Build History SignOn Solutions 2006

Comtarsia Logon Client 2006
(1st April, 2011)

Build 4.1.78.x

Bug Fix:

• In PKI Proxy Logon Mode with DWORD:HKLM\SOFTWARE\PCS\GINA\ScardSessionPasswordMode = 1, if a new session password period has been reached when the workstation is unlocked, the new session password is generated, a SignOn Gate request is triggered and the new session password is assigned to the Windows logon session.

• With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\DisableWkstLockBtnOnPWDLogon = 1, the workstation lock button on the ON_SAS_PANEL is deactivated in PWD Logon Mode.


Comtarsia Logon Client 2006
(26th January, 2011)

Build 4.1.77.x

Bug Fix:

• When installing on Windows 2000 there was an error in the module Comt_ldap.exe.


Comtarsia Logon Client 2006
(25th November, 2010)

Build 4.1.76.x

New Features and/or Functional Changes:

• With the configuration DWORD:HKLM\SOFTWARE\PCS\GINA\Language = "french", the logon client switches to French.



Comtarsia Logon Client 2006
(17th September, 2010)

Build 4.1.73.x

New Features and/or Functional Changes:

The parameter DWORD:HKLM\SOFTWARE\PCS\GINA\SCardAllowNoAction = 1 (default = 0), together with ScardRemoveAction = 0 (User Selection), enables an additional Smart Card remove action (No Action).

Smart Card remove behavior in logged on state:
Remove Card: Lock Screen
Remove Card + left Ctrl key: Force Logoff
Remove Card + left Shift key: Shutdown-Power-OFF
Remove Card + left Alt key: No Action


With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\switchLogonMode = 1 (default = 0), an extended logon panel switch mode is enabled in PKI or PKI-PWD mode.
Key combinations in logged off state:
F11+Enter -> Microsoft Gina (PKI and PKI-PWD Mode)
The parameter DisableMsGina=1 has no influence on this function.
F12+Enter -> LDAP Password Logon (PKI-PWD Mode)



Comtarsia Logon Client 2006
(23rd August, 2010)

Build 4.1.72.x

New Features and/or Functional Changes:

With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\DisableGroupManagement = 1 (default = 0), the local group management in Domain-Logon-Mode is turned off.


Comtarsia Logon Client 2006
(20th August, 2010)

Build 4.1.71.x

New Features and/or Functional Changes:

Function Proxy-Logon:
With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\EnableProxyLogon = 1 (default = 0), the logon client switches to Proxy-Logon-Mode. In this mode the logon client performs a proxy authentication instead of a direct LDAP authentication. This function requires Comtarsia SignOn Proxy 2008.

PanelBitmap2:
The parameter DWORD:HKLM\SOFTWARE\PCS\GINA\PanelBitmap2 = “c:\logo2.bmp” defines the alternate panel bitmap for the dialogs in PKI mode. Format: Bitmap 350x120 RGB

DisableStartAnimate:
The parameter DWORD:HKLM\SOFTWARE\PCS\GINA\DisableStartAnimate = 1 (default = 0) disables the dialog animations (insert/remove Smart Card) in PKI mode.


Comtarsia Logon Client 2006
(28th May, 2010)

Build 4.1.69.x

New Features and/or Functional Changes:

With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\AllowMsGinaAutoLogon = 1 and defined Winlogon/MS Gina auto logon credentials (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon), an MS Gina auto logon is performed.
To avoid a reset of the MS Gina auto logon credentials during system boot, this parameter has to be set:
DWORD:HKLM\SOFTWARE\PCS\GINA\DisableClearMSGinaAutoLogonCred = 1

In terminal server mode on a standalone server (the computer name is defined as "Domain Name"), the SignOn Gate installation is no longer required for the local user management of remote sessions.
In this mode the function "Remove User" is also available for the automatic cleanup of temporarily created user accounts, including the profile directory.

Bug Fix:
In PKI mode (ScardEnable = 1), the auto logon function defined by the parameters HKLM\SOFTWARE\PCS\GINA\AutoLogonUserName, AutoLogonPassword and AutoLogonDomain was not working.


Comtarsia Logon Client 2006
(28th May, 2010)

Build 4.1.68.x

Internal Build

Comtarsia Logon Client 2006   
(March, 17th 2010)

Build 4.1.67.x

New Features and/or Functional Changes:
With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\LDAP\SCardCertAddCertificateContextToStoreFlags=2, the flag that is used when the user certificate is added to the certificate store can be defined. Possible values:
• ADD_NEW(1)
• ADD_USE_EXISTING(2)
• ADD_REPLACE_EXISTING(3)
• ADD_ALWAYS(4)
• ADD_REPLACE_EXISTING_INHERIT_PROPERTIES(5)
• ADD_NEWER(6)
• ADD_NEWER_INHERIT_PROPERTIES(7)

Comtarsia Logon Client 2006   
(March, 15th 2010)

Build 4.1.66.x

Bug Fix:
• An error in the „SCardUseUIDasWindowsLogonName“ function was fixed.

Comtarsia Logon Client 2006   
(February, 26th 2010)

Build 4.1.65.x

New Features and/or Functional Changes:
• Support for LDAP Referrals for modify operations.
The parameter DWORD:HKLM\SOFTWARE\PCS\GINA\LDAP\LDAPFollowReferrals=0 enables this function.
• With the parameter DWORD:HKLM\SOFTWARE\PCS\ScardTimeBeforeAccess=0, a period of time in milliseconds can be defined for which the Logon Client waits before a newly inserted smart card is accessed.
• Parameter DWORD: HKLM\SOFTWARE\PCS\GINA\ScardPropCertTimeout=20000
This value defines a timeout for the Propagation of the Smart Card certificate in milliseconds.
• Parameter DWORD: ScardCheckLockKeyTimeout=60000
This value defines a timeout for the unlocking of the workstation via Smart Card in milliseconds.
• Internal improvements in the field of Smart Card Application.
• Internal optimization for the cooperation with the Comtarsia Smart Card Middleware.
• The registry parameter DWORD:HKLM\SOFTWARE\PCS\GINA\DisableWkstLockBtnOnSCLogon = 1 (default = 1) defines that, in PKI mode, the button "Lock Workstation" in the OnSas panel is disabled. A workstation lock is then only possible by removing the smart card.


Comtarsia Logon Client 2006   
(January, 21st 2010)

Build 4.1.64.x

Bug Fix:
• An internal error in the function in Domain User Mode was fixed.

Comtarsia Logon Client 2006   
(January, 14th 2010)

Build 4.1.63.x

Bug Fix:
• An error in the function "LDAPGroupFilter" was fixed.

Comtarsia Logon Client 2006   
(November, 6th 2009)

Build 4.1.60.x

New Features and/or Functional Changes:

• The Smart Card Screen Lock functionality was revised so that a "Decrypt" function is no longer required.
• New Smart Card DN mapping mode
DWORD:HKLM\SOFTWARE\PCS\GINA\LDAP\ScardMappingMode=2
REG_SZ:HKLM\SOFTWARE\PCS\GINA\LDAP\ScardMappingMode2UserDNPrefix=""
In this mapping mode, a part of the Smart Card DN is used for the user search in LDAP, e.g. "CN=%CN%": the CN part of the Smart Card DN is taken and then searched for in LDAP.
• DWORD:HKLM\SOFTWARE\PCS\GINA\ScardCryptSilent=1
This parameter controls whether the CSP context should be set to "silent".
• DWORD:HKLM\SOFTWARE\PCS\GINA\SCardSecurePINEntryMode=1
This parameter defines how a Smart Card reader with a Pinpad should be used. The following values are permitted:
0: A Pinpad that may exist on the reader is not used.
1: If a reader with a Pinpad is available, the Pinpad is used; otherwise the PIN entry is performed on the computer keyboard.
2: A reader with a Pinpad must be used for the PIN entry. If none is available, no authentication is permitted.
• Various internal adaptations for optimal cooperation with the Comtarsia Smart Card middleware.
• Extended error notifications in the domain Smart Card Logon

Comtarsia Logon Client 2006   
(September, 18th 2009)

Build 4.1.59.x

New Features and/or Functional Changes:

• Extension of the function "LogonAllowGroups":
With the parameter HKLM\SOFTWARE\PCS\GINA\NegateLogonAllowGroups (REG_DWORD) = 1, the comma-separated list in the parameter HKLM\SOFTWARE\PCS\GINA\LogonAllowGroups (REG_SZ) can be negated, i.e. the user must not be a member of any of the LDAP groups in the list for an LDAP login to be possible.
Default = 0


Comtarsia Logon Client 2006   
(September, 16th 2009)

Build 4.1.58.x

New Features and/or Functional Changes:

• With the function "LDAPSearchForUser", the determined DN is now always used for login.


Comtarsia Logon Client 2006   
(August, 26th 2009)

Build 4.1.57.x
New Features and/or Functional Changes:

• New parameter DWORD:HKLM\SOFTWARE\PCS\GINA\LDAP\SCardUseUIDasWindowsLogonName=1
It defines whether the CN or the UID is used as the logon name.


Comtarsia SignOn Gate 2006   
(August, 24th 2009)

Build 4.1.40.x

Bug Fix:
- An error was fixed whereby the tool SetLDAPAdminPassword.exe didn't work in the last builds.
- An error in the WebGateway 2008 support was fixed.


Comtarsia SignOn Gate 2006   
(August, 24th 2009)

Build 1.2.40.x

New Features and/or Functional Changes:

- Extensions to support the new Comtarsia WebGateway 2008.
o Reading of the LDAP attribute "ComtWGApplicationName" from the user object as well as from the user group objects. This attribute is a multi-value directory string in which the Web Gateway sites that the respective user is authorised for are entered. These strings are additionally passed on to "AppChooser". More details can be found in the WebGateway 2008 manual.
o Extended Smart Card support for LDAP authentication via the system user.


Comtarsia Logon Client 2006   
(May, 20th 2009)

Build 4.1.56.x

New Features and/or Functional Changes:

• Fedora Directory Server support.
• New function „SessionPasswordMode“:

HKLM\SOFTWARE\PCS\GINA\
DWORD:SCardSessionPasswordMode
0=deactivated, a new session password is generated at each login.
1=absolute mode, a session password is valid for a certain time period in each case.
DWORD:SCardSessionPasswordValidityUnits
0=hours
1=days
2=weeks (currently not implemented)
3=months
DWORD:SCardSessionPasswordValidity
Validity of the session password in validity units
DWORD:SCardSessionPasswordValidityOffset
Offset in minutes; this value is added to the current time in each case.


Comtarsia Logon Client 2006   
(May, 8th 2009)

Build 4.1.55.x

New Features and/or Functional Changes:

• Function "LogonAllowGroups":
With the parameter HKLM\SOFTWARE\PCS\GINA\LogonAllowGroups (REG_SZ), a comma-separated list of group names can be defined. The LDAP user must be a member of at least one of these groups for a logon to be allowed. If this parameter is empty or not defined (default), an LDAP logon is possible without a check of the LDAP group membership.
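
The logon decision described for LogonAllowGroups here and for NegateLogonAllowGroups in Build 4.1.59.x, modelled as an added example (not Comtarsia code). Assumptions: group names are trimmed and compared case-insensitively, and an empty list disables the check even when the negation is set; the user and group names are constructed.

```python
# Added illustration, not Comtarsia code: models the LDAP logon decision that
# the release notes describe for LogonAllowGroups and NegateLogonAllowGroups.


def parse_group_list(raw):
    """Split the comma-separated REG_SZ value into normalized group names."""
    # Assumption: whitespace around names is ignored and comparison is
    # case-insensitive; the release notes specify neither.
    return {name.strip().casefold() for name in (raw or "").split(",") if name.strip()}


def ldap_logon_allowed(user_groups, logon_allow_groups, negate=0):
    """Return (allowed, reason) for one user.

    user_groups        -- the user's LDAP group names
    logon_allow_groups -- value of LogonAllowGroups (comma-separated string)
    negate             -- value of NegateLogonAllowGroups (default 0)
    """
    listed = parse_group_list(logon_allow_groups)
    if not listed:
        # Empty or undefined list: logon without a group membership check.
        # Assumption: this also applies when negate is 1.
        return True, "no group check configured"

    memberships = {g.strip().casefold() for g in user_groups if g.strip()}
    matches = sorted(memberships & listed)

    if negate == 1:
        # Negated list: the user must be a member of none of the groups.
        if matches:
            return False, "member of listed group(s): " + ", ".join(matches)
        return True, "member of none of the listed groups"

    # Normal list: the user must be a member of at least one group.
    if matches:
        return True, "member of listed group(s): " + ", ".join(matches)
    return False, "member of none of the listed groups"


def review_access(directory, logon_allow_groups, negate=0):
    """Evaluate every user of a directory snapshot; return the allowed names."""
    return sorted(
        user
        for user, groups in directory.items()
        if ldap_logon_allowed(groups, logon_allow_groups, negate)[0]
    )


# Constructed sample snapshot: user -> LDAP group memberships.
SAMPLE_USERS = {
    "alice": ["Staff", "VPN"],
    "bob": ["Contractors"],
    "carol": ["staff", "Contractors"],
    "dave": [],  # no group memberships at all
}

if __name__ == "__main__":
    print("allow-list 'Staff, Admins':", review_access(SAMPLE_USERS, "Staff, Admins"))
    print("negated 'Contractors':    ", review_access(SAMPLE_USERS, "Contractors", negate=1))
    print("empty list:               ", review_access(SAMPLE_USERS, ""))
```

With the negated list, "dave" is allowed although he has no group memberships: a negated list only excludes accounts that are members of a listed group, so a review of such a configuration should include accounts without any groups.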


Comtarsia SignOn Gate 2006   
(April, 21st 2009)

Build 1.2.39.x

New Features and/or Functional Changes:

- Henceforth, for LDAP Directory Replicator sync requests as well as for the Logon Client, the ACL is also set when the user and/or the Homedir/Profile path is created.
- When a new Homedir/Profile is entered in the Windows user object via the agent, the ACL is also set in mode "alwaysCheckACL=2".


Comtarsia Logon Client 2006   
(XX, XX 2009)

Build 4.1.54.x

New Features and/or Functional Changes:

• Extended support for Novell eDirectory with interpretation of the password policy


Comtarsia Logon Client 2006
(March, 6th 2009)

Build 4.1.53.x

Bug Fix:

• A bug in the SSO functionality was fixed whereby, for users logging in for the first time, the SSO process (ComtMSSO.exe) sometimes terminated by itself after starting.


Comtarsia SignOn Gate 2006
(February, 19th 2009)
Build 1.2.38.x

Bug Fix:
- A bug was fixed, whereby the Windows user-authentication was not performed with UTF-16 passwords.


Comtarsia SignOn Gate 2006
(January, 7th 2009)

Build 1.2.37.x

New Features and/or Functional Changes:

- UTF-8 support for LDAP passwords:
This functionality can be activated with the parameter DWORD:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP\useUTF8Password=1. If this parameter is not available, no UTF-8 passwords are used, for compatibility reasons.

Bug Fix:

- A bug in the SSL stack of SOA and SOP was fixed whereby, for SSL certificates whose subject consists only of a CN, the FQDN check always failed even when the host names matched.


Comtarsia Logon Client 2006
(February, 13th 2009)

Build 4.1.52.x

Bug Fix:

• A problem when reading the registry value "EnableLocation" was fixed.


Comtarsia Logon Client 2006
(December, 15th 2008)

Build 4.1.51.x

New Features and/or Functional Changes:

• UTF-8 support for LDAP passwords:
This functionality can be activated with the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\LDAP\useUTF8Password=1. If this parameter is not available, no UTF-8 passwords are used, for compatibility reasons.


Comtarsia Logon Client 2006
(December, 1st 2008)

Build 4.1.50.x

Bug Fix:

• A problem in the evaluation of the OpenLDAP Password Policy was fixed whereby, in case of a password change, a possible policy response of the LDAP server was not correctly displayed to the user.


Comtarsia Logon Client 2006
(November, 18th 2008)

Build 4.1.49.x

New Features and/or Functional Changes:

• SSO: a small support program (TerminateComtMSSO.exe) was created for the automated installation of MSSO components through software distribution. With this program, all started instances of ComtMSSO.exe can be terminated at once.
Recommended installation order of the new version:
1) Copy the new TerminateComtMSSO.exe into the SSO bin directory
2) Run TerminateComtMSSO.exe in the SSO bin directory
3) Copy the new MSSO data
• SSO:
The parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\SSO\RootPath replaces the previous parameter
HKLM\SOFTWARE\PCS\GINA\MSSORootPath.
If the GINA\SSO key is not available, GINA\MSSORootPath is still read.

The registry parameters
HKLM\SOFTWARE\PCS\GINA\SSO
DWORD:LDAP_PWD_MODE (default:2)
DWORD:LDAP_PKI_MODE (default:2)
DWORD:OFFLINE_MODE (default:2)
DWORD:LOCAL_LOGON_MODE (default:2)
DWORD:WIN_ADS_MODE (default:2)
configure whether and in which mode the SSO module is started for the particular login category.
Possible values are:
0 = SSO will not be started
1 = SSO will be started deactivated; the user can activate it via the tray icon as required
2 = SSO will be started normally and is active from the start
Login modes:
LDAP_PWD_MODE: LDAP login with user name and password
LDAP_PKI_MODE: LDAP login with Smart Card
OFFLINE_MODE: Active Directory Cached Credential login
LOCAL_LOGON_MODE: Login of a local user
WIN_ADS_MODE: Active Directory login
• The function "Enforce Logout" now also works in Smart Card mode.

Bug Fix:

• SSO: only SSO scripts whose file name ends exactly in ".dll" are loaded.
• SSO: a bug was fixed whereby the current user name was not available in SSO after an "Offline" login.
• A bug in the function "LDAPOUSearchListMode=1" was fixed whereby, in case of a timeout during the system user login, the user was not automatically asked for an offline logon.


Comtarsia Logon Client 2006
(November, 4th 2008)

Build 4.1.48.x

New Features and/or Functional Changes:
• SSO: Internal optimizations


Comtarsia Logon Client 2006
(October, 17th 2008)

Build 4.1.47.x

Bug Fix:

• The function "AdminLogon" did not work when the user with admin rights was in the LDAP password expire or grace logon period. As of this build, admin logon is also possible in these periods.
• In the function "Workstation Logon Policy", it was possible to change or completely delete the selected item in the ComboBox "Logon category" in the Logon Panel. That led to incomplete target OU paths and to errors on the SignOn Agent for the workstation OU Move Request.


Comtarsia Logon Client 2006
(October, 13th 2008)

Build 4.1.46.x

New Features and/or Functional Changes:

• The module "Managed SSO" was extended with a tray icon. The user can now temporarily deactivate the SSO functionality for certain actions (e.g. login with other credentials).


Comtarsia SignOn Gate 2006
(October, 2nd 2008)

Build 1.2.36.x

New Features and/or Functional Changes:

- SOP: New parameter REG_SZ: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\Parameter\ListenerInterface=""
With this parameter, either the IP address or the host name of the network interface that is used for incoming connections can be specified. The proxy is then no longer reachable via any other interfaces that may exist on the computer.
If this parameter is not defined, empty or "*", the SignOn Proxy is bound to all interfaces.
Example: ListenerInterface="127.0.0.1": the SignOn Proxy is now only reachable locally (via 127.0.0.1) and no longer via the network.
- SOP: New parameter DWORD: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\Parameter\syncClientLogonDC=1
This parameter only affects an Active Directory domain configured on the proxy. If this parameter is activated, the SignOn Agent on which the client login will also take place is synchronised preferentially. The Logon Client (since Version 4.1.46.4) transmits the login server during the synchronisation when this function is activated. This behavior brings advantages with regard to AD replication.
It is beneficial if a SignOn Agent is installed on all AD domain controllers. With this build, the proxy now supports up to 32 domain controllers per domain. Additional domain controllers are entered, comma-separated, as "Secondary Server" in the SignOn Proxy configurator.


Comtarsia Logon Client 2006
(September, 29th 2008)

Build 4.1.45.x

Bug Fix:

• In PKI mode with ScardRemoveAction 3 (No Action), the request to remove the Smart Card was not displayed in the OnSasPanel on Logoff/Shutdown.


Comtarsia SignOn Gate 2006
(September, 3rd 2008)

Build 1.2.35.x

New Features and/or Functional Changes:

- SOA: A "Retry" for user administration functions was implemented, so that in the case of "directory service busy" the action is repeated after a short delay.
- SOA: New parameter DWORD: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Comt SOA_SYS_2006\SYSTEM\ adsReplicationMinimumTimeout =0
defines the minimum timeout for ADS replication in seconds. If the remaining TTL of the user synchronisation is shorter than the defined "adsReplicationMinimumTimeout", the wait for replication completion lasts at least "adsReplicationMinimumTimeout" seconds.

Bug Fix:

- SOA: a bug in the area of ADS replication was fixed which led to increased resource consumption on the agent in case of a replication timeout.


Comtarsia Logon Client 2006
(August, 21st 2008)

Build 4.1.44.x

Bug Fix:

• Bugs in Smart Card mode with the screen saver were fixed.


Comtarsia SignOn Gate 2006
(August, 18th 2008)

Build 1.2.34.x

New Features and/or Functional Changes:
- The SSL functions of the Proxy->Agent communication as well as the Active Directory user administration functions were optimized with regard to memory consumption.


Comtarsia SignOn Gate 2006
(July, 28th 2008)

Build 1.2.33.x

Bug Fix:

- SOP: a bug in SyncPolicy was fixed.


Comtarsia SignOn Gate 2006
(July, 23rd 2008)

Build 1.2.32.x

New Features and/or Functional Changes:
- SOA: New parameter DWORD: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Comt SOA_SYS_2006\SYSTEM\ logProcessInformation=0
If this parameter is set to "1", information about the SignOn Agent's memory requirements is periodically written to the log. This function can only be activated in the AD mode of the agent. The output interval is determined by the ADSDiscover interval.


Comtarsia Logon Client 2006
(July, 22nd 2008)

Build 4.1.43.x

Bug Fix:

• A bug when reading the LDAP user groups was fixed which, in certain situations with more than 50 groups and activated SSL encryption, led to an "Application error".
• On Smart Card login with a blocked PIN (too many entries of a wrong PIN; the number of possible failed attempts is stored on the smart card), a suitable warning is displayed to the user.


Comtarsia SignOn Gate 2006
(July, 22nd 2008)

Build 1.2.31.x

Bug Fix:

• An "Application Error" when reading the LDAP user groups was fixed. This error occurred in certain situations with more than 50 groups and activated SSL encryption.


Comtarsia Logon Client 2006
(June, 26th 2008)

Build 4.1.42.x

New Features and/or Functional Changes:

• With the new parameter REG_SZ:HKLM\Software\PCS\Gina\RequiredSyncDomain, one or more domain names (separated by commas) can be defined, of which at least one domain (independently of the SyncStatus) must appear in the proxy reply list during the synchronization via SignOn Gate in order for the logon to be performed. The domain name corresponds to the string that is defined on the SignOn Proxy for an assigned domain/agent and is displayed in the synchronization status window during login.
If the parameter is empty or not defined, the login is performed independently of the SyncProxy reply list.
With the parameter REG_SZ:HKLM\Software\PCS\Gina\RequiredSyncDomainMessage,
the pop-up text can be defined that appears if login is not possible due to a missing domain.
With the parameter DWORD:HKLM\Software\PCS\Gina\DontOfferCachedCredLogon=1,
the possibility of a local cached credential login is prevented in case the LDAP server cannot be reached.


Comtarsia Logon Client 2006   
(June 26th, 2008)

Build 4.1.41.x

New Features and/or Functional Changes:

• With the new parameter REG_SZ:HKLM\Software\PCS\Gina\RequiredSyncDomain, one or more domain names can be defined (comma-separated), of which at least one domain must be included in the account synchronization reply list (independent of the sync status); otherwise the logon is canceled. The domain name is equivalent to the string defined on the SignOn Gate Proxy for the domains/agents and is displayed in the synchronization status window during logon. If this parameter is empty or not defined, the logon process is continued independent of the account synchronization reply list. With the parameter REG_SZ:HKLM\Software\PCS\Gina\RequiredSyncDomainMessage, the pop-up text can be defined that appears in case the logon is canceled because of missing domains.
With the new parameter DWORD:HKLM\Software\PCS\Gina\DontOfferCachedCredLogon=1, a local logon attempt with cached credentials is not possible in case the LDAP server is unreachable.


Comtarsia Logon Client 2006   
(June 11th, 2008)

Build 4.1.41.x

New Features and/or Functional Changes:

• A bug in the function AdminLogon was fixed. The AdminLogon failed in case the user was in a different OU than the admin user.


Comtarsia Logon Client 2006   
(June 5th, 2008)

Build 4.1.40.x

New Features and/or Functional Changes:

• With the new parameter DWORD:HKLM\Software\PCS\Gina\LDAP\SCardCertificateRemoveMode = 1 (default:0), on each Smart Card insert event all certificates in the computer's CertificateStore that match the certificate filter defined in the parameter ScardCertificateFindMode are deleted. This function ensures that only the certificate on the Smart Card matches the certificate search filter.


Comtarsia Logon Client 2006   
(May 30th, 2008)

Build 4.1.39.x

New Features and/or Functional Changes:

• With the parameter HKLM\Software\PCS\Gina\ScardDefaultContainerName, a CSP default container name can be defined from which the user certificate is loaded. If an empty string should be used as DefaultContainerName, an underscore "_" must be set.

• With the parameter, HKLM\Software\PCS\Gina\DontOfferCtrlAltDel=1 in PKI Mode and in logged out state, the notification text about the possibility to press Ctrl-Alt-Del is disabled.

• To reduce the logon time, the PIN dialog is now displayed while the Smart Card data is being read.


Bug Fix:

• When a SmartCard without a chip is inserted, an error message is displayed and the user is not requested to enter the PIN. This behavior now also applies when unlocking the workstation.

• A security problem with smart card authentication on a locked workstation was fixed.


Comtarsia SignOn Gate 2006   
(May, 13th, 2008)

Build 1.2.30.x

New Features and/or Functional Changes:

• SOA: An automatic reset of the "ADS User Account Lockout" is done by the SignOn Agent.


Comtarsia Logon Client 2006   
(April 24th, 2008)

Build 4.1.38.x

Bug Fix:

• With the function LDAPOUSearchListMode=1, in case the LDAP server was not reachable, a wrong return value was returned to the Logon Client and therefore the user did not get the option to perform an offline logon.

• With the function "Offline-logon" and the activated Windows Policy "DisableCAD", the Windows logon dialog remained open after a Windows error message.


Comtarsia SignOn Gate 2006   
(March 3rd, 2008)

Build 1.2.29.x

New Features and/or Functional Changes:

- SOA: ExceptGroups now support up to 2047 characters.
- SOA: ExceptGroups now allow wildcards at the end of the string, e.g. "testgrp*"
- SOP: The Registry value for the „LDAP Server Type“ „ADS LDAP“ was changed from 9 to 10.


Comtarsia SignOn Gate 2006   
(February 29th, 2008)

Build 1.2.28.x

New Features and/or Functional Changes:

- User attributes which should be synchronized by the SignOn Agent in the ADS can now be removed or set to empty. These are attributes from LDAP or the SignOn Proxy (function AttributeBasdEnvironment). In former versions of the SignOn Agent it was not possible to set an attribute value to empty.
- The SignOn Agent “Proxy Accept-list” was extended to hold up to 200 entries.


Comtarsia Logon Client 2006   
(February 26th, 2008)

Build 4.1.37.x

New Features and/or Functional Changes:

• Internal changes


Comtarsia Logon Client 2006
(January, 22nd 2008)

Build 4.1.36.x

New Features and/or Functional Changes:

• With the parameter HKLM\Software\PCS\Gina\WaitBeforeAllowLogon (DWORD) (default:0), the time in seconds can be defined that the Logon Client waits, after the workstation has booted and the workstation service has started, before the logon dialog is released for the first logon.

• With the parameter HKLM\Software\PCS\Gina\DisableClearMSGinaAutoLogonCred (DWORD) = 1 (default:0), the Autoadmin credentials are not deleted during the boot process.


Comtarsia LDAP Directory Replicator 2006
(December, XXth 2007)

Build 1.2.3.x

New Features and/or Functional Changes:
- Comtarsia LDAP Directory Replicator now has a configurator.
This configurator is based on DotNet Framework 2.0, and therefore it is installed automatically by the installation program.


Comtarsia Logon Client 2006
(November 29th, 2007)

Build 4.1.35.x

New Features and/or Functional Changes:

• The functionality "No Action" was added to the parameter HKLM\Software\PCS\Gina\SCardRemoveAction (DWORD).
0 = User selected, the following actions are available:
Remove Card: Lock Screen
Remove Card + left Ctrl key: Force Logoff
Remove Card + left Shift key: Shutdown-Power-OFF

1 = Lock Screen
2 = Force Logoff
3 = No Action

• With the parameter HKLM\Software\PCS\Gina\DisableShutdown (DWORD) = 1,
the possibility to perform a shutdown via the Logon Client is prevented.

• With the parameter HKLM\Software\PCS\Gina\IgnoreWinPolicies (DWORD) (default:1) = 0, Windows Group Policies can change Logon Client settings.
Currently implemented Windows Group Policies:

Windows GPO -> Logon Client Setting:

- Shutdown: Allow system to be shut down without having to log on -> DisableShutdown

- Remove and prevent access to the Shut Down command -> DisableShutdown

- Interactive logon: Smart card removal behavior -> SCardRemoveAction


Comtarsia Logon Client 2006
(November 23rd, 2007)

Build 4.1.34.x

New Features and/or Functional Changes:

- Support of EffectiveUserPolicy of the IBM/Tivoli Directory Server 6.1.


Comtarsia SignOn Gate 2006
(November 23rd, 2007)

Build 1.2.27.x

New Features and/or Functional Changes:

- Support of EffectiveUserPolicy of the IBM/Tivoli Directory Server 6.1.


Comtarsia Logon Client 2006
(November 19th, 2007)

Build 4.1.33.x

New Features and/or Functional Changes:

• The shutdown button is deactivated in the OnSASPanel via the parameter HKLM\Software\PCS\Gina\DisableShutdown = 1. Furthermore, shutdown in Smart Card mode by pulling the Smart Card is no longer possible.
• New DebugLevel "9": if this DebugLevel is set, an expanded LDAP log is generated.


Comtarsia SignOn Gate 2006
(November 15th, 2007)

Build 1.2.26.x

New Features and/or Functional Changes:

- Support for IBM/Tivoli Directory Server 6.1

Bug Fix:

- The timeout of the Active Directory replication was adapted so that a response is still sent to the Proxy/Client even in the case of a timeout.
- Measures were taken in the Security Agent so that database integrity is still ensured in the case of a power failure.


Comtarsia Logon Client 2006   
(November 12th, 2007)

Build 4.1.32.x

New Features and/or Functional Changes:

• Support for IBM/Tivoli Directory Server 6.1.

Bug Fix:
• A bug in Smart Card logon in combination with an OpenLDAP server was fixed.


Comtarsia Logon Client 2006   
(November 8th, 2007)

Build 4.1.31.x

New Features and/or Functional Changes:

• Support for the platform Windows X86_64 (Windows Server 2003 and Windows XP). Build 4.1.x.5 must be installed on these platforms.

Bug Fix:

• An error in the synchronization with SignOn Proxy 2006 was fixed. It caused a segmentation fault on communication timeout under certain circumstances.


Comtarsia Logon Client 2006   
(October 24th, 2007)

Build 4.1.30.x

Bug Fix:

- A bug in the "Screen Lock" function in connection with Smart Card logon was fixed.


Comtarsia SignOn Gate 2006   
(October 15th, 2007)

Build 1.2.25.x

New Features and/or Functional Changes:

- Customized function expansion


Comtarsia SignOn Gate 2006   
(September 27th, 2007)

Build 1.2.24.x

New Features and/or Functional Changes:

- A new "LDAP-AdminLogon" mode
DWORD:“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP\LDAPUseAdminLogon”=1
In this mode, the SignOn Proxy connects to LDAP with the system user and collects the user information. For this purpose, the credentials of the system user should be stored in the local registry with the tool "SetLDAPAdminPassword.exe" (see the parameter description for Build 1.2.23.x).
In this mode, no check of the user password is carried out against LDAP!
- The functionality of the security agent was extended, especially for multiple Active Directory domain controllers.
- The SignOn Agent in the Active Directory now waits longer (5 minutes) for the Active Directory at system start.
- For Active Directory users who have no Comtarsia description (SERV_TMP_USER), the expire time is set if the option "Activate all User" is activated.

Bug Fix:

- A problem in data base integrity was fixed, which could block the agent under certain circumstances.
- A bug in SyncAttributes was fixed, which could prevent implementation of the user-attributes under certain circumstances.
- A bug in connection with an empty groupmapping list was fixed.
- A bug in the SignOn Agent groupmapping list regarding entries with more than 32 characters was fixed.


Comtarsia Logon Client 2006   
(September 13th, 2007)

Build 4.1.29.x

Bug Fix:

- A local logon in Terminal Server Mode directly on the server console was not possible.


Comtarsia SignOn Gate 2006   
(September 10th, 2007)

Build 1.2.23.x

New Features and/or Functional Changes:

- If the OU has already been determined by the client, the Proxy uses it in the "OUSearchList" modes instead of searching once more by itself for the user in all configured OUs.
- A new "OUSearchList" mode was implemented:

The OUSearchList functionality of Comtarsia Logon Client 2006 and Comtarsia SignOn Proxy 2006 was extended so that, in future, each user can be searched for in LDAP. Until now, one bind attempt took place for each OU.

The old function remains, the new one can be activated via a registry-parameter.

The OUSearchList can also be stored in LDAP. This makes simple extensions/changes possible, without conducting configuration changes on the clients.

The Logon Client requires its own service user in LDAP to perform the new OUSearchList functionality. This user should have the necessary rights to read the OUSearchList from LDAP, as well as to search for the logon user in all configured LDAP OUs.

The detaillied description of LDAP-user registration with the new OUSearchList-functionality:

1) If the new OUSearchList-mode is active [1], Logon Client/Proxy connects with the credentials of LDAP-service-user deposited in the registry [2] to LDAP.
2) If a LDAP-object is deposited in the registry Attribute inclusive [3], in which contains OUSearchList, it will be read out. Otherwise is the OUSearchList read out from the local registry [4].
3) To check if the user exists in the particular OU, for each entry in the OUSearchList one LDAP-Query is deducted. The entries of the OUSearchList are scanned in the configured order. If the user is found in one OU, further scan is aborted. If the user is in none of the configured OUs found, Logon is aborted and the user gets a value configured in [5] as an error notification.
4) A LDAP-service-user is logged off and the Logon-user with user-DN as determined in 3) registered on LDAP. Here is the new OUSearchList functionality terminated and the existing Logon Client/Proxy LDAP-functionality further performed.

Registry parameters:
Prefix for the registry keys mentioned, valid for SignOn Proxy 2006:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP”

[1] DWORD:LDAPOUSearchListMode
Defines the active OUSearchList-Mode
• „0“ or not existing: The previous OUSearchList-Mode is active
• „1“: OUSearchList-Mode described in this specification is active

[2] SZ:LDAPAdminDN and SZ:LDAPAdminPassword
Defines the LDAP user DN and the password of the service user.
LDAPAdminDN has to be an absolute LDAP DN (e.g.: uid=LogonClient, ou=ServiceUsers, o=Comtarsia); other LDAP settings such as UserDNPrefix are not applied here.
LDAPAdminPassword is stored encrypted in the registry. Comtarsia provides a program that writes this encrypted value to the registry. It can be distributed to all computers that require the password.

[3] SZ:LDAPOUSearchListObjectDN and SZ:LDAPOUSearchListAttribute
Defines the LDAP object DN and the LDAP attribute in which the OUSearchList is stored.
LDAPOUSearchListObjectDN has to be an absolute LDAP DN.
LDAPOUSearchListAttribute is a single-value string attribute; the individual OUSearchList entries are separated by „;“.

[4] SZ:LDAPOUSearchList
Defines the OUSearchList if it is read from the local registry. This parameter already exists.

[5] DWORD:LDAPOUSearchListErrorCode
This registry value configures whether a user who is not found in LDAP gets the error notification „The specified user does not exist“ or „Invalid Username/Password“. For security reasons it is recommended not to tell the user whether the username or the password was invalid.

1 = General LDAP error
2 = Invalid username or password (recommended)
6 = User does not exist (default)
Other error codes should not be used, because they can cause unexpected server behaviour.


Comtarsia Logon Client 2006   
(August 31st, 2007)

Build 4.1.28.x

New Features and/or Functional Changes:

A new „OUSearchList“-Mode was implemented:

The OUSearchList functions of Comtarsia Logon Client 2006 and Comtarsia SignOn Proxy 2006 were extended so that a particular user can be searched for in LDAP.

This new mode can be activated via a registry parameter.

An OUSearchList can be placed in LDAP, so that extensions and changes can be made without configuration changes on the client.

To carry out the new OUSearchList function, the Logon Client requires its own service user in LDAP, with the authorization needed to read the OUSearchList from LDAP and to search for the logon user in all configured LDAP OUs.

Detailed description of the LDAP user logon with the new OUSearchList function:

1) If the new OUSearchList mode is activated [1], the Logon Client/Proxy connects to LDAP with the credentials [2] of the LDAP user stored in the registry.
2) If an LDAP object attribute [3] containing the OUSearchList is configured in the registry, the list is read from there. Otherwise the OUSearchList is read from the local registry [4].
3) For each entry in the OUSearchList, one LDAP query is issued to check whether the user exists in the respective OU. The entries of the OUSearchList are scanned in the configured order. If the user is found in an OU, the scan stops. If the user cannot be found in the configured OUs, the logon is aborted and the value configured in [5] is shown to the user as the error.
4) The LDAP service user is logged off and the logon user is signed in to LDAP with the user DN determined in 3). At this point the new OUSearchList function is complete and the existing Logon Client/Proxy LDAP function continues.

Registry parameters:
Prefix that applies to the registry keys mentioned, for Logon Client 2006:
“HKEY_LOCAL_MACHINE\SOFTWARE\PCS\GINA\LDAP”

[1] DWORD:LDAPOUSearchListMode
Defines the active OUSearchList-Mode
• „0“ or not existing: The previous OUSearchList-Mode is active
• „1“: OUSearchList-mode described in this specification is active

[2] SZ:LDAPAdminDN and SZ:LDAPAdminPassword
Defines the LDAP user DN and the password of the service user.
LDAPAdminDN has to be an absolute LDAP DN (e.g.: uid=LogonClient, ou=ServiceUsers, o=Comtarsia); other LDAP settings such as UserDNPrefix are not applied here.
LDAPAdminPassword is stored encrypted in the registry. Comtarsia provides a program that writes this encrypted value to the registry. It can be distributed to all computers that require the password.

[3] SZ:LDAPOUSearchListObjectDN and SZ:LDAPOUSearchListAttribute
Defines the LDAP object DN and the LDAP attribute in which the OUSearchList is stored.
LDAPOUSearchListObjectDN has to be an absolute LDAP DN.
LDAPOUSearchListAttribute is a single-value string attribute; the individual OUSearchList entries are separated by „;“.

[4] SZ:LDAPOUSearchList
Defines the OUSearchList if it is read from the local registry. This parameter already exists.

[5] DWORD:LDAPOUSearchListErrorCode
This registry value configures whether a user who is not found in LDAP gets the error notification „The specified user does not exist“ or „Invalid Username/Password“. For security reasons it is recommended not to tell the user whether the username or the password was invalid.

1 = General LDAP Error
2 = Invalid username or password (recommended)
6 = User does not exist (default)
Other error codes should not be used, because they can cause unexpected server behaviour.

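The four logon steps and the LDAPOUSearchListErrorCode setting described in the two OUSearchList entries above (SignOn Gate Build 1.2.23.x and Logon Client Build 4.1.28.x), as an added Python simulation that is not Comtarsia code. The in-memory directory, the sample DNs and passwords, the uid=<name>,<OU> naming, and the codes returned for a failed service bind (1) and a wrong password (2) are assumptions.

```python
from typing import Dict, List, Optional, Tuple

MAX_OU_ENTRIES = 64           # LDAPOUSearchList limit given in this build history
ERR_GENERAL_LDAP = 1          # codes listed for LDAPOUSearchListErrorCode
ERR_INVALID_CREDENTIALS = 2   # recommended
ERR_USER_NOT_FOUND = 6        # default


class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server; no network access."""

    def __init__(self, passwords: Dict[str, str],
                 attributes: Dict[Tuple[str, str], str]):
        self.passwords = passwords      # entry DN -> password
        self.attributes = attributes    # (object DN, attribute name) -> value
        self.queries: List[str] = []    # OUs searched, in order

    def bind(self, dn: str, password: str) -> bool:
        return dn in self.passwords and self.passwords[dn] == password

    def find_user(self, ou: str, uid: str) -> Optional[str]:
        self.queries.append(ou)
        dn = f"uid={uid},{ou}"          # assumption: users are named uid=<name>,<OU>
        return dn if dn in self.passwords else None


def parse_ou_search_list(raw: str) -> List[str]:
    """Split the ';'-separated single-value string, keeping the configured order."""
    entries = [e.strip() for e in raw.split(";") if e.strip()]
    if len(entries) > MAX_OU_ENTRIES:
        raise ValueError("OUSearchList has more than 64 entries")
    return entries


def logon(directory: FakeDirectory, cfg: dict, uid: str,
          password: str) -> Tuple[Optional[str], int]:
    """Return (user DN, 0) on success or (None, error code) on failure."""
    if cfg.get("LDAPOUSearchListMode", 0) != 1:
        raise NotImplementedError("only the new mode [1] is modelled here")
    # Step 1: connect with the service user's credentials [2].
    if not directory.bind(cfg["LDAPAdminDN"], cfg["LDAPAdminPassword"]):
        return None, ERR_GENERAL_LDAP           # assumption: reported as code 1
    # Step 2: list from the LDAP object [3] if configured, else local registry [4].
    obj_dn = cfg.get("LDAPOUSearchListObjectDN")
    if obj_dn:
        raw = directory.attributes.get((obj_dn, cfg["LDAPOUSearchListAttribute"]), "")
    else:
        raw = cfg.get("LDAPOUSearchList", "")
    # Step 3: one query per OU in configured order, stop at the first hit.
    user_dn = None
    for ou in parse_ou_search_list(raw):
        user_dn = directory.find_user(ou, uid)
        if user_dn:
            break
    if user_dn is None:
        return None, cfg.get("LDAPOUSearchListErrorCode", ERR_USER_NOT_FOUND)
    # Step 4: the service user is logged off; the logon user binds with that DN.
    if not directory.bind(user_dn, password):
        return None, ERR_INVALID_CREDENTIALS    # assumption: reported as code 2
    return user_dn, 0


def leaks_user_existence(cfg: dict) -> bool:
    """True if an unknown user is answered differently from a wrong password."""
    code = cfg.get("LDAPOUSearchListErrorCode", ERR_USER_NOT_FOUND)
    return code != ERR_INVALID_CREDENTIALS


# Constructed sample data (not taken from the product).
SERVICE_DN = "uid=LogonClient,ou=ServiceUsers,o=Example"
LIST_DN = "cn=OUSearchList,ou=Config,o=Example"
SAMPLE_CFG = {
    "LDAPOUSearchListMode": 1,
    "LDAPAdminDN": SERVICE_DN,
    "LDAPAdminPassword": "svc-secret",   # stored encrypted in the real registry
    "LDAPOUSearchListObjectDN": LIST_DN,
    "LDAPOUSearchListAttribute": "description",
}


def sample_directory() -> FakeDirectory:
    return FakeDirectory(
        passwords={SERVICE_DN: "svc-secret",
                   "uid=alice,ou=Sales,o=Example": "alice-pw"},
        attributes={(LIST_DN, "description"):
                    "ou=Staff,o=Example; ou=Sales,o=Example; ou=Lab,o=Example"},
    )


if __name__ == "__main__":
    for cfg in (SAMPLE_CFG, dict(SAMPLE_CFG, LDAPOUSearchListErrorCode=2)):
        unknown = logon(sample_directory(), cfg, "mallory", "x")[1]
        wrong_pw = logon(sample_directory(), cfg, "alice", "wrong")[1]
        print(f"unknown user -> {unknown}, wrong password -> {wrong_pw}, "
              f"leaks existence: {leaks_user_existence(cfg)}")
```

With the default code 6 the two failures are answered differently; with the recommended code 2 they are answered identically.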

Comtarsia Logon Client 2006   
(August 21st, 2007)

Build 4.1.27.x

New Features and/or Functional Changes:

- A new parameter SCardCertificateFindMode was implemented. It determines which attributes are used to search for the certificate in the CertificateStore. This only makes sense when the default mapping finds no match.

Parameter: HKLM\Software\PCS\Gina\LDAP
„SCardCertificateFindMode“ DWORD = 0
0 = IssuerSerialMode (Default): Search for corresponding issuer and serial number of the certificate
1 = SimpleMode: The first certificate found is used, regardless of whether it matches.
2 = SubjectMode: The first certificate whose subject matches is used.


Comtarsia SignOn Gate 2006   
(August 16th, 2007)

Build 1.2.22.x

New Features and/or Functional Changes:

- A new parameter LDAPGroupsSearchBase was implemented. Via this parameter a Base-DN for the group search can be specified.

Parameter:
HKLM\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP
„LDAPGroupsSearchBase“ REG_SZ = „“
If the value does not exist or is empty, LDAPBaseDN is used. If the last character of the value is a „,“, LDAPBaseDN is appended.

Bug Fix:
- SOP Linux: a problem with the Thread-IDs under openSUSE 10.2 was fixed.


Comtarsia Logon Client 2006   
(August 14th, 2007)

Build 4.1.26.x

New Features and/or Functional Changes:

- A new parameter „SCardMappingUseLDAPBaseDN“ was implemented to define if the BaseDN from the Smart Card or the configured LDAPBaseDN is used for LDAP searches. This parameter is useful if the Smart Card DN differs from the LDAP base DN.

Parameter: HKLM\Software\PCS\Gina\LDAP
„SCardMappingUseLDAPBaseDN“ DWORD = 0
0 = SCardBaseDN (Default) The BaseDN of the Smartcard is used.
1 = LDAPBaseDN The configured LDAPBaseDN is used.


Comtarsia Logon Client 2006   
(August 9th, 2007)

Build 4.1.25.x

New Features and/or Functional Changes:

- A new parameter „LDAPGroupsSearchBase“ for defining a Base-DN for the group search was implemented.

Parameter: HKLM\Software\PCS\Gina\LDAP
„LDAPGroupsSearchBase“ REG_SZ = „“
If the value doesn’t exist or is empty, the LDAPBaseDN is used as base for the group search. If the last character is a „,“, the LDAPBaseDN is appended.

Bug Fixes:
- A problem with the logon scripts was solved.


Comtarsia SignOn Gate 2006   
(July 12th, 2007)

Build 1.2.21.x

New Features and/or Functional Changes:

- SOP: LDAPOUSearchList now supports up to 64 entries.
- SOP: the function LDAPGroupTypes was expanded for „ibm-allGroups“. If the „ibm-allGroups“ bit is set, user groups are determined from the ibm-allGroups attribute of the LDAP user object. The value „LDAPGroupTypes“ is a bit field.

The parameter HKLM\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP
„LDAPGroupTypes“:DWORD (Default = 3)
groupOfNames 0x1
groupOfUniqueNames 0x2
posixGroup 0x4
ibm-allGroups 0x8

- SOA: a new parameter „LDRFilter“ was added. The behaviour of the SignOn Agent on an LDR SyncRequest can be controlled via this parameter. The value „LDRFilter“ is a bit field. The „Deny ADS Replication“ bit of LDRFilter replaces the value „ReplicateIfLDR“. SOA no longer loads the value „ReplicateIfLDR“.

The parameter HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM
„LDRFilter“:DWORD (Default = 1)
Deny ADS Replication 0x1
Deny Set Expire Time 0x2
Deny Set Last Logon Time on create 0x4
Deny Set Last Logon Time on update 0x8

- SOA: „Account Expire Time“ of the ADS user object is now also set if it is longer than the time configured via „usrInactiveDisable“.
- SOA: the default parameter value „acctExpPercent“ was changed to 100 (expire time has to be set each time) to preserve the original behaviour.
- SOA: If „Threshold User Time to Live“ is changed, the SOA service is now also restarted.
- SOA: A new variable „SOAHomeDirPath“, which can be set on the SOP via AttributeBasedEnvironment, is now supported. When this variable is set and the word „CLIENT“ is configured as homeDirPath on the SOA, the variable SOAHomeDirPath is used to create the HomeDir and set its ACL, and CLCHomeDirPath is entered as homeDir in the user object.
If SOAHomeDirPath is not set, CLCHomeDirPath is used, as before, both to create the HomeDir and to set the ACL.


Comtarsia Logon Client 2006   
(July 11th, 2007)

Build 4.1.24.x

New Features and/or Functional Changes:

- The password change dialog of the function “ForcePasswordChange”, which is triggered by the LDAP attribute „clcforcepasswordchange“, was changed to support a user exit. With the registry parameter HKLM\Software\PCS\Gina „DenyCancleForcePWDChangeDlg“ DWORD = 1 the user exit can be disabled.

- The function LDAPGroupTypes was expanded with the value „ibm-allGroups“. If the „ibm-allGroups“ bit is set, the user groups are read from the „ibm-allGroups“ attribute of the LDAP user object. The registry entry „LDAPGroupTypes“ is a bit mask.

Parameter HKLM\Software\PCS\Gina\LDAP
„LDAPGroupTypes“:DWORD (Default = 3)
groupOfNames 1
groupOfUniqueNames 2
posixGroup 4
ibm-allGroups 8


Comtarsia Logon Client 2006   
(July 3rd, 2007)

Build 4.1.23.x

New Features and/or Functional Changes:

- The LDAPOUSearchList now supports up to 64 entries.

- In addition to the HWAdmin function, a HWAdminTemp function was implemented to assign temporary Administrator rights to a user.

Parameter: HKLM\Software\PCS\Gina
„HWAdminTempGroup“:REG_SZ
Defines the name of the LDAP group of which the user has to be a member to get temporary Administrator rights.

„HWAdminAttribute“:REG_SZ
Specifies an attribute in the LDAP user object which contains the names of the workstations for which the user is allowed to become HWAdmin.

„HWAdminTempExpireDateAttribute“:REG_SZ
Specifies an LDAP attribute which defines the exact date, in the format „YYYYMMDDhhmmss“, when the temporary Administrator rights will expire.

At the time of logon the Logon Client reads these parameters from the LDAP server and determines, based on the local workstation time, how long the user gets the temporary Administrator rights.

„HWAdminTempMaxAllowedExpireTimeOffset”:DWORD
Specifies the maximum allowed offset between the local workstation time and the time defined in the LDAP attribute „HWAdminTempExpireDateAttribute“.

„HWAdminTempForceLogoffNotify1“:DWORD
Specifies how many seconds before the forced logoff the user is informed by a popup notice. (This notice can be closed by the user)

„HWAdminTempForceLogoffNotify2“:DWORD
Specifies how many seconds before the end of the HWAdmin session a dialog pops up which informs the user with a countdown displaying the remaining time.

The Logon Client maintains a timestamp to prevent manipulation by changing the system time.

If the user gets Administrator rights with „HwAdminGroup“, the HWAdminTemp function is disabled.

The user will be logged off even when the screen is locked; which can cause data loss.


Comtarsia SignOn Gate 2006   
(June 28th, 2007)

Build 1.2.20.x

New Features and/or Functional Changes:

- AttributeBasedEnvironment now supports up to 30 entries.

Bug Fix:

- SOP: a bug with LDAP-groups was fixed.
- SOA: The password was overwritten by the Web-Client Sync. This bug was fixed.


Comtarsia SignOn Gate 2006   
(June 11th, 2007)

Build 1.2.19.x

Bug Fix:

- SOP: The LDAP attribute for AttributeBasedEnvironment is now also selected correctly for UID users.
- SOP: If more characters are cut off in AttributeBasedEnvironment than are available, an empty value is provided.


Comtarsia SignOn Gate 2006   
(June 6th, 2007)

Build 1.2.18.x

Bug Fix:

- SOP: a bug in AttributeBasedEnvironment in connection with empty LDAP attributes and cut-off operators was fixed.


Comtarsia Logon Client 2006   
(June 4th, 2007)

Build 4.1.22.x

New Features and/or Functional Changes:

- The LDAPOUSearchList now supports up to 30 entries.


Comtarsia SignOn Gate 2006   
(June 4th, 2007)

Build 1.2.17.x

New Features and/or Functional Changes:
- The LDAPOUSearchList now supports up to 30 entries.
- Change of AttributeBased*-functions:
For greater clarity, the filter rules are applied to AttributeBasedEnvironment. Only AttributeBasedEnvironment entries are applied for the AttributeBasedOUs/Groups.
- The syntax of AttributeBasedEnvironment and AttributeBasedOU is now:
String%Variable% String [%Variable%[ String]]
%Variable% is replaced by the value set in AttributeBasedEnvironment.


Comtarsia Logon Client 2006   
(May 23rd, 2007)

Build 4.1.21.x

New Features and/or Functional Changes:

- The function „Workstation Logon Policy“ was changed so that, if the local workstation is not a member of a Sub-OU, the text “Please select…” is displayed in the domain field. If only one Sub-OU is contained in the list, it is automatically pre-selected.


Comtarsia Logon Client 2006   
(May 16th, 2007)

Build 4.1.20.x

New Features and/or Functional Changes:

- If the Domain Controller is not reachable, the function „Workstation Logon Policy“ makes a second attempt to retrieve the data from another DC (if other DCs are available). This makes sure that a short downtime of a DC does not cause an empty list on the logon panel.


Comtarsia SignOn Gate 2006   
(May 11th, 2007)

Build 1.2.16.x

Bug Fix:
- SOA: a bug with ADS sub-domains was fixed.


Comtarsia Logon Client 2006   
(May 7th, 2007)

Build 4.1.19.x

New Features and/or Functional Changes:

- With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ WM_LDAP_OPT_REFERRALS = 1 (default = 0) automatic following of LDAP referrals for the function „Workstation Logon Policy“ can be enabled. With Build 4.1.18.x the following of referrals is always enabled.


Comtarsia Logon Client 2006   
(April 25th, 2007)

Build 4.1.18.x

New Features and/or Functional Changes:

With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ "GPUpdate_CMD"= 1 the command for the GroupPolicy activation for the function can be configured freely. Default: „gpupdate.exe“
Example configuration for Windows 2000:
GPUpdate_CMD = „secedit /refreshpolicy machine_policy /enforce“

PKCS11 Support:
DWORD SCardPKCS11Usage=0
WCHAR SCardPKCS11DLL[1024]=""
DWORD SCardPKCS11ContainerType=3


Comtarsia Logon Client 2006   
(April 16th, 2007)

Build 4.1.17.x

New Features and/or Functional Changes:

With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ DisableLocalLogon=1 logon with local user accounts can be prohibited. The option „Local workstation“ is then no longer available in the selection in the logon dialog.

With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ NoScriptsByCachedCredLogon=1 (default 0) no scripts are executed on an offline logon (via CachedCredentials) in the domain logon mode.

With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ "EnableWkstLogonPolicy"= 1 the function Workstation Logon Policy is turned on. The listbox for selecting the logon workstation OU or the local workstation logon gets the label „logon type“.
Each time the logon panel is built, the Logon Client tries to read, from the AD domain to which the client is joined, the current OU in which the workstation account is located. The root OUs are defined in the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ WkstLogonPolicyRootOUGroups(MULTI_SZ). The sub-OUs or parallel OUs under the defined root OU are offered to the user for selection in the logon panel. If the workstation is already located in a sub-OU, that OU is preselected in the listbox.
If this query is not possible, e.g. because the DC for the domain is not accessible, then the entry offline logon (Cached Credentials) should be displayed and selected in the field „logon type“.
All sub-OUs under the „.._Group“ OU should be selectable.
If the computer account is located in the „.._Group“ OU, then there is no preselection. If an OU Move is carried out during a logon, then the command „gpupdate.exe“ is executed, so that the policies assigned to the respective sub-OU are already active for the logon session. This functionality requires the use of the Comtarsia SignOn Gate Build 1.2.15.4 or higher with the workstation OU-Move function turned on.

With the registry parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\GPUpdate_Mask (DWORD) the point in time at which the command „gpupdate.exe“ is executed can be defined. The bits of this mask can be combined arbitrarily.

Execution Time of gpupdate.exe on the Workstation Logon Policy Mode
HKLM\Software\PCS\Gina\

GPUpdate_Mask | Executed On | Systemtoken | Usertoken
0x2 | before AD Logon, before all scripts | x |
0x4 | after AD Logon, before all scripts | x |
0x8 | after AD Logon, before all scripts | | x
0x10 | after the User Profile was loaded, after PreLogonScript | x |
0x20 | after the User Profile was loaded, after PreLogonScript | | x
0x40 | after User Desktop Preparation, after all scripts | x |
0x80 | after User Desktop Preparation, after all scripts | | x
0x100 | If this flag is low, gpupdate is only executed if the workstation was moved during the user logon. If this flag is high, gpupdate is executed on each successful logon. | |

Example: REG_SZ:HKLM\SOFTWARE\PCS\GINA\GPUpdate_Mask = 0x102. gpupdate.exe is executed at each successful logon, before the Active Directory logon with the system token.

Example: REG_SZ:HKLM\SOFTWARE\PCS\GINA\GPUpdate_Mask = 0x4. gpupdate.exe is executed at a successful logon, after the Active Directory logon with the user token, if a workstation OU Move is executed as a result of the user's selection.


Comtarsia SignOn Gate 2006   
(April 13th, 2007)

Build 1.2.15.x

New Features and/or Functional Changes:

- SOP: New filter rules for the „AttributeBasedOU“ and „AttributeBasedEnvironment“ functions in connection with the LDAP Directory Replicator:
Syntax: >>><<<[([[!]a[,[!]b[,...]]][:DEFAULT_VALUE])]
Meaning:
> removes 1 character from the left (can occur repeatedly)
< removes 1 character from the right (can occur repeatedly)
() contains the filter rule
(a,b)
If the value begins with “a” or “b”, the cutting operators are active. Otherwise the value is taken over unchanged.

(!a,!b)
If the value begins neither with “a” nor with “b”, the cutting operators are active.

(a,b:DEFAULT_VALUE)
If the value is empty, “DEFAULT_VALUE” is used.

Example AttributeBasedEnvironment:
Physicaldeliveryofficename=>(0)pdon
with a value of “123”, it is stored unmodified in pdon
with a value of “0123”, the first character is removed and therefore “123” is stored in pdon

Example AttributeBasedOU:
Physicaldeliveryofficename=>>(01,02:ou=ATQADEF)ou=ATQA%s
If the value begins with “01” or “02”, the first two characters are cut off and “ou=ATQA%s” is used as the OU, with %s replaced by the resulting value.
If the value is not set, then “ou=ATQADEF” is used as default.

Physicaldeliveryofficename=>>(!i)ou=ATQA%s
If the value does not begin with “i”, the first two characters are cut off.

- SOA: New SyncPolicy-Flag
“SYNC_POLICY_ADS_WKST_OU_MOVE= 0x100000”. With this flag the workstation OU move functionality is activated.

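The AttributeBasedOU / AttributeBasedEnvironment filter rules of this build, worked through as an added Python example (not Comtarsia code) that parses an entry and applies it to an attribute value, using the three entries shown above. Splitting the entry at the first "=", substituting an unchanged value into %s when the rule does not match, case-sensitive prefix comparison and the handling of mixed a,!b lists are assumptions; the empty result when more characters are cut than exist follows the Build 1.2.19.x note.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Rule text as it appears after the "=" of an entry:
#   >>><<<[([[!]a[,[!]b[,...]]][:DEFAULT_VALUE])]  followed by the target.
_RULE_RE = re.compile(r"^(?P<ops>[<>]*)(?:\((?P<body>[^)]*)\))?(?P<target>.*)$")


@dataclass(frozen=True)
class FilterRule:
    attribute: str                  # LDAP attribute the entry reads
    cut_left: int                   # number of ">" operators
    cut_right: int                  # number of "<" operators
    prefixes: Tuple[str, ...]       # a,b: value must begin with one of them
    not_prefixes: Tuple[str, ...]   # !a,!b: value must begin with none of them
    default: Optional[str]          # text after ":" inside the parentheses
    target: str                     # variable name, or OU template containing %s


def parse_entry(entry: str) -> FilterRule:
    """Parse one entry such as 'Physicaldeliveryofficename=>(0)pdon'."""
    attribute, sep, spec = entry.partition("=")   # assumption: split at first "="
    match = _RULE_RE.match(spec.strip())
    if not sep or not attribute.strip() or match is None:
        raise ValueError(f"not an attribute=rule entry: {entry!r}")
    ops, body = match.group("ops"), match.group("body")
    target = match.group("target").strip()
    if not target or target.startswith("("):
        raise ValueError(f"missing target or unclosed filter: {entry!r}")
    prefixes, not_prefixes, default = [], [], None
    if body is not None:
        conds, has_default, default_text = body.partition(":")
        default = default_text if has_default else None
        for item in (c.strip() for c in conds.split(",")):
            if item.startswith("!") and len(item) > 1:
                not_prefixes.append(item[1:])
            elif item and item != "!":
                prefixes.append(item)
    return FilterRule(attribute.strip(), ops.count(">"), ops.count("<"),
                      tuple(prefixes), tuple(not_prefixes), default, target)


def evaluate(rule: FilterRule, value: Optional[str]) -> str:
    """Apply the rule to an attribute value and return the stored result."""
    value = value or ""
    if value == "" and rule.default is not None:
        return rule.default                  # the default replaces the whole result
    # Assumption for mixed lists: a positive prefix must match (if any are
    # given) and no negated prefix may match.
    active = ((not rule.prefixes or value.startswith(rule.prefixes))
              and not (rule.not_prefixes and value.startswith(rule.not_prefixes)))
    if active:
        if rule.cut_left + rule.cut_right >= len(value):
            value = ""                       # more cut off than available
        else:
            value = value[rule.cut_left:len(value) - rule.cut_right]
    return rule.target.replace("%s", value) if "%s" in rule.target else value


# The three entries from the page, with constructed attribute values.
PAGE_ENTRIES = [
    ("Physicaldeliveryofficename=>(0)pdon", ["123", "0123"]),
    ("Physicaldeliveryofficename=>>(01,02:ou=ATQADEF)ou=ATQA%s", ["0155", "0755", ""]),
    ("Physicaldeliveryofficename=>>(!i)ou=ATQA%s", ["ab12", "i12"]),
]

if __name__ == "__main__":
    for entry, values in PAGE_ENTRIES:
        rule = parse_entry(entry)
        for v in values:
            print(f"{entry}  value={v!r} -> {evaluate(rule, v)!r}")
```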
Bug Fix:
- SignOn Proxy/LDR mode: a problem with the AttributeBasedOUs was fixed
- SignOn Agent/LDR mode: the configuration of the replication control is now correctly evaluated
- SignOn Proxy: false warnings during the loading of the configuration were removed


Comtarsia LDAP Directory Replicator 2006   
(April 13th, 2007)

Build 4.1.16.x

New Features and/or Functional Changes:

- A logfile rotation mechanism was built in and the maximum logfile size can now be configured.
Parameter Log\maxLogFileSize=DWORD: 26214400
Defines the maximum size per logfile in Bytes
Parameter Log\maxLogFileHistory=DWORD:3
Defines the maximum number of logfiles which are kept.
- Processor information is now written to the logfile at the start of the application, in addition to the operating system version.
- The password of the system user (LDAPAdminPassword) now has to be stored encoded in the Registry. For this purpose the Command Line Utility „SetLDAPAdminPassword.exe“ is available.
- „Job has finished“ is now displayed separately from the „Maximum Runtime“ check.

Bug Fix:
- A performance problem with the writing of the user data base (LDRDB.dat) was fixed.


Comtarsia SignOn Gate 2006   
(March 23rd, 2007)

Build 1.2.14.x

New Features and/or Functional Changes:

- SOA: Password template for users newly created by the LDAP Directory Replicator: REG_SZ:„SYSTEM\pwdTemplate“, Default: „RLU9R9LRR“
- SOA: Active Directory Services replication control for the LDAP Directory Replicator Sync-Requests:
DWORD:“SYSTEM\replicateIfLDR”, Default: 0
If this value is active, an LDR Sync Request triggers an ADS replication.
- SOA: ADS Account Expire
DWORD:“SYSTEM\acctExpPercent“, Default 60
Percentage of the acct_expires time used to check whether the User Expired Field should be set.
- SOP: AttributeBasedEnvironment
„physicalDeliveryOfficeName=>officeName“ or „ \\server1\%physicalDeliveryOfficeName%\%username%= CLCHomeDirPath”

Comtarsia Logon Client 2006   
(February 23rd, 2007)

Build 4.1.16.x

New Features and/or Functional Changes:

- Internal optimizations of the LDAP Library


Comtarsia SignOn Gate 2006   
(February 23rd, 2007)

Build 1.2.13.x

New Features and/or Functional Changes:

- UTF8 support on all platforms
- Internal optimizations of the LDAP Library


Comtarsia Logon Client 2006   
(February 5th, 2007)

Build 4.1.15.x

New Features and/or Functional Changes:

- Forced logoff with local administrator:
With HKLM\SOFTWARE\PCS\GINA\ForceUnlockTime = 0, the forced logoff after a certain time period is turned off, and a forced logoff by a local administrator is possible.

- UTF8 support for LDAP


Comtarsia Web Client 2006  
(November 15th, 2006)

Build 1.2.5.x

New Features and/or Functional Changes:

- The graphics on the login page and on the response page were updated
- When using the WebClient SOAP API, sending an XML declaration is no longer mandatory.


Comtarsia Logon Client 2006  
(July 21st, 2006)

Build 4.1.14.x

New Features and/or Functional Changes:

- A few internal routines of the installation program were changed.



Comtarsia SignOn Gate 2006  
(July 21st, 2006)

Build 1.2.12.x

Bug Fix:

- SignOn Proxy/Agent System Windows: An internal Timer-Bug was fixed.


New Features and/or Functional Changes:

- The functions “DomainServers“ and „SyncAttributes“ were added to the SignOn Gate Configurators.



Comtarsia SignOn Gate 2006  
(June 22nd, 2006)

Build 1.2.11.x

New Features and/or Functional Changes:

- SignOn Agent System Windows: New installation program
- SignOn Agent System Windows: In log output, the error text corresponding to the error number is now shown.
- SignOn Agent System Windows: For the user of the SignOn Agent the options „Add/Remove from group“ are ignored, so that correct automatic administration of this user is ensured.
- SignOn Agent System Windows: The „Homedir drive“ configured locally on the Agent is only used if no drive letter is defined in LDAP or on the Client.
- SignOn Agent System Windows: A bug in the function „Remove from group“, which in some cases led to wrong log output, was fixed.
- SignOn Agent System Windows: New function „DomainServers“

HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\enableDomainServers:DWORD=0/1 (Default 0)

This value activates or deactivates the whole functionality.

HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\SYSTEM\domainServersListType:DWORD=0/1 (Default 0)

Defines the type of the Domain Server list:
0 = „Deny list“: all servers in this list are not allowed, all others are allowed.
1 = „Allow list“: all servers in this list are allowed, all others are prohibited.

HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\SYSTEM\domainServersAutoDiscover:DWORD=0/1 (Default 0)

Defines whether all Domain Members should automatically be accepted into the DomainServer list.

HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\DOMAINSERVERS

Under this Registry Key each Server is defined as REG_SZ. The name of the value contains the Server, the value itself is not used.


Comtarsia Logon Client 2006  
(May 29th, 2006)

Build 4.1.13.x

Bug Fix:

On a “Citrix Anonymous Logon”, the local computer name of the Terminal Server is used as the logon domain instead of the domain name (HKLM\SOFTWARE\PCS\GINA\strLocalDomain). (The Anonxx users are always local.)


New Features and/or Functional Changes:

- An installation of the Logon Client on a Terminal Server is now also possible without setting the server to „Install-Mode“.
- An existing Citrix installation is recognized by the installer and correct GINA cascading with the Citrix GINA is carried out.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CtxGinaDLL"="pcs_gina.dll"
"GinaDLL"="ctxgina.dll"

- With the parameter „REG_SZ:HKLM\SOFTWARE\PCS\GINA\ WTSLdapLogonDomain“ the LDAP Domain Logon String that should be used for an LDAP WTS logon can be defined. In the Remote Desktop Client, in addition to the user name and the password, the string „ldap“ or „LDAP LOGON“ has to be specified as the domain.

- A WTS PassThrough logon is performed when, in addition to the user name and password, the logon domain defined in the Logon Client (REG_SZ: HKLM\SOFTWARE\PCS\GINA\strLocalDomain) is specified as the logon domain on the Remote Desktop Client or on the Citrix Client. In this case no primary LDAP logon is carried out; instead a Windows logon with the forwarded logon credentials is executed. The WTS PassThrough logon is activated via the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\WTSPassThroughMode > 0. (default = 3)

With the switch DWORD:HKLM\SOFTWARE\PCS\GINA\SyncOnWTSPassThroughLogon = 1 (default = 0), a synchronization request can be sent to the SignOn Gate Proxy on a PassThrough logon. For security reasons the SignOn Request is accepted by the ProxyServer only when Counter Check is active. If a domain string other than „LDAP LOGON“ should be used for the LDAP logon or for the counter check on the Proxy, it can be defined via the parameter „REG_SZ: HKLM\SOFTWARE\PCS\GINA\ WTSLdapLogonDomain“.
An exception is the Citrix Anonymous Logon, which the Logon Client recognizes by the user name Anonxx. For a Citrix Anonymous Logon user, a local logon is always executed and no synchronization request is sent to the SignOn Proxy.
A Citrix Anonymous Logon can be activated via the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\WTSPassThroughMode > 1. (default = 3)


Comtarsia Logon Client 2006  
(April 19th, 2006)

Build 4.1.12.4

New Features and/or Functional Changes:
The Logon Client Configurator was extended by the new function “Trust Options“.


Comtarsia SignOn Gate 2006  
(April 19th, 2006)

Build 1.2.10.x

New Features and/or Functional Changes:
The SignOn Gate Configurators were extended by the new functions “Trust Options“ and “Sync Attributes”.


Comtarsia Logon Client 2006  
(April 10th, 2006)

Build 4.1.11.4

New Features and/or Functional Changes:

- Location-Mode: New Environment Variable %VALID_LOCATION%
This variable is always set when a location check takes place. If the current user is allowed for the location, the variable has the value „1“, otherwise the value „0“. If no location check is executed, for example because the user did not execute an LDAP logon, this variable is not set.

- New feature „Trust Options“:
This feature was added to all products of the Comtarsia SignOn Solutions and enables the definition of requirements for a trust relationship between the individual components.

The following options are possible:
• No check (NO_CHECK = 0)
• Trust relationship according to the IP based „Accept List“ (ACCEPT_LIST = 1) [only option until now]
• Trust relationship according to the certificate OIDs (CERT_OIDS = 2)
• Check, if the used certificate matches the hostname (CERT_FQDN = 0x100).

„DWORD:HKLM\SOFTWARE\PCS\GINA\ComtSyncClient\ trustOptionsClient“

This parameter defines which requirements a SignOn Proxy, to which a Logon Client connects, has to meet in order to establish a trust relationship.

Possible values: NO_CHECK and/or CERT_OIDS
Optionally, CERT_FQDN in addition


Comtarsia SignOn Gate 2006  
(April 6th, 2006)

Build 1.2.9.x

Bug Fix:

- SignOn Agent System Windows ADS: A bug was fixed where, for an existing user with an unsynchronised password on the resource system, some user attributes (Principal name, surname, given name) were not synchronised.


New Features and/or Functional Changes:

- SignOn Agent System Windows ADS:
At the start of the domain controller, the agent now tries longer to establish a connection to the Active Directory. The previous value of 30 seconds was extended to 2 minutes.

- SignOn Agent System Windows ADS:
Automatic restore of „Account expire“.
If user accounts which are automatically managed by the agent have an „Account expire“ set and the option „User Account Expire Time“ is not active, the „Account expire“ is automatically restored by the agent.

- SignOn Agent System Windows ADS: New Policy Flags, with which the Active Directory synchronisation operations to be executed can be controlled more precisely.
("HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_Sys_2006\SYSTEM\syncPolicy(DWORD)")
o Bit: Set ADS Principal name = 0x10000
The Principal name is created out of the short name of the user + the name of the Active Directory Domain (e.g.: UID@adsdom1.comtarsia.com)
o Bit: Set given and sur name = 0x20000
These attributes are filled according to the information in the LDAP user object. (givenName and sn)
o Bit: Enable OU Move = 0x40000
If this policy is active, the user is moved to another OU if required. The OU-move functionality can be controlled via the OU Mapping in the agent configurator. The information about which OU the user is a member of is determined on the proxy from the LDAP Directory according to the setting AttributeBasedOU.
o Bit: Enable Sync Attributes = 0x80000
This policy-bit activates the “Sync Attributes” functionality. For details please see below.

- SignOn Proxy Failover Logic
The behaviour of the SignOn Proxy Agent-Failover has been changed.
If an agent does not send an answer within a configured timeout, this agent is no longer classified as „flawed“ as it was previously, so no failover to the second agent is executed either.

- SignOn Proxy / SignOn Agent Log
New registry value “Log\logCertInfo(DWORD)”: If this value is set to “1”, information about the SSL certificates used is written to the log.

- SignOn Agent System Windows ADS: Sync Attributes
With this new function, LDAP attributes of the user object can be mapped to freely definable attributes of the Active Directory user object.
The SyncAttributes are configured in two places:
On the SignOn Proxy, the registry value „LDAP\SyncAttributes(REG_SZ)“ lists all attributes that are read from the LDAP user object and forwarded to the resource systems. Up to twenty attributes can be specified, separated by a comma or a semicolon, e.g. SyncAttributes=“telephoneNumber, physicalDeliveryOfficeName“
Additionally „LDAP\enableSyncAttributes(DWORD)“ has to be set to “1”.

These LDAP attributes can now be mapped to Active Directory attributes on the SignOn agents.
For this, a new registry key „SyncAttributes“ has to be created under „Comtsoa_sys_2006“, in which the mapping is configured via registry strings (REG_SZ).
The name refers to the name of the LDAP attribute, the value stands for the name of the Active Directory attribute, e.g.:
„ou“=„department“
„street“=„streetAddress“
„l“=„l“

- New feature „Trust Options“:
This feature was added to all products of the Comtarsia SignOn Solutions and enables the definition of requirements for a position of trust between the particular components.

The following options are possible:
• No check (NO_CHECK = 0)
• Position of trust according to the IP based „Accept List“ (ACCEPT_LIST = 1) [only option until now]
• Position of trust according to the certificate OIDs (CERT_OIDS = 2)
• Check whether the certificate used matches the hostname (CERT_FQDN = 0x100).

SignOn Agent:
„DWORD:HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\ CORE\trustOptionsServer“

This parameter defines the requirements that a SignOn Proxy connecting to the SignOn Agent has to meet in order to establish a position of trust.
Possible values: ACCEPT_LIST and/or CERT_OIDS
Optionally in addition: CERT_FQDN

SignOn Proxy:
„DWORD:HKLM\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\ Parameter\trustOptionsServer“

This parameter defines the requirements that a SignOn Agent to which the SignOn Proxy connects has to meet in order to establish a position of trust.

Possible values: NO_CHECK and/or CERT_OIDS
Optionally in addition: CERT_FQDN

„DWORD:HKLM\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\ Parameter\trustOptionsClient“

This parameter defines the requirements that a client (Logon Client or Web Client) connecting to a SignOn Proxy has to meet in order to establish a position of trust.

Possible values: NO_CHECK and/or CERT_OIDS
Optionally in addition: CERT_FQDN

Web Client:
„DWORD:HKLM\SOFTWARE\Comtarsia\ComtSyncClientHttp\ trustOptionsClient“

This parameter defines the requirements that a SignOn Proxy to which a Web Client connects has to meet in order to establish a position of trust.

Possible values: NO_CHECK and/or CERT_OIDS
Optionally in addition: CERT_FQDN
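
The trust option values listed above, decoded and checked against the options this note gives for each parameter. This is an added example, not Comtarsia code; combining options with bitwise OR, the short parameter labels and the function names are assumptions.

```python
# Added example (not vendor code): decode and audit "Trust Options" DWORDs.
# Flag values come from the release note above. Assumptions: options are
# combined with bitwise OR; the labels and function names are hypothetical.
ACCEPT_LIST, CERT_OIDS, CERT_FQDN = 0x1, 0x2, 0x100
FLAG_NAMES = {ACCEPT_LIST: "ACCEPT_LIST", CERT_OIDS: "CERT_OIDS",
              CERT_FQDN: "CERT_FQDN"}
KNOWN_BITS = ACCEPT_LIST | CERT_OIDS | CERT_FQDN

# Options the note lists as possible for each parameter (short labels,
# not registry paths).
_PROXY_STYLE = {"NO_CHECK", "CERT_OIDS", "CERT_FQDN"}
ALLOWED = {
    "agent.trustOptionsServer": {"ACCEPT_LIST", "CERT_OIDS", "CERT_FQDN"},
    "proxy.trustOptionsServer": _PROXY_STYLE,
    "proxy.trustOptionsClient": _PROXY_STYLE,
    "webclient.trustOptionsClient": _PROXY_STYLE,
    "logonclient.trustOptionsClient": _PROXY_STYLE,
}


def decode(value):
    """Return (option names, unknown bits) for a trustOptions DWORD."""
    names = [name for bit, name in FLAG_NAMES.items() if value & bit]
    if not value & (ACCEPT_LIST | CERT_OIDS):
        names.insert(0, "NO_CHECK")  # NO_CHECK = 0: no base check selected
    return names, value & ~KNOWN_BITS & 0xFFFFFFFF


def audit(parameter, value):
    """Return findings for one parameter/value pair (empty list = clean)."""
    names, unknown = decode(value)
    findings = []
    if unknown:
        findings.append(f"unknown bits 0x{unknown:X}")
    for name in names:
        if name not in ALLOWED[parameter]:
            findings.append(f"{name} is not listed for {parameter}")
    if "NO_CHECK" in names:
        findings.append("neither ACCEPT_LIST nor CERT_OIDS is required")
    return findings


if __name__ == "__main__":
    # Constructed sample values, e.g. as read from a registry export.
    samples = [("agent.trustOptionsServer", 0x103),
               ("proxy.trustOptionsClient", 0x000),
               ("webclient.trustOptionsClient", 0x001)]
    for parameter, value in samples:
        print(parameter, hex(value), decode(value)[0], audit(parameter, value))
```
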

Comtarsia Logon Client 2006  
(March 4th, 2006)

Build 4.1.10.4

Bug Fix:
- A bug that occurred on password change with MinPWDLen = 0 was fixed.
- The version number of the Logon Client Installer is now set correctly.
- The shortcut names created by the Installer were revised.
- A bug in the Terminal Server mode under Windows 2000 Server was fixed.

New Features and/or Functional Changes:
- Previously the UserLogonScript was executed at both LDAP and local logon; now it is only executed at an LDAP (online) logon. A new script „LocalUserLogonScript“ is executed at a local (offline) logon.
- The Shutdown dialog was revised and now also offers the options Standby and Hibernate.


Comtarsia Logon Client 2006  
(March 1st, 2006)

Build 4.1.9.4

Bug Fix:
- Bugs in the Logon Client Installer were fixed and the output messages were updated.
- In the Smart Card mode, problems with Standby and Hibernate were fixed.

New Features and/or Functional Changes:
- The error messages when unlocking the screen with a Smart Card were updated.
- New Smart Card Mapping mode: With the registry key DWORD:PCS\GINA\LDAP\SCardMappingMode=1 a new mapping mode can be activated, whereby:
1) The UserDNPrefix, which is set in the registry, is used instead of the default prefix on the Smart Card.
2) After the logon through the Logon Client the full user DN is determined by the LDAP Server and is used for inquiries of further information from the LDAP directory.
- The log outputs during the LDAP logon were updated.
- In the LDAP Logon Smart Card mode the SessionPassword, encoded with the user certificate, is stored in the user profile, so that an offline logon with the locally saved profile is possible with the Smart Card.


Comtarsia SignOn Gate 2006  
(February 20th, 2006)

Build 1.2.8.x

New Features and/or Functional Changes:

- SOA System Windows: New parameter HKLM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\ alwaysCheckACL:DWORD=0/1 (Default 1)
If this parameter is set to „0“, the Homedir/Profile Path ACL is only checked when a new user or a new Homedir or Profile Path has been created.
If this parameter is set to „1“, the Homedir/Profile Path ACL is checked at each SyncRequest.

- SOP Windows: The timeout behaviour at the start of the LDAP Verify process was changed, so that it now always waits until the timeout expires.

- The default starting time of the Security Agent/Windows is changed to 01:00.

- SOA System Windows (ADS): The Administrator Token required by the SignOn Agent is now automatically recreated every 24 hours. In the Active Directory standard configuration a Kerberos Ticket can be renewed for max. 7 days. Problems concerning remote access (e.g. setting ACLs or creating user directories) have therefore been fixed.

- Security Agent Windows: The „User Description mode“ is now available in the Active Directory mode when there is more than one Domain Controller and SignOn Agent for one domain. In this mode the logon time of the last successful SignOn request of the SignOn Agent is entered into the user description field (Example: SERV_TMP_USER_2006_02_15_12_16). Through the Active Directory domain replication every Security Agent is then provided with current and complete information. In the database mode the local database is currently not replicated between the SignOn Agents, and consequently the Security Agent is not provided with the logon times that another SignOn Agent has recorded for a certain user. We therefore recommend choosing the „User Description mode” when using an Active Directory.

- SOA System Windows (ADS): A new security switch makes it possible to set the „User Account Expire Time“ of the Active Directory user accounts automatically according to the SignOn Agent TTL settings. Optionally, after a further period of inactivity, the Security Agent can additionally be used for the automatic removal of user accounts.


Comtarsia Logon Client 2006  
(February 13th, 2006)

Build 4.1.8.4

Bug Fix:

- LocationMode: The current user location is now determined in the course of the logon. At the same time a bug was fixed which caused a wrong error message on a PC without a network connection.


New Features and/or Functional Changes:

- New parameter for the Logon Client Installer for unpacking all files without installation. This replaces the previous software distribution ZIP.
Call the installer with the parameter /MODE=UNPACK.
This creates a directory named „CLC_2006-VERSION“, in which all files necessary for a software distribution are contained.


Comtarsia Logon Client 2006  
(February 9th, 2006)

Build 4.1.7.4

Bug Fix:

- A bug in ComtMSSO was fixed, which on certain occasions caused Internet Explorer to become unresponsive.
- A bug concerning the user credentials in ComtMSSO was fixed.
- In case of an error, LDAPSetSessionPassword prevents the user logon.
- Until now UserLogonScript and AdminUserLogon Script inherited the system environment block; from this version on they inherit the user environment block.


New Features and/or Functional Changes:

- In LDAP Logon PWD mode (with HKLM\software\pcs\gina\EnableSessionPassword = 1) the SessionPassword, encoded with the user password, is stored in the user profile, so that an offline logon with the locally stored profile is possible using the LDAP password known to the user.
- New registry key DWORD PCS\GINA\LDAP\LDAPDontSendOldPasswordOnChange=0/1
If this registry key is set to “1”, only the new password is set at a password change.
If this registry key is set to “0” or is not present, the old password and the new password are sent to the LDAP server at a password change.
- New installer
The installation program of the Comtarsia Logon Client has been completely revised. An update of an existing installation is now possible too; the configuration is preserved.


Comtarsia SignOn Gate 2006  
(January 19th, 2006)

Build 1.2.7.x

New Features and/or Functional Changes:

The Comtarsia SignOn agent now supports Proxy Accept lists with up to 100 entries.


Comtarsia Logon Client 2006   
(January 17th, 2006)

Build 4.1.6.4

Bug Fix:

- A bug at the LDAP logon was fixed, which appeared with LDAPSearchForUser=1 in combination with another non-reachable LDAP Server.

- A problem concerning the XP Remote Desktop was fixed.

- Space characters before and after the user name, which may be typed accidentally into the field "user name" in the logon panel, are now cut off and are not carried over to the LDAP logon.

- Citrix Presentation Server Support
Citrix Pass-through Authentication and Citrix Anonymous User Applications are identified and a Windows logon is performed immediately. (The LDAP Logon Dialog appears only if there is no valid Windows logon information available in the Autologon information)

In order to guarantee this functionality, a Gina cascading with the Citrix Gina „ctxgina.dll“ has to be carried out. This is achieved by the following settings:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CtxGinaDLL"="pcs_gina.dll"
"GinaDLL"="ctxgina.dll"


New Features and/or Functional Changes:

- Updated support for LDAP Smart Card Logon in OpenLDAP
- Updated support for LDAP password policy controls according to IETF draft-behera-ldap-password-policy-09.txt
- Citrix Passthrough and Citrix Anonymous Logon with Citrix Metaframe Server was realised.
- New parameter “DWORD:LDAPSetSessionPassword=1”. With it, the session password generated at a Smartcard logon is rewritten, so that a check of the clients by the SignOnProxy is also possible in a mixed mode.


Comtarsia SignOn Gate 2006   
(January 17th, 2006)

Build 1.2.6.x

New Features and/or Functional Changes:

Updated support for LDAP password policy controls according to IETF draft-behera-ldap-password-policy-09.txt


Comtarsia Logon Client 2003   
(January 13th, 2006)

Build 3.1.39.4

Bug Fix:

Space characters in field "user name"

Space characters before and after the user name, which may be typed accidentally into the field "user name" in the logon panel, are now cut off and are not carried over to the LDAP logon.


Comtarsia Logon Client 2006   
(December 5th, 2005)

Build 4.1.5.4

Bug Fix:
A problem concerning screen locks with screen savers was fixed.

New Features and/or Functional Changes:
- Managed Single SignOn
- Wildcard for the „Location“ mode (LocationWildcard)

Space characters in field "user name"

Space characters before and after the user name, which may be typed accidentally into the field "user name" in the logon panel, are now cut off and are not carried over to the LDAP logon.

The password change dialog, which appears automatically during the LDAP logon in the Grace Login Period, cannot be bypassed (Cancel is deactivated).

Extensions of the Smart Card mode
PKI-PWD-Dual Mode SCardEnable 2


Comtarsia SignOn Gate 2006   
(December 5th, 2006)

Build 1.2.5.x

Bug Fix:

SignOn Proxy UNIX (Modul comt_ldap):
- A bug in the log output was fixed.
- The log file is now written under „log“ instead of „/var/log“.
- The log level is evaluated correctly.

SignOn Agent Windows:
- If the ADS was not fully initialised, a SignOn Agent initialisation bug could occur when starting the SignOn Agent Services in ADS mode.

WebClient Windows:
- The version number is read out and transferred to the SignOn Proxy.

New Features and/or Functional Changes:

SignOn Agent Windows:
- The SignOn Agent Policy Options were extended with additional flags.
("HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_Sys_2006\SYSTEM\syncPolicy(DWORD)")
o Bit: Set User Account expire time = 0x80
If this bit is set, the Account Expired field in the user object is set at every user logon. The value is calculated in dependency of the Security Agent parameter "HKLM\SYSTEM\CurrentControlSet\Services\ComtSECA_Sys_2006\CORE\usrInactiveDisable(DWORD)".
o Bit: Set User Last Logon Time = 0x100
If this bit is set, the Description field in the user object is set to last logon time at every user logon. This field is evaluated by the Security Agent in the ADS mode.

Security Agent:

- New mode of the Security Agent in which users replicated via the ADS can be deactivated or deleted.
- Delete User Object Policy
If this policy is activated, the user is deleted after the parameter "usrInactiveDelete" is executed.
- New parameter "HKLM\SYSTEM\CurrentControlSet\Services\ComtSECA_Sys_2006\CORE\secPolicy(DWORD)"
ADS Mode = 0x2
Delete User Object = 0x4


Comtarsia Logon Client 2006   
(November 9th, 2005)

Build 4.1.4.4

Bug Fix:
A bug concerning the ADS Offline logon was fixed.


Comtarsia SignOn Gate 2006   
(November 9th, 2005)

Build 1.2.4.x

Bug Fix:
Bug on generating a user under ADS in the Default OU


Comtarsia Logon Client 2006   
(November 8th, 2005)

Build 4.1.3.4

Bug Fix:
A bug concerning the ADS Offline logon was fixed. (Prefix)


Comtarsia SignOn Gate 2006   
(November 8th, 2005)

Build 1.2.3.x

Bug Fix:
An installer bug was fixed, which prevented the parallel installation with the SignOn Gate 2003.


Comtarsia Logon Client 2006   
(October 31st, 2005)

Build 4.1.2.4

Bug Fix:
Wrong error return value at an LDAP user logon with SSL and IBM Directory Server 5.x if the LDAP Server is not reachable through the network. This prevented an Active Directory “Cached Credentials” logon.

In rare cases there was an „Undefined LDAP Error“ at an LDAP SSL logon while the connection to the LDAP Server was being established.

A shortcut with „2003“ was created in the English Installshield.


Comtarsia SignOn Gate 2006   
(October 31st, 2005)

Build 1.2.2.x

Bug Fix:
On generating the SignOn Agent user the group mapping list and the „Except groups“ list were considered. Therefore the user could not be generated with the correct group memberships.

On the SignOn Proxy the extended IBM DS 5.1 Password Policy was not interpreted correctly at a web client logon.

Bug on checking the licence of the SignOn Agent under Linux.





All product and company names mentioned herein are the trademarks of their respective owners. (c) 2001-2018 Comtarsia IT Services GmbH.