Secret Server: 11.5.000002 Release Notes

This release resolves an issue that was discovered shortly after we published the 11.5.000001 General Availability release. The 11.5.000001 release was rolled back, and this release supersedes it.
For convenience, this note also contains changes and features from the Secret Server: 11.5.000000 EA Release Notes and Secret Server: 11.5.000001 GA Release Notes release notes, not just the changes from 11.5.000002.

Release Dates and Notes

On-Premises: July 19, 2023.

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.8.0

The minimum required engine version is 8.3.0.0.

Protocol Handler: 6.0.3.26

New Features

Checked Out Secret View

We added checked out secret view to Quick Access in the Secrets Folder panel. This is a quick view, showing users all of the secrets that are currently checked out to them.

RADIUS Silent Answer

Silent answer is a new configuration option for RADIUS that allows setting the RADIUS response to a defined string value. This is to support push notification and other interactive variations in advanced RADIUS authentication configuration. The new setting replaces "Attempt User Password" and allows for sending the user password or another predefined string.

Check Out Recovery

We adjusted the behavior of "Force Check In" to allow secret owners with the "Force Check In" role permission to force check in secrets that are set to "Change Password on Check in." The secret is automatically checkout to the owner who initiate the force check in. This helps in situations where a checked out secret with a failing RPC configuration will not check in and remains with a user who cannot remediate the issue. With this change, an owner can take ownership of the checkout session, remediate the secret configuration, and then complete a normal secret check in.

Syslog Metadata for Launched Sessions

For built in launchers on a launch event, the launch target host is included within the details of the Syslog message as an additional "Host" field. Previously, this was only sent for launchers requiring host selection but now includes launchers with a static host-target mapping.

Launcher Administration Page Conversion

We updated the Launcher Administration pages under Secret Templates to use our new UI patterns with a modern design. No functionality is affected, but the page is more responsive and intuitive.

SSH Key Authentication Passphrase Requirement

We added a new configuration setting to the login configuration page that allows administrators to enable a mandatory requirement for passphrases when users generate SSH keys for SSH Terminal key authentication.

