Secret Server: 11.2.000002 Release Notes (GA)
Release dates:
General Availability:
June 7, 2022 (On-Premises)
June 11, 2022 (Cloud)
The following release notes apply to both EA (11.2.000000) and GA. The bug fixes that only apply to GA are prefaced with (GA only).
The known issue with the replication process of the new disaster recovery feature launched in 11.2.000002 (June 7th, 2022) has been fixed.
New Features and Enhancements
New Branding
Thycotic and Centrify are now Delinea, and we have updated the interface styling to reflect the new company branding. Both light and dark mode are updated with new colors and component styles.
Improved Secret Browsing Experience
The classic UI was scheduled for removal in this release. Based on feedback, we deferred it to a later release. This section details the changes made to address the feedback on this change.
The secrets menu item in the new UI now has a collapsible folder tree panel that occupies the full height of the page. This replaces the folder tree at the bottom of the left navigation bar and delivers a significantly improved folder browsing experience.
Clicking a secret in the secret table view now opens an in-line card with details and actions. A launch button now appears when hovering over the row, where launchers are available, allowing launching without viewing secret details.
You can now pin a folder, limiting the folder tree to showing the contents of that pinned folder. With this, you can limit navigation to the folder and streamline navigation. Applying filters to the table in one pinned folder will not affect others, and the settings are remembered upon returning to that pinned folder.
We moved "favorites," "recent secrets," and "shared with me" to a widget bar, globally available in the top right in the new UI, allowing immediate access to your most important items.
New Secret Policy UI
We converted secret policy configuration to the new interface, adding a few changes. Policy settings are now grouped into tabs, grouping related settings together.
The "enforced" or "default" dropdowns are now checkboxes, improving usability.
New Administration Side Panel
A new administration menu is now available as a global side panel, allowing quick access to administration pages through a searchable list.
You can also pin pages in the list, creating a tailored quick-access list specific to a user. If the pinned item list is empty, there is a button to populate it with the default items that appeared on the previous list, which was available in the bottom-left "Admin" menu.
New Configuration Preview
A new configuration page is almost ready, and we need feedback on the new experience before making the page live. There is a new link to enable it in the top right-hand corner of the current configuration page.
Enabling the configuration preview changes the behavior of the new left administration panel, mentioned above, to include a new configuration section where the subsections are listed. Accessing any of these subsections navigates to the new configuration page, which has a dedicated search. This searches for configuration items by label, tooltip, and value content, displaying the search results and providing a link to a configuration section.
To disable the configuration preview, browse to the new configuration page, and disable the configuration preview in the top right-hand corner.
New Disaster Recovery Replication
There is now an efficient data replication method between multiple instances of Secret Server. This is typically used for replicating secret data into a backup vault for disaster recovery or business continuity. Currently, this is limited to secrets, templates, and launchers. Currently, DR replication does not include any other data, such as permissions, users, or policies, which future Secret Server versions will likely have.
Important: There is a known issue with the replication process of the new disaster recovery feature launched in 11.2.000002 (June 7th, 2022). A resolution is in progress and will be available soon. Please delay testing or implementing this feature until we release an update.
DR replication is available in Secret Server Platinum.
New Oracle Password Changer
A new Oracle password changer is available with new templates pre-configured for various configurations. The new password changer does not require installing any additional components on web servers and distributed engines, unlike the existing changer, which required Oracle ODAC components.
The new changer supports Oracle AS SYS, Oracle DataSource, and Oracle TCPS connections, and the new templates are pre-configured for these.
New Marking and Obfuscating PII
There is a new option available to enable the marking or obfuscation of Personally Identifiable Information (PII) in audit exports. This allows for data exportation for review by third parties without including any PII. Marking PII prepares exports for external cleanup, and obfuscation automatically removes it during exportation.
PII includes many internal stored attributes, such as IP addresses, usernames, and email addresses. Metadata fields can be flagged on creation as potentially containing PII, which aids applying the same filtering to user-configured metadata fields.
This feature currently only applies to audit tables available in the interface.
New Password Complexity Rules
We have added two new optional features to password requirement configuration:
- Variable Rule Matching: Passwords must match a specific number of your password character sets. Previously, all defined character sets must match. Now, you can define that one or more sets must match. For example, three of four sets must match.
- Must End With: A password’s final character must match a defined character set. This support compatibility with systems with similar requirements.
New Secret Checkout Expiration Notification
There is now a globally configurable checkout expiration that notifies users with a checked-out secret via their Secret Server inbox and inbox rules when a defined checkout period percentage has elapsed. For example, setting checkout expiration to 80% notifies users when 20% of the checkout interval remains.
