This section contains the technical notes for the current release of the Oracle Enterprise Single Sign-On Suite.
This section contains the technical notes for the current release of the Enterprise Single Sign-On Suite Administrative Console.
If you are exporting application templates or policies to an .INI file for import into Oracle Access Manager, you must select the Unicode (or Unicode big endian) encoding when saving the .INI file. Other encodings are not supported by Oracle Access Manager.
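The following PowerShell is an added example, not part of the Oracle documentation, that checks whether an exported .INI file carries the UTF-16 byte-order mark corresponding to the Unicode or Unicode big endian save options, and re-saves it as Unicode when it does not. The file paths are placeholders.

```powershell
# Added example (not from the Oracle documentation): verify the encoding of an
# exported .INI file before importing it into Oracle Access Manager.
# Paths used below are placeholders.

function Get-IniUnicodeEncoding {
    param([Parameter(Mandatory)][string]$Path)

    # Only the first two bytes are needed: the UTF-16 byte-order mark.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bom = New-Object byte[] 2
        $count = $stream.Read($bom, 0, 2)
    } finally {
        $stream.Dispose()
    }

    if ($count -lt 2) { return 'Unknown' }
    if ($bom[0] -eq 0xFF -and $bom[1] -eq 0xFE) { return 'Unicode' }           # UTF-16 LE BOM
    if ($bom[0] -eq 0xFE -and $bom[1] -eq 0xFF) { return 'UnicodeBigEndian' }  # UTF-16 BE BOM
    return 'NotUnicode'                                                        # ANSI, UTF-8, etc.
}

function Convert-IniToUnicode {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Destination
    )
    # Set-Content -Encoding Unicode writes UTF-16 LE with a BOM, which is the
    # "Unicode" choice in the Save dialog.
    Get-Content -Path $Path | Set-Content -Path $Destination -Encoding Unicode
}

# Usage (placeholder paths): check first, convert only if needed.
$export = 'C:\Temp\templates.ini'
$encoding = Get-IniUnicodeEncoding -Path $export
"$export encoding: $encoding"
if ($encoding -eq 'NotUnicode') {
    Convert-IniToUnicode -Path $export -Destination 'C:\Temp\templates-unicode.ini'
}
```

When converting a file that contains non-ASCII characters, pass the original file's encoding to Get-Content (for example -Encoding Default for an ANSI file) so the characters are decoded correctly before being written out as UTF-16.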
This section contains the technical notes for the current release of Logon Manager.
Starting with version 11.1.2.1, when deployed on Microsoft Active Directory, Logon Manager configuration policies are stored in a repository location consistent with other user configuration objects of the class vGOSecret. Oracle highly recommends that you migrate to this new settings storage schema by enabling the Use secure location for storing user settings option found in the Active Directory synchronizer settings section of the Oracle Enterprise Single Sign-On Administrative Console.
When upgrading from a previous version of Logon Manager, only deploy this override after all instances of Logon Manager have been upgraded to version 11.1.2.1; otherwise, once Logon Manager 11.1.2.1 synchronizes with the repository, all previous versions will no longer be able to synchronize with the repository for that user.
Due to an upgraded keyboard driver that ships with this version of Kiosk Manager, you will be prompted to reboot twice during the installation process - first to remove the old driver, and second to install the new driver.
When the Use default certificate for authentication option (located in the Oracle Enterprise Single Sign-On Administrative Console under Global Agent Settings > Authentication > Smart Card) is set to No, users may be prompted to enter their PIN twice during the First Time Use (FTU) enrollment process. This is normal and necessary in order for Logon Manager to generate a keyset for the smart card. Subsequent authentications after FTU will only require a single PIN entry.
Logon Manager may be unable to respond to some applications running with highly elevated privileges. For example, when logged in as the built-in Administrator account, and the local security policy is set to disable Admin Approval Mode for the built-in Administrator account, the resulting privilege elevation prevents Logon Manager, which itself is a medium-privilege application, from hooking into the target applications running with elevated privileges.
The XML log file plug-in continually appends data to the log file, causing it to grow. The log file should be cleaned up periodically (from the user's AppData\Passlogix folder) if it is used as part of a solution.
Conflicts may occur when using Backup/Restore functionality in conjunction with synchronizer usage. Oracle does not recommend that a deployed solution use both mechanisms; Backup/Restore should be used only in standalone installations.
You must restore a backup from a local drive. It is not possible to restore from a network drive.
When using SendKeys with Citrix published applications, the SendKeys "Set Focus" feature cannot be used since Citrix application windows are painted and no controls appear in the window. In order for "Set Focus" to function, it needs to reference a window's controls.
When setting up a Citrix published application using regular SendKeys with "Enter" or "Tab" characters in between each field, those characters are not processed correctly. They are processed in a random order.
The issue is that the separator characters submitted between fields (typically "Enter" or "Tab" characters) are not processed by the Citrix application in the correct sequence resulting in inconsistent behavior.
The solution is to modify the application template to add a delay between the fields. For example, if the current application template is configured like this:
[Username] [Tab] [Password] [Tab] [Enter]
delays should be added in between fields:
[Username] [Delay 0.1 sec] [Tab] [Password] [Delay 0.1 sec] [Tab] [Enter]
The NetManage NS/Elite emulator causes Logon Manager to display an "End Program" message when logging off or restarting a machine. This behavior is only seen intermittently.
Note:
Clicking "End program" may result in credentials not being cleaned up (if the "Delete Local Cache" option is enabled).
Logon Manager sporadically displays the Password Change dialog box on a Reflection 14 logon screen. If this dialog box displays, click the Cancel button and begin to enter text. The expected logon dialog box displays.
Some MSI versions of the Logon Manager installer exhibit false positives when scanned by anti-virus software during a Repair operation. The scan identifies the Win32/Injector.CFR trojan, although in reality, no such virus is present in the installer.
This section contains technical notes for the current release of Universal Authentication Manager.
When adding or removing a machine that uses Universal Authentication Manager for strong authentication to or from a domain, you must reboot immediately after adding or removing the machine; otherwise, strong authentication will not function until you reboot.
Due to race conditions and variations in polling times, it is possible that users will receive the error message, "Card is either not enrolled or not supported," when using RSA Authentication Client 2.0 Smart Card middleware with some Smart Cards.
There are two possible remedies for this scenario:
The user can click OK and try inserting the card again.
The administrator can add the following registry key and increase the timeout values:
Smart Card Authenticator card and serial timeout settings (PKCS11 race conditions):
Key: HKLM\SOFTWARE\Passlogix\UAM\Authenticators\{A1B34553-8D40-42A9-8ED5-F70E3497E138}\Settings
Value: CardTimeout = DWORD (0-5000 ms; 2000 ms (default))
Value: SerialTimeout = DWORD (0-5000 ms; 500 ms (default))
Note:
CardTimeout applies to certain PKCS11 modules that might have a race condition with Windows smart card APIs. Increasing the timeout increases reliability but might adversely affect performance.
SerialTimeout applies to certain PKCS11 modules that have a race condition when reading the serial number from the card. If the card is supported but its serial number is not read, this might be the issue. Increasing the timeout increases reliability but might adversely affect performance.
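The following PowerShell is an added example, not part of the Oracle documentation, that reads the effective CardTimeout and SerialTimeout values under the registry key listed above and sets them while enforcing the documented 0-5000 ms range. The function names are my own; the key path, value names and defaults are the ones given above.

```powershell
# Added example (not from the Oracle documentation): read and set the Universal
# Authentication Manager smart card timeout values documented above.
# Requires an elevated session (the key is under HKLM). On 64-bit Windows run
# from a 64-bit PowerShell so HKLM\SOFTWARE is not redirected to Wow6432Node.

$UamSettingsKey = 'HKLM:\SOFTWARE\Passlogix\UAM\Authenticators\{A1B34553-8D40-42A9-8ED5-F70E3497E138}\Settings'

function Get-UamSmartCardTimeout {
    # Returns the effective values, falling back to the documented defaults
    # (2000 ms and 500 ms) when a value has not been set.
    $props = Get-ItemProperty -Path $UamSettingsKey -ErrorAction SilentlyContinue
    $card   = if ($null -ne $props.CardTimeout)   { [int]$props.CardTimeout }   else { 2000 }
    $serial = if ($null -ne $props.SerialTimeout) { [int]$props.SerialTimeout } else { 500 }
    [pscustomobject]@{
        CardTimeout   = $card
        SerialTimeout = $serial
        KeyPresent    = ($null -ne $props)
    }
}

function Set-UamSmartCardTimeout {
    # ValidateRange enforces the 0-5000 ms bounds stated in the notes above.
    param(
        [ValidateRange(0, 5000)][int]$CardTimeout,
        [ValidateRange(0, 5000)][int]$SerialTimeout
    )
    if (-not (Test-Path $UamSettingsKey)) {
        # Create the Settings key if the authenticator has never written it.
        New-Item -Path $UamSettingsKey -Force | Out-Null
    }
    if ($PSBoundParameters.ContainsKey('CardTimeout')) {
        Set-ItemProperty -Path $UamSettingsKey -Name CardTimeout -Value $CardTimeout -Type DWord
    }
    if ($PSBoundParameters.ContainsKey('SerialTimeout')) {
        Set-ItemProperty -Path $UamSettingsKey -Name SerialTimeout -Value $SerialTimeout -Type DWord
    }
}

# Usage: raise both timeouts moderately, then confirm what is now in effect.
Set-UamSmartCardTimeout -CardTimeout 3000 -SerialTimeout 1000
Get-UamSmartCardTimeout
```

Raise the values in small steps and re-test card insertion after each change, since the notes above state that a larger timeout trades performance for reliability.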
If a workstation is locked due to a Remote Desktop session, a user may not be able to unlock the workstation using an enrolled smart card with certain PKCS11 middleware. This is due to the limitations of the smart card middleware.
To unlock the workstation, the user can use Windows Password.
This section contains technical notes for the current release of Anywhere.
The following Logon Manager features are not supported by Anywhere:
Oracle Access Manager integration. Silent authentication to Oracle Access Manager is not supported.
Mozilla Firefox and Google Chrome. Detection of and response to Web applications accessed via the Mozilla Firefox and Google Chrome browsers is not supported.
Windows Authenticator v2 GINA. The Windows Authenticator v2 GINA component is not supported. Anywhere does not support installing GINAs.
Windows Authenticator v2 Network Provider. The Windows Authenticator v2 Network Provider component is not supported. Anywhere does not support installing Windows services.
Note:
Anywhere supports all Windows Authenticator v2 functionality except the GINA and Network Provider. There is no workaround to enable the unsupported Windows Authenticator v2 functionality.
Because Anywhere installs into the user's home folder, rather than the Program Files folder, the default security policy on Windows 7 and Windows Server 2008/2008 R2 deployments prevents Anywhere from executing due to insufficient permissions. (By default, the Program Files folder is recognized as a secure location, while the user's home folder is not.)
To solve this issue, do the following:
Modify the Group Policy Object (GPO) and disable the setting User Account Control: Only elevate UIAccess applications that are installed in secure locations. The location of this setting in the GPO is: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\.
Apply the modified policy to the domain using standard group policy practices.
You will still be protected from unauthorized code access since applications must also pass the PKI signature check in order to execute, regardless of the state of the above setting.
For more information on this security setting, see the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/dd834830.aspx
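The following PowerShell is an added example, not part of the Oracle documentation, for confirming on a workstation that the modified GPO has actually taken effect. It assumes the Windows mapping of the policy "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to the registry value EnableSecureUIAPaths under the UAC policy key (1 = enabled, 0 = disabled); that mapping comes from Microsoft's documentation of the setting, not from this page, and the function name is my own.

```powershell
# Added example (not from the Oracle documentation): report whether the
# secure-location check for UIAccess applications is still enforced.
# Assumption: the policy is stored as the DWORD EnableSecureUIAPaths under the
# UAC policy key below, with 1 meaning enabled and 0 meaning disabled.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-SecureUIAPathsPolicy {
    $props = Get-ItemProperty -Path $UacPolicyKey -Name EnableSecureUIAPaths -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        # Value absent: Windows applies the policy's default, which is enabled.
        return [pscustomobject]@{ Configured = $false; Enabled = $true }
    }
    [pscustomobject]@{
        Configured = $true
        Enabled    = ($props.EnableSecureUIAPaths -ne 0)
    }
}

# Usage: run after the policy has been applied (for example after gpupdate /force).
$policy = Get-SecureUIAPathsPolicy
if ($policy.Enabled) {
    'Secure-location check is enabled: Anywhere in the user profile will be blocked.'
} else {
    'Secure-location check is disabled: Anywhere can run from the user profile; the PKI signature check still applies.'
}
```

Because the value is read from HKLM, the check reflects the machine-wide policy rather than any per-user preference, which is what the GPO modifies.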
By default, Microsoft IIS 6.0 does not serve the three file types used by Anywhere (.application, .deploy, and .manifest). Administrators planning to deploy Anywhere using an IIS 6.0 Web Server must run the IisAddMimeTypes.vbs script included in the "Anywhere" folder of the Oracle Enterprise Single Sign-On Suite Plus master archive.
Attempting to deploy Anywhere without running this script results in the error HTTP 404. For a complete discussion of IIS 6.0 and unsupported MIME types, see the Microsoft Web site.