Secret Server 11.6.000025 GA Release Notes

On-premises: January 24, 2024

Component Versions

Distributed Engine and Advanced Session-Recording Agent:

Protocol Handler:

With this version, protocol handler has received changes to core internal functionality that prevents automatically updating to version from a prior version. In environments with protocol handler automatic update enabled, the protocol handler will automatically update to version To use the latest functionality and fixes of protocol handler, you must redeploy or install version to end-user machines. Following that update, the automatic update will continue to work as before.
Step Upgrade Required (11.5.2). Versions prior to 11.5.2 need to first upgrade to 11.5.2. The automatic downloads in the product will get the right versions for the step upgrade and then allow the 11.6.x upgrade. But if offline and using the file upload method, versions prior to 11.5.2 will get an error message saying, "Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted." The remedy is to first upgrade to 11.5.2 and then do the upgrade to 11.6.x.
For instructions on upgrading in general, go to Upgrading Secret Server.

New Features

HSM PKCS #11 API Support and AES256 Key Integration

We are pleased to announce a significant enhancement in the Hardware Security Module (HSM) functionality. This enhancement marks the integration of support for the PKCS #11 APIs, achieved through the use of vendor-provided DLLs. This development not only extends our compatibility with a broader range of cryptographic tokens and HSMs that comply with the PKCS #11 standard but also ensures optimized performance across HSM models and manufacturers.

Moreover, this update provides the capability to leverage Advanced Encryption Standard (AES) 256-bit keys within the HSM, affording security and performance benefits, bringing our HSM integration in line with the majority of cryptographic functions used elsewhere in our products. This underscores our commitment to providing top-tier security features, crucial for safeguarding sensitive data in high-security environments.

The integration of PKCS #11 API support and AES256 not only enhances our security landscape but also offers increased flexibility and compatibility. This update enables users to more effectively use their existing HSM more effectively and provides an expanded array of cryptographic operations options, meeting diverse security needs.

Detailed information on configuring and utilizing the new HSM functionalities can be found in our updated documentation See Hardware Security Modules for details.

You will need to disable the HSM first to switch to the new PKCS11 API type. See Hardware Security Modules for details.


  • Enhancement: Added a link to configuration audits on the Remote Password Changing page.

  • Enhancement: Added a running log to disaster recovery so progress and duration per table can be tracked during replication.

  • Enhancement: Added an event subscription called "Disaster Recovery Replication Success."

  • Enhancement: Added auditing of password change schedules.

  • Enhancement: Folders in favorites quick access are now filtered when searching.

  • Enhancement: Improved HSM cryptography by adding support for AES 256 encryption. This ensures that all keys protecting the secret key will be at the same strength for organizations requiring this level of encryption.

  • Enhancement: If an Azure Active Directory configuration in directory services becomes corrupt, you can now view and update the credentials to fix it.

  • Enhancement: improved internal security checking around launchers.

  • Enhancement: Improved SSH proxy block-command handling in VIM.

  • Enhancement: Launching a secret now opens in a dialog allowing launch to occur without leaving the grid or current page. Restricted actions like checkout can be performed in the dialog.

  • Enhancement: On the Proxying Configuration page, you can now automatically generate new SSH proxy host keys.

  • Enhancement: Platform configuration settings were added to disaster recovery.

  • Enhancement: Secret search performance improvements. The secret grid now only requests extended fields that are showing. When column selections are updated, a new request is made only if the extended field choices have changes.

  • Enhancement: Secrets grid modal on the Secret Erase Requests search page now auto-scrolls.

  • Enhancement: The login policy now supports line breaks.

  • Enhancement: The secret search API now has a comma-delimited filter parameter for template IDs, which allows searching beyond IIS URL limits compared to the existing array version. Both are still available.

  • Enhancement: The user profile allows for date and time format setting.

  • Enhancement: Updated the toast message displayed when saving user preferences to accommodate screen readers.

  • Enhancement: Users are no longer redirected from the licensing page.

  • Enhancement: When Secret Server Cloud is Platform integrated, there is now an "Add from External Directory" option in secret sharing that allows searching directory sources from Platform to add users or groups.

Bug Fixes

  • Added "view all folders" link that appears when folders are filtered in a pin view.

  • Added a download button for session recording to Secret Server. The change does not appear for vault sessions in Platform.

  • Added aria labels to the notification bell to support screen readers.

  • Added new REST API patch method to controller which calls pre-existing latestversion.txt processing code.

  • Added protocol handler step-up upgrade. Protocol handler will not try to upgrade versions to newer versions as they must be updated manually. Released new version which will be able to upgrade to future versions.

  • Adjusted license tracking for session-recording-enabled secrets so that secrets that have no launchers are excluded.

