Support KB Article Summaries

This topic is a structured abstract of knowledge base articles from the Delinea Support portal related to Secret Server across all deployment models (On-Premises, Secret Server Cloud, and Delinea Platform). Each entry summarizes the original article's issue, cause, and resolution. The articles are organized into two sections:

  • Errors and Troubleshooting (118 articles) covers specific error messages, symptoms, and their resolutions.

  • How-To (25 articles) covers procedural and diagnostic guidance such as configuring integrations, collecting logs, and testing connectivity.

Source links to the full articles on the Delinea Support portal are included with each entry.

This is not an exhaustive list. It is provided as a search convenience.

Errors and Troubleshooting

Error: 0x80004005—"Validation of viewstate MAC failed" (IntuneClient login)

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Client"The server is unwilling to process the request."

Cause: Password requirements in Secret Server do not match Active Directory requirements.

Resolution: Update Password Requirements in Secret Server to match AD requirements via Settings > Secret Templates > Password Requirements.

Notes: —

 

Error: 10060—"Connection Failed" (password rotation)

Source: View Article

Product: Secret Server Cloud—Secret Server

Known environments: Secret Server

Issue: RPC failing with "Connection Failed - Connection error 10060."

Cause: Connection attempt timed out.

Resolution: Confirm port 22 is open from DE machines: Test-NetConnection -Port 22.

Notes: —

 

Error: 10060—RPC connection failure

Source: View Article

Product: Secret Server On-Premises

Known environments: Secret Server

Issue: Remote password change fails with "Connection Error 10060."

Cause: Connected party did not respond in time, or established connection failed.

Resolution: Check that the SSH server is running (systemctl status ssh), confirm IP and port (ssh -p 22), test port 22 connectivity (Test-NetConnection).

Notes: —

 

Error: 1325—AD Basic Password Change fails when password exceeds 63 characters

Source: View Article

Product: Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server, Windows Active Directory account Secrets

Issue: When the current or new password exceeds 63 characters in length, the RPC fails with error 1325.

Cause: NetUserChangePassword in NetApi32 has a buffer limitation that returns result code 1325 when passwords exceed 63 characters.

Resolution: Ensure password requirement is less than 63 characters, or change the template's Password Changer mapping to LDAP (Active Directory), or implement Privileged password changing.

Notes: —

 

Error: 1326—"Logon failure: unknown user name or bad password" (Heartbeat)

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server

Issue: Heartbeat fails with error 1326 when a local user account attempts a Heartbeat.

Cause: Beginning with Windows 10 1607 and Server 2016, default GPO denies remote SAM access with non-domain credentials.

Resolution: Confirm credentials, verify security policies, create custom group for SAM access, or use PowerShell workaround scripts.

Notes: Microsoft references for error 1326 and SAM remote calls restriction.

 

Error: 1329 (ERROR_INVALID_WORKSTATION)—Heartbeat on AD account

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-Prem

Issue: Heartbeat returns ERROR_INVALID_WORKSTATION 1329—"This user isn't allowed to sign in to this computer."

Cause: The user account is only allowed to log on to specific computers via the Logon Workstations setting in AD, and the DE/server node is not on the list.

Resolution: In AD Users and Computers, edit the account's "Log On To" settings to include the DE/server node machines or select "All computers."

Notes: —

 

Error: 1331—ERROR_ACCOUNT_DISABLED (Heartbeat)

Source: View Article

Product: Secret Server Cloud—Secret Server

Known environments: Secret Server

Issue: Heartbeat Failure with error code 1331.

Cause: The account is currently disabled.

Resolution: Confirm the account is enabled.

Notes: Microsoft ERROR_ACCOUNT_DISABLED 1331 (0x533).

 

Error: 2146892983—Unexpected SSPI handshake return code (RDP Proxy)

Source: View Article

Product: Secret Server Cloud—Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Microsoft Windows, All versions

Issue: RDP Proxy fails when Validate Remote Certificates is enabled—error -2146892983.

Cause: RDP certificate template omits Server Authentication from application policy.

Resolution: Edit the Certificate Template to add Server Authentication to Application Policies. Regenerate RDP host certificates.

Notes: —

 

Error: 2147024784 (installation failure—insufficient disk space)

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server setup.exe

Issue: "Installation failed with error code: -2147024784" when running setup.exe.

Cause: Not enough disk space to download, extract and install SQLEXPR_x64_ENU.exe.

Resolution: Ensure the machine has ample disk space.

Notes: —

 

Error: 2308—RDP Proxy launch failure

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-Prem

Issue: Error 2308 when launching via RDP Proxy.

Cause: RDP Proxy requires NTLMv2 from launching machine to RDP Proxy machine.

Resolution: Set "Network security: LAN Manager authentication level" on both machines to an option that ensures NTLMv2 is used.

Notes: Distributed Engine Hardening guide contains policy recommendations.

 

Error: 413 Request Entity Too Large (ASRA session recording)

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Premise, Advanced Session Recording Agent, Windows Server

Issue: ASRA does not record/send session—413 Request Entity Too Large.

Cause: —

Resolution: Modify the web.config file on IIS servers to set maxAllowedContentLength to 2147483648, then restart IIS.

Notes: —

 

Error: 500—Discovery Domain Scope not loading

Source: View Article

Product: Secret Server; Secret Server Cloud

Known environments: Secret Server Cloud

Issue: 500 error on the Domain scope tab of a Discovery source.

Cause: Removing AD Organizational Units scanner then immediately removing AD User Accounts scanner causes the issue.

Resolution: Remove orphaned discovery scanners, then re-add: AD Organizational Units, AD User Accounts, AD Computers, Windows Service, Scheduled Task, Windows Local Accounts.

Notes: This is a product defect to be resolved in a future release.

 

Error: 500 HTTP responses after upgrading to 11.3.x

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem

Issue: After upgrading a Secret Server instance that has Integrated Windows Authentication (IWA) enabled to version 11.3.x, errors are encountered when accessing the application. The HAR file shows that API calls to Secret Server are getting 500 HTTP responses.

Cause: The authentication settings for Secret Server in IIS are misconfigured.

Resolution: Validate that all the required IIS settings are configured correctly, as per the Configuring Integrated Windows Authentication documentation.

Notes: —

 

Error: 800703fa—Illegal operation attempted on a registry key (DE update)

Source: View Article

Product: —

Known environments: Secret Server On-Prem, Secret Server Cloud, Distributed Engines run by a service account

Issue: Distributed Engine will not update with Error: 800703fa.

Cause: During the DE upgrade process, a logon/logoff occurs. Without the registry setting enabled, subsequent attempts at loading the user's registry fail.

Resolution: Open Group Policy editor, navigate to Computer Configuration > Administrative Templates > System > User Profiles, enable "Do not forcefully unload the user registry at user logoff."

Notes: See Microsoft article on 800703fa error.

 

Error: 800703fa—Service instability after DE 8.4.54 upgrade

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server Cloud

Known environments: Distributed Engine 8.4.54, Secret Server Cloud, Secret Server On Premise

Issue: Service Instability after upgrading to DE version 8.4.54. Error: 800703fa Illegal operation attempted on registry key.

Cause: —

Resolution: Ensure DE Service Account is in Local Admin and has full access to DE folder. If that fails, enable "Do not forcefully unload the user registry at user logoff" in Group Policy.

Notes: —

 

Error: 96258—Unix account (SSH) secret RPC failure

Source: View Article

Product: Secret Server

Known environments: —

Issue: Unix SSH secret RPC fails with error 96258; password change commands succeed but verification fails.

Cause: Target Unix/Linux machine rejected the new password (e.g., didn't meet complexity requirements).

Resolution: Stop auto-change on the secret, grab the generated password, manually test SSH commands on the target. Review and align password requirements between Secret Server and the target machine.

Notes: —

 

Source: View Article

Product: Secret Server Int

Known environments: Delinea Secret Server, SQL Server password changer

Issue: Password change or heartbeat fails for SQL Server account—"A network-related or instance-specific error."

