u.trust LAN Crypt 13.0.0
Administration release notes
u.trust LAN Crypt 13.0.0 is a feature
release with a strong focus on improving security. There are quite some new security
features included, which need structural
changes of the database and that requires a migration of an existing database.
The version can upgrade from V11.0.0 or V11.0.1 or the respective
patched versions. See manual for further description
of the upgrade process.
Some features of this version
are not compatible with previous LAN Crypt product versions or their database
schema.
We've released V13.0.0 with
important improvements to enhance your data protection and system stability.
Key benefits of updating:
·
Default “SuperRandom” Random Number Generator
·
New symmetric encryption
algorithm, default for new users
(not compatible with LAN
Crypt V11 and older)
·
Cryptographic self-tests
·
Modernized cryptographic database protection
·
Transparent and fast upgrade procedures
·
Several improvements in stability and resilience
·
Encstatus tool
providing information about
encrypted files without necessity to install LAN Crypt
·
LAN Crypt2Go and LAN Crypt2Go Reader for Windows are included in the LAN
Crypt license (https://help.lancrypt.com/docs/2Go/menu/).
·
The non-VS-NfD release of
LAN Crypt now also contains
LAN Crypt2Go for Mac and Linux.
A dedicated version for government
customers to operate VS-NfD data is available.
Quick Update Recommendation
We suggest
updating to
·
Safeguard your data
·
Experience the latest system enhancements
·
Maintain optimal software reliability
Simple Next Steps
·
Download V13.0.0
·
Install the update
·
Migrate your database to the new structure
·
Enjoy improved system security
Older release notes
for LAN Crypt remain valid, if not stated otherwise.
The EULA is available in English and
German only. The English version is valid for all non-German speaking
countries.
The actual
versions can be obtained from:
Please note the LAN
Crypt 13.0.0 Client release notes.
Requirements
The below listed
platforms have been tested and are officially supported. Other Service Pack
levels might work as well but have not run through a QA cycle and won´t be
analysed in case of occurring issues.
|
Supported Windows 64-bit operating system
platforms
|
|
Pro/Enterprise versions of Windows 10 22H2 (VS-NfD version only), Enterprise LTSC 2021
|
|
Pro/Enterprise versions of Windows 11 22H2 (VS-NfD version only), 23H2, 24H2, 24H2 LTSC
|
|
Windows Server 2022, 2025
|
|
Supported Citrix Environments
|
|
Citrix Virtual Apps and Desktops 2402 LTRS on WS 2022 21H2
|
|
Supported Database Servers
|
|
MS SQL 2022
|
|
Oracle 19
|
If a LAN Crypt
Client (LCC) shall be used in combination with LAN Crypt Admin (LCA), it
requires a LAN Crypt Client of the same version. (LC-1546)
Mixed
operation of old and new versions of LCA on the same database is not supported. (LC-3152)
New
functionalities and changes in LAN Crypt Administration release
13.0.0
- Support has
been added for the new
CBC-uIV encryption mode, which is incompatible with v4 and v11 clients.
This algorithm is the default setting for new installations. (LC-3827,
LC-4435, LC-4437)
- C++ runtime
has been updated. (LC-4503)
- 3rd
party components updated (LC-4749, LC-4472)
- API: The COM API is considered
deprecated and will be removed in a further version. (LC-2823)
- API: Example scripts
for Multi Policy and Key
Tagging/Filtering have been added to the
setup. (LC-4162)
- API: We added a parameter to the LanCryptApi
function that points to the directory
containing the LAN Crypt API DLLs. (LC-4367)
- API: We have added LAN Crypt RNG
self-check functionality to the .NET ODBC logon process. New C# exceptions have been added for RNG errors. (LC-4425)
- API: Keys created without a name are now correctly
intercepted. (LC-4691)
- API: The MSBuild tags <RuntimeIdentifier> and <Prefer32Bit> have been added to the
StartFirstHere.csproj project
sample file for x86
and x64, ensuring that
the correct dotnet.exe
version (x86 or x64) is used. (LC-4095)
- Setup:
- “Custom” setup changed. .NET is now pre-selected instead of ScriptingAPI (since the COM API is considered deprecated).
(LC-4694)
- Required component
"SGLCScriptApiV4.dll" is now installed
with .Net API so that .Net API can be installed without installing the COM API.
(LC-3126)
-All features in the admin setup are now optional so that “API only” can be installed
and used. (LC-4680)
- Necessary Database upgrades
are detected and performed by the LAN Crypt
administration. The respective user interface has been improved. (LC-4354)
- The database
protection has been changed to a new method that uses a future-proof
MAC and an updated DB scheme
version. (LC-4068, LC-4353)
- The MAC protection of
the database has been extended
to cover additional tables. (LC-4093)
- The LogData
has been overhauled to use the new
MAC. The functionality to
archive to a file and verify the archive file has been
fixed. (LC-4359)
- LogArchive
protection overhauled. (LC-4732)
- A tool for evaluating the encryption status and mode
of encrypted files (encstatus.exe) is included
in the deployment and has been added
to the settings for default ignored applications. This tool can be used
with LAN Crypt filters.
Alternatively, the tool can be
used without LAN Crypt
being installed.
(LC-4616)
- Extended database tools
functionality:
- The CheckDatabase tool has been extended
to include the new '-c' or '--checkLoggingIntegrity'
switch that verifies the integrity of the logging.
This check is only performed once the integrity of the database
has been successfully verified.
(LC-4348)
- The new switch '-L'
allows you to set a limit
on the number of displayed errors. For example, this can be used
to avoid extensive lists when migrating the entire database to new MACs. (LC-4342)
- The performance of
the migration to CertificateMeta by CheckDatabase has been optimized.
(LC-4193)
- The CheckDatabase tool
has an added telemetry collector to provide statistical data on the data structure
in the LAN Crypt Administration database, as well as compatibility
checks regarding a later cloud migration. (LC-4742)
- For rules:
'Local volumes' are separated into 'Local fixed drives' and 'All local drives'. See manual for further description.
(LC-4562)
- For GPO Unhandled
Devices: renamed 'Local
Volumes' to 'Local Fixed Drives'. (LC-4630)
- Added GPO to administrate MovePolicyFromResolverCache.
(LC-4112)
- Added a GPO for
the RNG algorithm to be used
in the ADMX and GPO Editor. (LC-4314)
- “SuperRandom”
added as default RNG (LC-2617)
- Self-check of RNG added.
(LC-4405)
- Implemented
health checks for crypto functionality. (LC-4422)
- Added verification
of the crypto algorithms at program start-up. (LC-4500)
- P12 file
handling has been improved for security purposes. The password length
can now be set to between 12 and 60 characters
via the 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Utimaco\SGLANCrypt'
registry value,
'P12PasswordLength'. The default length is 20. See manual for further description. (LC-4255)
- The handling of
certificate timestamps
has been optimized. (LC-4449)
- Improved error handling in MSO/SO certificate
processing. (LC-4510)
- Certificate handling
has been improved for speed, particularly regarding
certificate migration. (LC-4448)
- Optimizations of SQL
in CreateTables. (LC-4684)
- CreateTables optimization
for handling SQL when verifying database integrity. (LC-4168)
- ODBC Trace:
removed server name. (LC-4766)
- Spaces around
the file mask in the encryption rules are removed. (LC-4656)
- Changed the icon for the
bypass rule to the 'No
Encryption' icon. (LC-4126)
- Initial creation
of the MSO will be checked for invalid characters in the name. (LC-4099)
- The recovery
key dialogue box will no longer display an error message when the user cancels.
(LC-4623)
- The “sglc_config.admx” can now be imported/uploaded to InTune – but deployment might still be an issue (see known issues). (LC-4059)
The missing XML tag attributes
'explainText' have been added. In addition, the header of the XML had to be supplemented
with the attributes:
-
xmlns:xsd=http://www.w3.org/2001/XMLSchema
- xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance
- xmlns=http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions
- For diagnostic purposes,
we provide (via Support) a set of scripts orchestrated by a
central script named the 'Log Collector Utility'. This should be made
available to clients where diagnostic
data needs to be collected. (LC-3165)
Bugfixes in LAN
Crypt Administration release 13.0.0
- The unintended
display of the signing certificate on the SO page has been fixed.
Now, with either MSO or SO, the encryption certificate is not anymore displayed as the signature certificate. (LC-4259)
- Key name
generation: the old behaviour has been removed
from the "RandomizedShortKeyName" registry
setting. The default setting of 1 is now the
only option for generating
a short key name. (LC-4142)
- The user
login name with invalid characters is now handled
properly when updating user properties. API integration tests have been added to check the login name. Special characters are only allowed in short names. (LC-4097,
LC-4098)
- Group rights 'create and assign certificates'
fixed for menu and toolbar. (LC-4045)
- When creating
a profile, if a user does not have a certificate, the process is terminated, and the user is
considered invalid.
If this error is set
to be ignored, the user is assigned
a dummy certificate, which is now
ignored by CheckDatabase certificate
check. (LC-4703)
- Fixed memory
leak. (LC-4529)
- Error handling
has been improved for read errors from the administrative web port when interfacing with KMIP.
