Secret Server: 11.5.000000 EA Release Notes

Release Dates and Notes

On-Premises: June 9, 2023.

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.8.0

Protocol Handler: 6.0.3.26

New Features

Checked Out Secret View

We added a Checked Out Secret view to Quick Access in the Secrets Folder panel. This quick view shows users all of the secrets that are currently checked out to them.

RADIUS Silent Answer

Silent answer is a new configuration option for RADIUS that allows setting the RADIUS response to a defined string value. This is to support push notification and other interactive variations in advanced RADIUS authentication configuration. The new setting replaces "Attempt User Password" and allows for sending the user password or another predefined string.

Check Out Recovery

We adjusted the behavior of "Force Check In" to allow secret owners with the "Force Check In" role permission to force check in secrets that are set to "Change Password on Check in." The secret is automatically checked out to the owner who initiates the force check in. This helps in situations where a checked out secret with a failing RPC configuration will not check in and remains with a user who cannot remediate the issue. With this change, an owner can take ownership of the checkout session, remediate the secret configuration, and then complete a normal secret check in.

Syslog Metadata for Launched Sessions

For built-in launchers, the launch target host is now included in the details of the Syslog message on a launch event as an additional "Host" field. Previously, this field was sent only for launchers requiring host selection; it is now also sent for launchers with a static host-target mapping.

Launcher Administration Page Conversion

We updated the Launcher Administration pages under Secret Templates to use our new UI patterns with a modern design. No functionality is affected, but the page is more responsive and intuitive.

SSH Key Authentication Passphrase Requirement

We added a new configuration setting to the login configuration page that allows administrators to enable a mandatory requirement for passphrases when users generate SSH keys for SSH Terminal key authentication.

Enhancements

  • Improvement: Added a Managed field to the Discovery Network view to show when a discovery item is managed.
  • Improvement: Added a Password Age column for display on the reworked Discovery Network view.
  • Improvement: Added a Quick Access link to see all Secrets you currently have checked out.
  • Improvement: Added filters to the secret search API endpoint to filter the results by checked out status: paging.filter.showSecretsCheckedOutByUser and paging.filter.showCheckedOutSecrets
  • Improvement: Added info to logs to indicate why users cannot be matched or created in SSC. Find this at Secrets > Admin > Platform Integration > Logs tab. Common notifications include DuplicateUserMappedToDifferentProviderName: The user was initially set up to a different Platform source, the URL or userid (provider key) changed, indicating the original user was deleted. MaxLicensedUsersException: All licenses are taken, so additional users cannot be added.
  • Improvement: Added integration support for Platform users matching local SS users that do not have an @ in their name. If the Platform user is username@local or username@tenantname, then the username portion will be used to match local users on the SS side.
  • Improvement: Added support for LDAP RFC2307 group membership, used in OpenLDAP.
  • Improvement: Added the option to require a passphrase for user public SSH keys.
  • Improvement: Added validation messages to password requirement rules for when password requirements are too complex to reliably generate a password.
  • Improvement: The Discovery service accounts detail page now shows services that run as the directory account as well as the computers on which each service runs.
  • Improvement: Distributed engines no longer need directory services enabled to perform discovery.
  • Improvement: Introduced a new Launch Secret role permission, which is needed to use launchers. This permission is automatically granted to roles with the View Secret permission, which previously controlled this behavior.
  • Improvement: Removed the secretitemvaluetransitionhistory.aspx page and replaced it with an API endpoint, removing the possibility of bypassing the Hide Launcher Password control.
  • Improvement: RPC heartbeat and password change logs are now full screen instead of a dialog box.
  • Improvement: The PowerShell script timeout no longer defaults to 90 seconds. Instead, it now uses the value from the Event Pipelines Maximum Script Run Time (Minutes) setting in advanced configuration.
  • Improvement: The new folder icon in the secret panel no longer shows if the user does not have the Administer Folders role permission.
  • Improvement: The user audit report now has a filter panel and a description for how rotated secrets are calculated for this report.
  • Improvement: There is now a pending RPC screen and a timer that checks you back in, so that secret information cannot be viewed indefinitely.
  • Improvement: Users can no longer access secrets that have failed processing a password change. Instead, they are shown a message stating the change failed.
  • Improvement: We now initially load 60 secrets when viewing a grid to support 4k monitors. This was previously 30.
  • Improvement: Within the details of the syslog message, there is now a Username field that contains the mapped username for the launcher on a launch event. It appears as Username: [<username>] for the built-in launchers.
  • Improvement: Within the details of the syslog message, there is now a Host field with the value of the mapped host for the launcher on a launch event. It appears as Host: [<host>] for the built-in launchers.
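
The Username and Host fields described in the two items above (and under Syslog Metadata for Launched Sessions) can feed a first-seen-host check on launch events. The following is an added example, not vendor code: only the "Username: [...]" and "Host: [...]" notation comes from these notes, while the sample lines, the rest of the message layout and the baseline are constructed.

```python
import re

# Field notation from the release notes: "Username: [<username>]" and "Host: [<host>]".
FIELD_RE = re.compile(r"\b(Username|Host): \[([^\]]*)\]")

# Constructed sample lines; everything outside the two bracketed fields is illustrative.
SAMPLE_LINES = [
    "Jun 12 09:14:02 ss01 SecretServer: LAUNCH secret=4411 by=alice Username: [svc_backup] Host: [db01.corp.example]",
    "Jun 12 09:20:45 ss01 SecretServer: LAUNCH secret=4411 by=alice Username: [svc_backup] Host: [db01.corp.example]",
    "Jun 12 10:02:10 ss01 SecretServer: LAUNCH secret=5120 by=bob Username: [root] Host: [jump02.corp.example]",
    "Jun 12 10:31:57 ss01 SecretServer: LAUNCH secret=7003 by=bob Username: [administrator]",
]

# Hypothetical baseline: hosts each mapped account has been launched against before.
BASELINE = {"svc_backup": {"db01.corp.example"}, "root": {"jump01.corp.example"}}


def parse_launch_fields(line):
    """Return {'username': ..., 'host': ...}; an absent or empty field is None."""
    found = {name.lower(): value.strip() or None for name, value in FIELD_RE.findall(line)}
    return {"username": found.get("username"), "host": found.get("host")}


def triage(lines, baseline):
    """Classify each launch line as 'known', 'new_host' or 'no_host'."""
    results = []
    for line in lines:
        fields = parse_launch_fields(line)
        user, host = fields["username"], fields["host"]
        if host is None:
            verdict = "no_host"      # e.g. sender predates the Host field
        elif host.lower() in baseline.get(user, set()):
            verdict = "known"
        else:
            verdict = "new_host"     # mapped account launched against an unseen host
        results.append((user, host, verdict))
    return results


if __name__ == "__main__":
    for user, host, verdict in triage(SAMPLE_LINES, BASELINE):
        print(f"{verdict:8} user={user} host={host}")
```

Lines classified as no_host are worth tracking separately: before this release, launchers with a static host-target mapping did not send the field at all.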

Bug Fixes

  • Fixed an issue to improve Platform integration user sync if duplicate usernames were already in Secret Server.
  • Fixed an issue where a secret template could be saved without RPC mappings configured.
  • Fixed an issue where all event subscriptions did not fire for secrets in subfolders of the target folder.
  • Fixed an issue where DR email alerts were not sent out.
  • Fixed an issue where extended fields were not properly exported to CSV files.
  • Fixed an issue where keystroke data from the advanced session recording agent did not appear in the keystroke activity details area of the playback page.
  • Fixed an issue where large messages from distributed engines to engine workers would not process. Engine workers may have crashed, especially frequently in environments with four or more workers, including Secret Server Cloud.
  • Fixed an issue where LDAP sync via distributed engines would not work when the base DN was different from DC.
  • Fixed an issue where links on the Session Monitoring page while in grid mode would not correctly link to Secret Server Cloud with authentication.
  • Fixed an issue where the API endpoint api/v1/secrets/{id}/fields/{slug}/ logged an audit that the password was displayed when the actual password was not returned to the user because Hide Launcher Password was enabled.
  • Fixed an issue where the Confirm Action button in the bulk operation dialog box would remain active while the operation is processing. This is now correctly disabled to prevent initiating the action multiple times.
  • Fixed an issue where the SubscriptionName condition for a notification rule would display the event subscription ID instead. It now correctly uses the name when the user has the appropriate roles to list the subscriptions.
  • Fixed an issue where the terminate session mouseover tooltip displayed incorrect text.
  • Fixed an issue with a secret template name validation message not showing.
  • Fixed an issue with negative numbers exporting incorrectly when exporting a CSV.
  • Fixed an issue with new Platform trials not creating personal folders in Secret Server.
  • Fixed an issue with secret search producing SQL errors for customers with a lot of secret templates.
  • Fixed an issue with stacked dialog boxes. The CSS styles for the Platform Opt In dialog box have been adjusted to align with Angular 15.
  • Fixed conditions that prevented users from being removed from a group due to the system incorrectly identifying that they would be unable to complete the same operation.
  • Fixed issues with user and group syncing between Secret Server Cloud and Platform.
  • Fixed usability on specific UI areas for a better user experience.
  • Updated Createuser.aspx to redirect to the new user management.

Future and Recent Deprecations

This section describes planned future deprecation of feature or platform support in Secret Server.