2.3.37
------
* Released April 12, 2021
* Preliminary OnlyKey support
* Fix a bug in Replay Window -> Allow older OTPs from the same YubiKey session
* Refactor ParseOTP and TryParseOTPAndCredentials to reject SID-like and BitLocker-recovery-like strings
* Fix a missed case of saving the OTP during an LDAP lookup
* API.ps1 Do-Default-Setup usability improvements
* Improve "Enroll for AuthLite" powershell for workstations

2.3.36
------
* Released February 16, 2021
* TwoFactorProcessesS4UPretend, a per-machine setting that makes S4U queries for a user always reflect their 2F-tagged groups instead of the 1F-tagged ones. Useful for MECM report server.
* IsAuthLiteUser function gets "Kerberos" mode. Like "Session" but requests a service ticket and checks the real groups returned in the PAC instead of trusting the Windows session token.
* Self-provisioning powershell-based wizard ("Enroll in AuthLite") to solve tricky troubleshooting issues with bootstrapping work-from-home users
* Remove recovery and offline OATH tokens from the localhost if the user is not in any AuthLite groups. Prevents formerly-AuthLite users from erroneously getting the OTP field shown in the logon UI.
* Remove stale recovery token(s) on the DC side when provisioning a new one, so there's only ever one per user+workstation combo
* Rename data manager feature -> token manager in installer; rename authlite keyprogrammer -> yubikey programmer in its standalone installer
* Restructure and debug offline credential caching, where we could try sessions in a non-optimal order and maybe fail, resolving an intermittent issue since 2018.
* During PRIMARY_CRED_TRANSFER, detect groups in the *source* instead of the target session (works better for "lock/unlock" user bootstrapping).
* Throw better DC errors when requesting offline credentials without enough access
* Include API.ps1 and group policy "template" files in AuthLite installer when picking the new "AdminAPI" installer feature (by default, it will select itself if the machine is a DC)
* API: In PrintUsersInPowerGroups function, fix weird double-counting bug related to primary group memberships

2.3.35
------
* Released December 28, 2020
* Fix NetMotion initial logon when Username field is read-only on the selected credential screen.
* Don't show failed OTP in the second-chance logon (happens when RDP client remembers an old OTP and supplies it next time).
* Refactor PCoIP credential provider wrapping
* Don't do LDAP OTP lookups when the attribute could be a BitLocker recovery key (a special case to prevent it from printing in the log)
* Prevent deadlock loop triggered by doing a lookup from an LDAP query originating from the service.
* Update yk pers to 1.2.20 (not using new features yet)
* Don't support change/repair in Add/Remove Programs on DCs because we will demand UAC elevation, which can't be given from within ARP.
* Complete cmake/C++ rewrite of Linux PAM support, dropping pam_python.

2.3.34
------
* Released August 12, 2020
* Replace broken Directory Picker control that caused "Select user" buttons to crash the Configuration and Token Manager UIs when clicked. Broken since 2.3.33.

2.3.33
------
* Released August 8, 2020
* Increase .NET Framework minimum to version 4.5, to support TLS 1.2
* Update service REST client to use TLS version 1.2 so Okta API will work again

2.3.32
------
* Released July 31, 2020
* Fix NFC reading for UAC prompts on the Secure Desktop
* Delete files in the SchCache folder during install, to work around ADSI cache corruption that may occur when we update our data schema.
* More useful installer messages when DC data store installers fail
* Don't try to create a replica if the current DC is already set as one (maybe avoids weird commit errors when it should just be a no-op anyway; we do this with the schema already to good effect).

2.3.31
------
* Released July 26, 2020
* A bug was introduced in version 2.3.26 that could cause a crash at system boot time; corrected here.
* Key programmer: fix smart card on/off toggle for YK5 series. We weren't toggling PGP and OATH applet state, so smart card "mode" still stayed "on" and the key returned ID 0x0407 instead of 0x0403.
* Pass through a couple more credential functions to help PCoIP providers.

2.3.30
------
* Released June 21, 2020
* Offline OATH/Recovery tokens defined before version 2.3.26 and used after upgrade might break; fixed.
* Escape the '\00' character in LDAP searches for completeness (even though no untrustworthy input is parsed this way)

2.3.29
------
* Released May 26, 2020
* Forgot to hide the new Pretend 2FC dialog from non-admin users opening the Config app. No impact on security; unprivileged users would not have been allowed to save changes anyway. But the dialog should be hidden to avoid confusion.

2.3.28
------
* Released May 24, 2020
* Added "Pretend 2-factor Computers" feature (don't use this unless you know what you're doing).

2.3.27
------
* Released May 8, 2020
* Let NPS plugin authentications participate in Replay Windows. New installs will behave this way by default. Existing installs need to visit Replay Behavior to make the change.
* Improve accuracy of the Replay feature that infers windows between DCs.

2.3.26
------
* Released March 2, 2020
* Fix bug preventing credential tile from dismissing policy error on RDP "all monitors" mode.
* Fix for long domain+usernames: OATH QR code expands in size with a larger input instead of erroring.
* SHA256 OATH token support. SHA1 is still the default. To change for all new tokens: .\API.ps1 SetPartitionSetting -name DefaultOathAlgorithm -value SHA256
* NOTE: Because of this ^, the AuthLite schema changed, so the first DC install needs the Schema Admins group.
* Re-arm credential tile's SecondChance if the first logon had a bad password. Otherwise, after re-entering the correct password the user will expect the OTP field and receive a policy error instead.
* Support 8-digit soft tokens.
* Preliminary support for Windows 10 2004 (2020-04) which is in preview: use CredUnprotectEx when CredUnprotectW fails.

2.3.25
------
* Released November 11, 2019
* Fix a race condition crash in credential tile when trying to dismiss logon policy message.
* Fix a regression added in 2.3.24(?) that caused RDP credential pass-through to stop working on 2008 server and Windows 7 RD hosts.

2.3.24
------
* Released October 27, 2019
* Improve credential tile stacking logic.
* CredprovSupportChangePassword=false will prevent the credential from trying to detect expired password scenarios, which helps for chained providers that don't stack above the built-in provider.
* CredprovPassthroughInterfaces=true will allow the credential to pass unknown QueryInterface requests on to the wrapped provider (necessary to support IConnectableCredentialProviderCredential, used by the new Fortinet pre-login VPN credential tile).
* Current settings needed to stack over Fortinet pre-login:
    "CredprovChain"="{AC7DD106-EAB6-4b41-AC4F-D52FD62A82C7}"
    "CredprovChainUsernameField"="User name"
    "CredprovChainPasswordField"="Password"
    "CredprovShowOTPField"="true"
    "CredprovSupportChangePassword"="false"
    "CredprovPassthroughInterfaces"="true"

2.3.23
------
* Released October 7, 2019
* When the installer detects it lacks UAC elevation on a DC, it will add the "Run as Administrator" registry keys to the user's shell as a convenience. Then when they right-click on the MSI file (which everyone always tries first) they can actually UAC launch it the same way you can for .exe's. Without this, there's no choice other than UAC-elevating a cmd shell, CD-ing back to where the MSI is and running it that way.
* Make Token record deletion use the DirectoryEntries.Remove function instead of DirectoryEntry.DeleteTree, because it requires fewer permissions. That way, members of the Provisioners group can delete records (assuming .\API.ps1 AllowProvisionersToDelete has been run).

2.3.22
------
* Released September 10, 2019
* macOS plugin to version 1.2, correcting a defect in 1.1 that didn't install the uninstall script. Also the plugin directory wasn't getting overwritten correctly.
* Add UI elements to control OTP field display and UPN support.
* OTP field on Windows Logon UI reworked to display right away for users in AuthLite groups, or after initial password submit for the "other user" tile (so we can find out what user it is, then determine whether to show the field).
* OTP field and UPN support default to ON for new installs.
* UI to select whether to display characters in OTP field or ** dots (defaults to cleartext on NEW installs, opaque on existing installs).
* On install, if schema is current don't call "Refresh" (avoids one cause of "access denied" errors)
* Prefix the domain name in the second chance credential tile, so it's not lost (in case the previous screen specified a domain other than our home one).
* Allow all users to read token last used time (it's not considered sensitive, and provisioners weren't seeing it)
* If server was promoted to a DC after AuthLite install, warn in the Configuration app.
* Support for LsaLogonUserEx2->LsaLogonUserEx3 change in the upcoming Windows 10 191X release.

2.3.21
------
* Released August 9, 2019
* Refactor UPNSupport=true features in service, map UPN to username during OATH token lookup and validation.

2.3.20
------
* Released August 7, 2019
* Fix issue introduced by 2.3.19's lookup changes which broke CredprovSecondChance use in RDP. The domain specified by the RDP filter is in FQDN format, causing a mismatch.
* Mac plugin version 1.1 updates to support new fast-user-switching and screensaver logic.
* Improve UPNSupport=true support on the DC side so LDAP use cases (Cisco ASA Active Directory mode) can succeed.

2.3.19
------
* Released July 1, 2019
* Supply more information to pre-authentication lookups so mismatches can be detected in the local cache. This fixes issues that occur when a YubiKey is reassigned and a workstation doesn't notice.
* Adjust the LOGON_NO_OPTIMIZED and MsV1_0ChangeCachedPassword lookups to be just for YubiKeys (the only thing we need to check) and fall back to the DC if local doesn't know the answer (use case: first time someone logs in as an AuthLite user, uses YubiKey, and their password is expired).
* Adjust Lookup service logic slightly: add Offline OATH when scope of "All" is requested, which is only done by clients who want to know offline things.
* NfcEnterAfterScan setting so the credential tile will auto-submit (if the password is filled), and the desktop reader app will append an Enter instead of a Tab after the OTP field.

2.3.18
------
* Released May 11, 2019
* Catch malformed regex in event log trace override so they don't break everything. (This affected almost no one)
* FastShortCircuitUsernames setting to prevent AuthLite core processing as soon as possible for usernames matching a regular expression (for performance troubleshooting, not normally needed)

2.3.17
------
* Released May 10, 2019
* Change in NetMotion support: detect whether user has an interactive session when deciding how to send OTP between credential tile and Windows core.
* Initial Colemak keyboard layout detection for YubiOTP processing.
* Fix 2.3.16 regression that would break NPS installed on a member server when used in UserPIN mode.

2.3.16
------
* Released April 10, 2019
* If there's an OTP in the username field *and* in the password field, throw away the one from username and use the one from password. This is to address UIs which remember an old OTP in the username field (i.e. RDP) and where our instructions have indicated the user should just put password and OTP in. (It used to prefer the first OTP and leave the password incorrect)
* Don't uselessly pass through lookup requests when the scope indicates local records only (changes output from the new 1311 "no logon server" error given by the 2.3.15 change back to the expected "no local keys found")

2.3.15
------
* Released April 5, 2019
* Added setting TolerateLookupDomainFailures. Set to "true" for logging in across a "forest wide" trust if the AuthLite user resides in an implicitly trusted domain in the trusted forest.

2.3.14
------
* Released March 14, 2019
* UPNSupport fix: Call the UPNLookup function even if the domain is specified instead of empty. Office 365 pass-through agent of AD Connect does it this way.
* Duplicate the fix for PRIMARY_CRED_TRANSFER limiting logic into KerbTransferCredentialsMessage logic, since it seems to be causing a similar problem of throwing away valid Kerberos tickets at unlock time.
* Make Forced 2-factor Processes logic check all groups even when there's one or more 2-factor tag groups found in the session. Originally the whole check was skipped and access was allowed if the session contained any 2F tags, which runs contrary to the expectation of how the feature is described.

2.3.13
------
* Released February 21, 2019
* Add new setting CredprovChainIUnknownWorkaround. Set to string "true" to work around the nFront password filter bug which returns a null pointer for QueryInterface of IUnknown.
* Add setting CredprovSecondChanceOnLogonFailure. Set to true to use CredprovSecondChance behavior for offline logons (i.e. laptop cached domain credentials). Without this value, CredprovSecondChance only triggers on the policy restriction error code, which only occurs with online LAN logons.
* Change CredprovSecondChance code to look for the Window ClassID of the logon UI instead of just the Window name, because the latter is language-dependent and won't work outside of English.

2.3.12
------
* Released January 17, 2019
* Allow client-side Win32 authentications that specify an empty domain (with an OTP in username or password field) to look up and compare properly instead of failing to match a username.

2.3.11
------
* Released November 19, 2018
* Complete replacement of Yubico libraries with new versions that support the changed API of YubiKey v5.
* Standalone YubiKey Programmer (AuthLite Key Programmer): change mode setting to support new Yubico API across different key versions.
* YubiKey Programmer: Removed multiple port selection since it's not easily supported and doesn't increase programming speed.
* Added logic in NFC listening code to understand the different URL format emitted by the YubiKey v5

2.3.10
------
* Released October 29, 2018
* Increase max message size between lsass and service to allow large settings blobs.

2.3.9
-----
* Released October 24, 2018
* NFC fix: Prefer "PICC" NFC reader devices over "SAM", which is helpful for ACS ACR1252 Dual Reader devices

2.3.8
-----
* Released August 28, 2018
* When UPNSupport=true, workstations will cache UPN->domain\username mappings, so logon in that format will still work when offline (tokens map to the short username)
* Fix race condition after an LDAP lookup of the OTP for multiple simultaneous authentications of username/password.

2.3.7
-----
* Released August 4, 2018
* Fix regression bug introduced in 2.3.6 preventing programming YubiKeys through the Configuration app.
* Add the ability for the Configuration app's programmer to correctly set up YubiKeys when the Public ID setting is not equal to 16.

2.3.6
-----
* Released August 2, 2018
* Fix bug preventing Token Manager Export of unassigned tokens.
* Fix bugs in Configuration app's OATH provisioning dialog pertaining to QR code/secret showing/hiding.
* Strip spaces and tabs from license key before setting, to prevent errors
* Show total count of users on the License screen
* Replay Window option to allow backwards YubiKey OTPs from the "same session" (to solve VPN 1-2-1 problem)
* Don't abort group pairs dialog loading when adding the same 1F tag group more than once (an 'apply' after that would have deleted anything after the failure point)
* Event Logging advanced feature to mute events based on a regular expression
* Settings to support better coexistence with Sophos SafeGuard (contact Support for assistance; settings not exposed in UI yet)
* New OATH tokens with automatic secrets (i.e. soft tokens) will be prevented from drifting, as opposed to hardware tokens where clock drift is expected and must be tracked. Old pre-existing soft token records can be converted to the new format; contact support for assistance.

2.3.5
-----
* Released June 4, 2018
* Ability to transfer 2F groups to an S4U logon of the same process within 5 seconds, if configured to do so. (Preliminary support for advanced ADFS claim rules.)
* UI error messages when separate OTP field (NFC) contains something that doesn't parse as an OTP.
* Better catching and analysis of DetectKerberosMismatch exceptions.
* Try to prevent flagging Kerberos tickets for replacement after a Kerberos unlock fails (to prevent acquiring fresh but 1-factor tickets).

2.3.4
-----
* Released January 29, 2018
* Ability to define a Replay Window that will stay alive for its whole duration even if a newer OTP is seen in the meantime.
* Ability to restrict Replay initiators to a different (shorter) duration than the full window participants.

2.3.3
-----
* Released January 22, 2018
* Escape out of NFC Listening even when smart card is still present
* Enhance workstation event logging to detect when Kerberos tickets are supposed to be 2-factor but aren't.
* Stop logging events for Kerberos package "cached" logon types, which are not supported by Windows and always fail.
* If initial load of settings from DC fails due to "no logon servers available", keep trying every 10 seconds rather than skipping until the next cache timeout (20 minutes)
* Add the ability to turn on tracing for a subset of domain systems, matching a regular expression.
* Record symbolic names for common status return codes.
* Don't complain about service target address for LDAP when the request is coming in from a remote machine.
* When the extra/third OTP field is shown, and the credential tile switches to password change mode, keep the password and OTP filling their correct separate fields.
* Change the "AuthLite Logon" link's popup message box depending on whether the username field is visible/editable or not.

2.3.2
-----
* Released December 30, 2017
* Make installer reject 2008 R1 since it does not have the BCryptDeriveKeyPBKDF2 needed by the 2.3 codebase.

2.3.1
-----
* Released December 27, 2017
* Fix incorrect UpgradeCode in installer. Anyone who has 2.3.0 will need to uninstall it and any vestigial remainders of other versions first. Settings and data are retained.
* Try to make sure the AuthLite Service starts. Recent Windows 10 updates prevent the "netlogon" service from starting for several minutes during application of the updates at startup time. This causes Windows to give up trying to start the AuthLite service, thus it stays down even though it is "Automatic". New watchdog detects this state and starts the service as soon as netlogon comes up.

2.3.0
-----
* Released December 21, 2017
* Matching feature set of v2.2.27, but using FIPS 140-2 validated crypto libraries.
* Note this is a BREAKING CHANGE for the few customers who are using "OTP and PIN" VPN authentication. (This is ONLY for PIN users, and if you don't know what that means, this does not affect you.) All existing PINs from v2.2 will not be recognized, and users will have to set a new PIN in the self-service portal (or have an admin set a new one for them via powershell) before they'll be allowed into the VPN.
* For previous product changes before the v2.3 branch, please see AuthLite_v2.2_Change_Log.txt
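Added illustration (not AuthLite's own code) of the parsing rules described in the 2.3.37, 2.3.35 and 2.3.16 entries above: a candidate OTP is only pulled out of a field after SID-like and BitLocker-recovery-like values have been ruled out, so such secrets are never looked up or logged as OTPs, and when both the username and password fields carry an OTP the password field's copy wins. It assumes the common 44-character YubiKey OTP layout and a fixed OATH digit count; all sample values are constructed.

```python
import re

# YubiKey OTPs are ModHex (16 letters chosen to survive most keyboard
# layouts). Assumed layout: 12-char public ID + 32-char ciphertext = 44
# chars, the usual YubiKey OTP length (other public ID sizes not handled).
MODHEX_OTP_RE = re.compile(r"[cbdefghijklnrtuv]{44}$")
# Windows security identifiers, e.g. S-1-5-21-<domain RIDs>-512.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,14}$", re.IGNORECASE)
# BitLocker recovery passwords: eight dash-separated 6-digit blocks.
BITLOCKER_RE = re.compile(r"^\d{6}(?:-\d{6}){7}$")


def is_sid_like(s: str) -> bool:
    return SID_RE.match(s.strip()) is not None


def is_bitlocker_recovery_like(s: str) -> bool:
    s = s.strip()
    if BITLOCKER_RE.match(s) is None:
        return False
    # Every block of a genuine recovery password is a multiple of 11 and
    # below 720896, so this rejects most arbitrary 48-digit strings.
    return all(int(b) % 11 == 0 and int(b) < 720896 for b in s.split("-"))


def split_password_and_otp(field: str, oath_digits: int = 6):
    """Return (value_without_otp, otp); otp is None when the field has none.

    Values that merely resemble an OTP (a SID, a BitLocker recovery password)
    are returned untouched, so they are never looked up or logged as an OTP.
    """
    if is_sid_like(field) or is_bitlocker_recovery_like(field):
        return field, None
    m = MODHEX_OTP_RE.search(field)
    if m is None:
        # OATH soft-token codes are a fixed count of trailing digits
        # (6 by default; the log says 8-digit tokens are supported too).
        m = re.search(r"\d{%d}$" % oath_digits, field)
    if m is None:
        return field, None
    return field[:m.start()], m.group(0)


def choose_otp(username_field: str, password_field: str, oath_digits: int = 6):
    """The 2.3.16 rule: when both fields carry an OTP, the username's is
    discarded (RDP clients re-send a stale one there) and the password's is
    used. Returns (username, password, otp)."""
    user, user_otp = split_password_and_otp(username_field, oath_digits)
    pw, pw_otp = split_password_and_otp(password_field, oath_digits)
    return user, pw, pw_otp if pw_otp is not None else user_otp


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    otp = "ccccccjlnrtu" + "vvbbddeeffgghhiijjkkllnnrrttuuvv"
    print(choose_otp("alice" + otp, "hunter2" + otp))
    print(split_password_and_otp("123453-000011-720885-111111-222222-333333-444444-555555"))
```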