Secret Server: 11.4.000030 Release Notes

Release Dates and Notes

On-Premises: May 2, 2023.

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.7.0

Protocol Handler: 6.0.3.26

Important: We rolled back release 11.4.000030 to 11.4.000002 after discovering some bugs that can significantly affect a minority of customers. See the first two Known Issues for details. We apologize for any inconvenience, especially for the delay in releasing the new, resilient secrets and other enhancements. It is a top priority for engineering to fix this. An updated release should be available by May 20th, 2023.

Known Issues

  • Very large messages sent from distributed engines back to Secret Server are not processed due to a bug in the message processing code. This can include messages related to Active Directory synchronization, discovery, and keystroke recording. See the note at the top of this topic.

  • In installations with multiple nodes, launched sessions that are RDP or SSH proxied and recorded may cause the engine worker on a node to crash. The probability of a crash increases with each additional node running, becoming nearly certain at eight or more nodes. See the note at the top of this topic.

  • The distributed engine (DE) package that came with Secret Server (Cloud and On-Premise) 11.3.x prevents Secret Server from performing a DE auto-upgrade—making a manual upgrade necessary. See the Distributed Engine Auto-Upgrade Does Not Work bulletin for details.

    Note: This is not required for admins who already completed a manual upgrade for any version of 11.4.

Enhancements

Secret Folder Panel Redesign

We reworked the secret folder panel for additional functionality and a more streamlined user experience. Direct access to the folder panel from outside of the secrets view was found to unnecessarily clutter the navigation menu, and the panel is now visible on the Secrets page. In addition, we enhanced the following:

  • We added a "Quick Access" section to the folder panel, which offers a single page combining the following sections:

    • Search

    • Favorite Secrets

    • Most Used Secrets

    • Session Secrets—Secrets accessed this session, allowing the user to return to a secret they have accessed in this browser session

    • Recent Secrets—Most recently accessed secrets, within this session or others

    • Shared With Me—Secrets that are shared with you but not in folders that you may view

  • Added a "New Folder" button to the top of the folder tree.

  • Pinned folders are now placed at the top of the tree instead of listed in a dropdown. Pinned folders give easier access to your favorite folders. When a pinned folder is selected, the displayed folder tree is based on the that pinned folder rather than the entire tree. The same applies to the content of "Quick Access," which displays secrets in the selected, pinned folder.

  • A guide now displays for new users the first time they view the secrets page, introducing components and changes.

Other Enhancements

  • DR: Created more robust data ambiguity handling when data replication processes a table where there is a multi-field unique key. These included giving precedence to source data when applicable or throwing an error when an ambiguity cannot be resolved.
  • DR: Added an advanced configuration setting (defaulting to 3 hours) so that a long-running DR process will detect the configured amount of elapsed time and end the DR process, forcing the end user to manually run it again.
  • DR: Read-only mode can now be enabled in Secret Server Cloud on the disaster recovery configuration page.
  • Added a discovery import rule to the new network viewer.
  • Added a link to the public SSH keys, when enabled, on both the user preference page and the administration tools section.
  • Added a knowledge base link for Platform regions as part of the Platform Optin Experience.
  • Added support for LDAP RFC2307 group membership, used in OpenLDAP.
  • Discovery rules and dependencies grid can now be filtered by discovery source. Rule grid now also has discovery source available as a column.
  • Local Admin column added to new discovery network view.
  • Secret template name on the secret general tab is now a direct link to the template.
  • The "Send Test Email" button now functions in read only mode.
  • The report CSV download is now encoded so that certain Turkish characters appear, and the mime type was changed to text/csv.
  • The unlimited admin page in configuration preview now has a link to open the unlimited admin audit.
  • HSM Integration—RSA OAEP Padding Support. We added OAEP padding as a new configurable option when enabling or rotating the HSM integration. This is in anticipation of the planned deprecation of PKCS padding by NIST. Current configurations are unaffected, but this option is available when rotating the HSM key, or configuring a new integration.

Bug Fixes

Disaster Recovery

  • Fixed an issue where DR email alerts were not being sent out.
  • Fixed issues for password-requirement character-set data replication in the DR feature.
  • Fixed an issue with disaster recovery replication where replicated custom launchers were not visible on their associated secrets.
  • Fixed an issue with the disaster recovery logging process so that only error-free data replications are marked as successful.
  • Fixed issue when replicating data for disaster recovery where pre-existing users on the replica that do not exist on the source could lose their All Vault Users group membership.
  • Fixed replication to allow duplicate names to be replicated individually during disaster recovery. Groups with the same name will still be consolidated during replication when they share values for AD Guid, IsPersonal, IsPlatform, and DomainId.
  • Password requirements are now replicated from source to replica as part of disaster recovery.

