Secret Server Cloud Release Notes for March 31, 2023

Release Dates and Notes

Cloud: March 31, 2023 (including April 4, 2023 update)

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.6.0

Protocol Handler: 6.0.3.26

Enhancements

  • Secret MFA: Block indirect API calls (Updated secret access logic for MFA).
  • Updated disaster recovery data integrity checks to prevent replication when the replica is a higher version than the primary. In this scenario, the replica may have different schema and system data than the primary, causing replication issues.
  • During disaster recovery replication, secret items from the source are combined with ones from the replica when they have matching SecretIDs and SecretFieldIds.
  • "Save" buttons are no longer disabled when a form is invalid. Clicking the button will now show and trigger form validation messages.
  • Color palette updated to improve accessibility and brand.
  • Added option to duplicate a discovery scanner.
  • Added the ability to sort in the new Discovery Scanner UI.
  • Added credential validation message for the new Discovery scanner page.
  • Launcher icons updated on secret general and inline secrets.
  • Updated the new scripts UI to allow testing of remote scripts.
  • Updated Delinea Platform opt-in flow to allow region selection and have explicit confirmation.
  • Secret panel is now always open when on any secret section page. My Secrets page added to give a quick overview or dashboard of secrets, including favorites, recent, and search secrets and folders. My Secrets has a session secrets section which will show any secrets that have been opened during the web session. Favorites, recent, most used, and shared with me are now linked in the secret panel. Pinned folders now show a scoped version of My Secrets and only search within that pinned folder. New folder icon is always on top of the secret panel. A guide walkthrough will appear the first time a user goes to secrets. Folder URL path is now contained in /secrets/folder... Secret detail URL is now plural to be consistent and prevent reloading of the secret panel.
  • A new checkbox has been added which enables requiring all users who log in through the Delinea Platform to have used Platform's multi-factor authentication when logging in.
  • Unlimited Admin notification now appears in the header instead of floating as a transparent block.
  • Unlimited admin page in configuration preview now has a link to open the unlimited admin audit.
  • CreateUser.aspx now indicates that provisioning is in progress if accessed during the unified trial (platform) provisioning flow.
  • For pages still using the legacy UI underpinnings, the Unlimited admin notice will show on .aspx pages when it is enabled.
  • Added a Discovery import rule to the new network viewer.
  • SDK Client Management pages have been converted to the new UI page format.
  • The password changers list/grid has been updated to the new UI design.
  • Converted list options ss-grid to thy-grid. Allows for resizing of columns.
  • Discovery rules and dependencies grid can now be filtered by discovery source. Rule grid now also has discovery source available as a column.
  • The secret detail page now includes a button to copy the current URL to the clipboard with rich text, including the secret ID and secret name. Plain text copy will just include the URL.
  • Read-Only mode can now be enabled in Secret Server Cloud on the Disaster Recovery Configuration page.
  • Local Admin column added to the new Discovery network view.
  • Secret template name on the secret general tab is now a direct link to the template.

Bug Fixes

  • Fixed a bug that caused launcher session failure on secrets that were expired on checkout but then had checkout disabled via policy. Also fixed this situation on secrets retroactively.

  • Fixed issue so that when a PBA URL is configured through the UI, the host and certificate are now validated.

  • Updated file-attachment selection process for data replication so that file attachments for secrets in the root folder are selected when the user has specified a folder block list.

  • Fixed a problem with Azure AD / OpenIDC in the April 1st monthly release that prevented login.

  • The report CSV download now encodes specific Turkish characters and has an updated mime type of text/csv.

  • The sessions monitoring page used to purge inactive sessions longer than three minutes, disregarding the SSH proxy timeout. Now, it abides by the specified timeouts.

  • The export secrets feature has been changed into an asynchronous job. The export process starts a job and continues polling until completion. Users should remain on the page until the job finishes to avoid timeout issues.

  • An issue was resolved where a secret dependency with a run condition would not execute when it was the first secret dependency in its group or moved to a new group. Now, updating a secret dependency to the first sort order or a new group clears the run condition.

  • The all secrets CSV download now correctly shows the folder name instead of the folder ID.

  • Folder permission now correctly shows "None" in secret role drop down when in edit mode.

  • Dates in the report export no longer include the "Z" for UTC when server time is used and ISO date format is selected, since the date/time is the server configured time and not necessarily UTC. This means the date is in ISO format and the server configured time, but does not include the offset. In some specific configurations when user format was selected, the time zone offset would be applied based on the actual server time zone and not the configured time zone.