(LC-4598)
- Fixed an error
in the rule creation for parsing ShellFolders.
(LC-4545)
- Entering long strings in the antivirus configuration brought up the message 'String not found'. This issue has now been
resolved. (LC-4245)
- Trimmed the trailing spaces before using the directory name in the CreateProfiles function.
(LC-4599)
- If the GPO
“Cached Policy File Lifetime” was set to too
long, the incorrect message 'Error on
substitution of placeholder' appeared. This message
has now been corrected. (LC-4727)
- The incorrect
consistency check for archived logging data has been
fixed. (LC-4371)
- Fixed the
behavior when entering spaces within the encryption rule. (LC-4091)
- API: Missing
strings for logging changes have been added. (LC-4381)
- Limited date entry
to 1970 as minimum for logging. (LC-4029)
- Cosmetic changes
have been applied to the Log Archive. The
space before the date has been removed and the column label 'UNUSED' has been added. (LC-4741)
New and known issues in LAN Crypt
Administration release 13.0.0
- Profiles containing
the MultiPolicy
feature or the new CBC-uIV format (i.e. v11 or v13 nodes) are not compatible with v4 clients. (LC-3717)
- CBC/OFB can still be configured
even though it is deprecated. This option will be removed
in a future version.
(LC-3932)
- Displaying Japanese characters
(Windows Server 2025 only):
When creating rules that combine Japanese and Western European characters, the font displayed may change within LCA. This results in inconsistent font appearance. There is currently no solution or workaround for this cosmetic
behaviour. This issue is exclusive to Windows
Server 2025 and does not affect any other supported operating systems. (LC-4479)
- LAN Crypt ADMX settings
might not be deployable with InTune. (LC-4668)
- The VS-NfD
version of LC2Go creates files in CBC-uIV format – these can currently not be used for the
KeyImport feature of
LCA. (LC-4853)
- CheckDatabase cannot
check some tables when the name
for the database contains a period. This will be fixed in the next version. (LC-4851)
Manuals,
documentation and support
Tickets opened in the old support portal at https://support.conpal.de will be redirected
to the new
Utimaco support portal (https://support.hsm.utimaco.com/support).
Registered customers with active maintenance contracts get access to downloads,
documentation and knowledge items.
Japanese versions must
be obtained from our partner Next Security https://next-security.jp
The
administration contains
extensive context sensitive help. This information is
also available in the form of a pdf manual.
Download
the admin product documentation at
https://help.lancrypt.com/docs/admin/13_0_0/de/
in German language, at
https://help.lancrypt.com/docs/admin/13_0_0/en/
in English language, at
https://help.lancrypt.com/docs/admin/13_0_0/fr/
in French language,
at
https://help.lancrypt.com/docs/admin/13_0_0/jp/ in Japanese language.
API
documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
https://help.lancrypt.com/docs/api/admin/net/index.html
u.trust
LAN Crypt 11.0.1 Administration release notes
u.trust LAN
Crypt 11.0.1 is a maintenance/service release, there are no new features
included.
The
version can upgrade from V11.0.0 or V4.2.1.
It
is strongly recommended that V11.0.0 clients are upgraded to V11.0.1
We've
released V11.0.1 with important improvements to enhance your data protection
and system stability. Key benefits of updating:
·
Prevents potential data risks
·
Ensures smoother system performance
·
Protects your valuable information
Quick Update Recommendation
We
suggest updating to V11.0.1 to:
·
Safeguard your data
·
Experience the latest system enhancements
·
Maintain optimal software reliability
Simple Next Steps
·
Download V11.0.1
·
Install the update
·
Enjoy improved system security
Please
also refer to the u.trust
LAN Crypt 11.0.0 part of the release notes.
Older
release notes for LAN Crypt remain valid, if not stated otherwise.
u.trust
LAN Crypt 11.0.1 comes with several bugfixes.
The
EULA is available in English and German only. The English version is valid for
all non-German speaking countries.
The
actual versions can be obtained from:
Please note the LAN Crypt 11.0.1 Client release notes.
Requirements
The
below listed platforms have been tested and are officially supported. Other
Service Pack levels might work as well but have not run through a QA cycle and
won´t be analysed in case of occurring issues.
|
Supported Windows 64-bit
operating system platforms
|
|
Pro/Enterprise versions of Windows 10 21H2
(LTSC), 22H2
|
|
Pro/Enterprise versions of Windows 11 22H2,
23H2, 24H2, 24H2 LTSC
|
|
Windows Server 2022, 2025
|
|
Supported Citrix Environments
|
|
Citrix Virtual Apps and Desktop 7 1912 LTSR CU2 on WS 2019
|
|
Supported Database Servers
|
|
MS SQL 2019
|
|
MS SQL 2022
|
|
Oracle 19
|
If
a LAN Crypt Client (LCC) shall be used in combination with LAN Crypt Admin
(LCA), it requires a LAN Crypt Client of the same version. Otherwise, when
deinstalling the LCC, the LCA might not work anymore. It is required to use a
client of the same version (LC-1546).
Mixed
operation of old and new versions of LCA on the same database is not supported
(LC-3152).
Changes in
LAN Crypt Administration release 11.0.1
- C++ runtime has
been updated. (LC-4505)
- 3rd
party components updated
Bugfixes
in LAN Crypt Administration release 11.0.1
- The search
result for users and groups in directory objects was not parsed correctly.
As a result, users and groups deleted in AD were not deleted in the LC
database during synchronization. This has been fixed. (LC-4424)
- Profile
creation using the .Net API with key filtering feature has been fixed
regarding disabled keys to behave like profile creation using the GUI.
(LC-4202, LC-4209)
- CheckDatabase did not repair KeyUsagePlaceMac records. An
incorrect column was used for sorting during the check, causing the VMAC
to be calculated incorrectly. This has been fixed. (LC-4210)
New
and known issues in LAN Crypt Administration release 11.0.1
- Key name
generation: behaviour with
the legacy registry setting "RandomizedShortKeyName" is
wrong and will be fixed in a future release. The
default of 1 is the only supported setting for generating a short key
name. (LC-4142)
- A signature
certificate is currently always displayed for the MSO or SO. You can no
longer create a (M)SO that does not have a dedicated signature
certificate. In addition, all(!) existing (M)SO now also have a signature
certificate. Please keep in mind that both
certificates must be reassigned during a certificate renewal. This behaviour
will be changed in a future release. (LC-4259)
Manuals,
documentation and support
The
support portal at https://support.conpal.de will redirect you to
the new Utimaco support portal. Registered customers with active maintenance
contracts get access to downloads, documentation and knowledge items.
The
Japanese version can be obtained from our partner Next Security https://next-security.jp
The
administration contains extensive context sensitive help. This information is
also available in the form of a pdf manual.
Download
the admin product documentation at
https://help.lancrypt.com/docs/admin/11_0_1/de/
in German language, at
https://help.lancrypt.com/docs/admin/11_0_1/en/
in English language, at
https://help.lancrypt.com/docs/admin/11_0_1/fr/
in French language, at
https://help.lancrypt.com/docs/admin/11_0_1/jp/
in Japanese language.
API
documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
https://help.lancrypt.com/docs/api/admin/net/index.html
Updates
for the context-sensitive help are made available via our support portal if
necessary.
u.trust
LAN Crypt 11.0.0 Administration release notes
After
the acquisition of conpal GmbH in 4/2023 by
Utimaco, the product conpal
LAN Crypt has been rebranded and will be continued under the different brandname u.trust LAN Crypt. Version 11.0.0
is the first rebranded version, a feature release and replaces
the conpal LAN Crypt product.
The
product is able to upgrade from the previous
conpal LAN Crypt 4.2.1.
The
Legacyfilter has been abandoned,
and is not supported anymore.
Administration
versions
earlier
than
conpal LAN Crypt 4.1.1 are EOL.
Clients
earlier
than
conpal LAN Crypt 4.1.3 are EOL.
We
recommend to upgrade the clients to 4.2.1 and the administration
to
4.2.0 before
upgrading
to
u.trust
LAN Crypt 11.0.0.
u.trust
LAN Crypt 11.0.0 also comes with improved security
functionality and several bugfixes.
New
features:
§
Support for new versions of operating systems
§
64 Bit .NET API
§
Several
enhancements and extensions for .NET API
§
LCSendP12Password helper tool, automatically send P12
passwords by email
§
New database tool CheckDatabase.exe
§
Improved CreateTables
§
Log Collector Utility
§
Client Performance Improvements, options to cache files for
encrypted SMB shares, DsStateCache for caching unencrypted files
§
Rebranding
§
Detail work on dialogs and error messages
§ Option
to renew assigned certificates
§ Most
important cloud apps pre-registered and maintainable via registry
§ Support
for multiple policies
§
Show "Bypass" flag for rules in "Show
Profile"
Changes/Improvements
in V11:
§ u.trust LAN Crypt2Go replaces conpal
LAN Crypt Portable
§
Improvement of accessibility
§
Accelerated create-profile functionality
§
Improved certificate handling
§
Accelerated certificate creation
§
Support for certificates in computer-store, e.g. for
services
§
Optimizations, additional verifications
and acceleration of CreateTables for MS SQL and
Oracle
§
ClearCache
Option for DsStateCache
§
Removed support for
§
deprecated Oracle versions
§
profiles in legacy format
§
Improved messages
§
.Net API update to support version 8
§
Throttling when creating certificates to preserve
resources for OS accessibility
§
Performance tracing
§
When importing certificates (p12) from a file server,
certificates are now checked in true descending order (by number suffix).
