Secret Server 11.6.000003 GA Release Notes
Release Date and Notes
On-premises: September 28, 2023 (September 26, 2023 GA)
Component Versions
Distributed Engine and Advanced Session-Recording Agent: 8.4.16.0
Protocol Handler: 6.0.3.26
Step Upgrade Required (11.5.2). Versions prior to 11.5.2 will need to first upgrade to 11.5.2. The automatic downloads in the product will get the right versions for the step upgrade and then allow the 11.6 upgrade. But if offline and using the file upload method, versions prior to 11.5.2 will get an error message saying, "Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted." The remedy is to first upgrade to 11.5.2 and then do the upgrade to 11.6.
Feature Enhancements
View Own Session Recordings Permission
A new permission has been added "View Own Session Recordings". With this permission, a user can be restricted to only viewing the recordings that they initiated. If the user with this permission clicks on a recording initiated and owned by another user, they will get an Access Denied window. In addition, the "View Session Recordings" permission has been renamed to "View All Session Recordings".
Session Monitoring Playback Page UI Conversion
The Session Recording playback page has been updated to the new UI, including a new video player with additional controls. The SSH keystroke-only playback page and the video playback page have been merged, and the available elements will be shown. The legacy player is still available as a link from the new video playback page.
The activity graph and download button have not yet been implemented for the new page, although they are available on the legacy page if needed.
Manual Password Change for Checked Out Secrets
Secrets with Change Password on Checkin configured now have the "Change Password Now" functionality available. This will enable the standard functionality of a password change, and the secret will also complete the automatic password change on checking in. This is to allow maintenance and testing of secrets protected in this manner, and a pending password change must be completed before the check-in process is allowed to begin in order to maintain a secure order of operations.
Updated User Selection Interface
Various locations around the product provide a user selection interface to provide the ability to select a user as the target of a particular configuration, such as the permissions, groups, and roles pages. These have been updated throughout the product to provide more data about the users in the list. You may now view, filter, and search for users by their Username, Display Name, or Email.
Automated Password Change on Import
An option has been added to the Import Secret function to mark each secret’s password to immediately change after import. With this option enabled, a user who has had access to view the list of secrets will no longer know the password of the secrets once they have completed the import. The option is available for CSV and XML and can be flagged via the UI and API.
Enhancements
11.6.000002 GA
-
Improvement: We made Web HTML elements IDs unique to prevent conflicts and keep buttons accessible.
-
Improvement: Enhanced the user experience when navigating Secret Server with no permissions
-
Improvement: Added filtering of the Description field of the Discovery Network View when entering search text.
-
Improvement: Increased the specificity of an exception when accessing the REST API without permission—it now returns AccessDeniedException instead of API_AccessDenied.
11.6.000000 EA
-
Improvement: User tooltips in both Secret Server and Delinea Platform now highlight the Platform Integration Types.
-
Improvement: (Disaster Recovery/Resilient Secrets):Data replication will now create personal folders for replicated users in cases where the replica blocks or does not allow personal folders to be replicated. This is only if personal folders are enabled on the replica.
-
Improvement: User tooltips in both Secret Server and Delinea Platform now highlight the Platform Integration Types.
-
Improvement: Fixed issues with user and group syncing between Secret Server Cloud and the Delinea Platform.
-
Improvement: Added a "Managed" field to the Discovery Network view to show when a discovery item is managed.
-
Improvement: The Password Requirement Audit has been converted to the new UI.
-
Improvement: The Secret Dependency Changers editor has been converted to the new UI.
-
Improvement: Dependency Templates are now available in the new UI.
-
Improvement: Session playback player UI has been updated.
-
Improvement: The Launcher Audits page has been migrated to the new UI.
-
Improvement: Discovery Service Accounts Detail Page now shows services that run as the directory account as well as the computers on which that service runs
-
Improvement: Added a Quick Access link to see all secrets you currently have checked out.
-
Improvement: Updated Createuser.aspx to redirect to the new user creation page.
-
Improvement: Updated the group role assignment UI.
-
Improvement: Group membership assignment UI updated.
-
Improvement: Group role assignment UI updated.
-
Improvement: Updated process for populating a forthcoming computer-centric view.
-
Improvement: Session recording search now uses updated filter pattern.
-
Improvement: The built-in "Everyone" group was renamed "All Vault Users."
