Secret Server: 11.4.000000 EA Release Notes
Release Dates and Notes
On-Premises: February 21, 2023
Cloud: February 11, 2023
Component Versions
Distributed Engine and Advanced Session-Recording Agent: 8.4.3.0
Protocol Handler: 6.0.3.26
Known Issues
The distributed engine (DE) package that came with Secret Server (Cloud and On-Premise) 11.3.x prevents Secret Server from performing a DE auto-upgrade—making a manual upgrade necessary. See the Distributed Engine Auto-Upgrade Does Not Work bulletin for details.
New Features
User Interface Streamlining: Classic UI Removed
The classic UI is no longer available as an option, and can no longer be enabled. This followed notifications of phased deprecations in prior releases. Several improvements have been made to the UI based on feedback from customers regarding this change.
Checkout Extension Maximum Limit
We created a global configuration setting that allows administrators to set a maximum secret-checkout extension interval. This provides additional admin control by specifying granular limitations on users extending a checked-out secret. The time limitation begins at the point of checkout extension, and the extension time defaults to the set checkout time.
Disaster Recovery Enhancements
"Replicated User Status on Disaster Recovery Source" configuration can now be set to:
- Mirror Source, which is the existing behavior
- Disabled by default
New Synchronization Items:
- Character sets
- AD users and groups
Discovery User Experience Improvements
We updated the discovery user experience to reflect the style and design of the application. The legacy pages are still available; however, the new interface items are ready for use, and we welcome feedback on these items. The legacy pages can be accessed by browsing to the relevant new interface and clicking the "View Legacy Page" button. The improvements are:
- Network view is available as a tab on the main Discovery Sources page.
- Network view displays the same results as the legacy page, in a single filterable grid, as opposed to individual tabs for different types of scanners. The new page has the functionality of the legacy page but in a more responsive and updated design.
- There is a new filter menu, allowing extensive filtering options for this data.
- Each item in the network view list links to a details page allowing review of the discovered data, as opposed to being viewed inline.
- The grid data is exportable as a CSV, similar to other grids.
- Scanner, scan template, command set, and search filter configuration are available from the Discovery Configuration Options > Scanner Definition button on the Discovery Configuration page.
- Source scanner configuration is available in the Discovery Source Configuration page as a tab.
- We extensively redesigned the scanner configuration UI to make this experience more intuitive, and scanners are now displayed in a workflow view.
Generated and Created Password Improvements
Password Complexity Indicator
There is a new visual indicator in the password complexity rules that provides the user with a better understanding of the strength of their password. The combined score considers both entropy score (brute force defense) and character limitations (social engineering defense). In the case that the score is deemed too low, the UI provides recommendations to the user on how to increase password strength.
New Password Rules
We introduced optional character rules to the password complexity selection that, when enabled, enhance the strength of generated and created passwords. The new rules provide flexibility in the granularity of the rules. Each selection impacts both entropy and the overall strength score. The rules include minimum characters from:
- Lowercase letters
- Symbols
- Numerals
- Uppercase letters
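To make the two sides of the combined score concrete (an entropy estimate against brute force, and per-class minimum counts against guessable passwords), here is an added example in Python. It is illustrative code written for these notes, not Secret Server's own scoring logic; the pool-size entropy estimator, the 60-bit threshold, and the 0-100 combination formula are all assumptions.

```python
import math
import string

# Character classes matching the four rule categories in the release notes.
# Everything below is an illustrative model, not Secret Server's own scoring code.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numerals": set(string.digits),
    "symbols": set(string.punctuation),
}


def entropy_bits(password: str) -> float:
    """Brute-force resistance estimate: log2(pool ** length), where the pool is the
    combined size of the character classes actually present (assumed estimator)."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_rules(password: str, minimums: dict) -> dict:
    """Return {class: shortfall} for every configured class below its minimum count.
    Keys of minimums must be names from CLASSES."""
    counts = {name: sum(c in chars for c in password) for name, chars in CLASSES.items()}
    return {name: minimums[name] - counts[name]
            for name in minimums if counts[name] < minimums[name]}


def score_password(password: str, minimums: dict, min_bits: float = 60.0) -> dict:
    """Combine the entropy view and the character-rule view into one verdict, and
    produce the kind of recommendations an indicator would show when the score is low.
    min_bits is an assumed threshold, chosen for illustration."""
    bits = entropy_bits(password)
    shortfalls = check_rules(password, minimums)
    recommendations = []
    if bits < min_bits:
        recommendations.append(
            f"lengthen or diversify the password ({bits:.1f} of {min_bits:.0f} bits)")
    for name, missing in shortfalls.items():
        recommendations.append(f"add {missing} more {name} character(s)")
    # Combined 0-100 score: entropy fraction, scaled by the share of rules satisfied.
    rules_met = 1 - len(shortfalls) / max(len(minimums), 1)
    combined = round(min(bits / min_bits, 1.0) * rules_met * 100)
    return {
        "bits": round(bits, 1),
        "combined": combined,
        "shortfalls": shortfalls,
        "recommendations": recommendations,
        "acceptable": bits >= min_bits and not shortfalls,
    }
```

A long all-lowercase password can sit just under the entropy threshold while failing three of four class rules, which is exactly the case where the rules add value beyond entropy alone.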
Opt-In Engine Upgrades
Distributed engine upgrades are no longer mandatory for every release. We added a new setting to the Distributed Engine Configuration page to set the minimum required engine version. Modifying this will trigger an automatic update for any engine below this version.
In the action menu for an engine on the Sites page, a manual upgrade can be triggered for individual engines below the latest version, which prompts the engine to update when it next calls in.
When changes are made needing an upgrade, the minimum required version is updated during the update process, and all engines update immediately.
"Run Scripts" Role Permission
We created a new "Run Scripts" role permission to separate privileges in script management. Holders of the "View Scripts" role permission cannot execute test runs of scripts; the new role permission must be assigned to perform this task.
Administer Scripts remains unchanged and allows view, edit, and run permissions.
Syslog Timestamps
There is a new setting in Syslog configuration allowing the selection of timestamp formatting. The standard for Syslog indicates that ISO timestamps should be used; however, some consumers use the legacy format. There is now a selection between Syslog and ISO format. Syslog will be the default for upgrades to allow current configurations to retain their behavior, and ISO format is the default in new instances.
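The practical effect of the setting is that a log consumer may receive either the legacy BSD-style header (month, day, time, with no year or zone) or an ISO 8601 header, depending on whether the instance was upgraded or newly created. The following added Python example, not part of the product or these notes, shows both renderings and a consumer-side parser that normalizes either form to UTC; the sample lines are constructed, and the legacy branch assumes a caller-supplied year and UTC because the legacy header carries neither.

```python
import re
from datetime import datetime, timezone

# Legacy BSD syslog header (RFC 3164): "Mmm dd hh:mm:ss", no year, no time zone.
LEGACY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# ISO 8601 header (RFC 5424 style): optional fraction, then "Z" or a numeric offset.
ISO_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3}|\.\d{6})?"
    r"(?:Z|[+-]\d{2}:\d{2})) (?P<rest>.*)$")

# Constructed sample lines (not real Secret Server output): one instant written three ways.
SAMPLE_LINES = [
    "2023-02-21T10:15:03.250Z host app: constructed message one",
    "2023-02-21T12:15:03+02:00 host app: constructed message two",
    "Feb 21 10:15:03 host app: constructed message three",
]


def format_timestamp(when: datetime, style: str) -> str:
    """Render a timestamp the way each setting value would: 'iso' or 'syslog'."""
    when = when.astimezone(timezone.utc)
    if style == "iso":
        return when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"
    if style == "syslog":
        return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    raise ValueError(f"unknown style: {style}")


def parse_timestamp(line: str, reference_year: int):
    """Return (UTC datetime, remainder) for either header style, or None if neither matches."""
    m = ISO_RE.match(line)
    if m:
        ts = m.group("ts").replace("Z", "+00:00")  # older fromisoformat needs a numeric offset
        return datetime.fromisoformat(ts).astimezone(timezone.utc), m.group("rest")
    m = LEGACY_RE.match(line)
    if m:
        # The legacy header carries no year or zone: assume the reference year and UTC.
        ts = " ".join(m.group("ts").split())  # collapse the space-padded day
        when = datetime.strptime(f"{reference_year} {ts}", "%Y %b %d %H:%M:%S")
        return when.replace(tzinfo=timezone.utc), m.group("rest")
    return None


def normalize(lines, reference_year: int) -> list:
    """Rewrite every parseable line with a UTC ISO header, so a SIEM sees one format."""
    parsed = (parse_timestamp(line, reference_year) for line in lines)
    return [f"{format_timestamp(ts, 'iso')} {rest}" for ts, rest in (p for p in parsed if p)]
```

Lines whose header matches neither pattern are dropped by normalize, which is the case a consumer should alert on rather than silently accept after the format change.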
Site-Specific FIPS Configuration
Individual sites are now configurable for FIPS compatibility. The setting is available on the Administration > Distributed Engine > Site configuration page, in the Engine Default Settings dialog box. All engines on a site will use this setting, overriding the global setting, which is configured at Administration > Configuration > Security.
Enhancements
- Added a configuration option to disable the SMB heartbeat fallback check.
- Added a secret policy setting to control "Change Password Upon Check-In" behavior. Previously, this was automatically enabled if "Require Check Out" was enabled.
- Added additional debugging output for SSH proxy when using the "ALL" logging level.
- Added audits for emailing and downloading reports.
- Added endpoints for Update Password Type Auth, Get Password Type Auth, and Create Password Type Auth. These allow you to create and update records for the command arguments in RPC command setup.
- Added the configuration setting "Allow Files without Extension" to the configuration preview.
- Added the internal site connector configuration to the configuration preview.
- Added the User parameter to the IBM iSeries Mainframe connection for launching, password changing, and heartbeat.
- Bulk edit share now has a "None" permission, which allows removing permissions.
- Changed the IIS web.config configuration to disallow access to the file uploads folder.
- Enabled more connection classes to use read-only mode.
- Enhanced secret export logging.
- Improved performance of dependency matching within discovery.
- Improved performance of the role assignment page and added a user panel on the same page.
- Improved performance of the secret-to-computer matching operation that runs as part of discovery.
- The data replication summary log now lists items in alphabetical order; the success status and version number appear before the list of items, and any errors are appended at the end.
- Optimized application caching.
- Updated the new UI to allow newly generated SSH keys to have a blank passphrase, which matches legacy UI functionality.
Bug Fixes
- Fixed a memory leak in SSH proxy.
- Fixed a SAML audit error.
- Fixed an error that occurred when multiple identical domains were created.
- Fixed an error where the new SSH proxy custom SSH cipher suite settings were not picked up by distributed engines.
- Fixed an issue in the heartbeat status by day report that would cause the same secret to be counted twice on days where the secret transitions between heartbeat failure and success.
- Fixed an issue where the "Days Until Expiration" value on the secrets grid would show a large negative number if expiration is forced. This now displays "Expiration forced."
- Fixed an issue where "requires approval type" could not be set by policy.
- Fixed an issue where a user with edit permissions could not rename a folder.
- Fixed an issue where an "invalid SQL error" was incorrectly displayed when a report timed out.
- Fixed an issue where an error was displayed in an edit field dialog box.
- Fixed an issue where an inbox notification was not clearing in Secret Server Cloud.
- Fixed an issue where a completed master encryption key rotation would not show as such.
- Fixed an issue where converting a secret in a folder with a launcher settings policy threw an error.
- Fixed an issue where deleted Active Directory groups were not correctly marked as inactive when synchronized.
- Fixed an issue where disaster recovery would log many password requirement errors.
- Fixed an issue where failing Syslog/SIEM messages did not respect updated Syslog Server configuration.
- Fixed an issue where file contents during SFTP/SCP file transfers were included in the session keystroke recordings.
- Fixed an issue where installation on specific dates on servers with a dd/mm/YYYY localization configuration would prevent some configuration settings from being read.
- Fixed an issue where the Local site could not be configured to use Custom SSH Cipher Suite settings when set to process on the Web Site.
- Fixed an issue where manual backup did not work in maintenance mode.
- Fixed an issue where master encryption key rotation would fail due to discovery import rules running at the same time.
- Fixed an issue where missing file attachments caused DR replications to fail.
- Fixed an issue where monitoring and termination of live sessions was not displayed in the UI. This now takes the user to the regular session playback page, which displays the live session.
- Fixed an issue where PowerShell-based dependency changers would not correctly pass arguments.
- Fixed an issue where PuTTY would close immediately following a session error. This was due to a default setting change in PuTTY, which is now explicitly set to remain open on installation or update of the protocol handler. This requires a protocol handler update.
- Fixed an issue where reports generated an application error if users navigated away from the report while it was loading.
- Fixed an issue where scrolling the secrets grid view would deselect items.
- Fixed an issue where Secret Server did not correctly react when two templates have the same field if one had spaces that the other did not.
- Fixed an issue where secrets would not open when users have folder view and secret list permissions. The secret audit within that folder should be accessible.
- Fixed an issue where session recording would sometimes show a 500 error, even though the client would retry. Replaced this with an HTTP 429 response, explicitly informing the client to retry.
- Fixed an issue where session recordings could not be saved to a UNC file path due to missing permissions on the root of the path.
- Fixed an issue where sorting by folder path in the secret grid view would return an error.
- Fixed an issue where SSH dependencies would not process on distributed engines.
- Fixed an issue where SSH Proxy would not allow a launcher to connect in maintenance mode. This is now possible in non-recorded sessions—recording is not possible in maintenance mode.
- Fixed an issue where the advanced session recording agent would attempt to make many reconnections in a short time span.
- Fixed an issue where the 64-bit protocol handler would not function when "Enable Protocol Handler Auto-Update" was enabled.
- Fixed an issue where the folder picker would not populate when adding folders in event pipeline policies while in unlimited admin mode.
- Fixed an issue where the IBM iSeries password changer was not properly adding the model value to the connection string.
- Fixed an issue where the light/dark mode toggle displayed "Enable Dark Mode" even though the UI was already in dark mode. This was due to a dark mode browser preference and no explicit user preference having been set.
- Fixed an issue where the SAML AuthnRequest was sending a blank RequestedAuthnContext when Authentication Context was set in the Identity Provider Configuration.
- Fixed an issue where the Secret Server website would not load if the internal site connector was unavailable at startup.
- Fixed an issue where the terminate option on the session playback page was missing.
- Fixed an issue where the test buttons would not function for the Oracle Account Ver. 2 password changer.
- Fixed an issue where the UI session monitoring search required additional permissions to load.
- Fixed an issue where the unlimited administrator watermark could block interaction with some page elements.
- Fixed an issue where the wrong error message would be shown when trying to apply an invalid data source key under data replication.
- Fixed an issue where user permissions on replica instances were removed erroneously when data replication ran.
- Fixed an issue with check-in when the "Check In Secret on Launcher Close" and "Close Launcher on Check In Secret" settings were both false.
- Fixed an issue with DR replication where some operations would give the error "The incoming request has too many parameters."
- Fixed an issue with excessive CPU usage for RDPWin.exe. Protocol handler and session connector no longer track or record processes using WMI. Now they use native Windows calls, reducing CPU usage of the Windows WMI Provider. The exception is when "Run as secret credentials" is used—it still uses the WMI process tracking.
- Fixed an issue with replicating domain users. This now correctly links the user with the replicated domain.
- Fixed an issue with slow-loading sessions failing to load when using session connector. This required an update to the latest protocol handler (RDS) on the session connector server.
- Fixed an issue with the group filter in event pipelines to ensure precise name matching is correctly used.
- Fixed an issue with the SearchSecretsByFieldValue SOAP API function that caused it to return a 500 error.
- Fixed a bug where email filters would click through approval links.
- Fixed an issue where OIDC platform connection failed for previously imported users after a domain change.
- Mitigated the possibility of an error in SSH Proxy command processing.
- Removed parameters from the ASRA installer to accommodate long secret URLs.
- Resolved an issue with RADIUS challenges in Secret Server Cloud.
- Session recordings which are invalid due to no data are now recorded as an error to prevent failure upon playback.
- Updated discovery SSH scanners to handle messages coming back without the stdout marker.
- Updated logging around Azure AD Sync to make it clearer when the sync stops due to configured groups missing in Azure AD.