Cause: DE or Secret Server web node cannot establish network connection to target SQL Server. Common: incorrect server name, DNS failure, firewall blocking, SQL Browser not running.

Resolution: Run provided PowerShell connectivity test script on DE/web node. Tests No SSL, SSL-Validate, and SSL-Ignore. Compare results against password changer settings.

Notes: —

 

Error: AADSTS error codes (Microsoft Entra authorization and authentication)

Source: View Article

Product: Secret Server (Vaulting)—Platform; Secret Server; Secret Server Cloud

Known environments: Secret Server and Platform Entra password changing

Issue: Entra RPC or heartbeat fails with an AADSTS error code.

Cause: Entra authentication or authorization failure.

Resolution: Look up the AADSTS error code in Microsoft documentation to determine the specific cause and resolution.

Notes: Delinea docs on Azure/Entra password changer configuration.

 

Error: AADSTS7000215—Invalid client secret provided (Entra ID)

Source: View Article

Product: Secret Server (Vaulting)—Secret Server; Secret Server Cloud; Secret Server On-Prem; Vaulting (Secret Server)

Known environments: Secret Server, Entra ID, Azure AD Heartbeat

Issue: RPC and Heartbeats fail with error AADSTS7000215: Invalid client secret provided.

Cause: Incorrect password entered into the Secret Server Azure Application Registration Secret.

Resolution: Generate a new Client Secret in Azure portal, copy the Value field immediately, update the Delinea Secret, and test heartbeat.

Notes: Microsoft error code reference available.

 

Error: Access Denied (403)

Source: View Article

Product: Vaulting (Secret Server)—Platform; Secret Server Cloud; Secret Server On-Prem

Known environments: Delinea Platform, Secret Server Cloud, Secret Server On-Prem

Issue: When a user experiences an Access Denied 403 message, determining the missing Role Permission can be challenging. Use browser Developer Tools HAR to identify the issue.

Cause: —

Resolution: Use browser Developer Tools to capture a trace in the Network tab. Search for Status code 403, view the Request URL to determine which API is returning a permissions error, then locate the functional area and add the appropriate Role Permission.

Notes: General security best practice is to aim for the least-required access to perform the task successfully.

 

Error: "Access Denied" or RPC_S_CALL_FAILED_DNE (1727)

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem and Secret Server Cloud

Issue: Secret Server validates heartbeat but cannot rotate passwords—"Access Denied" or error 1727.

Cause: GPO in Microsoft Defender Exploit Guard—"Block credential stealing from LSASS" rule blocked password rotation.

Resolution: Disable "Exclude files and paths from attack surface reduction rules" and "Configure attack surface reduction rule" GPO settings.

Notes: —

 

Error: Access Denied—Remote Password Changes for Windows Local Accounts on Server 2025

Source: View Article

Product: Secret Server

Known environments: All Secret Server environments, Windows Server 2025 with Windows Local Accounts

Issue: Access Denied error when trying to perform Remote Password Changes on Windows Local Accounts on Windows Server 2025.

Cause: New security restriction defaults in Windows Server 2025—Legacy SAM RPC password change behavior.

Resolution: Preferred: Use a Domain account that is an administrator on the local machine as the Privileged Account. Alternative: Use a Windows Local Account that is an administrator as the Privileged Account. Optional: Change the "Configure SAM change password RPC methods policy" via Group Policy.

Notes: Existing documentation for Remote Password Changing on Windows Local Accounts still applies.

 

Error: Access Denied—Windows Local Account password change fails despite SAM access

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-prem, Windows Server/Workstation

Issue: Remote password changing fails with "Access Denied" even after SAM policy changes.

Cause: UAC remote restrictions prevent non-built-in administrator accounts from receiving an elevated token.

Resolution: Disable "User Account Control: Run all administrators in Admin Approval Mode" on the target machine. Delinea recommends using domain or built-in administrator accounts.

Notes: —

 

Error: ACCESS_REFUSED—RabbitMQ authentication failure (PLAIN)

Source: View Article

Product: —

Known environments: Secret Server environments using RabbitMQ

Issue: DE and/or SS logs show ACCESS_REFUSED - AuthenticationFailureException for RabbitMQ.

Cause: Password and permissions for the user in RabbitMQ may not have been set properly.

Resolution: View Site Connector credentials in SS, log in to RabbitMQ UI (localhost:15672), update the Secret Server RabbitMQ user password, clear and re-set permissions, restart DE service.

Notes: —

 

Error: "Activation is Required"

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem

Issue: Error "Activation is required on X server(s)."

Cause: —

Resolution: Remove expired licenses in Settings > Licenses, then install and activate new license keys for all nodes (online or offline activation).

Notes: —

 

Error: AD expiration on secret shows "Could not be determined"

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server Cloud

Issue: When looking at the Active Directory Expiration value on a secret, it shows "Could not be determined."

Cause: Triggered when an AD Secret has a Computer ID but no matching Computer Account in Discovery, or the password expiration date is the minimum possible date.

Resolution: Check that the secret has a matching computer account in Discovery.

Notes: —

 

Error: AD user logins fail despite correct password when connecting to remote domain

Source: View Article

Product: Platform; Secret Server; Secret Server Cloud

Known environments: All Secret Server products connecting to Windows Active Directory using DE or web Nodes.

Issue: AD user logins fail despite entering correct password. Intermittent slow-to-fail then fast-to-succeed authentication.

Cause: —

Resolution: Validate DNS Resolution, test LDAP/LDAPS connectivity, verify CRLs are resolvable, confirm LDAPS certificates are trusted, and ensure login completes in under 30 seconds.

Notes: Microsoft LDAPS requires UDP/389 for essential services.

 

Error: API_DataReplicaCannotMatchDataSource—cannot re-enable DR

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server On-Prem

Known environments: Secret Server DR with on-premise Source and Replica

Issue: Error API_DataReplicaCannotMatchDataSource when re-enabling DR.

Cause: Same Custom URL on Source and Replica, or stale Data Source Key.

Resolution: On Source: disable DR and delete record, create new Outgoing Setup. On Replica: re-enable with new Data Source Key and URL. Ensure Custom URLs are different.

Notes: —

 

Error: "API_FolderIdRequired"—REST API call in PowerShell

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: All Secret Server environments

Issue: REST API call throws error "API_FolderIdRequired"—"Folder is required."

Cause: —

Resolution: Go to Settings > Configuration > User Experience > disable "Require Folder for Secrets."

Notes: —

 

Error: "Associated Secret is inactive" (RPC)

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server - All versions, Remote Password Changing

Issue: RPC tab shows "Associated Secret is inactive."

Cause: Linked Privileged Account or associated Secret has become inactive, typically due to Secret Template conversion.

Resolution: Remove existing RPC privileged account and associated secrets, relink. Select Mappings for Default Privileged Account and reset if needed.

Notes: —

 

Error: Automatic User Management not disabling users

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem, Secret Server Cloud

Issue: Automatic User Management is configured to disable domain users after inactivity, but users are not being disabled.

Cause: Typically related to the Synchronization Secret no longer being valid.

Resolution: Navigate to Directory Services, select the domain source, select Groups tab, and correct any error. If no error, contact Delinea Support.

Notes: —

 

Error: "Cannot resolve the collation conflict"—SQL_Latin1_General_CP1_CI_AS vs Latin1_General_CI_AS

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem, MSSQL Server

Issue: Cannot upgrade Secret Server due to collation conflict between SQL_Latin1_General_CP1_CI_AS and Latin1_General_CI_AS.

Cause: Collation mismatch between two database columns or expressions.

Resolution: Change the MSSQL server collation to SQL_Latin1_General_CP1_CI_AS per the addressing MSSQL collation mismatches article.

Notes: See related article on how to check current MSSQL Server collation.

 

Error: "Connection Timeout"—Unix SSH password change

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server Unix Password changes

Issue: "Connection Timeout" errors during SSH password changes.

