Secret Server: 11.3.000001 Release Notes (GA)
Release Dates and Notes
Early Access: October 4, 2022 (On-Premises)
General Availability: October 25, 2022 (On-Premises)
The following release notes apply to both EA (11.3.000000) and GA (11.3.000001). The bug fixes that only apply to GA are prefaced with "GA only."
The protocol handler version for this release is RDPWin_6_0_3_23.
New Features
Additional Custom Logo Variations
You can now upload more custom interface logos. This includes an optional larger logo for the login page. Each logo includes alternative images for light and dark modes. This results in six logo variations.
The settings are available in the configuration preview. Enable the configuration preview and then locate the new settings in the Administration > Configuration > General > User Interface area.
Advanced Session Recording Agent
The advanced session recording agent (ASRA) MSI is now self-contained and based on .NET Core, which does not need a .NET SDK installed; however, installing an ASRA from the advanced session recording page using the installer still requires that the .NET Framework redistributable components are installed.
To install or deploy the agent without the framework, follow the customization steps in Installing the Advanced Session-Recording Agent.
Configurable Global Banner
You can now configure a multipurpose global banner for all users. You can use it for maintenance, security, or policy notifications. You can set the severity level, text, a hyperlink, and an in-theme color, which is determined by the severity.
The settings are available in the configuration preview. Enable the configuration preview and then locate the new settings in the Administration > Configuration > General > User Interface area.
Classic User Interface
We enhanced the new UI experience, and all new features only appear in that UI. The classic UI is deprecated and no longer maintained. For this release, the classic UI is disabled by default but temporarily still available. You can enable it at Administration > Configuration > General > User Interface settings. As of the next minor release, the classic UI will be permanently removed.
Disaster Recovery Synchronization Improvements
We improved the disaster recovery (DR) feature to synchronize additional items, including:
- Local and domain users
- Groups
- File attachments
- Secret and folder permissions
This enables replication of the permissions structure to the replica server, providing a readily available standby with permissions in place.
Event Pipeline Enhancements to Sending Emails
Users can now select an inbox email template in the event-pipeline send-email tasks. This gives the user access to event-pipeline and inbox tokens within the predefined email template.
Once the event pipeline is triggered, it sends an inbox notification and processes any inbox rules. The inbox rules send an email to the task recipients.
Protocol Handler Process Tracking
We renamed launcher settings from "Record Multiple Windows" and "Record Additional Processes" to "Track Multiple Windows" and "Track Additional Processes." These are now both used for process tracking, regardless of whether recording is enabled. This improves session termination, either triggered or automatic, applying to child and specified processes, per the launcher settings.
Refreshed Administration Page
We updated the administration page with a new categorized view where users can pin commonly used items to a list. To pin an item on the new administration page, hover over or focus it, revealing a pin icon. Click the icon to add the item for quick access.
Session Monitoring Page
We converted the session monitoring search page to the new UI. The functionality remains essentially the same; however, we removed role restrictions on filters. We also optimized both the front- and back-ends.
SFTP Tunneling
Added an SFTP tunnel setting to the SSH proxied process launcher for use with SFTP client custom launchers. This was tested with FileZilla and WinSCP.
SSH Cipher Suite Configuration
We added a configuration page that sets the Secret Server SSH ciphers used when making SSH connections for various tasks, such as heartbeat, password changing and discovery. This does not apply to SSH password changers using the "Legacy" runner type. This is at Administration > SSH Cipher Suite Configuration.
With this feature, users can set availability and application order for key exchange, MAC, and encryption algorithms via an easy-to-use list. To use the list, go to the configuration page for the site, and enable the SSH cipher suite setting.
Enhancements
Alerts, Auditing, and Logs
- Better error logging during disaster recovery.
- Added a "Session Recording Downloaded" audit event.
- Updated email templates with new brand headers.
- Added a saved history for TOTP fields on secrets.
- Converted the user audit report page to the new UI.
- Added support for Unicode characters in email addresses.
Authentication, Login, and Directory Services
- Renamed the "What computers in Active Directory no longer exist?" report to "What Computer Accounts found by Discovery are not managed?" to reflect the results more accurately.
