u.trust LAN Crypt 11.0.0 Administration release notes
After the acquisition of conpal GmbH by Utimaco in 4/2023, the product conpal LAN Crypt has been rebranded and will be continued under the new brand name u.trust LAN Crypt. Version 11.0.0 is the first rebranded version; it is a feature release and replaces the conpal LAN Crypt product.
The product is able to upgrade from the previous conpal LAN Crypt 4.2.1.
The Legacyfilter has been abandoned and is no longer supported.
Administration versions earlier than conpal LAN Crypt 4.1.1 are EOL.
Clients earlier than conpal LAN Crypt 4.1.3 are EOL.
We recommend upgrading the clients to 4.2.1 and the administration to 4.2.0 before upgrading to u.trust LAN Crypt 11.0.0.
u.trust LAN Crypt 11.0.0 also comes with improved security functionality and several bugfixes.
New features:
- Support for new versions of operating systems
- 64 Bit .NET API
- Several enhancements and extensions for .NET API
- LCSendP12Password helper tool, automatically send P12 passwords by email
- New database tool CheckDatabase.exe
- Improved CreateTables
- Log Collector Utility
- Client Performance Improvements, options to cache files for encrypted SMB shares, DsStateCache for caching unencrypted files
- Rebranding
- Detail work on dialogs and error messages
- Option to renew assigned certificates
- Most important cloud apps pre-registered and maintainable via registry
- Support for multiple policies
- Show "Bypass" flag for rules in "Show Profile"
Changes/Improvements in V11:
- u.trust LAN Crypt2Go replaces conpal LAN Crypt Portable
- Improvement of accessibility
- Accelerated create-profile functionality
- Improved certificate handling
- Accelerated certificate creation
- Support for certificates in computer-store, e.g. for services
- Optimizations, additional verifications and acceleration of CreateTables for MS SQL and Oracle
- ClearCache Option for DsStateCache
- Removed support for:
  - deprecated Oracle versions
  - profiles in legacy format
- Improved messages
- .NET API update to support version 8
- Throttling when creating certificates to preserve resources for OS accessibility
- Performance tracing
- When importing certificates (p12) from a file server, certificates are now checked in true descending order (by number suffix).
- Default ignored apps can be maintained via registry
The EULA has been updated and is now only available in English and German.
The English version is valid for all non-German speaking countries.
The current versions can be obtained from:
Please note the LAN Crypt 11.0.0 Client release notes.
Older release notes for LAN Crypt remain valid, if not stated otherwise.
Requirements
The below listed platforms have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed in case of occurring issues.
Supported Windows 64-bit operating system platforms
| Pro/Enterprise versions of Windows 10 21H2 (LTSC), 22H2 |
| Pro/Enterprise versions of Windows 11 21H2, 22H2, 23H2 |
| Windows Server 2022 |
Supported Citrix Environments
| Citrix Virtual Apps and Desktop 7 1912 LTSR CU2 on WS 2019 |
Supported Database Servers
| MS SQL 2019 |
| MS SQL 2022 |
| Oracle 19 |
If a LAN Crypt Client (LCC) is to be used in combination with LAN Crypt Admin (LCA), it requires a LAN Crypt Client of the same version. Otherwise, when uninstalling the LCC, the LCA might not work anymore. It is required to use a client of the same version (LC-1546).
Mixed operation of old and new versions of LCA on the same database is not supported (LC-3152).
New in LAN Crypt Administration release 11.0.0
- CheckDatabase.exe extends CheckMacAndRepair functionality (LC-3808, LC-3255, LC-3372)
  - Performance enhancements in VMAC check and console app with progress display
  - Default settings for ODBC and security officer pre-configured
  - Added checks for existing CertData and CertificateMeta entries for user certificates.
  - Added migration of CertificateMeta entries for user certificates without CertificateMeta entries and with CertData entries
- MultiPolicySupport (LC-2094, LC-3419, LC-3480, LC-3471, LC-3651, LC-3782)
- Multikernel-, Multithreading-Support for profile generation (LC-3362)
- Rebranding GUI, icons, GPOs, EULA, file header and messages to u.trust LAN Crypt (LC-3156, LC-3299, LC-3595)
- API: profile generation with new call structure (LC-3447)
- API: create SQL Index for Users.LoginName (LC-3563)
- API: new option to disable V4 signature for better file I/O performance. Please contact support for details. (LC-3439, LC-3585)
- API: dotnet Meta info for profiles (LC-3445)
- API: New functions users.FindByShortName, Users.FindByLoginName, Users.FindByImportGuid, optimised filter search function (LC-3564, LC-3565, LC-3569)
- API: new function to update the database schema (LC-3618)
- API: Implemented key filtering for creation of profiles with .NET API (LC-3575, LC-3619)
- API: LCAdminApiNet.ps1 sample for X64 (LC-3639)
- API: The .NET API has been extended from 32 bit to 64 bit and is included in the setup (LC-3443)
- API: file IO error during creation of a certificate is now mapped to a LCAPIERR_FILE_IO and corresponding .NET exception (LC-3777)
- New LC Trace level for performance measurements of create certificates and create profiles implemented with trace level 65 (LC-3629, LC-3630)
- Send P12 password with email tool (LC-3257)
- If the registry value DWORD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Utimaco\SGLANCrypt\MovePolicyFromResolverCache is set to 1, the temporary policy file is moved from the resolver cache instead of being copied and deleted. This improves performance when the target directory and resolver cache are on the same volume, but the created policy then has the ACL inherited from the resolver cache instead of the target directory. In this case, the ACLs must be maintained outside of LAN Crypt (LC-4064)
- DB: The database has been updated to manage certificates and enable multi-policy support. There is no need to change the database schema. The newly added DB tables are ignored by LCA v4.2 and LCA v11 can handle the v42 DB (LC-3461). Mixed operation of old and new versions of LCA on the same database is not supported (see LC-3152)
Changes in LAN Crypt Administration release 11.0.0
If the 'Check certificate extension' group policy is not configured, this policy is treated as 'Enabled'. Certificates without an appropriate key usage will be rejected.
This applies to:
- Importing a user certificate into the LC Client
- Importing a SO certificate into the LC Client
- Assigning a user certificate in the LC Administration Console
- Assigning a SO certificate in the LC Administration Console
- Logging in to the LC Administration Console
Starting with LC v4.2.0, the behaviour was inadvertently treated as "disabled" if the "Check certificate extension" group policy was not configured. With LC v11.0.0 this has been fixed so that LC behaves as it did before LC v4.2.0. (LC-3938)
Therefore, before upgrading LCA and LCC to v11.0.0, make sure that the group policy is set to "disabled" when using certificates without the x509v3 key usage option.
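A pre-upgrade audit for the key usage change described above (LC-3938), as an added example that is not part of the vendor's release notes or tooling. It lists certificates that lack the X509v3 Key Usage extension (OID 2.5.29.15); the store paths and the optional export folder are assumptions to adapt to where your user and SO certificates actually live.

```powershell
# Added example, not vendor code: find certificates without the X509v3
# Key Usage extension before upgrading LCA/LCC to v11.0.0.
function Get-KeyUsageReport {
    [CmdletBinding()]
    param(
        # Assumption: LAN Crypt user/SO certificates are in the personal stores.
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'),

        # Optional folder with exported public certificates (.cer/.crt); hypothetical.
        [string]$CertificateDirectory
    )

    $keyUsageOid = '2.5.29.15'   # id-ce-keyUsage
    $found = New-Object 'System.Collections.Generic.List[object]'

    # Collect certificates from the requested stores.
    foreach ($path in $StorePath) {
        if (Test-Path -LiteralPath $path) {
            Get-ChildItem -LiteralPath $path |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
                ForEach-Object { $found.Add([pscustomobject]@{ Source = $path; Cert = $_ }) }
        }
    }

    # Collect certificates from exported files, skipping anything unparsable.
    if ($CertificateDirectory) {
        Get-ChildItem -LiteralPath $CertificateDirectory -File |
            Where-Object { $_.Extension -in '.cer', '.crt' } |
            ForEach-Object {
                $file = $_   # keep the file; inside catch, $_ is the error record
                try {
                    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
                    $found.Add([pscustomobject]@{ Source = $file.FullName; Cert = $c })
                } catch {
                    Write-Warning "Could not parse $($file.FullName): $($_.Exception.Message)"
                }
            }
    }

    # One row per certificate: is the extension present, and what does it allow?
    foreach ($item in $found) {
        $cert = $item.Cert
        $ku = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $keyUsageOid } |
            Select-Object -First 1

        [pscustomobject]@{
            Source      = $item.Source
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            HasKeyUsage = [bool]$ku
            KeyUsage    = if ($ku) { $ku.Format($false) } else { '' }
            Critical    = if ($ku) { $ku.Critical } else { $false }
        }
    }
}

# Certificates with no key usage extension at all: these are the ones the
# note above is about when the policy is unconfigured or enabled.
Get-KeyUsageReport |
    Where-Object { -not $_.HasKeyUsage } |
    Sort-Object Subject |
    Format-Table Source, Subject, Thumbprint, NotAfter -AutoSize
```

Rows with HasKeyUsage set to True still show their KeyUsage string so the values can be reviewed against what the product documentation treats as appropriate; the release notes do not list the required bits.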
- C++ runtime has been updated (LC-3295).
- 3rd party components updated, old components removed (LC-3747, LC-2680, LC-3144, LC-3315, LC-3221, LC-3222, LC-3223, LC-3366, LC-3748, LC-3749, LC-3484)
- Removed Oracle 8, 9, 12 support from code (LC-3477)
- Rename from inWebo to Trustbuilder for 3rd party MFA (LC-3192)
- Improved error handling for export of log entries (LC-3242)
- Buffer overflow prevention measures (LC-3314, LC-3357)
- Removed obsolete rule path "Internet Cookies" (LC-321)
- Bypass rules default wildcard is different from wildcard for other paths. (LC-3882)
- Improved PowerShell .NET API sample script with examples for find, filter, index (LC-3551)
- PowerShell sample script modified to handle groups without keys (LC-4050)
- CreateTables: Removed support for database formats older than 3.61 (LC-3462)
- CreateTables: Optimization of the runtime when verifying the database (LC-3641)
- CreateTables: New verify check on CertData table with error if the corresponding certificate is missing (LC-3628)
- Improved error message when policy creation time is not within validity period of the SO certificate (LC-3609)
- Replaced dbms_reputil from the Oracle SQL update script of CreateTables to create triggers in the Oracle database (LC-3674)
- API: handle invalid email address as error (LC-3780)
- Modified implementation for "AD server exist" check when importing WinNT users on non-domain-joined computers (LC-3788)
- More accurate error message when writing certificate fails (LC-3684)
- The registry key RandomizedShortKeyName=0 is deprecated and unsupported in versions newer than V4.0 (LC-4142)
- Default Ignored Apps (except SearchProtocolHost.exe) will be set in the registry by the setup at: HKLM\SYSTEM\CurrentControlSet\Services\cplcdt2\Parameters\DefaultIgnoredApplications and can be modified by the customer in case of need (LC-3935)
- Certificate handling revised, CertificateMeta introduced, minor performance optimizations (LC-3349)
- Base repository check for SQL table: implementation for Oracle (LC-3789)
- The "Delete" context menu item is hidden for selected certificates and the "Unassign certificates" menu item is displayed instead (LC-343)
- C# API changed to C++ 20 compiler to overcome compatibility restrictions (LC-3823)
- API: C# tests, examples and build script updated to .NET 8.0 (LC-4057)
- Changed error handling to get a better error message when importing expired certificates (LC-4144)
Bugfixes in LAN Crypt Administration release 11.0.0
- Fixed memory leak in create profile (LC-3224)
- Fixed memory leak in DB handler (LC-3275)
- The 3rd party inventory "3rd_party_software.pdf" is present and up to date in the LCA and LCC deployment folders and when installed with the LC product (LC-2696, LC-3885).
- Version information of the binaries has been made consistent (LC-3209)
- Names of group keys are correctly limited to 128 characters in the input fields of the administration (LC-3200)
- CreateTables: fixed display of “Drop tables” result (LC-3095)
- Import function for users fixed, when path unknown message occurred in directory objects (LC-2931)
- Fixed stack overflow in MMC, when database was modified outside of LAN Crypt (LC-3198)
- Fixed create certificates for users with invalid characters in name (LC-3387)
- Corrected error message for ‘reset authorization’ when selected as a task (LC-3389)
- Improved handling of security officers when using “Additional Authorization” (LC-3381)
- Fixed registry write error for DATAID_LCINIT_FILETYPES_USER (LC-3431)
- Improved error messages of “Build Profiles Wizard” (LC-997)
- CheckMacAndRepair: errors fixed when checking MAC of table ACLS (LC-3395)
- Fixed crash when import already imported root certificate from SO properties (LC-3690)
- WinNT import now correctly imports the alphabetically first user (LC-3691)
- Added error message when user certificate creation fails (LC-3388)
- Accurate message when certificate is imported from AD without domain entry (LC-3738)
- CreateTables: Fixed verify check to handle "empty values" (LC-3669)
- Fixed ODBC exception on failed logon due to missing or incorrect configuration (LC-3910)
- Fixed error message in LC Trace for “AssertPathExists” and unavailable directory (LC-3953)
- Fixed error handling for certificate creation and file IO errors (LC-3163)
- Directory import with WinNT tab 'Groups' now shows all groups (LC-3952)
- Performance throttling by reducing the number of private key generation threads when creating certificates (LC-3915)
- Certificates are searched and processed correctly in both the user store and the computer store (LC-4001)
- Fixed issue for certificates with serial number 0 (LC-4139)
New and known issues in LAN Crypt Administration release 11.0.0
- Login name accepts characters despite restriction and can be saved (LC-4097). Subsequent errors caused by allowing special characters:
  - Infinite loop when creating profiles for login names with special characters (LC-4098)
  - First-time creation of an MSO also allows restricted special characters (LC-4099)
- Infinite loop when creating profile for login names with special characters for more than one user. Creating profiles for only one of those users shows a message that does not refer to the login name, but to the output directory, which can be confusing when troubleshooting. (LC-4098)
- First time creation of MSO erroneously allows restricted special characters. Creating the certificate with special characters does not work, but as soon as an existing certificate is used, the MSO can log on. The error message is also confusing, as described in LC-4098, because it does not refer to the name in the MSO or the certificate, but to the output directory and the password log file (LC-4099)
- The PreventPlainFiles functionality has been officially supported and released for LAN Crypt version 4.2. Administration is done solely via ADMX templates. Since previous versions were only made available on a project basis to very few customers, no migration of existing settings was implemented.
  The settings in older versions were stored under
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Utimaco\SGLCENC
  "PreventPlainFiles"=....
  Now, the settings are stored under
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cplcdt2\Parameters]
  "PreventPlainFiles"="...",
  they can be managed via ADMX. Note that the newer settings use a REG_MULTI_SZ. (LC-3792)
- CreateTables is not compatible with the Oracle Instant Client 19.14 (LC-3670). This applies at least to CreateTables V4.01, V4.1.1 and V4.2.1. An update to Oracle Version 19.20 fixed this incompatibility.
- Non-standard screen scaling may result in incorrect display of menus and setup (LC-4190)
- API: Deactivated keys are removed from the policy when key filtering is enabled. Deactivating a key ensures that it cannot be reused, i.e. no new rules can be created with that key. Existing rules with disabled keys can still be used in profiles. However, if key filtering is enabled via the LCA dotnet API, all rules with disabled keys will be filtered out and not written to the policy. This is a bug in LC V11 and will be fixed in the next major on-premise version (LC-4209).
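A check for the PreventPlainFiles item above (LC-3792), as an added example that is not vendor code: because no migration was implemented, a value left only at the legacy location means the protection is not configured for the current version. The two registry paths and the REG_MULTI_SZ type come from the notes; the function name and status labels are hypothetical.

```powershell
# Added example, not vendor code: detect a PreventPlainFiles setting that was
# left at the legacy registry location or stored with the wrong value type.
function Get-PreventPlainFilesState {
    [CmdletBinding()]
    param()

    $name       = 'PreventPlainFiles'
    $legacyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Utimaco\SGLCENC'
    $currentKey = 'HKLM:\SYSTEM\CurrentControlSet\services\cplcdt2\Parameters'

    # Returns $null when the key or value is absent, else its kind and data.
    $read = {
        param($keyPath)
        $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if ($null -eq $key -or $key.GetValueNames() -notcontains $name) { return $null }
        [pscustomobject]@{
            Kind = $key.GetValueKind($name)
            Data = @($key.GetValue($name))
        }
    }

    $legacy  = & $read $legacyKey
    $current = & $read $currentKey
    $multi   = [Microsoft.Win32.RegistryValueKind]::MultiString

    # Status labels are hypothetical names chosen for this example.
    $status = if ($current -and $current.Kind -ne $multi) {
        'CurrentValueWrongType'      # present, but not REG_MULTI_SZ
    } elseif ($legacy -and -not $current) {
        'LegacyOnlyNotMigrated'      # old setting exists, new one was never set
    } elseif ($legacy -and $current) {
        'BothPresentReviewLegacy'    # compare the entries, then retire the old value
    } elseif ($current) {
        'CurrentOnly'
    } else {
        'NotConfigured'
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Status      = $status
        LegacyKind  = if ($legacy)  { $legacy.Kind }  else { $null }
        LegacyData  = if ($legacy)  { $legacy.Data -join '; ' }  else { '' }
        CurrentKind = if ($current) { $current.Kind } else { $null }
        CurrentData = if ($current) { $current.Data -join '; ' } else { '' }
    }
}

Get-PreventPlainFilesState | Format-List
```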
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The administration contains an extensive context sensitive help. This information is also available in the form of a pdf manual.
Download the admin product documentation at
https://help.lancrypt.com/docs/admin/11_0_0/de/ in German language, at
https://help.lancrypt.com/docs/admin/11_0_0/en/ in English language, at
https://help.lancrypt.com/docs/admin/11_0_0/fr/ in French language, and at
https://help.lancrypt.com/docs/admin/11_0_0/jp/ in Japanese language.
API documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
Updates for the context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.2.0 Administration release notes
conpal LAN Crypt 4.2.0 is a feature release that also comes with improved security functionality and several bugfixes. New features:
- Malware Protection
- OneDrive Settings package
- LAN Crypt 2Go Key Import
- Adding Multiple Encryption Groups to a User
- Bypass Rules Deployment
- Multiple Virus Scanner Configurations
- PreventPlainFilesPath Option
- New Operating Systems Support
- Additional Database Support
- API extensions
- Localization Support for MFA
- Client Performance Improvements
- HTML-Based Client Help
- On-Premise OneNote Support
- Search field for groups
- Network filter installation without network interruption
- Detail work on icons, dialogs and error messages
- LCA 64-bit .NET API
- Several enhancements for .NET API
- Support of Server-Side Copy
- DsStateCache for caching unencrypted files
- Renewal of assigned certificates
Please note the LAN Crypt 4.2.0 Client release notes.
Older release notes for LAN Crypt remain valid, if not stated otherwise.
Requirements
The below listed platforms have been tested and are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed in case of occurring issues.
Supported Windows 64-bit operating system platforms
| Pro/Enterprise versions of Windows 10 1809 (LTSC), 20H2, 21H2, 21H2 (LTSC), 22H2 |
| Pro/Enterprise versions of Windows 11 21H2, 22H2 |
| Windows Server 2019 |
| Windows Server 2022 |
Supported Citrix Environments
| Citrix Virtual Apps and Desktop 7 1912 LTSR CU2 on WS 2019 |
Supported Database Servers
| MS SQL 2019 |
| MS SQL 2022 |
| Oracle 19 |
| Please note: MS SQL Server 2017 has a Mainstream Support End Date of Oct 11, 2022 and will therefore not be supported by LAN Crypt Administration v4.2.0. MS SQL Server 2019 and 2022 are supported. Oracle 8, 9 and 12 will not be supported by LAN Crypt Administration v4.2.0. Oracle 19 is supported. |
If a LAN Crypt Client (LCC) is to be used in combination with LAN Crypt Admin (LCA), it requires a LAN Crypt Client of the same version. Otherwise, when uninstalling the LCC, the LCA does not work anymore. It is required to use a client of the same version (LC-1546).
Mixed operation of old and new versions of LCA on the same database is not supported (LC-3152).
New in conpal LAN Crypt Administration release 4.2.0
- LAN Crypt 2Go Key Import: Key value, GUID, name and encryption algorithm can be imported from a file encrypted with LC2Go. This enables the LAN Crypt client to read and decrypt files encrypted by LC2Go with a password and vice versa (LC-2859).
- Additional security function – no plain file access on removables: Malware import protection for removables (external USB sticks or HDD) with a single rule by disallowing plain file access on external storage devices (LC-2861).
- Adding multiple encryption groups to a user at once. Groups can be selected directly from the users' properties menu (LC-1027).
- Search field for Groups in tree view for MMC added (LC-145).
- Bypass rules can now be deployed with the profile. Although bypass rules should only be considered in very rare cases and only after contacting conpal support, they can be deployed via a profile instead of registry settings and GPO for simplified deployment (LC-2864, LC-2991, LC-3079, LC-3045, LC-3080). Please note: LAN Crypt Administration API does not support creation or validation of bypass rules. Conflicts of ignore and bypass rules are possible (LC-3096).
- Enable configuration of multiple Virus Scanners without delay when profile is loaded. The configured AV process needs to either run during profile loading or be configured with a full path. Wildcards can now be used as part of the path (LC-2925).
- PreventPlainFilesPath policy added to ADMX. This setting prevents plain files from being created in defined network paths or on mapped drives if no conpal LAN Crypt user profile has been loaded yet, or the user does not have one (LC-1492).
- Oracle support in .NET API (LC-2912)
- LCA 64-bit .NET API (LC-2692)
- Support of Windows 10 and Windows 11 – 22H2, and MS SQL Server 2022
Changes in conpal LAN Crypt Administration release 4.2.0
- Assignment of certificates associated with the "MS Base Cryptographic Provider v1.0" is now prevented (LC-2642).
- Enable configuration of multiple Virus Scanners without delay when profile is loaded, see documentation of the modified operation mode (LC-2925)
- The setting “Only SO with the ‘Generate profile’ right can generate keys (keys without a value are not permitted)” is now activated by default, so that new keys are always created with random values as default if no key value has been specified (LC-2544).
- Recovery key: Tabular representation changed to simple field. Only one recovery key is now supported (LC-339, LC-2727).
- Limitation of string length: renaming SO, MSO Wizard (Name and E-Mail) (LC-597, LC-796, LC-988)
- Renew certificates for multiple users who already have certificates assigned: New checkbox added to existing wizard to allow "Create new Certificates (even if there are already existing ones)". This option was also added to the corresponding API functions. (LC-2817).
- Import function of intermediate and root certificates stores these certificates in the correct certificate stores now (LC-2611)
- Necessary permissions for CreateTables.exe reduced (LC-2690).
- Updated Windows start menu folder names. Changed to “conpal LAN Crypt Administration” and “conpal LAN Crypt Client” (LC-1261).
- Change of the build numbering (LC-2927).
- Product icons modified (LC-2860).
- Embedded libraries updated (LC-3035).
- .NET-API now requires an additional parameter for Database.Logon(). Sample scripts show proper functionality (LC-2965).
- CreateTables: Oracle 8, 9 and 12 support is removed (LC-3074).
- CreateTables now accepts password for ODBC connection from command line (LC-2795).
Bugfixes in conpal LAN Crypt Administration release 4.2.0
- Assistant for Recovery Key with/without ESKM - settings, cache and dialog options fixed (LC-2382, LC-2746, LC-2747, LC-2748).
- .NET API: CreateCertificate(UserName) and Certificates.CreateCertificate(UserName) created a .p12 with a wrong name and wrong certificate details. Creating certificates for a group instead of a user did not show this error. Now login names are correctly used (LC-2701).
- Wrong translation in the German settings corrected (LC-3051).
- Translations for LAN Crypt Japanese language version (LC-2906, LC-2897, LC-2882).
- LCA Help "question mark" and F1 key in Central Settings work now (LC-394).
- Certificate import issues fixed (e.g., when administrative rights were required for import of user certificates) (LC-3006).
- The MSO wizard allows several parent windows to open the folder selection file dialog to save profile and security keys. This caused a crash in some circumstances (LC-787).
- In certain scenarios the private keys from imported MSO certificates could not be found for logon. This is now fixed (LC-2806).
- Adding or deleting a large number of users at once from a user group, clicking on Apply and then Cancel caused LAN Crypt to crash (LC-2899, LC-2913).
- Crash during LDAP certificate assignment when entering long texts has been fixed (LC-605).
- Enforcement of unique Server and alias names (LC-2919).
- Certificate status information after certificate generation fixed (LC-739).
- Recovery option: If a higher value than the number of existing additional SO was entered in the "Additional authorization" setting, a warning appeared that could only be confirmed with OK. After that, the entered value was applied anyway. In the worst case, this could lead to the MSO being locked out, which can only be undone using the recovery key. To solve this, a Cancel button was added (LC-804).
- If a user belongs to several groups and identical paths for rules are created in these groups, the profile is not created with a message. There the path information was missing (LC-1481).
- Creating a user profile with user properties outside the maximum allowed character length is correctly aborted, but the next profile creation within the maximum allowed character length resulted in the same error. This has been fixed (LC-2930).
- Create user: Input field length limited (LC-795)
- CreateTables: Update for Oracle now works correctly (LC-2943).
- If certificates are added to users via the CertAssign wizard, the correct number of assigned certificates is now displayed (LC-1456).
- Corrected error message when creating users within a group but canceling the dialog (LC-192).
- WinNT import: Special scenarios caused errors/crashes. User can be imported now. There is a remaining limitation regarding E-Mail-addresses (LC-2502).
- Start menu cascaded incorrectly (LC-3073).
- GPO handle overflow in “Cached policy file lifetime” setting fixed (LC-552).
- null-pointer crash during profile creation fixed (LC-2751).
- The 3rd party inventory "3rd_party_software.pdf" is present and up to date in the LCA and LCC deployment folders. The "3rd_party_software.pdf" installed with the LC product is missing an entry:
  - "libkmip/BSD license" (LC-2696).
- KeyValue is not set when Default key is created. The manual is updated with more specific information in the key tab/key value section (LC-2544).
- When IP addresses are used for generating rules, several conditions must be taken into consideration to avoid wrong execution. Correct syntax is required for IP rules, otherwise they will not be ignored by the registry setting RemoveDomainFromRules functionality (LC-1483, LC-2454).
- LAN Crypt Administration/MMC sometimes crashes when deleting groups created by C# example script (LC-2268).
- The message ‘Path unknown’ is displayed incorrectly when importing users with anonymous LDAP authentication. User import is not possible in this session afterwards (LC-2931).
- MMC crash can occur, if profiles are created in a group tree with more than 80 groups nested into each other (LC-3193).
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The administration contains an extensive context sensitive help. This information will be available in form of a pdf manual a couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/ja/admin/lc_420_ahjpn.pdf in Japanese language, at
https://help.lancrypt.com/docs/admin/de/ in German language, at
https://help.lancrypt.com/docs/admin/en/ in English language and at
https://help.lancrypt.com/docs/admin/fr/ in French language.
API documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
Updates for the context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.1.2 Administration release notes
conpal LAN Crypt 4.1.2 is a Japanese language version and is available from our partner in Japan only. It is functionally identical to LAN Crypt 4.1.1.
Please refer to the conpal LAN Crypt 4.1.1 part of the release notes.
Older release notes for LAN Crypt remain valid, if not stated otherwise.
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The administration contains an extensive context sensitive help. This information will be available in form of a pdf manual a couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/ja/admin/lc_412_ahjpn.pdf in Japanese language, at
https://docs.lancrypt.com/de/admin/lc_411_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_411_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_411_ahfra.pdf in French language. Please note that the French manual will be published with a delay; for the time being, use the English manual.
conpal LAN Crypt 4.1.1 Administration release notes
conpal LAN Crypt 4.1.1 is a maintenance release; there are no new features included.
Please refer to the conpal LAN Crypt 4.1.0 part of the release notes.
Older release notes for LAN Crypt 4.00.x remain valid, if not stated otherwise.
Requirements
The below listed platforms are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
| Pro/Enterprise Versions of Windows 10 1809 (LTSC), 20H2, 21H1, 21H2, Windows 11 | No | Yes |
| Windows Server 2019 | No | Yes |
| Windows Server 2022 | No | Yes |
If a LAN Crypt Client (LCC) is to be used in combination with LAN Crypt Admin (LCA), it requires a LAN Crypt Client of the same version. Otherwise, when uninstalling the LCC, the LCA does not work anymore. It is required to use a client of the same version (LC-1546).
Bugfixes in conpal LAN Crypt Administration, Release 4.1.1
- Recovery key now works with "1 of 1" key assignment. The fix also works for KMIP server (LC-2724)
- Corrupt MAC for database with multifactor authentication can now be repaired (LC-2577)
- Virtual Smart Card: Cancelling the dialog for PIN entry no longer attempts smart card logon (LC-2408)
Manuals, documentation and support
At https://support.conpal.de registered customers with active maintenance contracts get access to downloads, documentation and knowledge items.
The administration contains an extensive context sensitive help. This information will be available in form of a pdf manual a couple of days after release for download.
Download the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_411_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_411_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_411_ahfra.pdf in French language. Please note that the French manual will be published with a delay; for the time being, use the English manual.
Updates for the context-sensitive help are made available via our support portal if necessary.
conpal LAN Crypt 4.1.0 Administration release notes
conpal LAN Crypt 4.1.0 comes with support for new operating systems, new functionality, improved security functionality and new features, e.g.
- Richer support for SGN/SafeGuard Fileshare customers
- Portable file encryption
- Minifilter with caching capabilities for SMB network shares
- New .NET Administration API
- Client API login with user context
- LAN Crypt-Service functionality
- Manipulation protection for processes
- Multi factor Authentication based on 3rd party technology
- Interoperation with Azure technologies (like Azure SQL)
- Oracle 19 Support
The Legacyfilter has been abandoned, but is still supported with the 4.00.x version of the product.
If not stated otherwise, the older release notes for LAN Crypt 4.00.3, 4.00.2, 4.00.1 and 4.00 remain valid.
Please note the LAN Crypt 4.1.0 Client release notes.
Requirements
The below listed platforms are officially supported. Other Service Pack levels might work as well but have not run through a QA cycle and won't be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
| Pro/Enterprise Versions of Windows 10 1809 (LTSC), 1909 (19H2), 20H2, 21H1, 21H2, Windows 11 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
| Windows Server 2022 | No | Yes |
If a LAN Crypt Client (LCC) is to be used in combination with LAN Crypt Admin (LCA), it requires a LAN Crypt Client of the same version. Otherwise, when uninstalling the LCC, the LCA does not work anymore. It is required to use a client of the same version (LC-1546).
New in conpal LAN Crypt Administration release 4.1.0
- Support for SGN/SafeGuard FileShare keys. In combination with a key export and a key import tool, Fileshare encrypted files can be handled by conpal LAN Crypt Client 4.00.3 or newer with Minifilter. The LAN Crypt Administration 4.00.3 or newer is required for the key import.
- New .NET API: Provision of the existing V4.0 API as .NET library (a compilable C++/CLI project ‘LCNetApi’), including a C# test project that calls some of these functions as examples (LC-1472). Please also have a look at the section .NET API in these release notes.
- Administration capabilities for client-side Multifactor Authentication of the 3rd party technology of inWebo
Changes in 4.1.0
- Sometimes LAN Crypt 3.97 or 4.00 clients cannot find user certificates if the profile was created with LAN Crypt Administration 4.00.x before 4.00.3. The client cannot load the profile with the error message: `User certificate not found` (LC-2010). LAN Crypt 4.1 Administration generates profiles which do not lead to that error.
- msiexec: When LAN Crypt packages are installed, the package name for the user application is now corrected to 'UserApplication' instead of client. The AddLocal parameter is named 'UserApplication' instead of 'Client' (LC-2214)
- Performance improvements in the wizard for certificate allocation (LC-1708, LC-745).
- Performance improvements when loading objects, e.g. when WIN-NT domain names are appended with characters (LC-664).
- Boost library removed for better maintenance of security relevant functions (LC-474).
- The LAN Crypt certificates are changed to conpal branding (LC-1265).
- Algorithm names are now consistent in client and admin (LC-952).
- Trusted Vendor behaves differently in v4 with respect to expired certificates. In LCA v4 there is a new check so that expired certificates can no longer be used. When importing a certificate from a cer file (in the Trusted Vendors tab), an error message now appears if that cert has expired. When using an exe file, the validity is (apparently) not currently checked. Certs can be added to Trusted Vendors from the exe, even if they are invalid. This makes sense if, for example, a three year old program is to be added. However, the behavior is different between import from *.exe and from *.cer and therefore documented (LC-1114).
Bugfixes in 4.1.0
- An SO was able to log on to the administration when logging was enabled but not possible (LC-1683).
- The limitation of the manual input of the key GUID to 16 bytes did not work reliably (LC-1157).
- The action ‘Find key’ was selectable although the SO had no right for the administration of keys (LC-1284).
- Crash when expanding
groups in deep tree structure (LC-1684).
- Text
correction: Error message Additional authorization. (LC-927, LC-1291).
- Text
correction: Additional Authorization - If a value is specified for the
number of SOs required for additional authorization that is higher than
the amount of additional SOs that are created, a warning appeared, the
warning text was not correct (LC-1201).
- When editing a LC group
structure with a minimum depth of 25 subgroups, LCA crashed when creating
new rules via the "conpal LAN Crypt Encrypting Rules and Tags"
tab (LC-1430).
- AD imports from too
large OUs failed (LC-1460).
- If a long directory name was entered in the LC Admin during certificate assignment from file, a buffer overflow occurred internally (LC-1055).
- Crash on certificate assignment with wrong data type. Assigning a certificate from a file using the Certificate Wizard sometimes caused LCA to crash if binary files (e.g. P12 files) were used (LC-1404).
- Robustness for handling
of special characters has been improved (e.g. for the certificate import
wizard) (LC-1445).
- If CreateTables
was called with an invalid ODBC name, an unhelpful error message appeared
(LC-1873).
- Upgrade
installation LCA and LCC v3 -> v4: MSI ProductCode did
not match with Registry ProductCode (LC-1324).
- When cancelling the import of the Active Directory in
the Certificate Assignment Wizard, the LCA console would freeze, while the
process was running. (LC-576).
- Crash when copying / moving large tree structures
(LC-675).
- Admin RecoveryKey was
processed internally without transaction backup (LC-341).
- Profile creation wizard behaved differently when called
in different places (In total user overview, in user list within a group)
(LC-819).
- If LAN Crypt logging was enabled, but the log table got corrupted, no SO could log in anymore. As a fix, the MSO can now log on to LCA despite a MAC error in logging, disable logging and repair the MAC (LC-190).
- GPME - Crash if input for locations was too long. It concerned
Location for Security Officer certificates, Location for policy files,
Location for key files (LC-724).
New known issues
- LAN Crypt uses CSP
(Cryptographic Service Provider) to access smartcards. Containers are not
specified during access. Therefore, conflicts can occur when using several
smartcard readers on one machine, especially if a smartcard is inserted in
several readers and "identical" certificates / containers are
present there (LC-1121).
- When LAN Crypt
Administration v3 and LAN Crypt client v4.x are installed on the same
machine, the deinstallation of the LAN Crypt Client leads to improper
function, because the connection to LCSERVN.EXE is not available anymore
(LC-1546).
It is strongly recommended, to install the same client versions with the
administration (v4 LCA and v4 LCC).
- Not really
new, but important: The default database, not the master database
shall be used, when creating the LAN Crypt database (LC-84), see the section 3.2. in the manual.
- The VisualStudio
runtime might not be available on some machines. In this case e.g.
deinstallation of the product might not be possible.
https://docs.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170
https://aka.ms/vs/17/release/vc_redist.x86.exe
https://aka.ms/vs/17/release/vc_redist.x64.exe
- CreateTables.exe still offers options for Oracle 8, 9, and 12, even though they are no longer supported.
.NET API (LC-2437)
- When using the .NET Admin API, if you receive the following message when initializing the Admin API, a package reference must be included in your project:
Message:
The type initializer for 'Microsoft.Win32.Registry' threw an exception. Registry is not supported on this platform.
Necessary reference:
<PackageReference Include="Microsoft.Win32.Registry" Version="5.0.0" />
- If you do not perform a product installation when using the .NET Admin API on the server and distribute the DLLs yourself, you must set the registry entry for the installation directory accordingly; otherwise dependent DLLs will not be found at runtime.
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\conpal\LAN Crypt\Admin\Setup
Value:
InstallDir, Type REG_SZ
Example:
c:\Program Files (x86)\conpal\LAN Crypt\Administration
- Due to the 32-bit DLLs used, the dotnet SDK must also be installed in the x86 variant.
- The example program StartFirstHere is set up for dotnet core 3.1. If you use dotnet 6.0, you have to change the TargetFramework entry to ‘net6.0’ in the project file ‘StartFirstHere.csproj’.
- When using the sample programs, the path to the API DLLs in the respective script must be adjusted for an LCA installation outside the conpal default path.
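One way to carry out the registry step for self-distributed API DLLs, as an added PowerShell example (not conpal's own tooling): it writes InstallDir through the 32-bit registry view and first refuses a directory that principals other than administrators can modify, because dependent DLLs are loaded from it. The key, value name, type and default path are taken from the notes above; the ACL check and the list of trusted SIDs are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Key, value name and type come from the release
# notes; the default path is the example path given there.
param(
    [string]$InstallDir = 'C:\Program Files (x86)\conpal\LAN Crypt\Administration'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "InstallDir '$InstallDir' does not exist; copy the API DLLs there first."
}

# Assumption of this example: only these principals may hold write access.
$trustedSids = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (inherit-only placeholder)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# File-system rights that allow planting or replacing a DLL, plus the raw
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$specific  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $specific -bor 0x10000000 -bor 0x40000000

# Ask for SIDs instead of account names so the check works on localized systems.
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl     = Get-Acl -LiteralPath $InstallDir
$risky   = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trustedSids -notcontains $_.IdentityReference.Value -and
    ([int]$_.FileSystemRights -band $writeMask) -ne 0
})

if ($risky.Count -gt 0) {
    foreach ($rule in $risky) {
        Write-Warning ("{0} has write access ({1}) to {2}" -f `
            $rule.IdentityReference.Value, $rule.FileSystemRights, $InstallDir)
    }
    throw 'Refusing to register a DLL directory that non-administrators can modify.'
}

# Open the 32-bit view explicitly: 'SOFTWARE\conpal' in that view is
# HKLM\SOFTWARE\WOW6432Node\conpal on 64-bit Windows, whatever the bitness of this shell.
$hklm32 = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)
try {
    $key = $hklm32.CreateSubKey('SOFTWARE\conpal\LAN Crypt\Admin\Setup')
    try {
        $key.SetValue('InstallDir', $InstallDir, [Microsoft.Win32.RegistryValueKind]::String)
        $readBack = $key.GetValue('InstallDir')
    } finally {
        $key.Close()
    }
} finally {
    $hklm32.Close()
}

"InstallDir (REG_SZ) = $readBack"
```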
Manuals, documentation and support
At https://support.conpal.de, registered customers with active maintenance contracts get access
to downloads, documentation and knowledge items.
The
administration contains an extensive context sensitive help. This information
will be available in form of a pdf manual a couple of days after release for
download.
Download
the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_410_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_410_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_410_ahfra.pdf in French language. Please note that the French
manual will be published with a delay; for the time being, use the English manual.
Updates for the context-sensitive help are made
available via our support portal if necessary.
conpal LAN Crypt 4.00.3 Administration release notes
conpal LAN Crypt 4.00.3
Admin comes with support for new operating systems and for SGN/SafeGuard Fileshare. If not
stated otherwise the older release notes for LAN Crypt 4.00.2, 4.00.1 and 4.00
remain valid.
Please note the LAN
Crypt 4.00.3 Client release notes.
Requirements
The below listed platforms
are officially supported. Other Service Pack levels might work as well but have
not run through a QA cycle and won't be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
|---|---|---|
| Windows 10 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise, 21H2 Pro/Enterprise, Windows 11 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
New in conpal LAN Crypt Client release 4.00.3
- Windows 11 support
- Windows 10 21H2 support
- Support for SGN/SafeGuard FileShare keys. In combination with a key export and a key import tool, FileShare encrypted files can be handled by conpal LAN Crypt 4.00.3 Client with Minifilter. The LAN Crypt Administration 4.00.3 is required for the key import.
Changes in 4.00.3
- LAN Crypt 3.97 or 4.00 Client cannot find the user certificate if the profile was created with LAN Crypt Administration 4.00.x before 4.00.3; the client cannot load the profile and shows the error message "User certificate not found" (LC-2010)
Manuals, documentation and support
At https://support.conpal.de, registered customers with active maintenance contracts get access
to downloads, documentation and knowledge items.
The
administration contains an extensive context sensitive help. This information
will be available in form of a pdf manual a couple of
days after release for download.
Download
the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in French language.
Updates for the context-sensitive help are made
available via our support portal if necessary.
conpal LAN Crypt 4.00.2 Administration release notes
conpal LAN Crypt 4.00.2 is primarily a maintenance release. Unless stated otherwise, the release notes for
LAN Crypt 4.00.1 remain valid.
Please note the LAN
Crypt 4.00.2 Client release notes.
Requirements
The below listed platforms are officially supported. Other Service Pack
levels might work as well but have not run through a QA cycle and won't be
analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
|---|---|---|
| Windows 10 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
Bugfixes in 4.00.2
- Administration API: EnumSubGroups does not show all subgroups of the root group for security officers other than the MSO (LC-1871)
Manuals, documentation and support
At https://support.conpal.de, registered customers with active maintenance contracts get access to downloads, documentation and
knowledge items.
The
administration contains an extensive context sensitive help. This information
will be available in form of a pdf manual a couple of
days after release for download.
Download
the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in French language.
Updates for the context-sensitive help are made available via our
support portal if necessary.
conpal LAN Crypt 4.00.1 Administration release notes
Please
note the LAN Crypt
4.00.1 Client release notes.
Requirements
The below listed platforms are
officially supported. Other Service Pack levels might work as well but have not
run through a QA cycle and won't be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
|---|---|---|
| Windows 10 1803 (RS4), 1809 (RS5), 1903 (19H1), 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
New in conpal LAN Crypt Admin release 4.00.1
- Windows 10 20H2 support
- Add
translations for error message on unsupported OS (LC-1251)
Changes in 4.00.1
- Now the MiniFilter can handle the setting of the tab "Client-API". No separate script is necessary anymore. (LC-690) (LC-1216)
Bugfixes in 4.00.1
- Updated helpfiles (LC-84, LC-645, LC-801,
LC-1421)
- Client-API-Dll
can handle long pathnames now (LC-1454)
- Findkey shows keys to unauthorized SOs/Find Keys
Degradation (LC-1384)
- Key wrapping could not be
disabled (LC-1231)
- Missing link in English
helpfile (LC-1290)
- Branding (LC-935)
- Freeze-after-certificate-creation-cancel
(LC-1246)
- cleared profile not loaded
(LC-1427)
- Create certificates dialog now
finishes the progress even if some users already have a certificate.
(LC-1467)
- Fix search filter crash
(LC-1463)
- Branding topics (LC-1518), createtables branding (LC-698)
- GPO context sensitive help (LC-1236).
Manuals, documentation and support
At https://support.conpal.de, registered customers with active maintenance contracts get access to downloads, documentation and
knowledge items.
The
administration contains an extensive context sensitive help. This information
will be available in form of a pdf manual a couple of days after release for
download.
Download
the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in French language.
Updates for the context-sensitive help are made available via our
support portal if necessary.
conpal LAN Crypt 4.00.0 Administration release notes
Please
note the LAN Crypt
4.00.0 Client release notes.
conpal LAN Crypt is the
successor of SafeGuard LAN Crypt.
conpal LAN Crypt 3.97 Administration was the initial release of conpal for the Administration. It
contained fixes and hotfixes of the previous SafeGuard LAN Crypt 3.90 Administration, but almost no
functional enhancements. In terms of operating systems and databases, additional versions were
supported and support for some operating systems and databases was dropped.
conpal LAN Crypt 4.00
Administration is a significant rework of the Administration, focused on
improvements in operational speed and laying the ground for a complete
replacement of the API functionality by a faster and more modern approach. It
is reworked bottom up, including the cryptographic base.
Some new functions, like SHA2 support for LAN Crypt generated certificates,
have been added.
Novell and Windows 7 support has been dropped, Oracle support for more current
databases has been added. Current operating systems are supported.
In addition, new client capabilities can be managed.
Please note that we have
invested considerable effort in the continuity of the product. A migration of
3.9x databases requires minimal effort.
Mixed environments of older and current clients are supported (please refer to
section operation).
Manuals, documentation and support
At https://support.conpal.de, registered customers with active maintenance contracts get access to downloads, documentation and
knowledge items.
The
administration contains an extensive context sensitive help. This information will
be available in form of a pdf manual a couple of days after release for
download.
Download
the admin product documentation at
https://docs.lancrypt.com/de/admin/lc_400_ahdeu.pdf in German language, at
https://docs.lancrypt.com/en/admin/lc_400_aheng.pdf in English language and at
https://docs.lancrypt.com/fr/admin/lc_400_ahfra.pdf in French language.
Updates for the context-sensitive help are made available via our
support portal if necessary.
Requirements
The below listed platforms are
officially supported. Other Service Pack levels might work as well but have not
run through a QA cycle and won't be analysed in case of occurring issues.
| Platforms supported | 32-bit | 64-bit |
|---|---|---|
| Windows 10 Build 1803, 1809, 1903, 1909, 2004 Pro/Enterprise | No | Yes |
| Windows Server 2012 | No | Yes |
| Windows Server 2012 R2 | No | Yes |
| Windows Server 2016 | No | Yes |
| Windows Server 2019 | No | Yes |
Microsoft SQL Server 2012 SP4
Microsoft SQL Server 2016 SP2
Microsoft SQL Server 2017
Microsoft SQL Server 2019
Azure SQL has been verified to be functional with LAN Crypt administration 3.97
and 4.0. LAN Crypt 4.0 provides the ability to log on using the Active Directory
interactive authentication. LAN Crypt 3.97 does not support this type of
authentication.
Oracle 12 and Oracle 19 are supported, whereas SQL Server remains LAN Crypt’s
preferred database.
A LAN Crypt database created
under LAN Crypt 3.90 or 3.97 must be updated in advance using
"CreateTables.exe %ODBCName% m u" for use
under LAN Crypt 4.00 Administration. The createtables
tool provides a help message for specifics regarding e.g. Oracle.
Upgrade
For an upgrade-installation
you can find additional information in the user manual.
An upgrade installation of the administration is supported from conpal LAN
Crypt 3.97 (recommended) and SafeGuard LAN Crypt
3.90.
Migration of older versions is not supported, but technically possible, we
recommend to make use of Professional services in such
cases.
New in conpal LAN Crypt Administration release 4.00.0
- Windows
Server 2019 is now supported
- Microsoft
SQL Server 2019 is now supported
- Oracle 19
and Oracle 12 are supported, whereas SQL Server remains LAN Crypt’s
preferred database
- Support
for policies for Removables, Opticals,
Local Volumes, Boot Volume and Network Shares - to be executed on v4
Clients
- Integration
of earlier patches for LAN Crypt
- SHA2
support for LAN Crypt generated certificates (*SO, User)
Operation of LAN Crypt 4.00 administrative
environments
A mixed operation of LAN Crypt v4 Admin and LAN
Crypt v3.x Admin is not supported.
It is possible to run a v3.97 Admin with v4
Clients and v3 Clients.
It is possible to run a v4.00 Admin with v4
Clients and v3 Clients.
XML is the only supported policy file format of
v4.00 Admin and v4.00 Clients.
New profile files are created by v4.00, with
sections for v3 and v4 Clients.
The new encryption rules for Removables, Opticals etc. are
transported in the new section.
Once new rules have been created with v4.00, it
is no longer possible to create profiles with a v3 Admin. Doing so would
potentially have negative effects on the client.
Changes
- Integration
of new cryptographic libraries in Admin and Client (for security reasons)
- Renewal
of 3rd party libraries (for security reasons)
- Integration
of a new random number generator (for security reasons)
- Significant
improvement of administrative tasks in large installations
- All in all, the optimizations carried out are
clearly noticeable in many areas. This concerns both the API and the
management program. Since central points have been optimized, the overall
system has become faster. Individual areas with optimizations have become
dramatically faster.
- Reduction of database accesses: In many
functions the access to the database has been drastically reduced.
- Improvement SQL Indexes:
- New indices were added specifically when a
clearly measurable improvement in performance was achieved.
- Improvement in processing algorithms:
- Internally, functions have been structurally
revised to achieve better throughput. In particular,
double reading of identical data records has been removed in many
places.
- In order to use
parallelization optimally, at least 4 cores should be available on the
computer. More cores do not provide much performance improvement at the moment.
- When creating certificates for large groups,
more cores are also used well and up to 12 cores are advantageous. Based
on our measurements and configurations we recommend 6-8 cores.
- Beginning with V4.00.0, the functions that
process many individual orders in one order are parallelized. Examples
are the creation of certificates and profiles.
- Examples for the parallelisation of certificate
creation are reading the database, creating keys, and writing the
certificates. Here, these steps function as in a pipeline, so to speak.
Another example is the creation of profiles. Here, too, the tasks are
treated like a pipeline with the substeps
reading the database information, preparing the XML profile, signing
profiles, compressing, and writing profiles. The subareas are well
separated and the runtime for larger groups has been approximately
halved in our test environments.
- Optimization of memory management:
At central points, the memory
handling was improved and optimized. These optimizations were clearly
measurable, but only lead to small improvements in relation to database
accesses.
- Optimization of functions:
Many functions have been technically revised internally for better
maintainability and performance.
- SQL
Express is no longer supplied with the distribution. It can be downloaded
directly from the Microsoft site.
- Due to
security improvements in LAN Crypt 4.00 a warning appears, when weak
algorithms are selected (XOR, DES, 3DES, IDEA). (LC-957, LC-958, LC-1056)
For continuity reasons (e.g.
backup) such algorithms are not prohibited.
For the selection of XOR this
is reinforced, and the SO must also have the right to define GUIDs for new keys
to be able to select this algorithm.
- Certificates
are generated with SHA2 instead of SHA1 (LC-336)
- XTS-AES
is the default encryption algorithm in LAN Crypt 4.00
- Support
for other databases and operating systems than the ones mentioned has been
dropped
- The usage of the Client API must be configured in the Administration and, in case the minifilter is used on the client side, the included script to enable permissions for specific applications has to be adapted and executed on the client side
- Changed behaviour regarding client API permissions for security improvement:
Long path names are now the default for client API configuration. For convenience reasons, short names are
internally completed by searching some protected paths when program names
are configured without path information. The client will search in the
following directories:
LAN Crypt Install Dir\Shared\ (non-recursive)
CSIDL_SYSTEM (typical C:\Windows\System32, non-recursive)
CSIDL_WINDOWS (typical C:\Windows, non-recursive)
CSIDL_PROGRAM_FILES (typical C:\Program Files, recursive)
If an EXE file with the specified name is found, the full path will be internally added.
Other paths are now untrusted for short file names. (LC-690)
- Group
policy configuration is also possible with administrative templates. The
support for adm has been dropped. The admx template files are located in
the config folder of the product package. Please see http://msdn.microsoft.com/en-us/library/bb530196.aspx for information on how
the files have to be installed.
- Import from
a Novell directory has not been supported since v3.90. Other Novell
functionality is now as well not supported and will not be functional in
the administration.
- Additional
API functions have been added
- The
EULA has been updated (for German, English and French)
- The 3rd
parties’ inventory has been consolidated and updated
- Admin does not start with "Selected users and certificates" anymore (but
this behaviour can be configured). (LC-844)
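The short-name lookup described above under "Changed behaviour regarding client API permissions", approximated as an added PowerShell audit helper (not LAN Crypt code): it walks the four documented directories with the documented recursion settings and lists every binary a short name could refer to, together with its Authenticode status. The function name, the `$installDir` placeholder and the sample names are assumptions of this example; the notes do not say which match is used when several exist, so all candidates are reported.

```powershell
# Added example (not LAN Crypt code): approximates the documented search so an
# administrator can see which binaries a short Client API name could bind to.
function Resolve-ClientApiShortName {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # Assumption: root of the local LAN Crypt client installation.
        [Parameter(Mandatory = $true)][string]$LanCryptInstallDir
    )
    if ($Name -match '[\\/:*?"<>|]') {
        throw "'$Name' is not a bare file name; only names without a path are searched."
    }
    # Search roots and recursion flags as listed in the release notes.
    # In a 32-bit shell on 64-bit Windows the last root is 'Program Files (x86)'.
    $roots = @(
        @{ Path = (Join-Path $LanCryptInstallDir 'Shared');     Recurse = $false }
        @{ Path = [Environment]::GetFolderPath('System');       Recurse = $false }
        @{ Path = [Environment]::GetFolderPath('Windows');      Recurse = $false }
        @{ Path = [Environment]::GetFolderPath('ProgramFiles'); Recurse = $true  }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root.Path -PathType Container)) { continue }
        $gci = @{
            LiteralPath = $root.Path
            Filter      = $Name
            File        = $true
            Recurse     = $root.Recurse
            ErrorAction = 'SilentlyContinue'   # skip folders the caller cannot read
        }
        # -Filter can also match 8.3 short names, so compare the real name again.
        Get-ChildItem @gci | Where-Object { $_.Name -ieq $Name } | ForEach-Object {
            [pscustomobject]@{
                Name       = $Name
                SearchRoot = $root.Path
                Recursive  = $root.Recurse
                FullPath   = $_.FullName
                Signature  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
        }
    }
}

# Constructed sample input: replace with the program names configured on the
# "Client-API" tab and with the real client installation directory.
$installDir = 'C:\Path\To\LAN Crypt'            # placeholder, not a real default
$configured = 'notepad.exe', 'example-tool.exe' # sample names, not from the notes

foreach ($entry in $configured) {
    $hits = @(Resolve-ClientApiShortName -Name $entry -LanCryptInstallDir $installDir)
    if ($hits.Count -eq 0) {
        Write-Warning "${entry}: no match in the searched directories."
    } elseif ($hits.Count -gt 1) {
        Write-Warning "${entry}: $($hits.Count) candidates; configure the full path instead."
    }
    $hits | Format-Table Name, FullPath, Recursive, Signature -AutoSize
}
```

On a default Windows installation `notepad.exe` exists in both C:\Windows and C:\Windows\System32, which makes it a convenient name for seeing the multiple-candidate warning.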
Bugfixes
- Recovery
key handling fixed. (LC-434)
- Password
file: missing carriage return (LC-247)
- Preselected
button and triggered action on <Enter> don't match while creating
groups (LC-213)
- Wrong
error message when trying to build profiles with expired certificates
(LC-194)
Known issues
- The detailed
description text in the admin log for the action Create profile is
erroneously truncated after the first character (LC-1227)
- Explicit rules for file extensions are not executed correctly by the minifilter. The Minifilter
does not execute rules like *.ext correctly for
encryption and ignore rules. As a workaround, we recommend adding an additional rule like *\*.ext. Having both
rules, *.ext and *\*.ext, active works as well for V3.9x and V4.0 clients
- MSO
smart card login fails on WS2012 R2 (LC-1120):
In Windows Server 2012 R2, SO
logon with certificate on smart card is not possible. According to our tests,
this is the only supported operating system with this limitation.
- Deleting
nested groups requires a relatively large amount of memory and can lead to
instability. Therefore, we recommend not to nest more than 200 groups into
each other. (LC-527)
- Network
errors:
If the network connection to the SQL server, or to a LDAP source, is
broken during LAN Crypt administration, the LAN Crypt Administration must
be closed and restarted (after the network problem is fixed).
- Entering very long data into LAN Crypt dialogues (e.g. configuring trusted
applications or virus-scanners) might lead to crashes of the
administration console. In addition, this data is
not saved in the configuration database (LC-570)
- Simultaneous
administration:
If more than one SO is working with the LAN Crypt database at the same
time, problems can occur. We recommend a regular manual refresh in that
case.
- admx does not recognize new
placeholders for unhandled devices (LC-1201)
- If the new placeholders for Unhandled Devices
are selected in the LAN Crypt node of the gpme,
they are not displayed in the administrative template and therefore
cannot be managed there.
- LDAP
import and synchronization:
- If objects are imported from a domain, you must
specify the domain name and not the computer name in the server
configuration!
When configuring server logon data in central settings you should either
only enter the domain name as server name or add the domain name as an
alias.
- On the root level (e.g. domain), only 999
objects are displayed and imported.
- Page controls have to
be enabled on the LDAP server.
- Certificate
store:
LAN Crypt only supports certificates in one of the user certificate
stores. It does not support certificates in machine stores.
- Installation
on 64-bit operating systems:
LAN Crypt Administration is installed on 64-bit operating systems, therefore the following has to be considered:
- ODBC administration:
The ODBC connection used by LAN Crypt Administration has
to be configured using the 32-bit ODBC Data Source
Administrator (%WINDIR%\SysWOW64\odbcad32.exe or use the shortcut in
the start menu).
Remark: The shortcut in the LAN Crypt start menu is not displayed on
Windows Server 2012. Please use the shortcut ODBC Data Sources (32-bit) available in
Administrative Tools
instead.
- Group policy plugin:
The group policy plugin to administer LAN Crypt is not shown in the
Windows group policy editor. To administer the LAN Crypt policies, the
32-bit Group Policy Editor has to be used
(%WINDIR%\SysWOW64\gpedit.msc for local
policies or %WINDIR%\SysWOW64\gpme.msc for
Active Directory policies or use the shortcut in the start menu).
As an alternative the administrative templates can be used which are
stored in the config folder of the product package.
- Scripting API:
The scripting API is only available for 32-bit applications. If a Visual
Basic-Script is started which uses the LAN Crypt scripting API, it has to be started from the 32-bit Windows Scripting
Host (%WINDIR%\SysWOW64\cscript.exe or %WINDIR%\SysWOW64\wscript.exe).
- Firewall
settings:
If the Microsoft SQL Server database is located on another machine, please
ensure that the firewall is configured correctly. Additional information
can be found here: http://msdn.microsoft.com/en-us/library/cc646023.aspx.
- To
operate LAN Crypt clients as a service, additional configuration steps are
needed. Please contact support for further details.
- For
performance (testing) in VMware VMs, it is recommended not to configure
more CPUs than the host has available. Scaling should be done by the
number of cores (i.e. not 2 CPU & 2 cores, better 1 CPU & 4 cores
if only 1 host CPU is available).
- GPO
context sensitive help:
For the operation of the Group Policies (GPO settings) there is
documentation available in the side panel of the console. There is also a
context sensitive help (sglcconfig040x.chm) available. In version 4.00.0, the old
version without rebranding was erroneously integrated into the setup. This
version is technically almost correct but may still contain incorrect
references to SafeGuard or outdated license
information. If necessary, an updated version can be obtained from Support
a few days after release and will be included in later deliveries. To
update, this must then be copied to %\Windows\Help (LC-1236).
- The
rebranding of Sophos SafeGuard to conpal is
comprehensive but may inadvertently be incomplete.