Login for Windows release notes

Version 22.06

Release date: June 21, 2022

Compatibility: SecureAuth® Identity Platform release 19.07.01 or later.

What's new
  • Hybrid Azure AD support. Login for Windows now supports hybrid Azure AD domain-joined machines.

  • New properties in the installer configuration. New properties are available to use in the installer config.json file.

    Note: These new properties will be available in a later update to the Identity Platform on the Login for Endpoints installer UI. As a workaround, you can manually add these new properties to the installer config.json file.

    • LDAP request timeout. The new ldap_timeout configuration property sets the timeout, in seconds, that the Login for Windows endpoint waits for an LDAP request to respond before ending the connection.

    • User bypass. The new user_bypass configuration property lets you define a local username that bypasses multi-factor authentication (MFA).

    For more information about the installer configuration properties, see Configure Identity Platform and Login for Endpoints.
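
    An audit sketch for the two properties above, added here as an example and not taken from SecureAuth's code or documentation. It assumes each property is a JSON key with exactly the name given in these notes; the helper name Find-JsonProperty, the "settings" wrapper and the sample values are constructed for illustration.

```powershell
# Added example: report MFA-relevant properties in a Login for Windows config.json.
# Assumption: each property is a JSON key with exactly the name given in these notes.
# The nesting is not documented here, so the search walks the whole document.
function Find-JsonProperty {
    param($Node, [string[]]$Name, [string]$Path = '$')

    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($prop in $Node.PSObject.Properties) {
            $childPath = '{0}.{1}' -f $Path, $prop.Name
            if ($Name -contains $prop.Name) {
                [pscustomobject]@{ Name = $prop.Name; Value = $prop.Value; Path = $childPath }
            }
            Find-JsonProperty -Node $prop.Value -Name $Name -Path $childPath
        }
    }
    elseif ($Node -is [System.Array]) {
        for ($i = 0; $i -lt $Node.Count; $i++) {
            Find-JsonProperty -Node $Node[$i] -Name $Name -Path ('{0}[{1}]' -f $Path, $i)
        }
    }
    # Scalars and $null fall through: nothing to descend into.
}

# Constructed sample; the "settings" wrapper is illustrative, not the product's layout.
$sample = @'
{
  "settings": { "ldap_timeout": 30, "user_bypass": "localsvc" }
}
'@

# For a real file: $config = Get-Content -Raw .\config.json | ConvertFrom-Json
$config = $sample | ConvertFrom-Json
$hits = Find-JsonProperty -Node $config -Name 'user_bypass', 'ldap_timeout'

foreach ($hit in $hits) {
    switch ($hit.Name) {
        'user_bypass' {
            # Any non-empty value names a local account that skips MFA.
            if (-not [string]::IsNullOrWhiteSpace([string]$hit.Value)) {
                Write-Warning ("{0}: local user '{1}' logs in without MFA" -f $hit.Path, $hit.Value)
            }
        }
        'ldap_timeout' {
            Write-Output ("{0}: LDAP request timeout is {1} seconds" -f $hit.Path, $hit.Value)
        }
    }
}
```

    Run it against each config.json staged for deployment and review every user_bypass warning against the list of approved local accounts.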

Improvements and fixes
  • CP-1094 – Login for Windows now supports hybrid Azure AD domain-joined machines.

  • CP-1279 – New installer configuration property, ldap_timeout, to define a timeout setting for LDAP requests to Active Directory.

  • CP-1296 – When a user logs in locally on a workstation with a validated password that does not match their password stored in their organization's domain data store, the login screen will prompt the user for their domain password before MFA.

    Note: This issue is resolved only in the Identity Platform release 21.04 and requires, at minimum, hotfix 21.04-9.

  • CP-1298 – New installer configuration property, user_bypass, to define a local username to bypass MFA.

  • CP-1300 – You can install Login for Windows on the workstation by double-clicking the msi installer file, as long as the config.json file is in the same folder.

  • CP-1314 – Better handling of logins on workstations and servers with Windows local policies enabled on lock screens.

Release date: May 7, 2021

Compatibility
  • SecureAuth IdP 9.3 or later and the SecureAuth Identity Platform 19.07 or later.

  • Biometric fingerprint recognition requires the Identity Platform release 19.07.01 or later, using the 2019 theme.

  • Transactional logging requires the Identity Platform release 20.06 or later, using the /authenticated endpoint.

What's new

All of these features are supported only in the Identity Platform release 21.04 or later.

  • New integrated Login for Endpoint configuration page in Identity Platform. Open the new Login for Endpoint page from the Identity Platform user interface to customize your Login for Endpoints user experience. The easy-to-use pages help you set up your operating system, the multi-factor methods, and even personalize your users' experience during authentication. (Existing customers will recognize the options that were manually set in the config.json file in previous releases.)

    To learn more, see Configure Identity Platform and Login for Endpoints.

  • New second-factor authentication methods added. You can now choose the following new 2FA methods: PIN and link-to-accept available for both SMS/text and email.

  • Azure AD support. Login for Windows now supports Azure AD domain-joined machines.

Improvements and fixes
  • CP-924 – Admins can set the "Suggests use of an OATH-based method on first login regardless of your Adaptive Policy settings" option, which displays a message to end users suggesting that they authenticate for the first login by using an OATH-based method. This ensures that they can log in when offline.

  • CP-1000 – Login for Windows supports Azure AD domain-joined machines.

  • CP-1023 – The following error messages have been enhanced to give end users more information about issues: password expired, change password, account locked.

  • CP-1037 – PIN as a second factor works with Login for Mac release 21.04 in the SecureAuth Identity Platform release 21.04.

  • CP-1039 – Link-to-accept as a second factor via SMS/text and email works with Login for Mac release 21.04 in the SecureAuth Identity Platform release 21.04.

  • CP-1167 – After installation where "Suggests use of an OATH-based method on first login regardless of your Adaptive Policy settings" is set and "Bypass interval" is set, when end users first log in, they will no longer automatically see a login page that suggests setting a second factor.

Release dates
  • Version 20.09.01 – 12-Jan-2021

  • Version 20.00.00 – 15-Sep-2020

Compatibility
  • SecureAuth IdP 9.2 or later and the SecureAuth Identity Platform 19.07 or later.

  • Biometric fingerprint recognition and face (iOS only) requires the Identity Platform release 19.07.01 or later, using the 2019 theme.

  • Transactional logging requires the Identity Platform release 20.06 or later, using the /authenticated endpoint.

  • The grace_period option replaces the login_attempts option.

Improvements and fixes
  • CP-507 – Characters in user IDs sent to Login for Windows are handled appropriately.

  • CP-949 – After rebooting a machine where passwordless is set up and functioning correctly, passwordless login works correctly at next login.

  • CP-956 – Passwordless login is available in scenarios where end users' first login was bypassed so they logged in the first time with password-only.

  • CP-959 – End users in a bypass group who must change their password at next login now see the password reset screen when they next log in.

  • CP-962 – On the Login for Windows login screen, the face and fingerprint icons now display the correct tool tips when you hover the cursor over the icons.

  • CP-966 – If Login for Windows is installed and references a realm that does not have the Authentication API enabled, the installation fails. This is the appropriate behavior.

  • CP-970 – Product logging is enabled by default for DEBUG; when troubleshooting product issues, Support might require that you view this log located at C:\ProgramData\SecureAuth

  • CP-971 – Log files are left in place when the product is uninstalled, to assist with troubleshooting any issues with the uninstallation.

  • CP-985 – During login, the username is bypassed for end users in a bypass group, even after canceling a login because of an expired password.

  • CP-991 – Message improvements to help the user experience.

  • CP-993 – The credential prompt will be displayed quickly in the following scenario: Install Login for Windows, open a remote desktop connection, and then connect to another machine that has a remote desktop connection enabled and Login for Windows installed.

  • CP-1082 – Push-to-accept works with Login for Windows version 20.09.01 in the SecureAuth Identity Platform version 20.06+ cloud deployment. If you use a load balancer, there is no cloud deployment restriction.

Release date: June 24, 2020

Compatibility
  • SecureAuth IdP 9.2 or later and the SecureAuth Identity Platform 19.07 or later.

  • Biometric fingerprint recognition and face (iOS only) requires the Identity Platform release 19.07.01 or later, using the 2019 theme.

Known issue
  • CP-925 – If the Login for Windows saconfig database is deleted or unavailable, end users will not be able to log in.

    Workaround: A message on the UI guides end users to log in with a different method, such as user name and password, and guides administrators to check the Event Viewer.

    After reading the event log, export it so it is available if you need to contact SecureAuth Support for assistance with the issue.

Release date: April 14, 2020

Compatibility
  • SecureAuth IdP 9.2 or later and the SecureAuth Identity Platform 19.07 or later.

  • Biometric fingerprint recognition and face (iOS only) requires the Identity Platform release 19.07.01 or later, using the 2019 theme.

Improvements and fixes
  • CP-106 – If the "login_attempts" attribute is set in conf_version 4 in the config.json file, end users are allowed to log in with a password only for a set number of times. This enables end users to have time to set up their 2FA methods, such as PIN creation and answers to Security Questions, before they must authenticate to access their device.

  • CP-755 – If any settings that determine login are changed, for example, an adaptive rule is changed or users no longer belong to a bypass group, end users automatically receive a 3-minute time period to enter their password.

  • CP-433 – When end users click the "Click to update your password" link on the login screen, they are directed to a Login for Windows SSPR login screen that opens in a modern browser, Chromium version 79.1.36, and not in Internet Explorer.

  • CP-815 – Improvements to login performance were completed.

  • CP-823 – The installation version number now matches the public version release value; for example, if the public product version is 20.03.01, then the installation version number, which is visible if you uninstall Login for Windows manually, is also 20.03.01. (In previous versions of Login for Windows, the versions were different, but now they match.)

  • CP-825 – The error log displays system information, such as the type and version of the operating system, the version of Login for Windows your organization is running, and more.

Known issues
  • CP-816 – End users with external fingerprint readers should not disconnect the reader from their computer before logging out; doing so will cause an error to be displayed: Fingerprint data not found. The error is an "unknown identity" signal that the reader sends to the driver; however, the fingerprint data will be found when the reader is connected to the same computer.

    The fingerprint feature works as designed. When the reader is disconnected and sends the "unknown identity" signal, the code does not differentiate between the signal and an unrecognized finger touch.

  • CP-824 – The error log will have new start lines and threads if connecting through RDP; RDP connections cause new instances of the credential provider to be created, which causes the new start lines and threads.

  • TW-926 – When upgrading to the Identity Platform v19.07 or later, admins must use the 2019 theme and end users who already use the SecureAuth Authenticate app must reconnect their accounts to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition through the mobile app.

    Workaround: None