IBM Support

IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 Issues and Limitations



This document identifies the issues and limitations and provides workarounds for IBM Security Access Manager for Enterprise Single Sign-On. This document is continuously updated. Workarounds are added as critical issues are discovered.


Windows 10 and Windows 8.x support

  • On Windows 10, version 1607, the logon screen (ISAM ESSO Credential Provider) might cycle repeatedly under rare circumstances.
    The existing default timeout is insufficient for the logon process to complete successfully.
    Workaround: Increase the logon timeout with the following steps. Launch the Windows Registry Editor. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI. Add the DWORD (32-bit) Value, IdleTimeOut. Assign a value of 300000. Restart the computer.
  • On Windows 10, the lock screen is enabled by default and you must dismiss the lock screen before you log on to the ISAM ESSO Credential Provider.
    If you do not dismiss the lock screen, the ISAM ESSO Credential Provider might appear multiple times after you provide your credentials.
    Workaround: Launch the Windows Registry Editor. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\. Add a new key called Personalization. Right-click Personalization, click New > DWORD (32-bit) Value.
    The new DWORD (32-bit) entry name must be NoLockScreen and the value set to 1.
  • When logging on to Windows 10 or unlocking the workstation, a Sign in button might be displayed instead of logging you on automatically. This behavior can also occur when AutoAdminLogon is set to 1 for shared desktops. This button appears because of a change in the Windows 10 Authentication framework for automatic desktop logon and unlock.
    Workaround: Click Sign in to automatically log on and unlock the desktop.
  • When you start Microsoft Internet Explorer 10 or later in Windows 8 or later for the first time, you are prompted to enable the ISAM ESSO Browser Helper Object add-on. Single sign-on works only after you enable the add-on and then open a new browser window or a new tab.
  • For Windows 8.x and Windows 10, 32-bit and 64-bit Windows Store apps are not supported.
  • Single sign-on to console applications is not supported in Windows 8 or later and Windows Server 2012 or later.
  • AccessStudio Retrospective Log Playback does not work on Windows 10.
    Workaround: Use Windows 7 or Windows 8.1.
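
The two registry workarounds above (IdleTimeOut and NoLockScreen) can be checked and applied from an elevated PowerShell session. The following script is an added example, not IBM-supplied code; the `-Apply` switch and the audit-by-default behavior are assumptions of this example, and 300000 is treated as a decimal value.

```powershell
# Added example (not IBM code): audit or apply the two registry workarounds.
# Default is audit only; pass -Apply from an elevated session to write changes.
param([switch]$Apply)

# Key paths, value names and data come from the workarounds on this page.
# Assumption: 300000 is entered as a decimal DWORD.
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
       Name = 'IdleTimeOut';  Value = 300000; NeedsRestart = $true },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
       Name = 'NoLockScreen'; Value = 1;      NeedsRestart = $false }
)

$restart = $false
foreach ($s in $settings) {
    # $null here means the key or the value does not exist yet.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)

    if ($current -eq $s.Value) {
        Write-Output "OK       $($s.Name) = $current"
        continue
    }

    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    if (-not $Apply) {
        Write-Output "DIFFERS  $($s.Name): found $shown, expected $($s.Value)"
        continue
    }

    # The Personalization key may be absent, so create the key before the value.
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
        -Value $s.Value -Force | Out-Null
    Write-Output "SET      $($s.Name): $shown -> $($s.Value)"
    if ($s.NeedsRestart) { $restart = $true }
}

if ($restart) { Write-Output 'Restart the computer to complete the IdleTimeOut workaround.' }
```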


  • With Internet Explorer Enhanced Protected Mode enabled, the web browser might hang with websites that contain frames.
  • For single sign-on with Firefox ESR, the following issues exist:
    • The Browser starts navigating form page trigger fires when a Web FORM on the page is submitted.
    • Access to DOM content inside cross-domain Frames and iFrames is not supported.
  • Single sign-on to Java applications does not work.
    Workaround: After installing AccessAgent, if single sign-on to Java applications must be enabled, run JVMSupport.vbs. See Enabling single sign-on for Java applications.
  • The ISAM ESSO Browser Helper Object is marked as "Not Verified" in Internet Explorer. This issue is caused by a Microsoft security advisory that affects all code packages that were signed by using a certificate that signs with the SHA-1 algorithm. See the following security advisory. Functionality is not affected unless specific group policies are enabled to prevent the IBM Security Access Manager for Enterprise Single Sign-On Browser Helper Object from being enabled.
    Workaround: Disable any group policies that block "Not Verified" Browser Helper Objects (BHO).
  • When you install AccessAgent on Windows 7 or later, if ConsoleAppSupportEnabled in the SetupHlp.ini file is set to 1, a VBScript error is shown.
    Workaround: Set ConsoleAppSupportEnabled to 0 and run InstallConsoleSupport.vbs after installation.
  • AccessAgent-related activities on Windows 8 or later can cause a Windows Defender process to use 99% of the computer resources. As such, this issue can affect the performance of the computer.
    Workaround: Add the AccessAgent installation folder (for example: C:\Program Files\IBM\ISAM ESSO\AA) to the Windows Defender process exception list. See Add an exclusion to Windows Defender Antivirus.
  • On Windows 8 and later, the AccessProfile action Click a menu option does not work if the context menu is displayed close to the outer edges of the Windows 8 and later application main window.
    Workaround: Move the application window closer to the left side of the Windows desktop.
  • The authentication service that is provisioned through an API does not work. The corresponding user name for the provisioned authentication service is not stored in the Wallet Manager.
    Workaround: The provisioned user must log on to AccessAgent and choose to cache the user Wallet. The user Wallet must be cached so that AccessAgent can process the user credentials for the provisioned authentication services.
  • Transparent Screen Lock is not supported on a remote desktop session because of a Windows Aero limitation.
  • The Transparent Screen Lock window might not update or refresh as fast as your application if the application refresh interval rate is lower than 500 milliseconds.
  • Some of the hot key combinations might not work because they can conflict with a Windows Secure Attention Sequence such as Ctrl+Alt+Del.

Note: The AccessAgent installation proceeds without a setup prompt, even when an incorrect IMS Server location is specified in the setuphlp.ini file.
Workaround: Set the correct IMS Server location post installation. This option is only applicable if the silent installation is triggered by using Setup.exe with the silent switches. See Installing the AccessAgent silently.

  • COM port policies are not supported for Terminal Server running on Windows Server 2016.

IMS Server

  • The "Installer User Interface Mode Not Supported" error occurs when you run the IMS Server installer on Windows Server 2012.
    Workaround: To fix this problem, you can do any of the following tasks:
    • Run the IMS Server installer from the command line and add the argument "-i GUI" or "-i Console".
    • Change the compatibility level of the IMS Server installer to Windows 7 by doing the following tasks:
      1. Right-click the IMS Server installer executable file.
      2. Go to Properties > Compatibility > Compatibility mode.
      3. Select the Run this program in compatibility mode for checkbox.
      4. Select Windows 7 from the drop-down menu.
      5. Click OK.
  • Enterprise directory validation fails when you create a new directory and apply the following configurations:
    1. Set Use SSL to No in the Advanced window.
    2. Set Enable AccessAssistant/Web Workplace password reset? to Yes but do not provide details of the IBM Security Identity Manager Adapter.
    3. On the same page, set Use SSL to Yes, which hides the IBM Security Identity Manager Adapter settings.
    4. Complete the required directory settings and click Next.
    Workaround: Go to the Enterprise Directories page and re-create or edit the enterprise directory settings and set the SSL setting correctly.


  • On Firefox ESR, the AccessStudio Web Finder tool is not supported. To generate the signature, use the Internet Explorer web browser.
  • The following triggers do not get fired when you run the AccessProfile in Windows 8 and Windows 8.1:
    • Window position changes
    • Window is shown
    • Text is displayed on a window
    • Text is displayed on a console window
  • Cannot pass property value of property store item from the AccessProfile widget to the main AccessProfile.
    Workaround: Transfer the property value contents onto an Account Data bag and pass the Account data bag by reference.
  • Cannot pass the value of an Account data bag or Property Store Item parameter variable by value. The data becomes null after providing some value.
    Workaround: Copy the value assigned to the parameter variable into a new variable and pass the new variable by reference.

Cognos reporting

  • When generating a Cognos-based report, if you require only the records for the current date, you must specify both the start date and end date. Otherwise, the previous data are also displayed in the report.

Third-party limitations

  • The AccessAgent Installer cannot display the following texts in bidirectional mirroring:
    • Language selection options
    • IMS Server error message
  • AccessStudio cannot display the following items in bidirectional mirroring:
    • Drag-and-drop bar and icon
    • Title and subtitle bar
  • Some GB18030 G1 characters are not displayed correctly in some AccessStudio fields.
  • AccessStudio cannot import an AccessProfile from the IMS Server if the AccessProfile contains a field with characters outside the Basic Multilingual Plane (BMP).

Document information

More support for: IBM Security Access Manager for Enterprise Single Sign-On

Software version: 8.2.2

Operating system(s): Windows

Reference #: 1971784

Modified date: 31 July 2018