§
Default ignored apps can be maintained via registry
The
EULA has been updated and is now only available in English and German.
The
English version is valid for all non-German speaking countries.
The
actual versions can be obtained from:
Please note the LAN Crypt 11.0.0 Client release notes.
Older release notes for LAN Crypt remain valid, if not
stated otherwise.
Requirements
The
below listed platforms have been tested and are officially supported. Other
Service Pack levels might work as well but have not run through a QA cycle and
won´t be analysed in case of occurring issues.
|
Supported Windows 64-bit
operating system platforms
|
|
Pro/Enterprise versions of Windows 10 21H2
(LTSC), 22H2
|
|
Pro/Enterprise versions of Windows 11 21H2,
22H2, 23H2
|
|
Windows Server 2022
|
|
Supported Citrix Environments
|
|
Citrix Virtual Apps and Desktop 7 1912 LTSR CU2 on WS 2019
|
|
Supported Database Servers
|
|
MS SQL 2019
|
|
MS SQL 2022
|
|
Oracle 19
|
If
a LAN Crypt Client (LCC) shall be used in combination with LAN Crypt Admin
(LCA), it requires a LAN Crypt Client of the same version. Otherwise, when
deinstalling the LCC, the LCA might not work anymore. It is required to use a
client of the same version (LC-1546).
Mixed
operation of old and new versions of LCA on the same database is not supported
(LC-3152).
New
in LAN Crypt Administration release 11.0.0
- CheckDatabase.exe
extends CheckMacAndRepair functionality (LC-3808, LC-3255, LC-3372)
-
Performance
enhancements in VMAC check and console app with progress display
-
Default
settings for ODBC and security officer pre-configured
-
Added checks for existing CertData and CertificateMeta entries for user certificates.
-
Added migration of CertificateMeta entries for user certificates without CertificateMeta entries and with CertData entries
- MultiPolicySupport
(LC-2094, LC-3419, LC-3480, LC-3471, LC-3651, LC-3782)
- Multikernel-,
Multithreading-Support for profile
generation (LC-3362)
- Rebranding
GUI, icons, GPOs, EULA, file
header and messages to u.trust
LAN Crypt (LC-3156, LC-3299, LC-3595)
- API: profile
generation with new call structure (LC-3447)
- API: create SQL Index for Users.LoginName (LC-3563)
- API: new option
to disable V4 signature for better file I/O performance. Please contact support for details. (LC-3439, LC-3585)
- API: dotnet
Meta info for profiles (LC-3445)
- API: New functions users.FindByShortName, Users.FindByLoginName, Users.FindByImportGuid, optimised filter search function (LC-3564,
LC-3565, LC-3569)
- API: new function to
update the database schema (LC-3618)
- API: Implemented key
filtering for creation of profiles with .NET API (LC-3575, LC-3619)
- API:
LCAdminApiNet.ps1 sample for X64 (LC-3639)
- API: The .NET
API has been extended from 32 bit to 64 bit and is included in the setup
(LC-3443)
- API: file IO
error during creation of a certificate is now mapped to a LCAPIERR_FILE_IO
and corresponding .NET exception (LC-3777)
- New LC Trace
level for performance measurements of create certificates and create
profiles implemented with trace level 65 (LC-3629, LC-3630)
- Send P12
password with email tool (LC-3257)
- If the registry
value DWORD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Utimaco\SGLANCrypt\MovePolicyFromResolverCache is set to 1,
the temporary policy file is moved from the resolver cache instead of
being copied and deleted. This improves performance when the target
directory and resolver cache are on the same volume, but the created
policy then has the ACL inherited from the resolver cache instead of the
target directory. In this case, the ACLs must be maintained outside of LAN
Crypt (LC-4064)
- DB: The
database has been updated to manage certificates and enable multi-policy
support. There is no need to change the database schema. The newly added
DB tables are ignored by LCA v4.2 and LCA v11 can handle the v42 DB
(LC-3461). Mixed operation of old and new versions of LCA on the same
database is not supported (see LC-3152)
Changes in
LAN Crypt Administration release 11.0.0
If the 'Check
certificate extension' group policy is not configured, this policy is treated
as 'Enabled'.
Certificates without
an appropriate key usage will be rejected.
This applies to
Importing a user certificate into the LC
Client
Importing a SO certificate into the LC
Client
Assigning a user certificate in the LC
Administration Console
Assigning a SO certificate in the LC
Administration Console
Logging in to the LC Administration Console
Starting with LC
v4.2.0, the behaviour was inadvertently treated as "disabled" if the
"Check certificate extension" group policy was not configured.
With LC v11.0.0 this
has been fixed so that LC behaves as it did before LC v4.2.0. (LC-3938)
Therefore, before upgrading LCA
and LCC to v11.0.0, make sure that the group policy is set to
"disabled" when using certificates without the x509v3 key usage
option.
- C++
runtime has been updated (LC-3295).
- 3rd
party components updated, old components removed (LC-3747, LC-2680,
LC-3144, LC-3315, LC-3221, LC-3222, LC-3223, LC-3366, LC-3748, LC-3749,
LC-3484)
- Removed
Oracle 8, 9, 12 support from code (LC-3477)
- Rename
from inWebo to Trustbuilder for 3rd party MFA
(LC-3192)
- Improved
error handling for export of log entries (LC-3242)
- Buffer overflow
prevention measurements (LC-3314, LC-3357)
- Removed
obsolete rule path "Internet Cookies" (LC-321)
- Bypass rules
default wildcard is different from wildcard for other paths. (LC-3882)
- Improved PowerShell .NET
API sample
script
with examples for find, filter, index (LC-3551)
- PowerShell
sample script modified to handle groups without keys (LC-4050)
- CreateTables: Removed support for database
formats older than 3.61 (LC-3462)
- CreateTables: Optimization of the runtime when verifying the database (LC-3641)
- CreateTables: New verify check on CertData table with error if the corresponding certificate is missing
(LC-3628)
- Improved error
message when policy creation time is not within validity period of the SO
certificate (LC-3609)
- Replaced dbms_reputil from the Oracle SQL update script
of CreateTables to create triggers in the Oracle
database (LC-3674)
- API: handle
invalid email address as error (LC-3780)
- Modified
implementation for "AD server exist" check when importing WinNT
users on non-domain-joined computers (LC-3788)
- More accurate
error message when writing certificate fails (LC-3684)
- The registry key RandomizedShortKeyName=0 is deprecated and unsupported
in versions newer than V4.0 (LC-4142)
- Default
Ignored Apps (except SearchProtocolHost.exe) will be set in the registry
by the setup at:
HKLM\SYSTEM\CurrentControlSet\Services\cplcdt2\Parameters\DefaultIgnoredApplications and can be
modified by the customer in case of need (LC-3935)
- Certificate handling revised, CertificateMeta introduced,
minor performance optimizations
(LC-3349)
- Base repository
check for SQL table: implementation for Oracle (LC-3789)
- The
"Delete" context menu item is hidden for selected certificates
and the "Unassign certificates" menu item is displayed instead
(LC-343)
- C# API changed
to C++ 20 compiler to overcome compatibility restrictions (LC-3823)
- API: C# tests,
examples and build script updated to .NET 8.0 (LC-4057)
- Changed error
handling to get a better error message when importing expired certificates
(LC-4144)
Bugfixes
in LAN Crypt Administration release 11.0.0
- Fixed memory
leak in create profile (LC-3224)
- Fixed memory
leak in DB handler (LC-3275)
- The 3rd party
inventory "3rd_party_software.pdf" is present and up to date in
the LCA and LCC deployment folders and when installed with the LC product
(LC-2696, LC-3885).