-
Improvement: Enhanced new Discovery Area to include some additional fields and added logic for the error chip being displayed
-
Improvement: Added a Copy button for Data Source URL on Disaster Recovery - Outgoing Setup Steps modal.
-
Improvement: New Vault User Details in the Platform overview for Users tab. It requires a Vault to be successfully connected and configured for the details to appear, otherwise the section does not appear.
-
Improvement: Added banners to various Roles/Permissions pages in Secret Server Cloud and Platform with links to help navigate between the two.
-
Improvement: Secret Share tab UI has been updated to match the permission setting experience for setting folder permissions. Domain name is now displayed for users on the secret share tab.
-
Improvement: Fixed an issue where the folder permissions tab would load slowly with large numbers of users.
-
Improvement: Updated group membership management pages to use new design patterns.
-
Improvement: The display name of the secret Vault is now set via the Platform. The Vault subcategories for Reporting, Inbox, and administration have been updated to reflect Secret Server.
-
Improvement: Analysis tab of Discovery no longer includes disabled Discovery Sources in managed/unmanaged counts.
-
Improvement: Administration Configuration Launcher Settings now displays the Enable Protocol Handler Auto-Update setting in cloud.
-
Improvement: View Log was hidden for Directory Accounts since there's no computer associated to show the log of.
-
Improvement: Added Application from tbAuditSecret to session search results model and session model.
-
Improvement: When discovery is running the network view performance would timeout depending on SQL locks. This should no longer happen.
-
Improvement: Discovery scanners added an option to "Add child scanner" which filters available scanners to show only applicable child scanners.
-
Improvement: Disaster Recovery Add-On Licensing handling added.
-
Improvement: Secret template fields table has been updated and has an improved drag and drop experience.
-
Improvement: Secret panel is more mobile friendly.
-
Improvement: Syslog/CEF logging enhanced to capture more detailed metadata for secrets that contain fields/data that map to the following SIEM fields: Account Name, Account Domain, Target Server, Request ID (that is from Ticketing System). Additionally, failed attempts to access secrets due to Ticket Validation errors are now also logged to Secret Audits.
-
Improvement: New inbox notification bell with panel, allows for viewing and approving inbox items without having to navigate through the site.
-
Improvement: The Security Audit Log page has been converted to the latest UI.
-
Improvement: A donut chart showing different Operating Systems in discovery has been added to the Analysis tab of discovery.
-
Improvement: Live viewing has been added to the new session monitoring.
-
Improvement: The new UI Discovery Rules page now shows the correct Secret Template name.
-
Improvement: Secret policy now links to the policy on the secret general tab.
-
Improvement: A loading indicator now shows when opening the discovery add scanner dialog.
-
Improvement: The main top left logo will link to the users preferred login home if it is the dashboard or all secrets.
-
Improvement: The COM+ scanner will be able to be added, but there will be a note in the preview panel letting the user know that the scanner will not work for a site that is set to UseWebsite.
-
Improvement: A preview chip has been added to Multifactor Authentication on Secrets and its supporting configuration pages.
-
Improvement: A new field "Full Name" has been added to the discovery network view to give a more detailed version of the item's name.
-
Improvement: Default columns have been added per Item Type in the discovery network view.
-
Improvement: Dependency Tokens are now available on the dependency edit screen.
-
Improvement: Enhanced loading times of Secret Server elements in Delinea Platform.
-
Improvement: REST API documentation has links to individual services that load quickly.
-
Improvement: Added filter on recorded-sessions endpoint to filter out applications, particularly 'RemoteAccessService' when in platform
-
Improvement: Implemented a message shim in the Vault Broker to inform Secret Server that a user's platform permissions have changed.
-
Improvement: Updated the Vault Settings and Vault User Detail Tabs with some UI changes.
-
Improvement: Converted the creation of a Password Changer when Create Password Changer is selected from the Password Changers list in Remote Password Changing.
-
Improvement: Added a filter of secretIDs to the Secret Search endpoint to that Secrets can be filtered by SecretID.
-
Improvement: Terminate, limit to 5 minutes, and message only have been added to live viewing in the new session monitoring
-
Improvement: The heading for Vault within Platform User Management details has been updated to read its value from within Platform.
-
Improvement: The text for page title, breadcrumbs, and navigation for Secret Server Reporting have been updated in Platform to match.