Enhancements

  • Improvement: Upgraded error logging and efficiency for calls coming from Delinea Platform.
  • Improvement: A user with only direct access to a report and the "browse reports" role permission can add that report to the dashboard.
  • Improvement: Added a "Managed" field to the Discovery Network view to show when a discovery item is managed.
  • Improvement: Added a Quick Access link to see all secrets you currently have checked out.
  • Improvement: Added a refresh button to the Discovery Network view to refresh the data without having to refresh the entire page, losing the selected filtering.
  • Improvement: Added a WMI Service Timeout setting to the cloud advanced configuration page to help with dependency changes that take more time than the allotted 60 seconds.
  • Improvement: Added new tab to Discovery with overall metrics of discovered items and their statuses.
  • Improvement: Added two columns to the Secret Grid—Checked Out User Id and Checked Out User. These show who has the secret checked out if the secret has check out enabled.
  • Improvement: Added validation messages to password requirement rules for when password requirements are too complex to reliably generate a password.
  • Improvement: Clicking on graph elements in discovery analysis now links to a filtered network view.
  • Improvement: Disaster recovery date replication now syncs all SecretFieldLauncher items each time instead of just the updated ones.
  • Improvement: Discovery Service Accounts Detail Page now shows services that run as the directory account as well as the computers on which that service runs
  • Improvement: Enhanced the User Audit report to also exclude manually changed passwords.
  • Improvement: Group membership assignment UI updated.
  • Improvement: Group role assignment UI updated.
  • Improvement: Implemented "select all" for the Discovery Network View.
  • Improvement: Recently viewed secrets are now tracked within Platform. Configuration settings are now refreshed via navigation within Vault in Platform.
  • Improvement: RPC heartbeat logs are now combined into a tabbed view with run buttons.
  • Improvement: The breadcrumbs within the RPC administration pages have been standardized. The links within Platform Vault Configuration Overview no longer cause the page to reload.
  • Improvement: The built-in "Everyone" group was renamed "All Vault Users."
  • Improvement: The Delete folders function in disaster recovery can now delete more than 2100 folders or subfolders on the replica.
  • Improvement: The Delinea Platform integration configuration now has additional validations for Login URL.
  • Improvement: The PowerShell script timeout no longer defaults to 90 seconds. Instead, it now uses the value from the Event Pipelines Maximum Script Run Time (Minutes) setting in advanced configuration.
  • Improvement: Updated Createuser.aspx to redirect to the new user creation page.
  • Improvement: Updated group membership management pages to use new design patterns.
  • Improvement: Updated the folder permission assignment UI.
  • Improvement: Updated the group role assignment UI.
  • Improvement: Updated the text and product descriptions used during the Platform opt-In experience.
  • Improvement: Added a Managed field to the Discovery Network view to show when a discovery item is managed.
  • Improvement: Added a Password Age column for display on the reworked Discovery Network View
  • Improvement: Added a Quick Access link to see all Secrets you currently have checked out.
  • Improvement: Added filters to the secret search API endpoint to filter the results by checked out status: paging.filter.showSecretsCheckedOutByUser and paging.filter.showCheckedOutSecrets
  • Improvement: Added info to logs to indicate why users cannot match or create users in SSC. Find this at Secrets > Admin > Platform Integration > Logs tab. Common notifications include DuplicateUserMappedToDifferentProviderName: The user was initially setup to a different Platform source, the URL or userid (provider key) changed, indicating the original use was deleted. MaxLicensedUsersException: All licenses are taken so additional users cannot be added.
  • Improvement: Added integration support for Platform users matching local SS users that do not have an @ in their name. If platform user is username@local or username@tenantname then the username portion will be used to match local users on the SS side.
  • Improvement: Added support for LDAP RFC2307 group membership, used in OpenLDAP.
  • Improvement: Added the option to require a passphrase for user public SSH keys.
  • Improvement: Added validation messages to password requirement rules for when password requirements are too complex to reliably generate a password.
  • Improvement: Discovery service accounts detail page now shows services that run as the directory account as well as the computers on which that service runs
  • Improvement: Distributed engines no longer need directory services enabled to perform discovery.
  • Improvement: Introduced a new Launch Secret role permission, which is needed to use launchers. This permission is automatically granted to roles with the View Secret permission, which previously controlled this behavior.
  • Improvement: Removed the secretitemvaluetransitionhistory.aspx page and replaced it with an API endpoint, removing the possibility of bypassing the Hide Launcher Password control.
  • Improvement: RPC heartbeat and password change logs are now full screen instead of a dialog box.
  • Improvement: The PowerShell script timeout no longer defaults to 90 seconds. Instead, it now uses the value from the Event Pipelines Maximum Script Run Time (Minutes) setting in advanced configuration.
  • Improvement: The new folder icon in the secret panel no longer shows if the user does not have the Administer Folders role permission.
  • Improvement: The user audit report now has a filter panel and a description for how rotated secrets are calculated for this report.
  • Improvement: There is now a pending RPC screen and a timer that checks you back in, blocking seeing secret info indefinitely.
  • Improvement: Users can no longer access secrets that have failed processing a password change. Instead, they are shown a message stating the change failed.
  • Improvement: We now initially load 60 secrets when viewing a grid to support 4k monitors. This was previously 30.
  • Improvement: Within the details of the syslog message, there is now a username field that contains the mapped username for the launcher on a launch event. It appears as Username: [<username>] for the built in launchers.
  • Improvement: Within the details of the syslog message, there is now a Host field with the value of the mapped host for the launcher on a launch event. It appears as Host: [<host>] for the built in launchers.