Cause: Target machine is not responding before the timeout for connecting (default 7-second timeout).

Resolution: Best: Resolve the connection delay on the target. Workaround: Create a custom password changer and increase the delay on the first Password Change Command.

Notes: —

 

Error: Corrupted session recordings—Event ID 30900

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server On-Prem

Known environments: Secret Server On-Prem, Session Recording to disk/temporary archives, network target

Issue: Some session recordings may be corrupt and unplayable when "Save videos to Disk" or "Use temporary archives" is configured. Windows logs SMBClient Event ID 30900 warnings.

Cause: File server/appliance accepts persistent handle request but does not grant persistence.

Resolution: Enable SMB multichannel on the target fileserver, or disable SMB multichannel on all Secret Server webservers.

Notes: —

 

Error: "Could not load assembly file VMware.Vim.dll"

Source: View Article

Product: Secret Server Cloud—Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server RPC (Remote Password Changing)

Issue: VMware ESX/ESXi secret's RPC and HB are failing with "Could not load file or assembly file VMware.Vim.dll".

Cause: Loading of the VMware.Vim module binaries is being blocked by Windows.

Resolution: Run the Unblock-File PowerShell command on all files in the VMware.Vim module folder.

Notes: —

 

Error: Database failover events not logged to Secret Server

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server, MSSQL

Issue: Database failover configured but no logging or alerting on the Secret Server side.

Cause: —

Resolution: The ADO.NET client library handles failover transparently. Secret Server does not have built-in awareness of HA/DR events. Monitoring should be managed by IT operations or database monitoring tools.

Notes: —

 

Error: Database or Binary Version Mismatch

Source: View Article

Product: Secret Server; Secret Server On-Prem

Known environments: Secret Server On-prem

Issue: The web node displays "The version of your database does not match the version of your application" or "Binary Version Mismatch."

Cause: Application files not properly copied, insufficient permissions, or newly upgraded node not communicating properly with the cluster.

Resolution: Download the matching Secret Server application files, stop the IIS application pool, copy files to the Secret Server folder, restart the application pool.

Notes: —

 

Error: DE behaves inconsistently in load balanced scenarios

Source: View Article

Product: Secret Server

Known environments: —

Issue: DE is unable to connect consistently through a load balancer. Fails to start or proxy operations fail.

Cause: DE is not cookie aware. Communication goes to different nodes during startup, causing authentication failures with different RSA keys.

Resolution: Configure load balancer for sticky sessions using IP address, or configure DE callback to individual Secret Server URLs separated by semicolons.

Notes: —

 

Error: DE logs not updated—"Arithmetic overflow error converting IDENTITY to data type int"

Source: View Article

Product: Secret Server; Secret Server On-Prem

Known environments: Secret Server On-Prem

Issue: DE logs are not getting updated in Secret Server. Error: "Arithmetic overflow error converting IDENTITY to data type int."

Cause: The identity value of tbEngineLog table has reached the maximum integer value (2147483647).

Resolution: Run SQL command: DBCC CHECKIDENT ('tbEngineLog', RESEED, 0) against the Secret Server database.

Notes: —

 

Error: DE stuck in upgrade loop

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: —

Issue: Distributed Engines get stuck in an automatic upgrade loop after Secret Server upgrade.

Cause: Old version of Delinea Distributed Engine Service Limited Updater cannot be removed.

Resolution: Navigate to %windir%\installer, identify associated .msi files, find PREVIOUSVERSIONSINSTALLED values in SSDEUpdate logs, delete orphaned registry keys, then allow upgrade to proceed.

Notes: —

 

Error: DE workloads not processing—queue buildup

Source: View Article

Product: Secret Server Cloud—Secret Server; Secret Server Cloud

Known environments: Secret Server Cloud customers running DE version 8.4.37.0 or higher

Issue: DE workloads (RPC, Heartbeat, Discovery, Syslog) not being processed. Message buildup in Azure Service Bus queues. Lock renewal failures in logs.

Cause: Running below minimum physical CPU Cores requirements (2 cores instead of 4).

Resolution: Validate DE is running with at least 4 physical CPU Cores. Use PowerShell to check CPU/memory stats.

Notes: See system requirements documentation.

 

Error: Delinea Platform connection status reports "Connection Issue"

Source: View Article

Product: Vaulting (Secret Server)

Known environments: Delinea Platform, Secret Server Cloud

Issue: Delinea Platform Secret Server connection page reports "Connection Issue" status.

Cause: Client (browser) connection issue to the Secret Server Cloud tenant.

Resolution: Resolve browser connectivity to the test-integration API endpoint. If Imperva error, raise a support request.

Notes: The Platform test page triggers 2 calls to the Secret Server tenant.

 

Error: Distributed Engine errors—connection status successful but engine errors displayed

Source: View Article

Product: Vaulting (Secret Server)—Secret Server

Known environments: Secret Server, Distributed Engine

Issue: Distributed Engines display "Engine errors" but "Connection Status" shows successful.

Cause: Distributed Engine machines are out of sync with time servers.

Resolution: Confirm Distributed Engine machines are in sync with time servers.

Notes: —

 

Error: Error banner when accessing a user on Settings > Users page

Source: View Article

Product: —

Known environments: Secret Server

Issue: Error banner appears when clicking a user on the Settings > Users page.

Cause: Active Directory Sync was interrupted while adding a new user—user and personal group were created but the connection between them was not.

Resolution: Verify user exists in tbUser, check personal group exists in tbGroup, create connection in tbUserGroup if missing, then recreate the user via Directory Sync.

Notes: For Secret Server Cloud, open a case with Technical Support.

 

Error: "Error while requesting Package Part"—Resilient Secrets replication failure

Source: View Article

Product: Vaulting (Secret Server)

Known environments: Secret Server - All versions, Resilient Secrets

Issue: Resilient Secrets not backed up to replica—"Error while requesting Package Part" in logs.

Cause: System time on source or replica is incorrect (even a few seconds off).

Resolution: Check and correct system time on all on-prem servers. Use PowerShell to compare against time.windows.com.

Notes: —

 

Error: "Expected to find a valid X509Certificate2"

Source: View Article

Product: —

Known environments: Secret Server On-Prem or Cloud

Issue: Error indicates LDAPS connection cannot locate or validate the required X.509 certificate.

Cause: Missing, invalid, or improperly configured certificate for LDAPS.

Resolution: Use certutil to verify installed certificates and certificate chain. Use OpenSSL for additional verification of LDAPS communication.

Notes: —

 

Error: Failed login despite correct credentials—domain dropdown missing

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server OnPrem

Issue: Failed login error despite correct credentials; domain dropdown missing.

Cause: —

Resolution: Log in with a local administrator account and review license status under Settings > Licensing. The license may need reactivation.

Notes: —

 

Error: "Failed to connect to port 5432" (PostgreSQL RPC)

Source: View Article

Product: Vaulting (Secret Server)—Secret Server

Known environments: Secret Server

Issue: PostgreSQL RPC error "Failed to connect to port 5432."

Cause: —

Resolution: Confirm Sites (Local or DE) can connect to PostgreSQL on port 5432: Test-NetConnection xx.xx.xx.xx -Port 5432.

Notes: —

 

Error: "Failed to create HTTP Redirect URL"—SLO initiation with IDP

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem and Secret Server Cloud

Issue: Secret Server is unable to initiate Single Logout with the Identity Provider.

Cause: Single Logout is enabled but the SLO URL is missing or incorrect.

Resolution: Configure the SLO URL from your Identity Provider, or disable Single Logout if not needed.

Notes: Single Logout is only required if logging out of Secret Server should also log users out of the IDP.

 

Error: "Failed to verify one time pass code" (401)

Source: View Article

Product: Secret Server

Known environments: —

Issue: New user gets error 401 "Failed to verify one time pass code" after clicking invite link.

Cause: One time pass code expired (timeout period exceeded or registration not completed after clicking Proceed).

Resolution: Resend an invitation email to the user.