-
Improvement: Added Search Groups column to Discovery Network View.
-
Improvement: Added more instructions regarding Disaster Recovery's data storage path configuration setting.
-
Improvement: Added configuration setting to determine which secret permission is required to change Remote Password Changing settings on a Secret. Owner or Edit.
-
Improvement: The breadcrumbs within the RPC administration pages have been standardized. The links within Platform Vault Configuration Overview no longer cause the page to reload.
-
Improvement: Added a WMI Service Timeout setting to the cloud advanced configuration page to help with dependency changes that take more time than the allotted 60 seconds.
-
Improvement: The PowerShell script timeout no longer defaults to 90 seconds. Instead, it now uses the value from the Event Pipelines Maximum Script Run Time (Minutes) setting in advanced configuration.
-
Improvement: Improved performance of Secret Search for customers with large numbers of Secrets.
-
Improvement: Updated data type to support frequent users of session recording that was crashing the encoding process.
-
Improvement: Secrets with text field based URL lists are now searchable.
-
Improvement: Platform users can login to Terminal using SSH Key Integration.
-
Improvement: Added validation messages to password requirement rules for when password requirements are too complex to reliably generate a password.
-
Improvement: When Platform integration is active the integration page will now have a button to reset mappings from Delinea Platform.
-
Improvement: AD Privilege Password changer now has Remote Password Change timeout minutes Advanced Setting.
-
Improvement: Better handling of unexpected heartbeat behavior to mitigate reported Distributed Engine stalling.
-
Improvement: Connect As Credentials on Secret works better with SSH Keys for su user switching.
-
Improvement: Updated links on the Security Hardening Report to new UI pages
- Improvement: When creating a new send to syslog task you no longer get a default schedule. Most of the templates didn't create a schedule, now they're all consistent.
- Improvement: Session monitoring search now supports searching by a single secret.
- Improvement: When a Secret is assigned to a site the user does not have access to due to Teams restriction, they will see the word "Restricted" instead of "Site Name (Inactive)".
- Improvement: Mitigated issue in large bulk secret actions.
- Improvements: The "Synchronization Running" message for DR will now only appear if there is a recorded start time for DR in the past and a finish time that is in the future.
- Improvement: Added Secret Field validation on the Template level to ensure users cannot create a "Secret Name" field on a template.
- Improvement: Default values for Secret Fields such as port will now be replicated for Disaster Recovery.
-
Improvement: A user with only direct access to a report and the "browse reports" role permission can add that report to the dashboard.
-
Improvement: The breadcrumbs within the RPC administration pages have been standardized. The links within Platform Vault Configuration Overview no longer cause the page to reload.
-
Improvement: Report column preferences will be saved and applied when viewing a report.
-
Improvement: The Secrets grid now updates displayed data and selected columns simultaneously.
-
Improvement: Improved error logging and efficiency for calls coming from Delinea Platform.
-
Improvement: Quick access filters now both apply when updated.
-
Improvement: Knowledge base links within Platform Vault now link to their intended location.
-
Improvement: Corrected edge case that could result in a session view audit being placed on the incorrect Secret.
-
Improvement: The Parent Scan Template will be filtered to the type and will default to the first item in the list on create. The proper fields will be shown based on the type.
-
Improvement: If a secret is inactivated after initially viewing the secret, a user that cannot view inactive secrets will no longer get an error from secret heartbeat.
-
Improvement: Clicking cancel when editing folder permissions will clear any active filters.
-
Improvement: Editing folder permissions now has a split button that allows for directly entering edit or add group/user mode.
-
Improvement: The Secrets Quick Access link when collapsed, now targets the correct destination.
-
Improvement: The Platform Opt In modal styling has been adjusted to no longer display with scroll bars.
-
Improvement: Secret Share and Folder Permissions: Show disabled edit button until filters are loaded since split button does not yet support disabled.
-
Improvement: API calls to /v[1/2]/secrets/{id} now update the Recents secrets data source.
-
Improvement: When viewing Event Pipeline Activity details, selecting an Activity Detail record from the grid now displays the selected Activity's details.
-
Improvement: Added query parameter for PipelineId to pass back when viewing specific pipeline activity
-
Improvement: Discovery Scanner will not allow deletion until Secret selection is changed.
-
Improvement: Remote Password Changing: Check for DNS Mismatch now visible and functional in Cloud.
