What's New in Adaxes 2019.2

---

We are constantly working to improve Adaxes, and here is an overview of what we have added in version 2019.2. This time we mainly focused on security-relevant aspects and have introduced another authentication factor for self-service password reset, two-factor authentication for Web Interface, auditing of sign-in activities and new notification capabilities for approval-based workflows.

Here’s more about what’s new in Adaxes 2019.2.

Authenticator app verification for self-password reset

We've added the option to use a mobile authenticator app as a verification method for self-service password reset. With this option enabled, users will be required to open the app on their mobile phone (or any other device) and enter the code displayed in the app to verify their identity.

Unlike SMS messages, authenticator apps run locally on the user's device which means that verification codes can't be intercepted on the phone network, code generation is instant and does not require an Internet connection or mobile service.

Adaxes supports the following authenticator apps:

•   Google Authenticator
•   Microsoft Authenticator
•   Okta Verify
•   OneLogin Protect
•   Authy
•   Auth0 Guardian
•   Duo Mobile

When the new authentication method is enabled, users will be prompted to enroll for password self-service and setup the authenticator app. The process is simple and will only require the user to install the app on their device and then activate it by scanning a QR code.

If a user loses their mobile device or gets a new one, they will need to re-activate the authenticator app on the new device. This can be done one of three ways: transfer the activation to the new device by means of the app itself (provided it supports that), reset the app activation using the Reset multifactor authentication operation in Adaxes, or use the Change device option in the Web Interface for self-service. For more details, see Reset authenticator app.

The Change Device option

Password self-service enrollment

We have also improved the user experience during enrollment for password self-service. We have made it a step-by-step process with clear and simple instructions that are easy to follow. To make sure mobile phone numbers are entered correctly, we have added an SMS verification step to it.

And now you have the option to remove the Disenroll link from the Password Self-Service card.

Two-factor authentication for Web Interface

We've added the ability to use time-based one-time password verification (via Google Authenticator and other similar apps) as an authentication factor for the Username/Password authentication type in the Web Interface. If enabled, the user will need to install the app on their device and activate it upon the first login. During subsequent logins, after entering their credentials, the user will be asked to enter a code generated by the authenticator app to sign in to the Web Interface.

Monitoring sign-in activity

Starting from the new version, Adaxes will log all user logins to the Web Interface and Web Interface Configurator. It will allow you to track who logs in, who fails to log in, from which host, to which Web Interface, when, etc.

Notification about operations that failed after approval

Now Adaxes will send an email notification to the user who initiated an operation that was submitted for approval, approved but executed with errors.

The subject, header and footer of the email notification can be customized according to your needs.

Sending emails to mailboxes that are being created

It is now possible to send email messages to mailboxes that are currently being created in Exchange Online. For example, you can now send a welcome email to a user right after assigning an Exchange Online license. Adaxes will wait until a mailbox is created in the cloud and only after that it will send the email message to the mailbox.

New reports

We've added two new reports for the features introduced in this release:

• Web Interface sign-ins - contains information about all user sign-in activities to Adaxes Web Interface.
• Authenticator app activation - shows which mobile authenticator apps have been activated by users.

Update 1

---

• Fixed the issue with restoring Web Interface column settings from a backup.
• Now enrollment prompt is not displayed when the Password Self-Service policy is disabled.
• Fixed the issue with field focusing in Web Interface.

Update 2

---

• Fixed the issue with displaying the unlock account step before questions and answers verification when using Password Self-Service for locked out accounts.
• Fixed the Index (zero based) must be greater than or equal to zero and less than the size of the argument list error that occurred when generating reports in German language.
• Fixed the Object reference not set to an instance of an object error that occurred when a Custom Command had a drop-down list parameter without items.

Update 3

---

This update brings several important security and performance improvements as well as fixes to known issues.

Exchange Online authentication

From now on Adaxes doesn’t use basic authentication to access Exchange Online. Now passwords aren’t transmitted over the network with every request, which means the new authentication mechanism is more secure and reliable. Basic authentication will no longer be supported by Microsoft from October 2020, and we are ahead of the game – all Adaxes features for Exchange Online will work without issues.

Other improvements

• Added 4K support to the Self-Service Password Reset Client and enhanced its user interface.
• Improved how Adaxes checks the permissions granted by Security Roles, which in turn improved overall performance.
• Adaxes Offline Password Self-Service URLs are now entirely case insensitive, which makes them easier to type in manually.
• The Distinguished Name property now displays the object’s DN in the Web Interface.
• It is now possible to send multi-line SMS messages using Adaxes.
• Unsuccessful Web Interface sign-in attempts caused by insufficient permissions are now logged as an Access Denied error.

Bug fixes

• Fixed the issue where changes to Security Roles weren’t reflected in the Web Interface until service restart if there is a large number of Security Roles and assignments.
• Fixed An error occurred while processing value references: Object does not exist error that occurred when email notifications were sent by Business Rules that trigger after deleting a user.
• Fixed the You are not allowed to read 'objectClass' or 'objectGuid' properties error that occurred when viewing group members if the domain service account had no native AD permissions to view some of the members.
• Fixed the Object does not exist error that could occur when users moved their account to another Organizational Unit and then switched to a different Web Interface.
• Fixed the scrolling issue on the Overview page if the display scaling settings are set to 200% or more.

Update 4

---

This update fixes the error that occurs when attempting to modify properties of Exchange Online mailboxes in a hybrid environment. It occurs only if Microsoft has rolled out the dual-write change to your Microsoft 365 tenant.

Detailed error message

An Azure Active Directory call was made to keep object in sync between Azure Active Directory and Exchange Online. However, it failed.

Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.
The issue may be transient and please retry a couple of minutes later. If issue persists, please see exception members for more information.

Update 5

---

Fixed the vulnerability that resulted from special characters not being escaped when value references are resolved. For example, the vulnerability made it possible to inject PowerShell scripts in custom command parameter input fields if value references were used to get the parameter values.

Update 6

---

This update extends the previous security update and addresses the same vulnerability. The previous fix can be bypassed, which was discovered recently. As a result, we've reinforced the fix by escaping all possible double quote characters ("„“”) when value references are resolved.

Update 7

---

In this update, we have mainly focused on improving the security of Adaxes and fixing recently discovered vulnerabilities.

• Fixed the vulnerability that made it possible to force the computer where the Adaxes service is installed to send an SMB request to an arbitrary IP address, obtaining the password hash of the said computer (server-side request forgery). The attack required the malicious actor to possess valid credentials of a user account that can sign in to the Adaxes Web interface or send requests to the REST API.
• Fixed the vulnerability that made it possible to execute arbitrary JavaScript code on the client-side of Adaxes Web interface if a Web interface page was visited using a specifically crafted link (cross-site scripting). The vulnerability allowed the malicious actor to obtain the information from the visited page. The attack required a legitimately signed-in user to actually visit the malicious link.
• Now, Adaxes sanitizes all HTML code encountered in directory object names. This fixed the issue where the Web interface would process HTML code in object names and apply formatting when displaying information about those objects.
• Now, Adaxes correctly creates a remote mailbox for a user when a Microsoft 365 license with the Exchange Online service is assigned, but the Exchange Online Archiving for Exchange Online service is disabled.