Secret Server Cloud Release Notes for June 3, 2023

Release Dates and Notes

Cloud: June 3, 2023

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.8.0

Protocol Handler: 6.0.3.26

New Features

Checked Out Secret View

Added the Checked Out Secret view to Quick Access in the Secrets Folder panel. This quick view shows users all of the secrets that are currently checked out to them.

RADIUS Silent Answer

Silent Answer is a new RADIUS configuration option that allows setting the response to a predefined string value. This is to support push notification and other interactive variations in advanced RADIUS authentication configuration. The new setting replaces "Attempt User Password" and allows for sending the user password or another predefined string.

Check Out Recovery

We updated "Force Check In" to enable secret owners with the "Force Check In" role permission to force a check in of secrets that are configured to change their password upon check in. When a force check in is initiated, the secret is automatically checked out to the owner. This enhancement is particularly useful in scenarios where a secret is checked out with a failing RPC configuration and cannot be checked in by the current user. With this change, the owner can take over the checkout session, resolve the secret configuration issue, and then perform a standard secret check in.

Syslog Metadata for Launched Sessions

For built-in launchers, during a launch event, the launch target host is included within the details of the Syslog message as an additional "Host" field. Previously, this field was sent only for launchers requiring host selection; it is now also sent for launchers with a static host-target mapping.

Launcher Administration Page Conversion

We updated the Launcher Administration pages under Secret Templates to use our new UI patterns with a modern design. No functionality is affected, but the page is more responsive and intuitive.

SSH Key Authentication Passphrase Requirement

We added a new configuration setting to the login configuration page that allows administrators to enable a mandatory requirement for passphrases when users generate SSH keys for SSH Terminal key authentication.

Enhancements

  • Added a Managed field to the Discovery Network view to show when a discovery item is managed.
  • Added a Password Age column to the redesigned Discovery Network View.
  • Added a Quick Access link to see all Secrets you currently have checked out.
  • Added filters to the Secret Search API endpoint to allow filtering results by checked-out status: paging.filter.showSecretsCheckedOutByUser and paging.filter.showCheckedOutSecrets
  • Added info to logs to indicate why users cannot match or create users in SSC. Find this at Secrets > Admin > Platform Integration > Logs tab. Common notifications include:
      • DuplicateUserMappedToDifferentProviderName: The user was initially set up to a different Platform source; the URL or userid (provider key) changed, indicating the original user was deleted.
      • MaxLicensedUsersException: All licenses are taken, so additional users cannot be added.
  • Added integration support for Platform users matching local SS users that do not have an @ in their name. If the Platform user is username@local or username@tenantname, then the username portion will be used to match local users on the SS side.
  • Added support for LDAP RFC2307 group membership, used in OpenLDAP.
  • Added the option to require a passphrase for user public SSH keys.
  • Added validation messages to password requirement rules for when password requirements are too complex to reliably generate a password.
  • The Discovery Service Accounts detail page now displays both the services running under a directory account and the computers on which those services run.
  • Distributed engines no longer need directory services enabled to perform discovery.
  • Introduced a new Launch Secret role permission, which is needed to use launchers. This permission is automatically granted to roles with the View Secret permission, which previously controlled this behavior.
  • Removed the secretitemvaluetransitionhistory.aspx page and replaced it with an API endpoint, removing the possibility of bypassing the Hide Launcher Password control.
  • RPC heartbeat and password change logs are now full screen instead of a dialog box.
  • The PowerShell script timeout no longer defaults to 90 seconds. Instead, it now uses the value from the Event Pipelines Maximum Script Run Time (Minutes) setting in advanced configuration.
  • The new folder icon in the secret panel no longer shows if the user does not have the Administer Folders role permission.
  • The user audit report now has a filter panel and a description for how rotated secrets are calculated for this report.
  • There is now a pending RPC screen and a timer that checks you back in, blocking seeing secret info indefinitely.
  • Users can no longer access secrets that have failed processing a password change. Instead, they are shown a message stating the change failed.
  • We now initially load 60 secrets when viewing a grid to support 4k monitors. This was previously 30.
  • Within the details of the syslog message, there is now a Username field that contains the mapped username for the launcher on a launch event. It appears as Username: [<username>] for the built-in launchers.
  • Within the details of the syslog message, there is now a Host field with the value of the mapped host for the launcher on a launch event. It appears as Host: [<host>] for the built-in launchers.

Bug Fixes

  • Fixed an issue where Platform integration user synchronization failed if duplicate usernames existed in Secret Server.
  • Fixed an issue where a secret template could be saved without RPC mappings configured.
  • Fixed an issue where all event subscriptions did not fire for secrets in subfolders of the target folder.
  • Fixed an issue where Disaster Recovery (DR) email alerts failed to send.
  • Fixed an issue where extended fields were not properly exported to CSV files.
  • Fixed an issue where keystroke data from the advanced session recording agent did not appear in the keystroke activity details area of the playback page.
  • Fixed an issue where large messages from distributed engines to engine workers would not process. Engine workers may have crashed especially frequently in environments having four or more workers, including Secret Server Cloud.
  • Fixed an issue where LDAP sync via distributed engines would not work when the base DN was different from DC.
  • Fixed an issue where links on the Session Monitoring page while in grid mode would not correctly link to Secret Server Cloud with authentication.
  • Fixed an issue where the API endpoint api/v1/secrets/{id}/fields/{slug}/ logged an audit that the password was displayed when the actual password was not returned to the user due to hide launcher password being enabled.
  • Fixed an issue where the Confirm Action button in the bulk operation dialog box would remain active while the operation is processing. This is now correctly disabled to prevent initiating the action multiple times.
  • Fixed an issue where the SubscriptionName condition for a notification rule would display the event subscription ID instead. It now correctly uses the name when the user has the appropriate roles to list the subscriptions.
  • Fixed an issue where the terminate session mouseover tooltip displayed incorrect text.
  • Fixed an issue with a secret template name validation message not showing.
  • Fixed an issue with negative numbers exporting incorrectly when exporting a CSV.
  • Fixed an issue with new Platform trials not creating personal folders in Secret Server.
  • Fixed an issue with secret search producing SQL errors for customers with a lot of secret templates.
  • Fixed an issue with stacked dialog boxes. The CSS styles for the Platform Opt In dialog box have been adjusted to align with Angular 15.
  • Fixed conditions that prevented users from being removed from a group due to the system incorrectly identifying that they would be unable to complete the same operation.
  • Fixed issues with user and group syncing between Secret Server Cloud and Platform.
  • Improved usability in specific UI areas to enhance the user experience.
  • Updated Createuser.aspx to redirect users to the new User Management page.

Future and Recent Deprecations

This section describes planned future deprecation of feature or platform support in Secret Server.
Not applicable for the current release.