Secret Server: 10.9.000064 Release Notes

10.9.000065 is a retroactive patch for this release. Please see Secret Server 11.7.000001 Release Notes for details.

Release date:

  • April 13, 2021 (on-premises version)
  • April 3 - May 15th, 2021. Release date is dependant on region (cloud version)

Important: These notes cover the General Availability release of version 10.9.000064. The general release is not till April 13, 2021 for the on-premises version and between April 3rd and May 15th 2021, depending on region, for the cloud version. If you are not part of the early release program, or are in a Secret Server Cloud region that has not yet received the 10.9.00064 release, please use the Secret Server: 10.9.000005/33 Release Notes notes instead.


  • April 3rd: 10.9.000064 released to Secret Server Cloud in the Canada and Southeast Asia regions. Secret Server
  • April 10th: 10.9.000064 released to Secret Server Cloud in the Australia region.
  • April 13th: 10.9.000064 On-Premises is released.
  • April 24th: 10.9.000064 released to half of the United States region customers.

Important: If you installed Secret Server as your default or top-level website and you have Privilege Manager (PM) and Secret Server installed together, you may experience the following issues after upgrading to .NET Framework 4.8:

  • PM agents will not register.
  • When a PM agent updates itself (using the agent utility), it states that there are zero policies to download.

If you believe this scenario applies to you, please contact Delinea Support before performing a .NET, Secret Server, or PM upgrade.

Upgrade Notes

Delinea encourages all customers to upgrade at the earliest opportunity.

New Features and Enhancements

SSH Command Blocklisting

SSH command blocklisting allows administrators to configure lists of commands that a user may not enter during a proxied SSH session.

Pre-Check-in Pipeline Trigger

An additional trigger condition is available for secret event policy pipelines. Pre-check-in triggers apply when a secret check in is requested, before the check in occurs. The trigger can stop the pipeline with an error message or run commands.

Configuration Management

Configuration management adds export and import of Secret Server configuration settings.

This facilitates transferring configurations from test to production environments. It also makes setup and configuration of new Secret Server instances easier for customers and partners with multiple installations.

Timeouts for Tiered Workflow

Workflow templates have new timeout configuration options. They allow a workflow to automatically advance to the next step if insufficient responses are received during a configurable period.

Selectable Workflow Steps

Workflow approvals now allow an administrator to choose the next action when a step of the workflow is approved. Available actions are:

  • Approving the entire workflow, disregarding any later steps
  • Moving to the next step of the workflow
  • Moving to a later step in the workflow

CSV Scheduled Reports

Scheduled report configuration now includes the option to attach the report to the scheduled email in a spreadsheet-friendly comma-separated value (CSV) file.

User Interface

  • Migrated to an Angular framework which better supports usability and accessibility.
  • Left navigation menu is now a menu role, which helps accessibility and quickens keyboard navigation.
  • Updated color palette for accessibility.
  • Updated numerous buttons and links that were previously inaccessible with keyboard to improve keyboard navigation and accessibility.
  • Fixed an issue that caused selection and drop-down components to clip behind scrollable elements.
  • Improved labeling and tool tips for Connection Manager configuration.
  • Added a column in the new UI for admins in the users grid for 2FA. The same was added to API user search results.
  • The secret detail side menu now stays present in the UI after navigating away from secret.


  • Added user-defined metadata sections and field values on users, groups, folders, or secrets.
  • Updated and expanded the "custom launcher arguments" field character limit to prevent impact on scripted launchers.
  • Added a redirect service to direct Secret Server internal hyperlink traffic to the updated Delinea documentation portal.
  • Clarified the heartbeat status message on the secret page.
  • Added additional license key support for the Privilege Manager Unix/Linux Server.
  • Improved user data entry input security during Connect As sessions.

Bug Fixes


  • Fixed an issue when creating workflow steps due to the template step stub not being available for the configuration object.
  • Fixed an issue returning a 500 error when getting the triggers for an event pipeline (/api/v1/event-pipeline/{id}/trigger).
  • Corrected the documentation on the endpoint for OAuth to obtain a refresh token.
  • Corrected the documentation to properly cite that a description is required for ReportCreateArgs to create reports.

Heartbeat and RPC

  • Fixed an issue with heartbeat on an AD Sync that prompted an exception.
  • Fixed an issue where the test action of SSH RPC configuration could not handle a dollar sign as the first character of the password.
  • Fixed an issue with a RPC and heartbeat PowerShell script that failed when a privileged account lacked additional permissions.
  • Fixed an issue that caused RPC to have "invalid" failures if values in the password changer were blank, even though the fields were not mandatory according to the configuration.

SSH Terminal

  • Fixed an issue where the SSH terminal did not honor host restrictions for secret launches.
  • Fixed an issue where SSH command menu commands through the SSH terminal did not reset the SSH proxy's timer, causing an inactivity timeout.
  • Fixed an issue where the UI component for the SSH terminal blocklist settings was not visible when the SSH terminal setting was set to "No."
  • Fixed an issue that locked Secret Server user accounts when Unix connections to SSH terminal were made with a keypair and no passphrase. Authentication prompts are determined by Secret Server > Admin > Config > Login > Enable SSH Key Integration (for SSH terminal). If this check box is left unchecked (assuming SSH proxy and terminal are enabled), the user is prompted for a password after trying to SSH into Secret Server. If the box is checked, no attempts to log on with a private key are allowed if "Password Only" is selected. If one of the three other Unix authentication methods are selected, the private key is attempted first (or exclusively, in the case of "Public Key Only").