-
Improvement: EventTime token is available in pipeline scripts. $EventTime - event date and time of the event ("yyyy'-'MM'-'dd'T'HH':'mm':'ss").
-
Improvement: The preview chips for Multifactor on Secrets have been removed.
-
Improvement: Creating a User SSH Key in Platform downloads the private key with a proper filename.
-
Improvement: Cipher Suite Configuration now allows configuration of allowed Host Key Algorithms.
Bug Fixes
11.6.000002 GA
-
Placed part of the "secret save" process into a transaction so that changes would be rolled back if a timeout occurred.
-
Fixed a bug that prevented expanding a secret created using a custom template on All Secrets View.
-
Added a bulk operation to set password requirements on multiple secrets.
-
Added a "password displayed" audit when viewing a secret transition history.
-
Allowed AutoChangeSchedule to be usable when CheckoutChangePassword is enabled.
-
Fixed the Inbox link in the left navigation panel.
-
Extended the "secret hook" timeout from 30 seconds to 2 minutes. Hooks now use the "Event Pipelines Maximum Script Run Time (Minutes)" advanced setting to extend beyond 2 minutes.
-
Fixed a localization issue when a discovery item has a scan item template that is not out of the box.
-
Fixed issue with secret permissions displaying incorrectly on the Secret Share page.
-
11.6.000000 EA
- On-premise only: Fixed logic issue for on-premise instance that was using the wrong minimum heartbeat interval. Minimum heartbeat interval set back to 5 minutes.
Fixed an issue where Viewing Session Connector Custom Launchers without access to the RDS Credentials secret would show an error.
-
Fixed an issue where unplayable session recording videos would display an infinite load instead of the appropriate error.
-
Fixed an issue where a secret template could be saved without RPC mappings configured.
-
Fixed an issue where Pause times for ODBC Remote Password Changers were not adhered to. If you feel your RPC's are running slowly, check the pause times and remove them if they are not needed for the RPC action.
-
Fixed an issue where Web Password Filler didn't work in certain instances due to an ambiguity in interpreting the Secret Server URL.
-
Fixed an issue where setting custom expiration dates in all time zones did not work correctly.
-
Fixed an issue where all event subscriptions did not fire for secrets in subfolders of the target folder.
-
Fixed an issue where the secret name would incorrectly display on the New Discovery Import Rules page.
-
Fixed an issue with negative numbers exporting incorrectly when exporting to a CSV file.
-
Fixed an issue where a large number of SSH terminal connection history records causing timeouts.
-
Fixed an issue with hidden days until deletion field when enabling deletion in the retention schedule. Added localization to error when trying to submit days less than or equal to the archive retention value.
-
Fixed an issue with passwords being uneditable if RPC is set to use a Privileged Secret to which the user has no access to. Restored explanatory banner.
-
Fixed an issue where secrets aren't synced with DevOps in cloud with when triggered by pipelines.
-
Fixed issue in discovery where computer scans were sometimes throwing string truncation exceptions.
-
Fixed an issue where TOTP Secret Settings edit button was available to users who could not edit the settings.
-
Fix an issue with editing Session Connector Custom Launcher Port.
-
Fixed a UI issue with the launcher popup window showing an option the user didn't have permission for.
-
Fixed an issue where configuring a new session connector launcher might not show all available launcher types.
-
Fixed an issue where configuring "Use Additional Prompt" on launchers might prevent save.
-
Fixed an issue with the TemplateCreateSecret role link.
-
Fixed an issue with View Launcher Password.
-
Fixed an issue where users with only 'View' access on a Secret would be unable to view the Password if there was a custom launcher with arguments configured for that Secret Template.
-
Fixed an issue with DSV sync for secret with file type fields and no file set.
-
Fixed an issue with localization on folder Metadata page.
-
Fixed an issue with sorting for Checkout User Id and Checkout User.
-
Fixed an issue with ODBC password changing that broke postgres and mySQL changing.
-
Fixed a logging issue with Dependency changes ran through Distributed Engine being skipped due to conditions.
-
Fixed an issue where the generate SSH key returns a 500 exception.
-
Fixed an issue where the SSHCipherSuiteModel GetAsync returned a 500 exception.
-
Fixed an issue where the CreatePublicSSHKey returned a 500 Exception.
-
Fixed an issue where Discovery Scanners could not be removed until the associated secrets had been edited.