=================================================================
AGENT FOR WINDOWS NT v4.0.3    README               July 11, 1997
=================================================================
-----------------------------------------------------------------
                   CONTENTS OF THIS DOCUMENT
-----------------------------------------------------------------
o Supported platforms
o Installation notes
o New features/Changes/Problems resolved
o Unsupported features
o Known anomalies
o Media contents

-----------------------------------------------------------------
                      SUPPORTED PLATFORMS
-----------------------------------------------------------------
o Windows NT v 5.0           (Intel and DEC ALPHA only)
o Windows NT v 4.0           (Intel and DEC ALPHA only)
o ACE/Server v 2.0 and above (all currently available releases)
o PowerPC is no longer a supported platform.

-----------------------------------------------------------------
                       INSTALLATION NOTES
-----------------------------------------------------------------
o DO NOT attempt to install this product on NT releases older 
  than 4.0!  NT release 4.0 introduced support for CAB file
  installation which is required for the installation program.

o In a domain environment, the ACE/Agent for NT should be 
  installed on the primary domain controller before it is 
  installed on any of the backup domain controllers.

-----------------------------------------------------------------
    NEW FEATURES/CHANGES/PROBLEMS RESOLVED in v4.0.3
-----------------------------------------------------------------
o Dropped support for Power PC platform.

o User authentication instructions included in distribution media
  and installed in the %SystemRoot%\system32\ACECLNT directory.

o Internal functional compatibility with ACE/Agent for Netscape
  WebID features allows for interoperability between Microsoft
  IIS servers and Netscape Web servers.

o The Remote properties sheet uses a fixed width font to display
  the editable custom logon greeting. This allows easier editing
  when theusers are trying to create patterns for logon banner
  text.

o The Web properties sheet no longer requires users to restart
  the WWW service for any changes in the settings. All changes
  take effect immediately after the OK or Apply button is pressed.
  The only change that requires a service restart is changing the
  enable status of the WebID feature set.

o The WebID system generated PIN is now displayed on a separate
  page based on the SHOWSYS.HTM template. This page is only visible
  for 10 seconds before the user is prompted to authenticate again.

-----------------------------------------------------------------
	NEW FEATURES/CHANGES/PROBLEMS RESOLVED in v4.0.2
-----------------------------------------------------------------
o The Remote properties sheet of the ACE/Client control panel
  provides an option to disable the domain prompt during remote 
  user logins. If the Disable Domain Prompt option is selected,
  you may specify a default domain for Remote Access logins 
  (RAS). The default domain will be used and any invalid 
  username/domain pair will force the user to enter their 
  username again.

o The control panel application allows setting of a custom logon
  greeting for Remote Access logins (RAS).

o The control panel application offers the option to prevent user
  name resolution for the NT Event Log messages when the challenge
  all option is active. This will reduce the logon delay when the
  RAS users are members of very large NT domains.

o The control panel application will only prompt users to reboot
  the workstation if they changed the enable status of local
  authentication.

o The control panel application will prompt users to restart the
  NT Remote Access Service if they changed the enable status of
  remote access authentication.

o The Event Log will display the selected primary address for a
  multihomed client when there is ambiguity. The default address
  is the address associated with the machine name definition in
  the TCP/IP network settings.

o Fixed a problem where a user would get the error
  "Authentication server not responding" during an authentication. 
  This problem sometimes occured if the ACE/Client and ACE/Server 
  were running on the same Windows NT system.

o Fixed a problem where the Remote Access Server (RAS) service 
  would de-activate a phone line after numerous failed 
  authentication attempts.

o Correction of duplicate packet detection fixes problem with
  access denied when ACE/Server logs report PASSCODE accepted.

o Eliminated timeout when accessing slave ACE/Server after master
  has gone offline.

-----------------------------------------------------------------
	NEW FEATURES/CHANGES/PROBLEMS RESOLVED in v4.0.1
-----------------------------------------------------------------
o The group memberships that control "Local" and "Remote" SecurID 
  PASSCODE challenge have been set to conform with the following 
  table:

  ---------------------------------------------------------------
  | Member of => | SDLOCAL         | Domain SDLOCAL             |
  ---------------------------------------------------------------
  | Local Logon  | Challenge       | Not Applicable             |
  ---------------------------------------------------------------
  | Domain Logon | Challenge on DC | Challenge on every machine |
  ---------------------------------------------------------------

  If a Domain Logon is attempted on a machine where a Local
  account with the same name is a member of "SDLOCAL", then the 
  user will be challenged even if the domain account is not a 
  member of "Domain SDLOCAL". The same rules apply for "SDREMOTE"
  and "Domain SDREMOTE".

o ACE/Client supports the protocol changes introduced in 
  ACE/Server v2.3

o Memory problem with NT/RAS service causing abnormal termination
  of the RAS process after prolonged continuous operation.

o WebID protection on CGI scripts and executables is now applied
  correctly and will work with FORMs using "GET" or "POST" in the
  ACTION tag.

o WebID administration will handle the "Show Files" option and
  will not drop individual file protections between successive
  runs.

