Secret Server Release Notes 10.6.000026
The second minor release after 10.6 for Secret Server On-Premises. Released on May 29, 2019.
Upgrade Notes
| • | After upgrading to 10.6.000026, the first admin who logs in to Secret Server is prompted with a wizard that walks through the new user interface (UI) configuration settings for their instance. Users can adjust these settings at any time from Admin > Configuration in the User Interface section. |
| • | Enterprise customers who use load balancing with RabbitMQ may want to delete queues after upgrading Secret Server from versions earlier than 10.6. If customers using RabbitMQ do not delete their queues, they will not lose functionality, but old queues that were renamed in a 10.6 architectural update will continue to fill up with messages. |
New Features
New User Interface
| • | In the 10.6.26, Secret Server's user interface was updated, featuring a black left-hand navigation pane. The look and feel and user experience updates were based on user feedback from the beta version. |
| • | As noted in the upgrade notes section, after upgrading the first admin who logs in to Secret Server is prompted with a wizard that walks through the new UI configuration settings for their instance. Users can adjust these settings at any time from Admin > Configuration in the User Interface section. After settings are saved, users with access to the new UI are shown a short demonstration of switching between new and classic user interfaces upon their first login. |
We are incrementally introducing feature parity between the new and classic UIs. In this upgrade the new UI added support for:
| • | Emailing reports to users. |
| • | Deleting reports. |
| • | Converting secret templates. |
| • | Uploading files to secrets. |
| • | Copying and converting file attachments. |
| • | Setting automatic password change rotations when creating new secrets. |
| • | Rotating SSH Keys and Passphrases for SSH secrets. |
| • | Rotating SSH Keys and SSH passwords using a bulk operation. |
| • | Displaying custom columns in the folder view. |
| • | Updated the Secret Picker to include a folder tree browser when selecting a privileged secret for Remote Password Changing. |
| • | Added a password complexity indicator that displays when editing a Secret's password. |
| • | Updated Search functionality to include folders. |
| • | Users can now "favorite" folders by clicking stars on folders in a table view or by right-clicking folders in the left navigation pane. |
| • | Additional "View" audits were added to the new UI to track users who view Next Passwords, SSH Keys, and Passphrases. |
| • | Optimized SQL queries when searching for secrets in the new UI. This includes: Faster searches, the paging and sorting is now performed in the database instead of the web server Ability to filter by secret permission, extended type id, password type id, RPC enabled, recently used date range Can now return extended fields Sorting by an invalid field now returns an exception instead of sorting by the secret ID |
Advanced Session Recording Without Launcher
| • | Added video recording capability to the Advanced Session Recording agent, with a new configuration setting that can enable recording of a video on an endpoint even when a launcher is not used to begin a session. |
| • | Advanced "headless" session recordings will show a 'Session Minimized' notification for periods during which the session was minimized, or otherwise hidden from the user such as during the final stages of logging out. |
| • | To prevent unnecessarily long session recording sessions, added a "Max Session Length" setting for recorded videos. The default for this setting for on-premises instances will stop a session after 24 hours of no activity. Administrators can set this to a maximum of 48 hours. |
New Secret Templates
| • | Added a new "No Password" template for SSH/Linux Key rotation. These templates allow users to rotate SSH and Linux keys without the password field requirement that exists on other Unix secret templates in Secret Server. When creating a new secret, select "Unix Account (SSH Key Rotation - No Password)" as the Template to use this new feature. |
| • | Added a native Amazon (IAM key) rotation template. When creating a new secret, select "Amazon IAM Key" as the Template to use this new feature. |
Integrations
| • | Added a new biometrics eWBM integration for FIDO2 authentication with Secret Server. eWBM's website at http://www.ewbm.com/. |
| • | A connector application is now available to link Secret Server to identity management tools using the System for Cross-Domain Identity Management (SCIM) standard. |
System Support Updates
| • | Secret Server now supports Azure SQL as its database server but only if the Web server is hosted in the same geographical datacenter as the Azure SQL database (because of latency issues). Secret Server does not support Azure SQL if the Web server is hosted on-premises. Note: Azure SQL users are unable to use the Secret Server database backup setting. For information about Azure SQL backup please see Microsoft documentation. (https://docs.microsoft.com/en-us/azure/sql-database/sql-database-automated-backups) |