Backup, DR, and HA
- Added file attachment fields to disaster recovery sync.
- GA only: Improved replication by adding extended data mappings.
Dashboard and UI
- Searches now work correctly for usernames with non-alphanumeric characters such as %, _, and [].
- Updated Inbox page to allow for low screen resolution or high zoom settings.
Encryption, Passwords, and Certificates
- Generated SSH private keys are now saved with AES128 encryption instead of DES.
General
- Updated several third-party libraries to remediate vulnerabilities.
- Added DPAPI and SAML pages to the configuration preview.
- Office 365 Template and Password Changer have been renamed to Azure AD Account and Azure AD respectively.
Heartbeats
- Office365 heartbeats now detect if you provide the domain in the username.
Launchers and Protocol Handlers
- We now include the required Visual C++ runtime with the protocol handler.
- Updated the PuTTY version distributed with the protocol handler from v0.74 to v0.77.
- Launcher mappings and restrictions are only validated when they have changed.
Localization
- Increased localization performance in Cloud by caching additional language files.
Remote Access and Proxies
- Added a "use SFTP tunnel setting" to the SSH proxied process launcher to support using SFTP client custom launchers. This was tested with FileZilla and WinSCP.
Reports
- Added "new report" and "add category" action buttons to the reports page.
- Moved reports audit to a tab for consistency, replacing the existing button.
Secrets, Policies, and Templates
- Added more tooltips to the secret template page.
- Added a new public endpoint for secret template conversion.
- Increased an individual secret list field to 500 characters.
- Secret erase now completes without errors when the secret has an associated list.
Session Recording
- Adjusted SSH keystroke recordings to omit VTY special commands, which cleans up the output, and to show the control commands used in the client output.
- Converted the advanced session recording agent to .NET Core.
- Advanced session recording agent will now only register if the latest agent is installed (or any future versions). This supports a change in the registration process.
Teams
- Added "include all users from domain" setting to the team configuration, which directly maps the users synchronized from a domain to that team.
Users, Groups, Roles, and Permissions
- Viewing the password requirement page now requires the "view password requirements" permission.
Web Password Filler
- Added a Safari link for Web Password Filler to the launcher tools page.
Bugs
Access Requests, Checkout, Secret Workflows, and Doublelocks
- Fixed an issue where no notification appeared if a secret view interval expires while the user was viewing the secret.
- Fixed the secret session extension to also extend launcher sessions and not just checkout sessions.
- Fixed an issue where adding a workflow to a secret could not be saved.
- Fixed an issue where users could not check out a secret when the internal site connector was unavailable, even if they did not have checkout hooks or pipelines actions that rely on the site connector.
- Fixed an issue where workflow items in secret policies would not save.
Alerts, Auditing, and Logs
- Fixed an issue where the secret-template password-type field-mapping audits were not recording the correct fields.
- Fixed an issue where viewing a secret list would record that the password was displayed in the audit log.
- Fixed an issue where removing a user from a group did not show up in the event log.
- Fixed issue where "expire secrets on user audit report" was deactivating secrets.
API and Scripting
- Fixed an issue where secretPath in the API would not work with secrets having a single forward or back slash in their name.
- Fixed an issue where the diagnostics API showed an incorrect value for the upgradeAvailable property. We also added the latestVersion property.
- Fixed issue with secret search v1 API throwing a 400 error.
- Fixed issue where the secret policy SOAP API would throw an error when using the professional license.
Authentication, Login, and Directory Services
- Fixed an issue where SSH terminal authentication with RADIUS two-factor authentication would incorrectly audit login failure.
- Fixed an issue where SSH terminal authentication would not correctly process RADIUS logins.
- Fixed an issue where changing the distinguished name field on directory services displayed inaccurately in audit logs.
Background Services
- Fixed an issue where running a change-password bulk operation required an SSH key on secrets set up for both key and password changes.
- Fixed an issue where bulk operations would fail if too many target secrets were specified.
- Fixed an issue where a bulk change-password operation threw an "empty private key" error.
- Fixed an issue where the "set privileged account" bulk operation would display an error when attempting to set the "credentials on secret" option.
