PortalGuard v3 Change Log

PortalGuard Version 3.x

2014-03-27 - v3.5.3.3

1. More flexible SQL authentication:
2. Hash encoding: base64 (default), hex UPPER, hex lower
3. Prepend (default) or append salt
4. Use chars instead of bits
5. Salt encoding

2014-03-07 - v3.5.3.2

1. New options for self-service utilization of mandatory answers.

2014-03-05 - v3.5.3.2

1. Now showing remembered sessions in Acct Mgmt if KBA is used

2014-03-04 - v3.5.3.2

1. Allowing batch import to set mandatory answers alone (which will clear optional challenge answers if they are not submitted)

2014-02-24 - v3.5.3.1

1. Changed default type-ahead filter for global HD for OpenLDAP (via "Oracle/Sun" LDAP type) to NOT use the "(!objectclass=computer)" clause.

2014-02-18 - v3.5.3.1

1. Add configurable PG_SIP "wait" param in milliseconds ("-w XXXX" on command line)
2. Support for pre-hashing OpenLDAP password changes (SunONE type only)

2014-02-16 - v3.5.3.0

1. Scheduled email expiration reminders for SQL-based PG profiles

2014-02-13 - v3.5.3.0

1. Configurable YubiKey OTP validation server URL

2014-02-10 - v3.5.3.0

1. Support for validating multiple phone formats in _PG_Countries.xml (NOTE: ALL formats are currently returned as a single XML value)
2. Scheduled email expiration reminders for file-based PG profiles only

2014-02-05 - v3.5.3.0

1. Changes to CPSLog class so TTTEnrollment.exe will NOT use CPSGlobalConfig but will still use CPSFileAccessor.
2. Fixes to allow SSPR with Mandatory only vs. Optional only settings

2014-01-28 - v3.5.3.0

1. "Remember browser" for KBA
2. Require multiple challenge answers for KBA

2014-01-17 - v3.5.3.0

1. Fix for allowing email changes from Acct Mgmt page (regression from v3.5.2.8)

2014-01-14 - v3.5.3.0

1. for email confirmation

2014-01-14 - v3.5.3.0

1. Support for sending account lockout notifications to user & extra accounts

2014-01-09 - v3.5.3.0

1. Support for sending SSPM notifications to extra accounts

2014-01-09 - v3.5.2.11

1. Support for 2FA via TMG's "RADIUS OTP" auth method that only performs a single RADIUS request. We're ensuring the pw field that comes over contains the pw & OTP delimited by "||||||" currently.

2014-01-03 - v3.5.2.10

1. Fix to prevent resending OTPs that are expired (or about to). New OTPs are now generated when less than half an existing OTP's life exists.

2013-12-09 - v3.5.2.9

1. Normalizing user and domain values for actions performed under Native Windows Authentication (UPNs are resolved to AD domain and sAMAccountName!)

2013-12-04 - v3.5.2.8

1. Preventing email enrollment during login if already enrolled

2013-11-12 - v3.5.2.7

1. Added ability to unlock accounts in Oracle Internet Directory
2. Supporting groups for Oracle LDAP [filter was already correct: (&(uniqueMember=%s)(objectclass=groupOfUniqueNames))]

2013-10-31 - v3.5.2.6

1. Preventing phone enrollment during login if already enrolled
2. New option for completely preventing phone enrollment during login (done from Acct Mgmt)

2013-10-28 - v3.5.2.5

1. Updated CPSLDAPAttribs to handle base64 encoded binary results and GUIDs as string

2013-10-23 - v3.5.2.4

1. Account Management now displays linked accounts
2. Better data returned in Admin Dashboard user lookup:

2013-10-19 - v3.5.2.3

1. Checking OTP in AgentLogin if provided (prevents redundant OTP entry after SS enrollment)
2. Support for SASL/Kerberos login for AD-based LDAP (satisfies LDAP signing security requirement if enabled in DC GPO)

2013-10-16 - v3.5.2.2

1. Fix for native windows login using UPN

2013-09-23 - v3.5.2.1

1. Now doing case-insensitive username checking during regional HelpDesk authorization

2013-09-19 - v3.5.2.1

1. SQL repository support for SHA256, SHA384 and SHA512

2013-09-19 - v3.5.2.0

1. Google Authenticator support

2013-09-17 - v3.5.1.9

1. New repository option to perform account unlock against PDC (Native_UnlockOnPDC=1)

2013-09-16 - v3.5.1.8

1. Made RBA/SQL event logging no longer dependent on file paths! (customer separated the log and policy folders to different parent dirs so it was throwing an error)

2013-09-16 - v3.5.1.7

1. Support for SQL Native Client driver (XML columns weren't properly accessed previously)

2013-09-11 - v3.5.1.7

1. Fix in CPSDate::set(tstring) for "date only" values. Now passwords expire on the proper day (instead of the day after) and grace periods are correctly enforced

2013-09-06 - v3.5.1.6

1. Added optional proxy configuration (server, exceptions, user, password) to HTTP client class

2013-08-29 - v3.5.1.5

1. Added 2FA option to PassiveKey enrollment

2013-08-26 - v3.5.1.5

1. Leading/trailing and contiguous spaces were being removed automatically, preventing validation through checkAllCreds (would've been a problem in RADIUS login too).

2013-08-20 - v3.5.1.4

1. New option in PG HelpDesk pw reset to expire the new password (checked by default)

2013-08-13 - v3.5.1.3

1. Allowing change of challenge answers even when ERB is to be built (requesting and validating password)

2013-08-12 - v3.5.1.2

1. Allowing user override of default OTP type for VPN
2. Added custom text/prompt when PK is default VPN OTP

2013-08-07 - v3.5.1.1

1. Support for PassiveKey TOTPs via VPN

2013-08-02 - v3.5.0.7

1. Checking for duplicate emails on email registration/change

2013-07-30 - v3.5.1.0

1. Support for Desktop 2FA auth types

2013-07-29 - v3.5.0.6

1. Support for hex encoding in {RANDSTR()} function: HEX_UPPER and HEX_LOWER

2013-07-25 - v3.5.0.5

1. Option for updating email address in LDAP when changed through PG
2. New "AgentGeneral" subclasses

2013-07-24 - v3.5.0.4

1. Adding self-registration for SQL repositories

2013-07-19 - v3.5.0.3

1. Returning original self registration POST data for SelfReg email confirmation for any custom .NET uses

2013-07-05 - v3.5.0.2

1. Adding self-registration
2. Fix for ensuring "email enrollment" template is used for periodic email confirmation

2013-07-01 - v3.5.0.1

1. Now setting PGAnonSess, PGSession cookies as "secure" if request was made over SSL
2. Adding support for detecting when SSL proxies are in front of PG server with non-standard MS header, "Front-End-Https: on"

2013-06-27 - v3.5.0.0

1. OTP dialog error for SSPM w/ 2FA when printed OTP was default (did not occur for phone or email)

2013-06-25 - v3.5.0.0

1. Adding event record elements for SSPM redesign, Account Management actions & 2FA enrollment and use
2. No longer ignoring/dropping HTTP cookie creation/deletion if we have a same-named cookie - newer one wins.

2013-06-19 - v3.5.0.0

1. Allowing account linking (pw sync) to secondary SQL repositories

2013-06-13 - v3.5.0.0

1. Allowing account linking (pw sync) to secondary SQL repositories
2. Multiple primary repository support
3. Tweaked HD user type-ahead to work regardless of repository type