SafeNet Agent for Windows Logon

RELEASE NOTES

Version Number: 3.7.0

Customer Release Notes (CRN) - This document describes capabilities, resolved issues, limitations, and known issues for different product releases.

Product Description

The SafeNet Agent for Windows Logon is designed to help Microsoft enterprise customers ensure that valuable resources are accessible only by authorized users. It delivers a simplified and consistent user login experience, virtually eliminates help desk calls related to password management, and helps organizations comply with regulatory requirements.

The use of Two-Factor Authentication (2FA) instead of just traditional static passwords to access a Windows environment is a critical step for information security.

For a list of existing issues as of the latest release, refer to Known Issues.

Release Description

Release Summary – SafeNet Agent for Windows Logon v3.7.0

The following release has been issued for SafeNet Agent for Windows Logon v3.7.0:

General Availability Release - April, 2024

The SafeNet Agent for Windows Logon 3.7.0 release introduces the following three significant features.

User Choice of Authenticators (UCA)

This feature gives end-users the option to choose their preferred WLA authentication method during machine logon and unlock, based on their active tokens. The list of authenticators enrolled for the user (in STA) is displayed in a user-friendly way, and the user can save the preferred authentication method for subsequent machine logins.

For more details, refer to Running the Solution section.

User Choice of Authenticators (UCA) is only supported for interactive logon use cases. It does not apply to RDP and shared-folder access scenarios.

Multiple Offline Authenticators

This feature allows the end-users to choose their preferred WLA authentication method for machine access in offline mode. The list of authenticators, which support offline authentications, is intuitively displayed to the user to choose from. WLA now maintains the Remaining off-line authentications count for all the cached authenticator types.

Only the authenticators used for at least one online authentication are displayed, to be selected for offline authentication.

For more details, refer to Running the Solution section.

Number Matching

WLA now supports MobilePASS+ push with number matching feature, which secures push authentications to protect against MFA fatigue or push bombing attacks.

Number matching gives control to the user for every login request, because they must select the number in the push notification on their MobilePASS+ application as is displayed on the WLA login screen.

For more details, click here.

Limitation

While accessing an application via Run as different user (in outgoing RDP or shared folder access use cases), the WLA-agent installed machine displays the following UI (different than the number matching UI displayed in all other use cases):

[Image: UI displayed on the WLA-agent installed machine for Run as different user]

Kiosk Support

The agent is now supported in Kiosk mode for Windows 10 and Windows 11 64-bit operating systems.

Resolved Issues

The SafeNet Agent for Windows Logon 3.7.0 release resolves a customer-reported issue.

Issue Synopsis
SASNOI-19577 If interactive logon policy Display user information when the session is locked is set to Do not display user information and the user provides an empty username and password during unlock, then the user is blocked from accessing the machine as all subsequent authentications with the correct credentials fail. This issue is now fixed.

Known Issues

Issue Synopsis
SASNOI-19730 When the tokens assigned to a user in STA are in the suspended state, then,
- In online mode, the following error displays during login: No Authenticators found for this user. Please contact your administrator.
- In offline mode, all the authenticators on the UCA window are greyed out, and only the Emergency password option is available to log in.
Workaround: The user must cancel the error window and log in using the static password (as shared by the administrator).
SASNOI-19696 If there is a delay in performing authentication after entering the passcode, the UCA screen closes and falls back to the Windows screensaver.
Workaround: Press Ctrl+Alt+Del to unlock the machine and restart the authentication process. To avoid this from re-occurring, you may add IdleTimeOut (as a 32-bit DWORD with decimal value, for example, 60000) registry entry at the following location and set the idle timeout value as per your preference: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
SASNOI-19347 During authentication, the PUSH number challenge screen disappears when a user clicks outside this screen. However, the screen remains active and if the user hits the correct number on the PUSH notification, the PUSH is accepted.
Workaround: None. It will be fixed in a future release.
SASNOI-19836 Summary: While accessing the WLA machine in offline mode, just after an upgrade to v3.7.0, the UCA window displays Emergency password as the only option to log in.
Workaround: The user can either cancel the UCA window to use offline OTPs or provide an emergency password to log in.
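
The IdleTimeOut workaround for SASNOI-19696 above can be scripted for deployment. The following PowerShell is an added example, not Thales code: the function name and its parameter are illustrative, while the key path, value name, DWORD type and sample value 60000 are the ones given in the workaround.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the IdleTimeOut registry workaround from SASNOI-19696.
# Set-LogonUIIdleTimeOut and its -Value parameter are illustrative names.

function Set-LogonUIIdleTimeOut {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Decimal value to store; 60000 is the example in the release notes.
        [Parameter(Mandatory)]
        [ValidateRange(1, 2147483647)]
        [int]$Value
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
    $valueName = 'IdleTimeOut'

    if (-not (Test-Path -Path $keyPath)) {
        throw "Registry key not found: $keyPath"
    }

    # Report any existing entry first so the previous setting can be restored.
    $key = Get-Item -Path $keyPath
    if ($key.GetValueNames() -contains $valueName) {
        $oldKind  = $key.GetValueKind($valueName)
        $oldValue = $key.GetValue($valueName)
        Write-Verbose "Existing $valueName = $oldValue ($oldKind)"
    }
    else {
        Write-Verbose "$valueName is not currently set"
    }

    # -Force overwrites an entry that exists with a different type (for example a string).
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set DWORD to $Value")) {
        New-ItemProperty -Path $keyPath -Name $valueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Read back and return both the stored type and value for verification.
    $key     = Get-Item -Path $keyPath
    $present = $key.GetValueNames() -contains $valueName
    [pscustomobject]@{
        Path  = $keyPath
        Name  = $valueName
        Kind  = if ($present) { $key.GetValueKind($valueName) } else { $null }
        Value = if ($present) { $key.GetValue($valueName) } else { $null }
    }
}

# Preview the change with -WhatIf, then apply it.
Set-LogonUIIdleTimeOut -Value 60000 -WhatIf
Set-LogonUIIdleTimeOut -Value 60000 -Verbose
```

The returned object should show Kind as DWord and Value as the number supplied; any other Kind means the entry was not written as a 32-bit DWORD.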

Release Summary – SafeNet Agent for Windows Logon v3.6.3

The following release has been issued for SafeNet Agent for Windows Logon v3.6.3:

General Availability Release - March, 2024

The SafeNet Agent for Windows Logon 3.6.3 release resolves some customer-reported issues.

Issue Synopsis
SASNOI-17859 During logon or unlock, the user credential fields are displayed with a delay of a few (20-30) seconds, due to which a domain user is not able to log in to the machine.
This behavior is observed during network latency or when the domain controller is inaccessible and was reported in WLA v3.6.0. This issue is now fixed.
SASNOI-19195 After upgrading the agent from version 3.5.x to 3.6.x, users are able to log in in offline mode only after at least one successful online authentication.
This issue is now fixed and the users can log in in offline mode without the need of an online authentication.
SASNOI-19226 WLA fails to authenticate a user whose username contains “$” and displays an error.
After the fix, the username field supports “$” as a valid special character.
SASNOI-19578 If Don’t display username at sign-in interactive logon windows policy is enabled, and the user enters incorrect username while unlocking the machine, the Username field is not displayed again to enter the correct credentials. In this case, the user is blocked from accessing the machine.
After the fix, the login flow is working as expected.
SASNOI-18183 If a user switches from online to offline mode and attempts to launch an application via “Run as administrator” that must use an OTP, then the user is not prompted for an OTP.
After the fix, the authentication is working as expected in offline mode.
SASNOI-18237 After changing the AD password, the users were not able to log in with the changed password.
This is now fixed and the users can successfully log in with the changed password.
SASNOI-13324 During offline authentication, the agent did not accept emergency password for the user assigned with a GrIDsure token.
This issue is fixed and the user with a GrIDsure token can use the emergency password for offline authentication.
SASNOI-17887 If an invalid group is a part of the group filtering, the users experience a few minutes of authentication delay while receiving the PUSH notification.
This issue is now fixed and the SafeNet authentication with PUSH OTP works as expected.

Release Summary – SafeNet Agent for Windows Logon v3.6.2

The SafeNet Agent for Windows Logon 3.6.2 release resolves some customer-reported/known issues.

Upgrade Impact

While upgrading the agent, it is recommended to use the latest .agent file. For more details, refer to Upgrading the Agent section.

Resolved Issues

Issue Synopsis
SASNOI-18390 While unlocking or logging into a WLA 3.6.1 protected machine, the login screen flickers due to which a user is unable to access the machine. UI flickering is now fixed and the users are presented with the appropriate login screen.
SASNOI-17922 During logon/unlock, OTP and password fields are simultaneously displayed for a few (10-20) seconds due to which a user is not able to log in to the machine. This behavior is observed during network latency and was reported in WLA v3.6.0. This is now fixed and appropriate user credential fields (OTP and password) are displayed during the logon/unlock.

Release Summary – SafeNet Agent for Windows Logon v3.6.1

The SafeNet Agent for Windows Logon 3.6.1 release resolves some customer-reported/known issues.

Security fix

This release introduces a security fix for the most secure version of SafeNet Agent for Windows Logon. For more details, please refer to the security bulletin (ref: 20230704).

Resolved Issues

Issue Synopsis
SASNOI-16785 If “Microsoft Password Caching” is enabled and user enters incorrect password while executing an application with administrator privileges, then WLA caches the incorrect password. The user does not get the password prompt to provide the correct password anymore and hence is unable to execute the application. This is now fixed and WLA does not cache the password if incorrect.
SASNOI-16386 Offline authentication does not work for domain users added in a local group after restart. This is now fixed by caching the users’ appropriate group and the offline authentication works as expected.
SASNOI-17409 If a user provides “*@domain” in the username field, and the log level is set to DEBUG, all the usernames of the domain are written in the agent’s log file. This issue is now fixed by restricting the username field to only support valid username characters or formats.

Release Summary – SafeNet Agent for Windows Logon v3.6.0

The SafeNet Agent for Windows Logon 3.6.0 release offers some improvements and introduces the following features.

Application Sharing

With this release, a service provider can now share the Windows Logon application across multiple accounts (virtual servers). As a result, the users in each of these virtual servers can authenticate through the agent. Each account will manage the policies that control how their members access the shared applications. The application can be shared with up to 45 accounts that they are delegated to manage.

For more details, click here.

Two new registry settings, ApplicationId and ApplicationName, are introduced to represent the application created in STA.

Agent Deployment via Microsoft Endpoint Configuration Manager

Along with the existing agent deployment methods, Group Policy Object (GPO) and Intune, the agent can now also be deployed via a Windows-centric endpoint management tool, Microsoft Endpoint Configuration Manager, formerly known as Microsoft System Center Configuration Manager (SCCM). It enables the admins to deploy the agent on the client machines within or outside the corporate network.

For more details, refer to Deploying the agent via Microsoft Endpoint Configuration Manager section.

Enhancements

  • The Credential Provider in Policy tab of the SafeNet Windows Logon Agent Manager now defaults to Windows V2 Password Credential Provider. To wrap any other external (third-party) credential provider, for example, Microsoft Credential Provider V1, select Other Credential Provider, and enter its GUID in the subsequent text field. For more details, refer to the Policy section in Management tab.

    Additionally, the WLAasV1Provider registry setting has been removed from the ADML and ADMX template.

  • The user messaging has been improved in the existing login UI/UX for near native Windows experience. For new screens, refer to Running the Solution section.

  • The Use GrIDsure Token link, displayed on the login screen, is now renamed to Use a grid pattern.

  • A new parameter, AGENTSTATUS, is added to enable or disable the agent while installing the agent silently. For more details, refer to the Silent Installation section in Installing the Agent.

Release Summary – SafeNet Agent for Windows Logon v3.5.2

The SafeNet Agent for Windows Logon 3.5.2 release introduces an enhancement and resolves some customer-reported issues.

Enhanced Data Protection

The agent is now compatible with Microsoft Windows native FDE tool, BitLocker.

Extended Operating System Support

The SafeNet Agent for Windows Logon now adds support of Windows Server 2022.

Resolved Issues

Issue Synopsis
SASNOI-8458 The EmergencyPassword registry entry was missing in the WLA ADMX template. This registry entry has now been added in the ADML and ADMX template.
SASNOI-15298 Under specific scenarios, such as in sleep or hibernate mode, the WLA-protected machine did not prompt for an OTP on logon in accordance with the configured logon policy. After the fix, the agent works as per the applied logon policy.
SASNOI-12472 MobilePass+ did not show the application name when authentication request was triggered from a WLA-protected machine. After the fix, the application name (as configured in STA) is now displayed in MP+ for all the authentication requests.
SASNOI-14179 The More choices option was not visible while accessing an application with elevated privileges. This issue is fixed and the More choices option is now visible in the sign-in window for the user with elevated privileges.
SASNOI-16626 In some rare scenarios, after restarting the machine, the end-users were not able to authenticate in offline mode. This is fixed and the WLA offline authentication is now working correctly.
SASNOI-15825 When the laptop’s lid was shut, the Skip OTP on Unlock functionality did not work as expected. This is now fixed and the agent works as per the applied logon policy.

Release Summary – SafeNet Agent for Windows Logon v3.5.1

The SafeNet Agent for Windows Logon 3.5.1 release introduces a security fix and the following security improvement.

Security Improvement

A new registry setting, SetCachingToCurrentUser, is introduced to augment the secured storage of a user’s cached Microsoft password.

Security Fix

This release introduces a security fix for the most secure version of SafeNet Agent for Windows Logon. For more details, please refer to the security bulletin (ref: 18052022).

Release Summary – SafeNet Agent for Windows Logon v3.5.0

The SafeNet Agent for Windows Logon 3.5.0 release introduces the following new features and resolves some customer-reported issues.

Removed Support of exe

From this release onwards, the agent can only be installed and upgraded using msi. Agent installation and upgrade through exe is no longer supported.

Upgrade using msi will not work if you have previously installed the agent via exe. You need to take a backup of the configuration, uninstall the agent, install it again via msi, and then apply your previous configuration.

Azure Active Directory (AD) Support

SafeNet Agent for Windows Logon is now supported for pure and hybrid Azure AD joined machines.

Intune support for deployment of WLA is added. For detailed information, click here.

Limitations

Following are the limitations of WLA agent for Azure AD joined machines:

  • The Exempt Local/Domain Administrator strong authentication will not work with pure Azure AD joined machines for domain admins. However, this feature will work as expected for the local admins.

  • The Group Filter feature will not work with pure Azure AD joined machines for domain groups. However, this feature will work as expected for the local groups.

  • Third-party federation services with Azure AD joined machines are not supported.

Support of Interactive Logon Windows Policies

SafeNet Agent for Windows Logon now supports the following interactive logon windows policies:

  • Do not display last user name

  • Display user information when the session is locked

Microsoft Credential Provider V1 Support

The Microsoft Credential Provider V1 is now only supported for Windows Server 2012.

Resolved Issues

Issue Synopsis
SASNOI-14865 WLA did not retain existing users’ cached password after an MFA exempted user logs in to the machine. Subsequently, user/s of the machine are prompted for password on their next login. This is now fixed and the password caching functionality is working as expected.
SASNOI-14887 WLA failed to bypass the SafeNet OTP authentication on system unlock when the windows policy was set to hide the username at login/unlock screen. After adding the support for Interactive Logon Windows Policies, this issue is resolved.
NOTE: If the windows policy is set to hide the username, the screen will display a generic message "If you normally use a Token, please enter your PIN + OTP otherwise your Windows Password in Password Field".

Release Summary – SafeNet Agent for Windows Logon v3.4.5

The SafeNet Agent for Windows Logon 3.4.5 release introduces the support of Windows 11 and resolves some customer-reported issues.

Extended Operating System Support

The SafeNet Agent for Windows Logon now adds support of Windows 11 (64-bit).

Resolved Issues

Issue Synopsis
SASNOI-14353 After rebooting the WLA installed machine, the end-users were not able to authenticate in offline mode if the domain was not accessible. This is now fixed and the WLA offline authentication is working correctly.
SASNOI-14381 The Logon Policy for STA for Unlock and Logon were not applied after rebooting the WLA installed machine. This is now fixed and the Logon Policy is working as expected.

Release Summary – SafeNet Agent for Windows Logon v3.4.4

The SafeNet Agent for Windows Logon 3.4.4 release introduces some security fixes and improvements.

  • The Microsoft passwords of the domain administrators are no longer cached and stored by SafeNet Agent for Windows Logon.

  • The Microsoft passwords of other users are now protected with additional layers of encryption.

Security Fix

This release introduces security fixes for the most secure version of SafeNet Agent for Windows Logon. For more details, please refer to the security bulletin (ref: 2021112).

Release Summary – SafeNet Agent for Windows Logon v3.4.3

The SafeNet Agent for Windows Logon 3.4.3 release resolves some customer-reported issues.

Security Fix

This release introduces a security fix for the most secure version of SafeNet Agent for Windows Logon. For more details, please refer to the security bulletin (ref: 14102021).

Resolved Issues

Issue Synopsis
SASNOI-12798 WLA ignored the users in the exempted group and prompted for multi-factor authentication for all the users after a machine restart. This is now fixed and WLA does not prompt for MFA for users who are in the exempted group.
SASNOI-12894 When a user initiated an RDP session from a WLA protected machine, the "more choices" option was not visible thereby inhibiting the Switch User functionality. This is fixed, now the "more choices" option is visible and the Switch User functionality is accessible.
SASNOI-12787 Multi-factor authentication was bypassed when the group filter is selected to "Only selected groups must use SafeNet" by entering a username in an incorrect email format.
For more details, please refer to the security bulletin (ref: 14102021).
SASNOI-13543 For user logins configured to "Skip OTP on Unlock", the WLA protected machine used to hang during system unlock, if the user provides the correct password preceded by two incorrect password attempts. After the fix, the machine no longer hangs for the above scenario.

Release Summary – SafeNet Agent for Windows Logon v3.4.2

The SafeNet Agent for Windows Logon 3.4.2 release resolves some customer-reported issues.

Resolved Issues

Issue Synopsis
SASNOI-12926 The WLA offline authentication is now working correctly.
SASNOI-12391 The WLA login does not hang even if it does not have access to the VPN. The offline authentication works correctly in this case.
SASNOI-13027 The login screen flickering issue in Windows 10 is now resolved.

Release Summary – SafeNet Agent for Windows Logon v3.4.0

The SafeNet Agent for Windows Logon 3.4.0 release supports the below new features.

Network/IP based Policies for Logon

The SafeNet Agent for Windows Logon can now synchronize with the IP network based policy within the STA console for logon scenario. The re-authentication time for Windows logon is decided based on the public IP range specified in the policy. After the re-authentication time expires, users enabled with this policy would be prompted for an OTP.

  • The logon policy feature is not supported in Remote Desktop Protocol (RDP) sessions.
  • Currently, IPv6 is not a supported format for the logon policy.

Thales Branding

The SafeNet Agent for Windows Logon has been redesigned with the Thales branding.

With this release, the Management Console name is changed to SafeNet Windows Logon Agent Manager.

Reduced Operating System Support

The SafeNet Agent for Windows Logon v3.4.0 has now stopped the support for Windows 7 (32-bit, 64-bit) and Windows Server 2008 R2 (64-bit).

Release Summary – SafeNet Agent for Windows Logon v3.3.3

The SafeNet Agent for Windows Logon 3.3.3 release resolves some customer-reported issues.

Resolved Issues

Issue Synopsis
SASNOI-12141 The Windows 2019 machine now does not hang when the user (who is not a part of MFA group) logs in successfully through WLA after 2-3 wrong attempts initially.
SASNOI-12257 The login functionality now works correctly and the user does not get prompted for an OTP again if they enter a wrong AD password.

Release Summary – SafeNet Agent for Windows Logon v3.3.2

The SafeNet Agent for Windows Logon 3.3.2 release resolves some customer-reported issues.

Resolved Issues

Issue Synopsis
SASNOI-11688 On cancelling the PUSH authentication from the WLA login screen, the request took longer than expected to go back to the normal logon screen. Code refactoring has been done to resolve the issue.
SASNOI-11427 The PUSH message on the Windows Logon Agent did not show where the request was coming from. Now, the PUSH authentication request successfully displays a proper message on the pop-up window.

Release Summary – SafeNet Agent for Windows Logon v3.3.0

The SafeNet Agent for Windows Logon 3.3.0 release introduces the below new features and resolves a customer-reported issue.

Network/IP based Logon Policies

The SafeNet Agent for Windows Logon can now synchronize with the IP network based policy within the STA console. The re-authentication time for Windows unlock is decided based on the public IP range specified in the policy. After the re-authentication time expires, users enabled with this policy would be prompted for an OTP.

Currently, IPv6 is not a supported format for the logon policy.

Extended Operating System Support

The SafeNet Agent for Windows Logon v3.3.0 now supports Windows Server 2019 (64-bit).

Resolved Issues

Issue Synopsis
SASNOI-8729 The Remaining off-line authentications is now displayed correctly in the SafeNet Windows Logon Agent Manager window.

Known Issues

The below table provides a list of known issues as of the latest release.

Issue Synopsis
SASNOI-11134 Summary: When a wrong proxy password is given in WLA, the scenario does not work as expected.
Workaround: Restart the WLANotificationService.

Functionality not supported

The following functionality is not supported by SafeNet Agent for Windows Logon:

  • Skip OTP on Unlock with Remote Desktop Access

    There is no ReAuth token created when the user logs in through RDP for this. Hence, an error displays as there is no token found when verified for session validation.

Release Summary – SafeNet Agent for Windows Logon v3.2.0

The SafeNet Agent for Windows Logon 3.2.0 release introduces two new features and resolves a customer-reported issue.

Re-Authentication after Session Expiry

The SafeNet Agent for Windows Logon can now synchronize with the re-authentication time logon policy within the STA console. After the re-authentication time expires, users enabled with this policy would be prompted for an OTP.

Remotely configuring agent through GPO after installation

The SafeNet Agent for Windows Logon now allows the administrators to configure the agent with the updated configurations: Server Connection URLs and BSIDKey, remotely via GPO. With this release, the Agent Management Console is enhanced to pick up configurations from the latest agent file in the Installation Directory and configure the agent with the relevant values automatically. For more details, refer to the SafeNet Agent for Windows Logon Installation and Configuration Guide.

Resolved Issues

Issue Synopsis
SASNOI-10179 Group filtering on SafeNet Agent for Windows Logon is now working correctly.

Known Issues

The below table provides a list of known issues as of the latest release.

Issue Synopsis
SASNOI-10817 Summary: The Skip OTP functionality for SafeNet Agent for Windows Logon does not work as expected. If the WLA Notification Service is either stopped or deleted, the agent fails to bypass the SafeNet OTP authentication on system unlock.
Workaround: None, will be fixed in a future release.
SASNOI-11008 Summary: On Windows 8.1 unlock, the system does not always prompt for an OTP after a specific re-authentication time.
Workaround: None, will be fixed in a future release.

Release Summary – SafeNet Agent for Windows Logon v3.1.1

The SafeNet Agent for Windows Logon 3.1.1 release resolves a customer-reported issue.

Resolved Issues

Issue Synopsis
SASNOI-10566 Users could log in to the system using only the Windows password, bypassing the Push OTP, if the authentication attempt timed out. Now, the login functionality works correctly, and the SafeNet Authentication with the PUSH OTP is not bypassed erroneously.

Known Issues

The below table provides a list of known issues as of the latest release.

Issue Synopsis
SASNOI-10665 The Skip OTP on Unlock feature does not work as expected as Logon tab is disabled on STA. For the new users, the Skip OTP at Unlock will not work via the Agent Management Console.

Release Summary – SafeNet Agent for Windows Logon v3.1.0

The SafeNet Agent for Windows Logon 3.1.0 release introduces a new feature and resolves some customer-reported issues. This release has reintroduced the support for the FIPS mode.

Logon Policies Sync with STA

This release enables SafeNet Agent for Windows Logon to sync logon policies configured from the STA console. A customer or operator can now configure logon policies from the STA console through the Logon Policies tab, and the configured policies are synced with SafeNet Agent for Windows Logon on the next authentication request.

Resolved Issues

Issue Synopsis
SASNOI-6639 WLA server status check and Authentication from console is working fine now with TVP (Enable SSL Certificate Check).
SASNOI-10258 Users can now log in to the agent in the Spanish language. While logging in to the agent, there is no need to change the language.

Release Summary – SafeNet Agent for Windows Logon v3.0.0

The SafeNet Agent for Windows Logon 3.0.0 release introduces a new feature. This release excludes the support for the FIPS mode.

WLA Integration with STA

This release enables the SafeNet Agent for Windows Logon to be integrated with STA. A customer or operator can now add the WLA application within the application management and download installer, configuration and GPO files from the STA console. With this release, the installer is also enhanced to pick up the server connection configurations from the relevant file and automatically configure the agent.

Release Summary – SafeNet Agent for Windows Logon v2.3.5

The SafeNet Agent for Windows Logon 2.3.5 introduces support for:

  • The FIPS mode within the operating system with AES-GCM and RSA key standards.
  • The FIPS mode for decrypting the agent’s BSID key.

Release Summary – SafeNet Agent for Windows Logon v2.3.2

The SafeNet Agent for Windows Logon 2.3.2 release resolves some customer-reported issues.

Resolved Issues

Issue Synopsis
SASNOI-8920 The agent now enforces Local Administrator Accounts through GPO or Registry.
SASNOI-9013 The domain security groups are not excluded from Two-Factor Authentication (2FA).
SASNOI-9761 If the logged-in user's user ID is a single character, the agent does not display the offline OTP count.

Release Summary – SafeNet Agent for Windows Logon v2.3.1

The SafeNet Agent for Windows Logon 2.3.1 release resolves some customer-reported issues.

Resolved Issues

Issue Synopsis
SASNOI-9046 The agent now enforces 2FA for users who login using alternate UPN suffix.
SASNOI-9045 The Windows Logon screen does not become unresponsive on losing the network connection. Code refactoring has been done, ensuring that if the login functionality does not work, the users are authenticated using the offline mode.
SASNOI-8855 The group membership functionality now applies correctly, ensuring that the members in the bypass SafeNet authentication group can now login using only their AD credentials.
SASNOI-8849 Some code modifications have been made, improving the login speed of the agent.
SASNOI-8839 If an internet timeout error is encountered, the users are authenticated using the offline mode.

Release Summary – SafeNet Agent for Windows Logon v2.3.0

The SafeNet Agent for Windows Logon 2.3.0 release introduces two new features.

Bypass SafeNet Authentication on System Unlock

The SafeNet Agent for Windows Logon now allows the administrators to bypass SafeNet OTP authentication on system unlock. The feature, Skip OTP on Unlock, reduces the friction of entering an OTP every time a user unlocks a machine. For more details, refer to the SafeNet Agent for Windows Logon Installation and Configuration Guide.

Bypass SafeNet Authentication for All Applications

The SafeNet Agent for Windows Logon now allows the administrators to bypass SafeNet OTP authentication for all applications at once, by adding a wildcard, an asterisk (*), in the FilterProcess Registry flag. The feature is useful in instances where an administrator does not explicitly want to add all the applications that must be excluded from the OTP authentication. For more details, refer to the SafeNet Agent for Windows Logon Installation and Configuration Guide.

Release Summary – SafeNet Agent for Windows Logon v2.2.8

The SafeNet Agent for Windows Logon 2.2.8 release introduces an enhancement and resolves some customer-reported issues.

Enhanced Security

The AES-GCM encryption algorithm is now used to provide a faster and more secure way to protect data exchange between the SafeNet Agent for Windows Logon and the SAS solution. Enabled by enhanced security, the agent delivers a more robust and dependable authentication experience. A more secure key standard, like AES-GCM, can also help you comply with your organization's security policy requirements.

This feature is supported on SAS Cloud and SAS PCE/SPE v3.8.1 onwards.

To use the AES-GCM key standard, the administrator has to download a new Agent.bsidkey file from the SAS, and update the same (in the agent) at Configuration Management > Communications > Agent Encryption Key File.

Resolved Issues

Issue Synopsis
SASNOI-8871 Leading and trailing spaces in usernames will now be removed by the agent, and only the trimmed values will be passed to the Active Directory for group lookup. This ensures that the group filter functionality applies correctly, and the SafeNet authentication is not bypassed, erroneously.
SASNOI-8651 MSI silent installation documentation enhanced. For details, refer to the SafeNet Agent for Windows Logon Installation and Configuration Guide.
SASNOI-8622 The SafeNet Agent for Windows Logon will now correctly authenticate users via the offline mode even during network connectivity issues or unavailability of the Domain Controller.
The issue was encountered since the user groups were getting partially fetched due to network disruptions, leading to authentication bypasses.

SASNOI-8309 Users will now be able to successfully authenticate to their machines after a Sleep operation.
SASNOI-6646 Group Filter functionality (available on the Policy tab of the SafeNet Windows Logon Agent Manager) now works for users in the external domain, allowing administrators to enforce or bypass the SafeNet authentication, as per their requirements.
SASNOI-3115 Administrators will now be able to successfully authenticate to a user's machine (as the user) using the emergency password.
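
The two bypass fixes in this table (SASNOI-8871 and SASNOI-8622) both describe a group-filter decision that fails open. The following is an added example, not the agent's own code: a simplified Python model in which the directory contents, the OTP-Required group name and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed directory data; user and group names are illustrative only.
DIRECTORY = {
    "alice": {"Domain Users", "OTP-Required"},
    "bob": {"Domain Users"},
}
ENFORCED_GROUPS = {"OTP-Required"}  # hypothetical "selected groups" of the filter


@dataclass
class LookupResult:
    groups: set
    complete: bool  # False when the directory answered only partially


def lookup_groups(username, fail_after=None):
    """Simulated group lookup. fail_after=N models a network drop after N
    groups were returned. Unknown names give an empty but complete result."""
    groups = sorted(DIRECTORY.get(username.lower(), set()))
    if fail_after is not None and fail_after < len(groups):
        return LookupResult(set(groups[:fail_after]), complete=False)
    return LookupResult(set(groups), complete=True)


def otp_required_naive(username, fail_after=None):
    """Fail-open: raw username is looked up and a partial result is trusted."""
    result = lookup_groups(username, fail_after)
    return bool(result.groups & ENFORCED_GROUPS)


def otp_required_hardened(username, fail_after=None):
    """Trim before lookup; anything short of a full answer keeps OTP on."""
    name = username.strip()
    if not name:
        return True
    result = lookup_groups(name, fail_after)
    if not result.complete:
        return True  # partial fetch: never treat missing groups as "not a member"
    return bool(result.groups & ENFORCED_GROUPS)


if __name__ == "__main__":
    cases = [("alice", None), (" alice ", None), ("alice", 1), ("bob", None)]
    for user, drop in cases:
        print(repr(user), drop,
              "naive:", otp_required_naive(user, drop),
              "hardened:", otp_required_hardened(user, drop))
```

In this model a user outside the enforced group (bob) still skips OTP when the lookup completes, so the hardened check changes only the cases where the lookup itself was unreliable.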

Release Summary – SafeNet Agent for Windows Logon v2.2.7

The SafeNet Agent for Windows Logon 2.2.7 release introduces new features and resolves some customer-reported issues.

Exclude Credential Filters

Administrators can modify the CompatibleFilters registry entry to add Credential Filters of specific Credential Providers, which are compatible and can be wrapped with our custom Credential Provider. For more details, refer to the SafeNet Agent for Windows Logon Installation and Configuration Guide.

Bypass SafeNet Authentication

To prevent applications from applying the SafeNet authentication, administrators can modify the FilterProcess registry entry. For more details, refer to the SafeNet Agent for Windows Logon Installation and Configuration Guide.

Resolved Issues

Issue Synopsis
SASNOI-8245 A correct error message is displayed when the SAS service times out during the logon process.
SASNOI-8237 Users can configure the Communication Timeout field up to 1 second.
SASNOI-8234 ACL vulnerability is now fixed for WLA agent.
SASNOI-7855 Users can log on using the WLA agent with the maximum supported PIN length and number of disconnected authentications.
SASNOI-6858 Incompatible Filter warning is removed for SpecOps uReset client when accessing SafeNet Windows Logon Agent Manager console.

Release Summary – SafeNet Agent for Windows Logon v2.2.6

The SafeNet Agent for Windows Logon 2.2.6 release resolves some customer-reported issues.

Resolved Issues

Issue Synopsis
SASNOI-8143 The Communication Timeout setting will now work even if there is congestion or blockage in the underlying network.
SASNOI-8069 Users will now be able to successfully log in, after a reboot or from the lock screen, using the V2 credential provider. The SafeNet Agent for Windows Logon now submits authentication requests in the correct format, REALM\username.

Release Summary – SafeNet Agent for Windows Logon v2.2.5

The SafeNet Agent for Windows Logon 2.2.5 release resolves some customer-reported and known issues.

Resolved Issues

Issue Synopsis
SASNOI-7773 It is now possible to switch between users even if the SafeNet Agent for Windows Logon is in the enabled state.
SASNOI-7623 The Username field cannot be edited after providing an incorrect AD password, ensuring that login attempts by any other user are not possible.
SASNOI-7506 The credential tile provider, Courion AD Password Reset (Core Security, SecureAuth), now wraps correctly with the SafeNet Agent for Windows Logon v2.2.1.

Release Summary – SafeNet Agent for Windows Logon v2.2.4

The SafeNet Agent for Windows Logon 2.2.4 release includes a feature enhancement, and resolves some known issues.

Domain Groups not Nested in Local Groups

When selected, the option Domain groups are not nested in Local group indicates that no Nested Groups (Domain groups nested in the Local group) are present in the Selected Groups field. Domain lookup is skipped in such a case, which helps reduce the login delay.

To enable this option, navigate to SafeNet Windows Logon Agent Manager > Policy > Group Authentication Exceptions.

Resolved Issues

Issue Synopsis
SASNOI-7340 The SafeNet Agent for Windows Logon now switches over to the primary SAS server (if it becomes available) before the timeout if the secondary SAS server is not configured, or is unavailable.
SASNOI-7230 The performance of the SafeNet Agent for Windows Logon is enhanced, ensuring faster logins.
SASNOI-7022 The SafeNet Agent for Windows Logon now allows users to successfully authenticate (using Offline authentication) on Windows 10 machines when connected through a Wi-Fi network, not connected to the LAN.
SASNOI-6901 The SafeNet Agent for Windows Logon v2.1 now allows users to log in successfully using certificate/smartcard-based authentication.
SASNOI-6328 All exempted AD users of nested groups are now correctly bypassed from SAS OTP authentication.
SASNOI-3012 Since .NET 3.5 Framework is deprecated for Windows 8.1/10, the dependency to install it for running the agent is now removed. The SafeNet Agent for Windows Logon works on .NET 4.5 Framework.

Release Summary – SafeNet Agent for Windows Logon v2.2.1

The SafeNet Agent for Windows Logon 2.2.1 resolves a customer-reported defect.

Resolved Issues

Issue Synopsis
SASNOI-7200 Normal users will now be able to access the SafeNet Agent for Windows Logon console without any error.
SASNOI-6710 After a user’s password reset, the user will now be able to change his or her password at the time of next login.

Release Summary – SafeNet Agent for Windows Logon v2.2.0

The SafeNet Agent for Windows Logon 2.2.0 introduces a new feature and resolves some customer-reported defects.

Third Party Network Provider Software Compliance

It provides the following two options:

  • Allow all applications: This option allows you to install the agent without updating the registry keys under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]. This option is selected by default on the Management console.

Sometimes, selecting this option creates a conflict between the SafeNet Agent for Windows Logon and the third-party network provider software. In such a case, you need to uninstall the third-party network provider software and remove its registry entry. Before executing this operation, you need to perform the following steps:
1. Ensure that the Allow all applications option is selected, and click Apply.
2. Close the Management console.

  • Allow only SafeNet compliant applications: This option allows you to reset the registry key under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order] to "ProviderOrder"="RDPNP,LanmanWorkstation,webclient".

Resolved Issues

This release resolves some known issues. Please find below details of the solutions provided.

Issue Synopsis
SASNOI-6691 Users will now be able to add local groups in the SafeNet Agent for Windows Logon.
SASNOI-6601 After the agent installation or while opening the Windows Logon Agent console, the network provider doesn’t get changed automatically.
SASNOI-6563 The Windows Logon Agent is now working as per the proxy server settings.

Release Summary – SafeNet Agent for Windows Logon v2.1

The SafeNet Agent for Windows Logon 2.1 introduces new features and resolves some customer-reported defects.

Allow Network Path without OTP

A capability to enable/disable network path access without OTP is added to the Policy tab of SafeNet Windows Logon Agent Manager. The Allow windows explorer without OTP checkbox, if enabled, allows Windows explorer to run without SafeNet Authentication (bypassing the SafeNet OTP option).

Extended Operating System Support

The SafeNet Agent for Windows Logon 2.1 now supports Windows Server 2016 (64-bit).

Support for Credential Providers

Support for the following Credential Providers is added:

  • Microsoft Credential Provider Tile Version 1 (V1)

  • Microsoft Credential Provider Tile Version 2 (V2)

  • Other [external (third-party)] Credential Provider(s) (like, ServiceNow)

Wrap Third-Party Credential Providers

By default, the SafeNet Agent for Windows Logon wraps Microsoft Credential Provider. A new setting enables an administrator to wrap other external providers as well.

Display Other Credential Providers

By default, the SafeNet Agent for Windows Logon filters out (does not display) any other credential provider. Using the DoNotFilter registry entry, administrators can enable a view where other credential providers can also be displayed.

Resolved Issues

This release resolves some known issues. Please find below details of the solutions provided.

Issue Synopsis
SASNOI-6583 Users will now be able to successfully log in to Windows 10 machines via RDP using AD credentials. The Allow outgoing RDP connection without OTP functionality is fixed, ensuring that SAS authentication can be bypassed, if required, when making an outgoing RDP connection.
SASNOI-6554 The cursor now positions back to the Password field after an unsuccessful login attempt.
SASNOI-6327 Unlocking a Windows 10 machine (after the SafeNet Agent for Windows Logon 2.1 installation, but on a machine not having ServiceNow) now displays the login screen. Earlier, it used to display only a blank screen.
SASNOI-6318 Login Tiles on a Windows 7 machine (after the SafeNet Agent for Windows Logon 2.1 installation, but on a machine not having ServiceNow) are now displayed even after entering ServiceNow GUID in WrapCredentialProvider registry entry.
SASNOI-6256 Users will now be able to access the network shared path on Windows 8 (and 8.1) machines.
SASNOI-6225 The Hide Microsoft credential tile option (of Credential Tile Filter dropdown menu in the Policy tab) now hides the Windows credential tile from the user.
SASNOI-6220 The Username field is now available with non-English languages on Windows 10 machines.
SASNOI-6169 The authentication conflict between the SafeNet Agent for Windows Logon and Govt CAC Smart Card login is now resolved by adding a capability to enable/disable network path access without OTP. The Allow windows explorer without OTP check box, if enabled, allows Windows explorer to run without SafeNet Authentication (bypassing the SAS OTP option).
SASNOI-6133 The message, If you normally use a Token, please enter your PIN + OTP otherwise your Windows Password in Password Field now also displays for Windows 7 login screens, making it consistent with Windows 8 and Windows 10 login screens.
SASNOI-6131 The Other User tile, which was earlier displayed when a user attempted to log off/switch user on a Windows 7 machine, is now removed. When a user now attempts to log off/switch user on a Windows 7 machine, the user will directly be prompted for an OTP to unlock the machine.
SASNOI-2890 The SafeNet Agent for Windows Logon 2.1 now supports .NET 4.5 package, thus resolving the TLS 1.1/1.2 issue over Hyper Text Transfer Protocol Secure (HTTPS) connections.
SASNOI-2721 The support for Microsoft Credential Provider Tile Version 2 ensures that third-party password reset tools now display the password reset text link while the SafeNet Agent for Windows Logon is enabled and working.

Release Summary – SafeNet Agent for Windows Logon v2.0

The SafeNet Agent for Windows Logon 2.0 introduces new features and repairs several customer-reported defects.

Push Authentication

The SafeNet Agent for Windows Logon supports Push OTP when working with MobilePASS+.

Push Authentication is supported when working with SAS Cloud Edition. For SAS PCE/SPE, Push Authentication is only supported with version 3.9 (and onwards).

ADMX Support

The SafeNet Agent for Windows Logon 2.0 supports the use of ADMX files for defining the Administrative Template policy settings in the Windows Group Policy tools.

Performance of the Active Directory Search feature has been enhanced.

Proxy Server Settings

Proxy server settings can now be configured in the Configuration Management interface.

Gemalto Branding

The SafeNet Agent for Windows Logon Management user interface has been redesigned with Gemalto branding.

Resolved Issues

This release resolves some known issues. Please find below details of the solutions provided.

Issue Synopsis
SASNOI-2882 The SafeNet Agent for Windows Logon now supports TLS 1.1/1.2 on Windows 7 with the agent configured without TVP.
SASNOI-3132 Windows password is now validated correctly in Windows 10 Spanish.
SASNOI-2963 The Exempt Administrator feature now functions as expected.
SASNOI-2892 Windows 10 now remembers the previous user name.
SASNOI-2907 SASNOI-3113 Performance has been greatly enhanced when logging on with the SafeNet Agent for Windows Logon.
SASNOI-2896 In Windows 8 the Switch User option is now supported.
SASNOI-2897 The GrIDsure logon grid is now displayed at an appropriate size and with a high visual quality.
SASNOI-3122 The failover setting (selected or not selected) configured during the installation process is now applied correctly in the Configuration Management window following installation.
SASNOI-2978 The Windows Group Policy security settings option Do not display last user name now functions correctly.

Advisory Notes

Proxy Settings Following Upgrade

If proxy was activated in the SafeNet Agent for Windows Logon 1.13, to continue working with proxy following upgrade to version 2.0, go to Configuration Management > Communications > Proxy Settings, enter the credentials (username and password) and click Apply.

Known Issues

The following table provides a list of known issues as of the latest release.

Issue Synopsis
SASNOI-19218

Summary: The "Exempt Local/Domain Administrator strong authentication" feature does not work for the users of a custom domain group who are also nested members of any of the following built-in groups.

- Domain Admins

- Enterprise Admins

- Schema Admins

- Group Policy Creator Owner

In this case, the users are not able to bypass the SafeNet OTP and they need to log in via MFA.

Workaround: None. It will be fixed in a future release.

SASNOI-19527

Summary: Offline authentication does not work after the agent upgrade from v3.4.x.

Workaround: The end-users need to perform at least one successful online authentication for subsequent offline login attempts.

SASNOI-17150

Summary: The default value of 10 for the Minimum offline threshold setting in the management console cannot be changed.

Workaround: None. It will be fixed in a future release.

SASNOI-14902

Summary: After upgrading the agent, the password caching feature does not work when logging in to a WLA protected machine, even if Enable Microsoft Password Caching is selected in the SafeNet Windows Logon Agent Manager > Policy tab.

Workaround: After the upgrade, users need to provide their password for the first login to a WLA protected machine. For subsequent logins, password caching feature works as expected.

It will be fixed in a future release.

SASNOI-12552 Summary: The Skip OTP on Unlock feature does not work for the subsequent unlock after logout. After that one instance, it works as expected.
SASNOI-12518 Summary: After configuring network policy for skipping OTP on logon, OTP won't be skipped for a new user logging in for the first time using "other user" logon tile. For all subsequent login attempts for that user, OTP would be skipped according to the network policy.
SASNOI-8630

Summary: It is not possible to enforce SafeNet authentication on nested groups over an external domain.

Workaround: None, will be fixed in a future release.

SASNOI-2825

Summary: In Windows 8, 10, Server 2012 and Server 2012 R2, the Autoadminlogon feature does not function.

Workaround: None, will be fixed in a future release.

SASNOI-3323

Summary: Hybrid Mode is not supported when a Local User is included in a Domain Group.

Workaround: None, will be fixed in a future release.

SASNOI-2818

Summary: If SafeNet Agent for Windows Logon is installed on an Exchange Server machine, when accessing the Windows Logon agent application console, the user is prompted for an OTP password when not required.

Workaround: None, will be fixed in a future release.