- Fixed an issue where applying a bulk operation checkout would also enable "change password on check In."
Backup, DR, and HA
- GA only: Fixed an issue where pre-existing non-replicated folder ACLs were deleted on replication.
- GA only: Fixed an issue where during DR ProtoObjectCollectionServiceBase.SaveDtos (secret launcher) threw a fatal error when too many characters were inserted.
- GA only: Fixed an issue where PasswordRequirementConsumer threw errors during replication when bringing in large numbers of secrets.
Bulk Operations
- Fixed an issue where running a change-password bulk operation required an SSH key on secrets set up for both key and password changes.
- Fixed an issue where bulk operations would fail if too many target secrets were specified.
- Fixed an issue where a bulk change-password operation threw an "empty private key" error.
- Fixed an issue where the "set privileged account" bulk operation would display an error when attempting to set the "credentials on secret" option.
- Fixed an issue where applying a bulk operation checkout would also enable "change password on check In."
Cloud
- Fixed an issue where cloud pages were returned in a previously cached language.
Dashboard and UI
- Fixed an issue where changing the address bar from one secret ID to another would not update the display of the associated secrets list.
- Fixed an issue where the "Restrict SSH Commands Edit" link was not showing.
- Fixed an issue where the password on a secret was not displayed when "Edit Requires Owner" was set on the field and the user had edit permissions.
- Fixed an issue where the script editor on various pages would act as a keyboard trap, and there was no way to change focus without a mouse. Enabled an escape combination and detailed it alongside the editor.
- Fixed an issue where the script editor on various pages would represent a tab with a single space. Changed to 4 spaces.
- Fixed an issue where text formatting was not displaying on the in-line secret preview in the secret grid.
- Fixed an issue where breadcrumbs were not displaying on several pages.
- Fixed an issue where custom logos would not display correctly.
- Fixed an issue where a long secret field name would overflow the label area and obscure the value in the secret preview panel.
- Fixed an issue where page layout would change the location of buttons on the password changer configuration page.
- Fixed an issue where setting the UI inactivity timeout value to 0 caused an exception. This value now disables UI inactivity as expected.
- Fixed an issue where the secret list view would not scroll to the bottom of the list.
- Fixed an issue where secrets view would not remember the last setting between grid or list options.
Discovery
- Fixed an issue where you could not set a discovery source to inactive if the sync secret was no longer valid.
- Fixed an issue where discovery rules would not function correctly when organization units had brackets in their names.
- Fixed an issue where secret search filters were not saved to a discovery scanner when searching "All Folders."
Distributed Engines and Site Connectors
- Fixed an issue where a site connector could not be disabled if it was assigned to the local site when it is configured for website processing.
Encryption, Passwords, and Certificates
- GA only: Fixed an MEK rotation error when rotating deleted session recordings.
- Fixed an issue that could cause an index error during master key rotation.
- Fixed an issue where a password rules validation message did not appear when exceeding the maximum allowed characters for a ruleset.
- Fixed an issue where some validator options were not visible when creating a new password requirement.
Event Subscriptions and Pipelines
- Fixed issue where users could not click pipeline buttons when in unlimited admin mode.
- Fixed an issue where the "Move to Folder" event pipeline task would throw an error when editing.
- Fixed an issue where event subscriptions could only target secrets with view permission or higher. Secrets with list view are now selectable.
Folders
- Fixed issue that allowed sharing personal folders when using "Username and Domain" as the display name.
- Fixed an issue where a new pinned folder view would default to all secrets instead of the expected default active secrets.
- Fixed an issue where folders would unintentionally display in reverse alphabetical order in the secrets list.
- Fixed an issue where expanding the details of a folder would sometimes display the details for a secret in the secrets grid view.
- Fixed an issue where the folder picker would not display when selecting from a list of collapsed folders in secret list view. When there are many subfolders, they collapse into a single item showing the number of subfolders. Clicking this opens a folder picker to choose the desired folder.
- Fixed an issue where the last viewed secret folder was not retained when the user preference was set to remember it.
- Fixed an issue where secret policy inheritance would not propagate down the folder structure when importing folders.
