1.0.7925

Release Summary

This is a minor servicing release of Lithnet Access Manager.

Editions

Access Manager comes in two editions. Standard edition is free for all organizations to use. It provides the core capability to defend against ransomware attacks, and support is provided by the GitHub Access Manager community. Enterprise edition is our paid offering that includes additional features such as high availability, advanced authorization scripting, and comes with full support by Lithnet. See our comparison guide for more details.

To get a free 90-day enterprise edition trial license, or to enquire about Enterprise edition pricing, please fill out the request form

New features

• None

Issues fixed

• Fixes an issue where computers that have a samAccountName different to their cn could not be JIT'd into #95
• Adds support for searching for computers by their cn value #95

1.0.7920

Release Summary

This is the first production release of Lithnet Access Manager.

Editions

Access Manager comes in two editions. Standard edition is free for all organizations to use. It provides the core capability to defend against ransomware attacks, and support is provided by the GitHub Access Manager community. Enterprise edition is our paid offering that includes additional features such as high availability, advanced authorization scripting, and comes with full support by Lithnet. See our comparison guide for more details.

To get a free enterprise edition trial license, or to enquire about Enterprise edition pricing, please email [email protected].

New features

• Installer binaries are signed with the Lithnet EV code signing certificate

Issues fixed

• Fixes a button rendering issue with Safari mobile browsers
• Adds an about screen

1.0.7888.0-rc2

Release Summary

This release is mainly a servicing release, addressing bug fixes before the release of the final version.

This release contains a built-in enterprise edition license, that will expire on 13th July 2021. On this date, enterprise edition features will be deactivated, and the application will continue to run in standard edition. Organizations that are not using any enterprise edition features will be able to continue using the application after this date. Organizations can obtain longer-length enterprise edition trial licenses by emailing [email protected]. Enterprise edition licenses are not yet available for purchase, but will be provided for free during the beta phase.

To learn more about the differences between standard and enterprise edition, as well as the upcoming enterprise edition features, see the edition comparison in the wiki

Installation Notes

As of beta 4, PowerShell 5.0 has been a prerequisite
As of beta 4, Microsoft SQL Local DB 2017 has been a prerequisite

New features

• Improves accessibility of password fields by offering options for monochrome, increased size, and increased letter spacing

Issues fixed

• DCLocator does not fall back as expected #83

1.0.7872.0-rc1

Release Summary

This release is mainly a servicing release, addressing bug fixes before the release of the final version.

This release contains a built-in enterprise edition license, that will expire on 15th May 2021. On this date, enterprise edition features will be deactivated, and the application will continue to run in standard edition. Organizations that are not using any enterprise edition features will be able to continue using the application after this date. Organizations can obtain longer-length enterprise edition trial licenses by emailing [email protected]. Enterprise edition licenses are not yet available for purchase, but will be provided for free during the beta phase.

To learn more about the differences between standard and enterprise edition, as well as the upcoming enterprise edition features, see the edition comparison in the wiki

Installation Notes

As of beta 4, PowerShell 5.0 has been a prerequisite
As of beta 4, Microsoft SQL Local DB 2017 has been a prerequisite

New features

Adds fields to authorization rules to record who created and last modified authorization rules
Adds a notes field to authorization rules
Adds new form layout to authorization rule editor

Issues fixed

Fixes an issue were imported permissions were not processed correctly
Fixes an issue where the UI might crash when searching authorization rules
Fixes an issue where the UI would show an incorrect error and not allow you to save when a certificate was not selected
Fixes an issue where the enterprise edition badge was shown incorrectly on the security descriptor target page during an import
Fixes an issue where allow host settings were duplicated each save
Fixes issue #66 - HSTS max-age too short
Fixes issue #65 - Negotiate authentication is incorrectly allowed over HTTP
Fixes issue #68 - Secure/httponly flags missing on cookies
Fixes issue #61 - UI would crash when sorting authorization rules by an empty column
Fixes an issue where OIDC/WsFed correlation cookies did not specify samesite=none

Other changes

The UI now shows a warning if the config file was edited outside of the application #60
Adds support for locking the UI when the clustered resource moves off the current node #59
Improves trace logging for the authorization rule import process
Removes obsolete references to JIT from the ADMX files for the access manager agent

1.0.7846.0-beta.4

Release Summary

This release introduces many bug fixes and new features. Most notably, this version introduces support for high availability, by running AMS in a Microsoft failover cluster. This introduces the first major Enterprise edition feature to Lithnet Access Manager.

This release contains a built-in enterprise edition license, that will expire on 26th February 2021. On this date, enterprise edition features will be deactivated, and the application will continue to run in standard edition. Organizations that are not using any enterprise edition features will be able to continue using the application after this date. A new beta version will be released in December 2020, which will include a new built-in license with an extended date. Organizations can obtain longer-length enterprise edition licenses by emailing [email protected]. Enterprise edition licenses are not yet available for purchase, but will be provided for free during the beta phase.

