WebAuth 4.7.0 Announcement

The WebAuth team is pleased to announce Stanford WebAuth 4.7.0. This release primarily improves the user information service calls, allowing more than one method to be sent along and handled. It also adds additional failed login error codes used by recent versions of MIT Kerberos and Heimdal.

For documentation and downloads of WebAuth 4.7.0, see:


The user-visible changes in this release are:

  • Recognize KRB5_BAD_ENCTYPE, KRB5_GET_IN_TKT_LOOP, KRB5_PREAUTH_FAILED, and KRB5KRB_AP_ERR_MODIFIED as additional synonyms for a failed login error code. Various combinations of recent MIT and Heimdal with different KDCs return these error codes if the password is incorrect.

  • Add new fields to the userinfo service parsing and the WebLogin handling. These allow a more complicated multifactor configuration to be passed along from the user information service, with multiple possible multifactor devices and one default.

  • Give a validation remctl command its own timeout error, so that a failure to respond to validation is handled differently from any other timeout failure. This lets us handle out-of-band multifactor methods, such as a phone call. Previously, such a timeout would show up in WebLogin as a generic WK_ERR_UNRECOVERABLE_ERROR.

  • Add the ability to use JSON rather than XML for the user information service's return values. This is activated with the WebKdcUserInfoJSON configuration directive.

  • Refactor the userinfo code to separate remctl support, XML parsing, and JSON parsing into separate source files for readability.