Notes: —

 

Error: "Folder Must Have Owner"

Source: View Article

Product: Secret Server On-Prem—Secret Server Cloud; Secret Server On-Prem; Vaulting (Secret Server)

Known environments: Secret Server

Issue: "Folder Must Have Owner" error displayed when adding a user to folder permissions.

Cause: Original folder owner was made inactive with no other owners set.

Resolution: Re-enable the inactive user, add new "Owner" permissions for another user, remove the inactive user from permissions, save, then deactivate the user.

Notes: —

 

Error: "Folder name is too long" (CSV secret import)

Source: View Article

Product: Secret Server Cloud—Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server secret import function

Issue: Error "The folder name is too long" when importing secrets via CSV.

Cause: CSV format has a 50-character limitation for folder name and path.

Resolution: Use XML format (supports up to 128 characters) or shorten the folder name and path.

Notes: —

 

Error: "Global catch:[object Object]" (Console Diagnostics)

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server (all supported versions where web console is used)

Issue: Users may encounter a Console Diagnostics error displaying "Global catch:[object Object]".

Cause: Corrupted or stale browser cache data conflicting with updated application components.

Resolution: Clear Browser Cache using Chrome DevTools: Press F12, click and hold the Reload button, select "Empty Cache and Hard Reload."

Notes: —

 

Error: Heartbeat and RDP Proxy fail using Windows Local account with FQDN

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server and Windows target machines using a FQDN

Issue: Heartbeats fail and RDP Proxy produces error code 2308.

Cause: When connecting with FQDN, authentication assumes domain check instead of local SAM.

Resolution: Configure the user name in .\ format (e.g., .\administrator) to force local SAM authentication.

Notes: NTLMv2 settings still required per RDP Proxy documentation.

 

Error: HTTP 401.3 Unauthorized

Source: View Article

Product: Secret Server On-Prem

Known environments: IIS

Issue: Secret Server UI showing HTTP Error 401.3 Unauthorized.

Cause: —

Resolution: In IIS Manager, select root server node > Authentication > edit Anonymous Authentication > select 'application pool identity' > Stop/Start application pool.

Notes: —

 

Error: HTTP 403.14 Forbidden after login

Source: View Article

Product: Secret Server On-Prem

Known environments: All Secret Server on-prem environments

Issue: HTTP Error 403.14 - Forbidden after logging in.

Cause: Default Document configuration is disabled in IIS Manager.

Resolution: In IIS Manager, navigate to Secret Server site > Default Document > Enable. Run IISRESET.

Notes: —

 

Error: HTTP 404.17 Not Found after .NET Framework upgrade

Source: View Article

Product: —

Known environments: —

Issue: HTTP Error 404.17 after upgrading to Secret Server 8.5+ and changing CLR version.

Cause: ASP.NET 4.5 not correctly registered on the server.

Resolution: For Server 2012/R2: Install ASP.NET 4.5 via Server Manager. For Server 2008/R2: Run aspnet_regiis.exe -i. Then ensure ASP.NET 4.0 is allowed in IIS.

Notes: DEPRECATED—see updated article.

 

Error: HTTP 404—launcher failure

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server On-Prem

Known environments: All Secret Server On-prem environments

Issue: "The request failed with HTTP status 404: Not found" when using a launcher.

Cause: Custom URL field not updated after Secret Server URL changed.

Resolution: Update the Custom URL in Settings > Application > Edit > Custom URL field.

Notes: —

 

Error: HTTP 404—"The request failed with HTTP status 404: Not Found" (launcher)

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server

Issue: HTTP 404 error when starting a launcher.

Cause: Custom URL has not been set properly in Secret Server.

Resolution: Go to Settings > Application > Edit > set Custom URL (e.g., https://>/SecretServer/) > Save.

Notes: Custom URL is important for load balanced/clustered environments.

 

Error: "Incorrect MAC received on packet" or "Session no longer active"

Source: View Article

Product: Secret Server Cloud—Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud (resolved Oct 30 2024), Secret Server On-Prem 11.7.00031, PuTTY, WinSCP

Issue: After 60 minutes of use or transferring 1 GB of data, the Protocol Handler session ends with "Incorrect MAC received on packet" or "Session no longer active."

Cause: Known issue with Proxying and SSH key re-exchange.

Resolution: Upgrade DE to 8.4.38+ (Cloud) or 8.4.39+ (On-Prem). Workaround: In PuTTY, set Max minutes/data to 0 under Connection > SSH > Kex. For WinSCP, set ReKeyBytes = 0.

Notes: Work item released in SSC.

 

Error: "Internal Error"—Session Connector launch

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server - All versions, Session Connector

Issue: "Internal Error" prompt when launching Session Connector session. Event log shows svchost.exe/TermService faulting.

Cause: —

Resolution: Uninstall and reinstall both the Protocol Handler and Session Connector on the RDS machine. Restart if prompted.

Notes: —

 

Error: Internal Server Error (Session Connector with web proxy)

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server on premise/cloud, Session connector, web Proxy

Issue: Launching RDS sessions throws Internal Server Error when web proxy is configured.

Cause: WinINET uses proxy but WinHTTP does not.

Resolution: Run netsh winhttp set proxy or netsh winhttp import proxy source=ie to sync proxy settings.

Notes: —

 

Error: "Jscape.Ssh.SshException: no equal algorithms found"

Source: View Article

Product: Secret Server On-Prem—Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-Prem

Issue: When attempting to RPC/HB an SSH Secret, errors like "no equal algorithms found" appear in logs.

Cause: Legacy Runner type uses old ciphers that may not be supported by the endpoint.

Resolution: Change the Password Changer's Runner Type from Legacy to Standard.

Notes: See Delinea docs for cipher support details.

 

Error: "Limited mode is currently enabled"

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem

Issue: Pop-up window with "Limited mode is currently enabled" appears upon login.

Cause: License keys expired, activation failure, or enabled users exceed license count.

Resolution: Remove expired license keys, activate all keys, confirm licensed users match enabled users.

Notes: In Limited Mode, you can view passwords but many features are restricted.

 

Error: "Loading chunk failed" / ChunkLoadError

Source: View Article

Product: Secret Server Cloud—Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-Premise

Issue: Errors like "Loading chunk 216 failed" or "ChunkLoadError."

Cause: —

Resolution: Clear browser cache and do a hard refresh.

Notes: —

 

Error: Login Failure—"Authentication Failed Blocking call timed out"

Source: View Article

Product: —

Known environments: Secret Server configured with Active Directory Authentication

Issue: Login failures even when credentials entered are correct.

Cause: Delays in Active Directory Authentication causing the login process to exceed the 30-second timeout.

Resolution: Authentication requests must be sent, processed, and response received in under 30 seconds. Investigate and resolve AD authentication delays.

Notes: PowerShell script provided for testing LDAPS authentication timing.

 

Error: "Missing configuration parameter E2S.OrganizationId" (DE log after install)

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server Cloud

Known environments: All Distributed Engine versions

Issue: After installing a Distributed Engine, it is not showing as pending. The DE log shows "Missing configuration parameter E2S.OrganizationId".

Cause: Installing Distributed Engine using the .msi file instead of the setup.exe.

Resolution: Uninstall the DE service, download new DE installation zip, extract and run setup.exe as Administrator.

Notes: —

 

Error: MSSQL collation mismatch

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server, MSSQL Server

Issue: The MSSQL server collation must be SQL_Latin1_General_CP1_CI_AS. Mismatches lead to errors and block upgrades to 11.7.16+.

Cause: MSSQL server collation mismatch.

Resolution: Change the SQL Server collation or move the database to a new correctly-collated server. For database collation issues, reinstall Secret Server with correct collation.

Notes: See related article on how to check the current MSSQL Server collation.

 

Error: "No provided server could be reached" (DE registration)

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server Distributed Engine (DE)

Issue: DE not showing in Secret Server and logs show "No provided server could be reached."

Cause: —

Resolution: Uninstall "Delinea Distributed Engine Service," rename DE folder to _OLD, run setup.exe from the downloaded zip.

