Interested in previous years' release notes? See last year's ADI Release Notes 2023. Alternately, see 黑料海角91入口's Feature Release Notes.
2024-12-11 ADI Release Notes
AD Import Agent v3.10.0
Bug Fix
- The ADI import agent no longer queries AD for the additional attributes if the SyncAdditionalAttributes setting is false.
- Previously, the ADI import agent queried AD for the additional attributes when the SyncAdditionalAttributes setting was false, even though it was not syncing those attributes to JC.
2024-12-10 ADI Release Notes
AD Import Agent v3.9.0
Bug Fix
- The ADI import agent jspasswordfilter.dll no longer causes the DC to crash when a password with the maximum characters supported by Windows is set in AD.
Note: Maximum password length supported in 黑料海角91入口 is 64 characters. Any password longer than 64 characters will result in a password update failure.
2024-11-19 ADI Release Notes
AD Sync Agent v4.20.0
Rollback of v4.19.0 changes
Bug Fix
- The AD sync agent logs no longer include the 502 unexpected content-type error “error: code = Unavailable desc = unexpected HTTP status code received from server: 502 (Bad Gateway); transport: received unexpected content-type”
2024-11-11 ADI Release Notes
Re-release of AD Sync Agent v4.17.0
Bug Fixes
- In the Manage users and passwords in 黑料海角91入口, AD or both (bi-directional sync) and Manage users and passwords in 黑料海角91入口 (one-way sync from 黑料海角91入口 to AD) deployment configurations, users that are in a nested OU can now be added to security groups in AD from 黑料海角91入口. These users can only be removed from an ADI specific security group named “黑料海角91入口” and security groups nested underneath that security group.
2024-11-07 ADI Release Notes
Rollback of ADI Sync Agent v4.19.0
The Active Directory Integration (ADI) sync agent v4.19.0 was rolled back and v4.15.0 was re-released. The rollback is due to users being removed from all groups in AD that are not associated (bound) to the ADI integration in 黑料海角91入口. This behavior can cause these users to lose access to some AD managed resources.
We rolled back to 4.15.0 to remove all group syncing related changes. We did this out of an abundance of caution.
If you are using v4.17.0 and are not experiencing issues, you do not need to roll back. We will re-verify v4.17.0 and release it again, as long as the behavior that resulted in this rollback does not exist.
To downgrade from v4.19.0 to 4.15.0 do the following:
- Log in to the 黑料海角91入口 admin portal and navigate to the ADI configuration for your AD domain.
- From the Download section, select Install New Agent in the sync agent row and click Download Sync Agent.
- Either leave the window with the connect key open or copy and store the connect key.
- Log in to the AD server where the sync agent is installed
- Upload the sync agent you downloaded
- Stop the AD sync service, “黑料海角91入口 AD Integration Sync Agent”
- Uninstall the AD sync agent
- Run the 4.15.0 sync agent installer
- Paste in the connect key
- Repeat this on all servers where the 4.19.0 sync agent is installed
2024-10-29 ADI Release Notes
AD Import Agent v3.7.0
New configuration setting, SyncAdditionalAttributes, enables the syncing of additional user attributes from AD to 黑料海角91入口:
The new setting, SyncAdditionalAttributes, has been added to the jcadimportagent.config file which controls whether or not additional user attributes sync from AD to 黑料海角91入口.
- The additional attributes that can now optionally sync from AD to 黑料海角91入口 are:
- Display Name
- Description
- JobTitle
- Department
- Company
- Location
- EmployeeType
- PhoneNumbers
- Addresses
- Manager
- This setting is automatically added to the jcadimportagent.config file for both net new ADI import agent installations and upgrades of existing ADI import agents
- For net new ADI import agent installations, the default value for this setting is true, meaning the additional attributes will sync
If you are adding a new AD server to an existing AD environment with 黑料海角91入口 ADI installed, you will need to make sure this setting matches across your existing servers and this new server.
- For existing ADI import agent installations, the default value for this setting is false, meaning the additional attributes will not sync
- This default value ensures there is no unexpected change in behavior for existing installations
- If the setting is not present in the jcadimportagent.config file, the value will be considered false
- If you have existing ADI import agent installations and want to sync these additional attributes, you will need to edit the jcadimportagent.config file and manually set the value to true
- When SyncAdditionalAttributes is set to true, any values that exist in 黑料海角91入口 for these additional attributes will be overwritten
To avoid any access disruption when SyncAdditionalAttributes is set to true, update your dynamic group rules to include values that will come from AD.
2024-10-03 ADI Release Notes
AD Sync Agent v4.19.0
Bug Fix
- In the Manage users and passwords in 黑料海角91入口, AD or both (bi-directional sync) and Manage users and passwords in 黑料海角91入口 (one-way sync from 黑料海角91入口 to AD) deployment configurations, users can now be removed from any security group except the main ADI group (e.g., “黑料海角91入口” or “黑料海角91入口 (mydomain1)”)
2024-09-20 ADI Release Notes
Admin Portal
Users page
- Password status is “Delegated” with sub-text “Managed by AD” when the user’s delegated authority is set to Active Directory
2024-09-04 ADI Release Notes
Admin Portal
Bug Fixes
- Delete confirmation is shown after clicking the delete button for an ADI domain configuration:
- Delete button on the ADI domain configuration screen was updated to have a red outline
- Users page More Actions menu option for setting the delegated authority on a user record was renamed to Set Delegated Authority
ADI Service
- User login no longer fails once the user is disassociated (unbound) from all but one delegation-enabled ADI domain
AD Sync Agent v4.17.0
Bug Fixes
- In the Manage users and passwords in 黑料海角91入口, AD or both (bi-directional sync) and Manage users and passwords in 黑料海角91入口 (one-way sync from 黑料海角91入口 to AD) deployment configurations, users that are in a nested OU can now be added to security groups in AD from 黑料海角91入口. These users can only be removed from an ADI specific security group named “黑料海角91入口” and security groups nested underneath that security group
2024-08-19 ADI Release Notes
Admin Portal
- New UI and experience for adding, managing, and using the ADI:
- Provides guidance through the installation process, better visibility into the configuration settings, and greater prominence of the information needed to monitor and manage the integration
- New ADI configuration settings:
- Delegated Password Validation - default setting for enabling and disabling delegated authentication to AD for users imported from AD to 黑料海角91入口 (applicable in the Manage users and passwords in either system or both and Manage users and passwords in Active Directory deployment configurations)
- Externally Managed Password and Attributes - default setting for restricting and unrestricting changes to ADI synced user attributes and user password within the 黑料海角91入口 Admin Portal and the 黑料海角91入口 User Portal. This is a read-only setting
- Enable groups and memberships management - default setting controlling whether groups and group memberships are synced from 黑料海角91入口 to AD when a sync agent is installed on an AD server (applicable in the Manage users and passwords in either system or both and Manage users and passwords in 黑料海角91入口 deployment configurations). This is a read-only setting
- Provision Staged Users - default setting controlling whether a staged user is synced from 黑料海角91入口 to AD when a sync agent is installed on an AD server (applicable in the Manage users and passwords in either system or both and Manage users and passwords in 黑料海角91入口 deployment configurations). This is a read-only setting
- Option to automatically update the delegated authority setting for user(s).
- This option is presented when the following actions are taken and includes a list of important factors to consider when making your selection:
- on save after delegated authentication is enabled or disabled in the ADI configuration
- when an ADI AD domain is deleted
- when a user has direct access granted to or removed from a delegation-enabled AD domain
- when a user has access granted to or removed from a user group that has access to a delegation-enabled AD domain
- when a user group has access granted to or removed from a delegation-enabled AD domain
- Agent download options in the ADI Configuration:
- Update Existing Agent downloads the agent installer without generating a new agent connect key
- Install New Agent downloads the agent installer and provides a new connect key which must be used within 7 days
- Ability to set a delegated authentication Delegated Authority for an individual user.
- New Delegated Authentication section with a Delegated Authority setting in the User Security Settings and Permissions section on the Details tab of the User page
- Confirmation modal explaining the implication of the change shows when the Delegated Authority is changed.
- Delegated Authentication shows under Security status in the left pane of the User panel when the Delegated Authority setting is Active Directory
- Ability to set a delegated authentication Delegated Authority for multiple users at once:
- New Set Delegated Password Authority option in the More Actions menu on the Users Page
- Visibility into which users have delegated authentication enabled from the Users page:
- Password status shows “Delegated” for users that have a Delegated Authority set to Active Directory
- New Delegation ENABLED label added when delegation is enabled and active for an ADI AD Domain:
- Directories List - Label added to the AD domain name in Directories lists
- User groups - Resources list in the User group drop down in Users page
- Staged user - resources section showing AD delegation enabled label
- New and updated DI events
Event | Description | Change |
---|---|---|
user_login_attempt | Logs every time a user tries to log in to a 黑料海角91入口 managed resource | JSON includes a new field “password_delegated_authority” in the auth_context when the user’s login is delegated to AD for authentication: `"auth_context": { "auth_methods": { "password": { "success": true } }, "password_delegated_authority": "ActiveDirectory" },` |
association_change | Logs every time two resources are associated (bound) or disassociated (unbound). | Logged when a user is associated (bound) to or disassociated (unbound) from a delegation-enabled AD domain. Logged when a user group is associated (bound) to or disassociated (unbound) from a delegation-enabled AD domain. |
user_delegated_authority_update | Logs when a change is made to the Delegated Authority setting on the User record. | New DI event |
activedirectory_domain_delegated_password_change | Logs when the delegated authentication setting Delegated Password Validation in the ADI configuration is changed | New DI event |
End User experience
- Existing AD users imported from AD to 黑料海角91入口 no longer have to reset their password in AD to log in to 黑料海角91入口 managed resources when delegated authentication is enabled for them:
- If the import agent is installed on DCs, the password is stored in 黑料海角91入口 after the initial log in. The stored password is synced to other resources and can be used to log in to resources that don’t support delegated authentication to AD, such as Cloud RADIUS and Cloud LDAP, and
- If the import agent is installed on AD member servers, the password is never stored in 黑料海角91入口
- Users associated with a delegation-enabled ADI AD domain and with their Delegated Authority set to Active Directory will receive a new AD welcome email
ADI Service
- When multiple AD import agents are installed, one is designated as the primary agent by the ADI service. All delegated authentication requests are sent to that agent. If that agent becomes unavailable, another active import agent is automatically designated as the primary agent by the ADI service
黑料海角91入口 v2 API
- Updated the /activedirectories endpoint to support setting and unsetting delegated authentication as well as setting and changing the deployment configuration in the ADI configuration for a specific AD domain. The newly added parameters are:
- delegationState
- useCase
- Updated the /activedirectories/{id} endpoint to support setting and unsetting delegated authentication as well as setting and changing the deployment configuration in the ADI configuration for a specific AD domain. The newly added parameters are:
- delegationState
- useCase
End user schema model
- Added delegated_authority to the
- Delegated authentication set on the user: "delegatedAuthority": {"name": "ActiveDirectory"}
- Delegated authentication unset on the user: "delegatedAuthority" : null
AD Import Agent v3.0
Installer changes
- Reordered the installer screens
- Added support for new format of the API key
- Added a new step for entering the import agent connect key
- An import agent connect key is now required when installing the import agent on a new AD server.
- Upgrades to import agent v3.0 and higher will not prompt for the connect key. The stored connect key will be used.
- A connect key is required when upgrading from import agent v2.6.0 or lower
Logs
- New delegated authentication specific log file 黑料海角91入口_AD_Import_Grpc.log. The log file is located in the AD import agent installer folder that was specified during installation. The default location for the installer folder is 黑料海角91入口\AD Integration\黑料海角91入口 AD Import
Functionality
- Added support for delegated authentication from 黑料海角91入口 to AD using mTLS
- Connect key is stored in the registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\黑料海角91入口\AD Integration Import Agent\connect_key
AD Sync Agent v4.15.0
- No functionality changes
- Minor changes related to the agent deployment process
2024-03-21 ADI Release Notes
AD Sync Agent v4.11.1
Bug fix
- AD Sync Agent replaced sAMAccountName (SAM) with UserPrincipalName (UPN) even when the AD Import Agent was configured to use the UPN instead of the SAM for the username value
Installer changes
- Logo update
2024-02-06 ADI Release Notes
Admin Portal
New ADI Directory Insights (DI) Events
DI Event | Description | Notes |
---|---|---|
activedirectory_agent_inactive | Logged when an agent is marked as inactive. This occurs when the agent stops responding to the heartbeat check or the agent service is stopped on the server. | New event |
activedirectory_agent_active | Logged when an agent successfully registers for the first time. | New event |
activedirectory_primary_agent_switch | Logged when an agent is marked as the primary agent if a primary doesn’t exist or the agent that was primary becomes inactive. | Updated to include hostname, version, source_ip, host_type, host_os_version |
activedirectory_agent_activate | Logged when an agent becomes active from an inactive state. | Updated to include hostname, version, source_ip, host_type, host_os_version |
Additional information captured in ADI Directory Insights (DI) Events
- host_type and host_os_version logged in all ADI import and sync agent DI events
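
The DI events listed in the 2024-08-19 and 2024-02-06 notes can be monitored together, since they record changes to where passwords are verified and which agent host serves delegated authentication. The following is an added example, not vendor code: it triages a newline-delimited JSON export of DI events. The `event_type` and `username` field names, a `"success": false` value for failed logins, the export format and the failure threshold are assumptions; event names and the `auth_context` layout are taken from the tables on this page.

```python
import json
from collections import Counter
# Event names and the auth_context layout come from the release-note tables.
# "event_type" and "username" are assumed field names; input is assumed NDJSON.
CONFIG_EVENTS = {"user_delegated_authority_update",
                 "activedirectory_domain_delegated_password_change"}
AGENT_EVENTS = {"activedirectory_agent_inactive", "activedirectory_primary_agent_switch"}

def triage(raw, fail_threshold=3):
    """Return (kind, detail) findings for delegation-related DI events."""
    findings, failures = [], Counter()
    for line in filter(str.strip, raw.splitlines()):
        try:
            ev = json.loads(line)
            etype = ev.get("event_type")
        except (json.JSONDecodeError, AttributeError):
            findings.append(("unparsed", line[:40]))  # keep for manual review
            continue
        if etype in CONFIG_EVENTS:  # where passwords get verified has changed
            findings.append(("delegation_change", etype))
        elif etype in AGENT_EVENTS:  # host serving delegated auth may have moved
            findings.append(("agent_state", f"{etype}:{ev.get('hostname', '?')}"))
        elif etype == "user_login_attempt":
            ctx = ev.get("auth_context") or {}
            pw = (ctx.get("auth_methods") or {}).get("password") or {}
            delegated = ctx.get("password_delegated_authority") == "ActiveDirectory"
            if delegated and pw.get("success") is False:
                failures[ev.get("username", "?")] += 1
    findings += [("delegated_login_failures", f"{u}:{n}")
                 for u, n in sorted(failures.items()) if n >= fail_threshold]
    return findings

def _login(user, ok, delegated=True):
    ctx = {"auth_methods": {"password": {"success": ok}}}
    if delegated:
        ctx["password_delegated_authority"] = "ActiveDirectory"
    return {"event_type": "user_login_attempt", "username": user, "auth_context": ctx}

# Constructed sample data, not real log output; the last line is deliberately broken.
SAMPLE = "\n".join(json.dumps(e) for e in [
    _login("alice", True), _login("carol", False, delegated=False),
    _login("bob", False), _login("bob", False), _login("bob", False),
    {"event_type": "user_delegated_authority_update", "username": "bob"},
    {"event_type": "activedirectory_agent_inactive", "hostname": "dc01"},
    {"event_type": "activedirectory_primary_agent_switch", "hostname": "dc02"},
]) + "\n{truncated"

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
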
AD Import Agent v2.6.0
Installer changes
- The installation wizard no longer prompts for selecting LDAPS or LDAP when installing the agent on a domain controller (DC)
Logging changes
- LDAPS error suppressed in event log when LDAP allowed
AD Sync Agent v4.10.0
Installer changes
- The installation wizard no longer prompts for selecting LDAPS or LDAP when installing the agent on a domain controller (DC)
Logging changes
- Email and username added back to the sync agent logs
- LDAPS error suppressed in event log when LDAP allowed