Secret Server: 11.1.000007 Release Notes

11.1.000008 is a retroactive patch for this release. Please see Secret Server 11.7.000001 Release Notes for details.

Release dates:

January 25, 2022 (On-Premises)

January 15 2022 (Cloud) (unchanged from 11.1.000006)

Important: The 11.1.000007 update resolves a security vulnerability that was discovered during third-party penetration testing. The Common Vulnerability Scoring System (CVSS) rates the issue high (7.4). It impacts Secret Server On-Premises up to 11.1.000006. We recommend all affected Secret Server on-premise customers upgrade immediately to version 11.1.000007. This vulnerability does not apply to Secret Server Cloud, so there is not an update to address it.

Important: If you installed Secret Server as your default or top-level website and you have Privilege Manager (PM) and Secret Server installed together, you may experience the following issues after upgrading to .NET Framework 4.8:

  • PM agents will not register.
  • When a PM agent updates itself (using the agent utility), it states that there are zero policies to download.

If you believe this scenario applies to you, please contact Delinea Support before performing a .NET, Secret Server, or PM upgrade.

New Features and Enhancements

Master Encryption Key Rotation

Secret Server can now generate new master encryption keys via a rotation process. Previously, the master encryption key was generated at installation and rotation was not possible.

This feature is at Admin > Configuration on the Security tab in the Master Encryption Key Rotation section.

Secret encryption uses a different key, and the independent secret key rotation is still available.

SSH Jumpbox Route Support

SSH jumpbox routes allow SSH terminal and proxy to connect through one or more jumpbox servers in line to a final connection when launching from that target server's secret. An SSH jumpbox, a type of bastion host, is a regular Linux server, accessible from the Internet, that is a gateway to other Linux machines on a private network using the SSH protocol.

Bastion means a projecting part of a fortification. Bastion hosts are hardened and monitored servers that reside outside of an organization's security zone, usually exposed to the internet. SSH jumpboxes are also called bastion hosts, jump hosts, jump boxes, or jump servers. All jumpboxes are bastion hosts, but all bastion hosts are not necessarily jumpboxes.

RDP Clipboard and Drive Mapping

Gives the owner of a secret control of the RDP clipboard and drive mapping settings, restricting users from using their alternative settings. This provides administrators enforcement control over secrets and users’ RDP launcher settings.

Checkout Time Indicator

There is now an indicator within secret details that shows the remaining time on a checkout and can extend the checkout if required. The indicator is color coded and counts down in days, hours, or minutes.

Click the timer for an option to extend the checkout if this is enabled. The setting to enable checkout extension is at Admin > Configuration on the General tab. Enable the "Enable Secret Check Out Extension" check box after clicking the Edit button.

Enhanced Diagnostic and Logging Functionality

The logging level of Secret Server web nodes and distributed engines are now centrally configurable and collectable. This feature is especially useful for large systems with many nodes and engines.

Configuration for the web nodes is found on the Server Nodes configuration page, alongside role settings. Configuration for distributed engines is found in the Distributed Engine configuration page. Log levels include: All, Debug, Info, Warn, Error, Off, and Not Set (the default). Previously, manual configuration file changes were required. “Not Set” relies on the configuration files for the logging level, which was the previous default behavior.

The diagnostic feature for collecting logs is improved and now gathers logs from all nodes and engines. This feature is at Admin > Diagnostics.

API Automatic Checkout

There are now automatic check in and check out parameters for secret API calls that can check in and out, leave comments, and force check in. The parameters are:

  • autocheckout=true checks out the secret before performing any operations and then checks the secret back in afterwards.
  • forcecheckin=true checks in the secret if it is currently checked out before performing any operations.
  • The combination of autocheckout=true and autocheckin=false leaves the secret checked out after the operation completes.
  • The combination of autocheckout=true and autocheckin= true checks out the secret before performing any operations and then checks the secret back in afterwards.
  • autocomment=[comment] adds a check out or in comment. The comment must be in a URL-escaped format. For instance spaces are changed to %20.