Notes: Confirm you ran setup.exe, not the .msi file.

 

Error: 'Not Suitable for Session Recording' (Connection Manager)

Source: View Article

Product: Connection Manager

Known environments: Connection Manager (Windows 11), Secret Server

Issue: When Session Recording is enabled in Connection Manager, users may encounter an error that the process is not suitable for session recording.

Cause: Certain applications are not compatible with session recording when they are already running.

Resolution: Before launching the secret via Connection Manager, close any applications that will be used by the connection.

Notes: —

 

Error: "Only one usage of each socket address is normally permitted"—port 22 conflict (DE)

Source: View Article

Product: Secret Server Cloud—Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server

Issue: SSH Proxy error—port 22 blocked by another process (commonly sshd.exe/OpenSSH on Windows Server 2025).

Cause: Another process (sshd.exe) is blocking port 22.

Resolution: Use netstat to identify the process using port 22, kill/disable it (e.g., disable OpenSSH service), or choose a different port. Restart the DE.

Notes: —

 

Error: Password change failing—"Credentials on Secret" lacks permissions

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server Cloud

Issue: Many Secrets failing password change because they don't use a Privileged Account.

Cause: Account on the Secret lacks permissions to change its own password, or has incorrect password.

Resolution: Use provided PowerShell script to bulk-update Secrets to use a Privileged Account for RPC.

Notes: —

 

Error: "Payload exceeds the maximum length"—secrets not indexing

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem (All known versions)

Issue: Not all secrets are indexing—payload exceeds maximum length of 253952.

Cause: Indexing batches secrets together; large secrets cause payload to exceed limit.

Resolution: In advanced config settings, reduce the Secret Indexing Batch Size (e.g., from 200 to 100). Rebuild index under Settings > Secret search indexing.

Notes: —

 

Error: RabbitMQ {inconsistent_database, running_partitioned_network}

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server on-prem with RabbitMQ

Issue: RabbitMQ cluster breakdown—inconsistent_database error.

Cause: Network partitioning, split-brain, improper cluster config, unclean shutdowns, Mnesia conflicts, clock skew, firewall rules, VM host issues, or inconsistent Erlang cookies.

Resolution: Use Reset and Rejoin Procedure (stop_app, reset, join_cluster, start_app). Sync clocks via NTP. Verify ports (25672, 5672, 5671). Ensure identical Erlang cookies.

Notes: —

 

Error: RDP launch via Secret Server proxy fails with generic Windows error

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server

Issue: Launching Remote Desktop via Secret Server Proxy fails with a generic error.

Cause: RDP proxy can be enabled/disabled per engine when there are 2+ Engines in a Site.

Resolution: Confirm RDP Proxy ports are listening (netstat -ano | findstr 3390). Confirm RDP Proxying is enabled for each DE in the Site.

Notes: —

 

Error: RDP Proxy cannot connect to Server 2003

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem, Cloud, Windows Server 2003 / 2003 R2

Issue: RDP Proxy fails to connect to Server 2003 target.

Cause: Secret Server RDP Proxy does not support connections to Server 2003.

Resolution: Option 1: Disable proxying on the Secret. Option 2: Switch to SSH Tunnel for RDP Connections (global change).

Notes: Server 2003 EOL was 2015. SSH Tunnelling loses keystroke recording functionality.

 

Error: RDP Proxy negotiate failure—"TLS not allowed by Server"

Source: View Article

Product: Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server, RDP Proxy

Issue: Negotiate fails—"TLS not allowed by Server" in packet capture.

Cause: Misconfiguration of Network Level Authentication (NLA)—SecurityLayer not set to 2 (SSL TLS).

Resolution: Check and set the SecurityLayer registry value to 2 on both the DE and the target machine. Review Group Policy for RDS Security settings.

Notes: —

 

Error: "RDPWin is not in the list of authorized programs" (Session Connector)

Source: View Article

Product: Secret Server

Known environments: Secret Server, Secret Server Session Connector (RDS)

Issue: RemoteApp Error—"RDPWin is not in the list of authorized programs."

Cause: —

Resolution: On the Session Connector machine, open Server Manager > Remote Desktop Services > Collections > Session Connector > right-click RDPWin > Edit Properties > Parameters > select "Allow any command-line parameters."

Notes: —

 

Error: "Request is Invalid"—Rescan button for Entra ID user account

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server environments using Discovery

Issue: "Request is Invalid" error when clicking Rescan for an Entra ID user in Discovery Network View.

Cause: —

Resolution: The rescan button should not be an option for Entra ID accounts (scan is for entire domain). To be addressed in a later version.

Notes: —

 

Error: RPC tab shows "Manual" password type instead of "Randomly Generated"

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server Cloud and On-Prem

Issue: Secrets with RPC enabled show password as "Manual" instead of "Randomly Generated."

Cause: If RPC fails, the state changes to "Manually generated" to preserve the attempted password.

Resolution: Correct the underlying RPC issue. Once RPC succeeds, the state returns to "Randomly generated."

Notes: —

 

Error: "SAML Login is Required"

Source: View Article

Product: Secret Server Cloud

Known environments: SSC, On-prem Secret Server

Issue: User gets "SAML Login is Required" when trying to log in as a local user.

Cause: User is missing the role needed to log in locally.

Resolution: Assign the user to a role that has "Bypass SAML Login" permission.

Notes: —

 

Error: "Secret Server unavailable"—PRA integration with On-Premises

Source: View Article

Product: Secret Server (Integration)—Platform; Secret Server On-Prem

Known environments: Windows, IIS, Privilege Remote Access (PRA), Secret Server On-Premises

Issue: Error "Secret Server unavailable" when integrating RAS with On-Premise Secret Server.

Cause: Client certificates setting is set to Accept in SSL Settings in IIS on Secret Server.

Resolution: In IIS, navigate to the Secret Server site > SSL Settings > Set Client Certificates to Ignore > Apply.

Notes: —

 

Error: "Secret Server URL is not approved for launch" (Protocol Handler)

Source: View Article

Product: Secret Server Cloud—Secret Server

Known environments: Secret Server Protocol Handler

Issue: Pop-up "The Secret Server Launcher stopped because the following Secret Server URL is not approved for launch."

Cause: User clicked "No" on the initial approval pop-up, preventing further connections.

Resolution: Delete the SSUA.dat file from C:\Users\<user name>\AppData\Roaming\Delinea, re-launch, and approve the URL.

Notes: —

 

Error: Secrets not visible after creating new Secret Template

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server environments

Issue: Secrets created with a new template cannot be viewed, even with Unlimited Administration.

Cause: Some password changers are locked behind licensing. A template created from another that uses a locked changer causes a "No Permissions" error.

Resolution: Navigate to Settings > Secret Templates > Mapping tab. Choose a password type or clear the checkbox Remote Password Changing.

Notes: —

 

Error: "Security Catalog is not properly signed. Signature Status: HashMismatch" (upgrade)

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem

Issue: Upgrade fails with "Security Catalog is not properly signed. HashMismatch."

Cause: —

Resolution: Check the SHA256 hash of the upgrade file against the docs. If incorrect, redownload. If correct, check the hash on the webnode's temp directory. If still corrupt, manually extract upgrade files to the AppData\Local\Temp\SecretServer\unzip directory.

Notes: —

 

Error: Session recordings not visible despite "View Own Session Recordings" permission

Source: View Article

Product: Vaulting (Secret Server)

Known environments: Platform and Secret Server Environments

Issue: Users with "View Own Session Recordings" permission still get an error accessing recordings.

Cause: The "View Session Monitoring" role permission is also required.

Resolution: In Secret Server > Settings > Roles > select role > Permissions > Edit > change Scope to Unassigned > select "View Session Monitoring" > Save.

Notes: —

 

Error: SFTP file transfers not working despite OpenSSH installed

Source: View Article

Product: Secret Server Cloud—Platform; Remote Access Service

Known environments: Platform, Privilege Remote Access

Issue: PRA SFTP file transfers not working—"No SFTP or SMB services are available on this target machine."