| • | Secret Server System Requirements have been updated to include Support for Windows Server 2019 and SQL Server 2017. |
Enhancements
Session Recording
| • | Updated the "View Session Data" feature for session recording to keep users from viewing session data on any ongoing session. |
| • | Added searching by date and time for session recording videos. |
| • | Updated the advanced session recording agent (ASRA) so that the SecretLauncherSessionMatchingService can now match the ShortName to the NETBIOS name of domain objects in Secret Server. * Windows terminal sessions report the pre-2000 domain NetBIOS name, which is relayed from the ASR agent to Secret Server and used for matching Windows terminal sessions to secret launcher sessions. This is an issue if the domain on the secret is the domain FQDN or friendly name and matching fails. For example: You have the ASR agent installed on a machine which is joined to a domain (mydomain.com) with a pre-2000 NetBIOS domain name "SOMETHINGELSE" Your secret has the domain name "mydomain.com" When you launch into the machine, Secret Server attempts to match "mydomain.com" (from the secret) with "SOMETHINGELSE" (the domain NetBIOS which the ASR agent relays) and fails. Secret Server resolves this issue by trying multiple methods to get the appropriate FQDN for the Windows terminal session and using the best result from those methods, which should result in matching correctly more frequently. |
| • | Updated advanced session recording matching by automatically mapping to the secret template's RDP fields automatically. Matching was improved by checking the secret template's RDP launcher mappings. Now, no matter what the fields are named on the secret template, the correct username and domain fields are used, based on the launcher mappings. |
| • | Advanced session recording can now match sessions using DNS resolution. When using an RDP launcher on a secret with a machine or computer name, instead of an IP address, the protocol handler does a DNS resolution of the hostname and reports the IP back to Secret Server, which is saved for the entry in tbSecretSession. This helps advanced session recording find additional matches when the hostname does not match the computer name, only if the hostname resolves to an IP address found directly on the target computer. If there is any NAT used, this will still fail to find a match because the NAT IP is not found on the target computer. |
Secret Folder Import and Export
| • | Added subfolder creation during secret importation. |
Secret Templates
| • | Updated launcher and password changing for the IBM iSeries secret template. |
Search
| • | Added default index separators to include the following characters: ? Question mark ! Exclamation point @ At symbol # Pound symbol ( left parenthesis ) right parenthesis [ left square bracket ] right square bracket { left brace } right brace ' apostrophe " double quotation mark - hyphen Configure indexing separators at Admin > Search Indexer. |
Discovery
| • | Updated the ESX discovery scanner to updated versions of the VMWare/VSphere SDK. |
Logs
| • | Enhanced verbose logging. Added additional logging for the Scheduled Task Scanner, Discovery Classes, Active Directory, and Password Changer logs. |
Bug Fixes
Launchers
| • | Fixed an issue where the Mac launcher was not automatically populating unique password prompts when connecting with PuTTY. |
| • | Fixed an issue where the Custom Launcher screen resolution setting for Mac Launchers was not properly applied. Previously, custom launcher sessions used full-screen resolution. Note: If there are no custom values set, session resolution will default to 1024x768. |
| • | Fixed an issue where using a Windows account launcher with a domain account would fail if the launcher was configured with an IP address in the machine field. The logic detected the computer name as an IP address and then returned before setting the domain field. |
| • | Updated the Mac Launcher to hide the session recording indicator for users when Configuration > Session Recording > Hide Recording Indicator is enabled for the launcher. The mac launcher now uses the "hideRecordingIndicator" variable stored in the sessionInfo object. Initially, there was no logic involving hiding the indicator. Added the "hideRecordingInidicators" function to the object ALaunchedTask. Updated logic under "refreshRecordingIndicator" under TaskMonitor to call "hideRecordingIndicators" when determining if it should show any icon for active watchdogs. Updated watchdog to contain a public property that is passed on instantiation—"hideWatchdogMessages". On watchdog start or stop, it now validates the "hideWatchdogMessages" is false before displaying alerts about the session being recorded. |
| • | Fixed a custom URL issue where launcher images did not properly display when accessing Secret Server from different sites. The custom URL was a different sub-domain from the URL that the site was accessed from. The images were served from the custom URL and our content security policy was blocking those requests. The content security policy is used to prevent cross-site scripting attacks. The solution uses the URL given instead of the custom URL. |