- Fixed an issue where moving a child folder to a location with a subfolder of the same name would throw an error.
General
- Fixed an issue where Secret Server On-Premises unsuccessfully attempted to connect to our cloud monitoring platform.
- Fixed an issue where dependency scan messages would not expire when not consumed, causing a large queue to form.
Heartbeats
- Fixed an issue where heartbeats intermittently failed when run while storing account details for multiple Office 365 tenants.
- Fixed an issue where heartbeat could be queued while a remote password change operation was still in progress. This would cause the heartbeat to fail.
- Fixed an issue where Oracle usernames with the hyphen character would fail to heartbeat. This now wraps the username in quotes, as is required by Oracle.
Import and Export
- Fixed an issue where automatic export would not run every day as configured.
- Fixed an issue where secret export did not trigger the appropriate event subscriptions or pipelines.
- Fixed an issue where extended fields in the secrets view grid would not be present in the export.
Launchers and Protocol Handlers
- Fixed an issue where the protocol handler for session connector download would fail.
Licensing and Activation
- GA only: Fixed an error during license activation.
Localization
- Fixed an issue with slow page loading when the browser language was set to a language that is not an available localization option.
- Fixed an issue with localization not applying to some labels on inbox notifications.
Remote Access and Proxies
- GA only: Fixed an issue with SSH proxy where WinSCP in SCP mode with block lists did not connect as expected. In addition, the session recording log no longer records file content.
- Fixed an issue where system tray notifications would not show in session connector sessions.
- Fixed an issue where duplicate jumpbox route options were sometimes shown.
Remote Password Changing
- Fixed an issue where custom PowerShell password changers would not evaluate the $CURRENTPASSWORD token.
- Fixed an issue where changing the remote password changing schedule by policy would not happen until after the next previously configured schedule attempt. This now immediately takes effect.
- Fixed an issue where monthly remote password changing schedules could not be saved.
- Fixed an issue where remote password changing schedules would display time in an incorrect time zone.
Reports
- Fixed an issue where built-in remote password changing reports were excluding items without configured expiry fields. Added a new field to the secret table to track the last password change and updated the reports.
- IBM Only: Fixed an issue where the report editor was not usable.
- Fixed an issue where report results could not be downloaded from the view report page.
Secrets, Policies, and Templates
- GA only: Fixed an error where rendering secret list pages threw a SQL error.
- GA only: Fixed an error where a user could create a secret using a secret template the user does not have access to.
- GA only: Fixed an issue where the secrets reporting card description was missing.
- Fixed an issue so only secret owners can see the test option for a dependency.
- Fixed an issue where service dependency changers failed because Windows used a different naming format from the secret. We added more-robust handling for several cases.
- Fixed an issue where an imported dependency would persist even if the machine no longer existed.
- Fixed an issue where a user could change the active state of a secret template when not authorized to do so.
- Fixed an issue where you could save a secret with no owner set.
- Fixed an issue where setting permissions on a secret would result in an error.
- Fixed an issue where converting a secret to a template would remove metadata.
- Fixed an issue where an error occurred when changing the autochange schedule on a policy from default to enforced.
Session Recording and Monitoring
- GA only: Fixed an issue where session monitoring did not save a column preference.
- Fixed an issue with the advanced session recording agent installer generation.
- Fixed an issue where large numbers of recorded keystrokes would affect performance in the secret audit page.
Ticketing System
- Added better logging and error handling for ticket system integrations.
Users, Groups, Roles, and Permissions
- Notification: System roles are no longer editable. If you need to enable a system role, please contact Delinea Support.
- Fixed an issue where the inactive message would show when a user had view only permission on a secret.
- Fixed an issue where users could not access the secret settings page without the "view advanced secret settings" role permission.
- Fixed an issue where users could not define a domain when creating a user.
- Fixed an issue where only 30 of the user management IP restrictions would load.
- Updated secret share to not show users without permission on the secret.
Web Password Filler
- Fixed an issue where forward slashes were removed from Web Password Filler URLs. This broke redirect URLs.
Future and Recent Deprecations
This section describes planned future deprecation of feature or platform support in Secret Server.