To learn more about the differences between standard and enterprise edition, as well as the upcoming enterprise edition features, see the edition comparison in the wiki

Installation Notes

• PowerShell 5.0 is now a prerequisite
• Microsoft SQL Local DB 2017 is now a prerequisite

New features

• Adds support for running Access Manager in a Windows failover cluster (Enterprise edition feature)
• Adds support for automatically synchronizing certificates between nodes (Enterprise edition feature)
• Adds support for encrypting secrets using cluster-compatible DPAPI-NG (Enterprise edition feature)
• Adds certificate export and import options to the local admin password page in the UI
• Request limiting now uses a persistent SQL back-end, allowing enforcement of limits that survives reboots, outages, and node failovers
• Adds support for disabling authorization rules
• Adds support for expiring authorization rules
• Adds a new PowerShell module for getting Lithnet local admin passwords and history from the AMS server (Get-LithnetLocalAdminPassword and Get-LithnetLocalAdminPasswordHistory)
• Adds support for exporting a list of CSV permissions from the authorization rules

Issues fixed

• Fixes an issue where password text boxes delete contents on focus (#39)
• Fixes an issue where imported authorization rules were not being saved (#45)
• Fixes an issue where the access expiry reported in audit events was not in the system date time format
• Fixes an issue where the log out link was missing when using a logout-capable identity provider (#49)
• Fixes an issue where IDP signing was not working with Okta
• Fixes an issue where users who are members of a large number of groups cannot log into the system (#44)
• Fixes an issue where the user gets an unexpected error message when searching a computer by a non-AD DNS hostname (#54)
• Fixes an issue where a user who is not granted sign in permission sees a 404 error instead of an access denied message (#52)
• Fixes an issue where Google chrome may offer to translate a page containing a password it thinks is in a different language (#51)
• Fixes an issue where the service cannot write to the log folder when the service account is changed
• Fixes an issue where the UI required a save immediately after saving the initial config
• Fixes an issue where the config app would silently crash when the appsettings and apphost config files cant be found
• Fixes an issue where the JIT group worker creates groups for conflict objects (#56)
• Fixes an issue with the domain group membership permission script
• Fixes an issue where some files would be missing after an upgrade (#43)
• Fixes an issue where the schema status in the UI did not update after schema changes were deployed
• Fixes an issue where UI trace events could not be logged
• Fixes an issue where the JIT mode indicator did not update correctly when the AD PAM feature was enabled

Other changes

• Accessing the local admin password history via the web is now an enterprise edition feature. However, the new PowerShell cmdlets allow an AMS administrator to retrieve the local admin password history via PowerShell from the AMS service itself
• PowerShell based authorization rules are now an enterprise-edition feature
• Service account details are no longer required to be entered on installations after beta 4.
• Installation paths can no longer be changed during an upgrade. The application must be uninstalled and reinstalled to change any paths.
• Custom logo is now stored in the configuration folder
• The application now uses NT Service\lithnetams as the principal when assigning permission to local ACLs to avoid issues when assigning a new service account to run the service
• Adds progress bar to service stop and start operations
• Adds check for GMSA permissions when changing service account
• Grants logon as a service to selected service account
• Adds password validation for non-GMSAs when changing service account
• Adds logon as a service permission check when changing service account
• Replaces login dialog with user selector when changing service account
• Claims in the log file are now grouped by name to reduce verbosity
• Adds a message to remind the user to back up the encryption certificate when generating a new one
• Adds additional help information to the delegation warning that appears in the UI when the service account is not protected from delegation
• Adds a splash screen to the UI app on startup
• Updates event log messages to contain information about the specific request type made by the user
• Adds support for encrypting cookies with cluster-compatible keys

1.0.7630.0-beta.3.1

• Fixes an issue where schema detection fails when defunct attributes are present
• Fixes an issue with the OpenID Connector provider. The provider now uses the authorization code flow, rather than implicit flow. The setup guides for AzureAD and Okta have been updated to include the provision of the client secret
  • Azure AD
  • Okta

Beta users of the OIDC provider should delete the following lines from the Authentication:Oidc section of their appsettings.json file
"ResponseType": "code id_token",
"ClaimName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"Scopes": [ "profile", "openid" ]

1.0.7624.0-beta.3

• Adds functionality to import authorization rules from LAPS Web App

• Adds functionality to import authorization rules from a CSV file (#29)

• Adds functionality to import authorization rules by scanning AD for users assigned Microsoft LAPS read permissions

• Adds functionality to import authorization rules by scanning AD for users assigned BitLocker recovery password read permissions

• Adds functionality to import authorization rules by importing the local admin group members from remote computers

• Adds the ability to search authorization rules for matching computers

• Adds the ability to determine the effective access of a user

• Adds support for searching computers by DNS host name (#3)

• Fixes display name of the product in the UAC prompt that appears when running the configuration tool

• Fixes an issue where you could not update the AMS GMSA service account after installation (#32)

• Fixes an issue where altSecurityIdentifers were incorrectly constructed (#28)

• Fixes an issue where too many authorization rules will cause the list to expand off the screen

• Fixes an issue where the authorization rules list shows an incorrect column header (#35)

• Fixes an issue where the 'submitting request' overlay was shown in the web app incorrectly when there was a form validation error (#34)

• Fixes an issue where the UI would close without any error messages on an unhandled exception. A message box now appears, and gives you the option to try saving the config file.

1.0.7615.0-beta.2.1

Adds support for importing JIT admins from a remote computer
Adds support for showing an error when the UI encounters an unhandled exception #20
Replaces {computername} placeholders with %computername%
Deprecates JIT agent
Removes JIT agent GPOs
Adds additional logging for certificate authentication

1.0.7608-beta.2

Beta 2 release

Fixes an issue where the firewall rules are not created with the correct process name #27
Fixes an issue where the Microsoft LAPS schema check in the configuration app incorrectly showed that the schema was not deployed #18
Fixes an issue where the installer incorrectly demands version 3.1.4 of the .NET core desktop, even if a later version was installed #16
Fixes an issue where JIT access requests fail due to the application processing requests against different domain controllers in a short period of time #15
Updates the GSMA script to be more robust and include the 10 hour wait time #14
Adds support for smart card authentication without UPN ultilizing altSecurityIdentities #26
Adds support for HTTP client proxies #25
Shows a 'loading' message when requesting access to a computer in the web UI #22

1.0.7596-beta.1

Initial beta release of Lithnet Access Manager