| • | Updated the Mac launcher to include support of TLS versions 1.2 and 1.3. |
| • | Changed the default launcher setting for RDPUseComputerForDomain to "True" to allow the launcher to work on all Windows versions currently supported by Microsoft upon install. This was tested on Windows 8.1, 10, Server 2008, Server 2012, Server 2016, as well as on MacOS 10 Sierra, High Sierra, and Mojave. It prevents launchers from failing unintentionally when connected to some Windows OS versions. |
| • | Updated launchers to accept upper case characters in URL strings on a Web password secret. Previously, launchers set all uppercase characters to lowercase before launching, which caused launch failures for URLs that are case sensitive. |
| • | Fixed an issue where a user launched a session recording but then immediately exited, Secret Server still attempted to record the session, resulting in inaccessible videos that were 00:00 seconds long. To resolve, zero-length sessions are no longer turned into videos and now returns the error: "Session too short - no video." |
New User Interface
| • | Fixed a bug in Internet Explorer for the new UI where the Download File button threw an "access denied" error. |
| • | Fixed a bug where the dependency log view did not sort correctly on the Date Recorded column. |
| • | Fixed a bug in the new UI where users with "edit" and "administer folders" permissions were unable to create subfolders within a parent folder. |
| • | Fixed a bug in the new UI where users without the "Assign Secret Policy" role permission were unable to create new secrets in a folder. The internal logic for validating whether a user may assign a secret policy to a secret did not consider the special case of secret creation. The user's personal permission to assign a secret policy should be ignored during the creation process if they did not assign one, but the code acted as if the user had assigned the policy, not that the policy was assigned by the folder. |
| • | Fixed a bug in the new UI where breadcrumbs for the Workflow and Teams audit pages displayed "audit" instead of the component's name. This issue also caused breadcrumbs to reload when switching between tabs on the page. |
Time Conversion
| • | Fixed a date-time issue where abbreviations for the month of the year in languages other than English were not properly logging to Syslog. |
| • | Fixed an issue where records in custom reports were logging as the UTC time zone rather than a user's local time zone. |
Scripting
| • | Updated REST API call "Get Folder Permissions" parameter for filter.userId to return all user permission information. |
| • | Added enhanced error logging for Oracle scripts. |
| • | Fixed a bug where the API incorrectly required Owner permissions on a secret to change the password on that secret. Edit permissions are now required when changing a password through the API. |
| • | Fixed an issue where the "Webservice Password Displayed" audit was logged incorrectly when non-password-related API calls to "Get Secret Fields" occurred. The REST endpoint GET /secrets/{id}/fields/{slug}, when used to view a non-password secret's field was incorrectly recording an audit stating "WEBSERVICE PASSWORD DISPLAYED." This was due to the endpoint's implementation using the existing GetSecret REST logic, which manages the creation of this audit. This logic assumed you would respond or display to the user with the secret's fields (items and data) when getting a secret that contains a password, recording an audit. To correct this, the GetSecret logic now supports an optional parameter that specifies which of the secret's fields (items or data) you will be responding with (displaying) to the user. If the items supplied to this method do not contain a password field, then the password displayed audit is not recorded. The corresponding GET /secrets/{id}/fields/{slug} endpoint was then updated to supply this method with the requested secret field, fixing this bug. |
| • | Fixed a bug where Web services incorrectly returned SecretDependencyTemplateIDs as null. The SecretDependencyTemplateId is now returned with every dependency found by GetDependencies in SSWebServiceHandler. |
| • | Fixed a bug where an "Application Account License limit has been reached" error was incorrectly displayed after editing existing application accounts, instead of only when creating new user accounts. This bug was due to a flaw in the user license logic where application account licenses were incorrectly returning the API_MetApplicationAPILimit error code when editing and attempting to save an existing application account user, while at the current application account user limit. Specifically, the logic assumed the addition of a new application account user—it did not support editing an existing user. The error occurred at the application account user limit where adding a new user is not permitted. The fix was to check if users were adding a new application account user or editing an existing user when determining whether to return the error code, API_MetApplicationAPILimit. |