Cause: Port 22 is being used by another service (Core FTP Server).

Resolution: Check Task Manager for Core FTP Server. Check listening ports: netstat -ano | findstr :22. Identify the process: Get-Process -Id .

Notes: —

 

Error: "Software caused connection abort" (SSH Proxy / PuTTY)

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server

Issue: PuTTY launcher produces "Network Error: Software caused connection abort" over SSH proxy.

Cause: Client is Block Listed.

Resolution: Navigate to Administration > Proxying > SSH Proxy. Validate SSH IP Block Listing settings and check if the IP is listed.

Notes: Block listing feature adds IPs that fail to authenticate across a defined time period.

 

Error: "Specified user could not be found in the search context" (password change)

Source: View Article

Product: Secret Server Cloud—Secret Server; Secret Server Cloud; Secret Server Online; Secret Server On-Prem

Known environments: Secret Server Cloud and On-Prem

Issue: Password change fails—"Specified user could not be found in the search context."

Cause: User name or domain is incorrect, user is disabled in AD, or user doesn't exist.

Resolution: Validate User name and Domain on the Secret. Check AD to confirm the user exists and is enabled.

Notes: —

 

Error: SSL certificate thumbprint error after upgrading certificate

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server, SSL, thumbprint, certificate

Issue: SSL certificate error for old/expired thumbprint after upgrading certificate. Unable to see Use SSL in Site Connector page.

Cause: —

Resolution: Create a new Site Connector with Use SSL enabled and the new thumbprint, then update Sites to use the new Site Connector. Validate connectivity.

Notes: —

 

Error: "SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED" (Session Connector)

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server, Secret Server Session Connector

Issue: "SSL Error: WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED" when validating SSSC RDS Application account.

Cause: Certificate CRL revocation checking failed.

Resolution: Ensure CRL/OCSP revocation addresses are accessible. Use provided verification articles to check.

Notes: Certificate itself may still be valid; the error is about revocation checking.

 

Error: System.Security.Cryptography.CryptographicException—RDP Proxy launch

Source: View Article

Product: Secret Server On-Prem

Known environments: IIS, Secret Server On-premise

Issue: RDP session remains pending; logs show CryptographicException: The system cannot find the file specified.

Cause: Load User Profile set to False in IIS Application Pool.

Resolution: In IIS Manager, set Load User Profile to True in the Secret Server Application Pool Advanced Settings, then perform an iisreset.

Notes: Secret Server requires Load User Profile enabled and will report a critical alert if not.

 

Error: TCP 10061—Connection Actively Refused (vaulting service accounts)

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem

Issue: TCP Error Code 10061 when manually vaulting a service account.

Cause: RabbitMQ service is not running or required ports are not accessible.

Resolution: Verify RabbitMQ service is running and ports 5672, 5671, 25672-25682, 15672/15671 are open and accessible.

Notes: —

 

Error: "The certificate chain was issued by an authority that is not trusted" (RDP Proxy)

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server Distributed Engine

Issue: Error in RDP proxy handshake: "The certificate chain was issued by an authority that is not trusted."

Cause: The certificate is issued by a certificate authority that is not trusted.

Resolution: Add the issuing certificate authority to the trusted root certification authorities store on the proxy host.

Notes: Proxy logs in SS.log (web nodes) or SSDE.log (distributed engines).

 

Error: "The license name and key are not valid"

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server on-prem

Issue: Error when installing a new license key stating the name and key are not valid.

Cause: Error entering the key—extra characters, spaces, or outdated Secret Server version.

Resolution: Copy license to notepad first, ensure no extra spaces, ensure Secret Server is up to date.

Notes: License keys come in five sets of 5-digit alphanumeric characters separated by hyphens.

 

Error: "The provided anti-forgery token failed validation"

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server Cloud

Issue: "The provided anti-forgery token failed validation" error.

Cause: Discrepancies in browser session cookies after login, commonly caused by a proxy server stripping or modifying cookies.

Resolution: Clear browser cache. Contact the proxy administrator to check if cookies are being altered.

Notes: —

 

Error: "The request is invalid"—sharing secret permissions

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server Cloud; Secret Server Online; Secret Server On-Prem; Vaulting (Secret Server)

Known environments: Secret Server - All versions, Share Secrets

Issue: Error "The request is invalid" when altering permissions to share a secret.

Cause: Invalid payload data—secretAccessRoleId is null for some entries.

Resolution: Use browser developer tools to inspect the API payload, identify entries with null secretAccessRoleId, correct permissions or remove invalid entries.

Notes: Alternatively, recreate the secret to resolve.

 

Error: "The SQL that was provided is not valid for reporting"

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-Prem

Issue: Error "The SQL that was provided is not valid for reporting" when saving a custom report.

Cause: SQL query contains blacklisted protected words or incorrect syntax.

Resolution: Avoid protected words (e.g., "user" as column alias). Use alternative naming.

Notes: —

 

Error: "The supplied credential is invalid" (Directory Services)

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server using Directory Services to synchronize with Active Directory

Issue: Cannot save changes to Directory Services configuration—"The supplied credential is invalid."

Cause: Credentials were changed outside of Secret Server, or the Secret Template was changed creating a new secret.

Resolution: Navigate to Directory Services, select the Synchronization Secret, validate credentials, perform a heartbeat.

Notes: —

 

Error: "This computer can't connect to the remote computer" (RDP Proxy)

Source: View Article

Product: Vaulting (Secret Server)—Connection Manager; Platform; Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server on-prem, Cloud, Platform, Connection Manager, Protocol Handler

Issue: RDP launcher fails. DE logs show "Password is incorrect" in RDP handshake.

Cause: LM and NTLM methods do not support RDP Proxy security requirements.

Resolution: Set LAN Manager authentication level to "Send NTLMv2 response only" (or higher) on client computers and DEs via Local Security Policy, Group Policy, or Registry.

Notes: See RDP Proxy technical notes and troubleshooting KB.

 

Error: "This field requires an email address in the following format"

Source: View Article

Product: Secret Server (Vaulting)

Known environments: Secret Server Cloud

Issue: When editing the SSC "From" email address, an error appears requiring a region-specific email format.

Cause: Instances are provisioned with admin@secretservercloud.com, but the update process expects a region-specific domain.

Resolution: Enter the email address in the format: admin@secretservercloud.com..

Notes: This can also cause errors when exporting/importing settings between regions.

 

Error: TLS Error Detected—Remote certificate name does not match remote host

Source: View Article

Product: Secret Server Cloud—Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-Prem, Microsoft Active Directory

Issue: When enabling Use LDAPS in Active Directory Sync, certificate validation fails due to a mismatched hostname.

Cause: Missing required _sites SRV records when syncing a separate domain with no trust.

Resolution: Mirror the remote domain's _msdcs entries for _ldap SRV records in local DNS.

Notes: Reference: Delinea docs on configuring DNS records.

 

Source: View Article

Product: Secret Server On-Prem—Privilege Manager; Secret Server On-Prem

Known environments: Secret Server on Premise

Issue: TMS-related error codes in system logs: "Unable to retrieve alert messages from TMS" and "Cannot use a leading .. to exit above the top directory."

Cause: —

Resolution: Run SQL: UPDATE tbConfiguration SET TmsRootUrl = NULL. Wait 3-5 minutes for settings to update.

Notes: Applies when TMS is no longer in use or Secret Server was installed with Privilege Manager.

 

Error: "Too Many Redirects"

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem (Any Version)

Issue: "Too Many Redirects" error in the browser when navigating to Secret Server.

Cause: The .NET Authorization Rules at the server level in IIS were not set to allow all users.

Resolution: In IIS Manager, click server name > .NET Authorization Rules > Add Allow Rule for All users.

Notes: —

 

Error: "Unable to establish a secure SSL/TLS channel" (script/API)

Source: View Article

Product: Secret Server Cloud

Known environments: Any Secret Server environment using scripting with the API

Issue: Script using the API fails—"Unable to establish a secure SSL/TLS channel."

