IBM Tivoli Access Manager for Enterprise Single Sign-On, fix pack 8.0.1-TIV-TAMESSO-AA-FP0001 readme file

(C) Copyright International Business Machines Corporation 2010. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM® Corp.
Note: Before using this information and the product it supports, read the general information under "NOTICES" in this document.

DATE: Thursday, 25 March 2010

-------------------------------------------------------------------------------------------------------------------------

CONTENTS

-------------------------------------------------------------------------------------------------------------------------

  1. ABOUT THIS FIX PACK

    This fix pack package contains fixes for problems in Tivoli® Access Manager for Enterprise Single Sign-On AccessAgent software. This fix pack requires that AccessAgent version 8.0.1 is installed and configured successfully.

    1. Fix pack contents
      This fix pack package contains:
      • This readme file
      • 8.0.1-TIV-TAMESSO-AccessAgent-FP0001.msp
    2. Dependencies

      AccessAgent, version 8.0.1

      Microsoft® Windows® Installer version 3.0 or later.

  2. APARS AND DEFECTS FIXED

    Because fix packs are cumulative, this fix pack corrects all the problems outlined in the following sections.

    1. Problems fixed in AccessAgent by fix pack 8.0.1-TIV-TAMESSO-AA-FP0001
      • APAR IZ45309

        Symptom:

        A user who resets the password offline using EnGINA receives a password expired prompt when logging on.

      • APAR IZ58735

        Symptom:

        Client machines with transparent screen lock enabled enter an undefined state if any AccessAgent message box is not dismissed by the user before the screen is locked. The only way to recover is to reboot the client machine.

      • APAR IZ47649

        Symptom:

        Some applications create the autolearn profile even though an ignore profile has been configured. This results in degraded performance. This fix provides a way to disable auto learning for a specific URL.

      • Internal Defect 9874

        Symptom:

        This issue affected Private Desktop users using ARFID as second factor. When the user enters a password and ARFID badges are added or removed from the list of users within a certain distance from the ARFID reader, the password field is cleared.

      • Internal Defect 9878

        Symptom:

        The pid_audit_log_by_aa_enabled machine policy, which is used to turn on audit logging, can be bypassed by local administrators by changing settings in the registry of the machine.

      • APAR IZ48704

        Symptom:

        ADGPO logon and logoff scripts and ADGPO administrative templates are not supported for Private Desktop.

      • APAR IZ48525

        Symptom:

        Private Desktop users with RFID as second factor are able to use their RFID badge to unlock without password after the screen saver has been activated and dismissed, even though the time period specified in the pid_rfid_only_unlock_timeout_secs policy has passed. The pid_rfid_only_unlock_timeout_secs policy value is not implemented in Private Desktop mode.

      • APAR IZ50547

        Symptom:

        In Private Desktop mode, the Userinit registry value (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: Userinit) is not allowed to contain spaces. The application specified will not load if there are spaces in the path.

      • APAR IZ29709

        Symptom:

        AccessAgent displays a wrong error message when a user logs in to Private Desktop and is required to change AD password at first logon.

      • APAR IZ51005

        Symptom:

        When starting many applications simultaneously, single sign-on occasionally fails due to timeouts.

      • APAR IZ56057

        Symptom:

        Logon to Citrix servers with many cached Wallets is slow for users that do not already have a cached Wallet. All cached Wallets are scanned in a cleanup activity.

        See Known problems and workarounds for the workaround.

      • Internal defect 11633

        Symptom:

        Legal notice specified in AD GPO does not appear correctly when Private Desktop is configured.

      • APAR IZ54247

        Symptom:

        Any special character (for example, underscore) is captured twice when using keyboard input SSO, even though it is entered once.

      • APAR IZ53963

        Symptom:

        Keyboard input (for example, pressing Enter) during SSO sometimes caused the password to be entered in the user name field of a mainframe application.

        To address this issue, Observer support for two new actions, wnd_block_input_action and wnd_unblock_input_action, is introduced. The XML snippet for each action is shown below. Use the AccessStudio XML editor to paste the snippet for each action under the required "actions" tag. The duration element in wnd_block_input_action specifies the time in seconds for which keyboard input is blocked (specify -1 to block until wnd_unblock_input_action is executed):

            <action>
              <wnd_block_input_action>
                <duration>10</duration>
              </wnd_block_input_action>
            </action>

            <action>
              <wnd_unblock_input_action />
            </action>

      • APAR IZ53581

        Symptom:

        For client machines with multiple monitors, the transparent screen lock only took effect on one monitor, leaving the other monitors open.

      • APAR IZ53582

        Symptom:

        In a Citrix server environment, published applications will not start if DelayAppLaunch is enabled.

      • APAR IZ53962

        Symptom:

        After the EnGINA or AATray login dialog times out and returns to the Welcome screen, keyboard shortcuts such as Alt+L and Alt+R no longer work.

      • APAR IZ55986

        Symptom:

        Double-byte characters cannot be entered in scenarios such as offline password reset and AD password resynchronization. Double-byte characters cannot be entered in a textbox in password mode (when characters are displayed as ****).

        To address this issue, all input text boxes related to secrets now have a check box to let the user choose if they want the characters to be displayed as stars (****) or as clear text.

      • Internal defect 13632

        Symptom:

        If the re-encryption of user data took more than a minute on the first logon of a provisioned user, the main dialog reverted to the Welcome screen. Users sometimes encounter a Winlogon error or a system crash.

      • APAR IZ63204

        Symptom:

        Private Desktop users did not receive a prompt to close a single instance application (SIA) when another instance is started. It is possible to have more than one instance of an SIA running on the same client.

      • APAR IZ60205

        Symptom:

        If a client machine has IMS connectivity and no AD connectivity, the machine host name is used as the machine ID instead of the machine DN. When AccessAgent detects a machine ID change (by comparing the current ID with the one cached in the system Wallet), the machine is registered again with the IMS Server and a new machine policy template is assigned.

      • APAR IZ59811

        Symptom:

        Auto-Owners Insurance - performance problems with BlueZone (3270 emulator)

      • APAR IZ63923

        Symptom:

        SOCIAccess service terminated unexpectedly.

      • APAR IZ62521

        Symptom:

        Audit log entries related to Winlogon profile are not stored in the database.

      • APAR IZ66416

        Symptom:

        If the Windows Vista Credential Provider login dialog is opened but not completed within 5 minutes and at the same time the system is not idle, after entering the correct user name and password, the Welcome screen is displayed instead of the user being logged in to Windows.

      • APAR IZ63198

        Symptom:

        Remote installation of software packages on client PCs where nobody is logged on fails because the Tivoli Access Manager for Enterprise Single Sign-On login screen does not allow the Reboot or Shutdown command.

      • APAR IZ64035

        Symptom:

        When AccessAgent and Tivoli Identity Manager DPRA are installed on the same machine and the screen saver starts while EnGINA is displayed, interrupting the screen saver causes the computer to cycle between the screen saver and EnGINA.

      • Internal defect 15017

        Symptom:

        An "Unable to create your Windows Desktop" message occasionally appears when Private Desktop users try to log on to AccessAgent. The problem disappears after a reboot.

      • APAR IZ63063

        Symptom:

        When the pid_wallet_editable_items_list "Delete credential" option is disabled, users can still delete credentials by highlighting a row in the AccessAgent Wallet Manager and pressing the Delete key on the keyboard.

      • APAR IZ64839

        Symptom:

        For a Web Form (log on or change password) that executes JavaScript when the Submit button is clicked, users sometimes encounter erratic behavior (for example, an invalid password is captured).

      • APAR IZ68061

        Symptom:

        A "Failed to initialize core components" message occasionally appears when starting up a computer in a Private Desktop mode.

      • APAR IZ67178

        Symptom:

        The pid_win_screensaver_action, pid_lock_option and pid_unlock_user_name_prefill_option policies are not implemented.

      • Internal defect 16006 (PMT 1950)

        Symptom:

        If AD password synchronization is enabled, AccessAgent disables SSO until password synchronization is successful. If there is a delay in the AD password synchronization, it causes SSO to be unavailable when startup applications load.

      • Internal defect 16294

        Symptom:

        On a shared workstation with a Private Desktop configuration where:
        • the generic account feature is enabled, and
        • an Active Directory domain user account is used as the default auto-admin logon account,
        anyone can unlock the computer from the Lock screen using the default account without providing the correct password.

      • APAR IZ68732, IZ66762 (This fix does not address the complete problem description for the listed APARs)

        Symptom:

        A deadlock occurs when a script in an access profile runs a timeout-based loop that checks an HTML document on each iteration to see whether an element is present.

      • APAR IZ67925

        Symptom:

        If a profile uses the wnd_xpath_key_down_acc_data_sso_item or wnd_xpath_ex_key_down_acc_data_sso_item, any empty space in a password is not captured.

      • APAR IZ54011

        Symptom:

        An application fails to start because of the way Obsbaseagent creates a sign-in listener thread.

      • APAR IZ48210, IZ48514, IZ51048

        Symptom:

        The remote AccessAgent occasionally does not load for users when connecting to Citrix.

  3. SOFTWARE LIMITATIONS

    Uninstallation of the fix pack is not supported.

  4. BEFORE INSTALLING THIS FIX PACK

    Uninstallation or rollback of the fix pack is not supported. If the installation fails, uninstall the base version and reinstall the same version with the original configuration settings (setuphlp.ini).

    There is no need to backup any other data.

  5. INSTALLING THIS FIX PACK

    Double click 8.0.1-TIV-TAMESSO-AccessAgent-FP0001.msp and follow the instructions provided in the user interface.

  6. UNINSTALLING THIS FIX PACK

    Uninstallation of the fix pack is not supported. Uninstalling the base version (version 8.0.1) will also uninstall the fix pack.

  7. AFTER INSTALLING OR UNINSTALLING THE FIX PACK

    Right-click the AccessAgent tray icon in the system tray, and then select About TAM E-SSO AccessAgent.

    If you have successfully installed AccessAgent version 8.0.1 fix pack 1, the AccessAgent version is updated to 8.0.1.2901.

    You can also follow these steps:
    1. On your Windows desktop, click Start > Control Panel.
    2. Double-click Add or Remove Programs.
    3. Select the Show updates check box.
    4. Under TAM E-SSO AccessAgent, if you have successfully installed AccessAgent version 8.0.1 fix pack 1, TAM E-SSO AccessAgent 8.0.1.2901 is displayed.
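    The following PowerShell script is an added example, not part of this readme or of the product, that performs the check above without the user interface. It reads the standard Windows Installer registration keys that back Add or Remove Programs (native and 32-bit-on-64-bit views), looks for an entry whose display name begins with "TAM E-SSO AccessAgent", and compares its version with 8.0.1.2901, the version this readme states the fix pack sets. It assumes that the entry's DisplayVersion carries that product version; run it in an elevated PowerShell session on the client.

```powershell
# Added example: verify the AccessAgent fix pack level from the Add or Remove
# Programs registration. The expected version comes from this readme (section 7).
$ExpectedVersion = [version]'8.0.1.2901'

# Standard Windows Installer registration keys (native and WOW6432Node views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect every registered program whose display name matches the AccessAgent entry.
$entries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -like 'TAM E-SSO AccessAgent*' }
    }
}

if (-not $entries) {
    Write-Output 'AccessAgent is not registered in Add or Remove Programs on this machine.'
    exit 1
}

foreach ($entry in $entries) {
    # Assumption: DisplayVersion reflects the product version the fix pack updates.
    try   { $installed = [version]$entry.DisplayVersion }
    catch { $installed = $null }

    if ($installed -and $installed -ge $ExpectedVersion) {
        Write-Output ("{0}: version {1} - fix pack 8.0.1-TIV-TAMESSO-AA-FP0001 (or later) is installed." -f $entry.DisplayName, $installed)
    } else {
        Write-Output ("{0}: version '{1}' - fix pack 8.0.1-TIV-TAMESSO-AA-FP0001 is NOT installed (expected {2})." -f $entry.DisplayName, $entry.DisplayVersion, $ExpectedVersion)
        exit 1
    }
}
```

    The script exits with a non-zero code when the expected level is missing, so it can be used as-is in a software-inventory or compliance job across many clients.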

  8. DOCUMENTATION UPDATES

    The product documentation for Tivoli Access Manager for Enterprise Single Sign-On, version 8.0.1, can be found at the following Web address (entered as one line): http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc_8.0.1/welcome.htm

  9. KNOWN PROBLEMS AND WORKAROUNDS
    • APAR IZ69698

      Focus is on the domain field when the AccessAgent Welcome dialog is launched from the system tray.

      The fix pack does not resolve this problem. Click another field to change focus.

    • APAR IZ56057

      A new machine registry policy is introduced to control whether to delete a user Wallet that is not valid, during caching of a new Wallet.

      To fix the Citrix performance issue:
      1. Install the fix pack 8.0.1-TIV-TAMESSO-AA-FP0001.
      2. Enable the policy. The policy needs to be configured to disable Wallet cleanup during caching.
        • Location: HKLM\Software\Encentuate\DeploymentOptions\
        • Data Name: "WalletCleanupOnCachingEnabled"
        • Data Type: DWORD
        • Data Value: 0, disabled; 1, enabled; Default: 1
      3. When the WalletCleanupOnCachingEnabled policy is disabled, run the SOCIPruner.exe utility periodically to perform the Wallet cleanup activity.
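    The following PowerShell script is an added example, not part of this readme or of the product, that applies the policy from step 2 and reads it back so the change can be verified. The key path, value name, data type and the meaning of 0 and 1 are taken from the list above; the script creates the DeploymentOptions key if it does not yet exist. Run it in an elevated PowerShell session on the Citrix server. Scheduling SOCIPruner.exe (step 3) is not shown, because this readme does not give its location or arguments.

```powershell
# Added example: set the machine registry policy that disables Wallet cleanup
# during caching (APAR IZ56057 workaround) and verify the effective value.
$PolicyPath = 'HKLM:\Software\Encentuate\DeploymentOptions'
$PolicyName = 'WalletCleanupOnCachingEnabled'
$Disabled   = 0   # 0 = disabled, 1 = enabled (default 1), per this readme

# Create the key if this machine does not have it yet.
if (-not (Test-Path $PolicyPath)) {
    New-Item -Path $PolicyPath -Force | Out-Null
}

# Write the value as a DWORD; -Type DWord sets the correct data type even if the
# value did not exist before or was created with another type.
Set-ItemProperty -Path $PolicyPath -Name $PolicyName -Value $Disabled -Type DWord

# Read it back and report the effective setting.
$effective = (Get-ItemProperty -Path $PolicyPath -Name $PolicyName).$PolicyName
switch ($effective) {
    0       { Write-Output "$PolicyName = 0: Wallet cleanup during caching is disabled; run SOCIPruner.exe periodically to prune Wallets that are not valid." }
    1       { Write-Output "$PolicyName = 1: Wallet cleanup during caching is enabled (default)." }
    default { Write-Output "$PolicyName has an unexpected value '$effective'; expected 0 or 1." }
}
```

    To revert to the default behaviour, set $Disabled to 1 and run the script again; the read-back branch then reports that cleanup during caching is enabled.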

  10. NOTICES

    This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

     IBM Director of Licensing
     IBM Corporation
     North Castle Drive
     Armonk, NY 10504-1785
     U.S.A.

    For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

     IBM World Trade Asia Corporation
     Licensing
     2-31 Roppongi 3-chome, Minato-ku
     Tokyo 106, Japan

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

     IBM Corporation
     2Z4A/101
     11400 Burnet Road
     Austin, TX 78758
     U.S.A.

    Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

    The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

    Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

    Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

    All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

    This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

    1. Trademarks

      The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

       IBM
       IBM logo
       Tivoli
       Tivoli logo

      Java™ and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

      Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

      UNIX® is a registered trademark of The Open Group in the United States and other countries.

      Other company, product, and service names may be trademarks or service marks of others.

End of IBM Tivoli Access Manager for Enterprise Single Sign-On, fix pack 8.0.1-TIV-TAMESSO-AA-FP0001 readme file.