- Version
information of the binaries has been made consistent (LC-3209)
- Names of group
keys are correctly limited to 128 characters in the input fields of the
administration (LC-3200)
- CreateTables: fixed display of “Drop tables” result (LC-3095)
- Import function
for users fixed, when path unknown message occurred in directory objects
(LC-2931)
- Fixed stack
overflow in MMC, when database was modified outside of LAN Crypt (LC-3198)
- Fixed create
certificates for users with invalid characters in name (LC-3387)
- Corrected error
message for ‘reset authorization’ when selected as a task (LC-3389)
- Improved
handling of security officers when using “Additional Authorization”
(LC-3381)
- Fixed
registry write error for DATAID_LCINIT_FILETYPES_USER (LC-3431)
- Improved error
messages of “Build Profiles Wizard” (LC-997)
- CheckMacAndRepair: errors fixed when checking MAC of table ACLS (LC-3395)
- Fixed crash
when import already imported root certificate from SO properties (LC-3690)
- WinNT import
now correctly imports the alphabetically first user (LC-3691)
- Added error
message when user certificate creation fails (LC-3388)
- Accurate
message when certificate is imported from AD without domain entry
(LC-3738)
- CreateTables: Fixed verify check to handle "empty values"
(LC-3669)
- Fixed ODBC
exception on failed logon due to missing or incorrect configuration
(LC-3910)
- Fixed error
message in LC Trace for “AssertPathExists”
and unavailable directory
(LC-3953)
- Fixed error
handling for certificate creation and file IO errors (LC-3163)
- Directory
import with WinNT tab 'Groups' now shows all groups (LC-3952)
- Performance
throttling by reducing the number of private key generation threads when
creating certificates (LC-3915)
- Certificates
are searched and processed correctly in both the user store and the
computer store (LC-4001)
- Fixed issue for
certificates with serial number 0 (LC-4139)
New
and known issues in LAN Crypt Administration release 11.0.0
- Login name
accepts characters despite restriction and can be saved (LC-4097)
Subsequent errors caused by
allowing special characters:
- Infinite loop
when creating profiles for login names with special characters (LC-4098)
- First-time
creation of an MSO also allows restricted special characters (LC-4099)
- Infinite loop
when creating profile for login names with special characters for more
than one user.
Creating profiles for only one of
those users shows a message that does not refer to the login name, but to the
output directory, which can be confusing when troubleshooting. (LC-4098)
- First time
creation of MSO erroneously allows restricted special characters. Creating
the certificate with special characters does not work, but as soon as an
existing certificate is used, the MSO can log on.
The error message is also
confusing, as described in LC-4098, because it does not refer to the name in
the MSO or the certificate, but to the output directory and the password log
file (LC-4099)
- The
PreventPlainFiles
functionality has been officially supported and released for LAN Crypt
version 4.2. Administration is done solely via ADMX templates.
Since previous versions were only made available on
a project basis to very few customers, no migration of existing settings
was implemented.
The settings in older versions were stored under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Utimaco\SGLCENC
"PreventPlainFiles"=....
Now,
the settings are stored under
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cplcdt2\Parameters]
"PreventPlainFiles"="...",
they can be managed via ADMX.
Note that the newer settings use a REG_MULTI_SZ. (LC-3792)
- CreateTables
is not compatible with
the Oracle Instant Client 19.14 (LC-3670).
This applies at least to CreateTables V4.01,
V4.1.1 and V4.2.1.
An update to Oracle
Version 19.20 fixed this incompatibility.
- Non-standard
screen scaling may result in incorrect display of menus and setup
(LC-4190)
- API:
Deactivated keys are removed from the policy when key filtering is
enabled.
Deactivating a key
ensures that it cannot be reused, i.e. no new rules can be created with that
key. Existing rules with disabled keys can still be used in profiles.
However,
if key filtering is enabled via the LCA dotnet API, all rules with disabled
keys will be filtered out and not written to the policy. This is a bug in LC
V11 and will be fixed in the next major on-premise version (LC-4209).
Manuals,
documentation and support
At
https://support.conpal.de registered
customers with active maintenance contracts get access to downloads,
documentation and knowledge items.
The
administration contains an extensive context sensitive help. This information
is also available in the form of a pdf manual.
Download
the admin product documentation at
https://help.lancrypt.com/docs/admin/11_0_0/de/
in German language, at
https://help.lancrypt.com/docs/admin/11_0_0/en/
in English language, at
https://help.lancrypt.com/docs/admin/11_0_0/fr/
in French language, and at
https://help.lancrypt.com/docs/admin/11_0_0/jp/
in Japanese language.
API
documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
Updates
for the context-sensitive help are made available via our support portal if
necessary.
conpal
LAN Crypt 4.2.0 Administration release notes
conpal
LAN Crypt 4.2.0 is a feature release that also comes with improved security
functionality and several bugfixes. New features:
- Malware
Protection
- OneDrive
Settings package
- LAN Crypt 2Go
Key Import
- Adding Multiple
Encryption Groups to a User
- Bypass Rules
Deployment
- Multiple Virus
Scanner Configurations
- PreventPlainFilesPath Option
- New Operating
Systems Support
- Additional
Database Support
- API extensions
- Localization
Support for MFA
- Client
Performance Improvements
- HTML-Based
Client Help
- On-Premise
OneNote Support
- Search field
for groups
- Network filter
installation without network interruption
- Detail work on
icons, dialogs and error messages
- LCA 64-bit .NET
API
- Several
enhancements for .NET API
- Support of
Server-Side Copy
- DsStateCache for caching unencrypted files
- Renewal of assigned
certificates
Please note the LAN Crypt 4.2.0 Client release notes.
Older release notes for LAN Crypt remain valid, if not
stated otherwise.
Requirements
The
below listed platforms have been tested and are officially supported. Other
Service Pack levels might work as well but have not run through a QA cycle and won´t
be analysed in case of occurring issues.
|
Supported Windows 64-bit
operating system platforms
|
|
Pro/Enterprise versions of
Windows 10 1809 (LTSC), 20H2, 21H2, 21H2 (LTSC), 22H2
|
|
Pro/Enterprise versions of
Windows 11 21H2, 22H2
|
|
Windows Server 2019
|
|
Windows Server 2022
|
|
Supported Citrix Environments
|
|
Citrix Virtual Apps and Desktop 7 1912 LTSR CU2 on WS 2019
|
|
Supported Database Servers
|
|
MS SQL 2019
|
|
MS SQL 2022
|
|
Oracle 19
|
|
Please
note:
MS SQL Server 2017 has a Mainstream Support
End Date of Oct 11, 2022 and will
therefore not be supported by LAN Crypt Administration v4.2.0. MS SQL Server 2019 and 2022
are supported.
Oracle 8,9 and 12 will not be supported by LAN Crypt Administration v4.2.0. Oracle 19 is supported.
|
If
a LAN Crypt Client (LCC) shall be used in combination with LAN Crypt Admin
(LCA), it requires a LAN Crypt Client of the same version. Otherwise, when deinstalling
the LCC, the LCA does not work anymore. It is required, to use a client of the
same version (LC-1546).
Mixed
operation of old and new versions of LCA on the same database is not supported
(LC-3152).
New
in conpal LAN Crypt Administration release 4.2.0
- LAN Crypt 2Go
Key Import: Key value, GUID, name and encryption algorithm can be imported
from a file encrypted with LC2Go. This enables the LAN Crypt client to
read and decrypt files encrypted by LC2Go with a password and vice versa
(LC-2859).
- Additional
security function – no plain
file access on removables: Malware import protection for removables (external USB sticks
or HDD) with a single
rule by disallowing plain file access on external storage devices
(LC-2861).
- Adding multiple
encryption groups to a user at once. Groups can be selected directly from
the users' properties menu (LC-1027).
- Search field
for Groups in tree view for MMC added (LC-145).
- Bypass rules
can now be deployed with the profile. Although bypass rules should only be
considered in very rare cases and only after contacting conpal
support, they can be deployed via a profile
instead of registry settings and GPO for simplified deployment (LC-2864,
LC-2991, LC-3079, LC-3045, LC-3080). Please note: LAN Crypt Administration
API does not support creation or validation of bypass rules. Conflicts of
ignore and bypass rules are possible (LC-3096).
- Enable configuration
of multiple Virus Scanners without delay when profile is loaded. The
configured AV process needs to either run during profile loading or be
configured with a full path. Wildcards can now be used as part of the path
(LC-2925).
- PreventPlainFilesPath policy added to ADMX. This setting prevents that plain files are
created in defined network paths or on mapped drives if no conpal LAN Crypt user profile has been loaded yet, or the
user does not have one (LC-1492).
- Oracle support
in .NET API (LC-2912)
- LCA 64-bit .NET
API (LC-2692)
- Support of
Windows 10 and Windows 11 – 22H2, and MS SQL Server 2022
Changes in
conpal LAN Crypt Administration release 4.2.0
- Assignment of
certificates associated with the "MS Base Cryptographic Provider
v1.0" is now prevented (LC-2642).
- Enable
configuration of multiple Virus Scanners without delay when profile is
loaded, see documentation of the modified operation mode (LC-2925)
- The setting
“Only SO with the ‘Generate profile’ right can generate keys (keys without
a value are not permitted)” is now activated by default, so that new keys
are always created with random values as default if no key value has been
specified (LC-2544).
- Recovery key:
Tabular representation changed to simple field. Only one recovery key is
now supported (LC-339, LC-2727).
- Limitation of
string length: renaming SO, MSO Wizard (Name and E-Mail) (LC-597, LC-796,
LC-988)
- Renew
certificates for multiple users who already have certificates assigned:
New checkbox added to existing wizard to allow "Create new
Certificates (even if there are already existing ones)". This option
was also added to the corresponding API functions. (LC-2817).
- Import function
of intermediate and root certificates stores these certificates in the
correct certificate stores now (LC-2611)
- Necessary
permissions for CreateTables.exe reduced (LC-2690).
- Updated
Windows start menu folder names. Changed
to “conpal LAN Crypt Administration” and “conpal LAN Crypt Client”
(LC-1261).
- Change
of the build numbering (LC-2927).
- Product
icons modified (LC-2860).
