Introduction
LogonBox is pleased to announce the immediate availability of LogonBox SSPR 2.4.10 and the Desktop Credentials Provider version 6.3.
This release includes performance improvements relating to account unlocks and syncing large numbers of users, some updates to the Desktop Credentials Provider as well as some security updates.
Performance improvements
If a sync contains large numbers of groups (over 10,000 or so), LogonBox could be very slow for some operations.
Therefore we have added a number of improvements to address this, such as adding some missing indexes to the database as well as optimising how we write user properties on a sync so we can avoid excessive database reads of group relationships.
It is now possible to not synchronise groups at all if you are not likely to manage them from LogonBox. This can speed up syncs significantly.
Particularly noticeable from an end-user perspective was the time taken to unlock an account. Optional properties have been added which can speed up unlocks by a factor of 5, which will become the new default from the release after this one.
Updated Desktop Credentials Provider
We now have a new Credentials Provider available which addresses some issues that were discovered when using RDP.
Security Updates
A number of security updates have been added:
- CSR signature algorithm for SSL Certificates has been upgraded to SHA512WithRSA
- JQuery has been updated to version 3.7.1 to address potential vulnerabilities
- Added CSP headers to initial root redirect page /. Previously these headers were only on the end page you were redirected to.
- Added option to turn off Gzip compression of web pages as another mitigation for the BREACH vulnerability
- Calls to the password generator API now require an authenticated session.
Synchronise Schedules for sub-tenants
It is now possible to alter synchronise/reconcile schedules separately for any sub-tenants/realms again.
Upgrade Instructions
You can directly upgrade from the web UI or the operating system.
To upgrade from the web UI, log on to your admin account, navigate to Server Status from the main dashboard, and click Update. If you have Updates, Features & Licensing->Update Prompt turned on, you may also be prompted automatically upon login.
To upgrade from the operating system:
On Windows – download the new installer, run the installer, and follow the prompts.
On a LogonBox VM – from a shell, type in:
apt update
apt upgrade
If you are still running a version before 2.3, you will need to perform some extra steps from the OS, as detailed here:
https://docs.logonbox.com/app/manpage/en/article/6172513
Our support team will upgrade Cloud customers over the coming week.
Changes
Here is a summary of the changes in this release.
Features
- Can now alter AD sync schedules again in sub-tenants.
- CSR signature algorithm for SSL Certificates has been upgraded to SHA512WithRSA
- JQuery has been updated to version 3.7.1 to address potential vulnerabilities
- Added CSP headers to initial root redirect page /
- Added option to turn off Gzip compression of web pages as another mitigation for the BREACH vulnerability
- Calls to the password generator API now require an authenticated session.
- Added an index to a database table to improve performance when reading AD groups.
- Option added to Group filter mode for AD – Disable Group Support. This can significantly speed up syncs on large AD domains if you’re not interested in managing groups via LogonBox.
- Optimised user property writing during synchronization to avoid excessive database reads of group relationships
- Improvements to account unlocking – optional properties now supported to help speed up slow account unlocks
Bugs
- Resolved an issue where the Secure Node client could consume max CPU and RAM with constant connection retries
- Users can no longer authenticate when Cache Passwords is set and their account is locked
- Mitigation added for the BREACH vulnerability: random bytes can now be written to any gzipped web response
- When using Azure/O365, when a user logs off LogonBox, this now will log the user off Azure as expected
- Profile History graph is now working again on the Insights page of the admin dashboard
- The server log file now logs significantly fewer lines when large numbers of groups are excluded in a sync, resulting in much smaller log files
- Fixed a display order issue with Captcha authentication module when it is placed at the beginning of an authentication flow
- Fixed incorrect message with the free license which suggested the server was not entitled to updates
- The Windows Desktop Login (winlogin) authentication scheme can now only be used by the Credentials Provider. It can no longer be used to authenticate via a web browser
- Checking for password expiry on linked accounts in secondary directories now correctly reports the expiry days for the linked account
- Added some missing database cascades which could stop roles from being deleted
- Duo authentications should no longer end up in an auth loop if Duo bypass MFA is enabled
- Fixed a memory leak relating to Roles when large amounts of users or groups are present
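The BREACH mitigation described in the Security Updates section and in the bug list above (random bytes written into gzipped responses) works because random data does not compress, so the compressed size of a page stops being a fixed function of its content. The following is an added Python illustration, not LogonBox's own code: the padding scheme (a random-length HTML comment of random hex) and the sample page body are assumptions constructed for the example.

```python
import gzip
import secrets

# Constructed sample page: a response body that carries a per-session secret
# (here a CSRF token) next to content a request could influence.
SAMPLE_BODY = (
    "<html><body>\n"
    "<form><input type='hidden' name='csrf' value='TOKEN-PLACEHOLDER'></form>\n"
    "<p>Welcome back</p>\n"
    "</body></html>\n"
)


def compress_plain(body: str) -> bytes:
    """Deterministic gzip: the same body always yields the same compressed size,
    which is the property a compression side channel such as BREACH relies on."""
    return gzip.compress(body.encode(), compresslevel=6, mtime=0)


def compress_with_random_padding(body: str, max_pad: int = 256) -> bytes:
    """Assumed mitigation scheme: append an HTML comment of random length filled
    with random hex before compressing. The padding is incompressible, so the
    compressed size now varies from response to response."""
    pad_len = secrets.randbelow(max_pad) + 1
    padding = secrets.token_hex(pad_len)  # random text, safe inside a comment
    padded = body + f"<!-- {padding} -->\n"
    return gzip.compress(padded.encode(), compresslevel=6, mtime=0)


def compressed_lengths(compress, body: str, trials: int = 32) -> list:
    """Compress the same body repeatedly and collect the resulting sizes."""
    return [len(compress(body)) for _ in range(trials)]


def length_is_deterministic(lengths: list) -> bool:
    """True when every trial produced exactly the same compressed size."""
    return len(set(lengths)) == 1


def padded_body_round_trips(body: str) -> bool:
    """The padding must not alter the page itself: decompressing a padded
    response still starts with the original body."""
    return gzip.decompress(compress_with_random_padding(body)).decode().startswith(body)


if __name__ == "__main__":
    print("plain gzip sizes:", compressed_lengths(compress_plain, SAMPLE_BODY, 5))
    print("padded gzip sizes:", compressed_lengths(compress_with_random_padding, SAMPLE_BODY, 5))
```

Turning Gzip off entirely (the other option added in this release) removes the side channel outright; the padding approach keeps compression while making the size oracle unreliable.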