Bug Fixes

  • Addressed an issue where users with only "view" access on a secret were unable to view the password if there was a custom launcher with arguments configured for that secret template.
  • Fixed an issue where "Close launcher on check in" on the replication source would prevent sessions from being launched on the replica.
  • Fixed an issue where a secret template could be saved without RPC mappings configured.
  • Fixed an issue where all event subscriptions did not fire for secrets in subfolders of the target folder.
  • Fixed an issue where discovery import would incorrectly assign a secret as an associated account, as opposed to a privileged account.
  • Fixed an issue where existence of secrets set to expire over a hundred years in the future would cause expiration reports and event subscriptions to stop triggering.
  • Fixed an issue where heartbeat and RPC log downloads would save without an extension. Now correctly saves with a .csv extension.
  • Fixed an issue where launching secrets with URL List and session recording enabled displayed a "Bad Request" message.
  • Fixed an issue where OpenID Connect or SAML accounts could not export secrets as they did not have a password and were not licensed for doublelock. DoubleLock is now available in professional licenses.
  • Fixed an issue where the API endpoint api/v1/secrets/{id}/fields/{slug}/ logged an audit that the password was displayed when the actual password was not returned to the user due to "hide launcher password" being enabled. This could happen from some UI actions.
  • Fixed an issue where the Edit button for User Management => Groups appeared when you did not have "Administer Role Assignment" permission. The action was denied in the API, so this was a cosmetic change.
  • Fixed an issue where the folder audit page would unexpectedly show an access denied message.
  • Fixed an issue where the folder permissions tab would load slowly with large numbers of users.
  • Fixed an issue where the German localization for "Password Should Exclude" was incorrect.
  • Fixed an issue where the new Discovery Network View UI would display a license error in the Professional Edition.
  • Fixed an issue where secret name would incorrectly display on the New Discovery Import Rules page.
  • Fixed an issue where the SubscriptionName condition for a notification rule would display the event subscription ID instead. It now correctly uses the name when the user has the appropriate roles to list the subscriptions.
  • Fixed an issue where TOTP Secret Settings edit button was available to users who could not edit the settings.
  • Fixed an issue where unplayable session recording videos would display an infinite load instead of the appropriate error.
  • Fixed an issue with negative numbers exporting incorrectly when exporting to a CSV file.
  • Fixed an issue with pinning a folder returned a "Folder not Found" error.
  • Fixed an issue with secret search producing SQL errors for customers with a lot of secret templates.
  • Fixed an issue where the SSH Proxy would stop processing new incoming connections.
  • Fixed conditions that prevented users from being removed from a group due to the system incorrectly identifying that they would be unable to complete the same operation.
  • Fixed issues with user and group syncing between Secret Server Cloud and the Delinea Platform.
  • Fixed the TemplateCreateSecret role link.
  • Updated links on the Security Hardening Report to new UI pages.
  • Fixed an issue to improve Platform integration user sync if duplicate usernames were already in Secret Server.
  • Fixed an issue where a secret template could be saved without RPC mappings configured.
  • Fixed an issue where all event subscriptions did not fire for secrets in subfolders of the target folder.
  • Fixed an issue where DR email alerts were not sent out.
  • Fixed an issue where extended fields were not properly exported to CSV files.
  • Fixed an issue where keystroke data from the advanced session recording agent did not appear in the keystroke activity details area of the playback page.
  • Fixed an issue where large messages from distributed engines to engine workers would not process. Engine workers may have crashed especially frequently in environments having four or more workers, including Secret Server Cloud.
  • Fixed an issue where LDAP sync via distributed engines would not work when the base DN was different from DC.
  • Fixed an issue where links on the Session Monitoring page while in grid mode would not correctly link to Secret Server Cloud with authentication.
  • Fixed an issue where the API endpoint api/v1/secrets/{id}/fields/{slug}/ logged an audit that the password was displayed when the actual password was not returned to the user due to hide launcher password being enabled.
  • Fixed an issue where the Confirm Action button in the bulk operation dialog box would remain active while the operation is processing. This is now correctly disabled to prevent initiating the action multiple times.
  • Fixed an issue where the SubscriptionName condition for a notification rule would display the event subscription ID instead. It now correctly uses the name when the user has the appropriate roles to list the subscriptions.
  • Fixed an issue where the terminate session mouseover tooltip displayed incorrect text.
  • Fixed an issue with a secret template name validation message not showing.
  • Fixed an issue with negative numbers exporting incorrectly when exporting a CSV.
  • Fixed an issue with new Platform trials not creating personal folders in Secret Server.
  • Fixed an issue with stacked dialog boxes. The CSS styles for the Platform Opt In dialog box have been adjusted to align with Angular15.
  • Fixed conditions that prevented users from being removed from a group due to the system incorrectly identifying that they would be unable to complete the same operation.
  • Fixed issues with user and group syncing between Secret Server Cloud and Platform.
  • Fixed usability on specific UI areas for a better user experience.
  • Updated Createuser.aspx to redirect to the new user management.

Future and Recent Deprecations

This section describes planned future deprecation of feature or platform support in Secret Server.