  • Adjusted organization of some administrative menu items in the configuration preview.

  • Adjusted permissions on Session Monitoring page so that users with "View Own Session Recordings" permission will only see their own recordings.

  • Adjusted the display of administrative items from Platform to avoid perceived duplication.

  • Adjusted the log level downward for certain engine messages for syslog to avoid overloading the engine log table.

  • Applied a more reasonable default SQL timeout.

  • Clarified explanatory information on the Secret Import page to highlight that file fields are ignored.

  • Converted dependency template management section to new UI.

  • Converted Initial User page to the new UI.

  • Corrected an issue where the Distributed Engine page did not respect the "Deleted" filter.

  • Disabled the legacy bookmarklet pages.

  • Disaster recovery now migrates teams.

  • Fixed a client-side error on the Secret Settings page when viewed from Platform.

  • Fixed a display issue on the IP Address restrictions page.

  • Fixed a missing localization-key issue.

  • Fixed a visual bug on secret templates so the password type dropdown no longer appears as "None" if a password type has been set.

  • Fixed an edge case that could result in duplicate disabled usernames, possibly causing DR conflicts.

  • Fixed an error that could occur on the Advanced Session Recording page.

  • Fixed an HTML-encoded document link in discovery scanner.

  • Fixed an issue an erroneous warning popup appeared saying a distributed engine is required for Active Directory when the SSC cloud instance has "Azure AD Domain" as the only domain.

  • Fixed an issue on the Admin Roles page where the edit button for role permissions was mistakenly requiring "Administer Role Assignment" instead of "Administer Role Permission."

  • Fixed an issue that could cause an incorrect error message to display when using the SQL report editor.

  • Fixed an issue that could cause the secret picker to display with a horizontal scroll bar.

  • Fixed an issue when searching in Secret Share with the "Add from External Directory" option with results of more than 2100 groups would throw an error.

  • Fixed an issue where a proper validation message may not display when trying to give a duplicate name to a group.

  • Fixed an issue where a secret erase request could no longer be canceled.

  • Fixed an issue where banner text referenced only "engine," which was potentially confusing. It now mentions "distributed engine" explicitly.

  • Fixed an issue where created hooks would not display on the secret.

  • Fixed an issue where enabling RPC on a template through the API could impair the template's functionality.

  • Fixed an issue where existing linked groups under the Platform Integration area on the Groups tab would not load.

  • Fixed an issue where if a non-local site was used to send syslog to the syslog server any failure was queued back into the database (tbsyslogfailedmessage) and resent indefinitely. This has been resolved. Additionally, we implemented a syslog circuit-breaker system if a non-local site is used to prevent flooding the message queues with syslog messages when failure is expected.

  • Fixed an issue where localization load requests would await indefinitely in some cases.

  • Fixed an issue where pinned folders would not be removed when the corresponding folder was deleted.

  • Fixed an issue where Platform synchronization was running too frequently in some cases.

  • Fixed an issue where renaming or copying the "Oracle Account (Template Ver 2)" secret template caused password changes to fail.

  • Fixed an issue where Resilient Secrets (DR) sent secret field launchers across the wire for every replication.

  • Fixed an issue where selecting Generate New SSH Key on a secret would not generate a new SSH key.

  • Fixed an issue where sorting the launchers list by name could display duplicates.

  • Fixed an issue where the checkout screen could briefly show while a secret is loading.

  • Fixed an issue where the child launcher type was not always visible on the new custom launcher page.

  • Fixed an issue where the Everybody group from Platform would not match up properly with the Everybody group from Platform User sync. Corrected the display name of the Platform "Everybody" group.

  • Fixed an issue where the light mode collapsed toolbar showed the dark mode logo.

  • Fixed an issue where the notification bell could show when there were no notifications.

  • Fixed an issue where the Preserve SSH Client Process setting did not correctly display as checked.

  • Fixed an issue where the SSH custom cipher was not applied when missing a value from the section.

  • Fixed an issue where the synchronized groups displayed could sometimes return all the groups from the domain.

  • Fixed an issue where the web launcher would not respect the mapped URL field when multiple URL fields existed on the secret.

  • Fixed an issue where unnecessary audits could be written. Fixed an issue where DR Secret Server instances were ignoring licensing updates from Cloud Manager.

  • Fixed an issue where upgrade banner was always showing when auto-update was off. Now shows only if at least one engine is lower version than latest.

  • Fixed an issue where users could click New Secret multiple times when also uploading files.

  • Fixed and incorrect launcher edit field description.

  • Fixed buttons that should be grayed out. Run RPC Now can no longer be run when RPC is disabled. Run heartbeat Now can no longer be run when heartbeat is disabled.