| • | Fixed a bug where API group membership changes were not properly audited. This bug was due to a lack of auditing logic in the CreateGroupUser and DeleteGroupUser REST endpoints. The fix was to observe what audits the UI were doing upon adding and removing users to and from groups, then applying that same logic to the CreateGroupUser and DeleteGroupUser REST endpoints. Some extra logic was added to prevent recording audits if no operation was executed, such as moving a user to a group it already belonged to or removing a member from a group it was not a member of. |
| • | Fixed a bug where users were unable to create subfolders that inherit folder permissions through the REST API, despite the user having "Edit Folder" permission. |
Authentication
| • | Fixed a SAML login issue that could cause login failures if multiple users had the same User Principle Name (UPN) in Secret Server. The account that was created first would be prompted for SAML authentication even if that account was in a disabled state. This caused login failures with an error saying the user's account was disabled. Updated GetUserByUserPrincipalName to return a user only if there was exactly one user found with that UPN that was active. If there is not exactly one, it returns null. Handled a few logic flows where a GetUserByUserPrincipalName request is followed with a request to GetUserbyUsername. In cases where a valid UPN is entered, an error is produced at GetUserByUsername. These errors are now handled and logged. |
| • | Fixed a bug where if an instance had two users with the same username (one active user, one disabled user) across different domains two-factor authentication (2FA) enabled for login, a user trying to reset their login might get a validation error because the reset code they entered would be checked against the code of the other user with the same name. Secret Server now checks the domain of the user who is trying to login when determining which user account should be used for the 2FA reset request. This removes ambiguity when users in different domains have the same username, thus ensuring the correct 2FA validation is used. |
| • | Fixed an issue where 2FA failures were not showing up in the "Failed login attempts" report. The 2FA failure message was different from a normal login failure message. The report SQL was changed to display any login failure message. |
| • | Corrected a configuration error that changed the 'Disable Radius NAS-IP-Address Attribute' setting to have the opposite effect. The logic using the DisableRadiusNasIpAddressAttribute setting was set to return if false instead of true. This was an old application setting that would normally be false for most customers. When it was added to the UI configuration pages, the setting was implemented incorrectly, reversing the logic. In versions 10.5.14, 10.6 and 10.6.1, it is being disabled by default due to the backwards logic. This release corrects the configuration setting to work as described in the UI. |
| • | Fixed a bug where the authentication function for the "Attempt User Password" Radius setting did not work when using the REST API. |
Discovery
| • | Updated the PowerShell local account and dependency scanners to timeout after a set timeout. The application settings DiscoveryScannerTimeout and DependencySearchTimeout have been moved to settings on the individual scanners. If this setting was only set in an application setting, it needed to be reset on the scanner setting. Wrapped the PowerShell dependency and local account scanners in a System.Task to cancel after a timeout period. |
| • | Fixed an issue where out-of-the box dependency scanners (scheduled tasks, application pools, and service accounts) were not correctly copying as the same specified scanner's type. |
| • | Fixed an issue where discovery imported group-managed service accounts (gMSAs) as new computers and subsequently attempted to scan them for accounts. |
Password Changing
| • | Fixed an issue with Oracle privileged password changers. Before this update, Oracle password changing logic for privileged accounts was not correctly using the designated privileged secret to perform password rotations, leading to failed password change attempts. |
| • | Fixed an issue where missing parameters in the Sonic Wall password changer resulted in multi-factor-authentication (MFA) failure. The info sent to the Sonic Wall password changer now includes default values for MFA code and future MFA codes so those do not reference null. The PhantomJS script for Sonic Wall now looks for the host name at a different place in the parameters list. |
| • | Fixed a bug where the IBMi mainframe password changer timed out during process cleanup. IBM iSeries password changer has two threads during a session, the primary thread processing the session or request and a subsequent one that is spooled up during the process to ensure the interface framework (ws3270) does not get stuck in the wait state when the wait command is called. The second thread may detect false stuck wait states and attempt to close the session. If this happens after the primary session has completed the wait and has already closed, an "Access Denied" exception occurs. That exception can still be due to permissions, so it is worth checking, but most of the time this is the error thrown by the .Net Process framework when attempting to exit a process that has already exited. |
