CA

eTrust SSO r8.1 Readme


1.0 Welcome

2.0 Platform Support

3.0 Active Directory Listener
3.1 Defects Fixed in CR18
3.2 Defects Fixed in CR09
3.3 Defects Fixed in CR08

4.0 Application Wizard
4.1 Known Issues
  4.1.1 Application Wizard fails to find windows and pages issue
  4.1.2 Application Wizard Windows 2000 issue
  4.1.3 Application Wizard control identification issue
4.2 Installation Consideration
4.3 Defects Fixed in CR17

5.0 Certificate Authentication
5.1 Important Information
5.2 Defects Fixed in CR18
5.3 Defects Fixed in CR12
5.4 Defects Fixed in CR11
5.5 Defects Fixed in CR09
5.6 Defects Fixed in CR08
5.7 Defects Fixed in CR07
5.8 Defects Fixed in CR02
5.9 Defects Fixed in CR01

6.0 eTrust SSO Client
6.1 Important Information
6.2 Defects Fixed in CR20
6.3 Defects Fixed in CR19
6.4 Defects Fixed in CR18
6.5 Defects Fixed in CR17
6.6 Defects Fixed in CR16
6.7 Defects Fixed in CR15
6.8 Defects Fixed in CR14
6.9 Defects Fixed in CR13
6.10 Defects Fixed in CR12
6.11 Defects Fixed in CR10
6.12 Defects Fixed in CR08
6.13 Defects Fixed in CR07
6.14 Defects Fixed in CR06
6.15 Defects Fixed in CR05
6.16 Defects Fixed in CR04
6.17 Defects Fixed in CR03
6.18 Defects Fixed in CR02
6.19 Defects Fixed in CR01
6.20 Enhancements
  6.20.1 Event Command Enhancements
  6.20.2 Enhancements to eTrust SSO Interpreter
6.21 Known Issues
  6.21.1 Docked SSO Launchbar covered by Windows toolbar
  6.21.2 Documentation Correction

7.0 eTrust SSO Integration Kit
7.1 Enhancements in CR19
7.2 Known Issue

8.0 LDAP Authentication Agent
8.1 Important Information
8.2 Defects Fixed in CR16
8.3 Defects Fixed in CR15
8.4 Defects Fixed in CR07
8.5 Defects Fixed in CR01

9.0 Policy Manager
9.1 Important Information

10.0 PSLang
10.1 Known Issues
  10.1.1 PSLang-Empty Attributes Default Values
10.2 Defects Fixed in CR15
10.3 Defects Fixed in CR14
10.4 Defects Fixed in CR12
10.5 Defects Fixed in CR11
10.6 Defects Fixed in CR10

11.0 eTrust SSO Server
11.1 Important Information
11.2 Known Issues
  11.2.1 Heartbeat check over UDP does not work
  11.2.2 Silent installation of the SSO Server fails
  11.2.3 SSO client does not enforce Heartbeat Fail Behavior action if UDP protocol is used
  11.2.4 Policy Manager reports error messages while attempting to login
  11.2.5 Documentation Issues
11.3 Defects Fixed in eTrust SSO Server

12.0 Session Administrator
12.1 Defects Fixed in CR03

13.0 Password Synchronization Agent
13.1 Important Information
13.2 Defects Fixed in CR21
13.3 Defects Fixed in CR20
13.4 Defects Fixed in CR12
13.5 Defects Fixed in CR07
13.6 Defects Fixed in CR04
13.7 Defects Fixed in CR02

14.0 Web Agent for IIS 5 and IIS 6
14.1 Important Information
14.2 Support and Documentation Notes
14.3 Known Issues

15.0 Windows Authentication
15.1 Co-existence support for SSO 8.1 and 8.0 WIN Auth Agent for Backward Compatibility
15.2 Defects Fixed in CR17
15.3 Defects Fixed in CR14
15.4 Defects Fixed in CR05
15.5 Defects Fixed in CR01

16.0 Contact Technical Support


1.0 Welcome

Welcome to the eTrust SSO r8.1 readme. This readme contains issues and other information discovered after publication. The known issues, enhancements, and list of fixed defects for each CR are arranged by component. For a complete list of the known issues for this release and details about how the features and enhancements for this release might affect you, see the eTrust SSO r8.1 Release Notes.


2.0 Platform Support

For the latest information about platforms, CA products, and third-party software that eTrust SSO components support, see the Compatibility Matrix on the Technical Support site: http://ca.com/support.


3.0 Active Directory Listener

3.1 Defects Fixed in CR18

The following active directory listener defects are fixed in the build release number 8.1.0.4289:

Problem ID Description Resolution or Comments
908 The maximum length of the Verify Password field for eTrust SSO Server administrator is 14 characters. So, if the eTrust SSO Server administrator password is longer than 14 characters the entries in the Password and Verify Password fields do not match and the installer aborts. The maximum length for the Verify Password field related to eTrust SSO Server administrator is modified to accept long passwords.
884 The maximum length of the Verify Administrator Password field in the Active Directory Listener installer is 14 characters. So, if the administrator password is longer than 14 characters the entries in the Password and Verify Password fields do not match and the installer aborts. The maximum length for the Verify Password field is modified to accept long passwords.

3.2 Defects Fixed in CR09

The following active directory listener defect is fixed in the build release number 8.1.0.4283:

Problem ID Description Resolution or Comments
745 ADS Listener upgrade feature enhancement Active Directory Listener upgrade does not work. Normal in-line upgrade of ADL from GA to CR6 requires removal of previous version. Setup for custom monitoring context during install also added

3.3 Defects Fixed in CR08

The following active directory listener defects are fixed in the build release number 8.1.0.4279b:

Problem ID Description Resolution or Comments
685 ADS Listener memory size increases when users are moved and the memory size does not decrease when the move is completed. The memory leak is fixed.
686 Whenever AD LISTENER receives a notification from AD that relates to COMPUTER objects, it confuses them for user objects.

AD Listener now has an updated default of the value for identifying user class. The default value for UserClass was changed to "user !computer", so there is NO need to add/change any registry key.

If there is a need to force a different class string, the class string as well as the LDAP filter for user and group objects can be defined using the following keys (under AD):
UserClass - default: "user !computer"
UserFilter - default: "(&(objectClass=user)(!(objectClass=computer)))"
GroupsClass - default: "group"
GroupFilter - default: "(objectClass=group)"
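
The effect of the default UserFilter can be checked offline. The following is an added example, not part of the CA readme or product code: a small Python evaluator for the filter subset used in the defaults above, run against constructed directory entries. The entry names and the bare (objectClass=user) comparison filter are assumptions for illustration.

```python
# Added example (not CA code): evaluate the AD Listener default filters
# against constructed entries. In Active Directory the "computer" class is
# derived from "user", so a computer object carries both objectClass values.

DEFAULT_USER_FILTER = "(&(objectClass=user)(!(objectClass=computer)))"
DEFAULT_GROUP_FILTER = "(objectClass=group)"
NAIVE_USER_FILTER = "(objectClass=user)"  # assumption: comparison filter only

# Constructed sample entries (hypothetical DNs).
SAMPLE_ENTRIES = {
    "CN=Alice Example,OU=Staff,DC=example,DC=test": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
    },
    "CN=WKSTN01,CN=Computers,DC=example,DC=test": {
        "objectClass": ["top", "person", "organizationalPerson", "user",
                        "computer"],
    },
    "CN=Helpdesk,OU=Groups,DC=example,DC=test": {
        "objectClass": ["top", "group"],
    },
}


def parse_filter(text):
    """Parse a filter string (AND, OR, NOT, equality) into nested tuples."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters at offset %d" % pos)
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos >= len(text):
        raise ValueError("unterminated filter")
    op = text[pos]
    if op in "&|":
        # Composite filter: zero or more parenthesised children.
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        # Negation wraps exactly one child filter.
        child, pos = _parse(text, pos + 1)
        node = ("!", child)
    else:
        # Simple equality item: attr=value up to the closing parenthesis.
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unterminated item at offset %d" % pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("expected attr=value at offset %d" % pos)
        node = ("=", attr.strip().lower(), value.strip().lower())
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def matches(node, entry):
    """Return True if the entry (attribute -> list of values) satisfies node."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    # Attribute names and objectClass values compare case-insensitively.
    present = [v.lower() for name, values in entry.items()
               if name.lower() == attr for v in values]
    return value in present


def select(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sorted DNs of the entries that match the filter."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))


if __name__ == "__main__":
    for label, flt in (("naive user", NAIVE_USER_FILTER),
                       ("default user", DEFAULT_USER_FILTER),
                       ("default group", DEFAULT_GROUP_FILTER)):
        print(label, flt)
        for dn in select(flt):
            print("   ", dn)
```
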


4.0 Application Wizard

4.1 Known Issues

4.1.1 Application Wizard fails to find windows and pages issue

Your automation script may fail to correctly identify application windows and pages if punctuation characters are used to identify the application window or page. Punctuation characters should not be used to identify application windows and pages.

4.1.2 Application Wizard Windows 2000 issue

When automating a Windows application on Windows 2000, the target application's command line arguments may not be automatically detected by the Application Wizard. On the Select the application to automate wizard page, enter the application's command line arguments in the Command line arguments field.

4.1.3 Application Wizard control identification issue

The Application Wizard may not detect some controls on the window you are automating if the Windows application uses non-standard control types or renders its own GUI elements. If a control does not appear in the table of controls on the bottom of the Automating window dialog:

Note: You can only assign the Click, Click exact point, and Type other text actions to these types of controls.

4.2 Installation Consideration

Scripts generated using the Application Wizard will only function correctly with the SSO Client from SSO r8.1 CR2 or later.

4.3 Defects Fixed in CR17

The following application wizard defect is fixed in the build release number 8.1.0.20742:

Problem ID Description Resolution or Comments
874 Application Wizard generates errors when scripts contain a "\" (backslash). This issue is fixed. Application Wizard now handles scripts containing a "\" (backslash) appropriately and no longer generates errors.


5.0 Certificate Authentication

5.1 Important Information

Note: For interactive installation of SSO 8.1 Cert Auth Agent for co-existence, please select the "Co-existence" option and follow the install wizard. For silent install, please specify the following command line option:

-V IS_COEXISTENCE=true/false

Default: false

5.2 Defects Fixed in CR18

The following authentication agent defect is fixed in the build release number 8.1.0.20755:

Problem ID Description Resolution or Comments
911 During certificate authentication, eTrust SSO truncates all characters after the symbol '@' in the User Principal Name from the smart card, and maps this truncated attribute to the userPrincipalName in Active Directory. So, the mappings do not match and authentication fails. This issue is fixed. eTrust SSO does not truncate the User Principal Name before comparing the attribute with the userPrincipalName in Active Directory.

5.3 Defects Fixed in CR12

The following authentication agent defect is fixed in the build release number 8.1.0.20564:

Problem ID Description Resolution or Comments
768 Cert installer grace period. CertAuth installer has been modified with new example and default value changed to "0d0h0m0s". New example provided with installer is: 1d2h30m10s = 1 day 2 hour 10 min 10 sec. This modified example supports new time period format and also explains full usage of parameters.

5.4 Defects Fixed in CR11

The following authentication agent defects are fixed in the build release number 8.1.0.20555:

Problem ID Description Resolution or Comments
762 Cert auth agent 8.1 CRL grace period It is observed that the grace period is shown to be expired in the log file even when the grace period did not actually expire.
763 Cert auth agent 8.1 CRL+AIA-OCSP It is observed in the auth agent log that the user is being validated using only the CRL file available in the local folder but not proceeding further to check the OCSP status. According to R12 in Cert Agent DDS, if the status of the certificate shown by CRL is "not revoked" then the agent should check the OCSP status also using the AIA attribute of the certificate.

5.5 Defects Fixed in CR09

The following authentication agent defect is fixed in the build release number 8.1.0.20543:

Problem ID Description Resolution or Comments
743 Certagent-HTTP URL for CRL The Cert Auth agent installer does not accept a HTTP URL for CRL option

5.6 Defects Fixed in CR08

The following authentication agent defect is fixed in the build release number 8.1.0.20542:

Problem ID Description Resolution or Comments
719 Custom name_mapping.dll in 8.1 Sample source code for name mapping dll

5.7 Defects Fixed in CR07

The following authentication agent defect is fixed in the build release number 8.1.0.20517:

Problem ID Description Resolution or Comments
722 Cert Auth Agent Uninstall Error

After performing repeated CERT Auth Agent silent installation and uninstall, at the end of the second uninstall process the following error dialog will pop-up:
Error Occurred during the uninstallation
An error occurred and product uninstallation failed. Look at the log file C:\ Program Files\CA\eTrustSSO\Cert Agent/log.txt for details.

5.8 Defects Fixed in CR02

The following authentication agent defects are fixed in the build release number 8.1.0.20267:

Problem ID Description Resolution or Comments
629 Cert Auth Agent UTF8 certificate file (umlaut characters) Cert Auth Agent was unable to handle UTF8-encoded certificate (umlaut characters).
605 Cert Auth Agent certificate filename with ".cer" extension. Cert Auth Agent did not support DER-encoded certificate filename with ".cer" extension as part of the file filters.

5.9 Defects Fixed in CR01

The following authentication agent defects are fixed in the build release number 8.1.0.19991:

Problem ID Description Resolution or Comments
595 Second Auth Agent does not automatically start as a service after install When you install two Auth agents (WINDOWS, RSA, LDAP or CERT auth agents) on the same machine, after the second auth agent is installed, the installation package does not prompt for reboot (which is OK and designed that way) and also does not start up the service.
594 Cert Agent installation failure. The certAuthAgent installer from the supportConnect 8.1 GA iso will randomly fail, reporting an error of not being able to load the engine.jar file.


6.0 eTrust SSO Client

6.1 Important Information

6.2 Defects Fixed in CR20

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20801:

Problem ID Description Resolution or Comments
909 SILENT REAUTH ON TOKEN NOT AVAILABLE ON SERVER Extended the fix in 8.1CR19 to also consider ticket expiration.
942 FOCUS ON PIN/PASSWORD FIELD The GINA Dialog focus during CERT authentication (pkcs#11) is corrected for the customer to input into the password field.
954 SILENT REAUTH W/ WINAUTH

A new configuration parameter in Client.ini is added to control the dialog box stating "Please re-authenticate to continue this SSO operation".
[Reauthentication]
SuppressExpirationNotification
Value: [yes|no]
Default: no

955 Error invoking legacy 16-bit application from launchbar Error invoking legacy 16-bit application from launchbar is corrected.
956 HTML_SELECTITEM DOES NOT CLICK Added support to fire Onchange event for html_SelectItem.
958 NO COOKIE IN REMOTE CONNECTION Cookie will now be generated even when SSO Client is operated in Remote Session.
962 Increase in engsvc.exe memory usage Handle leak in engine service is corrected.
965 HTML_BROWSE -grab extension

Added a new option "grab" to html_browse command to specify whether to grab the html page. The default value is TRUE, i.e., the page will be scraped by default if -grab is not specified. The following values can be used:
Value: [y|n]
Default: y

966 HTML_BROWSE -size extension

A new extension "size" is added to html_browse command to specify how IE should be displayed when launched. The following values can be used:
min - Indicates that IE should be opened in minimized state
max - Indicates that IE should be opened in maximized state
same - Indicates that IE should be opened at the same size it was.
open - Indicates that IE should be restored.

967 POP-UP disabled during offline

Added a new entry "DisplayOfflineModeConfirmation" in OfflineOperation section in the client ini file. If it is set to yes, user will be prompted that server is offline and waits for user input to continue or abort the login process. If it is set to no, there will not be any prompt and user will work offline.
[OfflineOperation]
DisplayOfflineModeConfirmation
Value: [yes|no]
Default: yes

6.3 Defects Fixed in CR19

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20774:

Problem ID Description Resolution or Comments
909 SILENT REAUTHENTICATION ON TOKEN NOT AVAILABLE ON SERVER

A configurable entry "DisplayReauthDialog" in new section called [Reauthentication] has been added. If the value is set to "no" and token is not available on server then instead of showing re-authentication dialog, a silent authentication will be performed.
[Reauthentication]
DisplayReauthDialog
Value: [yes|no]
Default: yes
Note: This fix works only with the server build 8.1CR19 (4292) and above.
Possible Issues:
Token deletion by Token cleanup background process on server side will result in TOKEN NOT AVAILABLE error for the clients. We would recommend setting timeout for the token removal background process to a larger value.

916 ICA CLIENT SUPPORT NOT HONORED DURING SILENT UPGRADE Now Customers can enable features (Gina, ICA Client support) through selection during silent/interactive upgrade scenario.
926 SSO CLIENT NOT DETECTING SMARTCARD SSO Gina now detects smartcard insertion even on normal Windows logoff.
928 START UP APPLICATIONS FAIL TO EXECUTE The SSO application being launched on windows startup will not fail with an error "cannot retrieve variables".
893 WINLOGON CRASHES WHEN SSO CLIENT IS INSTALLED WITH SAFEBOOT PRODUCT SSO CLIENT now works with SAFEBOOT product.

6.4 Defects Fixed in CR18

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20757:

Problem ID Description Resolution or Comments
881 Serverset dialog on top of all the windows

A new attribute is added to [authoptions] section in auth.ini as described below

  • AlwaysOnTop

    When set to yes, serverset dialog will be on top of all the windows on the desktop

    Values: [yes|no]

    Default: no

882 Pkcs11 card removal

eTrust SSO smartcard authentication now supports NetID software. Two new entries are added to [auth.cert] section in auth.ini as described below:

  • VSlotsPerReader

    Specifies the number of virtual slots NetID software configures for a reader. This value must be equal to number of pins you configure.

    Default: 1

  • VSlotForAuth

    The virtual slot that is configured for authentication.

    Value: 0 to VSlotsPerReader

    Default: 0

888 SSO client GINA in offline crash SSO GINA crashes when user tries to unlock machine in offline mode.
889 Error evaluating script

The following error is recorded in the eTrust SSO interpreter logs when you use the exit command in a login script:
Error - error evaluating script

893 SSO & Citrix - memory leak

The memory leak happening in engine service on metaframe server, in sso-citrix integration setup, has been fixed. A token cleanup task is also added on the client side to remove the unused tokens in the engine service. By default, it is disabled.
To set the task interval one new entry is added to a new section named [SessionCleanup] in client.ini as described below:

  • SessionCleanupIntervalInMins

    The interval for performing the token cleanup task. When set to 0, task is disabled.

    Values: minutes

    Default: 0

912 Reauthenticate using different reader Users can now reauthenticate with a different reader than the one used first for authentication.

6.5 Defects Fixed in CR17

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20743:

Problem ID Description Resolution or Comments
868 Client install depends on citrix metaframe version Client installation on citrix metaframe server halts if supported version of metaframe server is not present.
870 Signon error on pse SSO interpreter getting crashed with exceptions while connecting to login in citrix environment
871 SSO GINA unavailable in rdp GINA is displayed only in the console of the presentation server but not in any rdp session
873 Displaylogonbutton option in client.ini The value DisplayLogonButton in sso client.ini sso tools section is not being honored.
876 Roaming profiles not deleted Roaming profiles are not getting deleted when using console for login.
878 Problem with customized icons

Icons for Disabled/Offline applications are not greyed out. A configurable entry in launchbar section of client.ini is made to use the default sso application icon to display for disabled applications.
DisplayDefaultIconForDisabledApp
value = yes|no
Default = no

6.6 Defects Fixed in CR16

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20720:

Problem ID Description Resolution or Comments
835 Error installing client on win2k

SSO client now supports installation even under the local system account privileges.
SSO client now uses '/u' option for installing cawin.

836 Problem with cert drivers New error message included for validation of pkcs11librarypath value in auth.cert section in auth.ini
841 Client install depends on ica client version SSO client installer has been modified to allow installation on top of any version of the ICA client (even if a supported version of Citrix ICA client is not found on this machine).
842 Error format in sso extension pwdbox Error message format for password box dialog password verification has been modified to be same as sso 8.0 format
846 Roaming profiles not deleted on sso client install When SSO client is installed in citrix environment, roaming user profiles are not completely deleted, even though setting for "deleting roaming" profiles has been set in group policy
842 SSO launchbar crash during authentication Launchbar crash has been fixed when trying to display large number of applications during Windows authentication.

6.7 Defects Fixed in CR15

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20694:

Problem ID Description Resolution or Comments
809 Session management issue

With session management enabled, after token expiration sso is logging off the user only and not logging off the workstation.
New entry added in client.ini in section [gina/stationlock], based on this value session management will decide whether to logoff the user or workstation.
Logoffwindowsonlogouttimeout
Defines whether you want to logoff from windows or just want to logoff sso user, on logout timeout when session management is enabled.
Value: [yes|no]
Default: no

816 SSO client is offline forever SSO client is still offline even after logging into network with vpn client
822 Client installation fails with null Client abruptly fails with a null due to invalid entries in installshield vpd script.
825 Lotus notes script crashes The lotus notes script provided by CA crashes notes when you manually or automatically load sametime instant messaging.
827 Env path length is made appropriate during installation

The sso client installer has been modified to accept a system environment path of up to 2048 characters for:

· WIN XP SP2 or later

· WIN 2k Server SP2 or later

828 Cert authentication through smart cards not working on upgrade During upgrade from 8.0 client to 8.1 client, migration of entries in auth.cert section in auth.ini are done correctly.
831 Installation of client fails on citrix server with patches SSO client installation fails while supporting citrix presentation server when patches are installed.
833 Task manager doesn't load properly with SSO GINA Windows Task Manager does not paint properly on Desktop when SSO GINA is used.

6.8 Defects Fixed in CR14

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20645:

Problem ID Description Resolution or Comments
793 Server set selection dialog Within auth.ini, if the token "serversetselection" is 0, the server set selection dialog should always be displayed first, upon logon as well as re-authentication.
799 Launchbar can freeze Launchbar freeze/hang is eliminated during autonetwork and autologon in win-auth based authentication.
802 Need to automated logoff

To automate a few functions such as logon/logoff through scripts, new command-line options have been added for ssostatus.exe. The new options are as follows:
--exit_all : prompts user before exiting
--exit_nopromt : exits all the agents without prompting user
--logon : performs logon operation
--logoff : logs off user without prompting user
--refresh : refreshes the application list
--open_sso_tools : opens sso tools
--open_sso_launchbar : opens sso launchbar
--lock_workstation : locks workstation
--about_sso : displays about sso
--help or /? or help : prints information about all command line options

803 eTrust SSO window - application list The applications are being displayed in random fashion on sso client side. Applications should be sorted in alphabetic order.
805 GINA text wrapping Text in the legal banner dialog is not displayed completely. Gina does not have the ability to wrap the text to corresponding lines beyond the first one.

6.9 Defects Fixed in CR13

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20624:

Problem ID Description Resolution or Comments
785 Legal banner text not displayed in SSO GINA initial logon Sso gina does not display the legal notice text/caption during initial user logon
784 Shutdown button option in SSO GINA The shutdown button option in sso gina logon screen is disabled or greyed out. SSO client does not recognize the 'shutdownwithoutlogon' policy setting from hklm/software/microsoft/windows/currentversion/policies/system key.
786 Citrix 10.15/10.20 support Fail to install/support sso client on a box with citrix client 10.15/10.20. The client installation fails with an error.
787 Re-auth after unlock After session expires authentication boxes are showing up on the desktop for users repeatedly
789 SSO tcl extensions-tablet pc On Windows XP Tablet PC Edition 2005, sso tcl extensions "inputbox" and "pwdbox" do not fully support "tablet pc input panel" application. On Windows XP Tablet PC Edition 2005, if "tablet pc input panel" is in "writing pad" and "character pad" modes, then clicking on its "insert" button to send the data to sso will hang the sso application and the whole operating system for about 1 minute.
783 SSO icon on windows status bar On Windows XP Tablet PC Edition 2005, SSO icon on windows status bar (system tray) does not handle "right mouse click" event correctly. When a stylus is used to access the sso icon it sometimes causes multiple popup windows to appear on the screen (sso task menu and windows task bar menu with the latter usually overlapping the sso one) which creates difficulties accessing sso options available on sso popup menu.
788 RSA offline authentication The RSA authentication method is modified to support password-based authentication when offline. When the RSA authentication client software detects offline mode, the user will be prompted to enter a user id and password instead of their token pin and code. The entered credentials are verified against a pre-defined application, "__RSA__", in the sso database. This application will hold the user's "offline" credentials for RSA. There is no need for the ldap authentication method to be configured within the sso client to support offline mode. The RSA authentication method itself will directly prompt and verify the user's "offline" password.
782 System info link is not working On Windows 2000, when the user clicks on the system information link, the system information is not displayed.
781 Truncation appearing Button Log off/Log on on SSO Tools are not displayed properly. Truncation appears.

6.10 Defects Fixed in CR12

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20564:

Problem ID Description Resolution or Comments
776 Eventcommands for online/offline status change

Two new event commands tokens have been added to [eventcommands] section in client.ini. These are described as below:

  • SsoOnline

    Defines the windows command-line program or script to run when sso client detects offline-to-online transition.

    Value: path and script or command name

    Default: [no default]

  • SsoOffline

    Defines the windows command-line program or script to run when sso client detects online-to-offline transition.

    Value: path and script or command name

    Default: [no default]

769 Editable tool tip information

Two new parameters are added in client.ini->[launchbar] section as below:

DisplayAppSensitive=yes

DisplayAppSynchronized=yes
Depending upon the values of these two parameters the tooltip text will be adjusted. If the setting on policy server for "Password Synchronized" and "Sensitive" is enabled but corresponding value in client.ini is set to "no" then tooltip will not contain related text like "Password is Sychronized" or "Sensitive".

  • DisplayAppSensitive

    Defines whether the information about application is sensitive should appear in the tool tip.

    Value: [yes|no]

    Default: yes

  • DisplayAppSynchronized

    Defines whether the information about application is synchronized should appear in the tool tip.

    Value: [yes|no]

    Default: yes

767 Waittext crash on customer app Customer application is getting crashed when user tries to invoke sso waittext function.

6.11 Defects Fixed in CR10

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20551:

Problem ID Description Resolution or Comments
759 Tool tips not working Balloon tool tips do not consistently work for applications in the sso launchbar.
758 SSO Client 8.1 pwdbox Tcl The function "pwdbox" causes a crash in the Windows xp environment if the theme is set to Windows XP

6.12 Defects Fixed in CR08

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20542:

Problem ID Description Resolution or Comments
735 EVENTCOMMAND DOES NOT RUN ON TS/CITRIX SESSION Does not work with CITRIX/TERMINAL Services

6.13 Defects Fixed in CR07

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20517:

Problem ID Description Resolution or Comments
687 Start Menu not updated after status icon App List Refresh

When a User is un-authorized for an Application and then Refresh Application List is run from the Status Icon, the Application Link is not removed from the SSO Programs group in the Start Menu.

Note: The Application is removed from the Launch Bar and Status Icon and this problem only occurs when Refresh Application List is run from the Status Icon. Therefore if Refresh Application List is run from the Launch Bar everything behaves as expected.

664 SSOINTERP logs errors when using waittext + IE When using the SSO Interpreter Waittext extension with Internet Explorer, a large number of unnecessary errors are logged in the ssointerp.log file.

6.14 Defects Fixed in CR06

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20513:

Problem ID Description Resolution or Comments
678 CloseAgentOnExit functionality is no longer available in SSO 8.1 A new configuration token called "SsoSignOffOnExit" has been added to the [ScriptInterpreter] section in Client.ini. This token takes a Boolean expression value of "yes" or "no". With a value of "yes", SSO will perform a signoff when ssointerp has finished. Otherwise, no action will be taken.
668

1. Delay during unlock and failure of the SsoSignOff command and;

2. Sequence of command executions that run concurrently with the Winlogon process during unlock causing undesirable behavior that is inconsistent with SSO 8.0.

1. Distribution of the unlock message to other SSO agents is now done in a separate thread so ssoevents::WLEventUnlock can return quickly and;

2. Event Commands now allow multiple tokens with each separated by a ';' character. Two options are defined at the moment: -nowait and -retnow. -nowait will not wait for command completion. -retnow will return the control to Winlogon, effectively returning to the desktop. -retnow is only applicable to the SsoSignOff event command as this command is typically used for closing applications that belong to the previous SSO user in a shared desktop configuration.

Please refer to the "EventCommands Enhancement" section for more details.

6.15 Defects Fixed in CR05

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20442:

Problem ID Description Resolution or Comments
656 SSO Client 8.1 does not work when PATH environment var > 1024 characters

SSO Client 8.1 service failed to work when installed on a system that has PATH environment variable longer than 1024 characters post installation. Microsoft Windows PATH environment variable has the limitation of 1024 chars.
When installing SSO Client 8.1, if the system PATH environment variable will exceed 1024 characters once the installation is completed, a warning message will be displayed with the options to proceed with the installation or abort it. For silent install mode, the installation will abort with the error message written to the log file.

654 Docked Launchbar does not restore position after signoff According to the user manual, if RestorePosition has been set to yes the LaunchBar will restore itself to its starting position after signoff. This does not work if the LaunchBar has been docked.
651 Port LockWorkstation.exe from 8.0 to 8.1 SSO 8.1 Client GA release does not come with the lockworkstation.exe tool. Port LockWorkstation.exe from 8.0 to 8.1.
647 SSOGina not loading AD profiles in Passthrough mode Windows/Domain logon script does not run if the GinaPassthrough=yes.

6.16 Defects Fixed in CR04

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20329:

Problem ID Description Resolution or Comments
630 SSO application shortcut does not create on desktop located on a remote UNC share "Keep a shortcut on my Desktop" on SSO Client launchbar or SSO tools works only for a local desktop. It does not work if the Desktop is located in a remote UNC share.
603 Uninstall SSO Client 8.1 deletes all files and folders in its installation folder that do not belong to it When choosing to install SSO 8.1 Client to \ca directory where other product(s) are also installed to, uninstalling SSO Client 8.1 and rebooting the system will cause files and directories belonging to other products within \ca directory to be deleted.

6.17 Defects Fixed in CR03

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20302:

Problem ID Description Resolution or Comments
637 Button class not using -pos argument correctly

SSO Interpreter - Misinterpreted label when used in conjunction with -pos switch:
Using the Windows XP calculator, the following script should press the control of class Button to the left of the 9 button, i.e. the 8 button. This does not happen; instead the 9 button is pressed.
sso window -title Calculator
sso push -class Button -pos left -label 9

636 SSO Interpreter, sso run command fails to launch the .cmd file directly

SSO Interpreter, sso run command fails to launch the .cmd file directly and no error message is returned.
sso run -path "C:\\test2.cmd"
This script can execute the test.cmd script in SSO Client 7.0 and 8.0. Note that the correct syntax for execution of .cmd script file is to pass it as an argument to cmd.exe.
sso run -path "cmd.exe" -args "C:\\test2.cmd"

624 Sensitive application does not force Re-Authentication

Using Sensitive applications with WIN Auth method in SSO 8.1 and with the following settings in auth.ini file:
[auth.win]
AutoNetworkAuth=Yes
When the sensitive timeout has expired, if the user tries to run the Sensitive application, it does not prompt for re-authentication.

It does not behave the same as in SSO 8.0.

The fix for this problem involves both SSO Server and Client. To resolve this problem, SSO 8.1 CR3 and later SSO Server must be applied along with SSO 8.1 CR3 Client and later.

619 Pwdbox password length truncated The PWDBOX SSO TCL command dialog only allows a 21 character password to be entered while SSO 8.1 is supposed to support up to 256 character password.

6.18 Defects Fixed in CR02

The following eTrust SSO client defects are fixed in the build release number 8.1.0.20279:

Problem ID Description Resolution or Comments
607 Smartcard removal does not support Pkcs11TokenAbsenceBehavior

SSO r8.1 does not handle removal of smartcards without the presence of SSO GINA. In 8.0 this was handled by PKCS11TOKENABSENCEBEHAVIOR.

The following new token in SSO Client auth.ini is introduced in this build:
[Auth.CERT]
Pkcs11TokenAbsenceBehavior=

The value of this token can be:
0: Do nothing
1: Workstation lock
2: SSO logoff

6.19 Defects Fixed in CR01

The following eTrust SSO client defects are fixed in the build release number 8.1.0.19991:

Problem ID Description Resolution or Comments
612 Cross-domain scripting security problems with html extensions When SSO Interpreter's HTML extensions interact with web pages that require access to frames and iframes loaded from a domain different from that of a page running the script, an error can occur during the parsing of the HTML contents. This results in the 'hResult = pIHTMLWindow2->get_document (&pIHTMLDocument2);' line (in HtmlExtDocument::loadFrames method in htmldocument.cpp) returning E_ACCESSDENIED error, with the consequence being that none of the HTML elements from the given frame are loaded, parsed and available for interaction with.
611 SSO Client with SSOGina upgrade from 7.0 to 8.1 failed After upgrading SSO 7 latest Client (with GINA) to SSO 8.1 Client, the client cannot start.
596 Support for HTML elements in HTML extensions

The html_push SSO extension does not support an input of type "image" when running web-based applications. When the input type is defined as "image", the sso html_push extension has no effect.
For example,
INPUT name="OK" valign="bottom" type="image" src="image_button.gif" onclick { more commands }
does not work. The problem does not occur when the input type is "button" or "submit".

The following extensions have been enhanced/added:

html_push (enhanced)

Syntax: sso html_push -label labelText [-ord filedIndex]

Syntax: sso html_push -name nameText


Support for buttons defined by the following html tag has been added:

<input type=image >
If using the -name parameter with this extension, the value is the ALT attribute of the html tag
<input type=file >
If using the -name parameter with this extension, the value is "Browse..."
<input type=submit >
If using the -name parameter with this extension, the value is the ALT attribute of the html tag. If ALT attribute is not defined, the default is "Submit Query"
<input type=reset >
If using the -name parameter with this extension, the value is the ALT attribute of the html tag. If ALT attribute is not defined, the default is "Reset"
<button type=button> button label </button>
<button type=submit> button label </button>
<button type=reset> button label </button>
For the <button> html tag, the -name parameter should refer to the text in between the opening and closing tags, e.g. <button type=submit>text</button>.

-label and -ord parameters are also supported for the new html tags above as before

html_check (new)

Syntax: sso html_check -label labelText [-ord filedIndex]

This is a new extension. It operates on the html checkboxes and radio buttons defined by the following html tag:


<input type=checkbox >
<input type=radio >

It will select the radio button or checkbox when it is not selected; it will deselect the radio button or checkbox when it is selected. It will do nothing when the radio button or checkbox is disabled.

-name parameter is not supported for this extension


html_getbtnstate (new)

Syntax: sso html_getbtnstate -label labelText [-ord filedIndex]

This is a new extension. It operates on the html checkboxes and radio buttons defined by the following html tag:

<input type=checkbox >
<input type=radio >

It returns the state of the radio button or checkbox: 1 when selected, 0 when not selected. It works even when the button is disabled.

-name parameter is not supported for this extension

 

590 SSO Script CSCRAPE timeout Error

While running Application Logon SSO script against Terminal Emulator, it sporadically fails on random boxes with "Error in CScrapeManager"
Can't create Scrape manager thread
Timeout error
Can't open event MsgHandleEventName_0

565 SSO Script WAITTEXT does not work on non-English Windows XP

The "sso waittext" command does not work on non-English versions of Windows XP.
The following error message was displayed:
"Script execution error: Failure beginning the text copying in command: sso waittext -text login:"
The problem does not occur on the English version of Windows XP.

558 SSO script waittext conflict with Carefx Context Manager When the SSO application script starts, it needs to scrape the window and log in at the correct moment when the login prompt comes up. If the Carefx extensions are running, this process does not work. If you shut down the Carefx extensions, it works properly.

6.20 Enhancements

6.20.1 Event Command Enhancements

The EventsCommand settings have been enhanced to add the following execution modifiers:

Note: For more information about the EventCommands, see the Client.ini file topic in the Administration Guide.

6.20.2 Enhancements to eTrust SSO Interpreter

Two new extensions, html_link and html_push, are added to the eTrust SSO interpreter. For more information about these new extensions, see the TCL Scripting Reference Guide.

6.21 Known Issues

6.21.1 Docked SSO Launchbar covered by Windows toolbar

When the Windows Toolbar re-appears (autohide enabled), the Windows Toolbar covers the docked SSO Toolbar. The SSO Toolbar may be completely covered by the Windows Toolbar and cannot be used.

6.21.2 Documentation Correction

The SSO 8.1 Administration Guide "Appendix A: Configuring the SSO Client" includes information on usage of the "MaxWait" parameter available for use in the "[EventCommands]" category of the Client.ini.

Please note that when this parameter is set as "MaxWait=0", the system will not wait indefinitely for the command to finish, instead it will return immediately.


7.0 eTrust SSO Integration Kit

7.1 Enhancements in CR19

The eTrust SSO Integration Kit consists of the following components:

The eTrust SSO integration kit, build release no 8.1.0.20772 on Windows and 8.1.0.20516 on Unix is enhanced to include the following documentation:

7.2 Known Issue

Valid on HP-UX

When you install the SDK on a computer that has a previous installation of the eTrust SSO Server r8.1, the SDK installs to an incorrect location. The SDK is not installed in the destination folder specified in the installation wizard; the SDK is installed in the eTrust SSO Server install directory.


8.0 LDAP Authentication Agent

8.1 Important Information

To generate the password, use the following steps:

8.2 Defects Fixed in CR16

The following LDAP authentication agent defect is fixed in the build release number 8.1.0.20720:

Problem ID Description Resolution or Comments
851 Support for namemapping from root of ad LDAP authentication agent to be able to read user namemappings from the top level of the Active Directory structure. (example basedn=dc=domain,dc=com scope=subtree).

8.3 Defects Fixed in CR15

The following LDAP authentication agent defect is fixed in the build release number 8.1.0.20680:

Problem ID Description Resolution or Comments
824 Support for LDAP over SSL

The new parameter is added in ldapPolicy.ini as described below:

  • EnableLdapOverSSL

    This token defines if LDAP over SSL is to be enabled for direct connection to AD

    Values: [0|1]

    Default: 0

For the LDAP over SSL functionality, the following values are required in ldapPolicy.ini:

  • LoginName
  • Password
  • Keystore
  • EnableLdapOverSSL -> This value should be set to 1.

8.4 Defects Fixed in CR07

The following LDAP authentication agent defect is fixed in the build release number 8.1.0.20517:

Problem ID Description Resolution or Comments
683 LDAP Auth Agent Down LDAP agent not accepting client requests after a user password reset is stalled or incomplete.

8.5 Defects Fixed in CR01

The following LDAP authentication agent defect is fixed in the build release number 8.1.0.19991:

Problem ID Description Resolution or Comments
595 Second Auth Agent does not automatically start as a service after install When you install two Auth agents (WINDOWS, RSA, LDAP or CERT auth agents) on the same machine, after the second auth agent installed, the installation package does not prompt for reboot (which is OK and designed that way) and also does not start up the service.


9.0 Policy Manager

9.1 Important Information

This eTrust Policy Manager from SSO 8.1 GA DVD media is made available as a separate component on SupportConnect or CA Support Online because of the following reasons:

When upgrading to SSO Server version 8.1.0.4275 (CR4, QO89643) from previous SSO 8.1 releases (GA, CR1-CR3) or any SSO 8.0 releases, eTrust Policy Manager files may be deleted if eTrust Policy Manager was installed on the same machine. When this occurs eTrust Policy Manager will no longer be available for use. This issue does not apply to eTrust Policy Manager installed on separate machine from SSO Server.

To resolve this issue apply the following steps:

  1. Obtain a copy of eTrust Policy Manager version 8.0.1088, either from a SSO 8.1 GA DVD media or from CA's SupportConnect or CA Support Online.
  2. Install eTrust Policy Manager.
  3. Depending on which version of Policy Manager you had installed on the system, you may see one of the following. (i) If you see the "Program Maintenance" dialog with the choices "Modify", "Repair" and "Remove", select the "Repair" option and follow the install wizard instructions to repair eTrust Policy Manager. (ii) If you see the upgrade message "This setup will perform an upgrade of "CA eTrust Policy Manager". Do you want to continue?", select the "Yes" option and follow the install wizard instructions to upgrade eTrust Policy Manager.
  4. Restart the SSO Server service.

    eTrust Policy Manager will now be available for use.


10.0 PSLang

10.1 Known Issues

10.1.1 PSLang-Empty Attributes Default Values

For an empty attribute provided on the command line, the value for that attribute is being taken as TRUE.

10.2 Defects Fixed in CR15

The following PSLang defect is fixed in the build release number 8.1.0.20680:

Problem ID Description Resolution or Comments
823 PSLANG supports special characters Pslang now uses double quotes for strings in command-line arguments rather than single quotes. Eg. su "user-name"

10.3 Defects Fixed in CR14

The following PSLang defect is fixed in the build release number 8.1.0.20645:

Problem ID Description Resolution or Comments
798 PSLANG - performance issue PSLANG Command: su command in PSLang 8.1.0.20442 CR5 (the original release for 8.1), the above takes 4 seconds to execute. With PSLang 8.1.0.20551 CR10, the above (CR12) takes 43 seconds to execute. You can see a noticeable pause as PSLang displays each app detail.

10.4 Defects Fixed in CR12

The following PSLang defect is fixed in the build release number 8.1.0.20564:

Problem ID Description Resolution or Comments
772 PSLANG current password checks policy The Current password field in the el command is now not checked against the password policies of the application

10.5 Defects Fixed in CR11

The following PSLang defect is fixed in the build release number 8.1.0.20555:

Problem ID Description Resolution or Comments
765 PSLANG-MSVCR71.DLL MISSING The pslang MS dependency libraries are included along with the installer

10.6 Defects Fixed in CR10

The following PSLang defect is fixed in the build release number 8.1.0.20551:

Problem ID Description Resolution or Comments
757 PSLANG EL IGNORE OPTION The PSLang tool provides the 'el' command to edit Login infos of the applications. The 'el' command is now enhanced to include two more OPTIONAL flags – ignore and checkonly. The 'el' command updates the application NEXTPASSWORD of the user constrained by the password policy that is set. Now with the new ignore flag, you can update it by-passing (ignoring) the policy. The checkonly flag ONLY checks for the password policy but doesn't update the NEXTPASSWORD. Remember the flags are meant only for the NEXTPASSWORD field and not for the CURRENTPASSWORD field.


11.0 eTrust SSO Server

11.1 Important Information

Description Comments
SEOSD.EXE MEMORY LEAK/GROWTH There is an ACEEH memory leak every time you start selang (every time it connects to the seosagent); it also happens whenever you call the host command.
MEMORY LEAK ON FAILED HOST CMD Sending an LCA host command, if the command fails (i.e. sending empty password) LCA API leaks memory.
SEADMAPI UTF8 - GETEXENTITY A problem in the seadmapi code for converting object values to UTF8 encoding.
ADDING MORE UTF8 SUPPORT Adding support for the response tab class to accept utf8 values and convert them properly.

11.2 Known Issues

11.2.1 Heartbeat check over UDP does not work

Symptom:

In a backward compatibility implementation with SSO 8.1 Server and SSO 8.0 Client, the heartbeat check over UDP does not work.

Cause:

SSO 8.0 does not support UDP for the heartbeat check. So, the SSO 8.1 Server and SSO 8.0 Client backward compatibility feature does not support heartbeat check over UDP.

Solution:

For SSO 8.1 Server and SSO 8.0 Client in a backward compatible implementation, use TCP protocol for the heartbeat check. Set the Session Management option as follows: "[r8]HeartbeatProtocol=TCP".

11.2.2 Silent installation of the SSO Server fails

Symptom:

Silent installation of the SSO Server fails with "ERROR: License Panel was not accepted" error message.

Cause:

Silent installation of the SSO Server does not accept license agreement parameter in "-W license.selection=1" format as specified in the SSO Implementation Guide.

Solution:

Pass license agreement parameter to the installer in the following format: "-W license_win.selection=1".

11.2.3 SSO client does not enforce Heartbeat Fail Behavior action if UDP protocol is used

Symptom:

SSO client does not enforce Heartbeat Fail Behavior action if UDP protocol is used for Session Management heartbeats.

Solution:

Switch communication protocol for Session Management Heartbeat messages to TCP.

11.2.4 Policy Manager reports error messages while attempting to login

Symptom:

After manual addition of a new SSO Server to a server farm, when a user logs onto the new server via Policy Manager, error messages are thrown.

Cause:

The command dbmgr -e -r -f acdump.txt exports Access Control data in an incorrect format. If the resulting selang script is used to import data into a new server, errors are reported upon logging into this server from the Policy Manager. If this script is used to import data back into the database, error messages are encountered upon logging into the Policy Manager.

Solution:

Manually modify gen_flag parameter in all chres AUTHMETHOD ("LDAP") commands in the selang script file produced by dbmgr utility before loading it into a new server.

For example,

chres AUTHMETHOD ("LDAP") gen_prop(AUTHPROVIDER_AUTH_METHOD) gen_flag(FLAG_ADD) gen_val('AUTHPROVIDER.LDAP')

command should be changed to

chres AUTHMETHOD ("LDAP") gen_prop(AUTHPROVIDER_AUTH_METHOD) gen_flag(ADD) gen_val('AUTHPROVIDER.LDAP')
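
The manual edit described in 11.2.4 can be scripted so that only the affected commands are touched. The following PowerShell is an added example, not part of the eTrust SSO documentation or tooling; the function name, the sample file and its second line are hypothetical, and the script writes a corrected copy rather than changing the dbmgr export.

```powershell
# Added example, not part of the eTrust SSO documentation.
# Rewrites gen_flag(FLAG_ADD) to gen_flag(ADD) only on chres AUTHMETHOD ("LDAP") lines.
function Repair-SelangAuthMethodFlag {
    param(
        [Parameter(Mandatory)][string]$InPath,   # script produced by: dbmgr -e -r -f acdump.txt
        [Parameter(Mandatory)][string]$OutPath   # corrected copy; the export itself is not modified
    )

    $src = (Resolve-Path -LiteralPath $InPath).ProviderPath
    $dst = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutPath)

    # Latin-1 maps each byte to one character, so everything outside the edited
    # token is written back unchanged, whatever encoding and line endings the export uses.
    $enc  = [System.Text.Encoding]::GetEncoding(28591)
    $text = [System.IO.File]::ReadAllText($src, $enc)

    # Group 1: the command up to and including "gen_flag("; group 2: the closing parenthesis.
    # "." never crosses a line feed, so each match stays inside one chres command line.
    $fix     = [regex]'(?m)^([ \t]*chres[ \t]+AUTHMETHOD[ \t]*\("LDAP"\).*?gen_flag\()FLAG_ADD(\))'
    $changed = $fix.Matches($text).Count
    $fixed   = $fix.Replace($text, '${1}ADD${2}')

    # A FLAG_ prefix still present on these lines is outside what the readme describes:
    # report it for manual review instead of guessing at a rewrite.
    $leftPattern = '(?m)^[ \t]*chres[ \t]+AUTHMETHOD[ \t]*\("LDAP"\).*gen_flag\(FLAG_'
    $left = [regex]::Matches($fixed, $leftPattern).Count

    [System.IO.File]::WriteAllText($dst, $fixed, $enc)
    [pscustomobject]@{ Output = $dst; LinesChanged = $changed; StillPrefixed = $left }
}

# Constructed sample input. Line 1 is the readme's example; line 2 is a hypothetical
# command for another AUTHMETHOD and must come through unchanged.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'acdump_sample.txt'
@'
chres AUTHMETHOD ("LDAP") gen_prop(AUTHPROVIDER_AUTH_METHOD) gen_flag(FLAG_ADD) gen_val('AUTHPROVIDER.LDAP')
chres AUTHMETHOD ("OTHER") gen_prop(AUTHPROVIDER_AUTH_METHOD) gen_flag(FLAG_ADD) gen_val('AUTHPROVIDER.OTHER')
'@ | Set-Content -LiteralPath $sample -Encoding ASCII

Repair-SelangAuthMethodFlag -InPath $sample -OutPath "$sample.fixed"
Get-Content -LiteralPath "$sample.fixed"
```

Compare the input and output files before loading the corrected script into the new server.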

11.2.5 Documentation Issues

Instructions provided on page 102 of the SSO Implementation Guide (Post Installation Configuration Options -> Add a New Server Farm Member (Windows) -> Add New Server Details to the Existing eTrust Access Control Server Farm -> To add new server details to Server1 and Server2 -> step 10) are incorrect.

On step d the correct command syntax is as follows: seosd -start

On step h the correct command syntax is as follows: selang -l -f C:\ACdata.txt

SSO Server CR8 cannot upgrade from SSO Server GA version.

11.3 Defects Fixed in eTrust SSO Server

8.1.0.4294

The following eTrust SSO Server defects are fixed in the build release number 8.1.0.4293 on Windows, 8.1.0.4293a on UNIX operating systems:

Problem ID Description Resolution or Comments Windows CR no./Build no. UNIX/Linux CR no./Build no.

1021 eTrust SSO Server generates core under heavy load such as 5000 user with each attached to 100 applications and when psbgc is running. This issue is fixed. CR21/ 8.1.0.4294 CR21/ 8.1.0.4294 on HP-UX
964 HP-UX makefile change for C++ RT consistency Avoided multiple runtime linkage CR20 / 8.1.0.4293 CR20 / 8.1.0.4293a
963 Upgrade breaks unique wd

Watchdog Service is now installed with a unique account ID in server farm setup.
Note: Copying Access Control Databases from one server to another server in a farm setup will need the Watchdog credentials reset for authentication to SSO server. Please consult CA Support for resetting Watchdog credentials.

CR20 / 8.1.0.4293 CR 20 / 8.1.0.4293a
909 Silent reauthentication on token not available on server Supporting Silent Reauthentication on Client when token is not available on server. CR19 / 8.1.0.4292 Not applicable
910 Watchdog service abends Watchdog crash with an authentication error resolved. Watchdog recovers from crash on authentication error by retry. In order to avoid authentication errors still happening, run watchdog service under different accounts. CR18 / 8.1.0.4288 CR18 / 8.1.0.4289 on HP-UX and CR18 / 8.1.0.4289 on Linux

865 Ms perfmon doesn't work with sso performance counters sso perfmon counters are unavailable for ms perfmon. CR17 / 8.1.0.4288 Not applicable
872 Policy manager fails to connect with server installed on unsupported locale environment Locale is defaulted to ENU when Server is installed on unsupported Locale environment CR17 / 8.1.0.4288 Not applicable
845 Password policy not getting ignored Password Policy is being applied even if Ignore password policy is selected in PolicyManager while updating a user password. CR16 / 8.1.0.4287 CR16 / 8.1.0.4287
810 Server hangs if audit router is down

Client requests are processed even if the audit router is down. The server retries audit logging after a retrytimeout value (configurable setting in the pslog.ini file).
New entry in etaudit parameters section in pslog.ini

  • Retrytimeout - (optional)

    The retry time out for the logger to contact the audit router in case it is down.

    Value:[time in seconds]

    Default:1200

CR15 / 8.1.0.4286 Not applicable
815 No info available to client when applications with missing scripts are accessed Information prompted to client in case an application with a non-existent script is run CR15 / 8.1.0.4286 Not applicable
829 Server supports special char set The application password is now checked against the set of Special Characters as PWDPOLICY in Access Control. CR15 / 8.1.0.4286 Not applicable
798 Pslang - performance issue PSLANG Command: su command in PSLang 8.1.0.20442 CR5 (the original release for 8.1), the above takes 4 secs to execute. With PSLang 8.1.0.20551 CR10, the above (CR12) takes 43 secs to execute. You can see a noticeable pause as PSLang displays each app detail. CR14 / 8.1.0.4285 CR14 / 8.1.0.4285 on Linux
720 SSO DATA MIGRATION FROM 7.0 TO 8.1

The MigrateLoginInfo tool has the following new options:
MigrateLoginInfo [options]

Where options are:

  • -in

    Input LDIF file

  • -ver

    SSO version of input selang

  • -file

    acceptable values are 7.0 or 8.0 (default: 8.0)

  • -out

    Output LDIF file

    Default: MigrateLoginInfo.ldif

  • -ds

    The name of the LDAP datastore

    default: ps-ldap

  • -dsbase

    Base Path of the LDAP datastore

    default: o=PS

  • -liroot

    The DN where the 'LoginInfos' container should be created

    default: o=PS

Example syntax:

java -classpath . MigrateLoginInfo -in d:\xfer\psdump70.ldif -out d:\xfer\out.txt -ver 7.0 -ds AD_ETRUST -dsbase cn=Users,dc=sso,dc=ca,dc=local

or

java -classpath . MigrateLoginInfo -in d:\xfer\psdump70.ldif -out d:\xfer\out.txt -ver 7.0 -ds AD_ETRUST -dsbase cn=Users,dc=sso,dc=ca,dc=local -liroot O=OtherPS

CR12 / 8.1.0.4281e Not applicable
736 PM new user attributes New users created in esso 8.1 always get the attributes Password Synchronization Enabled and Passwords Generation Enabled checked. If a new user is created in the ps-ldap user store through the policy manager gui and those two attributes are un-checked, the user will still be created with those 2 attributes checked. CR08 / 8.1.0.4281 CR12 / 8.1.0.4281c
737 SSO Server 8.1 auditing SSO server 8.1 sp1 cr6 + audit 8.0 cr2 messages incorrectly displayed in nteventlog: the description for event id ( 4096 ) in source ( etrust sso server ) cannot be found. CR08 / 8.1.0.4281 Not applicable
738 Watchdog svc has invalid http Firefox is not showing output from the watchdog http port. According to the RFC there must be an extra CRLF there. Another possible incompatibility issue is the "Content-Type" field which is always set to 198 bytes regardless of whether the watchdog uses default response strings or customized values from registry CR08 / 8.1.0.4281 CR12 / 8.1.0.4281c
740 PSBGC: KeyFile not created

Edit PsBgc.ini:
[PsBgc]
KeyFileName = C:\PolSrv.key (or /PolSrv.key on unix)
Run:
psbgc -a ps-bgc -p
Error message indicates incorrect password.
A key file should be created at the specified location.
Whether the psbgc utility succeeds in connecting and caching the application lists or not, the KeyFile is not created.

Not applicable CR07 / 8.1.0.4279e
391 Memory leaks in embedded CA Access Control SSO Server Watchdog logins to the SSO Server cause Access Control ACEEH handles to grow continually. CR06 / 8.1.0.4279a Not applicable
691 Server Farm replication fails with fresh 8.1.0.4278A (CR5) Fresh installation of SSO Server 8.1.0.4278a (CR5) in a homogeneous server farm scenario failed to replicate application within the server farm. This does not happen in upgrade from previous SSO Server versions scenario. CR06 / 8.1.0.4279a Not applicable
660 Password with "#" for ps-admin during SSO Server install does not work During the PS install, if the input ps-admin password contains the "#" character, the password cannot be recorded correctly in the eAC database. If the user tries to use the password to log in to PS, it will fail. CR05 / 8.1.0.4278a CR05 / 8.1.0.4278a
657 PM does not work after SSO 8.1CR4 Server upgrade If PM was installed on the same machine as SSO Server, upgrading the SSO 8.1 Server from previous SSO 8.1 releases (GA, CR1 and CR2) or any SSO 8.0 releases to SSO 8.1 CR4 Server (8.1.0.4275) will cause SeAm.exe (Policy Manager) to be removed from the system. CR05 / 8.1.0.4278a Not applicable
650 MigrateUsers.class cannot deal with LOGONNAME containing space If a user has an application loginname that contains a space character, the eTssoLoginID will disappear from the MigrateUsers.ldif file after running the MigrateUser tool. CR05 / 8.1.0.4278a CR05 / 8.1.0.4278a
675 MsgFileName case sensitive on UNIX causes error

A fresh (not upgrade) installed SSO Server on UNIX will not be able to retrieve error message description, only the numeric error code will display. User will also get the "Error message could not be retrieved" message instead of the real error message descriptions.

Cause of the problem is the ENU.msg filename on UNIX is "enu.msg" in lowercase. If in Psbgc.ini file, the following token is set to:
MsgFileName = ENU.msg
UNIX platforms will not be able to find the ENU.msg.

Not applicable CR05 / 8.1.0.4278a
674 Non-ASCII character set in application "caption" cause error Using non-ASCII character set in application "caption" property generates errors. Not applicable CR05 / 8.1.0.4278a
653 Large SSO Script fails on SSO 8.1 CR3 Server Running a large size SSO Script fails on SSO 8.1CR3 Server b8.1.0.4268. CR04 / 8.1.0.4275 Not applicable
609 Non-ASCII characters are not displayed in the client application list The SSO application list does not display applications that contain non-ASCII characters in the name. This occurs after an application refresh is conducted on the user's application list. CR04 / 8.1.0.4275 CR04 / 8.1.0.4273
624 Sensitive Application not force Re-Authentication

Using Sensitive applications with WIN Auth method in SSO 8.1 and with the following settings in auth.ini file:
[auth.win]
AutoNetworkAuth=Yes
When the sensitive timeout has expired, if the user tries to run the Sensitive application, it does not prompt for re-authentication.

It does not behave the same as in SSO 8.0.

The fix for this problem involves both SSO Server and Client. To resolve this problem, SSO 8.1 CR3 or later Client must be applied along with SSO 8.1 CR3 SSO Server or later.

CR03 / 8.1.0.4268 CR04 / 8.1.0.4273
631 Change Password Error The password of the user missing on the SSO 6.5 side of the MVSF cannot be changed using the (8.1) client. An error message is displayed. CR02 / 8.1.0.4265 Not applicable
632 MVSF Kills 8.1 Server Using MVSF functionality to send cross data-store (different data-store type) requests results in SSO 8.1 server process termination. CR02 / 8.1.0.4265 Not applicable
633 MVSF Error Message on Password Change notify fail "unable to fetch error description" error message pops up when password change notify fails. CR02 / 8.1.0.4265 Not applicable


12.0 Session Administrator

12.1 Defects Fixed in CR03

The following application wizard defect is fixed in the build release number 8.1.0.20302:

Problem ID Description Resolution or Comments
604 Installation Failure on Non-English OS The SSO Session Administrator installation fails on non-English versions of Windows 2003. This problem has been reproduced on the German and Portuguese versions of Windows 2003.


13.0 Password Synchronization Agent

13.1 Important Information

13.2 Defects Fixed in CR21

The following password synchronization agent defect is fixed in the build release number 8.1.0.20807:

Problem ID Description Resolution or Comments
1022 The PSA caches the eTrust SSO Server hostname-IP address binding. So, if there is a change to the IP address or to the hostname mappings, the synchronization fails. Reboot the Active Directory computer for the PSA to pick up the changes to the hostname or IP address of the eTrust SSO Server.

This issue is fixed. To communicate changes in the hostname or IP address of the eTrust SSO Server to the PSA, do the following:

Set the registry key CacheServerInfo to No. The CacheServerInfo key is found at the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustSSO\PSA\PolicyServer

When you set this key to No, and a password change occurs in the Active Directory, the PSA gets the latest IP address binding and updates the password change to the eTrust SSO Server with the latest IP address binding without having to reboot the Active Directory server.

If you have set the PollConfiguration registry key to Yes and CacheServerInfo to No, the PSA gets the latest eTrust SSO Server IP address mapping once every poll interval. Any password changes between two poll intervals are updated to the eTrust SSO Server at the IP address retrieved during the first poll.

Note: The PollInterval and PollConfiguration registry keys are found at the same path as the CacheServerInfo key.

13.3 Defects Fixed in CR20

The following password synchronization agent defect is fixed in the build release number 8.1.0.20799:

Problem ID Description Resolution or Comments
832 Password filter blocks password changes to the Directory Services Restore Mode (DSRM) administrator account using ntdsutil command. This issue is fixed. The password filter no longer blocks password changes for the DSRM administrator account.

13.4 Defects Fixed in CR12

The following password synchronization agent defect is fixed in the build release number 8.1.0.20564:

Problem ID Description Resolution or Comments
771 Windows Password Sync Agent raises an exception error in the log file. Exceptions generated in the log file while re-initialization within pollinterval are avoided. It will prevent AD to perform. Machine need to be rebooted.

13.5 Defects Fixed in CR07

The following password synchronization agent defect is fixed in the build release number 8.1.0.20517:

Problem ID Description Resolution or Comments
723 Win PSA filter cannot change windows user passwords with no access to domain sync app. Changes made in the PSA filter so that the AD user password change is allowed to proceed in the event that a user found in the SSO Server doesn't have a sync application assigned (a warning is also logged).

13.6 Defects Fixed in CR04

The following password synchronization agent defect is fixed in the build release number 8.1.0.20329:

Problem ID Description Resolution or Comments
658 PSA Installation failed with Communication Exception messages displayed in the install wizard while the install log file contains a Null Pointer Exception message but not the Communication Exception messages. The Null Pointer Exception is ambiguous and misleading. The actual problem is that the PSA installation failed to communicate (using SSL) with AD due to incorrect install parameters provided. The correct installation failure message, Communication Exception, should be written to the install log file.

13.7 Defects Fixed in CR02

The following password synchronization agent defect is fixed in the build release number 8.1.0.20267:

Problem ID Description Resolution or Comments
606 Password Synchronization Agent blocks Active Directory password change if the SSO Server is down.

A new configuration option, AllowPwdChangeOnServerDown, has been added to the PolicyServer section. If an SSO environment has the Windows Password Synchronization Agent installed between Active Directory and the SSO Server and the SSO Server goes down, the Active Directory administrator can no longer:

  • Change an existing user's password
  • Add any new users

By adding the registry value above (type DWORD, value must be 1), this behaviour can be overridden. Active Directory will be allowed to change the password or add the user, and the SSO Server will not be updated (it is down).
In such a situation, an error will be reported and can be viewed in the Windows Event Viewer. Its source will be WinPSAFilter and it will read: Password change for user (username) cannot be written to SSO Server. Active Directory has been updated and is now out of sync with SSO Server. Reason: Cannot communicate with SSO Server.
The behaviour will be unaffected if the registry value is missing, set to 0 or any value other than 1.
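With the override set, every password change made while the SSO Server is down leaves an account out of sync, so the WinPSAFilter errors are the list of accounts to reconcile. The following added example (not CA's code) builds that list from exported events; the event dict layout and sample events are constructed, and it assumes the account name appears where the readme shows "(username)".

```python
import re

# Message wording from the readme. Assumption: the agent puts the account name
# where the readme shows "(username)", with or without the parentheses.
OUT_OF_SYNC = re.compile(
    r"Password change for user \(?(?P<user>[^()]+?)\)? cannot be written to "
    r"SSO Server\..*?Reason: (?P<reason>.+?)\.?\s*$",
    re.DOTALL,
)

TEXT = ("Password change for user {} cannot be written to SSO Server. "
        "Active Directory has been updated and is now out of sync with "
        "SSO Server. Reason: Cannot communicate with SSO Server.")

# Constructed sample events; the dict layout is a hypothetical export format.
SAMPLE_EVENTS = [
    {"time": "2010-03-02T09:14:05", "source": "WinPSAFilter", "message": TEXT.format("jdoe")},
    {"time": "2010-03-02T09:20:41", "source": "WinPSAFilter", "message": TEXT.format("(ASmith)")},
    {"time": "2010-03-02T09:31:10", "source": "Netlogon", "message": "unrelated event"},
    {"time": "2010-03-02T10:02:33", "source": "WinPSAFilter", "message": TEXT.format("JDoe")},
]


def override_active(dword_value):
    """Only a value of exactly 1 enables the override; missing (None), 0 or
    anything else leaves password changes blocked while the server is down."""
    return isinstance(dword_value, int) and dword_value == 1


def resync_backlog(events):
    """Map each account changed in AD only to its count, last time and reason."""
    backlog = {}
    for event in sorted(events, key=lambda e: e["time"]):
        if event["source"] != "WinPSAFilter":
            continue
        match = OUT_OF_SYNC.search(event["message"])
        if match is None:
            continue
        user = match.group("user").strip().lower()
        entry = backlog.setdefault(user, {"changes": 0})
        entry["changes"] += 1
        entry["last_seen"] = event["time"]
        entry["reason"] = match.group("reason")
    return backlog


if __name__ == "__main__":
    for user, entry in resync_backlog(SAMPLE_EVENTS).items():
        print(user, entry)
```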


14.0 Web Agent for IIS 5 and IIS 6

14.1 Important Information

This r8.0 IIS SSO Web Agent (8.0.0.4203) is certified for use only with the eTrust SSO r8.1 Server and IIS 5 and 6 web servers.
This release supports Internet Explorer 6 and 7. The Firefox web browser is not supported. This release supports the following authentication methods only: LDAP, NT, NTLM, SSO.

14.2 Support and Documentation Notes

eTrust Siteminder is the product to use if you are looking to implement web server resource protection.

This eTrust SSO IIS Web Agent is the component to use if you are looking to implement forms-based authentication with the IIS Web Server.

eTrust Single Sign-On r8 should not be used to provide web server resource-protection. Previous releases of the eTrust Single Sign-On (and Web Access Control) products provided Web Agents that provided both resource protection and forms-based authentication. The eTrust Single Sign-On r8 Web Agents should not be used for web server resource protection - web server resource protection functionality has been deprecated in the r8 version of the SSO product.

The SSO Web Agent r8 Implementation and Administrator Guides have been provided with this Cumulative Release - only information specifically pertinent to the Web Agent is relevant. This documentation is being provided to assist the implementation and configuration of the Web Agent only. The r8 SSO Web Agent was not released as a GA product but the documentation relating to the Web Agents in Ch7 of the Implementation Guide and Ch9 of the Administrator Guide should be read before deploying this Web Agent.

14.3 Known Issues


15.0 Windows Authentication

15.1 Co-existence support for SSO 8.1 and 8.0 WIN Auth Agent for Backward Compatibility

If you are using SSO r8 clients working in backward compatible mode with SSO 8.1 server as well as 8.1 clients working against the same server, you must deploy both 8.0 and 8.1 Windows auth agents in your SSO environment.

For backward compatibility involving Windows Authentication Agents, it may be necessary to install the SSO r8 Windows Auth Agent and the SSO r8.1 Windows Auth Agent on the same machine. If you want to do so, you will need to use SSO 8.1 CR5 Windows Auth Agent or later. Changes have been made to the SSO 8.1 Windows Auth Agent to allow it to co-exist with SSO 8.0 Windows Auth Agent.

Note that for interactive installation of SSO 8.1 Windows Auth Agent for co-existence, select the Co-existence option and follow the install wizard. For silent install, specify the following command line option:

-V IS_COEXISTENCE=true/false

Default: false

15.2 Defects Fixed in CR17

The following authentication agent defect is fixed in the build release number 8.1.0.20742:

Problem ID: 877
Description: Unable to authenticate using Windows Authentication agents due to named pipe timeouts.
Resolution or Comments:

This issue is fixed. A new entry, NamedPipeTimeout, is added to the Connection section of the CA_wintga.ini file of the WinAuth Agent.

  • NamedPipeTimeout

    Specifies the time in seconds when a named pipe connection times out.

    Default: 1 second

    Note: The value for NamedPipeTimeout must be the same as the ConnectionTimeout value in the Auth.ini file on eTrust SSO Client.
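A consistency check for the note above, as an added example that is not CA's code: it compares NamedPipeTimeout in CA_wintga.ini with ConnectionTimeout in Auth.ini and applies the 1-second default when the agent entry is absent. The readme does not name the Auth.ini section, so the [Network] section in the sample is a placeholder and every section is searched; the file contents are constructed.

```python
import configparser

# Constructed sample file contents (not taken from a real installation).
SAMPLE_WINTGA = "[Connection]\nNamedPipeTimeout=5\n"
# Assumption: "[Network]" is a placeholder section name for Auth.ini.
SAMPLE_AUTH = "[Network]\nConnectionTimeout=1\n"

DEFAULT_PIPE_TIMEOUT = 1  # seconds, the default stated in the readme


def load_ini(text):
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(text)
    return parser


def find_seconds(parser, option, only_section=None):
    """Return {section: seconds} for every section that sets `option`."""
    found = {}
    for section in parser.sections():
        if only_section and section.lower() != only_section.lower():
            continue
        if parser.has_option(section, option):  # option names are case-insensitive
            raw = parser.get(section, option)
            if raw is None or not raw.strip().isdigit():
                raise ValueError(f"[{section}] {option} is not whole seconds: {raw!r}")
            found[section] = int(raw.strip())
    return found


def check_timeouts(wintga_text, auth_text):
    """Return a list of findings; an empty list means the two files agree."""
    agent = find_seconds(load_ini(wintga_text), "NamedPipeTimeout", "Connection")
    pipe = next(iter(agent.values()), DEFAULT_PIPE_TIMEOUT)
    client = find_seconds(load_ini(auth_text), "ConnectionTimeout")
    if not client:
        return [f"Auth.ini sets no ConnectionTimeout; agent NamedPipeTimeout is {pipe}s"]
    return [f"Auth.ini [{s}] ConnectionTimeout={v}s differs from NamedPipeTimeout={pipe}s"
            for s, v in client.items() if v != pipe]


if __name__ == "__main__":
    for finding in check_timeouts(SAMPLE_WINTGA, SAMPLE_AUTH):
        print(finding)
```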

 

15.3 Defects Fixed in CR14

The following authentication agent defect is fixed in the build release number 8.1.0.20645:

Problem ID: 800
Description: Error with auth agent
Resolution or Comments:

During heavy load, the named pipe breaks, so requests from the client fail and the user cannot authenticate and therefore cannot log in to SSO. The fix recreates the named pipe if an error with an error code between 20 and 29, or error code 61, occurs; these errors are caused by problems with the named pipe.

 

15.4 Defects Fixed in CR05

The following authentication agent defect is fixed in the build release number 8.1.0.20442:

Problem ID: N/A
Description: Co-existence support for SSO 8.1 and 8.0 WIN Auth Agent for Backward Compatibility
Resolution or Comments: Implementation of the Co-existence support for SSO 8.1 and 8.0 WIN Auth Agent for Backward Compatible implementation for SSO 8.1 Server (CR5 build 8.1.0.4278a or later) and SSO 8.0 Client (build 8.0.0.629 or later).

15.5 Defects Fixed in CR01

The following authentication agent defect is fixed in the build release number 8.1.0.19991:

Problem ID: 595
Description: Second Auth Agent does not automatically start as a service after install
Resolution or Comments:

When you install two auth agents (WINDOWS, RSA, LDAP or CERT auth agents) on the same machine, after the second auth agent is installed, the installation package does not prompt for a reboot (which is OK and by design) and also does not start the service.

 


16.0 Contact Technical Support

For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At http://ca.com/support, you can access the following:

Provide Feedback

If you have comments or questions about CA product documentation, you can send a message to techpubs@ca.com.

If you would like to provide feedback about CA product documentation, complete our short customer survey, which is also available on the CA Support website, found at http://ca.com/docs.


Copyright © 2010 CA. All rights reserved.