console when resetting the primary password with check-box "change password at next login": "feature not supported in this version". Abstract: Error message (without any other effect) when forcing a password and when the schema does not contain enatelPasswordLastSetTime attribute. | 31077 |
| | Impossible to install new SSO administration consoles. Abstract: Impossible to launch an administration tool deported from the server in cooperative mode with access point management. | 30933 |
| | Crash in ADAM mode when using population authorized to delegate an account in applicative profile parameters. | 30801 |
| | Very long logon and unlock times. Correction Description: By default groups are not read on token in 8.02. | 31076 |
| | When on the client the WiseGuard window of shutdown is present and the user selects the "Cancel" button, the cache is corrupted. When we open the SSOWatch > Single Sign-On Engine window, in the Account panel many applications are not registered (loss of registrations). Abstract: SSO accounts no longer in cache during loss of connection. | 30909 |
| | E-SSO controllers declared twice in enatelServers. Correction Description: Check for specialized declaration when controller starts. | 30999 |
| | During activation of disconnected emergency access mode: after challenge validation, session is opened and closed automatically. | 31028 |
| | Error message upon un-installation (ssojavaconfig.dll not found). Correction Description: Do not execute custom actions at the end of the un-installation process. | 31133 |
| | Selection of ADAM/ADLDS server impossible in E-SSO console. | 31165 |
| | Crash of WGSS.exe during authentication on non Microsoft directory. | 30816, 30822 |
| | Correction Description: Explain in on-line help that the inactivation of an application is temporary and will end when the session terminates. | 29786 |
| | Advanced Login does not start if trace directory does not exist. Correction Description: If it is impossible to create the trace file, do not retry opening it. | 30859 |
| | When a user tries to change his password, if password format is incorrect, two windows appear with the same message, one is informational window and the second is alert window. | 31130 |
| | Problem with MSTelnetW2KXP and additional parameters. Correction Description: Additional parameters now fully supported. | 31044 |
| | SSO Watch does not allow Multiple Terminal Emulators. Correction Description: Modify HLLAPI plugin to take account of some specificities of InfoConnect 8.1 IHLLAPI: the default attributes of the session assumed by that interface were not the ones described in the IBM implementation used. The worst case was in the DisconnectPS, which forced the physical disconnection of the emulator session and not only the logical disconnection. To deal with such a case, we have forced some attributes to make sure that the default behavior would be OK. | 31109 |
| | Workstation not locked on card withdrawal. Abstract: When putting the workstation from or to sleep state, drivers/cards events generate connections to WGSS. Then setting to sleep state generates socket errors and loss of connection to WGSS. Correction Description: Do not treat card events between sleep state detection and end of sleep state detection. | 30524 |
| | Spelling mistake in "Interpret reappearance of login window..." | 31232, 31233 |
| | Scripting problem with a ssh/telnet emulator (putty). | 31003 |
| | In French Extended Manager console / "Profil applicatif" / "Général" tab, the last choice "L'application positionne l'utilisateur au niveau:" does not visualize the corresponding counter. | 31169 |
| | About "Properties" tab of an Application Object in Japanese SSOStudio Personal. The display of "Options" is wrong: the option "Enable this application" does not appear. | 31121, 31113 |
| | Some fields in SSOStudio do not appear due to the translation of SSO into Spanish that is longer than in English. | 31018 |
| | In French SSOStudio problem with window masking option. | 30991 |
| | With Japanese Extended Manager Console when you define the SOS access security policy (user security profile), and check the check-box "nb of days allowed for password access", this results in covering up the edit field on the right (where you define the number of days). | 30825 |
| | Some strings still in English in Japanese installers. | 30824 |
| | No search request filter field access without mouse. | 31101 |
| | "Renew the PIN code every (day)" field does not work correctly. | 30858 |
| | Technical reference usable for several application objects of different domains. | 31143 |
| | Once a password has been forced in the E-SSO console, if a new one is forced without screen or user change, the check-box indicating the password has to be changed by the user at each new session is not taken into account, no change is required to the user. | 30346 |
| | "Windows domain" parameter contents not displayed at Windows account level. | 31004 |
| | Difference between language displayed by Windows and language effective in enrollment window. Correction Description: Proprietary dialogs take into account current language. | 29743 |
| | User id and password not cleared in the following procedure: after Ctrl+alt+del, press "other user", enter User Id and password but do not press OK, press again "other user". Correction Description: Empty buffer before GetSOSButtonTextCorrect: empty password on tile unselection. | 29332 |
| | After going back from hibernation, Advanced Login tile remains on "please insert your card". Even if the card is inserted, nothing happens. Correction Description: Retry framework connection when going back from hibernation. | 30526 |
| | Password and confirm password strings in English in a Japanese workstation. Correction Description: In editable fields, setting the contents must be done in a specific way. | 29334 |
| | PKA authentication does not work on Citrix server. Correction Description: Fix exchange of PKA data when connecting to a remote smart card reader. | 30570 |
| | Correction Description: Improvement: possibility to have a HelpDesk administration profile to enable only to generate a challenge. | 30710 |
| | Correction Description: Improve WGSS robustness on cache corruption. | 30316 |
| | Unstable behavior when defining an SSO technical reference with a connection window using a custom script. | 30448 |
| | Field detection does not work with Firefox 3.0.7. Abstract: A wrong refguid was passed to IServiceProvider::QueryService function. | 30575 |
| | Problem with next / back. | 29553 |
| | Newly added applications not deployed to desktops. | 30713 |
| | AD multi-domain configuration: problem of display of local domain security profiles. | 30736 |
| Module: SSOWatch | Crash SSOWatch. | 31826 |
| | SSO Watch goes in protection error when a document (pdf, picture) is opened in a transaction unit SAPGUI. Correction Description: Change in handling of SAP events. | 30828 |
| | Correction Description: Add support of lists. | 30621 |
| | Very long delay at startup of SSOWatch. Correction Description: If DontUseLogonUser key is set to 0 there is no user logon to know if the user is allowed to unlock a session not belonging to him (in this case, he is considered as not being able to do it). Even if this key is not set, if not in Advanced Login mode, this function is not called. | 31473 |
| | SSO Watch does not auto start once it has been modified in the Control Panel. Abstract: SSOWatch not started upon 'Modify' of the MSI. Correction Description: Better check Gina Stub status during un/installation. | 31035 |
For Quest® Enterprise Single Sign-On Service Pack 3 and earlier Release Notes, please click here.