| • | Resolved issues with error handling, command pause handling, and session termination / logoff when using remote password changing (RPC) with IBM z/OS and IBM iSeries. IBM z/OS and IBM iSeries utilize the same base architecture within RPC to manage and execute commands. In some cases the password change process did not correctly resume after a pause command. In others the pause did not take effect, causing commands to execute prematurely and showing incorrect fails. Code was also added to clean up failed RPC / Heartbeats once a user is logged in. An identifier to the logoff command now informs RPC of the correct command to kill sessions in cases where it needs to terminate prematurely. |
| • | Fixed an issue after a Google update where changing Google account passwords returned incorrect messaging whether a password change failed or succeeded. Important Notes: The Google RPC only works if the user has previously logged into the Google account from the IP address that is trying to change it. In other words, the user needs to log into their Google account from a Web browser and allow the sign-in from an unrecognized IP address before attempting to rotate the password from that IP. If there are too many failed login attempts, Google may block the login for some time. If Google prompts a reCAPTCHA field to verify a human is changing the password, the RPC for the Google account will fail. Technical Details: Updated the URL check for the password changed test to fix the failed password change when it was a success. Updated the missing error code to fix the successful password change when it was failing. Also added better error checks to inform the user of the specific password change error. |
| • | Added logging to provide details when password change attempts for Google accounts fail, including: NewPasswordLengthTooShort NewPasswordLengthTooLong InvalidCharactersInNewPassword NewPasswordNotComplex IsAPreviousPassword SameAsCurrentPassword |
Secret Import and Export
| • | Fixed an issue where a user was able to edit the error message in the "Import Secrets' dialog box after importing a secret. |
| • | Fixed an issue where secrets were not displaying for users when a left bracket appeared in the parent folder name. We replaced any instance of [ in a LIKE clause with [[] The first [ opens the character comparison list. The second [ is the character we allow for comparison. Finally, the closing ] closes the character comparison list. It is unnecessary to replace additional instances of ] because they mean nothing without a matching [ |
| • | Fixed an exportation issue where the double quotation mark (") was not included in CSV files. |
Security
| • | Resolved a security issue in the protocol handler. |
| • | Fixed a security issue where users retained Unlimited Admin permissions for a short time after the Unlimited Admin Mode was turned off, due to a caching issue in the background worker. The issue was related to caching configuration data for 5 minutes and how the cache was being managed by the ServiceLocator used by the background worker. Turning Unlimited Admin Mode on or off would clear the configuration from the cache used by the UI, but the background worker had its own cache, which did not get cleared. The fix was to reinitialize the cache provider on the ServiceLocator whenever starting a bulk operation or secret importation to ensure these functions get a fresh copy of the configuration and Unlimited Admin setting. |
| • | Resolved inconsistent behaviors in role-based permissions. |
Other Bug Fixes
| • | Updated Session Recording to address an issue where video recordings intermittently returned black frames during the session's video playback. This was observed on older laptops running Windows 7 (either 32-bit or 64-bit) with integrated Intel graphics. Neither metadata nor keystroke logging (for advanced session recordings) were affected by this issue, only the viewing experience of the video, which could be interrupted by black frames. The fix was to use a different Windows API call as a fallback whenever a black frame is returned from the original screen capture attempt. A drawback to this approach is that fallback API simply captures the whole window including whatever might be on top of it. To counter this, logic was added to ensure that the RDP window is topmost during image capture. There remains a small possibility of capturing an isolated black frame or two if another window is moved on top of the maximized RDP window when an image is captured. |