- Embedded
libraries updated (LC-3035).
- .NET-API now requires an additional parameter
for Database.Logon().
Sample scripts show proper functionality (LC-2965).
- CreateTables: Oracle 8, 9
and 12 support is removed (LC-3074).
- CreateTables now accepts password for ODBC connection from command line
(LC-2795).
Bugfixes
in conpal LAN Crypt Administration release 4.2.0
- Assistant for
Recovery Key with/without ESKM - settings, cache and dialog options fixed
(LC-2382, LC-2746, LC-2747, LC-2748).
- .NET API: CreateCertificate(UserName) and Certificates.CreateCertificate(UserName)
created a .p12 with a
wrong name and wrong certificate details. Creating certificates for a
group instead of a user did not show this error. Now login names are
correctly used (LC-2701).
- Wrong
translation in the German settings corrected (LC-3051).
- Translations
for LAN Crypt Japanese language version (LC-2906, LC-2897, LC-2882).
- LCA Help
"question mark" and F1 key in Central Settings work now
(LC-394).
- Certificate import
issues fixed (e.g., when administrative rights where required for import
of user certificates) (LC-3006).
- The MSO wizard
allows several parent windows to open the folder selection file dialog to
save profile and security keys. This caused a crash in some circumstances
(LC-787).
- In certain
scenarios the private keys from imported MSO certificates could not be
found for logon. This is now fixed (LC-2806).
- Adding or
deleting a large number of users at once from a user group, clicking on
Apply and then Cancel caused LAN Crypt to crash (LC-2899, LC-2913).
- Crash during
LDAP certificate assignment when entering long texts has been fixed
(LC-605).
- Enforcement of
unique Server and alias names (LC-2919).
- Certificate
status information after certificate generation fixed (LC-739).
- Recovery
option: If a higher value than the number of existing additional SO was
entered in the "Additional authorization" setting, a warning
appeared that could only be confirmed with OK. After that, the entered
value was applied anyway. In the worst case, this could lead to the MSO
being locked out, which can only be undone using the recovery key. To
solve this, a Cancel button was added (LC-804).
- If a user
belongs to several groups and identical paths for rules are created in
these groups, the profile is not created with a message. There the path
information was missing (LC-1481).
- Creating a user
profile with user properties outside the maximum allowed character length
is correctly aborted, but the next profile creation within the maximum
allowed character length resulted in the same error. This has been fixed
(LC-2930).
- Create user:
Input field length limited (LC-795)
- CreateTables: Update for Oracle now works correctly (LC-2943).
- If certificates
are added to users via the CertAssign wizard, the correct number of assigned
certificates is now displayed (LC-1456).
- Corrected error
message when creating users within
a group but canceling the dialog (LC-192).
- WinNT import:
Special scenarios caused errors/crashes. User can be imported now. There
is a remaining limitation regarding E-Mail-addresses (LC-2502).
- Start menu
cascaded incorrectly (LC-3073).
- GPO handle
overflow in “Cached policy file lifetime” setting fixed (LC-552).
- null-pointer
crash during profile creation fixed (LC-2751).
New
and known issues
in conpal LAN Crypt Administration release 4.2.0
- The 3rd party
inventory "3rd_party_software.pdf" is present and up to date in
the LCA and LCC deployment folders. The "3rd_party_software.pdf"
installed with the LC product is missing an entry:
- "libkmip/BSD license"
(LC-2696).
- KeyValue is not set when Default key
is created. The manual is updated with more specific information in the
key tab/key value section (LC-2544).
- When IP
addresses are used for generating rules, several conditions must be taken
into consideration to avoid wrong execution. Correct syntax is required
for IP rules, otherwise they will not be ignored by the registry setting RemoveDomainFromRules functionality
(LC-1483, LC-2454).
- LAN Crypt
Administration/MMC sometimes crashes when deleting groups created by C#
example script (LC- 2268).
- The message
‘Path unknown’ is displayed incorrectly when importing users with
anonymous LDAP authentication. User import is not possible in this session
afterwards (LC-2931).
- MMC
crash can occur, if profiles are created in a group tree with more than 80
groups nested into each other (LC-3193).
Manuals,
documentation and support
At
https://support.conpal.de registered
customers with active maintenance contracts get access to downloads,
documentation and knowledge items.
The
administration contains an extensive context sensitive help. This information
will be available in form of a pdf manual a couple of days after release for
download.
Download
the admin product documentation at
https://docs.lancrypt.com/ja/admin/lc_420_ahjpn.pdf in Japanese
language, at
https://help.lancrypt.com/docs/admin/de/ in German language,
at
https://help.lancrypt.com/docs/admin/en/ in English language
and at
https://help.lancrypt.com/docs/admin/fr/ in French language.
API
documentation can be obtained from:
https://help.lancrypt.com/docs/api/client/en/
https://help.lancrypt.com/docs/api/admin/en/
Updates
for the context-sensitive help are made available via our support portal if
necessary.
conpal
LAN Crypt 4.1.2 Administration release notes
conpal
LAN Crypt 4.1.2 is a Japanese language version and available by our partner in
Japan only. It is functional identical to LAN Crypt 4.1.1.
Please
refer
to
the
conpal LAN Crypt 4.1.1 part of the release notes.
Older release notes for LAN Crypt
remain valid, if not stated otherwise.
Manuals,
documentation and support
At
https://support.conpal.de registered
customers with active maintenance
contracts get access to downloads,documentation and knowledge
items.
The administration contains an
extensive context sensitive help. This information will be available in form of
a pdf manual a couple of days after release for download.
Download the admin product
documentation at
https://docs.lancrypt.com/ja/admin/lc_412_ahjpn.pdf in
Japanese language, at
https://docs.lancrypt.com/de/admin/lc_411_ahdeu.pdf in
German language, at
https://docs.lancrypt.com/en/admin/lc_411_aheng.pdf in
English language and at
https://docs.lancrypt.com/fr/admin/lc_411_ahfra.pdf in
French language.
Please note, the French manual
will be published delayed, for the time being use the English manual.
conpal
LAN Crypt 4.1.1 Administration release notes
conpal
LAN Crypt 4.1.1 is a maintenance release, there are no new features included.
Please
refer
to
the
conpal LAN Crypt 4.1.0 part of the release notes.
Older release notes for LAN Crypt
4.00.x remain valid, if not stated otherwise.
Requirements
The below listed
platforms are officially supported. Other Service Pack levels might work as well but have not
run through a QA cycle and won´t be analysed in case of occurring issues.
|
Platforms supported
|
32-bit
|
64-bit
|
|
Pro/Enterprise
Versions of Windows 10 1809 (LTSC), 20H2, 21H1, 21H2, Windows 11
|
No
|
Yes
|
|
Windows
Server 2019
|
No
|
Yes
|
|
Windows
Server 2022
|
No
|
Yes
|
If
a LAN Crypt Client (LCC) shall be used in combination with LAN Crypt Admin
(LCA), it requires a LAN Crypt Client of the same version. Otherwise, when
deinstalling the LCC, the LCA does not work anymore. It is required, to use a
client of the same version (LC-1546).
Bugfixes
in conpal LAN Crypt Administration, Release 4.1.1
- Recovery key
does now work with "1 of 1" key assignment. Fix works as well
for KMIP server (LC-2724)
- Corrupt MAC for
database with multifactor authentication can now be repaired (LC-2577)
- Virtual
Smart Card: Cancel the dialog for PIN entry now does not attempt smart
card logon anymore (LC-2408)
Manuals,
documentation and support
At
https://support.conpal.de registered
customers with active maintenance
contracts get access to downloads,documentation and knowledge
items.
The administration contains an
extensive context sensitive help. This information will be available in form of
a pdf manual a couple of days after release for download.
Download the admin product
documentation at
https://docs.lancrypt.com/de/admin/lc_411_ahdeu.pdf in
German language, at
https://docs.lancrypt.com/en/admin/lc_411_aheng.pdf in
English language and at
https://docs.lancrypt.com/fr/admin/lc_411_ahfra.pdf in
French language.
Please note, the French manual
will be published delayed, for the time being use the English manual
Updates
for the context-sensitive help are made available via our support portal if
necessary.
conpal
LAN Crypt 4.1.0 Administration release notes
conpal
LAN Crypt 4.1.0 comes with support for new operating
systems new functionality, improved security functionality and new features
e.g.
·
Richer
support for
SGN/SafeGuard
Fileshare customers
·
Portable file encryption
·
Minifilter with caching capabilities for
SMB network shares
·
New .NET Administration API
·
Client API login with user context
·
LAN Crypt-Service functionality
·
Manipulation protection for processes
·
Multi factor Authentication based on 3rd
party technology
·
Interoperation with Azure technologies (like Azure SQL)
·
Oracle 19 Support
The
Legacyfilter has been abandoned,
but is still supported with the 4.00.x version of the product.
If
not stated otherwise the older release notes for LAN Crypt 4.00.3, 4.00.2,
4.00.1 and 4.00 remain valid.
Please note the LAN Crypt 4.1.0 Client release notes.
