Build History SignOn Solutions 2006
Comtarsia Logon Client 2006
(1st April, 2011)
Build 4.1.78.x
Bug Fix:
• In PKI Proxy Logon Mode with DWORD:HKLM\SOFTWARE\PCS\GINA\ScardSessionPasswordMode = 1, when a new session password period has been reached at the time the workstation is unlocked, the new session password is generated, a SignOn Gate request is triggered and the new session password is assigned to the Windows logon session.
• With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\DisableWkstLockBtnOnPWDLogon = 1, the workstation lock button on the ON_SAS_PANEL is deactivated in PWD Logon Mode.
Comtarsia Logon Client 2006
(26th January, 2011)
Build 4.1.77.x
Bug Fix:
• When installing on Windows 2000 there was an error in the module Comt_ldap.exe.
Comtarsia Logon Client 2006
(25th November, 2010)
Build 4.1.76.x
New Features and/or Functional Changes:
• With the configuration DWORD:HKLM\SOFTWARE\PCS\GINA\Language = „french“ the logon client switches its language to French.
Comtarsia Logon Client 2006
(17th September, 2010)
Build 4.1.73.x
New Features and/or Functional Changes:
With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\SCardAllowNoAction = 1 (default = 0) and ScardRemoveAction = 0 (User Selection), an additional Smart Card remove action (No Action) is enabled.
Smart Card remove behavior in logged on state:
Remove Card: Lock Screen
Remove Card + left Ctrl key: Force Logoff
Remove Card + left Shift key: Shutdown-Power-OFF
Remove Card + left Alt key: No Action
With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\switchLogonMode = 1 (default = 0), an extended logon panel switch mode is enabled in PKI or PKI-PWD mode:
Key combination in logged off state:
F11+Enter -> Microsoft Gina (PKI and PKI-PWD Mode)
The parameter DisableMsGina=1 has no influence on this function.
F12+Enter -> LDAP Password Logon (PKI-PWD Mode)
Comtarsia Logon Client 2006
(23rd August, 2010)
Build 4.1.72.x
New Features and/or Functional Changes:
With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\DisableGroupManagement = 1 (default = 0), the local group management in Domain-Logon-Mode is turned off.
Comtarsia Logon Client 2006
(20th August, 2010)
Build 4.1.71.x
New Features and/or Functional Changes:
Function Proxy-Logon:
With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\EnableProxyLogon = 1 (default = 0), the logon client switches to the Proxy-Logon-Mode. In this mode the logon client performs a proxy authentication instead of a direct LDAP authentication. This function requires Comtarsia SignOn Proxy 2008.
PanelBitmap2:
The parameter DWORD:HKLM\SOFTWARE\PCS\GINA\PanelBitmap2 = “c:\logo2.bmp” defines the alternate panel bitmap for the dialogs in PKI mode. Format: Bitmap 350x120 RGB
DisableStartAnimate:
The parameter DWORD:HKLM\SOFTWARE\PCS\GINA\DisableStartAnimate = 1 (default = 0) disables the dialog animations (insert/remove Smart Card) in PKI mode.
Comtarsia Logon Client 2006
(28th May, 2010)
Build 4.1.69.x
New Features and/or Functional Changes:
With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\AllowMsGinaAutoLogon = 1 and defined Winlogon/MS Gina auto logon credentials (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon), an MS Gina auto logon is performed.
To avoid a reset of the MS Gina auto logon credentials during system boot, this parameter has to be set:
DWORD:HKLM\SOFTWARE\PCS\GINA\DisableClearMSGinaAutoLogonCred = 1;
In terminal server mode on a standalone server (the name of the computer is defined as „Domain Name“), the SignOn Gate installation is no longer required for the local user management for remote sessions.
In this mode the function "Remove User" is also possible for the automatic cleanup of temporarily created user accounts, including the profile directory.
Bug Fix:
In PKI mode (ScardEnable = 1), the auto logon function defined by the parameters HKLM\SOFTWARE\PCS\GINA\AutoLogonUserName, AutoLogonPassword and AutoLogonDomain was not working.
Comtarsia Logon Client 2006
(28th May, 2010)
Build 4.1.68.x
Internal Build
Comtarsia Logon Client 2006
(March, 17th 2010)
Build 4.1.67.x
New Features and/or Functional Changes:
With the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\LDAP\SCardCertAddCertificateContextToStoreFlags=2 the flag can be defined which is used when the user certificate is added to the certificate store. Possible values:
• ADD_NEW(1)
• ADD_USE_EXISTING(2)
• ADD_REPLACE_EXISTING(3)
• ADD_ALWAYS(4)
• ADD_REPLACE_EXISTING_INHERIT_PROPERTIES(5)
• ADD_NEWER(6)
• ADD_NEWER_INHERIT_PROPERTIES(7)
Comtarsia Logon Client 2006
(March, 15th 2010)
Build 4.1.66.x
Bug Fix:
• An error in the „SCardUseUIDasWindowsLogonName“ function was fixed.
Comtarsia Logon Client 2006
(February, 26th 2010)
Build 4.1.65.x
New Features and/or Functional Changes:
• Support for LDAP Referrals for modify operations.
The parameter DWORD:HKLM\SOFTWARE\PCS\GINA\LDAP\LDAPFollowReferrals=0 enables this function.
• With the parameter DWORD: HKLM\SOFTWARE\PCS\ScardTimeBeforeAccess=0
a period of time in milliseconds can be defined for which the Logon Client waits before a newly inserted smart card is accessed.
• Parameter DWORD: HKLM\SOFTWARE\PCS\GINA\ScardPropCertTimeout=20000
This value defines a timeout for the propagation of the Smart Card certificate in milliseconds.
• Parameter DWORD: ScardCheckLockKeyTimeout=60000
This value defines a timeout for the unlocking of the workstation via Smart Card in milliseconds.
• Internal improvements in the field of Smart Card Application.
• Internal optimization for the cooperation with the Comtarsia Smart Card Middleware.
• The registry parameter DWORD:HKLM\SOFTWARE\PCS\GINA\DisableWkstLockBtnOnSCLogon = 1 (default = 1) defines that in PKI mode the button „Lock Workstation” is disabled in the OnSas panel. A workstation lock is then only possible by removing the smart card.
Comtarsia Logon Client 2006
(January, 21st 2010)
Build 4.1.64.x
Bug Fix:
• An internal error in the function in Domain User Mode was fixed.
Comtarsia Logon Client 2006
(January, 14th 2010)
Build 4.1.63.x
Bug Fix:
• An error in the function „LDAPGroupFilter“ was fixed.
Comtarsia Logon Client 2006
(November, 6th 2009)
Build 4.1.60.x
New Features and/or Functional Changes:
• The Smart Card Screen Lock functionality was revised, so that a „Decrypt“ function is no longer required.
• New Smart Card DN mapping mode
DWORD:HKLM\SOFTWARE\PCS\GINA\LDAP\ScardMappingMode=2
REG_SZ: HKLM\SOFTWARE\PCS\GINA\LDAP\ScardMappingMode2UserDNPrefix=““
In this mapping mode a part of the Smart Card DN is used for the user search in LDAP, e.g. „CN=%CN%“: the CN part of the Smart Card DN is taken and then searched for in LDAP.
• DWORD:HKLM\SOFTWARE\PCS\GINA\ScardCryptSilent=1
This parameter controls whether the CSP context is acquired as „silent“.
• DWORD:HKLM\SOFTWARE\PCS\GINA\SCardSecurePINEntryMode=1
This parameter defines how a Smart Card reader with a pinpad is used. The following values are permitted:
0: A pinpad that may be present on the reader is not used.
1: If a reader with a pinpad is available, the pinpad is used; otherwise the PIN entry is performed on the computer keyboard.
2: A reader with a pinpad is to be used for the PIN entry. If none is available, no authentication is permitted.
• Various internal adaptations for optimal cooperation with the Comtarsia Smart Card middleware.
• Extended error notifications in the domain Smart Card Logon
Comtarsia Logon Client 2006
(September, 18th 2009)
Build 4.1.59.x
New Features and/or Functional Changes:
• Upgrade of the function „LogonAllowGroups“:
With the parameter HKLM\SOFTWARE\PCS\GINA\NegateLogonAllowGroups(REG_DWORD) = 1, the comma-separated list in the parameter HKLM\SOFTWARE\PCS\GINA\LogonAllowGroups(REG_SZ) can be negated, i.e. the user must not be a member of any of the LDAP groups from the list for an LDAP login to be possible.
Default = 0
Comtarsia Logon Client 2006
(September, 16th 2009)
Build 4.1.58.x
New Features and/or Functional Changes:
• With the function „LDAPSearchForUser“, the determined DN is furthermore always used for login.
Comtarsia Logon Client 2006
(August, 26th 2009)
Build 4.1.57.x
New Features and/or Functional Changes:
• New parameter DWORD:HKLM\SOFTWARE\PCS\GINA\LDAP\SCardUseUIDasWindowsLogonName=1
It defines whether the CN or the UID is used as logon name.
Comtarsia SignOn Gate 2006
(August, 24th 2009)
Build 4.1.40.x
Bug Fix:
- An error was fixed whereby the tool SetLDAPAdminPassword.exe did not work in the last builds.
- An error in the WebGateway 2008 support was fixed.
Comtarsia SignOn Gate 2006
(August, 24th 2009)
Build 1.2.40.x
New Features and/or Functional Changes:
- Extensions to support of the new Comtarsia WebGateway 2008.
o Reading of the LDAP attribute „ComtWGApplicationName“ from the user object as well as from the user group objects. This attribute is a multi-value directory string in which the Web Gateway sites are entered for which the respective user is authorised. Additionally, these strings are passed on to the „AppChooser“. More details can be found in the WebGateway 2008 manual.
o Extended Smart Card support for the LDAP authentication via system user.
Comtarsia Logon Client 2006
(May, 20th 2009)
Build 4.1.56.x
New Features and/or Functional Changes:
• Fedora Directory Server support.
• New function „SessionPasswordMode“:
HKLM\SOFTWARE\PCS\GINA\
DWORD:SCardSessionPasswordMode
0=deactivated, a new session password is generated at each login.
1=absolute mode, a session password is valid in each case for a certain time period.
DWORD:SCardSessionPasswordValidityUnits
0=hours
1=days
2=weeks (currently not implemented)
3=months
DWORD:SCardSessionPasswordValidity
Validity of the session password in validity units
DWORD:SCardSessionPasswordValidityOffset
Offset in minutes; this value is added to the current time in each case.
Comtarsia Logon Client 2006
(May, 8th 2009)
Build 4.1.55.x
New Features and/or Functional Changes:
• Function „LogonAllowGroups“:
With the parameter HKLM\SOFTWARE\PCS\GINA\LogonAllowGroups(REG_SZ)
a comma-separated list of group names can be defined. The LDAP
user must be a member of at least one of these groups for a logon
to be allowed. If this parameter is empty or not defined (default),
an LDAP logon is possible without checking the LDAP group membership.
Comtarsia SignOn Gate 2006
(April, 21st 2009)
Build 1.2.39.x
New Features and/or Functional Changes:
- For LDAP Directory Replicator sync requests, as well as for those of the Logon Client, the ACL is now also set when the user and/or the Homedir/Profile path is created.
- When a new Homedir/Profile is entered in the Windows user object via the agent, the ACL is also set in mode „alwaysCheckACL=2“.
Comtarsia Logon Client 2006
(XX, XX 2009)
Build 4.1.54.x
New Features and/or Functional Changes:
• Extended support for Novell eDirectory with interpretation
of the password policy
Comtarsia Logon Client 2006
(March, 6th 2009)
Build 4.1.53.x
Bug Fix:
• A bug in the SSO functionality was fixed whereby, for users
logging in for the first time, the SSO process (ComtMSSO.exe)
sometimes terminated by itself after starting.
Comtarsia SignOn Gate 2006
(February, 19th 2009)
Build 1.2.38.x
Bug Fix:
- A bug was fixed, whereby the Windows user-authentication was
not performed with UTF-16 passwords.
Comtarsia SignOn Gate 2006
(January, 7th 2009)
Build 1.2.37.x
New Features and/or Functional Changes:
- UTF-8 support for LDAP passwords:
This functionality can be activated with the parameter DWORD: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP\useUTF8Password=1.
If this parameter is not available, no UTF-8 passwords are used,
for compatibility reasons.
Bug Fix:
- An error in the SSL stack of SOA and SOP was fixed whereby,
for SSL certificates with a subject consisting only of a CN,
an FQDN check always failed even when the host names matched.
Comtarsia Logon Client 2006
(February, 13th 2009)
Build 4.1.52.x
Bug Fix:
• A problem when reading the registry value „EnableLocation“
was fixed.
Comtarsia Logon Client 2006
(December, 15th 2008)
Build 4.1.51.x
New Features and/or Functional Changes:
• UTF-8 support for LDAP passwords:
This functionality can be activated with the parameter DWORD: HKLM\SOFTWARE\PCS\GINA\LDAP\useUTF8Password=1.
If this parameter is not available, no UTF-8 passwords
are used, for compatibility reasons.
Comtarsia Logon Client 2006
(December, 1st 2008)
Build 4.1.50.x
Bug Fix:
• A problem in the evaluation of the OpenLDAP Password Policy was
fixed whereby, on a password change, a possible policy response
from the LDAP server was not displayed correctly to the user.
Comtarsia Logon Client 2006
(November, 18th 2008)
Build 4.1.49.x
New Features and/or Functional Changes:
• SSO: a small support program (TerminateComtMSSO.exe) was
created for the automated installation of the MSSO components via
software distribution. With this program all running instances
of ComtMSSO.exe can be terminated at once.
Recommended installation order of the new version:
1) Copy of the new TerminateComtMSSO.exe into the SSO bin directory
2) Call of TerminateComtMSSO.exe in the SSO bin directory
3) Copy of the new MSSO data
• SSO:
Parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\SSO\RootPath replaces
the previous parameter
HKLM\SOFTWARE\PCS\GINA\MSSORootPath.
If the GINA\SSO key is not available, GINA\MSSORootPath is still
read.
Via the registry parameters
HKLM\SOFTWARE\PCS\GINA\SSO
DWORD:LDAP_PWD_MODE (default:2)
DWORD:LDAP_PKI_MODE (default:2)
DWORD:OFFLINE_MODE (default:2)
DWORD:LOCAL_LOGON_MODE (default:2)
DWORD:WIN_ADS_MODE (default:2)
it can be configured whether and in which mode the SSO module is
started in the particular login category.
Possible values are:
0 = SSO will not be started
1 = SSO will be started deactivated; it can be activated by the user
via the tray icon as required
2 = SSO will be started normally and is active from the beginning
Login modes:
LDAP_PWD_MODE LDAP login with user name and password
LDAP_PKI_MODE LDAP login with Smart Card
OFFLINE_MODE Active Directory Cached Credential login
LOCAL_LOGON_MODE Login of a local user
WIN_ADS_MODE Active Directory login
• The function „Enforce Logout“ now also works
in Smart Card mode.
Bug Fix:
• SSO: only SSO scripts whose names end exactly in
„.dll“ are loaded.
• SSO: an error was fixed whereby the current user name was
not available in SSO during an „Offline“ login.
• An error in the function „LDAPOUSearchListMode=1“ was fixed
whereby, on a timeout during the system user login, the user was
not automatically asked for Offline-Logon.
Comtarsia Logon Client 2006
(November, 4th 2008)
Build 4.1.48.x
New Features and/or Functional Changes:
• SSO: Internal optimizations
Comtarsia Logon Client 2006
(October, 17th 2008)
Build 4.1.47.x
Bug Fix:
• The function „AdminLogon“ did not work when the user with
admin rights was in the LDAP password expire or grace logon period.
As of this build, admin logon is also possible in these periods.
• In the function „Workstation Logon Policy“ it was possible
to change or completely delete the selected item in the ComboBox
„Logon category“ in the Logon Panel. That led to incomplete target
OU paths and to errors on the SignOn Agent on a workstation OU Move Request.
Comtarsia Logon Client 2006
(October, 13th 2008)
Build 4.1.46.x
New Features and/or Functional Changes:
• The module „Managed SSO“ was extended with a tray icon.
The user can now temporarily deactivate the SSO functionality
for certain actions (e.g. login with other credentials).
Comtarsia SignOn Gate 2006
(October, 2nd 2008)
Build 1.2.36.x
New Features and/or Functional Changes:
- SOP: New parameter REG_SZ: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\Parameter\ListenerInterface=””
With this parameter either the IP or the hostname of the network interface
that is used for incoming connections can be specified. The proxy is then
no longer reachable via other interfaces that may exist on the computer.
If this parameter is not defined, empty or „*“, the SignOn
Proxy is bound to all interfaces.
Example: ListenerInterface=”127.0.0.1”: the SignOn Proxy
is now only reachable locally (via 127.0.0.1) and no longer via the
network.
- SOP: New parameter DWORD: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\Parameter\syncClientLogonDC=1
This parameter only has an effect for an Active Directory domain
configured on the proxy. If this parameter is activated, the SignOn
Agent on which the client login will also take place is synchronised
preferentially. The Logon Client (since version 4.1.46.4) transmits
the login server during synchronisation when this function is activated.
This behaviour brings advantages with regard to AD replication.
It is beneficial if a SignOn Agent is installed on all AD domain
controllers. With this build the proxy now supports up to 32 domain
controllers per domain. Additional domain controllers are entered in the
SignOn Proxy configurator as „Secondary Server“, separated by commas.
Comtarsia Logon Client 2006
(September, 29th 2008)
Build 4.1.45.x
Bug Fix:
• In PKI mode with ScardRemoveAction 3 (No Action), the request
to remove the Smart Card was not displayed in the OnSasPanel
on Logoff/Shutdown.
Comtarsia SignOn Gate 2006
(September, 3rd 2008)
Build 1.2.35.x
New Features and/or Functional Changes:
- SOA: A „Retry“ for user administration functions
was implemented, so that in the case of „directory service busy“ the
action is repeated after a short delay.
- SOA: New parameter DWORD: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\adsReplicationMinimumTimeout=0
defines the minimum timeout for ADS replication in seconds. If the remaining
TTL of the user synchronisation is shorter than the defined „adsReplicationMinimumTimeout“,
the wait for replication completion lasts at least
„adsReplicationMinimumTimeout“ seconds.
Bug Fix:
- SOA: a bug in ADS replication was fixed which led to increased
resource consumption on the agent in the case of a replication timeout.
Comtarsia Logon Client 2006
(August, 21st 2008)
Build 4.1.44.x
Bug Fix:
• Bugs in Smart Card Mode with Screen Saver were fixed.
Comtarsia SignOn Gate 2006
(August, 18th 2008)
Build 1.2.34.x
New Features and/or Functional Changes:
- SSL-Functions of Proxy->Agent-Communication as well as active
directory user-administration functions were optimized regarding
memory expenditure.
Comtarsia SignOn Gate 2006
(July, 28th 2008)
Build 1.2.33.x
Bug Fix:
- SOP: a bug in SyncPolicy was fixed.
Comtarsia SignOn Gate 2006
(July, 23rd 2008)
Build 1.2.32.x
New Features and/or Functional Changes:
- SOA: New parameter DWORD: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\logProcessInformation=0
If this parameter is set to „1“, information about the SignOn Agent's
memory requirements is periodically written to the log file.
This function can only be activated in AD mode of the agent. The output
interval is determined by the ADSDiscover interval.
Comtarsia Logon Client 2006
(July, 22nd 2008)
Build 4.1.43.x
Bug Fix:
• An error when reading the LDAP user groups was fixed which,
in certain situations with more than 50 groups and activated SSL encryption,
led to an „Application error“.
• On Smart Card login with a blocked PIN on the card
(too many entries of a wrong PIN; the number of possible failed attempts
is stored on the smart card), a suitable warning is displayed
to the user.
Comtarsia SignOn Gate 2006
(July, 22nd 2008)
Build 1.2.31.x
Bug Fix:
• An “Application Error” when reading the LDAP user groups
was fixed. This error occurred in certain situations with more than
50 groups and activated SSL encryption.
Comtarsia Logon Client 2006
(June, 26th 2008)
Build 4.1.42.x
New Features and/or Functional Changes:
• With the new parameter REGSZ:HKLM\Software\PCS\Gina\RequiredSyncDomain,
one or more domain names (separated by commas) can be defined, of
which at least one domain (independently of SyncStatus) must appear
in the proxy reply list during the synchronization via SignOn Gate
in order for the logon to be performed. The domain name corresponds to
the string that is defined on the SignOn Proxy for an assigned domain/agent
and is displayed in the synchronization status window during login.
If the parameter is empty or not defined, login is performed
independently of the SyncProxy reply list.
With the parameter REGSZ:HKLM\Software\PCS\Gina\RequiredSyncDomainMessage
the pop-up text can be defined which appears if login is not possible
due to a missing domain.
With the parameter DWORD:HKLM\Software\PCS\Gina\DontOfferCachedCredLogon=1,
the possibility of a local cached credential login is prevented
when the LDAP server cannot be reached.
Comtarsia Logon Client 2006
(June 26th, 2008)
Build 4.1.41.x
New Features and/or Functional Changes:
• With the new parameter REGSZ:HKLM\Software\PCS\Gina\RequiredSyncDomain,
one or more domain names can be defined (comma separated), of which at
least one domain must be included in the account synchronization reply
list (independent of the sync status); otherwise the logon is canceled.
The domain name is equivalent to the string defined on the SignOn
Gate Proxy for the domains/agents and is displayed in the synchronization
status window during logon. If this parameter is empty or not defined,
the logon process is continued independently of the account
synchronization reply list. With the parameter REGSZ:HKLM\Software\PCS\Gina\RequiredSyncDomainMessage
the pop-up text can be defined which appears when the logon is
canceled because of missing domains.
With the new parameter DWORD:HKLM\Software\PCS\Gina\DontOfferCachedCredLogon=1,
a local logon attempt with cached credentials is not possible
when the LDAP server is unreachable.
Comtarsia Logon Client 2006
(June 11th, 2008)
Build 4.1.41.x
New Features and/or Functional Changes:
• A bug in the function AdminLogon was fixed. The AdminLogon failed
when the user was in a different OU than the admin user.
Comtarsia Logon Client 2006
(June 5th, 2008)
Build 4.1.40.x
New Features and/or Functional Changes:
• With the new parameter DWORD:HKLM\Software\PCS\Gina\LDAP\SCardCertificateRemoveMode
= 1 (default:0), on each Smart Card insert event all certificates
in the computer’s CertificateStore, matching the certificate filter
defined in the parameter ScardCertificateFindMode, are deleted.
This function ensures that only the certificate on the Smart Card
matches the certificate search filter.
Comtarsia Logon Client 2006
(May 30th, 2008)
Build 4.1.39.x
New Features and/or Functional Changes:
• With the parameter HKLM\Software\PCS\Gina\ScardDefaultContainerName
a CSP default container name can be defined, from which location
the user certificate is loaded. If an empty string should be used
as DefaultContainerName, an underscore „_“ must be set.
• With the parameter, HKLM\Software\PCS\Gina\DontOfferCtrlAltDel=1
in PKI Mode and in logged out state, the notification text about
the possibility to press Ctrl-Alt-Del is disabled.
• To reduce the logon time, the PIN dialog is now displayed while
the Smart Card data is being read.
Bug Fix:
• When a Smart Card without a chip is inserted, an error message is displayed
and the user is not requested to enter the PIN. This behavior
now also applies when unlocking the workstation.
• A security problem with smart card authentication on a locked
workstation was fixed.
Comtarsia SignOn Gate 2006
(May, 13th, 2008)
Build 1.2.30.x
New Features and/or Functional Changes:
• SOA: An automatic reset of the „ADS User Account Lockout“ is done
by the SignOn Agent.
Comtarsia Logon Client 2006
(April 24th, 2008)
Build 4.1.38.x
Bug Fix:
• With the function LDAPOUSearchListMode=1, if the LDAP server was
not reachable, a wrong return value was returned to the Logon Client
and the user therefore did not get the option to perform an offline logon.
• With the function „Offline-logon“ and the activated Windows policy „DisableCAD“,
the Windows logon dialog remained open after a Windows error
message.
Comtarsia SignOn Gate 2006
(March 3rd, 2008)
Build 1.2.29.x
New Features and/or Functional Changes:
- SOA: ExceptGroups are now supporting up to 2047 characters.
- SOA: ExceptGroups now allow wildcards at the end of the string.
e.g.: „testgrp*“
- SOP: The Registry value for the „LDAP Server Type“ „ADS LDAP“
was changed from 9 to 10.
Comtarsia SignOn Gate 2006
(February 29th, 2008)
Build 1.2.28.x
New Features and/or Functional Changes:
- User attributes, which should be synchronized by the SignOn Agent
in the ADS, can now be removed or set to empty. These are attributes
from LDAP or the SignOn Proxy (function AttributeBasdEnvironment).
In former versions of the SignOn Agent it was not possible to set
an attribute value to empty.
- The SignOn Agent “Proxy Accept-list” was extended to hold up to
200 entries.
Comtarsia Logon Client 2006
(February 26th, 2008)
Build 4.1.37.x
New Features and/or Functional Changes:
• Internal changes
Comtarsia Logon Client 2006
(January, 22nd 2008)
Build 4.1.36.x
New Features and/or Functional Changes:
• With the parameter HKLM\Software\PCS\Gina\WaitBeforeAllowLogon
(DWORD) (default:0), the time in seconds can be defined for which the
Logon Client waits, after the workstation has booted and the workstation
service has started, before the logon dialog is released for the
first logon.
• With the parameter HKLM\Software\PCS\Gina\DisableClearMSGinaAutoLogonCred
(DWORD) = 1 (default:0), the Autoadmin credentials are not deleted
during the boot process.
Comtarsia LDAP Directory Replicator 2006
(December, XXth 2007)
Build 1.2.3.x
New Features and/or Functional Changes:
- The Comtarsia LDAP Directory Replicator now has a configurator.
This configurator is based on DotNet Framework 2.0, which is therefore
installed automatically by the installation program.
Comtarsia Logon Client 2006
(November 29th, 2007)
Build 4.1.35.x
New Features and/or Functional Changes:
• The functionality “No Action” was added to the parameter
HKLM\Software\PCS\Gina\SCardRemoveAction(DWORD).
0 = User selected, following actions are available:
Remove Card: Lock Screen
Remove Card + left Ctrl key: Force Logoff
Remove Card + left Shift key: Shutdown-Power-OFF
1 = Lock Screen
2 = Force Logoff
3 = No Action
• With the parameter HKLM\Software\PCS\Gina\DisableShutdown(DWORD)=1
the possibility to perform a shutdown via the Logon Client is prevented.
• With the parameter HKLM\Software\PCS\Gina\IgnoreWinPolicies (DWORD)(default:1)=0
Windows Group Policies can change Logon Client settings.
Currently implemented Windows Group Policies:
Windows GPO -> Logon Client Setting:
- Shutdown: Allow system to be shut down without having to log on -> DisableShutdown
- Remove and prevent access to the Shut Down command -> DisableShutdown
- Interactive logon: Smart card removal behavior -> SCardRemoveAction
Comtarsia Logon Client 2006
(November 23rd, 2007)
Build 4.1.34.x
New Features and/or Functional Changes:
- Support of EffectiveUserPolicy of the IBM/Tivoli Directory Server
6.1.
Comtarsia SignOn Gate 2006
(November 23rd, 2007)
Build 1.2.27.x
New Features and/or Functional Changes:
- Support of EffectiveUserPolicy of the IBM/Tivoli Directory Server
6.1.
Comtarsia Logon Client 2006
(November 19th, 2007)
Build 4.1.33.x
New Features and/or Functional Changes:
• The shutdown button in the OnSASPanel is deactivated via the parameter
HKLM\Software\PCS\Gina\DisableShutdown = 1. Furthermore, shutdown
in Smart Card mode by pulling the Smart Card is no longer possible.
• New DebugLevel „9“. If this DebugLevel is set, an extended
LDAP log is generated.
Comtarsia SignOn Gate 2006
(November 15th, 2007)
Build 1.2.26.x
New Features and/or Functional Changes:
- Support for IBM/ Tivoli Directory Server 6.1
Bug Fix:
- The timeout of the Active Directory replication was adapted so
that a response is still sent to Proxy/Client even in the case of
a timeout.
- Measures were taken in the Security Agent so that database
integrity is still ensured in the case of a power failure.
Comtarsia Logon Client 2006
(November 12th, 2007)
Build 4.1.32.x
New Features and/or Functional Changes:
• Support for IBM/Tivoli Directory Server 6.1.
Bug Fix:
• A bug in Smart Card logon in combination with the OpenLDAP
server was fixed.
Comtarsia Logon Client 2006
(November 8th, 2007)
Build 4.1.31.x
New Features and/or Functional Changes:
• The support for the platform Windows X86_64 (Windows Server 2003
and Windows XP). Build 4.1.x.5 must be installed on these platforms.
Bug Fix:
• An error in the synchronization with SignOn Proxy 2006 was fixed.
Under certain circumstances it caused a segmentation fault on a
communication timeout.
Comtarsia Logon Client 2006
(October 24th, 2007)
Build 4.1.30.x
Bug Fix:
- A bug in the „Screen Lock“ function in connection with Smart
Card logon was fixed.
Comtarsia SignOn Gate 2006
(October 15th, 2007)
Build 1.2.25.x
New Features and/or Functional Changes:
- Customized function expansion
Comtarsia SignOn Gate 2006
(September 27th, 2007)
Build 1.2.24.x
New Features and/or Functional Changes:
- A new „LDAP-AdminLogon“ Mode
DWORD:“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP\LDAPUseAdminLogon”=1
In this mode the SignOn Proxy connects to LDAP as the system user
and collects the user information. For this purpose the credentials of the
system user have to be stored in the local registry with the tool
„SetLDAPAdminPassword.exe“ (see the parameter description of Build 1.2.23.x).
In this mode no user password check is carried out against
LDAP!
- The functionality of the security agent was extended, especially
for multiple Active Directory domain controllers.
- At present, the SignOn Agent in Active Directory waits longer
(5 minutes) for Active Directory at system start.
- For Active Directory users who have no Comtarsia description
(SERV_TMP_USER), an expire time is set if the option „Activate all
User“ is activated.
Bug Fix:
- A problem in data base integrity was fixed, which could block
the agent under certain circumstances.
- A bug in SyncAttributes was fixed, which could prevent implementation
of the user-attributes under certain circumstances.
- A bug in correlation with an empty groupmapping-list was fixed.
- A bug in the SignOn Agent groupmapping-list regarding entries with
more than 32 characters was fixed.
Comtarsia Logon Client 2006
(September 13th, 2007)
Build 4.1.29.x
Bug Fix:
- A local logon in Terminal Server Mode directly on the Server
Console was not possible.
Comtarsia SignOn Gate 2006
(September 10th, 2007)
Build 1.2.23.x
New Features and/or Functional Changes:
- If the OU has already been determined by the client, the Proxy uses it
in the „OUSearchList“ modes instead of searching once more for
the user in all configured OUs.
- A new „OUSearchList“ mode was implemented:
The OUSearchList functionality of Comtarsia Logon Client 2006 and
Comtarsia SignOn Proxy 2006 was extended so that each
user can now be searched for in LDAP. Until now, one bind attempt
took place with each OU.
The old function remains; the new one can be activated via a registry parameter.
The OUSearchList can also be stored in LDAP. This makes simple extensions/changes
possible without configuration changes on the clients.
The Logon Client requires its own service user in LDAP to perform
the new OUSearchList functionality. This user needs the necessary
rights to read the OUSearchList from LDAP, as well as to search
for the logon user in all configured LDAP OUs.
Detailed description of the LDAP user logon with the new
OUSearchList functionality:
1) If the new OUSearchList mode is active [1], the Logon Client/Proxy
connects to LDAP with the credentials of the LDAP service user stored in
the registry [2].
2) If an LDAP object, including attribute, that contains the OUSearchList
is stored in the registry [3], the list is read from it. Otherwise
the OUSearchList is read from the local registry [4].
3) To check whether the user exists in the particular OU, one LDAP query
is performed for each entry in the OUSearchList. The entries of the
OUSearchList are scanned in the configured order. If the user is
found in one OU, the scan is aborted. If the user is found in none
of the configured OUs, the logon is aborted and the user gets
the value configured in [5] as an error notification.
4) The LDAP service user is logged off and the logon user is bound
to LDAP with the user DN determined in 3). At this point the new OUSearchList
functionality ends and the existing Logon Client/Proxy LDAP functionality
continues.
Registry-parameter:
Prefix for mentioned registry-keys valid for SignOn Proxy 2006:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP”
[1] DWORD:LDAPOUSearchListMode
Defines the active OUSearchList-Mode
• „0“ or not existing: The previous OUSearchList-Mode is active
• „1“: OUSearchList-Mode described in this specification is active
[2] SZ:LDAPAdminDN and SZ:LDAPAdminPassword
Defines the LDAP user DN and the password of the service user.
LDAPAdminDN has to be an absolute LDAP DN (e.g. uid=LogonClient,
ou=ServiceUsers, o=Comtarsia); other LDAP settings such as
UserDNPrefix are not used here.
LDAPAdminPassword is stored encrypted in the registry. Comtarsia
provides a program that writes this encrypted value to the registry.
It can be distributed to all computers that require the password.
[3] SZ:LDAPOUSearchListObjectDN and SZ:LDAPOUSearchListAttribute
Defines the LDAP object DN and LDAP attribute in which the OUSearchList
is stored.
LDAPOUSearchListObjectDN has to be an absolute LDAP-DN.
LDAPOUSearchListAttribute is a single-value string attribute; the
individual OUSearchList entries are separated by „;“.
[4] SZ:LDAPOUSearchList
Defines the OUSearchList if it is read from the local registry.
This parameter already exists.
[5] DWORD:LDAPOUSearchListErrorCode
With this registry value it can be configured whether the user, if not
found in LDAP, receives the error notification „The specified user does
not exist“ or „Invalid Username/Password“. For security reasons it is
recommended not to tell the user whether the username
or the password was invalid.
1 = General LDAP error
2 = Invalid username or password (recommended)
6 = User does not exist (default)
Other error codes should not be used, because this can lead to unexpected
server behaviour.
Comtarsia Logon Client 2006
(August 31st, 2007)
Build 4.1.28.x
New Features and/or Functional Changes:
A new „OUSearchList“ mode was implemented:
The OUSearchList functions of Comtarsia Logon Client 2006 and Comtarsia
SignOn Proxy 2006 were extended so that a particular user can be
searched for in LDAP.
This new mode can be activated via a registry parameter.
The OUSearchList can be stored in LDAP, so that extensions/changes
can be made simply, without configuration changes
on the client.
In order to carry out the new OUSearchList function, the Logon Client
requires its own service user in LDAP, with the necessary authorization
to read the OUSearchList from LDAP and to search for the logon
user in all configured LDAP OUs.
Detailed description of the LDAP user logon with the new
OUSearchList function:
1) If the new OUSearchList mode is activated [1], the Logon Client/Proxy
connects to LDAP with the credentials [2] of the LDAP user stored in
the registry.
2) If an LDAP object attribute [3] that contains the OUSearchList is
configured in the registry, it is read out. Otherwise the
OUSearchList is read from the local registry [4].
3) For each entry in the OUSearchList an LDAP query is performed to check
whether the user exists in the respective OU. The entries of the OUSearchList
are processed in the configured order. If the user is found in an OU,
the scan stops. If the user cannot be found in the
configured OUs, the logon is aborted and the value configured in [5]
is shown to the user as an error.
4) The LDAP service user is logged off and the logon user is bound to
LDAP with the user DN determined in 3). At this point the new OUSearchList
function is completed and the existing Logon Client/Proxy LDAP function
continues.
Registry-Parameter:
Prefix that applies for the mentioned Registry-Keys for Logon Client
2006:
“HKEY_LOCAL_MACHINE\SOFTWARE\PCS\GINA\LDAP”
[1] DWORD:LDAPOUSearchListMode
Defines the active OUSearchList-Mode
• „0“ or not existing: The previous OUSearchList-Mode is active
• „1“: OUSearchList-mode described in this specification is active
[2] SZ:LDAPAdminDN and SZ:LDAPAdminPassword
Defines the LDAP user DN and the password of the service user.
LDAPAdminDN has to be an absolute LDAP DN (e.g. uid=LogonClient,
ou=ServiceUsers, o=Comtarsia); other LDAP settings such as
UserDNPrefix are not used here.
LDAPAdminPassword is stored encrypted in the registry. Comtarsia
provides a program that writes this encrypted value to the registry.
It can be distributed to all computers that require the password.
[3] SZ:LDAPOUSearchListObjectDN and SZ:LDAPOUSearchListAttribute
Defines the LDAP object DN and LDAP attribute in which the OUSearchList
is stored.
LDAPOUSearchListObjectDN has to be an absolute LDAP-DN.
LDAPOUSearchListAttribute is a single-value string attribute; the
individual OUSearchList entries are separated by „;“.
[4] SZ:LDAPOUSearchList
Defines the OUSearchList if it is read from the local registry. This
parameter already exists.
[5] DWORD:LDAPOUSearchListErrorCode
With this registry value it can be configured whether the user, if not
found in LDAP, receives the error notification „The specified user does
not exist“ or „Invalid Username/Password“. For security reasons it is
recommended not to tell the user whether the username or the password
was invalid.
1 = General LDAP Error
2 = Invalid username or password (recommended)
6 = User does not exist (default)
Other error codes should not be used, because this can lead to unexpected
server behaviour.
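The new OUSearchList flow described for SignOn Proxy 2006 and for Logon Client 2006, steps 1) to 4), as an added simulation that is not Comtarsia code. It runs against a constructed in-memory directory and shows why error code 2 is the recommended setting: with the default 6 an unknown user and a wrong password are distinguishable. Assumptions: success is code 0, a failed service bind and a wrong password return codes 1 and 2, users are matched as uid=<name>,<OU>, the registry list [4] also uses „;“ as separator, and all sample DNs, the attribute name and the passwords are made up.

```python
"""Simulation of the OUSearchList logon flow (mode 1); example code only."""

# Values the page lists for LDAPOUSearchListErrorCode.
ERR_GENERAL = 1
ERR_INVALID_CREDENTIALS = 2
ERR_NO_SUCH_USER = 6      # documented default
OK = 0                    # assumption: success code, not stated on the page
MAX_ENTRIES = 64          # LDAPOUSearchList supports up to 64 entries


def norm(dn):
    """Lower-cased DN key with whitespace around the commas removed."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server (not an LDAP client)."""

    def __init__(self, entries):
        self.entries = {norm(dn): attrs for dn, attrs in entries.items()}
        self.queries = []  # one record per per-OU lookup, in order

    def bind(self, dn, password):
        entry = self.entries.get(norm(dn))
        return entry is not None and entry.get("userPassword") == password

    def read_attribute(self, dn, attribute):
        return self.entries.get(norm(dn), {}).get(attribute, "")

    def exists(self, dn):
        self.queries.append(dn)
        return norm(dn) in self.entries


def parse_ou_search_list(raw):
    """Split the single-value, ';'-separated list and enforce the entry limit."""
    entries = [e.strip() for e in raw.split(";") if e.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError("OUSearchList has more than %d entries" % MAX_ENTRIES)
    return entries


def logon(cfg, directory, username, password):
    """Return (code, user_dn) following steps 1) to 4) of the description."""
    if cfg.get("LDAPOUSearchListMode", 0) != 1:
        raise ValueError("only LDAPOUSearchListMode = 1 is modelled here")
    not_found = cfg.get("LDAPOUSearchListErrorCode", ERR_NO_SUCH_USER)

    # 1) Bind as the service user [2]; the password is taken as already decrypted.
    if not directory.bind(cfg["LDAPAdminDN"], cfg["LDAPAdminPassword"]):
        return ERR_GENERAL, None  # assumption: reported as general LDAP error

    # 2) Read the list from the LDAP object [3], otherwise from the registry [4].
    if cfg.get("LDAPOUSearchListObjectDN"):
        raw = directory.read_attribute(cfg["LDAPOUSearchListObjectDN"],
                                       cfg["LDAPOUSearchListAttribute"])
    else:
        raw = cfg.get("LDAPOUSearchList", "")

    # Added hardening, not from the page: never build a DN from a name that
    # contains DN metacharacters; answer exactly like "not found".
    if not username or any(c in ',+"\\<>;=#' for c in username):
        return not_found, None

    # 3) One query per OU, in configured order; stop at the first hit.
    user_dn = None
    for ou in parse_ou_search_list(raw):
        candidate = "uid=%s,%s" % (username, ou)
        if directory.exists(candidate):
            user_dn = candidate
            break
    if user_dn is None:
        return not_found, None  # value configured in [5]

    # 4) Service user is done; bind as the logon user with the DN found in 3).
    if not directory.bind(user_dn, password):
        return ERR_INVALID_CREDENTIALS, None
    return OK, user_dn


def sample(error_code=None):
    """Constructed configuration and directory for the demonstration."""
    directory = FakeDirectory({
        "uid=LogonClient, ou=ServiceUsers, o=Comtarsia": {"userPassword": "svc-secret"},
        "cn=LogonConfig, o=Comtarsia": {
            "description": "ou=Vienna,o=Comtarsia;ou=Graz,o=Comtarsia;ou=Linz,o=Comtarsia"},
        "uid=alice,ou=Graz,o=Comtarsia": {"userPassword": "correct horse"},
    })
    cfg = {
        "LDAPOUSearchListMode": 1,
        "LDAPAdminDN": "uid=LogonClient, ou=ServiceUsers, o=Comtarsia",
        "LDAPAdminPassword": "svc-secret",
        "LDAPOUSearchListObjectDN": "cn=LogonConfig, o=Comtarsia",
        "LDAPOUSearchListAttribute": "description",
    }
    if error_code is not None:
        cfg["LDAPOUSearchListErrorCode"] = error_code
    return cfg, directory


if __name__ == "__main__":
    for code in (None, 2):
        cfg, d = sample(code)
        print("ErrorCode", code, "unknown user ->", logon(cfg, d, "mallory", "x")[0],
              "| wrong password ->", logon(cfg, d, "alice", "wrong")[0])
```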
Comtarsia Logon Client 2006
(August 21st, 2007)
Build 4.1.27.x
New Features and/or Functional Changes:
- A new parameter SCardCertificateFindMode was implemented. It
determines which attributes are used to search for the certificate
in the CertificateStore. This only makes sense when the default mapping
yields no match.
Parameter: HKLM\Software\PCS\Gina\LDAP
„SCardCertificateFindMode“ DWORD = 0
0 = IssuerSerialMode (Default): Search for the corresponding issuer
and serial number of the certificate.
1 = SimpleMode: The first certificate found is used, regardless
of whether it matches.
2 = SubjectMode: The first certificate whose subject matches
is used.
Comtarsia SignOn Gate 2006
(August 16th, 2007)
Build 1.2.22.x
New Features and/or Functional Changes:
- A new parameter LDAPGroupsSearchBase was implemented. Via this
parameter a Base-DN for the group search can be specified.
Parameter:
HKLM\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP
„LDAPGroupsSearchBase“ REG_SZ = „“
If the value does not exist or is empty, LDAPBaseDN is used. If
the last character of the value is a „,“, LDAPBaseDN is appended.
Bug Fix:
- SOP Linux: a problem with the Thread-IDs under openSUSE 10.2 was
fixed.
Comtarsia Logon Client 2006
(August 14th, 2007)
Build 4.1.26.x
New Features and/or Functional Changes:
- A new parameter „SCardMappingUseLDAPBaseDN“ was implemented to
define if the BaseDN from the Smart Card or the configured LDAPBaseDN
is used for LDAP searches. This parameter is useful if the Smart
Card DN differs from the LDAP base DN.
Parameter: HKLM\Software\PCS\Gina\LDAP
„SCardMappingUseLDAPBaseDN“ DWORD = 0
0 = SCardBaseDN (Default) The BaseDN of the Smartcard is used.
1 = LDAPBaseDN The configured LDAPBaseDN is used.
Comtarsia Logon Client 2006
(August 9th, 2007)
Build 4.1.25.x
New Features and/or Functional Changes:
- A new parameter „LDAPGroupsSearchBase“ for defining a Base-DN
for the group search was implemented.
Parameter: HKLM\Software\PCS\Gina\LDAP
„LDAPGroupsSearchBase“ REG_SZ = „“
If the value doesn’t exist or is empty, the LDAPBaseDN is used as
base for the group search. If the last character is a „,“, the LDAPBaseDN
is appended.
Bug Fixes:
- A problem with the logon scripts was solved.
Comtarsia SignOn Gate 2006
(July 12th, 2007)
Build 1.2.21.x
New Features and/or Functional Changes:
- SOP: LDAPOUSearchList now supports up to 64 entries.
- SOP: the function LDAPGroupTypes was expanded for „ibm-allGroups“.
If the „ibm-allGroups“ bit is set, user groups are determined on
the basis of the ibm-allGroups attribute of the LDAP user object.
The value „LDAPGroupTypes“ is a bit field.
The parameter HKLM\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\LDAP
„LDAPGroupTypes“:DWORD (Default = 3)
groupOfNames 0x1
groupOfUniqueNames 0x2
posixGroup 0x4
ibm-allGroups 0x8
- SOA: a new parameter „LDRFilter“ was added. The behaviour of the
SignOn Agent on an LDR SyncRequest can be controlled via this parameter.
The value „LDRFilter“ is a bit field. The „Deny ADS Replication“ bit
of LDRFilter replaces the value „ReplicateIfLDR“. SOA no longer loads
the value „ReplicateIfLDR“.
The parameter HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM
„LDRFilter“:DWORD (Default = 1)
Deny ADS Replication 0x1
Deny Set Expire Time 0x2
Deny Set Last Logon Time on create 0x4
Deny Set Last Logon Time on update 0x8
- SOA: „Account Expire Time“ of the ADS user object is now also set
if it is longer than the one configured via „usrInactiveDisable“.
- SOA: the default value of the parameter „acctExpPercent“ was changed
to 100 (expire time has to be set each time) to preserve the initial
behaviour.
- SOA: If „Threshold User Time to Live“ is changed, the SOA service is
now also restarted.
- SOA: A new variable „SOAHomeDirPath“, which can be set on
SOP via AttributeBasedEnvironment, is now supported. When this variable
is set and the word „CLIENT“ is configured as homeDirPath on SOA,
the variable SOAHomeDirPath is used to create the HomeDir and set its ACL,
and CLCHomeDirPath is entered as homeDir in the user object.
If SOAHomeDirPath is not set, CLCHomeDirPath is used, as before,
both to create the HomeDir and to set its ACL.
Comtarsia Logon Client 2006
(July 11th, 2007)
Build 4.1.24.x
New Features and/or Functional Changes:
- The password change dialog of the function “ForcePasswordChange”,
which is being triggered by the LDAP attribute „clcforcepasswordchange“
was changed to support a user exit. With the Registry Parameter
HKLM\Software\PCS\Gina „DenyCancleForcePWDChangeDlg“ DWORD = 1 the
user exit can be disabled.
- The function LDAPGroupTypes was expanded with the value „ibm-allGroups“.
If the „ibm-allGroups“ bit is set, the user groups are read from
the „ibm-allGroups“ attribute of the LDAP user object. The registry
entry „LDAPGroupTypes“ is a bit mask.
Parameter HKLM\Software\PCS\Gina\LDAP
„LDAPGroupTypes“:DWORD (Default = 3)
groupOfNames 1
groupOfUniqueNames 2
posixGroup 4
ibm-allGroups 8
Comtarsia Logon Client 2006
(July 3rd, 2007)
Build 4.1.23.x
New Features and/or Functional Changes:
- The LDAPOUSearchList now supports up to 64 entries.
- In addition to the HWAdmin function, a HWAdminTemp function was
implemented to assign temporary Administrator rights to a user.
Parameter: HKLM\Software\PCS\Gina
„HWAdminTempGroup“:REG_SZ
Defines the name of the LDAP group of which the user has to be a
member to get temporary Administrator rights.
„HWAdminAttribute“:REG_SZ
Specifies an attribute in the LDAP user object which contains the names
of the workstations for which the user is allowed to become HWAdmin.
„HWAdminTempExpireDateAttribute“:REG_SZ
Specifies an LDAP attribute which defines the exact date, in the
format „JJJJMMTThhmmss“ (i.e. YYYYMMDDhhmmss), when the temporary
Administrator rights will expire.
At logon the Logon Client reads these parameters from
the LDAP server and determines, based on the local workstation time,
how long the user gets the temporary Administrator rights.
„HWAdminTempMaxAllowedExpireTimeOffset”:DWORD
Specifies the maximum allowed offset between the local workstation
time and the time defined in the LDAP attribute „HWAdminTempExpireDateAttribute“.
„HWAdminTempForceLogoffNotify1“:DWORD
Specifies how many seconds before the forced logoff
the user is informed by a popup notice. (This notice can be
closed by the user.)
„HWAdminTempForceLogoffNotify2“:DWORD
Specifies how many seconds before the end of the
HWAdmin session a dialog pops up that shows the user
a countdown of the remaining time.
The Logon Client maintains a timestamp to prevent manipulation
by changing the system time.
If the user gets Administrator rights via „HwAdminGroup“, the HWAdminTemp
function is disabled.
The user is logged off even when the screen is locked, which
can cause data loss.
Comtarsia SignOn Gate 2006
(June 28th, 2007)
Build 1.2.20.x
New Features and/or Functional Changes:
- AttributeBasedEnvironment now supports up to 30 entries.
Bug Fix:
- SOP: a bug with LDAP-groups was fixed.
- SOA: The password was overwritten by the Web-Client Sync. This
bug was fixed.
Comtarsia SignOn Gate 2006
(June 11th, 2007)
Build 1.2.19.x
Bug Fix:
- SOP: The LDAP attribute for AttributeBasedEnvironment is now correctly
selected for UID users as well.
- SOP: If in AttributeBasedEnvironment more characters are cut off
than are available, an empty value is provided.
Comtarsia SignOn Gate 2006
(June 6th, 2007)
Build 1.2.18.x
Bug Fix:
- SOP: a bug in AttributeBasedEnvironment in connection with empty
LDAP attributes and cutoff operators was fixed.
Comtarsia Logon Client 2006
(June 4th, 2007)
Build 4.1.22.x
New Features and/or Functional Changes:
- The LDAPOUSearchList now supports up to 30 entries.
Comtarsia SignOn Gate 2006
(June 4th, 2007)
Build 1.2.17.x
New Features and/or Functional Changes:
- The LDAPOUSearchList now supports up to 30 entries.
- Change of AttributeBased*-functions:
For clarity, the filter rules are now applied to
AttributeBasedEnvironment. Only AttributeBasedEnvironment entries
are used for the AttributeBasedOUs/Groups.
- Presently, the syntax of AttributeBasedEnvironment and AttributeBasedOU
is:
Symbolchain%Variable% Symbolchain [%Variable%[ Symbolchain]]
%Variable% is replaced by the value set in AttributeBasedEnvironment.
Comtarsia Logon Client 2006
(May 23rd, 2007)
Build 4.1.21.x
New Features and/or Functional Changes:
- The function „Workstation Logon Policy“ was changed so that, if
the local workstation is not a member of a Sub-OU, the text “Please
select…” is displayed in the domain field. If only one Sub-OU
is contained in the list, it is automatically pre-selected.
Comtarsia Logon Client 2006
(May 16th, 2007)
Build 4.1.20.x
New Features and/or Functional Changes:
- If the Domain Controller is not reachable, the function „Workstation
Logon Policy“ makes a second attempt to retrieve the data
from another DC (if other DCs are available). This makes sure
that a short downtime of a DC does not cause an empty list on the
logon panel.
Comtarsia SignOn Gate 2006
(May 11th, 2007)
Build 1.2.16.x
Bug Fix:
- SOA: a bug with ADS sub-domains was fixed.
Comtarsia Logon Client 2006
(May 7th, 2007)
Build 4.1.19.x
New Features and/or Functional Changes:
- With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ WM_LDAP_OPT_REFERRALS
= 1 (default = 0), automatic following of LDAP referrals for the function
„Workstation Logon Policy“ can be enabled. With Build 4.1.18.x the
following of referrals is always enabled.
Comtarsia Logon Client 2006
(April 25th, 2007)
Build 4.1.18.x
New Features and/or Functional Changes:
With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ " GPUpdate_CMD=
1 the command for the GroupPolicy activation for the function can
be configured freely. Default: „gpupdate.exe“
Example-configuration for Windows 2000:
GPUpdate_CMD = „secedit /refreshpolicy machine_policy /enforce“
PKCS11 Support:
DWORD SCardPKCS11Usage=0
WCHAR SCardPKCS11DLL[1024]=""
DWORD SCardPKCS11ContainerType=3
Comtarsia Logon Client 2006
(April 16th, 2007)
Build 4.1.17.x
New Features and/or Functional Changes:
With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ DisableLocalLogon=1
logon with local user accounts can be prohibited.
The option „Local workstation“ is then no longer available in the selection
in the logon dialog.
With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ NoScriptsByCachedCredLogon=1
(default 0) no scripts are executed on an offline logon (via CachedCredentials)
in the domain logon mode.
With the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ "EnableWkstLogonPolicy"=
1 the function Workstation Logon Policy is turned on. The listbox
for the selection of the logon workstation OU or the local
workstation logon gets the label „logon type“.
Each time the logon panel is built, the Logon Client tries to
read, from the AD domain to which the client is joined, the current
OU in which the workstation account is located. The root OUs are
defined in the parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\ WkstLogonPolicyRootOUGroups(MULTI_SZ).
The sub-OUs or the parallel OUs under the defined root OU
are offered to the user for selection in the logon panel. If the workstation
is already located in a sub-OU, that sub-OU is preselected in the listbox.
If this query is not possible, e.g. because the DC for the domain
is not accessible, the selection offline logon (Cached Credentials)
is to be displayed and selected in the field „logon type“.
All sub-OUs under the „.._Group“ OU should be selectable.
If the computer account is located in the „.._Group“ OU, there
is no preselection. If an OU move is carried out during a logon,
the command „gpupdate.exe“ is executed, so that the policies
assigned to the respective sub-OU are already active
for the logon session. This functionality requires the use of the
Comtarsia SignOn Gate Build 1.2.15.4 or higher with the workstation
OU-Move function turned on.
With the registry parameter REG_SZ:HKLM\SOFTWARE\PCS\GINA\GPUpdate_Mask
(DWORD) the point in time at which the command „gpupdate.exe“ is executed
can be defined. The bits of this mask can be combined arbitrarily.
Execution Time of gpupdate.exe on the Workstation Logon Policy Mode
HKLM\Software\PCS\Gina\GPUpdate_Mask | Executed On | Systemtoken | Usertoken
0x2 | before AD Logon, before all scripts | x |
0x4 | after AD Logon, before all scripts | x |
0x8 | after AD Logon, before all scripts | | x
0x10 | after the User Profile was loaded, after PreLogonScript | x |
0x20 | after the User Profile was loaded, after PreLogonScript | | x
0x40 | after User Desktop Preparation, after all scripts | x |
0x80 | after User Desktop Preparation, after all scripts | | x
0x100 | If this flag is low, gpupdate is only executed if the workstation was moved during the user logon. If this flag is high, gpupdate is executed on each successful logon. | |
Example: REG_SZ:HKLM\SOFTWARE\PCS\GINA\GPUpdate_Mask = 0x102.
gpupdate.exe is executed at each successful logon, before the Active
Directory logon with the system token.
Example: REG_SZ:HKLM\SOFTWARE\PCS\GINA\GPUpdate_Mask = 0x4. gpupdate.exe
is executed at a successful logon, after the Active Directory logon
with the user token, if due to the user selection a workstation
OU Move is executed.
Comtarsia SignOn Gate 2006
(April 13th, 2007)
Build 1.2.15.x
New Features and/or Functional Changes:
- SOP: New filter rules for the „AttributeBasedOU“ and „AttributeBasedEnvironment“
functions in connection with the LDAP Directory Replicator:
Syntax: >>><<<[([[!]a[,[!]b[,...]]][:DEFAULT_VALUE])]
Meaning:
> removes 1 character from the left (can occur repeatedly)
< removes 1 character from the right (can occur repeatedly)
() contains filter rule
(a,b)
If the value begins with “a” or “b”, the cutting operators are active.
Otherwise the value is taken over unchanged.
(!a,!b)
If the value begins neither with “a” nor with “b”, the cutting
operators are active.
(a,b:DEFAULT_VALUE)
If the value is empty, “DEFAULT_VALUE” is used.
Example AttributeBasedEnvironment:
Physicaldeliveryofficename=>(0)pdon
With a value of “123”, it is stored unmodified in pdon.
With a value of “0123”, the first character is removed and therefore
“123” is stored in pdon.
Example AttributeBasedOU:
Physicaldeliveryofficename=>>(01,02:ou=ATQADEF)ou=ATQA%s
If the value begins with “01” or “02”, the first two characters
are cut off and “ou=ATQA%s”, with %s replaced by the resulting
value, is used as the OU.
If the value is not set, “ou=ATQADEF” is used as default.
Physicaldeliveryofficename=>>(!i)ou=ATQA%s
If the value does not begin with “i”, the first two characters are
cut off.
- SOA: New SyncPolicy-Flag
“SYNC_POLICY_ADS_WKST_OU_MOVE= 0x100000”. With this flag the workstation
OU move functionality is activated.
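The filter rules for „AttributeBasedOU“ and „AttributeBasedEnvironment“ above, as an added parser and evaluator that is not Comtarsia code. It reproduces the three documented examples and the over-cut case from Build 1.2.19.x (more characters cut than available gives an empty value). Assumptions: an entry is read as attribute, „=“, cutting operators, optional filter, target; prefix matching is case-sensitive; a rule that mixes plain and negated prefixes needs both conditions to hold; a default replaces the whole OU rather than being inserted for %s.

```python
import re
from typing import NamedTuple, Optional, Tuple

# attribute '=' cutting operators [ '(' filter ')' ] target
ENTRY_RE = re.compile(
    r"^(?P<attr>[^=]+)="            # LDAP attribute name, up to the first '='
    r"(?P<left>>*)(?P<right><*)"    # '>' cuts from the left, '<' from the right
    r"(?:\((?P<filter>[^)]*)\))?"   # optional filter rule in parentheses
    r"(?P<target>.*)$"              # variable name or OU template with %s
)


class Rule(NamedTuple):
    attribute: str
    cut_left: int
    cut_right: int
    require: Tuple[str, ...]   # (a,b): cut only if the value starts with one of these
    exclude: Tuple[str, ...]   # (!a,!b): cut only if it starts with none of these
    default: Optional[str]     # (...:DEFAULT_VALUE), used when the value is empty
    target: str


def parse_entry(entry: str) -> Rule:
    m = ENTRY_RE.match(entry.strip())
    if m is None:
        raise ValueError("not an attribute=rule entry: %r" % entry)
    prefixes, default = m.group("filter") or "", None
    if ":" in prefixes:
        prefixes, default = prefixes.split(":", 1)
    items = [p.strip() for p in prefixes.split(",") if p.strip()]
    return Rule(
        attribute=m.group("attr").strip(),
        cut_left=len(m.group("left")),
        cut_right=len(m.group("right")),
        require=tuple(p for p in items if not p.startswith("!")),
        exclude=tuple(p[1:] for p in items if p.startswith("!")),
        default=default,
        target=m.group("target"),
    )


def filter_value(rule: Rule, value: Optional[str]) -> Tuple[str, bool]:
    """Return (result, used_default) for one LDAP attribute value."""
    value = value or ""
    if value == "":
        # Empty attribute: the default wins, the cutting operators never run.
        return (rule.default, True) if rule.default is not None else ("", False)
    required_ok = not rule.require or value.startswith(rule.require)
    excluded = bool(rule.exclude) and value.startswith(rule.exclude)
    if not required_ok or excluded:
        return value, False                      # taken over unchanged
    value = value[rule.cut_left:]                # over-cut gives ""
    value = value[:max(len(value) - rule.cut_right, 0)]
    return value, False


def resolve_environment(entry: str, value: Optional[str]) -> Tuple[str, str]:
    """AttributeBasedEnvironment: (variable name, value stored in it)."""
    rule = parse_entry(entry)
    return rule.target, filter_value(rule, value)[0]


def resolve_ou(entry: str, value: Optional[str]) -> str:
    """AttributeBasedOU: OU string with %s replaced by the filtered value."""
    rule = parse_entry(entry)
    result, used_default = filter_value(rule, value)
    return result if used_default else rule.target.replace("%s", result)


if __name__ == "__main__":
    env = "Physicaldeliveryofficename=>(0)pdon"
    ou = "Physicaldeliveryofficename=>>(01,02:ou=ATQADEF)ou=ATQA%s"
    neg = "Physicaldeliveryofficename=>>(!i)ou=ATQA%s"
    for v in ("123", "0123"):                    # constructed attribute values
        print(env, repr(v), "->", resolve_environment(env, v))
    for v in ("0155", "0355", ""):
        print(ou, repr(v), "->", resolve_ou(ou, v))
    for v in ("AT77", "i123"):
        print(neg, repr(v), "->", resolve_ou(neg, v))
```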
Bug Fix:
- SignOn Proxy/LDR mode: a problem with the AttributeBasedOUs was
fixed
- SignOn Agent/LDR mode: the configuration of the replication control
is now correctly evaluated
- SignOn Proxy: false warnings during the loading of the configuration
are removed
Comtarsia LDAP Directory Replicator 2006
(April 13th, 2007)
Build 4.1.16.x
New Features and/or Functional Changes:
- A logfile rotation mechanism was built in and the maximum logfile-size
now can be configured.
Parameter Log\maxLogFileSize=DWORD: 26214400
Defines the maximum size per logfile in Bytes
Parameter Log\maxLogFileHistory=DWORD:3
Defines the maximum number of logfiles, which are kept.
- Processor information is now written to the logfile at application
start, in addition to the operating system version.
- The password of the system user (LDAPAdminPassword) now has to
be stored encoded in the Registry. For this purpose the Command Line Utility
„SetLDAPAdminPassword.exe“ is available.
- „Job has finished“ now is displayed separately from the „Maximum
Runtime“-checking.
Bug Fix:
- A performance problem with the writing of the user data base (LDRDB.dat)
was fixed.
Comtarsia SignOn Gate 2006
(March 23rd, 2007)
Build 1.2.14.x
New Features and/or Functional Changes:
- SOA: Password template for users newly created by the LDAP Directory
Replicator: REG_SZ:„SYSTEM\pwdTemplate“, Default: „RLU9R9LRR“
- SOA: Active Directory Services replication control for the LDAP
Directory Replicator Sync-Requests:
DWORD:“SYSTEM\replicateIfLDR”, Default: 0
If this value is active, an LDR Sync Request triggers an ADS replication.
- SOA: ADS Account Expire
DWORD:“SYSTEM\acctExpPercent“, Default 60
Percentage of acct_expires time for the verification if the User
Expired Field should be set.
- SOP: AttributeBasedEnvironment
„physicalDeliveryOfficeName=>officeName“ or „ \\server1\%physicalDeliveryOfficeName%\%username%=
CLCHomeDirPath”
Comtarsia Logon Client 2006
(February 23rd, 2007)
Build 4.1.16.x
New Features and/or Functional Changes:
- Internal optimizations of the LDAP Library
Comtarsia SignOn Gate 2006
(February 23rd, 2007)
Build 1.2.13.x
New Features and/or Functional Changes:
- UTF8 support on all platforms
- Internal optimizations of the LDAP Library
Comtarsia Logon Client 2006
(February 5th, 2007)
Build 4.1.15.x
New Features and/or Functional Changes:
- Forced logoff with local administrator:
With HKLM\SOFTWARE\PCS\GINA\ForceUnlockTime = 0, the forced logoff
is turned off after a certain time period, and a forced logoff with
a local administrator is possible.
- UTF8 support for LDAP
Comtarsia Web Client 2006
(November 15th, 2006)
Build 1.2.5.x
New Features and/or Functional Changes:
- The graphics on the Login and Response pages were updated.
- When using the WebClient SOAP API, sending an XML declaration is no
longer mandatory.
Comtarsia Logon Client 2006
(July 21st, 2006)
Build 4.1.14.x
New Features and/or Functional Changes:
- A few internal routines of the installation program were changed.
Comtarsia SignOn Gate 2006
(July 21st, 2006)
Build 1.2.12.x
Bug Fix:
- SignOn Proxy/Agent System Windows: An internal Timer-Bug was fixed.
New Features and/or Functional Changes:
- The functions “DomainServers“ and „SyncAttributes“ were added
to the SignOn Gate Configurators.
Comtarsia SignOn Gate 2006
(June 22nd, 2006)
Build 1.2.11.x
New Features and/or Functional Changes:
- SignOn Agent System Windows: New installation program
- SignOn Agent System Windows: In log output, the error text
corresponding to the error number is now shown.
- SignOn Agent System Windows: For the user of the SignOn Agent
the options „Add/Remove from group“ are ignored, so that the correct
automatic administration of this user is ensured.
- SignOn Agent System Windows: The „Homedir drive“ configured locally
on the Agent is only used if no drive letter is defined in
LDAP or on the Client.
- SignOn Agent System Windows: In the function „Remove from group“
a bug was fixed which partly led to wrong log output.
- SignOn Agent System Windows: New function „DomainServers“
HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\enableDomainServers:DWORD=0/1
(Default 0)
This activates or deactivates the whole functionality.
HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\SYSTEM\domainServersListType:DWORD=0/1
(Default 0)
Defines the type of the Domain Server list:
0 = „Deny list“: all servers in this list are not allowed,
all others are allowed.
1 = „Allow list“: all servers in this list are allowed,
all others are prohibited.
HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\SYSTEM\domainServersAutoDiscover:DWORD=0/1
(Default 0)
Defines whether all Domain Members are automatically
accepted into the DomainServer list.
HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\DOMAINSERVERS
Under this Registry Key each Server is defined as REG_SZ. The name
of the value contains the Server, the value itself is not used.
Comtarsia Logon Client 2006
(May 29th, 2006)
Build 4.1.13.x
Bug Fix:
For a “Citrix Anonymous Logon” the local computer name of the Terminal
Server is used as the logon domain for the logon, instead of the
domain name (HKLM\SOFTWARE\PCS\GINA\strLocalDomain). (The Anonxx
users are always local.)
New Features and/or Functional Changes:
- An installation of the Logon Client on a Terminal Server is now
also possible without setting the server to „Install-Mode“.
- An already existing Citrix installation is recognized
by the installer and a correct GINA cascading with the Citrix-GINA
is carried out.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CtxGinaDLL"="pcs_gina.dll"
"GinaDLL"="ctxgina.dll"
- With the parameter „REG_SZ:HKLM\SOFTWARE\PCS\GINA\ WTSLdapLogonDomain“
the LDAP domain logon string that should be used for an LDAP WTS
logon can be defined. In the Remote Desktop Client, in addition
to the user name and the password, the string „ldap“ or
„LDAP LOGON“ has to be specified as the domain.
- A WTS PassThrough logon is achieved when, in addition
to the user name and password, the logon domain defined in the Logon
Client (REG_SZ: HKLM\SOFTWARE\PCS\GINA\strLocalDomain) is specified as
the logon domain on the RemoteDesktopClient or on the Citrix Client. In
this case no primary LDAP logon is carried out; instead a Windows logon
with the forwarded logon credentials is executed. The WTS PassThrough
logon is activated via the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\WTSPassThroughMode
> 0. (default = 3)
With the switch DWORD:HKLM\SOFTWARE\PCS\GINA\SyncOnWTSPassThroughLogon
= 1 (default = 0), a synchronization request can be sent to the SignOn
Gate Proxy on a PassThrough logon. For security reasons
the SignOn Request is accepted by the ProxyServer only when Counter
Check is active. If a domain string other than „LDAP LOGON“ should
be used for the LDAP logon or the counter check on the
Proxy, it can be defined via the parameter „REG_SZ: HKLM\SOFTWARE\PCS\GINA\
WTSLdapLogonDomain“.
An exception is the Citrix Anonymous Logon, which the Logon Client
recognizes by the user name Anonxx. For a Citrix Anonymous
Logon user a local logon is always executed and no synchronization
request is sent to the SignOn Proxy.
A Citrix Anonymous Logon can be activated via the parameter DWORD:HKLM\SOFTWARE\PCS\GINA\WTSPassThroughMode
> 1. (default = 3)
Comtarsia Logon Client 2006
(April 19th, 2006)
Build 4.1.12.4
New Features and/or Functional Changes:
The Logon Client Configurator was extended by the new function “Trust
Options“.
Comtarsia SignOn Gate 2006
(April 19th, 2006)
Build 1.2.10.x
New Features and/or Functional Changes:
The SignOn Gate Configurators were extended by the new functions
“Trust Options“ and “Sync Attributes”.
Comtarsia Logon Client 2006
(April 10th, 2006)
Build 4.1.11.4
New Features and/or Functional Changes:
- Location-Mode: New Environment Variable %VALID_LOCATION%
This variable is always set when a location check takes place.
If the current user is allowed for the location, the variable
has the value „1“, otherwise the value „0“. If no location check
is executed, for example because the user did not perform an LDAP
logon, this variable is not set.
- New feature „Trust Options“:
This feature was added to all products of the Comtarsia SignOn Solutions
and enables the definition of requirements for a trust relationship
between the individual components.
The following options are possible:
• No check (NO_CHECK = 0)
• Trust according to the IP-based „Accept List“ (ACCEPT_LIST
= 1) [only option until now]
• Trust according to the certificate OIDs (CERT_OIDS
= 2)
• Check whether the certificate used matches the hostname (CERT_FQDN
= 0x100).
„DWORD:HKLM\SOFTWARE\PCS\GINA\ComtSyncClient\ trustOptionsClient“
This parameter defines which requirements a SignOn Proxy to which
a Logon Client connects has to meet in order to establish a trust
relationship.
Possible values: NO_CHECK and/or CERT_OIDS
Additionally optional: CERT_FQDN
Comtarsia SignOn Gate 2006
(April 6th, 2006)
Build 1.2.9.x
Bug Fix:
- SignOn Agent System Windows ADS: A bug was fixed whereby, for
an existing user with a non-synchronous password on the resource
system, a few user attributes (Principal name, surname, given name)
were not synchronised.
New Features and/or Functional Changes:
- SignOn Agent System Windows ADS:
At the start of the domain controller, the agent now tries longer
to establish a connection to the Active Directory. The previous
value of 30 seconds was extended to 2 minutes.
- SignOn Agent System Windows ADS:
An Automatic Restore of „Account expire“.
If user accounts which are automatically managed through the agent,
have set an „Account expire“ and if the option „User Account Expire
Time“ is not active, then the „Account expire“ is automatically
restored through the agent.
- SignOn Agent System Windows ADS: New Policy Flags, with which
the Active Directory synchronisation operations to be executed can be
controlled more precisely.
("HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_Sys_2006\SYSTEM\syncPolicy(DWORD)")
o Bit: Set ADS Principal name = 0x10000
The Principal name is created out of the short name of the user
+ the name of the Active Directory Domain (e.g.: UID@adsdom1.comtarsia.com)
o Bit: Set given and sur name = 0x20000
These attributes are filled according to the information in the
LDAP user object (givenName and sn).
o Bit: Enable OU Move = 0x40000
If this policy is active, the user is moved to another OU if required.
The OU-move functionality can be controlled via the OU Mapping in
the agent configurator. The information, which OU the user is member
of, is determined on the proxy out of the LDAP Directory according
to the setting AttributeBasedOU.
o Bit: Enable Sync Attributes = 0x80000
This policy-bit activates the “Sync Attributes” functionality. For
details please see below
- SignOn Proxy Failover Logic
The behaviour of the SignOn Proxy Agent failover has been changed.
If an agent does not send an answer within a configured timeout,
this agent is no longer classified as „flawed“ as it was previously,
so no failover to the second agent is executed either.
- SignOn Proxy / SignOn Agent Log
New registry value “Log\logCertInfo(DWORD)”: If this value is set
to “1”, information about the SSL certificates used is written
to the log.
- SignOn Agent System Windows ADS: Sync Attributes
With this new function, LDAP attributes of the user object can be
mapped to freely definable attributes of the Active Directory user
object.
The SyncAttributes are configured in two places:
On the SignOn Proxy, the registry value „LDAP\SyncAttributes(REG_SZ)“
lists all attributes that are read from the LDAP user object
and forwarded to the resource systems. Up to twenty attributes
can be specified, separated by a comma or a semicolon,
e.g. SyncAttributes=“telephoneNumber, physicalDeliveryOfficeName“
Additionally, „LDAP\enableSyncAttributes(DWORD)“ has to be set to
“1”.
These LDAP attributes can then be mapped to Active Directory
attributes on the SignOn Agents.
For this, a new registry key „SyncAttributes“ has to be created
under „Comtsoa_sys_2006“, in which the mapping is configured via
registry strings (REG_SZ).
The name is the name of the LDAP attribute, the value is
the name of the Active Directory attribute, e.g.:
„ou“=„department“
„street“=„streetAddress“
„l“=„l“
- New feature „Trust Options“:
This feature was added to all products of the Comtarsia SignOn Solutions
and makes it possible to define the requirements for a trust relationship
between the individual components.
The following options are possible:
• No check (NO_CHECK = 0)
• Trust relationship according to the IP-based „Accept List“ (ACCEPT_LIST = 1) [the only option until now]
• Trust relationship according to the certificate OIDs (CERT_OIDS = 2)
• Check whether the certificate used matches the hostname (CERT_FQDN = 0x100).
SignOn Agent:
„DWORD:HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_SYS_2006\CORE\trustOptionsServer“
This parameter defines which requirements a SignOn Proxy that
connects to the SignOn Agent has to meet in order to establish
a trust relationship.
Possible values: ACCEPT_LIST and/or CERT_OIDS
Additionally optional CERT_FQDN
SignOn Proxy:
„DWORD:HKLM\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\Parameter\trustOptionsServer“
This parameter defines which requirements a SignOn Agent to which
the SignOn Proxy connects has to meet in order to establish
a trust relationship.
Possible values: NO_CHECK and/or CERT_OIDS
Additionally optional CERT_FQDN
„DWORD:HKLM\SYSTEM\CurrentControlSet\Services\ComtSOP_2006\Parameter\trustOptionsClient“
This parameter defines which requirements a client that connects
to a SignOn Proxy (Logon Client or Web Client) has to meet in order
to establish a trust relationship.
Possible values: NO_CHECK and/or CERT_OIDS
Additionally optional CERT_FQDN
Web Client:
„DWORD:HKLM\SOFTWARE\Comtarsia\ComtSyncClientHttp\trustOptionsClient“
This parameter defines which requirements a SignOn Proxy to which
a Web Client connects has to meet in order to establish
a trust relationship.
Possible values: NO_CHECK and/or CERT_OIDS
Additionally optional CERT_FQDN
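The following PowerShell audit is an added example, not Comtarsia code: it reads the four Trust Options values named above and decodes them, assuming the flags combine as a bitmask (the "and/or" wording suggests this, the release note does not state it). The function name, the finding texts and the report layout are hypothetical.

```powershell
# Added example (not Comtarsia code): audit the "Trust Options" registry values.
# Flag values come from the release note; treating them as a bitmask is an assumption.
$TrustFlags = [ordered]@{ ACCEPT_LIST = 0x1; CERT_OIDS = 0x2; CERT_FQDN = 0x100 }

# Registry locations named in the release note, in PowerShell provider syntax.
$Svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Targets = @(
    @{ Role = 'SignOn Agent'; Path = "$Svc\ComtSOA_SYS_2006\CORE";  Name = 'trustOptionsServer' }
    @{ Role = 'SignOn Proxy'; Path = "$Svc\ComtSOP_2006\Parameter"; Name = 'trustOptionsServer' }
    @{ Role = 'SignOn Proxy'; Path = "$Svc\ComtSOP_2006\Parameter"; Name = 'trustOptionsClient' }
    @{ Role = 'Web Client'; Path = 'HKLM:\SOFTWARE\Comtarsia\ComtSyncClientHttp'; Name = 'trustOptionsClient' }
)

function ConvertTo-TrustOptionName {
    param([Parameter(Mandatory)][long]$Value)
    if ($Value -eq 0) { return 'NO_CHECK' }
    $names = @()
    $known = [long]0
    foreach ($flag in $TrustFlags.GetEnumerator()) {
        $known = $known -bor $flag.Value
        if ($Value -band $flag.Value) { $names += $flag.Key }
    }
    # Report bits the release note does not define instead of silently dropping them.
    $unknown = $Value -band (-bnot $known)
    if ($unknown -ne 0) { $names += ('UNDOCUMENTED_0x{0:X}' -f $unknown) }
    return $names
}

$report = foreach ($t in $Targets) {
    $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{ Role = $t.Role; Value = $t.Name; Raw = '-'; Options = 'not set'; Findings = 'value absent' }
        continue
    }
    # Mask to 32 bits so a DWORD returned as a negative Int32 decodes correctly.
    $raw = [long]$item.($t.Name) -band 4294967295
    $names = @(ConvertTo-TrustOptionName -Value $raw)
    $findings = @()
    if ($names -contains 'NO_CHECK') { $findings += 'peer is not checked at all' }
    if ($names -notcontains 'CERT_FQDN') { $findings += 'certificate is not matched against the hostname' }
    if ($names -contains 'ACCEPT_LIST' -and $names -notcontains 'CERT_OIDS') { $findings += 'trust rests on source IP only' }
    [pscustomobject]@{
        Role = $t.Role; Value = $t.Name; Raw = ('0x{0:X}' -f $raw)
        Options = $names -join ' | '; Findings = $findings -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap
```

Run it on each host that carries one of the components; a row with an empty Findings column means certificate OIDs and hostname matching are both enforced for that direction.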
Comtarsia Logon Client 2006
(March 4th, 2006)
Build 4.1.10.4
Bug Fix:
- A bug that occurred at a password change with MinPWDLen = 0 was fixed.
- The version number of the Logon Client Installers is now set correctly.
- The shortcut names created by the Installer were revised.
- A bug in the Terminal Server mode under Windows 2000 Server was
fixed.
New Features and/or Functional Changes:
- Previously the UserLogonScript was executed at both LDAP and local
logon; now it is only executed at an LDAP (online) logon. A new
script „LocalUserLogonScript“ is executed at a local (offline)
logon.
- The Shutdown dialog was revised and now also offers the options
Standby and Hibernate.
Comtarsia Logon Client 2006
(March 1st, 2006)
Build 4.1.9.4
Bug Fix:
- Bugs in the Logon Client Installer were fixed and the output
messages were updated.
- In the Smart Card mode, problems with Standby and Hibernate
were fixed.
New Features and/or Functional Changes:
- The error messages when unlocking the screen with a Smart Card
were updated.
- New Smart Card Mapping mode: With the registry key DWORD:PCS\GINA\LDAP\SCardMappingMode=1
a new mapping mode can be activated, in which:
1) The UserDNPrefix set in the registry is used instead
of the default prefix on the Smart Card.
2) After the logon through the Logon Client, the full user DN is
determined by the LDAP Server and is used to query further
information from the LDAP directory.
- The log outputs during the LDAP logon were updated.
- In the LDAP Logon Smart Card mode, the SessionPassword, encoded
with the user certificate, is stored in the user profile, so that
an offline logon with the locally saved profile and the Smart Card
is possible.
Comtarsia SignOn Gate 2006
(February 20th, 2006)
Build 1.2.8.x
New Features and/or Functional Changes:
- SOA System Windows: New parameter HKLM\CurrentControlSet\Services\ComtSOA_SYS_2006\SYSTEM\alwaysCheckACL:DWORD=0/1 (Default 1)
If this parameter is set to „0“, the Homedir/Profile Path ACL is
checked only when a new user or a new Homedir or Profile
Path was created.
If this parameter is set to „1“, the Homedir/Profile Path ACL is
checked at each SyncRequest.
- SOP Windows: The timeout behaviour at the start of the LDAP Verify
process was changed, so that it now always waits for the timeout
to expire.
- The default starting time of the Security Agent/Windows was changed
to 01:00.
- SOA System Windows (ADS): The Administrator Token required
by the SignOn Agent is now re-created automatically every
24 hours. In the Active Directory standard configuration a Kerberos
Ticket can be renewed for a maximum of 7 days. Problems concerning remote
access (e.g. setting ACLs or creating user directories) have therefore
been fixed.
- Security Agent Windows: The „User Description mode“ is now available
in the Active Directory mode when there is more than one Domain Controller
and SignOn Agent for one domain. In this mode the logon time of
the last successful SignOn request of the SignOn Agent is entered
into the user description field (Example: SERV_TMP_USER_2006_02_15_12_16).
Through the Active Directory domain replication every Security Agent
is then provided with current and complete information. In the database
mode the local database is currently not replicated between the
SignOn Agents, and consequently the Security Agent is not provided
with the logon times that another SignOn Agent has recorded for a
certain user. When using an Active Directory, we therefore recommend
choosing the „User Description mode”.
- SOA System Windows (ADS): A new security switch makes it possible to set
the „User Account Expire Time“ of the Active Directory user accounts
automatically according to the SignOn Agent TTL settings. Optionally,
after a further period of inactivity, the Security Agent can additionally
be used for the automatic removal of user accounts.
Comtarsia Logon Client 2006
(February 13th, 2006)
Build 4.1.8.4
Bug Fix:
- LocationMode: The current user location is now determined
in the course of the logon; at the same time a bug was fixed that
caused a wrong error message on a PC without a network connection.
New Features and/or Functional Changes:
- New parameter for the Logon Client Installer for unpacking all
files without installation. This replaces the previous software
distribution ZIP.
Call the installer with the parameter /MODE=UNPACK.
This creates a directory named „CLC_2006-VERSION“, in which all
files necessary for a software distribution are contained.
Comtarsia Logon Client 2006
(February 9th, 2006)
Build 4.1.7.4
Bug Fix:
- A bug in ComtMSSO was fixed, which on certain occasions caused
Internet Explorer to stop responding.
- A bug concerning the user credentials in ComtMSSO was fixed.
- LDAPSetSessionPassword prevents the user logon in case of an
error.
- Until now UserLogonScript and AdminUserLogon Script inherited
the System environment block; from this version on they inherit the
User environment block.
New Features and/or Functional Changes:
- In LDAP Logon PWD mode (with HKLM\software\pcs\gina\EnableSessionPassword
= 1) the SessionPassword, encoded with the user password, is stored
in the user profile, so that an offline logon with the locally stored
profile and the LDAP password known to the user is possible.
- New registry key DWORD PCS\GINA\LDAP\LDAPDontSendOldPasswordOnChange=0/1
If this registry key is set to “1”, then only the new password is
ever set at a password change.
If this registry key is set to “0” or is not available, then
the old password and the new password are sent to the LDAP server
at a password change.
- New installer
The installation program of the Comtarsia Logon Client was completely
revised. An update of an existing installation is now possible too;
the configuration is preserved.
Comtarsia SignOn Gate 2006
(January 19th, 2006)
Build 1.2.7.x
New Features and/or Functional Changes:
The Comtarsia SignOn agent now supports Proxy Accept lists with
up to 100 entries.
Comtarsia Logon Client 2006
(January 17th, 2006)
Build 4.1.6.4
Bug Fix:
- A bug at the LDAP logon was fixed, which appeared with LDAPSearchForUser=1
in combination with another unreachable LDAP Server.
- A problem concerning the XP Remote Desktop was fixed.
- If space characters are accidentally typed before or after the user
name in the "user name" field of the logon panel, they are trimmed
and are not passed on to the LDAP logon.
- Citrix Presentation Server Support
Citrix Pass-through Authentication and Citrix Anonymous User Applications
are identified and a Windows logon is performed immediately. (The
LDAP Logon Dialog appears only if there is no valid Windows logon
information available in the Autologon information.)
To guarantee this functionality, a Gina chaining with
the Citrix Gina „ctxgina.dll“ has to be set up. This is achieved
by the following settings:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CtxGinaDLL"="pcs_gina.dll"
"GinaDLL"="ctxgina.dll"
New Features and/or Functional Changes:
- Updated support for LDAP Smart Card Logon in OpenLDAP
- Updated support for LDAP password policy controls according to
IETF draft-behera-ldap-password-policy-09.txt
- Citrix Passthrough and Citrix Anonymous Logon with Citrix Metaframe
Server was implemented.
- New parameter “DWORD:LDAPSetSessionPassword=1”. With this setting, the
session password generated at a Smartcard logon is rewritten, so that a
check of the clients by the SignOnProxy is also possible in a mixed
mode.
Comtarsia SignOn Gate 2006
(January 17th, 2006)
Build 1.2.6.x
New Features and/or Functional Changes:
Updated support for LDAP password policy controls according to IETF
draft-behera-ldap-password-policy-09.txt
Comtarsia Logon Client 2003
(January 13th, 2006)
Build 3.1.39.4
Bug Fix:
Space characters in field "user name"
If space characters are accidentally typed before or after the user
name in the "user name" field of the logon panel, they are trimmed
and are not passed on to the LDAP logon.
Comtarsia Logon Client 2006
(December 5th, 2005)
Build 4.1.5.4
Bug Fix:
A problem concerning screen locks with screen savers was fixed.
New Features and/or Functional Changes:
- Managed Single SignOn
- Wildcard for the „Location“ mode (LocationWildcard)
Space characters in field "user name"
If space characters are accidentally typed before or after the user
name in the "user name" field of the logon panel, they are trimmed
and are not passed on to the LDAP logon.
The password change dialog, which appears automatically during the
LDAP logon in the Grace Login Period, cannot be bypassed (Cancel
is deactivated).
Extensions of the Smart Card mode
PKI-PWD-Dual Mode SCardEnable 2
Comtarsia SignOn Gate 2006
(December 5th, 2006)
Build 1.2.5.x
Bug Fix:
SignOn Proxy UNIX (Module comt_ldap):
- A bug in the log output was fixed.
- The log file is now written under „log“ instead of „/var/log“.
- The log level is evaluated correctly.
SignOn Agent Windows:
- If the ADS was not fully initialised, a SignOn Agent initialisation
error could occur when starting the SignOn Agent Services in
ADS mode.
WebClient Windows:
- The version number is read out and transferred to the SignOn Proxy.
New Features and/or Functional Changes:
SignOn Agent Windows:
- The SignOn Agent Policy Options were extended by further flags
("HKLM\SYSTEM\CurrentControlSet\Services\ComtSOA_Sys_2006\SYSTEM\syncPolicy(DWORD)"):
o Bit: Set User Account expire time = 0x80
If this bit is set, the Account Expired field in the user object
is set at every user logon. The value is calculated depending on
the Security Agent parameter "HKLM\SYSTEM\CurrentControlSet\Services\ComtSECA_Sys_2006\CORE\usrInactiveDisable(DWORD)".
o Bit: Set User Last Logon Time = 0x100
If this bit is set, the Description field in the user object is
set to the last logon time at every user logon. This field is evaluated
by the Security Agent in the ADS mode.
Security Agent:
- New mode of the Security Agent in which users replicated via the ADS
can be deactivated or deleted.
- Delete User Object Policy
If this policy is activated, the user is deleted after
the parameter "usrInactiveDelete" is executed.
- New parameter "HKLM\SYSTEM\CurrentControlSet\Services\ComtSECA_Sys_2006\CORE\secPolicy(DWORD)"
ADS mode = 0x2
Delete User Object = 0x4
Comtarsia Logon Client 2006
(November 9th, 2005)
Build 4.1.4.4
Bug Fix:
A bug concerning the ADS Offline logon was fixed.
Comtarsia SignOn Gate 2006
(November 9th, 2005)
Build 1.2.4.x
Bug Fix:
Bug on generating a user under ADS in the Default OU
Comtarsia Logon Client 2006
(November 8th, 2005)
Build 4.1.3.4
Bug Fix:
A bug concerning the ADS Offline logon was fixed. (Prefix)
Comtarsia SignOn Gate 2006
(November 8th, 2005)
Build 1.2.3.x
Bug Fix:
An installer bug was fixed, which prevented the parallel installation
with the SignOn Gate 2003.
Comtarsia Logon Client 2006
(October 31st, 2005)
Build 4.1.2.4
Bug Fix:
Wrong error return value at an LDAP user logon with SSL and IBM Directory
Server 5.x, if the LDAP Server is not reachable through the network.
This prevented an Active Directory “Cached Credentials” logon.
In rare cases there was an „Undefined LDAP Error“ at an LDAP SSL logon
during the connection setup to the LDAP Server.
A shortcut with „2003“ was created in the English Installshield.
Comtarsia SignOn Gate 2006
(October 31st, 2005)
Build 1.2.2.x
Bug Fix:
On generating the SignOn Agent user the group mapping list and the
„Except groups“ list were considered. Therefore the user could not
be generated with the correct group memberships.
On the SignOn Proxy the extended IBM DS 5.1 Password Policy was
not interpreted correctly at a web client logon.
Bug on checking the licence of the SignOn Agent under Linux.