ANIXIS Password Reset

What's new in APR V3.2

APR Server

  • Compatible with Microsoft security updates KB3167679 and KB3177108. Password changes would sometimes fail with a system error when these updates were installed.
  • Compatible with SQL Server 2016.
  • Automatically restores connections to SQL Server if the SQL Server is restarted.
  • Additional checks on incoming requests to detect attacks using malformed requests.
  • Added the [AD_DOMAIN] and [AD_USER] macros to the body of e-mail alerts.
  • Queries to Password Policy Enforcer use a new communications library with better performance and more options.
  • Inactivity timeout is now enforced when waiting for a verification code.

Web Interface

  • Added X-Frame-Options response header to protect against clickjacking attacks.
  • Added X-XSS-Protection response header to enable the cross-site scripting filter on supported web browsers.

Password Reset Client

  • Improved handling of the default credential provider on Windows 8 and later when the "Interactive logon: Do not display last user name" GPO is enabled.

Data Console

  • No longer reads verification codes and enrollment records from the database. SQL Server administrators can now deny access to these two columns and still allow authorized users to use the Data Console.
  • Improved some column display labels and audit event descriptions.

Configuration Console

  • Added an option to show partial e-mail addresses and phone numbers when sending verification codes. If this option is enabled and an attacker is able to get to the point where a verification code is sent, then they will no longer see the user's full e-mail address or phone number. Enable this option to protect user information and reduce the likelihood of users being targeted with social engineering attacks.

Installer

  • Sets up the required MIME types for the Web Interface.

Bug Fixes

  • Changed the default PPE Server timeout to avoid "The server could not handle your request" errors.
  • Users auto-enrolling with a UPN or DNS domain name no longer get a "Your verification code expired" or "The verification code is incorrect" error.
  • User records are no longer added to the database when users auto-enroll with an invalid domain name.
  • Users can still reset their password if "allow users to continue without a verification code if a code cannot be sent" is enabled, and a verification code cannot be sent due to an intermittent problem.
  • The PPE Minimum Age rule is no longer enforced for password resets when PPE Integration is enabled. The Minimum Age rule is still enforced for password changes.
  • The PPE Password Policy message is always shown when users are prompted for a new password.
  • Fixed formatting error for Event ID 2053.

What's new in APR V3.0

APR Server

  • Two-factor authentication for password resets and account unlocks. APR can send a random verification code by e‑mail and SMS. Users must enter the verification code to continue.
  • The database can be moved to SQL Server for better security, fault tolerance, and accessibility.
  • Users are deleted from the database approximately one week after they are deleted from Active Directory.
  • Can enforce the Active Directory password history and minimum age policies for password resets.
  • Improved handling of password changes across domains and forests.
  • More secure enrollment record format. APR V2 records are upgraded to the new format when the system maintenance task runs at 1:00 AM.
  • More secure communication protocol. The updated protocol uses 2048-bit RSA keys, has better error detection, and uses fewer CPU cycles.
  • E‑mail alerts are sent in the user's preferred language if possible. The preferred language is set after a successful enroll, reset, unlock, or change.
  • Can send all PPE queries to a specific PPE server.
  • Default database updated to SQL Server Compact 4.0 SP1.
  • Improved multithreading performance when querying the database.
  • Replaced the 32-bit APR Server service with a 64-bit version.

Web Interface

  • REST API to remind (or require) users to enroll.
  • Page content and layout changes for small phone screens.
  • Icons are in Scalable Vector Graphics (SVG) format. These look sharper when resized, and make it easy to change the color scheme.
  • Improved encryption of temporary data.
  • Improved handling of e‑mail addresses with unusual characters.
  • Updated response headers to improve compatibility with some browsers, and to reduce the likelihood of user-submitted information being cached.
  • Answer fields are masked during Reset and Unlock.
  • Performance improvements to the page generator and request parser.

Password Reset Client

  • Displays HTML in Internet Explorer 11 mode for improved compatibility with the latest web standards.
  • Improved compatibility with third-party credential providers.
  • Updated window sizing algorithm to suit the APR V3 page templates.
  • Client closes with the JavaScript window.close() method.
  • Displays messages after the page finishes loading to avoid display problems.