  • After changing field properties on a secret template, the UI cache is cleared to allow selectable columns in grids to be updated without requiring a browser refresh.

  • Corrected a bug where converting or duplicating a secret with an assigned secret policy would cause launcher settings to apply multiple times, causing a UX constraint violation.

  • An audit entry is now made for the user that enabled maintenance mode during an upgrade (on-premises only).

  • Event subscription now publishes the event for when a user is enabled or disabled.

  • Discovery logs will now export more than 250 records.

  • Logging into Terminal with an Azure Active Directory account using SSH Key Integration is now possible. AAD logins to Terminal via password are not possible.

  • License server activation grid updated to resolve layout clipping issues.

  • Secret dependency API variable name changed from id to secretDependencyId to help clarify which parameter is needed.

  • Deleting folders will now also indicate that subfolders will be removed as well.

  • For security reasons, we are removing the GET endpoint for /secretserversettings/export and replacing it with a POST endpoint where we can transmit the password securely. The contents of the payload are the same, except that "password" and "doubleLockPassword" fields have been added and the entire payload is now contained within a parent "data" object.

  • Lookup folders (api/v1/folders/lookup) and search folders (api/v1/folders) will now return only direct children when searching by parent ID. They will no longer return grandchildren.

  • Enabling heartbeat for the first time on a secret template will no longer subtract 1 minute from the heartbeat duration.

  • The duration field on session monitoring now shows as a friendly time duration instead of just total seconds.

  • "Automatic sudo or su privilege elevation" was fixed to work with Solaris OS.

  • Connect using SSH key on another secret now works with SSH key only secrets.

  • Addressed issues where secrets configured for checkout on the source could cause errors on the replica.

  • Added documentation in a tooltip to point users to audit on proxy page (proxy audit).

  • FOLDERPATH parameter now works with report schedules and running a report.

  • The secret search API endpoint now accepts a filter parameter called extFieldsCombined, which is a comma-delimited list of all extended fields to include in the results. The secret grid now uses this field to reduce the size of the URL when many secret fields are exposed for display, avoiding the IIS URL length restriction on GETs of 2,048 characters.

  • Inline row added to secret dependency log dialog to expand the row.

  • Edit inbox rule condition dialog title now says "Edit condition" instead of "Add condition."

  • Fix to allow heartbeats even if the secret has checkout enabled.

  • Addressed an issue with disaster recovery replication where replicated custom launchers were not visible on their associated secrets.

  • The report SQL editor no longer has options to download or configure columns on the report as it is not supported in that mode.

  • Disaster recovery data replication errors caused by out of sync encryption keys are now automatically resolved properly.

  • The "Most used secrets" grid on dashboard overview now downloads the folder path instead of the folder ID.

  • The secret search API now returns the folder path on the secret. Secret grid download now includes folder path on all records accordingly.

  • Fixed issues related to RabbitMQ channel and queue growth. Channel and queue growth should no longer be experienced.

  • Resolved an issue with disaster recovery folder synchronization selection. Personal folders can now be selected for either allow or block lists.

  • Fixed an issue with folder name collisions during disaster recovery data replication sync.

  • Fixed older character sets that failed to replicate when running disaster recovery.

  • Handled issue when replicating data for disaster recovery where pre-existing users on the replica that do not exist on the source could lose their All Vault Users group membership.

  • Descriptive text added on web launcher mapping for restricting input fields.

  • Fixed an issue with the secret log length validation in the UI.

  • Fixed issue where secret field data over a certain length may be rejected by the database upon replication.

  • Corrected an issue where the first user created as part of the unified trial flow for Platform did not have admin access to Secret Server Cloud.

  • Folders in the tree will now be limited to only show 125 folders per tree. Once there are 125+ subfolders, a "Browse all folders" option will appear in the folder tree. This link will take the user to a grid that only shows folders with a search. The grid has paging, so it will load 30 folders at a time as the user scrolls. This will help support instances when users have thousands of subfolders. If there are more than 30 subfolders in a folder, the secret grid will show a link to the new folder browser. This used to open a dialog to the folder tree which would also run into performance issues when users had over 1,000 subfolders.

  • Fixed issues for password requirement character set data replication in the DR feature.

  • Corrected the default timestamp format for CEF.

  • Expanded the user setting size to resolve issue for some customers with lots of columns for a grid.

  • Left navigation maximum folders default limit increased to 1,000. Setting dialog added to set the user preferred limit. Folder browser now loads 100 records at a time on scroll instead of just 30.

Future and Recent Deprecations

This section describes planned future deprecation of feature or platform support in Secret Server.