Cause: PowerShell does not send information using TLS 1.2 by default, which is required (always for Cloud).

Resolution: Add to script top: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Notes: —

 

Error: "Unable to find one or more data replication package parts" (DR sync)

Source: View Article

Product: —

Known environments: Secret Server environments using Disaster Recovery (Resilient Secrets)

Issue: DR sync shows "Unable to find one or more data replication package parts, verify all system clocks are synchronized."

Cause: Server times are off by a second or more.

Resolution: Ensure times on all involved servers match. For Cloud, match time at time.gov.

Notes: —

 

Error: "Unable to find the requested .Net Framework Data Provider" (MySQL RPC/Heartbeat)

Source: View Article

Product: Vaulting (Secret Server)

Known environments: Secret Server, MySQL Remote Password Changer

Issue: RPC and Heartbeat fail with error about missing .NET Framework Data Provider.

Cause: MySQL.data.dll alone is insufficient; the full MySQL Connector/NET installer is required.

Resolution: Download and install MySQL Connector/NET, update DE ignore file, restart DE service. For web nodes: install, restart IIS.

Notes: —

 

Error: Unable to remove synced group after Azure AD group deletion

Source: View Article

Product: Secret Server

Known environments: —

Issue: Synced group cannot be removed from Secret Server after the Azure AD group was deleted.

Cause: Secret Server only shows active groups as valid sync options.

Resolution: Recreate the group in Azure with the identical name, run Sync Now, then remove from sync, then delete in Azure.

Notes: —

 

Error: Unable to save Discovery Import Rule—"Invalid" for takeoverSecretIds

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server Cloud

Issue: Unable to save changes to a Discovery import rule. HAR shows "Invalid" for takeoverSecretIds and passwordChangingPrivilegedAccountSecretIds.

Cause: —

Resolution: Go to the Secret Template used by the Takeover Secret and Privileged Account > Mapping tab > ensure "Enable remote password changing" is set to Yes.

Notes: —

 

Error: "Unknown User name or Bad Password"—Heartbeats via DE for local Windows accounts

Source: View Article

Product: —

Known environments: Secret Server environments using Distributed Engines

Issue: "Unknown User name or Bad Password" error on Heartbeats/password verification.

Cause: —

Resolution: Upgrade to Distributed Engine version 8.4.71.0+.

Notes: —

 

Error: "Value cannot be null. Parameter name: address" (email send)

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server and Secret Server Cloud

Issue: Error "Value cannot be null. Parameter name: address" when sending an email.

Cause: User Account does not have an email address associated with it.

Resolution: Open User Preferences, add an email address in the General Tab.

Notes: —

 

Error: "Value cannot be null. Parameter name: address" (test email)

Source: View Article

Product: Secret Server On-Prem—Platform; Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: All Secret Server/Platform versions

Issue: "Error Value cannot be null. Parameter name: address" when testing email.

Cause: User profile does not have an email configured.

Resolution: Select your user profile and add a valid email address.

Notes: "Send Test Email" uses the email from the logged-in user's account.

 

Error: "Value cannot be null. Parameter name: v1" (Site Connector validation)

Source: View Article

Product: Secret Server On-Prem

Known environments: All Secret Server on-prem environments

Issue: Site Connector validation fails with "Value cannot be null. Parameter name: v1."

Cause: Site Connector credentials in RabbitMQ are incorrect, or load balancer adds headers that RabbitMQ cannot process.

Resolution: Verify credentials in RabbitMQ Management Interface. For load balancer: add proxy_protocol = true to rabbitmq.conf. For TLS: verify certificate validity.

Notes: Once proxy_protocol is enabled, RMQ will only accept connections through the proxy.

 

Error: "Your licensing is not up to date"

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server on-prem

Issue: Users see a banner error stating "Your licensing is not up to date."

Cause: Licenses have expired, are missing, or there are more active users than licensed.

Resolution: Check Settings > Licenses to ensure licenses haven't expired, user count doesn't exceed licenses, and all licenses are installed.

Notes: —

 

Error: "Your session has expired" (Netskope IP change)

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: —

Issue: "Your session has expired, please log in again" error upon login.

Cause: Netskope changes the IP address, causing session key to be used from a different IP.

Resolution: Contact Netskope support to resolve the IP address changing issue.

Notes: Verify by checking user Audit Logs for LOGIN SUCCESS followed by LOGIN FAILED with IP mismatch.

 

Error: "Your session has expired, please log in again"

Source: View Article

Product: Platform; Secret Server; Secret Server Cloud

Known environments: All Secret Server products connecting to Active Directory.

Issue: AD user logins fail despite correct password; intermittent authentication failures.

Cause: —

Resolution: Validate DNS resolution, test LDAP connectivity, verify CRLs, confirm LDAPS certificates, ensure login completes in under 30 seconds.

Notes: —

 

How-To

 

Adding Secret Fields to a Report in Secret Server

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-Prem

Issue: Need to show encrypted secret field information in reports.

Cause: Secret field data is encrypted in the database by default.

Resolution: Enable "Expose for Display" on each required field in the Secret Template, then create a custom report using SQL that joins tbSecret, tbSecretItem, and tbSecretField.

Notes: —

 

Capturing a HAR File from a Browser Extension

Source: View Article

Product: Secret Server Cloud; Secret Server On-Prem

Known environments: Environments using Delinea Credential Manager or web Password Filler browser extensions

Issue: —

Cause: —

Resolution: In Chrome/Edge: right-click extension > Manage Extension > Developer mode > Inspect views > Network tab > Preserve log > Reproduce issue > Save HAR. In Firefox: Manage Extension > Debug Add-Ons > Inspect > Network tab.

Notes: HAR files may contain sensitive data including cookies and passwords.

 

Changing an MSSQL Local Account Password Using a Domain Account as a Privileged/Service Account

Source: View Article

Product: Secret Server On-Prem

Known environments: 11.8.000001

Issue: Unable to change the MSSQL Local Account password using a Domain Account as the Privileged/Service Account.

Cause: —

Resolution: Use Windows Authentication instead of SQL Authentication for the Domain Account. Follow the RPC for SQL accounts documentation. Check SQL Server Authentication mode, Privileged Account Securables, and SQL Account settings.

Notes: Tested with Domain Account and SQL Local Account as Privileged Account; both work.

 

Collecting Troubleshooting Information for Secret Server Cloud and On-Premises

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server On-Premise, Secret Server Cloud

Issue: What common information does Delinea Support need when a support case is opened?

Cause: —

Resolution: Collect: concise problem description with error messages, logs (SS logs, DE logs, IIS logs, RabbitMQ logs), screenshots, number of affected users/endpoints, timestamps with time zone, product versions, server/client logs, network traces, architecture overview, SQL traces where applicable.

Notes: —

 

Configuring a Sybase Client to Work with Secret Server

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: —

Issue: Sybase heartbeat/RPC fails—DLL not found error.

Cause: Sybase ADO.NET client DLL missing from application directories.

Resolution: Download SAP Adaptive Server Enterprise ADO.NET Data Provider, copy the DLL to Secret Server bin and/or Distributed Engine directory.

Notes: —

 

Configuring and Troubleshooting Oracle Database 19c for Heartbeat and RPC

Source: View Article

Product: —

Known environments: Secret Server 10.7, DE 10.7, Oracle Database 19c

Issue: —

Cause: —

Resolution: Install ODAC OUI matching the database version, copy Oracle.DataAccess.dll to Secret Server bin and DE directories, add DbProviderFactories entry to machine.config. Troubleshoot: check ODAC version match, database field (SERVICE_NAME), machine.config formatting.

Notes: —

 

Configuring the Required User Name Format for Secret Server SAML Authentication

Source: View Article

Product: Secret Server Cloud; Secret Server On-Prem; Vaulting (Secret Server)

Known environments: Secret Server On-Premise, Secret Server Cloud

Issue: "No user was found for your SAML account" error during SAML login.