Data Console

  • Can run remotely after the database is moved to SQL Server.
  • .xlsx and .xml export file formats.
  • Filter icons shown in column headers.
  • Improved data reading, sorting, and filtering performance.

Configuration Console

Installer

  • Offers to silently install IIS before the Web Interface.
  • Automatically installs required IIS Role Services.
  • Sets the APR application pool to 64-bit.
  • Installs SQL Server Compact 4.0 SP1.

What's new in APR V2.6

Web Interface and APR Server

  • Tested for compatibility with Windows Server 2012 R2.

Password Reset Client

  • Compatible with Windows 8.1 and Server 2012 R2. The current Password Reset Client version is 2.9. The PRC installer is included with APR V2.6, and it is also available separately.

What's new in APR V2.5

Web Interface

  • Compatible with Windows 2012.
  • Displays a diagnostic message if Password Policy Enforcer does not respond to a request. This is likely to happen if a domain controller is not running PPE, or if a firewall is blocking access to the PPS port.
  • Improved handling of errors and error messages. Some scenarios that previously displayed an unknown error, system error, or generic error message now display more specific error messages.

APR Server

Password Reset Client

  • Compatible with Windows 8 and Windows 2012.
  • Improved compatibility with third-party credential providers.
  • Installs without a restart on Windows Vista and later. A restart is needed when upgrading from an older version.
  • Fixed bug that could cause duplication of some keystrokes.

Data Console

  • Prompts for elevation to avoid "Database missing or locked" error.

New in APR V2.1

Web Interface

  • Multiple instances of the Web Interface can now run on one server and communicate with different APR Servers.

APR Server

  • Added Permissions tab to control which users can enroll and change their password.
  • Some customers reported large numbers of user profiles on the APR Server computer. These were created by Windows when users changed their password. APR now uses a different method to change passwords that stops Windows from creating the profiles.

Password Reset Client

  • Does not display a second logon prompt when making an RDP connection to Windows 7 and 2008 R2.
  • Displays the "Reset password..." command link immediately by default on Windows Vista and later. Previous versions only displayed it after an incorrect password.
  • Added a configuration setting called AlwaysShowResetLink to control when the "Reset password..." command link is shown on Windows Vista and later.

Configuration Console

  • Warns if the license is expired, expiring soon, or invalid.
  • Additional checking of license details when a new license key is imported.
  • Prompts for elevation to ensure the user has sufficient permissions to update APR's configuration.

New in APR V2.0

Web Interface

  • Compatible with Windows 2008 and 2008 R2.
  • Updated HTML templates allow customization of all user interface elements, including error messages.
  • Accepts user-created enrollment questions.
  • Displays the Password Policy Enforcer policy message during password resets and changes.
  • Works without a firewall rule for Password Policy Enforcer Integration when the web server is in a DMZ.
  • Gets user and domain names from URL parameters.

APR Server

  • Compatible with Windows 2008 and 2008 R2.
  • Hashes answers with the SHA-256 algorithm.
  • Sends e-mail alerts to notify users when their account is used.
  • Uses a Microsoft SQL Server Compact Edition database. SQL Server Compact is free to use. The database engine is installed by the APR Setup Wizard. No configuration or maintenance needed.
  • Can use a service account that is not a member of the Domain Admins group.
  • More detailed auditing with events stored in a database.
  • Optimized for multi-CPU and multi-core servers.
  • Configurable inactivity timeout, minimum answer length, and minimum password age.
  • Works with DNS, UPN, and NetBIOS names.

Password Reset Client

  • Included free with all licenses. The Password Reset Client allows users to access APR from the Windows Logon and Unlock Computer screens.

Data Console

  • The Data Console is a viewer for the audit log and users database.
  • Uses filters to quickly find relevant information.
  • Displays a recent activity chart with drill-down to events.
  • Exports to Microsoft Excel, HTML, and Text files.
  • Displays last enroll, reset, unlock, and change times.
  • Permits manual deletion of users.