Enabling Launchers

Introduction

By default, the launcher is enabled by the Enable Launcher setting on the Configuration page.

The launcher (protocol handler) can be deployed in two ways—with the Protocol Handler MSI installer (recommended) or ClickOnce. This can also be set in the configuration settings. The MSI installer allows the launcher to be used in virtualized environments or any environment in which the user does not have access to a Windows Temp directory. The Protocol Handler can be downloaded by clicking one of the links under the Protocol Handler section: 

MSI Installer

To use the MSI installer (protocol handler installer) following steps below:

  1. Select Settings.

  2. In the Tools and Integrations section, click Launcher Tools.

  3. In the section labeled Protocol Handler Installer, select the Download Protocol Handler MSI link for the operating system you want to install on.

  4. Run the MSI file with admin privileges.

The session is kept in check for security reasons with the session process pinging back to Secret Server to ensure it is still valid. This checks secret settings, such as checkout and secret access. If that check fails or the callback times out, Secret Server errs on the side of security and kills the sessions, ensuring access is not allowed.

Installing by Group Policy

The Protocol Handler application runs without requiring any input from the user. The installation may be pushed to your network without any special configuration. For details, see Installing Protocol Handler Through Group Policy.

Securing the Protocol Handler

Protocol Handler security is a frequent topic in penetration tests and vulnerability assessments. The following mechanisms help ensure that only trusted Secret Server URLs can trigger launches.

First-Time URL Verification

When the Protocol Handler connects to a Secret Server URL for the first time, it prompts the user to confirm whether the URL is legitimate.

  • If the user confirms the URL is legitimate: The launch proceeds normally. The URL is trusted for future launches on that machine.

  • If the user rejects the URL: The URL is blocked on that machine. All subsequent launch attempts from that URL will fail with an error message.

Administrative Control via Registry Key (Allowed Domains)

Administrators can manage allowed Secret Server URLs centrally using a registry key, bypassing the per-user prompt entirely. This is the recommended approach for enterprise environments.

Registry key path:

HKLM\Policies\Thycotic\ProtocolHandler\AllowedDomains

To configure allowed domains:

  1. Navigate to the key above (create it if it does not exist).

  2. Add one or more string values under the key, where each value is the URL of an allowed Secret Server site.

Behavior:

  • If any values are present in this key, only the URLs listed will be permitted. All other URLs will be blocked.

  • If the key is empty or does not exist, the per-user prompt (described above) is used instead.

ClickOnce (Legacy)

ClickOnce has not been the default installation method for several years and is not available in Secret Server Cloud environments. For most users, the Protocol Handler installer is the recommended approach.
A ClickOnce application is any Windows Presentation Foundation (.xbap), Windows Forms (.exe), console application (.exe), or Office solution (.dll) installed with ClickOnce technology in one of three ways: from a Web page, from a network file share, or from media. See ClickOnce Security and Deployment for details.