Cause: User not in tbUser, IDP doesn't provide user name in expected format, or UPN mismatch in database.

Resolution: Configure IDP to pass user name in 'domain\username' format or UPN format matching Secret Server records.

Notes: If UserPrincipalName is blank, Secret Server defaults to 'tbdomain.domain\tbuser.username' for matching.

 

Creating a Custom Windows Service to Run PowerShell Like Secret Server

Source: View Article

Product: —

Known environments: Secret Server (and other products), PowerShell scripts

Issue: —

Cause: —

Resolution: Use NSSM to create a Windows Service that runs PowerShell scripts with the same account context as the DE or IIS service account. This isolates Secret Server from testing.

Notes: —

 

Creating a New Dependency Changer for Synchronizing Passwords During RPC

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server, Active Directory

Issue: —

Cause: —

Resolution: Create a PowerShell dependency script to update child secrets after the parent secret's password is changed. Configure parent secret with child secret IDs in Notes, create dependency changer, attach script.

Notes: The process begins with rotation of the parent secret's password, then the dependency script updates child secrets.

 

Exporting a Website Certificate and Validating Using certutil

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server

Issue: —

Cause: —

Resolution: Export certificate from browser (padlock icon > Certificate > Details > Export), then run: certutil -verify secretserver_cert.crt > certutil_verify_output.txt. Review output for CRL, OCSP, revocation errors.

Notes: Common causes include untrusted CAs, missing intermediate certificates, expired certificates, proxy/firewall interception, CRL/OCSP endpoint unreachable.

 

Forcing Kerberos Heartbeat Method for an Active Directory Account

Source: View Article

Product: Vaulting (Secret Server)—Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server on-prem, Microsoft Active Directory

Issue: Active Directory heartbeat fails with error 1385 for protected user accounts.

Cause: domain\username format causes Windows to attempt NTLMv2 which may be restricted by policy.

Resolution: Specify user name as UPN format (username@domain.com) to force Kerberos authentication.

Notes: Protected Users in AD require Kerberos authentication.

 

Generating a Self-Signed Certificate for Secret Server Using PowerShell

Source: View Article

Product: Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-Prem

Issue: —

Cause: —

Resolution: Use provided PowerShell script with New-SelfSignedCertificate cmdlet, SHA256/4096-bit, Microsoft Enhanced RSA provider. Export as PFX.

Notes: Subject name is irrelevant. For Cloud, use instance name (e.g., example.secretservercloud.com).

 

Locating IIS Log Files

Source: View Article

Product: Secret Server On-Prem

Known environments: Secret Server On-Prem environments

Issue: —

Cause: —

Resolution: In IIS Manager, click server name > Logging > copy Directory value. Logs are in W3SVC folders; ID column corresponds to folder numbers.

Notes: —

 

Locating Remote Password Change and Heartbeat Logs for a Secret

Source: View Article

Product: Secret Server Int

Known environments: Secret Server, Remote Password Changing

Issue: —

Cause: —

Resolution: Open the Secret, note the Secret ID, identify the site, review the Audit tab. Search logs for "request for Secret Id " and "Result for Secret Id ". Enable Verbose logging if INFO-level is insufficient.

Notes: Use Notepad++ Find in Files (Ctrl+Shift+F) for searching across multiple log files.

 

Outputting PowerShell Script Variables When Troubleshooting a Script in Secret Server

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server

Issue: —

Cause: —

Resolution: Add a transcript logging block to the script that writes arguments to a text file using Start-Transcript. Navigate to Settings > Scripts, edit and test.

Notes: Assumes scripting is already configured (WinRM/CredSSP).

 

Setting Up and Troubleshooting Custom Process Launchers

Source: View Article

Product: All editions of Secret Server

Known environments: —

Issue: —

Cause: —

Resolution: Create custom process launcher via Admin > Secret Templates > Configure Launchers > New. Set Process Name, Process Arguments (using $ fields), Run As options. Add to Secret template via Configure Launcher.

Notes: Common errors include "process not found" (install app/add to PATH), "stub received bad data" (wrong credentials), and Error 740 (use cmd.exe wrapper for elevation).

 

Setting Up and Troubleshooting VMware ESXi with Secret Server

Source: View Article

Product: —

Known environments: Secret Server, VMware ESXi

Issue: —

Cause: —

Resolution: Follow the VMware ESXi configuration documentation for Secret Server integration, including PowerCLI module installation and password changer configuration.

Notes: —

 

Testing Proxy Connections Using Proxy Credentials

Source: View Article

Product: Vaulting (Secret Server)

Known environments: Secret Server Cloud, Secret Server On-Prem

Issue: —

Cause: —

Resolution: From the client machine, access the secret > More > Show Proxy Credentials > select launcher > enter proxy server > use the proxy credentials to test a direct RDP connection.

Notes: The Show Proxy Credentials option requires the View Secret Proxy Credentials role permission. The permission is included by default; if it has been removed from the user's role, the option will not appear. See View Secret Proxy Credentials.

 

Testing Syslog Functionality

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Any Secret Server environment

Issue: —

Cause: —

Resolution: Enable Syslog output in Settings > Application, set server IP to the web server or DE, then use provided TCP or UDP PowerShell listener scripts and click "Test System Log."

Notes: —

 

Testing the Secret Server Session Connector API

Source: View Article

Product: Secret Server Cloud

Known environments: Secret Server, Secret Server Session Connector

Issue: —

Cause: —

Resolution: Download SessionConnectorAPITest.zip from GitHub, extract, run SecretServerRestClientTest.exe with credentials and URL. A successful connection returns an API token.

Notes: Avoid special characters that are shell escape characters when entering passwords.

 

Testing WinRM and CredSSP in Secret Server

Source: View Article

Product: —

Known environments: Secret Server Cloud or On-Prem

Issue: —

Cause: —

Resolution: Navigate to Settings > Scripts > Test Script. Select PowerShell - WinRM, choose site, select secret for the running account. Successful output shows "Remote PowerShell test successful."

Notes: —

 

Troubleshooting Error 96258 for SSH Password Changes

Source: View Article

Product: Vaulting (Secret Server)

Known environments: Secret Server On-Prem, Secret Server Cloud, Linux/Unix Servers

Issue: Error 96258 is a common generic error for SSH password changes.

Cause: —

Resolution: Enable All level logging for DE. Navigate to Settings > Password Changers > select changer > Test Action for Password Change Commands > then Test Action for Verify Password Change. Review errors and contact Support if needed.

Notes: —

 

Troubleshooting RDP Proxy Connection Issues

Source: View Article

Product: Secret Server Cloud—Secret Server; Secret Server Cloud; Secret Server On-Prem

Known environments: Secret Server Cloud, Secret Server On-Prem

Issue: General RDP proxy connectivity issues—launch fails without clear error message.

Cause: —

Resolution: Verify prerequisites (NTLMv2, NLA, CredSSP), test connectivity from launching machine to proxy (Test-NetConnection), verify proxy to target via MSTSC. Check proxy ports, logs, certificate validation, protocol handler version.

Notes: Glossary: Launching machine, Proxy machine, Target machine, Site.

 

Using Fiddler Classic as a Proxy to Trace Traffic for a Secret Server Web Server

Source: View Article

Product: Secret Server On-Prem—Secret Server; Secret Server On-Prem

Known environments: Secret Server on-prem

Issue: —

Cause: —

Resolution: Install Fiddler Classic, enable HTTPS Decryption, trust root certificate. Configure Firefox manually (127.0.0.1:8888). Chrome/Edge use system proxy by default.

Notes: —

 

Verifying CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol) Using certutil

Source: View Article

Product: Secret Server On-Prem—Secret Server

Known environments: Secret Server

Issue: —

Cause: —

Resolution: Run: certutil -f -urlfetch -verify example.crt > certutil-results.log. Review the log for errors related to certificate verification.

Notes: CRLs are lists of revoked certificates; OCSP allows real-time verification.