Requirements
The below listed
platforms are officially supported. Other Service Pack levels might work as
well but have not run through a QA cycle and won´t be analysed in case of
occurring issues.
|
Platforms supported
|
32-bit
|
64-bit
|
|
Pro/Enterprise
Versions
of Windows 10 1809 (LTSC), 1909 (19H2), 20H2, 21H1, 21H2, Windows 11
|
No
|
Yes
|
|
Windows
Server 2016
|
No
|
Yes
|
|
Windows
Server 2019
|
No
|
Yes
|
|
Windows
Server 2022
|
No
|
Yes
|
If
a LAN Crypt Client (LCC) shall be used in combination with LAN Crypt Admin
(LCA), it requires a LAN Crypt Client of the same version. Otherwise, when
deinstalling the LCC, the LCA does not work anymore. It is required, to use a
client of the same version (LC-1546).
New
in conpal LAN Crypt Administration release 4.1.0
- Support for SGN/SafeGuard FileShare keys. In
combination with a key export and a key import tool Fileshare encrypted files can be handled by conpal LAN
Crypt Client 4.00.3 or newer with Minifilter.
The LAN Crypt Administration 4.00.3 or newer is required for the key
import.
- New .NET API:
Provision of the existing V4.0 API as .NET library (A compilable C++/CLI project ‘LCNetApi’
),
including a C# test
project that calls some of these functions as examples (LC-1472). Please
also have a look at the section .NET API in these release notes.
- Administration capabilities for clientside Multifactor Authentication
of the 3rd party technology of inWebo
Changes in 4.1.0
- Sometimes
LAN
Crypt 3.97, or 4.00 clients cannot find user certificates, if the profile
was created with LAN Crypt Administration 4.00.x before 4.00.3. The client
cannot load the profile with the error message: `User certificate not
found` (LC-2010)
LAN Crypt 4.1 Administration generates profiles,
which do not lead to that error.
- msiexec: When LAN Crypt packages are installed, the packagename for the userapplication
is now corrected to ´UserApplication` instead of client.
The AddLocal parameter is named ’UserApplication’ instead of ’Client’
(LC-2214)
- Performance
improvements in the wizard for certificate allocation (LC-1708, LC-745).
- Performance
improvements when loading objects, e.g. when WIN-NT domain names are
appended with characters (LC-664).
- Boost
library removed for better maintenance of security relevant functions
(LC-474).
- The
LAN Crypt certificates are
changed to conpal branding (LC-1265).
- Algorithm
names are now consistent in client and admin (LC-952).
- Trusted
Vendor behaves differently in v4 with respect to expired certificates. In
LCA v4 there is a new check so that expired certificates can no longer be
used. When importing a
certificate from a cer file (in the Trusted Vendors tab), an
error message now appears if that cert has expired. When using an exe
file, the validity is (apparently) not currently checked. Certs can be
added to Trusted Vendors from the exe, even if they are invalid. This
makes sense if, for example, a three year old program is to be added. However, the behavior is different between import from *.exe and from *.cer and therefore documented (LC-1114).
Bugfixes
in 4.1.0
- A SO was able
to log on to the administration, when logging was enabled, but not
possible (LC-1683).
- The limitation
of the manual input of the key GUID to 16 bytes did not work reliably
(LC-1157).
- The action ‘
Find key’ was
selectable, although SO had no right for the administration of keys
(LC-1284).
- Crash when
expanding groups in deep tree structure (LC-1684).
- Text
correction: Error message Additional authorization. (LC-927, LC-1291).
- Text
correction: Additional Authorization - If a value is
specified for the number of SOs required for additional authorization
that is higher than the amount of additional SOs that are created, a warning
appeared, the warning text was not correct (LC-1201).
- When editing a
LC group structure with a minimum depth of 25 subgroups, LCA crashed when creating new rules via the "conpal LAN Crypt Encrypting Rules and
Tags" tab (LC-1430).
- AD imports from too large OUs failed
(LC-1460).
- If a long
directory name was entered in the LC Admin during certificate assignment
from file, a buffer overflow occurs internally (LC-1055).
- Crash on
certificate assignment with wrong data type. Assigning a certificate from
a file using the Certificate Wizard sometimes causd LCA to crash if binary files (e.g. P12 files) were used (LC-1404).
- Robustness for
handling of special characters has been improved (e.g. for the certificate
import wizard) (LC-1445).
- If CreateTables was called with an invalid ODBC name, an unhelpful error message
appeared (LC-1873).
- Upgrade
installation LCA and LCC v3 -> v4: MSI ProductCode
did not match with
Registry ProductCode (LC-1324).
- When
cancelling the import of the Active Directory in the Certificate
Assignment Wizard, the LCA console would freeze, while the process was
running. (LC-576).
- Crash
when copying / moving large tree structures (LC-675).
- Admin
RecoveryKey was processed
internally without transaction backup (LC-341).
- Profile
creation wizard behaved differently when called in different places (In
total user overview, in user list within a group) (LC-819).
- If
LAN Crypt logging was enabled, but the log table got corrupted, no SO
could log in anymore. As a fix the MSO now can log on to LCA despite a MAC
error in logging, disable logging and repairing the MAC (LC-190).
- GPME
- Crash if input for locations was too long. It concerned Location for Security
Officer certificates, Location for policy files, Location for key files
(LC-724).
New known issues
- LAN Crypt uses
CSP (Cryptographic Service Provider) to access smartcards. Containers are
not specified during access. Therefore, conflicts can occur when using
several smartcard readers on one machine, especially if a smartcard is
inserted in several readers and "identical" certificates /
containers are present there (LC-1121).
- When LAN Crypt
Administration v3 and LAN Crypt client v4.x are installed on the same
machine, the deinstallation of the LAN Crypt Client leads to improper
function, because the connection to LCSERVN.EXE is not available anymore
(LC-1546).
It is strongly recommended, to install the same
client versions with the administration (v4 LCA and v4 LCC).
- Not really new,
but important: The default database, not the master database shall be
used, when creating the LAN Crypt database (LC-84), see the section 3.2.
in the manual.
- The VisualStudio runtime might not be available on some machines. In this case
e.g. deinstallation of the product might not be possible.
https://docs.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170
https://aka.ms/vs/17/release/vc_redist.x86.exe
https://aka.ms/vs/17/release/vc_redist.x64.exe
- CreateTables.exe
still offers options for Oracle 8,9, and 12, even though they are not
anymore supported.
.NET API (LC-2437)
- When using the
.Net Admin API, if you receive the following message when initializing the
Admin API, a package reference must be included in your project:
Message:
The type initializer for 'Microsoft.Win32.Registry'
threw an exception. Registry is not supported on this platform.
Necessary
reference:
<PackageReference
Include="Microsoft.Win32.Registry" Version="5.0.0"
/>
§
If
you do not perform a product installation when using the .Net Admin API on the
server and distribute the DLLs yourself, the registry entry for the
installation directory must be set accordingly by you, otherwise dependent DLLs
will not be found at runtime.
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\conpal\LAN Crypt\Admin\Setup
Value:
InstallDir, Type REG_SZ
Example:
c:\Program Files (x86)\conpal\LAN Crypt\Administration
- Due to the 32
bit DLLs used, the dotnet SDK must also be installed in the x86 variant.
- The example program StartFirstHere is set up for
dotnet core 3.1. If you use dotnet 6.0, you have to
change the TargetFramework entry to ‘net6.0’ in the project file ‘StartFirstHere.csproj’.
- When using the
sample programs, the path to the
API dlls in the respective script must be adjusted for an LCA installation outside the
conpal default path.
Manuals,
documentation and support
At
https://support.conpal.de registered
customers with active maintenance
contracts get access to downloads,documentation and knowledge
items.
The administration contains an
extensive context sensitive help. This information will be available in form of
a pdf manual a couple of days after release for download.
Download the admin product
documentation at
https://docs.lancrypt.com/de/admin/lc_410_ahdeu.pdf in
German language, at
https://docs.lancrypt.com/en/admin/lc_410_aheng.pdf in
English language and at
https://docs.lancrypt.com/fr/admin/lc_410_ahfra.pdf in
French language.
Please note, the French manual
will be published delayed, for the time being use the English manual
Updates
for the context-sensitive help are made available via our support portal if
necessary.
conpal
LAN Crypt 4.00.3 Administration release notes
conpal
LAN Crypt 4.00.3 Admin comes with support for new operating systems
and for
SGN/SafeGuard
Fileshare. If not stated otherwise the older release notes for LAN Crypt
4.00.2, 4.00.1 and 4.00 remain valid.
Please note the LAN Crypt 4.00.3 Client release notes.
Requirements
The below listed
platforms are officially supported. Other Service Pack
levels might work as well but have not run through a QA cycle and won´t be
analysed in case of occurring issues.
|
Platforms supported
|
32-bit
|
64-bit
|
|
Windows
10 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise, 21H2
pro/Enterprise, Windows 11 Pro/Enterprise
|
No
|
Yes
|
|
Windows Server 2012
|
No
|
Yes
|
|
Windows
Server 2012 R2
|
No
|
Yes
|
|
Windows
Server 2016
|
No
|
Yes
|
|
Windows
Server 2019
|
No
|
Yes
|
New
in conpal LAN Crypt Client release 4.00.3
- Windows
11 support
- Windows 10 21H2 support
- Support for SGN/SafeGuard FileShare keys. In
combination with a key export and an key import tool Fileshare encrypted files can be handled by conpal LAN
Crypt 4.00.3 Client with Minifilter.