This setting is available under "user experience" in the configuration page.
New Role-based Access Control for Reports
We have added a "Browse Reports" role that allows access to reports restricted by permissions. Permissions are configurable at the category and report levels and share a similar inheritance model to secrets and folders. You can define users or groups with "view" or "edit" permissions for each category or report.
Users with the existing "view reports" and "edit reports" roles are not restricted by the permissions set.
New Extendable Access Requests
You can now request future access to a secret you currently have access to—no need to wait for the current access to expire before asking for more time. A new access window is granted using the existing approval method. The new window’s start time is automatically set to the end time of the current one.
General
- Secret exports now support using a doublelock password instead of a local password, providing a method for federated users to manage passwords.
- RDP Settings, such as accessing the clipboard, are now enforceable on secrets by policy.
- Web Password Filler now supports URL lists. You can map a list to the URL field in web launcher mappings.
- Restored support for AES-*-ctr algorithms in Secure Blackbox when running in FIPS mode. SSH heartbeat, RPC, and proxy can once again connect to machines using –ctr algorithms.
- Added new tokens for recipient time, server time, and UTC time to inbox templates.
- Syslog messages are now sent to SIEM systems in UTF-8 encoding, which supports non-ASCII characters. Users who wish to view UTF-8 characters, such as Cyrillic or Korean, in their SIEM system will need to configure their SIEM servers to receive UTF-8 messages.
- Updated the protocol handler for session connector.
- Optimized SQL queries around RPC scheduling to increase performance.
- Web launcher support for HTTP: Web launchers by default force HTTPS, regardless of the protocol scheme in the URL field. Advanced configuration now as a "Web Launcher Forces HTTPS" setting to disable this for http:// URLs.
- Optimized performance of APIs related to Web Password Filler.
- Added a "preserve client process" setting to SSH-proxied process launchers that preserves the session if the launched process closes. This allows tabbed SSH clients to operate correctly as launched sessions.
UI/UX
- Log in autocomplete is now always on. We deleted the "allow autocomplete" setting from Admin > Configuration > Login.
- SSH Terminal now displays the last heartbeat status of a secret in the output of the "cat" command.
API
- Created a more usable version of the secret policy API.
- Adjusted /api/v1/folders sort order to return deterministic results.
Bug Fixes
Access Requests, Secret Workflows, and Doublelocks
- Fixed an issue where extend checkout would fail for users with view permission.
- Fixed an issue that did not allow custom check out intervals when set to maximum values.
- Fixed an issue with the Revoke button being invisible in the approval and requests inbox. It is now visible for basic approvals but not for workflow approvals as these do not support revocation.
- Fixed an issue where doublelock access would be intermittent if requests hit different web nodes.
- Fixed an issue where a workflow could be created and activated with no approvers
API and Scripting
- Fixed an issue where an empty "items" property existed on the api/v1/lists/{categorizedListid} endpoint.
- Fixed an issue where applying a policy with "Web launcher requires Incognito mode" set during API secret creation caused creation failure.
- Fixed an issue where an empty "items" property existed on the api/v1/lists/{categorizedListid}.
- Fixed an issue where JSON values could not be used as script arguments. These are now handled correctly in PowerShell.
- Fixed a SQL timeout issue from the adjusted data retention cleanup of the SDK client table.
- Fixed an issue where duplicate metadata fields could be created via the API.
- Fixed an issue with the DomainStatus value not being correctly populated in calls to the GET /api/v1/directory-services/synchronization endpoint.
- Fixed an issue where the /api/v1/directory-services/synchronization/log endpoint would not return data. This endpoint was renamed to /logs and now returns appropriate data.
Alerts, Auditing, and Logs
- Fixed an issue where an IP address was not displaying in the user audit page in the new UI.
- Fixed an issue where incorrect messaging was logged due to an IP address change. The log no longer references user location.
- Fixed bug where a "value cannot be null." error was written to the logs when updating node records during upgrade.
- Fixed an issue with URL generation for inbox notification emails.
- Fixed an issue where an incorrect IP address could be sent to syslog.
- Fixed an issue where verbose logging in distributed engines that indicates which key it is encrypting and decrypting communications with Secret Server specified it is logging a hash of the key, not the key itself.
- Fixed an issue where operational logs for multiple processes would not clean up due to the database table being too large.
- Fixed an issue where dual controls would not insert correct audits for launch events.
Authentication, Login, and Directory Services
- Fixed an issue where privileged password changing would not work for a user defined by the user principal name. The Active Directory password change now works with both UPN and SAM account name formats.
