Secret Server Release Notes 10.4.000000

Release Date: 1/17/2018

Customers with trial licenses in their Secret Server instance who upgrade to 10.4 will be required to activate those licenses.


  • Secret Server SDK: The Secret Server SDK replaces and improves upon the existing functionality of the Java API and .NET/Application API. Users can leverage this SDK to tokenize credentials in scripts and configuration files for .NET web applications. The SDK can also call for a REST Web Services authentication token for added functionality. Finally, the SDK has a local encrypted cache for every location it is installed in to allow for quicker transit times and resiliency in case communication with Secret Server is lost.

  • Session Monitoring Multiple Nodes: Clustered Secret Server environments will now automatically split the processing load for Session Monitoring events.

  • AD Credential Cache: Secret Server can create an encrypted storage for hashes of Active Directory users' credentials that is updated on every successful authentication to Secret Server and allows for users to continue to access Secret Server even if communications are lost between Distributed Engine and the Domain Controller(s).

  • Secret Server now has a REST endpoint to manage Secret dependencies.

  • Secret Server now has a REST endpoint to manage groups.

  • Secret Server's Firefox browser extension has been updated so it can continue to work with the latest versions of Firefox.

  • Secret Server can now communicate to SIEM tools using a TLS connection.

  • TLS connection successes and failures with Active Directory Synchronization and SIEM integration are now audited.

  • Secret Server can now send audits to Windows Event Logs.

  • Enhanced Dashboard search performance.

  • Enhanced Active Directory synchronization performance.

  • File uploads on Secrets now have file extension and size restrictions.

  • Added a Security Hardening report to indicate whether email communications are set to use HTTPS.

Bug Fixes

  • Fixed issue where SSH custom password changers failed Heartbeat when using SSH Key authentication.
  • Fixed issue where Discovery would incorrectly show as misconfigured despite having configured Discovery sources.
  • Fixed issue where random password generation may generate a password containing 2 consecutive characters contained in the Active Directory username.
  • Fixed issue where the login assist for Chrome would not work if an IP address was in the URL field of a Secret.
  • Fixed issue where numerous domains in Discovery could cause failures in communicating with the SQL database.
  • Fixed issue where Discovery would only use the correct Distributed Engine Site on the first dependency type when scanning for all dependencies across multiple domains.
  • Fixed issue where a significant number of Secrets that were failing a password change would freeze Distributed Engine.

    Security Fixes

  • Fixed XXE issue on Web Launcher configuration page.
  • Fixed XXS issues on New Engines management page.
  • Fixed XSS issue on Secret Dependency Changers page.
  • Fixed issue where Secret Server upgrade logs written to the server hosting Secret Server were accessible via a URL.
  • Fixed issue where Remember Me for 2FA bypassed Duo's deny logon security settings on users in some cases.
  • Updated PuTTY client for Session Launching to v0.70.
  • Fixed potential security issue where the RDP service port on the client machine could be used to open a concurrent RDP session to the target machine when RDP connections were proxied through Secret Server.
  • Fixed LESS Injection issue on Theme management page.
  • Fixed issue where language resource ASHX files in Secret Server could be accessed by any user with access to the application.
  • Fixed issue where default settings on PuTTY logging settings could expose the password of a user.