| • | Fixed an issue where some Secret Server background threads attempted to perform tasks when Secret Server was disconnected from its database. The issue was that some background threads would exit their continuous monitoring loop. Specific conditions caused new SQL server connections to time out, but the open connections continued working. This resulted in Secret Server working normally but caused the monitoring loop to exit and fail to restart, breaking the monitoring of the thread. This was fixed by catching the error that caused the loop's exit, allowing the monitoring process to continue. |
| • | Fixed a bug where removing an event subscription item deleted the wrong item. When editing the events to trigger the event subscription, the ID of the event stored in the database identified which event to remove when an item was deleted. If an item was added, but the updated event subscription had not been saved, that ID was not generated yet. This caused the first event in the list to be deleted every time a newly added event was removed while editing. A temporary ID is now generated when a new item is added to the list so that if the item has not been saved to the database, the correct item in the list can now be identified. |
| • | Resolved an issue where backups were unable to complete if a Web application file was in use by a worker process. When looping through the files to be backed up, we now catch errors for any files that cannot be accessed by the backup process due to being locked by another process. When an error is caught, the issue is logged, and the backup process continues to the next file. |
| • | Fixed a bug in the old UI where a Safari browser repeatedly prompted Mac users to download and install the plug-in when attempting a copy-to-clipboard action. The old UI prompts for our Safari plug-in to be downloaded for using the user's clipboard. This is no longer used in the new UI. The link to the plug-in was removed. Now, the user loads the password by clicking the "load" image and then can copy the secret's value to the clipboard by clicking the copy image. |
| • | Fixed an issue where a Distributed Engine would return "Unknown Error" for a secret heartbeat if there was a transient error publishing the real secret heartbeat result back to Secret Server. |
| • | Fixed a bug where sorting groups by the "Created" field did not properly order groups in the table. |
| • | Improved page size restrictions when assigning roles and editing groups for customers with large numbers of users. |
| • | Fixed a bug where searching from a tab did not correctly output search results until the user navigated back to the Home Dashboard. To fix this bug, users now are automatically redirected to the Home tab when performing a search. |
| • | Fixed a bug that allowed Secret Server Professional Edition users to set a Workflow Access Request secret policy that should be unavailable in Professional Edition, causing an error when adding secrets to folders using that policy. |
| • | Lengthened the default maximum value for the transaction timeout on the installer from 10 to 90 minutes to prevent installs from failing due to longer database setup. The issue was caused by lengthy transaction times when running the installer against an Azure SQL database. The default maximum value for a transaction timeout is 10 minutes. We added code to allow us to make the transaction larger and set the timeout to 90 minutes. |
| • | Fixed a bug where converting a secret to a different template created two active copies of the secret: one converted, one unconverted. Inside the SecretDataCopier, when setting permissions, the code did not know it was due to a conversion. It then copied the folder permissions down onto the secret, instead of using the secret permissions that were on the secret originally. This meant that in the scenario above, the user did not have edit rights, throwing an "Access Denied" error. |
| • | Fixed an issue where launcher-based sessions were not displaying proper messaging during session recording. Message boxes are now correctly bound to their parent process (the launched process), and message box behavior has changed. Before this update, message boxes launched without a proper parent process would be minimized and would not display or block input if you restored the launched process, because they did not belong to the launched process. After this update, message boxes are launched with a proper parent process always appearing on top of that process and preventing input to that process until the message box is acknowledged. |
| • | Fixed a bug where Distributed Engines configured to callback to multiple Web servers did not work if the server names were separated by semicolons. |
| • | Fixed an issue where after an SSH key expiration occurred, uploading a new key remained in an expired state instead of properly updating the key. |
| • | Resolved an exception error that occurred when closing an RDPWin session window after a secret-checkout session ended. |
| • | Fixed an issue in customer environments configured with ticketing systems where approving a request from an event notification email caused an exception error to occur, rather than completing the approval. |
| • | Fixed an issue where reports containing the #CUSTOMTEXT dynamic parameter failed to send emails. |
