Known issues

  • PingAccess 6.3 deployments that use the Sideband API feature cannot be upgraded using the zero downtime upgrade procedure. You must use a planned outage to upgrade such an environment.
  • Depending on the source version, the upgrade process may change the default settings for the SameSite cookie attribute to make PingAccess cookies work on all browsers. Review the settings for each web session in Access > Web Sessions to verify that your SameSite cookie attribute values are set to None or Lax, depending on the third-party context needs for PA cookies.
  • Use of TLSv1.0 has been maintained for use by legacy versions of Internet Explorer. Since continued use of TLSv1.0 is not recommended for security reasons, users should upgrade to the latest version of Internet Explorer to make use of the more secure TLSv1.1, TLSv1.2, or TLSv1.3.
  • PingAccess may have difficulty maintaining TLS 1.3 connections when using JDK 11.0.0, 11.0.1, or 11.0.2 because of a defect in those versions. This might cause upgrades to fail on systems using these versions.
  • Engines and admin replicas do not connect to admin console if a combination of IP addresses and DNS names are used.
  • The token processor can't connect to a JWKS endpoint via SSL when an IP is used rather than a hostname. To workaround this issue, add the hostname as the subject alt name on the key pair.
  • When using Internet Explorer 11, you may not be able to view the full application or resource policy because the scroll bar is missing.
  • If you create multiple virtual hosts with a shared hostname and associate the hostname with a server key pair, the virtual hosts retain the connection with the server key pair even if they are subsequently renamed. The virtual host must be deleted and recreated to remove the association.
  • Upgrades will fail with a risk-based authorization rule if a third-party service is not used in the rule.
  • Log files may contain excessive warnings issued by Hibernate during startup.
  • Asynchronous front-channel logout might fail in some browsers depending on end-user settings. See for browser-specific workarounds.
  • When using Internet Explorer 11 to access the PingAccess admin console locally by host name, you must disable Compatibility View so that the admin console will load correctly.
  • Assigning a new key pair to the Admin HTTPS listener if the browser does not trust the new key pair can prevent the UI from functioning. The workaround is to close the browser and re-open it so that all connections to the admin node use the new certificate.
  • Invalid special characters ((),/;<=>?@[\]{}") can be added to the Certificate to Header Mapping field in an identity mapping. Adding this identity mapping to an application will cause 400 errors when the application is accessed.
  • On Internet Explorer 11, the Targets field is sometimes unusable when clicked. The workaround is to double-click the field or to click the Name field and then click Tab.
  • If PingAccess is repeatedly stopped and restarted in FIPS mode, subsequent restarts can take up to 5 minutes to complete. The workaround is to use a tool such as rng-tools to refresh /dev/random and make more entropy available faster. For example:
    sudo yum install rng-tools
    sudo rngb -b 
  • After starting PingAccess for the first time on a Windows system or upgrading PingAccess on a Windows system, a warning message is logged reporting that the pa.jwk file was not made non-executable. This message can be ignored.

Known limitations

  • Internet Explorer and Firefox do not correctly support the HTML5 time tag. When using the Time Range rule, enter time in 24-hour format.
  • When installing PingAccess as a Windows service using Windows PowerShell and Java 8, the error message "Could not find or load main class" can be safely ignored.
  • Request Preservation is not supported with Safari Private Browsing.
  • When using IE 11 to access the PingAccess admin console remotely, a fully qualified domain name or IP address must be specified. For example, and will work, while specifying only the host name, https://console:9000, will not.
  • Incorrect handling for IPv6 literals in Host header. Note that IPv6 is not currently supported.
  • The PingAccess 6.3.2 incremental maintenance package is unavailable. Upgrades from PingAccess 6.3 versions prior to 6.3.2 do not support the incremental upgrade package and must use the Upgrade Utility to perform the upgrade.