Protocol Handler Administrative Settings

The Secret Server protocol handler has several administrative settings that you can configure through Microsoft's Group Policy Objects (GPOs) or through Secret Server itself.

We strongly recommend using GPOs instead of Secret Server.

Available Settings

Allowed Secret Server Domains

This setting controls which domains or IP addresses the protocol handler installation may connect to.

Behavior prior to Protocol Handler 6.0.3.48: If the setting is not set or is disabled, the protocol handler can connect to any domain. If one or more comma-separated values are provided, the protocol handler is blocked from accessing any domain or IP address not included in the list.

Behavior in Protocol Handler 6.0.3.48 and later: When Group Policy (GPO) settings for Allowed Secret Server Domains are present, only those domains are allowed. When GPO settings are not present, the first Secret Server domain the protocol handler successfully contacts is automatically added to the local allow list. Subsequent attempts to contact other domains are rejected.

To support multiple different Secret Server instances, configure Allowed Secret Server Domains via GPO.

It is important to note that the protocol handler performs a string match against the URL it receives. It does not attempt to resolve domain names to IP addresses. Values in the allow list should match only the domain or IP address portion of the actual URL used to access Secret Server.

For example, if users access your installation via https://example.com/SecretServer, then example.com should be added to the list. If example.com resolves to the IP address 192.168.1.5, then adding that IP address will not allow access to the domain if users actually access it via example.com.

Wildcards are not supported, and subdomains are treated as distinct hosts. Continuing with the example above, the entry for example.com would not allow www.example.com; the two may need to be added separately, depending on your configuration.

Ports and protocols must be omitted, because only the domain portion is checked. Entries such as https://example.com or example.com:885 are invalid; the single entry example.com covers both scenarios.
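The following model is an added illustration, not the protocol handler's own code, of the matching rules described in this section: only the host portion of the URL is compared, by exact string match, with no DNS resolution, no wildcards, no scheme or port in an entry, and subdomains treated as separate hosts. It also models both documented version behaviors (the pre-6.0.3.48 "empty list allows everything" rule and the 6.0.3.48-and-later pinning of the first contacted host when no GPO list is present). All function and class names, and the sample setting value, are constructed for the example; treating any colon as a port separator is an assumption, since the page does not discuss IPv6 literals.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed sample value for a GPO-supplied Allowed Secret Server Domains setting.
SAMPLE_GPO_SETTING = "example.com, 192.168.1.5"


def host_of(url: str) -> str:
    """Return only the host portion of a Secret Server URL.

    Scheme, port and path are discarded, mirroring the documented rule that
    only the domain or IP address portion of the URL is compared.
    """
    host = urlsplit(url).hostname  # urlsplit lower-cases the host for us
    if not host:
        raise ValueError(f"no host portion in {url!r}")
    return host


def entry_problem(entry: str) -> str | None:
    """Describe why an allow-list entry is invalid, or return None if it is usable.

    Assumption (not stated on the page): IPv6 literals are not considered, so
    any colon is treated as a port separator.
    """
    if "://" in entry or "/" in entry:
        return "contains a scheme or path; list only the domain or IP address"
    if ":" in entry:
        return "contains a port; only the domain portion is checked"
    if "*" in entry:
        return "contains a wildcard; wildcards are not supported"
    return None


def parse_allow_list(raw: str) -> tuple[list[str], dict[str, str]]:
    """Split the comma-separated setting value into accepted hosts and rejected entries."""
    accepted: list[str] = []
    rejected: dict[str, str] = {}
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        problem = entry_problem(item)
        if problem:
            rejected[item] = problem
        else:
            accepted.append(item.lower())
    return accepted, rejected


def legacy_allowed(allow_list: list[str], url: str) -> bool:
    """Behavior prior to 6.0.3.48: an empty list allows any host, otherwise exact match only."""
    return not allow_list or host_of(url) in allow_list


class PinnedAllowList:
    """Hypothetical model of the 6.0.3.48-and-later behavior.

    A GPO-supplied list is authoritative (an explicit list whose entries are all
    invalid therefore blocks everything). Without a GPO list, the first host that
    is successfully contacted is added to a local list and every other host is
    rejected afterwards.
    """

    def __init__(self, gpo_setting: str | None = None):
        self.gpo_hosts = parse_allow_list(gpo_setting)[0] if gpo_setting else None
        self.local_hosts: list[str] = []

    def may_contact(self, url: str) -> bool:
        """Decide whether a connection to url is permitted; pins the first host if no GPO list."""
        host = host_of(url)
        if self.gpo_hosts is not None:
            return host in self.gpo_hosts
        if not self.local_hosts:
            # Assumes this first contact succeeds; the product pins the host only on success.
            self.local_hosts.append(host)
            return True
        return host in self.local_hosts


if __name__ == "__main__":
    hosts, bad = parse_allow_list("example.com, https://example.com, example.com:885")
    print("accepted:", hosts)
    print("rejected:", bad)
    gpo = PinnedAllowList(SAMPLE_GPO_SETTING)
    for url in ("https://example.com/SecretServer",
                "https://www.example.com/SecretServer",
                "https://example.com:885/SecretServer"):
        print(url, "->", gpo.may_contact(url))
```

Running the block shows that example.com:885 and https://example.com are rejected as entries while https://example.com:885/SecretServer is still allowed by the plain example.com entry, and that www.example.com is refused even though example.com is listed. The pinning model makes the operational point of the section concrete: without a GPO list, an installation that first reaches one Secret Server instance will refuse every other instance, so multi-instance environments need the GPO setting.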

Disable Auto-Update

This setting ensures the protocol handler never auto-updates itself, even when the Secret Server installation it connects to instructs it to update.

When this setting is enabled, protocol handler installations need to be updated either manually or as part of your organization's regular program-update process.

Configuration Methods

If your domain is configured to use GPOs, we strongly recommend using that to configure the protocol handler.

Choosing a Configuration Method

Why use GPOs instead of Secret Server?

  • GPOs are more resilient, as Windows reapplies settings if they are deleted from the registry. Settings applied through Secret Server have no such resilience.
  • GPOs are centrally managed along with other settings for machines in your domain.
  • For security reasons, Secret Server's configuration can only be applied during the initial installation of Secret Server. If you change these settings within Secret Server, users must reinstall the program before they will be applied. GPOs do not have this restriction.

Configuring through GPOs

You can download GPO definitions for your version of Secret Server by searching for Launcher Tools in the UI. For details about using these policy definition files, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Settings are available in the group policy editor under (Computer/User) Configuration > Administrative Templates > Secret Server Protocol Handler.

Both machine and user configurations are supported. Machine configurations, however, override user configurations. If a machine configuration exists, the user configuration is ignored.

Configuring Settings During Secret Server Installation

If you determine that using Secret Server's settings is necessary, you can configure them under Settings > All Settings > Configuration > Launcher Settings > Protocol handler installer. The Protocol Handler Settings (Install-Time) page loads, where you can turn on the Enable install-time settings option and edit the settings.

Enabling these settings causes downloads to generate a zip file rather than an MSI file. The zip file contains a batch file that configures the install-time settings. These settings only update when the protocol handler is manually reinstalled or updated—changing them later on through Secret Server has no effect on protocol handlers that are already installed on user machines.

Timeouts and Launch Behavior Issues

When launching a secret, you may see the alert Protocol Handler Failed to Launch. The launcher application may not be installed. This message is a false positive—the launcher still starts successfully after a short delay (3–5 seconds).

The timeout that triggers this alert is set to 15 seconds, which is the amount of time Secret Server waits for the Protocol Handler to launch. If it fails to launch within this time, the user will be prompted to download the Protocol Handler.

This timeout is hardcoded within the application and cannot be adjusted through the user interface or configuration settings.