- Fixed an issue where SAML logins would not reset login failures for account lockout policies.
- Fixed an issue where OpenLDAP directory synchronization would not accept a custom port.
- Fixed an issue where the login page would load slowly when using HSM integration.
- Fixed an issue where CAPTCHA would sometimes fail due to session persistence.
- Fixed an issue with SAML SLO failing when the identity provider failed to log out.
- Fixed an issue where an incorrect identifying IP address was sent to Duo. This now sends the client address.
- Fixed an issue where Azure AD directory synchronization failed due to an unexpected value for OnPremisesImmutableId. These values are now anticipated.
- Fixed an issue where SAML login could be attempted for users assigned to disabled domains.
- Fixed an issue where the download service-provider metadata in SAML configurations showed even though there was not any metadata to download.
- Fixed an issue where engine logs would be cleaned up in a single transaction that could time out.
- Fixed an issue where Azure AD synchronization would incorrectly map users that had their username changed.
Disaster Recovery
The known issue with the replication process of the new disaster recovery feature launched in 11.2.000002 (June 7th, 2022) has been fixed.
- (GA only) Fixed an issue with disaster recovery synchronization not updating synchronized folder names.
- (GA only) Fixed an issue with disaster recovery synchronization not synchronizing secrets predating a new synchronization folder.
- (GA+ only) Fixed an issue where the CLR detected an invalid program.
- (GA+ only) Fixed an edge case issue where data may fail to replicate if edits occur while a replication is taking place.
- (GA+ only) Fixed an edge case issue where editing a secret field launcher may cause a null reference during DR replication.
- (GA+ only) Fixed an InvalidCastException that was introduced in the fix for RC13.
- (GA+ only) Fixed an issue where launcher sessions expired immediately when launched from the DR replica.
Discovery
- Fixed an issue where changing the secret on a discovery import rule would not save.
- (GA only) Fixed an issue where GCP discovery would return no results and not create the source organizational structure if errors to certain calls were received.
Encryption, Passwords, and Certificates
- Fixed an issue where credentials were not correctly supplied to "post change failure" or "post change success" commands, resulting in a failed connection instead of these commands running.
Event Subscriptions and Pipelines
- Fixed an issue where a secret metadata filter in an event pipeline would not work unless another task or filter had a $ token.
- Fixed the language resource for event pipeline policies.
- Fixed an issue where group name was not present when an event subscription was created for "User - Removed from group."
- Fixed an issue where subscribers could not be removed from an event subscription notification rule.
- (GA only) Fixed an issue with event pipelines not running with certain date formats.
Folders
- Optimized folder tree loading when over 1000 folders are displayed.
- Fixed an issue where "delete folder" was not available in the row options menu for folder items.
- (GA only) Fixed an issue where folder edit view would not update when editing one folder following another.
General
- Fixed an issue with custom dictionaries attached to password requirements not updating correctly.
- Fixed an issue where a problem with a single site caused messages to stop processing for multiple sites.
- Fixed an issue where the session connector would not install on non-English language systems.
- Fixed a CVE-2018-1185 vulnerability in the log4net package, which was updated to 2.0.14.
- Updated the time zone database library with the latest information.
- Fixed the Connection Manager download Links for IBM tenants.
- Fixed an issue where large emails would fail to send due to RabbitMQ maximum message size.
- Fixed an issue where user personally identifiable information PII removal would not erase the UserPrincipalName from the database.
- Fixed an issue where license expiration comparison was not considering local date formatting and displaying an activation error when parsing dates.
- Fixed an issue that caused large domain-synchronization messages to not send, creating partial result sets for directory synchronization.
- Fixed an issue where email would not send from a web node with the background worker disabled.
- Custom dictionaries now support two-character entries.
- Fixed an issue where all IP address restrictions would not display more than 30 entries.
Heartbeat, Distributed Engines, and RPC
- Fixed an issue with high command throughput against SAP systems causing issues with logging those commands. We throttled the SAP password changers send-commands rate, which is configurable at Admin > Remote Password Changing > Configure Password Changing > SAP Account (or SAP SNC Account) > Advanced Settings. This delay defaults to 500 ms.
- Optimized the distributed engine administration page.
- Fixed an issue where distributed engines would fail to connect to the Azure service bus after updating.
- Fixed an issue where disabling RPC globally would also disable heartbeat globally for distributed engine sites.
- Fixed an issue where the distributed engine setup assistant page would show, even after a site connector had been created.
- Fixed an issue where successful password changes with failed dependencies would show as canceled.
- Fixed an issue where automatic user management may not be processed on an engine site.