The following is a list of issues known in this Service Pack.
| Feature | Issue | Defect ID |
| SSOWatch Upgrade | Some files which are shared by SSOWatch and Advanced Login may be duplicated in "C:\Program Files\Quest Software" and "C:\Program Files\Quest" when upgrading SSOWatch from a previous installation of Quest Enterprise Single Sign-On to version 8.02 SP4. This does not affect the functionality of either SSOWatch or Advanced Login. | 32057 |
| Custom script for ChangePassword/BadNewPassword | The BadNewPassword window is not detected when using a custom script for a Change Password window and a bad new password is entered. | 32152, 32135 |
This Service Pack is a complete rebuild and repackaging of all the Quest Enterprise Single Sign-On components.
The following Enterprise SSO 8.0 modules can be installed on the OS platforms detailed in the table below:
| Operating System | Service Packs | Mandatory Modules |
| Windows 2000 | SP2, SP3, SP4 | IE 5.5, 6.0 |
| Windows XP (Professional Edition) | SP1, SP2 | IE 6.0, 7.0 |
| Vista (All editions) | — | IE 6.0, 7.0 |
| Windows 2000 Server | SP2, SP3, SP4 | IE 5.5, 6.0 |
| Windows 2003 Server | Original, SP1, R1, R2 | IE 6.0, 7.0 |
| Windows 2008 Server | Original | IE 7.0 |
| Citrix Metaframe | 1.8 SP3 | IE 5.5, 6.0 |
| Citrix Metaframe XP | SP3 | IE 5.5, 6.0 |
Notes:
Enterprise SSO can access user information located in LDAP directories and use these directories to store SSO and security data. The directories supported by Enterprise SSO are:
| Directories | Operating System and/or Directory Versions |
| Active Directory | Windows 2000 Server SP4, Windows 2003 Server SP1 or SP2, Windows 2008 Server |
| Sun Java System Directory Server | Sun Java System Directory Server 5.2 |
| Fedora Directory Server | Fedora Directory Server 1.0.1 on Red Hat |
| OpenLDAP | OpenLDAP Directory 2.2.29 |
| Novell eDirectory | Version 8.7.3 min |
| IBM Tivoli Directory Server | Version 5.2 with fix pack 003 |
Enterprise SSO Server can store a “master” audit base on a relational database and has been validated with the following database versions running on Windows 2003 Server Enterprise Edition:
The audit cache base can also be one of the database types listed here.
| Components | Comment | Specification |
| SSOWatch, Advanced Login, Token manager | The Enterprise SSO client does not require significant resources on modern computers. For the recommended minimal configuration on Windows XP, see opposite. | |
| ESSO Console | The Enterprise SSO Console must run on a recent specification in order to access the audit base with satisfactory performance. The size of the hard drive hosting the audit base depends on how long you want to keep the log on-line before archiving it. The audit base does not need to reside on the Enterprise SSO server itself. For a rough estimate, see opposite. | |
For customers upgrading, there are no new Active Directory schema updates in this Service Pack.
Once the installation has been completed, you will be prompted to restart the Quest ESSO server. Please also be aware that the Quest ESSO services will automatically be restarted during the upgrade.
Once the installation has been completed, you will be prompted to restart the client workstation for the update to take effect.
Please refer to the Quest ESSO Installation Guide for detailed instructions regarding installation steps of the other components and for first time installations.
Alternatively, select 'Help' then 'About' on the desired component.
| info@quest.com | |
| Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA | |
| Web | http://www.quest.com |
Refer to our Web site for regional and international office information.
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract.
Quest Support provides around-the-clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com/.
From SupportLink, you can do the following:
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/Global%20Support%20Guide.pdf. This guide is available in English only.
© 2009 Quest Software, Inc. ALL RIGHTS RESERVED
This document contains proprietary information protected by copyright. The software described in this document is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.
If you have any questions regarding your potential use of this material, contact:
| legal@quest.com | |
| Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 | |
| Web | http://www.quest.com |
Quest, Quest Software, the Quest Software logo, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, ChangeAuditor, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, GPOAdmin, iToken, I/Watch, Imceda, InLook, IntelliProfile, InTrust, Invirtus, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, MessageStats, NBSpool, NetBase, Npulse, NetPro, PassGo, PerformaSure, Quest Central, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, vAMP, vAnalyzer, vAutomator, vControl, vConverter, vDupe, vEssentials, vFoglight, vMigrator, vOptimizer Pro, vPackager, vRanger, vRanger Pro, vReplicator, vSpotlight, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.