User Interface

  • Fixed an issue where the UI would freeze when attempting to edit the manual host range on the discovery scanners page.
  • Fixed an issue where in the UI it did not properly display a site after being disabled from a discovery source on a domain.
  • Fixed an issue where the UI would not automatically adjust to display scrolling in modal windows.
  • Fixed an issue in the new UI where moving a folder would not correctly inherit the new parent folder's permissions as displayed.
  • Fixed an issue in the new UI where a validation error was not displayed when a folder was moved to a folder containing a folder of the same name. The fix provides an error message to notify the user and allows the user to pick a new destination.
  • Fixed an issue in the new UI where a group search was not restricted by owner.
  • Fixed an issue with the RPC's associated secrets table hiding columns after a column was resized beyond the workspace.


  • Fixed an issue impacting proper display of last login record in audits for OpenID Connect.
  • Fixed an issue that could cause discovery logs to take longer than usual to load and display.
  • Fixed an issue in Active Directory domain settings that caused the synchronization secret to revert to a previous entry.
  • Fixed an issue that prevented using some identifiers on the distinguished name in directory services. Added a base distinguished name code in the LDAP field configuration to ensure some identifiers do not cause an error.
  • Fixed an issue for Okta SAML login failures due to accounts being re-enabled.
  • Fixed an issue for RDP proxying where the remote host name was not being passed to the protocol handler for the RDP client to display.
  • Fixed an issue where additional DLL files were removed when a distributed engine was upgraded. A data directory "ignore list" file was added to list files that shall not be deleted during the upgrade process.
  • Fixed an issue that prevented a secret's security settings from being edited when an event pipeline policy was set through a secret policy.
  • Fixed an issue that prompted a file upload error on a folder when attempting to attach a file. This occurred when the folder included a secret policy with an event pipeline policy.
  • Fixed an issue with protocol handler where an encoder was initializing even if session recording was disabled. Now the encoder is loaded only if screenshots are taken.
  • Fixed an issue with the C# SDK returning a null after the cache has expired for CacheThenServerAllowExpired.
  • Fixed an issue that could prevent users from logging in using SAML.
  • Fixed an issue in the new UI that prevented domain selection when creating a new user.
  • Fixed an issue where the site connector for a local site would not accept changes to the configuration in the UI. This only applied to system sites.
  • Fixed a permissions issue that occurred when enabling "view requires edit" on a password field that caused a user with only view permissions on a secret to no longer view the one-time password.
  • Fixed an issue with the SAML log on workflow that caused an invalid login page redirection loop with OpenID Connect.
  • Fixed an issue when using the move folder command causing removal of secret policy settings and inherit permissions.
  • Fixed an issue with SDK client management in client onboarding improperly displaying disabled application accounts when editing a user.
  • Fixed an issue with session recording the caused inactivity timeouts when activity timeout was not enabled.
  • Fixed an issue that caused SMTP send failures when the mail server was configured for implicit SSL.
  • Fixed an issue affecting 2FA login when OATH was not properly configured for the user. Log on now redirects to an error page with indication of the configuration issue.
  • Fixed an issue when disabled users were removed from local groups when new members were added to the group.
  • Fixed an issue where browsers can become unresponsive when producing long-running reports.
  • Fixed an issue where Secret Server was not sending metadata to PBA when assigned to a site with a distributed engine, preventing SSO.
  • Fixed an issue where a permissions error is incorrectly prompted when setting a favorite folder.
  • Fixed an issue with SecureBlackbox TISSHClient not being compatible with -etm MAC algorithms. An update for SecureBlackbox has resolved this.
  • Fixed an issue where in SSC where the SSH proxy port was not being accepted.
  • Fixed an issue in 10.9 Upgrade where SQL was missing the DBO schema when creating the table tbEngineServerCapabilties, producing an "object not found" error when verifying the deltas.
  • Fixed an intermittent issue causing an error when using RDP proxy session recording with keystroke recording enabled. The error was intermittent based on which engine handled the connection.
  • Fixed an issue where custom logos set in Secret Server did not display correctly caused by browser-level caching.
  • Fixed an issue where secrets were not checking in after the launcher is closed while using RDP proxy.
  • Fixed an issue where setting the "Allow Duplicate Secret Names" permission option to "No" caused a bulk delete action to produce an error.

Fixes made since Early Adopter Version 10.9.000063

  • Fixed an issue where execution times were longer than expected (waiting for a full timeout) for SSH scripts via the password changers (heartbeat and RPC), discovery, or checkin and checkout hooks.
  • Fixed an issue in the Early Adopter 10.9.000063 version where possible memory leaks could occur.

Pending Deprecations

This section describes planned feature or platform-support deprecations in Secret Server.

  • Internet Explorer 11: Support for Internet Explorer 11 will end on 31 August 2021. Secret Server releases after that date will not support Internet Explorer 11.
  • Secret Server Classic UI: The Classic UI option in Secret Server is scheduled for removal in Q1 2022. After the announced date, the New UI will be the only on in Secret Server.