This functionality is currently available on the following endpoints:

  • api/v1/secrets/{id}/

  • api/v1/secrets/{id}/change-password/

  • api/v1/secrets/{id}/email

  • api/v1/secrets/{id}/expiration

  • api/v1/secrets/{id}/expire/

  • api/v1/secrets/{id}/fields/{slug}/

  • api/v1/secrets/{id}/fields/{slug}/

  • api/v1/secrets/{id}/fields/{slug}/list

  • api/v1/secrets/{id}/fields/{slug}/listdetails

  • api/v1/secrets/{id}/general

  • api/v1/secrets/{id}/heartbeat/

  • api/v1/secrets/{id}/restricted/

  • api/v1/secrets/{id}/restricted/fields/{slug}/

  • api/v1/secrets/{id}/rpc-script-secrets

  • api/v1/secrets/{id}/security-general

  • api/v1/secrets/{id}/settings

  • api/v1/secrets/{id}/ssh-restricted-commands

  • api/v1/secrets/{id}/state

  • api/v1/secrets/{id}/summary/

  • api/v1/secrets/{secretId}/update-ssh-restricted-commands

  • api/v1/secrets/rdpproxy

  • api/v1/secrets/sshproxy

  • api/v1/secrets/sshterminal

  • api/v2/secrets/{id}/email

  • api/v2/secrets/{id}/general

  • api/v2/secrets/{id}/rpc-script-secrets

  • api/v2/secrets/{id}/security-general

  • api/v3/secrets/{id}/security-approval

  • api/v3/secrets/{id}/security-checkout

General

  • Added support for RabbitMQ version 3.9.5 with RabbitMQ Helper.
  • Updated syslog over TCP to meet the requirements of RFC-6587. Added a newline terminator at the end of each syslog message per RFC 6587. You can disable this by setting the "System Log force line feed end of line" advanced configuration setting to "False."
  • Upgraded RADIUS authentication to include EAP-TTLS-PAP.
  • Added options to prevent login via OAuth if SAML is enabled.
  • Improved audit logs with addition of username and display name data.
  • Added token (such as $EventUsername) translation to the input value for the secret field filter in event pipeline policies.
  • The "Restrict by" setting in launchers and now use notes, text fields, or list fields.

UI/UX

  • Added accessibility controls across Secret Server.
  • Added a "quick launcher" feature to the secret table view, providing faster access to the launchers from search results or folders.
  • Added screen reader hints.
  • Improved wording in the UI description for managed directory services groups.
  • UI description for user preference email settings now says users with view permissions see secret notifications.
  • Improved the UI for assigning multiple groups to a user from the user management page.
  • Improved the UI adding permissions to folders.
  • Improved the secret template administration pages.
  • Added a copy password button to the secret password history (Secret Item Value History popup). The history now has a multi-line text box, making it easier to manipulate text strings.
  • Added a #TIMEZONE parameter to the custom report builder. This inserts the user time zone (formatted for SQL) into the report. This can be used with SQL syntax for converting dates, such as CONVERT(DATE, DateRecorded AT TIME ZONE ''UTC'' AT TIME ZONE #TIMEZONE) as DateRecorded
  • Added a folder search to the folder picker.

API

  • The GET /folders API endpoint can now optionally return only root folders by using the new query parameter filter.OnlyIncludeRootFolders=true.

Bug Fixes

Access Requests and Secret Workflows

  • Fixed an issue where comments for checked-out secrets appear in the preview panel.
  • Fixed an issue when including owners as reviewers was only updated if another part of the step was updated.
  • Fixed the issue where the max allowed approvers setting was being reset to 1 instead of the number of approvers.

API

  • Fixed an issue with API secret endpoints not returning a 400 bad request statement when an approval workflow is used.

Alerts, Auditing, and Logs

  • Fixed an issue where auto export would report an error in the system log when it is not enabled.
  • Fixed an issue with the historical data import for Privileged Behavior Analytics not working.
  • Fixed an issue where inbox templates would not load if they were in a language different to the application.
  • Fixed a performance issue when retrieving secret audits with large numbers of audits and secret sessions associated with the secret.
  • Fixed an issue where AccessConfigs is null for some customers. The fix checks before using the values in AccessConfigs and creating additional logs.

