Previous Topic: Defects FixedNext Topic: User Names with Accentuated Characters Appeared Differently in REMOTE_USER Variable than in Other SiteMinder Variables (142470, 154435)

Release NotesWeb Agent Release NotesDefects Fixedr12.0.3.09 Agents for IIS with ARR in Classic Pipeline Mode not Prompting for Credentials (154054)Web Agent Option Pack Upgrade Not Notified (159350, 161221)

Web Agent Option Pack Upgrade Not Notified (159350, 161221)

Symptom:

If the Web Agent Option Pack is already installed, the installer does not detect the existing version and notify the user.

Solution:

This is no longer an issue. The Web Agent Option Pack installer uninstalls the existing version and upgrades to the new version automatically.

STAR Issue: 20921319

FCC Mistakenly Allows User to Authenticate Against a Resource Protected by the Windows Authentication Scheme (151098)

Symptom:

In certain configurations, a vulnerability existed whereby an attacker could use a Web Agent acting as an FCC to generate a SiteMinder session for any valid Windows user. This vulnerability existed in configurations in which the same SiteMinder Agent name or Agent group name is used in both an HTML Forms-protected realm and a Windows-protected realm.

Solution:

This issue has been fixed. The FCC no longer authenticates against Windows authentication schemes by default. However, this behavior can be changed by setting the EnableFCCWindowsAuth configuration parameter.

Star Issue: 20729316;01

More information:

How to Configure the FCC to Allow Windows Authentication