The LAN Crypt Administration 4.00.3 is required for the key import.
Changes in 4.00.3
- LAN Crypt 3.97,
or 4.00 Client cannot find user certificate if profile was created with
LAN Crypt Administration 4.00.x before 4.00.3, client cannot load the
profile with the error message: " User certificate not found
(LC-2010)
Manuals,
documentation and support
At
https://support.conpal.de registered
customers with active maintenance
contracts get access to downloads,documentation and knowledge
items.
The administration contains an
extensive context sensitive help. This information will be available in form of
a pdf manual a couple of days after release for download.
Download the admin product
documentation at
https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in
German language, at
https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in
English language and at
https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in
French language.
Updates
for the context-sensitive help are made available via our support portal if
necessary.
conpal LAN Crypt 4.00.2 Administration release notes
conpal
LAN Crypt 4.00.2 is in focus a maintenance release. If stated otherwise the
release notes for LAN Crypt 4.00.1 remain valid.
Please note the LAN Crypt 4.00.2 Client release notes.
Requirements
The below listed platforms are officially supported.
Other Service Pack levels might work as well but have not run through a QA
cycle and won´t be analysed in case of occurring issues.
|
Platforms supported
|
32-bit
|
64-bit
|
|
Windows
10 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2 Pro/Enterprise
|
No
|
Yes
|
|
Windows Server 2012
|
No
|
Yes
|
|
Windows
Server 2012 R2
|
No
|
Yes
|
|
Windows
Server 2016
|
No
|
Yes
|
|
Windows
Server 2019
|
No
|
Yes
|
Bugfixes in 4.00.2
- Administration API:"EnumSubGroups does
not show all sub groups of the root group for
security officers other than the MSO (LC-1871)"
Manuals, documentation and support
At https://support.conpal.de registered
customers with active maintenance
contracts get access to downloads,documentation and knowledge
items.
The administration contains an
extensive context sensitive help. This information will be available in form of
a pdf manual a couple of days after release for download.
Download the admin product
documentation at
https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in German language,
at
https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in English language
and at
https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in French language.
Updates for the context-sensitive
help are made available via our support portal if necessary.
conpal LAN Crypt
4.00.1 Administration release notes
Please note the LAN Crypt 4.00.1 Client release
notes.
Requirements
The below listed platforms are
officially supported. Other Service Pack levels might work as well but have not
run through a QA cycle and won´t be analysed in case of occurring issues.
|
Platforms supported
|
32-bit
|
64-bit
|
|
Windows 10 1803 (RS4), 1809
(RS5), 1903 (19H1), 1909 (19H2), 2004 (20H1) Pro/Enterprise, 20H2
Pro/Enterprise
|
No
|
Yes
|
|
Windows
Server 2012
|
No
|
Yes
|
|
Windows Server 2012 R2
|
No
|
Yes
|
|
Windows Server 2016
|
No
|
Yes
|
|
Windows Server 2019
|
No
|
Yes
|
New in conpal LAN
Crypt Admin release 4.00.1
- Windows
10 20H2 support
- Add
translations for error message on unsupported OS (LC-1251)
Changes in 4.00.1
·
Now the MiniFilter can handle the setting of
the tab „Client-API“. No separate script necessary
anymore. (LC-690) (LC-1216)
Bugfixes in 4.00.1
- Updated
helpfiles (LC-84, LC-645, LC-801, LC-1421)
- Client-API-Dll can handle long pathnames now (LC-1454)
- Findkey shows keys to unauthorized SOs/Find Keys Degradation
(LC-1384)
- Key
wrapping could not be disabled (LC-1231)
- Missing
link in English helpfile (LC-1290)
- Branding
(LC-935)
- Freeze-after-certificate-creation-cancel
(LC-1246)
- cleared
profile not loaded (LC-1427)
- Create
certificates dialog now finishes the progress even if some users already
have a certificate. (LC-1467)
- Fix
search filter crash (LC-1463)
- Branding
topics (LC-1518) createtables
branding (LC-698)
- GPO
context sensitive help (LC-1236).
Manuals,
documentation and support
At https://support.conpal.de registered
customers with active maintenance
contracts get access to downloads,documentation and knowledge
items.
The administration contains an
extensive context sensitive help. This information will be available in form of
a pdf manual a couple of days after release for download.
Download the admin product
documentation at
https://docs.lancrypt.com/de/admin/lc_401_ahdeu.pdf in German language,
at
https://docs.lancrypt.com/en/admin/lc_401_aheng.pdf in English language
and at
https://docs.lancrypt.com/fr/admin/lc_401_ahfra.pdf in French language.
Updates for the context-sensitive
help are made available via our support portal if necessary.
conpal LAN Crypt
4.00.0 Administration release notes
Please note the LAN Crypt 4.00.0 Client release
notes.
conpal LAN Crypt is the successor of SafeGuard LAN Crypt.
conpal LAN Crypt 3.97
Administration was the initial release of conpal for the Administration. It contained fixes and hotfixes of the previous SafeGuard LAN Crypt 3.90 Administration,
but almost no functional enhancements. In sense of operating systems and
databases additional versions were supported and support for some operating
systems and databases have been dropped.
conpal LAN Crypt 4.00
Administration is a significant rework of the Administration, focused on
improvements in operational speed and laying the ground for a complete
replacement of the API functionality by a faster and more modern approach. It
is reworked bottom up, including the cryptographic base.
Some
new functions, like SHA2 support for LAN Crypt generated certificates, have
been added.
Novell
and Windows 7 support has been dropped, Oracle support for more current
databases has been added. Current operating systems are supported.
In
addition new client capabilities can be managed.
Please note that we have invested
considerable effort in the continuity of the product. A migration of 3.9x
databases requires minimal effort.
Mixed
environments of older and current clients are supported (please refer to
section operation).
Manuals,
documentation and support
At https://support.conpal.de registered
customers with active maintenance
contracts get access to downloads,documentation and knowledge
items.
The administration contains an
extensive context sensitive help. This information will be available in form of
a pdf manual a couple of days after release for download.
Download the admin product
documentation at
https://docs.lancrypt.com/de/admin/lc_400_ahdeu.pdf in German language,
at
https://docs.lancrypt.com/en/admin/lc_400_aheng.pdf in English language
and at
https://docs.lancrypt.com/fr/admin/lc_400_ahfra.pdf in French language.
Updates for the context-sensitive
help are made available via our support portal if necessary.
Requirements
The below listed platforms are
officially supported. Other Service Pack levels might work as well but have not
run through a QA cycle and won´t be analysed in case of occurring issues.
|
Platforms supported
|
32-bit
|
64-bit
|
|
Windows 10 Build 1803, 1809,
1903, 1909, 2004 Pro/Enterprise
|
No
|
Yes
|
|
Windows
Server 2012
|
No
|
Yes
|
|
Windows Server 2012 R2
|
No
|
Yes
|
|
Windows Server 2016
|
No
|
Yes
|
|
Windows Server 2019
|
No
|
Yes
|
Microsoft SQL Server 2012 SP4
Microsoft
SQL Server 2016 SP2
Microsoft
SQL Server 2017
Microsoft
SQL Server 2019
Azure
SQL has been verified to be functional with LAN Crypt administration 3.97 and
4.0 LAN Crypt 4.0 provides the ability to logon using the active directory
interactive authentication. LAN Crypt 3.97 does not support this type of
authentication.
Oracle
12 and Oracle 19 are supported, whereas SQL Server remains LAN Crypt’s
preferred database.
A LAN Crypt database created
under LAN Crypt 3.90 or 3.97 must be updated in advance using "CreateTables.exe %ODBCName% m u" for use under LAN Crypt 4.00 Administration.
The createtables tool provides a help message for specifics
regarding e.g. Oracle.
Upgrade
For an upgrade-installation you
can find additional information in the user manual.
An
upgrade installation of
the
administration
is
supported
from
conpal LAN Crypt 3.97 (recommended)
and SafeGuard
LAN Crypt 3.90.
Migration
of older versions is not supported, but technically possible, we recommend to
make use of Professional services in such cases.
New in conpal LAN
Crypt Administration release 4.00.0
- Windows
Server 2019 is now supported
- Microsoft
SQL Server 2019 is now supported
- Oracle
19 and Oracle 12 are supported, whereas SQL
Server remains LAN Crypt’s preferred database
- Support
for policies for Removables, Opticals, Local Volumes, Boot Volume and Network
Shares - to be executed on v4 Clients
- Integration
of earlier patches for LAN Crypt
- SHA2
support for LAN Crypt generated certificates (*SO, User)
Operation of LAN
Crypt 4.00 administrative environments
A mixed operation of LAN Crypt v4 Admin and LAN Crypt
v3.x Admin is not supported.
It is possible to run a v3.97 Admin with v4 Clients and
v3 Clients.