Authentication, Login, and Directory Services

  • Fixed an issue where OAuth tokens generated with a maximum lifetime would sometimes return an error.
  • Increased the size limit of SAML certificate storage to accommodate larger certificates.
  • Fixed an issue where certain LDAP directories could not synchronize because they did not support the SearchOptions control.
  • Fixed an issue with bulk operations to disable two-factor authentication not running on the User Administration page.
  • Fixed an Secret Server Cloud error when users attempted to use the "lost my phone" feature.
  • Improved the AD sync error messaging by separating users from domains that failed to sync from those whose domains have no users in the latest sync, delivering separate error messages for each.
  • Fixed a login issue by enforcing an existing restriction of application accounts from logging into the UI for SAML authentication.
  • Fixed an issue with AD and LDAP Secret Server users not being able to successfully authenticate with a public key over SSH Terminal.
  • Fixed an issue when 2FA was enabled for users with no entry in the tbuser fields causing login failure.
  • Fixed an issue where duplicate item rows were added when generating a SSH key and passing to the passphrase. The duplicate caused an error in validation that expected only one row per field.
  • Fixed an issue with AD sync over a distributed engine with "TLS error auditing" enabled that caused "disable user management" to stop working.

Discovery

  • Fixed an issue with discovery host-range mapping validation.
  • Fixed an issue where a mouseover tool tip was not showing the full OU path on the Discovery Domain Scope page for excluded OUs.
  • Fixed an issue where previously scanned Linux machines were not displayed in discovery network view.
  • Fixed an issue with discovery import rules for windows local account templates that prevented successful account import.
  • Fixed an issue where an invalid secret template configuration caused a page load error when navigating to the Discovery Network View page.

Encryption, Passwords, and Certificates

  • Fixed an issue with the password report in the dashboard UI to properly update the date.
  • Fixed an issue where the "Prevent Username in Password" setting was not working for a password template.

Event Subscriptions and Pipelines

  • Reduced the EventQueue "maximum batches per job" default from unlimited to 100. This is an advanced configuration item.
  • Fixed an issue that prevented recording an audit log and sending an event subscription when "Require Two Factor for these Login Types" is set to "Web Services Login Only."

Folders

Fixed an issue where folder owners cannot move secrets to a folder if the owner does not have access to the folder's parent folder.

General

  • Added table monitoring for DIM for new tables.
  • Fixed an incorrect error code displayed when navigating to a URL containing invalid characters. Navigating to the URL now displays a 404 error.
  • Fixed an issue with unclear licensing errors. Highlighted the error and clarified working.
  • Fixed an issue with non-English languages displaying the product name incorrectly.
  • Fixed a CVSS 7.4 security issue. It impacts Secret Server On-Premises up to 11.1.000006. See the important note at the top of these release notes.

Heartbeat, Distributed Engines, and RPC

  • Fixed an issue where changes to proxy endpoint settings would not be audited on distributed engine proxy endpoints.
  • Fixed an issue with distributed engine activation requiring MSDTC to be enabled.
  • Fixed an issue with dropped connections to RabbitMQ causing worker process connections to RabbitMQ to accumulate additional connection channels, impacting connectivity.
  • Fixed an issue where changing a dependency group site assignment to "Use Site from Secret" would throw an application error.
  • Fixed an issue where a secret would be queued for password changing every password changing interval due to an invalid change schedule setting.
  • Fixed an issue on the Secret Remote Password Changing settings tab where the option to remove associated secrets would not display.
  • Fixed an issue with the Test Dependency button on the Secret Dependency view did not work correctly on the New UI.
  • Fixed an issue where bulk operation "Assign to Site" required heartbeat or remote password changing to be enabled on the template
  • Fixed an issue on the RPC configuration auto-change schedule not honoring a scheduled "when password expires" change.
  • Fixed an issue that occurred when running RPC on a secret and then switching to view another secret—if the first secret's RPC fails, the information is displayed on the second secret.
  • Fixed an issue where RPCNextAttemptTime does not update when adjusting the auto change schedule after a failed RPC attempt.
  • Fixed an issue in discovery where the Secret Type field does not provide dropdown options in the UI if RPC is disabled on the secret template’s password changer.
  • Fixed an issue with the application path of Secret Server being used in a distributed engine for ComPlus dependencies.

