2.0.78
------
* Released December 28, 2016
* Allow MSI caller to specify MACHINETYPE property, so that image builders can install AuthLite before joining the eventual machines to the domain.
* Extra code to gracefully handle when the MS API RegisterWaitForSingleObject WT_EXECUTEONLYONCE occasionally executes more than once.

2.0.77
------
* Released October 29, 2016
* Installer flags added to prevent install on Server 2016 (use 2.2) and servers with "Additional LSA Protection" configured (not supported yet)

2.0.76
------
* Released July 29, 2016
* Added support for YubiKey v4 in "OTP"-only mode

2.0.75
------
* Released March 17, 2016
* Update installer and files to new EV Authenticode signing certificate.

2.0.74
------
* Released November 17, 2015
* Support for YubiKey version 4

2.0.73
------
* Released July 13, 2015
* (Note there was no public release of 2.0.72)
* Add option to preserve old log files instead of clobbering them back to _0 at each system boot. Only (optionally) used by core presently.
* Fixed Service's check of the "auto dump" registry flag, so that stopping the service properly triggers a log dump operation. Useful to capture tailing logs at system shutdown (since auth providers do not get any kind of notification of this).
* Log version number in core log.
* Check for presence of "natural" 2-factor tag before doing 2FC checks. E.g. when using Domain Admins in that capacity and a natural (non-AuthLite) DA logs on, skip 2FC checks against the session. Without this check, the natural DA could be blocked by 2FC policy even though it is not in actuality an AuthLite user.
* Include Logon Server in client logon events.

2.0.71
------
* Released July 5, 2015
* Allow 1F->2F tag replacement to work on authentications that have an implied OTP, such as post-LDAP authentications.
2.0.70
------
* Released July 1, 2015
* Fix whitespace problem in LDIF import files (only affects manual schema importers)
* Grant RODCs permission to write to the counter update timestamp attribute by default.

2.0.69
------
* Released June 17, 2015
* Added "System" checkbox to "Forced 2-Factor Processes" dialog. This is useful for 2012 R2 Remote Desktop Gateway, which no longer sends the real authentication through the "tsgateway" service.

2.0.68
------
* Released June 1, 2015
* Refactor and improve workstation credential tracking to catch some cases where offline logon could break after some online/offline lock/unlock combinations.

2.0.67
------
* Released April 27, 2015
* Credential provider UI: Don't statically depend on DSOUND.dll because Server Core doesn't have it. Fixes error on 2008 server core (2012 server core broke too, but silently failed).

2.0.66
------
* Released April 16, 2015
* Add support for YubiKey Edge production version.

2.0.65
------
* Released April 15, 2015
* Add optional property NOSHORTCUTS=1 to MSI so it can be installed without dropping any shortcuts into start menus (all functionality remains)

2.0.64
------
* Released March 11, 2015
* Allow proper logon of usernames for non-AuthLite users to end in a dash followed by digits.
* Stop trying to update DPAPI secrets on a DC, which led to (harmless) error messages.

2.0.63
------
* Released March 2, 2015
* Map logon types to text for more readable event log entries.
* Avoid certain scenarios where Windows caches a 1-factor password hash on the machine even though 2-factor authentication is enforced for that user. For further information, see http://www.collectivesoftware.com/_kb/authlite-upgrade-advisory-4

2.0.62
------
* Released January 23, 2015
* Added support for NPS/IAS servers that reside on domain member servers which are not domain controllers.
2.0.61
------
* Released January 7, 2015
* Fixed a limitation in the installer which caused upgrades to v2.0.60 to fail, because the event source "AuthLite" already existed during the install phase. This occurred because the event source was being directed to a different file. The installer now notices this situation and removes the old event source before installing the new one.

2.0.60
------
* Released January 5, 2015
* Moved logging of ALL AuthLite events out of the general "Application" event log into the "AuthLite Security" event log. Customers seem to gravitate toward the latter and not understand they need to look in the former. So hopefully this will be less confusing. Also the general app log is not really designed for high volume logging anyway.

2.0.59
------
* Released January 4, 2015
* NFC Listener DLL now ignores smart card readers whose name starts with "Yubico", because that indicates that a YubiKey NEO is plugged into USB, and that will not help us read NFC OTPs.
* Also, disable the Credential Provider's NFC triggering when it is being used in a client application such as Remote Desktop. Otherwise, it will compete with the "NeoNfc" system tray application.

2.0.58
------
* Released December 5, 2014
* Add support for detecting YubiKey Plus hardware ID so it can be programmed for use with AuthLite. This is NOT using the U2F feature of the keys, simply supporting the OTP and Challenge/Response as usual. (Every time Yubico has a new product we need to integrate a new product ID to recognize it.)

2.0.57
------
* Released November 25, 2014
* Add additional logic to better secure LDAP client requests. For more information, see http://www.collectivesoftware.com/_kb/authlite-upgrade-advisory-3

2.0.56
------
* Released November 3, 2014
* Support for recognizing U2F NEOs as YubiKeys so AuthLite can program them (in OTP mode).
2.0.55
------
* Released October 5, 2014
* Option to allow all domain controllers to infer when a YubiKey replay window has been opened by one of their peers. This can prevent replay failures when you have extremely fast intra-site replication. In order to use this feature successfully, the clocks on your DCs must agree very closely.

2.0.54
------
* Released September 15, 2014
* Allow administrative override when selecting strange groups for User Group Pairs. This allows admins to select Domain Admins as a 2-factor Tag group, and other useful things.
* Removed old "CREATEREPLICA=0" code from installer, as it no longer works. The correct command line argument for the installer is now: ADDLOCAL=Replica,DataManager,Nfc or some subset of that comma-delimited list. Without specifying ADDLOCAL, it takes defaults, which are currently to install Replica and DataManager on DCs.

2.0.53
------
* Released August 26, 2014
* Catch a possible unhandled exception that could occur if the logon session is closed so fast that UpdateSecrets runs after it is already gone.
* 2-factor Computers gains the ability to enforce by IP address/range, which is not susceptible to computer name tracking failures.
* Added UI to control event log threshold globally.

2.0.52
------
* Released August 19, 2014
* NFC reader support for YubiKey NEO at login screen and on the desktop. Requires an NFC PC/SC smartcard reader, or a Windows 8 "Proximity" class device.
* Refactor installer UI to allow easier feature selection.

2.0.51
------
* Released August 14, 2014
* Fix a race condition that resulted in a momentary use-after-free of a handle. This could in principle cause heap corruption and thus an eventual crash on busy systems.

2.0.50
------
* Released August 7, 2014
* Installer flag DATAMANAGER=1 to put Data Manager onto non-DCs if desired.
  Must connect to a DC by File -> Connect -> Other Active Directory Partition, then entering the IP of a DC (other fields can remain blank).

2.0.49
------
* Released July 9, 2014
* Protect against Kerberos ticket processing trying to run twice at the same time.
* When the logged on session is 1F and the unlock is 2F, we were getting unhandled exceptions because the 2F unlock did not anticipate that its primary session might not have a 2F secret in it.
* Fix 1-factor PAP (RADIUS) to support OATH code in the password field.

2.0.47
------
* Released May 9, 2014
* Change default Subauth fail cases from returning STATUS_WRONG_PASSWORD to STATUS_LOGON_FAILURE. This prevents Windows from forwarding the request to the PDC-Emulator, which is not something we want to do if we know the authentication should fail. (If the PDC-Emulator gets the request, then it will see the forwarder as the client, and perhaps make the wrong decision about enforcing 2FA.)

2.0.46
------
* Released May 7, 2014
* New setting that allows AuthLite to discern the IP address of an LDAP client doing a bind, and use that IP as the authentication "source" for purposes of 2-factor Computers list and Replay Windows. Prior to this ability, all LDAP authentications always appeared to originate on the localhost DC itself, due to the design of Microsoft's LDAP service.

2.0.45
------
* Released April 24, 2014
* Correct a LogWarning format bug that could lead to a thread crash if the customer had extra debug logging turned on.
* Fix for users who received "Incorrect Password" when they tried to log in to an offline workstation: treat the alphabetic case of the username the same way Windows is doing internally. Thanks to several customers for assisting to find and resolve this issue.

2.0.44
------
* Released April 10, 2014
* Fix error that prevented certain Server 2012 DCs from booting successfully when AuthLite is installed. (Was not intermittent, but depended on each DC.)
* Fixed several issues with Read-only DC support.
* Switched reader/writer lock underpinnings from custom classes to Boost library shared_mutex.
* Implemented TCP connection pooling between the authentication core and the AuthLite Service. (Fixes issue where customers with many thousand authentications per minute on a DC could run out of ports due to TCP TIME_WAIT.)

2.0.42
------
* Released March 10, 2014
* Fixed a bug in token enrollment challenge/response to properly support domains that reject NTLMv1 responses.
* Clean up app.config files to avoid a service startup bug on XP.
* Allow forest-wide selection of AuthLite Group Pairs. This enables each domain (if properly configured) to notice the AuthLite traits of users from other domains in the forest.

2.0.41
------
* Released February 7, 2014
* Added a missing function to support 2-factor IAS on some Windows 2003 servers

2.0.40
------
* (Not released separately, see next release date)
* When the directory service thread queue is full, pick and run queued local LDAP traffic on extra threads, in order to prevent the possibility of starvation deadlocks. This functionality replaces a partial workaround that had been in place since the origin of AuthLite v2. The older solution could still occasionally result in deadlocks during the busiest times on a loaded server; something we did not see in the wild until now. This superior new approach should entirely prevent the possibility.

2.0.39
------
* Released January 2, 2014
* When IAS/NPS plugin is active, force authentications from that service to enforce 2-factor for AuthLite users. This is the common sense expected behavior, but could have been broken by setting Replay policy behavior to Retry, depending on other configurations. For further information, see http://www.collectivesoftware.com/_kb/authlite-upgrade-advisory-2
* Skip logon client processing on a DC during AccessForTrustee calls, so the thread's memory of the calling process is retained properly in all cases.
2.0.38
------
* Released December 22, 2013
* Run partition container create and permission set operations always, not just upon new partition creation. Add option NORODC=1 to skip RODC permission setting.

2.0.37
------
* Released December 8, 2013
* Don't show Remote Data Store config tab on an RODC
* Replica installer changes: If a replica is requested on an RODC, put it into the correct property. Before, the RODC would attempt to acquire a writeable copy, which is impossible, and the servers would just ref-bounce to a functional copy on a Writeable DC.
* Partition installer changes: Upon new partition creation (or forced REPAIRPARTITION=1) add read permissions for RODCs, and write permission to the counter attributes. Better error catching for issues that crop up due to lagging replication.
* AD Data store: if operating on an RODC, send writes to a Writeable DC.

2.0.36
------
* Released November 29, 2013
* Allow AuthLite's .NET apps and service to function on a system with FIPS group policy enabled. This requires .NET Framework v4.
* Warn about a system's FIPS compliance status during installation.

2.0.35
------
* Released November 26, 2013
* Add Authenticated Users (this object only) Read permissions on partition root, so non-admins can traverse it to read the Settings container. This fixes a bug caused by over-tightened permissions from the AuthLite Upgrade Advisory #1 release.

2.0.34
------
* Released November 18, 2013
* Added support for token-specific intervals.
* Added UI support for importing hardware TOTP OATH tokens.
* Added support for auto-initializing and tracking OATH token time drift.

2.0.33
------
* Released November 17, 2013
* Fix for Key Programmer that missed one case where YubiKey programming failed but was reported as success.
* Added support for YubiKey "locking" (access codes) to Key Programmer.
* Fix bug introduced in 2.0.30 that caused old Replay Window settings to be ineffective until re-saved in new format.
2.0.32
------
* Released November 11, 2013
* Add additional permission restrictions. For further information, see http://www.collectivesoftware.com/_kb/authlite-upgrade-advisory-1

2.0.31
------
* Released November 10, 2013
* Fix a bug that caused duplication of event log items.
* Event log items for data protection / caching operations on client machines.
* Fix a bug that caused logins to fail sometimes when offline CR caching failed.
* Fix a bug that caused offline CR caching to fail in certain cases, which would in turn cause offline logins for that user to fail next time.
* Don't log an error event for STATUS_NO_LOGON_SERVERS in general Dispatch, because it is not informative and is already covered individually by each operation's logging.
* If there is no IP address for a logon event (meaning it is initiated locally) set the IP source to ::ffff:127.0.0.1 so that IP-based Replay windows can be constructed to match this case.
* Fix UI bug that caused the Forced 2-factor Computers dialog to believe it had modifications when it did not.

2.0.30
------
* Released November 6, 2013
* Both .NET Frameworks 2 and 4 supported with a seamless upgrade.
* Small improvements to Core Event Logging
* Fix for Password Change operation issue occurring on Forced 2-factor computers
* Setting to change whether authentications with Unknown hostname should be considered as Forced 2-factor computers (defaults to yes, which was the old implicit behavior)
* Allow Key Programmers to be selected from any domain in the forest
* Replay Windows support IP net/ranges
* Replay Windows can now specify a set of computers that may initiate a window but not share it with other initiators.

2.0.29
------
* (Not publicly released)

2.0.28
------
* Released October 11, 2013
* Config UI now allows 2-factor Tag groups to be members of Builtin Local groups.

2.0.27
------
* Released October 8, 2013
* Corrected NullReferenceException in Configuration tool introduced in last build.
* Data Manager lists Last Modified date in a properly sortable format.

2.0.26
------
* Released October 1, 2013
* Added versioning to YubikeyLib* DLLs because the installer was not properly updating them with new versions.

2.0.25
------
* Released September 28, 2013
* Configuration UI displays a nicer message when SIDs cannot be mapped to domain objects.
* Sanity check the groups chosen in the AuthLite User Group Pairs dialog, to prevent user error.
* Core logs useful events into the Application Event log now.
* Squelch "Record not found for Public ID" messages by default on member machines, since it was not an error but an expected condition.

2.0.24
------
* Fix a flaw that caused unlock operations to fail in some cases on a DC in a 2-factor session.

2.0.23
------
* Select last-used credential tile as default, more like the native Windows 7 behavior.

2.0.22
------
* Detect Read-only DC (RODC) as a condition for showing Remote Data Store tab.
* Emit text encodings for OATH tokens in addition to the QR code.
* Don't enforce 2-factor process checks for S4U login, because by definition it does not use any user credentials.

2.0.21
------
* Case insensitive modhex decoding in the Service code.
* Return invalid format instead of "unused" on OTP parsing failure (no effective difference, but more correct this way).

2.0.20
------
* Support v3 Token information structs (impacts 2012 server).

2.0.19
------
* Don't skip reading SID settings on non-DCs (impacts 2-factor process forcing).

2.0.18
------
* First non-beta build.
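The 2.0.21 entries above describe two behaviours of the OTP parser: modhex decoding that accepts upper- and lower-case input, and an explicit "invalid format" result rather than an "unused" result when parsing fails. The block below is an added illustration of both, not AuthLite's own Service code; it assumes the standard YubiKey OTP layout (a trailing 32-character modhex block preceded by a public identity of up to 16 characters), and the ParsedOtp type and function names are mine.

```python
"""Case-insensitive modhex decoding and format checking for a YubiKey OTP."""
from typing import NamedTuple, Optional

# Modhex maps the 16 hex values onto letters that sit in the same position on
# nearly every keyboard layout, so a key "typing" its OTP is decoded correctly
# regardless of the host's layout.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
_MODHEX_VALUE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}

# Assumed OTP layout: the last 32 modhex characters are the 16-byte encrypted
# token; anything before them is the key's public identity (0 to 16 chars).
OTP_BLOCK_CHARS = 32
MAX_PUBLIC_ID_CHARS = 16


class ParsedOtp(NamedTuple):
    public_id: bytes
    token: bytes


def modhex_decode(text: str) -> Optional[bytes]:
    """Decode modhex to bytes; None on odd length or a non-modhex character."""
    text = text.lower()  # Caps Lock or an odd keymap must not break decoding
    if len(text) % 2:
        return None
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        if hi not in _MODHEX_VALUE or lo not in _MODHEX_VALUE:
            return None
        out.append(_MODHEX_VALUE[hi] << 4 | _MODHEX_VALUE[lo])
    return bytes(out)


def parse_otp(otp: str) -> Optional[ParsedOtp]:
    """Split an OTP into public id and token; None means 'invalid format'.

    Returning None for every malformed input (wrong length, odd-length public
    id, stray characters) keeps the failure distinct from 'valid but unused'.
    """
    otp = otp.strip()
    if not OTP_BLOCK_CHARS <= len(otp) <= OTP_BLOCK_CHARS + MAX_PUBLIC_ID_CHARS:
        return None
    public_id = modhex_decode(otp[:-OTP_BLOCK_CHARS])
    token = modhex_decode(otp[-OTP_BLOCK_CHARS:])
    if public_id is None or token is None:
        return None
    return ParsedOtp(public_id, token)
```

The decoded token would next be decrypted with the key's AES secret and its counters checked for replay; this block stops at the format stage the changelog entry concerns.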