-----------------------------------------------------------------
	NEW FEATURES/CHANGES/PROBLEMS RESOLVED in v4.0
-----------------------------------------------------------------
o Support for SecurID authentication on Microsoft IIS Web Servers
  running under Windows NT 3.51 and Windows NT 4.0.

o New design of Control Panel application with full 
  context-sensitive Help available.

o A "Challenge All" switch has been added for local authentication.

o Problem authenticating RAS users more than once after a reboot.
  The previously known fix was to reinstall ACE/Client for NT and
  change the binding of the primary Network Interface Card (NIC)
  under the TCP/IP protocol. It is no longer required to do this.
       
-----------------------------------------------------------------
                      UNSUPPORTED FEATURES
-----------------------------------------------------------------
o Security for Windows NT/RAS is invoked only if the user is 
  connecting through a COM port.  There is no support for ISDN or
  X.25.

o ACE/Agent protection is invoked only at the access points of 
  the network. There is currently no SecurID support for 
  netlogon access to Windows NT servers.

o WebID doesn't support virtual servers with different home 
  directories for the Microsoft IIS (Internet Information Server) 
  environment.
       
-----------------------------------------------------------------
                        KNOWN ANOMALIES
-----------------------------------------------------------------
o When the status of the WebID feature is changed from enabled to
  disabled and vice-versa the WWW service must be restarted. To
  perform this operation in IIS 4.0 K2 you must use the Control
  Panel Services applet. Using the Management Console function to
  stop and restart the Web Sites is not accomplishing the same
  result.

-----------------------------------------------------------------
                        MEDIA CONTENTS
-----------------------------------------------------------------
ACE/Agent for Windows NT: (CD-ROM only)
o ACECLCAB.EXE - NT v4.0/v5.0 CAB file stub installer
o ACECLNT.CAB  - CAB file containing the following files:

o ACECLNT.DLL  - Security Dynamics' shared DLL
o SDGINA.DLL   - Security Dynamics' local authentication DLL
o SDRAS40.DLL  - Security Dynamics' NT4.0/RAS Server DLL
o SDMSG.DLL    - Security Dynamics' common message file
o SDIIS.DLL    - Security Dynamics' CGI extension DLL
o SDIISFLT.DLL - Security Dynamics' Filter extension DLL
o SDIISCHK.DLL - Security Dynamics' Filter watchdog DLL
o SDIISUTL.DLL - Security Dynamics' IIS Utilities DLL
o SDWEBMGR.EXE - Security Dynamics' ISM integration program
o ERROR.HTM    - WebID error HTML template file
o FLTERROR.HTM - WebID filter error HTML template file
o PASSCODE.HTM - WebID PASSCODE request HTML template file
o NEWPIN.HTM   - WebID user New PIN HTML template file
o NEWPIN1.HTM  - WebID system New PIN HTML template file
o NEWPIN2.HTM  - WebID selectable New PIN HTML template file
o NEXTPRN.HTM  - WebID next tokencode request HTML template file
o SHOWSYS.HTM  - WebID system generated PIN display HTML template file
o SDTEST.EXE   - Security Dynamics' test program
o SDCONTRL.CPL - Security Dynamics' Control Panel program
o SDCONTRL.HLP - Security Dynamics' Control Panel help file
o SDCONTRL.CNT - Security Dynamics' Control Panel help contents
o LOC_CARD.DOC - Local authentication guide for Standard Cards
o RAS_CARD.DOC - NT/RAS authentication guide for Standard Cards
o LOC_PIN.DOC  - Local authentication guide for Pinpad Cards
o RAS_CARD.DOC - NT/RAS authentication guide for Pinpad Cards
o CLNTCHK.EXE  - Agent configuration screen display utility
o LICENSE.TXT  - Security Dynamics' License Agreement file
o README.TXT   - This file