Installation, Upgrade, and Uninstall

None

Launchers

  • Fixed an issue where the "Hide Launcher Password" setting would hide the password field from a secret owner when the field also has "View Requires Edit" enabled.
  • Fixed an error when a machine list restricts an input field on a secret launcher.
  • Fixed an issue with protocol handler that caused certificate errors from the IDP or delays in validating the CRL.

Remote Access and Proxies

  • Fixed an issue with proxied SSH connections to slow devices where "Connect As" commands were not inputted correctly.
  • Fixed an issue where some key-exchange algorithms were not supported for various SSH tasks, including proxy, discovery, heartbeat and password changing.
  • Fixed an issue where SSH command restrictions using allowed command lists would close the connection when trying to navigate the command restrictions menus.
  • Fixed an issue with automatic sudo elevation during SSH proxy sessions identifying password prompts incorrectly and attempting to enter the password.
  • Fixed an issue with SSH proxy session performance when sending or receiving large quantities of data.
  • Fixed an issue where using SSH Blocked Command lists prevented exiting text editors in an SSH session.
  • Fixed an issue with reports using date range filters. The local timezone is now correctly filters the report, as opposed to UTC.
  • Fixed a memory leak issue in SSH proxy on Web node connections.
  • Fixed an issue where PuTTY did not load the default session logging location.
  • Fixed an issue where SSH Terminal was locked out due to an authorization issue when launching a secret.

Reports

  • Fixed an issue with users not receiving report emails.
  • Fixed an issue where scheduled reports failed to send emails when the report file size was too large, producing an error.

Secret Server Cloud

Fixed an issue where secret key rotation could trigger database growth when used with KMS key protection.

Secrets, Policies, and Templates

  • Fixed an issue with the secret template interface that prevented users from setting a default deprived secret. This was possible in the Classic UI.
  • Clarified an error when changing the field type on a secret template that occurs if the field is mapped to the "Restrict By" setting of a launcher.
  • Fixed an issue on the Secret General tab where the icon indicating that a session is not recorded did not display on Web Password Filler launchers.
  • Fixed an issue with secret search where results appeared to be matching any word in the search text instead of all words.
  • Fixed an issue with secret import not using the site from the import XML unless the site was also added during the same import. Import will now use the site ID on the secret if sites were not also imported.
  • Fixed an issue where a checked-in secret's password is visible. Secret Server now displays an error if the user tries to click the view password link on a the secret.
  • Fixed an issue that prevented access to a secret in "unlimited admin mode" if the secret is checked-out and requires a comment.
  • Fixed an issue with secret search when searching an encrypted secret field with partial matches of some terms.
  • Fixed an issue with the Secret Settings interface showing incorrect settings when a secret policy was enforced.

Session Recording

None

Users and Groups

  • Fixed an issue with automatic user management not correctly enabling or re-enabling users in some configurations during SAML login.
  • Fixed an issue in the UI where groups with long names obscured permission dropdown-list options. Long group names now text wrap to allow viewing.

UX/UI

Fixed an issue where switching languages would display the incorrect OEM logo and product name in the classic UI.

Web Password Filler

None

Future and Recent Deprecations

This section describes planned future deprecation of feature or platform support in Secret Server.

  • Internet Explorer 11. Support for Internet Explorer 11 ends on 31 August 2021. Secret Server releases after that date will not support Internet Explorer 11.
  • Secret Server Classic UI. The Classic UI option in Secret Server is scheduled to be removed in Q2 2022. After that time, the New UI will be the only available UI option in Secret Server.