It is possible to run a v4.00 Admin with v4 Clients and
v3 Clients.
XML is the only supported policy file format of v4.00
Admin and v4.00 Clients.
New profile files are created by v4.00, with sections
for v3 and v4 Clients.
The new encryption rules for Removables, Opticals etc are transported in the new section.
Once new rules have been created with v4.00, it is no
longer possible to create profiles with a v3 Admin. Doing so would potentially
have negative effects on the client.
Changes
- Integration
of new cryptographic libraries in Admin and Client (for security reasons)
- Renewal
of 3rd party libraries (for
security reasons)
- Integration
of a new random number generator (for security reasons)
- Significant
improvement of administrative tasks in large installations
- All
in all, the optimizations carried out are clearly noticeable in many
areas. This concerns both the API and the management program. Since
central points have been optimized, the overall system has become faster.
Individual areas with optimizations have become dramatically faster.
- Reduction
of database accesses: In many functions the access to the database has
been drastically reduced.
- Improvement
SQL Indexes:
- New
indices were added specifically when a clearly measurable improvement in
performance was achieved.
- Improvement
in processing algorithms:
- Internally,
functions have been structurally revised to achieve better throughput.
In particular, double reading of identical data records has been removed
in many places.
- In
order
to use parallelization optimally, at least 4 cores should be available
on the computer. More cores do not provide much performance improvement
at the moment.
- When
creating certificates for large groups, more cores are also used well
and up to 12 cores are advantageous. Based on our measurements and
configurations we recommend 6-8 cores.
- Beginning
with V4.00.0, the functions that process many individual orders in one
order are parallelized. Examples are the creation of certificates and
profiles.
- Examples
for the parallelisation of certificate creation are reading the
database, creating keys, and writing the certificates. Here, these steps
function as in a pipeline, so to speak. Another example is the creation
of profiles. Here, too, the tasks are treated like a pipeline with the substeps reading the database information, preparing the XML
profile, signing profiles, compressing, and writing profiles. The
subareas are well separated and the runtime for larger groups has been
approximately halved in our test environments.
- Optimization
of memory management:
At central points, the memory handling was improved and
optimized. These optimizations were clearly measurable, but only lead to small
improvements in relation to database accesses.
- Optimization
of functions:
Many functions have been technically revised
internally for better maintainability and performance.
- SQL
Express is no longer supplied with the distribution. It can be downloaded
directly from the Microsoft site.
- Due
to security improvements in LAN Crypt 4.00 a warning appears, when weak
algorithms are selected (XOR, DES, 3DES, IDEA). (LC-957, LC-958, LC-1056)
For continuity reasons (e.g. backup) such algorithms are
not prohibited.
For the selection of XOR this is reinforced, and the SO
must also have the right to define GUIDs for new keys to be able to select this
algorithm.
- Certificates
are generated with SHA2 instead of SHA1 (LC-336)
- XTS-AES
is the default encryption algorithm in LAN Crypt 4.00
- Support
for other databases and operating systems than the ones mentioned has been
dropped
- The
usage of the Client API must be configured in the Administration and – in case the minifilter is used on client-side - the included script to
enable permissions for specific applications has to be adopted and
executed on the client-side
- Changed
behaviour regarding client API permissions for security improvement:
Long path names are now default for client API
configuration. For convenience reasons short names are internally completed by
searching some protected paths, when program names are
configured without path information. The client will search in the following
directories:
LAN Crypt Install Dir\Shared\ (non-recursive)
CSIDL_SYSTEM (typical C:\Windows\System32,
non-recursive)
CSIDL_WINDOWS (typical C:\Windows, non-recursive)
CSIDL_PROGRAM_FILES (typical C:\Program Files,
recursive)
If an EXE file with the specified name is found, the
full path will be internally added.
Other pathes are now untrusted for short file names. (LC-690)
- Group
policy configuration is also possible with administrative templates. The
support for adm has been dropped. The admx template files are located in the config
folder of the product package. Please see http://msdn.microsoft.com/en-us/library/bb530196.aspx for information on how the
files have to be installed.
- Import
from a Novell directory has not been supported since
v3.90. Other Novell functionality is now as well not supported and will
not be functional in the administration.
- Additional
API functions have been added
- The
EULA has been updated (for German, English and French)
- The
3rd parties’ inventory has been
consolidated and updated
- Admin
does not start with "Selected users and certificates” anymore (but
this behaviour can be configured. (LC-844)
Bugfixes
- Recovery
key handling fixed. (LC-434)
- Password
file: missing carriage return (LC-247)
- Preselected
button and triggered action on <Enter> don't match while creating
groups (LC-213)
- Wrong
error message when trying to build profiles with expired certificates
(LC-194)
Known issues
- The
detailed description text in the admin log for the action Create profile
is erroneously truncated after the first character (LC-1227)
- Explicit
rules for file extensions are not executed correctly by the minifilter. The Minifilter does not execute rules like *.ext correctly for encryption and ignore rules. As a
workaround, we recommend to add an additional rule like *\*.ext. Having both rules, *.ext and *\*.ext active, works as well for V3.9x and V4.0 clients
- MSO
smart card login fails on WS2012 R2 (LC-1120):
In Windows Server 2012 R2, SO logon with certificate on
smart card is not possible. According to our tests, this is the only supported
operating system with this limitation.
- Deleting
nested groups requires a relatively large amount of memory and can lead to
instability. Therefore, we recommend not to nest more than 200 groups into
each other. (LC-527)
- Network
errors:
If the network connection to the SQL server, or to
a LDAP source, is broken during LAN Crypt administration, the LAN Crypt
Administration must be closed and restarted (after the network problem is
fixed).
- Entering
very long data into LAN Crypt dialogues (e.g. configuring trusted
applications or virus-scanners) might lead to crashes of the
administration console. In addition these data is not are not saved in the
configuration database (LC-570)
- Simultaneous
administration:
If more than one SO is working with the LAN Crypt
database at the same time, problems can occur. We recommend a regular
manual refresh in that case.
- admx do not recognize new placeholders for
unhandled devices (LC-1201)
- If
the new placeholders for Unhandled Devices are selected in the LAN Crypt node of the gpme, they are not displayed in the administrative
template and therefore cannot be managed there.
- LDAP
import and synchronization:
- If
objects are imported from a domain, you must specify the domain name and
not the computer name in the server configuration!
When configuring server logon data in central
settings you should either only enter the domain name as server name or
add the domain name as an alias.
- On
the root level (e.g. domain), only 999 objects are displayed and
imported.
- Page
controls have to be enabled on the LDAP server.
- Certificate
store:
LAN Crypt
only supports certificates in one of the user certificate stores. It does
not support certificates in machine stores.
- Installation
on 64-bit operating systems:
LAN Crypt Administration is installed on 64-bit
operating systems, therefore the following has to be considered:
- ODBC
administration:
The ODBC connection used by LAN Crypt
Administration has to be configured using the 32-bit ODBC Data
Source Administrator
(%WINDIR%\SysWOW64\odbcad32.exe or use the shortcut in the start menu).
Remark: The shortcut in the LAN Crypt start menu
is not displayed on Windows Server 2012. Please use the shortcut ODBC Data Sources (32-bit)
available in Administrative Tools
instead.
- Group
policy plugin:
The group policy plugin to administer LAN Crypt is
not shown in the Windows group policy editor. To administer the LAN Crypt
policies, the 32-bit Group Policy Editor has
to
be
used
(%WINDIR%\SysWOW64\gpedit.msc
for
local
policies
or
%WINDIR%\SysWOW64\gpme.msc
for
Active
Directory policies or use the shortcut in the start menu).
As an alternative the administrative templates can
be used which are stored in the config folder of the product package.
- Scripting
API:
The scripting API is only available for 32-bit
applications. If a Visual Basic-Script is started which uses the LAN
Crypt scripting API, it has to be started from the 32-bit Windows
Scripting Host (%WINDIR%\SysWOW64\cscript.exe or %WINDIR%\SysWOW64\wscript.exe).
- Firewall
settings:
If the Microsoft SQL Server database is located on
another machine, please ensure that the firewall is configured correctly.
Additional information can be found here: http://msdn.microsoft.com/en-us/library/cc646023.aspx.
- To
operate LAN Crypt
clients as a service, additional configuration steps are needed. Please
contact support for further details.
- For performance (testing) in VMware VMs, it is recommended not to configure more CPUs
than the host has available. Scaling should be done by the number of cores
(i.e. not 2 CPU & 2 cores, better 1 CPU & 4 cores if only 1 host
CPU is available).
- GPO
context sensitive help:
For the operation of the Group Policies (GPO
settings) there is documentation available in the side panel of the
console. There is also a context sensitive help (sglcconfig040x.chm.)
available. In version 4.00.0, the
old version without rebranding was erroneously integrated into the setup.
This version is technically almost correct but may
still contain
incorrect
references
to
SafeGuard
or
outdated
license
information.
If necessary, an updated version can be obtained from Support a few days
after release and will be included in later
deliveries. To update, this must then be copied to %\Windows\Help
(LC-1236).
- The
rebranding of Sophos SafeGuard to conpal is comprehensive but may inadvertently be
incomplete.