Other Bug Fixes

  • Corrected logic that allowed password requirement consumers to bypass non-replicated secrets
  • Dates in the report export no longer include the "Z" for UTC when server time is used and ISO date format is selected because the date/time is the server configured time and not necessarily UTC. That is, the date is ISO format and the server-configured time but does not include the offset. In some specific configurations when user format was selected, the timezone offset would be applied based on the actual server timezone and not the configured timezone.
  • Discovery-specific OUs now returns results when the page is initially loaded.
  • Due to security reasons, we removed the GET endpoint for /secretserversettings/export and replacing it with a POST endpoint where we can transmit the password securely. The contents of the payload are the same, except for new "password" and "doubleLockPassword" fields, and the entire payload is contained within a parent "data" object.
  • Fixed a bug that caused launcher session failure on secrets that were expired on checkout but then disabled checkout via policy. Also, retroactively fixed this situation on secrets.
  • Fixed a string truncation error. Expanded the user setting size to resolve issue for some customers with lots of columns for a grid.
  • Fixed a timing problem where secret favorites might not initialize if the secret grid loads very quickly.
  • Fixed an CSS issue where clicking the "Browse all folders" button caused folder names to overlap.
  • Fixed an issue that had platform logout redirecting to a different tenant.
  • Fixed an issue where "Web Launcher requires Incognito Mode" was not being respected when enabled. Descriptive text added on web launcher mapping for restricting input fields.
  • Fixed an issue where a bulk action was applied to all secrets when select all is checked but a template or folder filter was applied.
  • Fixed an issue where a default error page was presented when accessing certain URLs as opposed to a more technical error.
  • Fixed an issue where a dependency fails to work when moved to another group or order due to the run condition. When a secret dependency is updated to the first sort order or to a new group, the run condition is cleared. This addresses an issue where a secret dependency with a run condition would not run when it was the first secret dependency in its group.
  • Fixed an issue where a Get Folders API call did not returns all descendants, breaking some customer integrations. To retrieve direct children only, use the new LimitToDirectDescendents parameter.
  • Fixed an issue where an HSM could not be disabled.
  • Fixed an issue where Azure domain accounts were unable to access Secret Server SSH Terminal with a public key. You can now log into Terminal with an Azure Active Directory account using SSH Key Integration. AAD logins to Terminal via password cannot be done.
  • Fixed an issue where changing the time zone on the secret audit page did nothing and refreshing the page returned to the default time zone. When the server time zone is different, the time zone picker should show and the date column for audit should render in the selected time zone.
  • Fixed an issue where connecting using an SSH key on another secret did not work with "SSH key only" secrets.
  • Fixed an issue where data retention under PII removed monitored recordings or user audits related to monitored recordings. Data retention under database size management will still remove monitored recordings and related user audit records.
  • Fixed an issue where duplicate user names were throwing an error. When logging in as a local user, we now ignore any Platform native users that may have the same login name, instead of erroring.
  • Fixed an issue where event pipeline email notifications were not sent if the email task had an email template selected.
  • Fixed an issue where exported computer scan logs were incomplete. Discovery logs now export more than 250 records.
  • Fixed an issue where folders and sub-folders were missing secrets with UAM enabled. Left nav max folders default limit increased to 1,000. Setting dialog added to set the user preferred limit. Folder browser now loads 100 records at a time on scroll instead of just 30.
  • Fixed an issue where GET /internals/secret-detail/{id}/launcher/{launchertypeid} threw an exception. We now show a friendly error message when launching a secret With Jumpbox Route with RDP that it is missing an SSH launcher
  • Fixed an issue where OpenLDAP directory services group-search filter was not working.
  • Fixed an issue where PowerShell dependency changer arguments were not being passed into the script.
  • Fixed an issue where secret field data over a certain length may be rejected by the database upon replication.
  • Fixed an issue where Secret PasswordComplianceCode was not updated after password field/PasswordReq change.
  • Fixed an issue where secret template fields of type file no longer showed the drop down options when editing the field.
  • Fixed an issue where session monitoring grid view showed the system and not the Secret Server. The secret session search date in the grid and card both now show in the selected time zone and the grid has the timezone picker when relevant.
  • Fixed an issue where the folder list disappeared if UAM is enabled and when the "All Folders" toggle is selected in the sidebar. Folders in the tree will now be limited to only show 125 folders per tree. Once there are 125+ subfolders a "Browse all folders" option will appear in the folder tree. This link will take the user to a grid that only shows folders with a search. The grid has paging so it will load 30 folders at a time as the user scrolls. This will help support instances when users have thousands of subfolders. If there are more than 30 subfolders in a folder the secret grid will show a link to the new folder browser. This used to open a dialog to the folder tree which would also run into performance issues when users had over 1,000 subfolders.
  • Fixed an issue where the folder tree disappeared when there were more than 1,000 folders accessed and UAM was enabled.
  • Fixed an issue where the pipeline activity status stopped updating after the "Send to Email" task
  • Fixed an issue where the Preserve Client SSH Process did not appear for process launchers
  • Fixed an issue with heartbeat failures if a secret had checkout enabled.
  • Fixed an issue with secret search would produce an excessively long URL that would sometimes throw an HTTP 404 error. The secret search API endpoint now accepts a filter param called ExtFieldsCombined, which is a comma delimited list of all extended fields to include in the results. This field is now used by the secret grid to help reduce the size of the URL when many secret fields are exposed for display to avoid the IIS 2k length restriction on GETs.
  • Fixed an issue with SSH proxy "Tunnel RDP Connections" performance degradation (high CPU usage).
  • Fixed an issue with the data retention page background color.
  • Fixed discovery network view to ensure when searching you should be able to find all items under your current levels. However, when looking at a level you only see that level.
  • Fixed issue with the password compliance report updating very slowly or not refreshing after either a template or direct PasswordRequirement password field change.
  • Fixed issues related to RabbitMQ channel and queue growth and corruption-related issues due to connection interruption causing premature queue deletion.
  • Fixed the default timestamp format for CEF.
  • The "All Secrets" CSV download now correctly shows the folder name instead of the folder ID.
  • The secret policy approvers "default only" option now displays correctly when updated.
  • Updated the advanced session recording agent version label on the agent issues page to correctly state that it is the minimum required version, not the current version.
  • Fixed an issue where a purge of inactive sessions longer than three minutes was occurring when the Sessions Monitoring page was displayed. It did not take into account the SSH proxy timeout. The page now obeys the timeouts.

Future and Recent Deprecations

Note: This section describes planned future deprecation of feature or platform support in Secret Server.