- Fixed an issue where heartbeat would fail if a valid client certificate existed for the LDAP connection used to heartbeat. Heartbeat now attempts Kerberos first.
Installation, Upgrade, and Uninstall
None
Integration
- Fixed an issue where a CredSSP generic error returned when a ticketing system integration script failed. This now returns the specific error.
- Fixed an issue where using HSM integration without having performed a master encryption key rotation would cause performance issues.
- Resolved an issue where Connection Manager would not correctly present fields requiring a user prompt.
- Fixed an issue with misleading settings for ticket system configuration. It now always prompts for a site.
- Fixed an issue where "RADIUS default username" could not be set on existing users when enabling RADIUS.
Launchers and Protocol Handlers
- Fixed an issue where mapping a launcher port field failed with the error "this field must be a number."
- Fixed an issue where launcher restrictions were not letting users limit user input in some scenarios.
- Fixed an issue where using "run process as secret credentials" launcher option and enabling session recording could result in launcher startup failure due to an access denied error.
- Fixed an issue where session connector RDP launchers would fail if there was no domain on the secret.
- Fixed an issue that caused proxied launchers to not display the port field if the launcher was modified after creation.
- Fixed an issue where protocol handler would downgrade if a newer version than the version available from the server is used.
- Fixed an issue where the 64-bit installer of protocol handler would include a 32-bit executable. This could start a race condition, causing launchers to close.
- Fixed an issue where the session-connector protocol handler could update to the normal client version, disabling some session recording features.
- (GA only) Fixed an issue where some configurations of "hide launcher password" and "field view permissions" would evaluate incorrectly.
Networking
- Fixed an issue where checking for WinRM service status required administrative privileges.
Remote Access and Proxies
- Fixed an issue where SSH terminal froze when launching secrets with failing heartbeats.
- Fixed an issue where RDP proxy endpoints would respond as available even with an invalid configuration, causing proxy connection failures. Endpoints no longer respond as available if the configuration is invalid.
- Fixed an issue where SSH and RDP proxy connections failed due to Unicode characters in connection credentials.
- Fixed an issue where the jumpbox route connection forwarding could not forward across different network segments.
- Fixed an issue with SSH proxy performance related to the "hide passwords from SSH keystroke capture" setting.
- Fixed an issue where master encryption key rotation would fail if RDP proxy credentials were created but not used.
- Fixed an issue where the "hide Password from SSH keystroke capture" setting was always enabled.
- Fixed an issue where using GUI applications in an SSH session would not work with restricted command lists enabled.
- Fixed an issue where pressing the down arrow key in an SSH proxy session could crash the SSH proxy.
- Fixed an issue where SSH key authentication to SSH terminal would display incorrect prompts.
- Fixed an issue where the jumpbox route port range setting was not used correctly by engine proxies.
- (GA only) Fixed an issue where SSH key rotation would fail on the first attempt.
Reports
- Fixed an issue where the report "What folder permissions exist?" would not run on newer SQL Server versions.
- Fixed an issue with reports failing with a "not valid for reporting" error with older versions of SQL Server.
- Fixed issue causing the "reports" option to be incorrectly hidden.
- Fixed an issue with reports failing to send to email when no start date is defined but the stacked-column chart type is used.
- Fixed an issue where the "secrets with failed password change" report would show an incorrect value for DateRecorded.
- (GA only) Fixed an issue where reports could not be selected in the left navigation on some pages.
Secret Server Cloud
- Fixed a Secret Server Cloud issue where engines were incorrectly set to enable FIPS compliance, causing SSH cipher issues.
Secrets, Policies, and Templates
-
Fixed an issue where secret erase would not run on a secret that had a previously changed password.
-
Fixed an issue where user could not add a list field if the other non-list secret fields were not correctly configured.
-
Fixed an issue where editing a secret template launcher mapping would remove the port. To restore the port to affected launchers, edit the mapping and re-save it.
-
Fixed an issue where password fields would display as empty on the duplicate secret dialog box.
-
Adjusted timeout behavior with bulk operations to provide more accurate statuses.
-
Fixed an issue with exporting secret templates failing under some conditions.
-
Fixed an issue where long URLs would affect page layout in the secret details view.
Session Recording
- Fixed an issue with advanced session recording agent installs always showing as a new entry. The entry now persists between upgrades.
Users and Groups
- Fixed an issue where column headings would disappear on the group membership assignment page.
UX/UI
None
Web Password Filler
- Fixed an issue where web password filler would default to the username field, regardless of the field mapping template settings.
Future and Recent Deprecations
This section describes planned future deprecation of feature or platform support in Secret Server.