  • Fixed dark mode IBM password tooltips and banner color-contrast issues.

  • Fixed edge case bug if SSH Block Listing causes duplicate sessions that break SSH Proxy.

  • Fixed error that could occur when creating a new folder with the folder panel minimized.

  • Fixed inconsistent logs between source and replica on partial success. Fatal error is now persisted across the wire so the replica is aware that the source had a fatal error

  • Fixed incorrect logging error in AuthenticateWithAdConsumer.

  • Fixed issue in directory sync where a search result with an attribute containing an empty list could cause an error.

  • Fixed issue where the upper right search bar would not always switch to the selected secret when a selected secret was on a tab other than the General tab.

  • Fixed issue with a test script modal where reopening the modal would show the selected secret's ID instead of its name.

  • Fixed issue with folder permission editing when updating a path directly.

  • Fixed link to dependency templates on the Secret Dependency tab.

  • Fixed logic error where the RAS flag was not being referenced before deciding to delete the database entry that reflected additional users.

  • Fixed long secret-template names to wrap better in folder edit.

  • Fixed missing option. System group in Secret Server Cloud can now have metadata deleted.

  • Fixed Platform permissions cached on Secret Server to replicate so they will be respected on a replica instance.

  • Fixed query for obtaining services for a directory account in discovery. Fixed check on discovery source name when creating an empty discovery source.

  • Fixed secret policies not showing as deleted after deleting a secret. Secret names on the RPC tab of a secret policy will now include "Inactive" if a secret is not active.

  • Fixed text alignment. Left aligned the comment text on the MFA security view. The icon and button remain centered.

  • Fixed the link to the subscription page from the banner.

  • Fixed the REST API token endpoint path. The documentation generator, in removing the "api" string from the beginning of all routes, was also removing embedded occurrences. It now removes it only from the start of the route strings.

  • Fixed the secrets grid on the Secret Erase Request Approval page (in a modal opened via a link button) that was obscured in dark mode and nearly indistinguishable in light mode. This is now an inline grid with auto-scroll.

  • Fixed visual bug when removing current user's folder owner permissions.

  • Folders in "Shared with Me" Quick Access menu are now filtered when searching.

  • If a user's encrypted TOTP reset Guid gets corrupted, an administrator is now able to reset their TOTP.

  • Improved error handling on the OpenId Configuration page.

  • Improved the UI on the Collections Management page for advanced session recording agents.

  • In the prior upgrade file set for 11.6.3, fixed an issue with SQL Delta 11.5.000006. Removed a SQL hint on the SQL index that was incompatible with non-Enterprise editions prior to SQL Server 2016 SP1 due to a compatibility issue with data compression. The incompatible hint was not necessary, so the delta was updated. Hashes for upgrade were updated for this change.

  • Legacy RPC admin page removed.

  • Legacy user and group management aspx pages removed.

  • Limited Mode now goes to the correct link in SSC.

  • Made performance improvements for the "What Secret Permissions Exist?" report.

  • Prevented Thycotic One sync from syncing Platform Native users. This allows Platform native users to log in in the rare situation they synced with Thycotic One. Then the administrator clears the system Platform User mappings.

  • Queries executed in the chart and SQL editor for custom reports will now take the Use Database Paging setting into account so that the result is the same as if the query was being saved as a report.

  • Removed legacy ASPX pages for secret templates.

  • Removed link for managing licenses from the Cloud Subscriptions page.

  • Secret server was updated to use the same player for session recordings as platform.

  • Set the GET SDK Client Account, SDK Client Audit, and SDK Client Rule API calls to set the operator parameter to 1 if it is not supplied by the caller when a User ID filter is specified.

  • Switching pinned folders now resets the text search.

  • Updated auditing for users modifying allowed cipher suite algorithms.

  • Updated diagnostics page and licensing expiration checks to correctly handle non-US date patterns.

  • Updated event subscription and workflow grids.

  • Updated password requirement audits to correctly audit missed fields.

  • Updated the action-handler secret-launch dialog layout to reflect design changes.

  • Updated the Cloud Subscription page to the new UI.

  • Updated the Dependency Changes List page to the new UI.

  • Updated the Diagnostics page to the new UI.

  • Updated the display for secret locked pages to address a wrapping issue with DoubleLock.

  • Updated the distributed engine log UI updated. It now remembers your last selected site, system log grid UI updated, and the last selected log level.

  • Updated the EventDetails token within Event Subscriptions to correctly capture secret comments.

  • Updated the logout.aspx page to avoid errors being generated in rare cases when executing the SAML SLO flow.

  • Updated the ticket system list page to the new UI.

  • Updated user preferences page for better accessibility.

  • web.config now allows explicit definition of allowed HTTP verbs.