Secret Server 11.7.000000 GA Release Notes

On-premises: March 27, 2024

For convenience, this release note also contains items from the 11.7 EA release (11.6.000043), which constitutes most of the changes.

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.24.0

Protocol Handler: 6.0.3.27

With this version, protocol handler has received changes to core internal functionality that prevent automatically updating to version 6.0.3.27 from a prior version. In environments with protocol handler automatic update enabled, the protocol handler will automatically update to version 6.0.3.26. To use the latest functionality and fixes of protocol handler, you must redeploy or install version 6.0.3.27 on end-user machines. Following that update, the automatic update will continue to work as before.

Step Upgrade Required (11.5.2). Versions prior to 11.5.2 need to first upgrade to 11.5.2. The automatic downloads in the product will get the right versions for the step upgrade and then allow the 11.6.x upgrade. But if offline and using the file upload method, versions prior to 11.5.2 will get an error message saying, "Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted." The remedy is to first upgrade to 11.5.2 and then do the upgrade to 11.6.x.

For instructions on upgrading in general, go to Upgrading.

New Features

QuantumLock

Secret Server's QuantumLock is a feature that provides an additional security layer by protecting secret data using asymmetric encryption (a public/private key pair) where the private key is a human-generated password. This feature is independent of regular permissions, Secret Server login access, or physical access to the machine running Secret Server.

A simple way of thinking about QuantumLocks is as an extra password for secrets that is held by a defined group of users. Both the password and the group of users are reusable for other secrets. In addition, QuantumLocks future-proof our digital security infrastructure against the advancing capabilities of quantum computing.

QuantumLock is an upgrade of the earlier doublelock feature. Besides the name change, the difference is QuantumLock offers the option to use a quantum-safe algorithm for encapsulation to protect the private key, specifically CRYSTALS Kyber-1024, which is designed to counter the potential threat from quantum computers to current encryption methods.

Usability Improvements

Left Navigation Panel

With this release, we have made several improvements to the left navigation sub-menu to provide a better user experience. Some of the most common configuration settings have been moved to the top of the menu. For more information about the latest changes, please see Main Navigation Drawers.

Improved Search

The main search is greatly improved. It now includes content search results as well as users. A status bar shows the full folder path for long secret-folder paths. Highlighted search categories include:

  • Content

  • Favorites

  • Folders

  • Secrets

  • Users

Form Usability Improvements

Overall form information density is improved—forms have less white space between rows.

Configuration Redesign

Our configuration redesign has been available as a preview feature for several versions, and is now fully released.

More content from standalone configuration pages is now available directly within the configuration page, along with section, setting and value search, which is available in Settings > Search configuration.

Enhancements

New for GA:

  • Enhancement: Improved performance of Secret Search when searching within a folder.

  • Enhancement: Custom proxied launchers can now be mapped to a secret's list fields which behaves as an allow-list restriction. This is only allowed without the launcher's "Additional Field" enabled. Only one list field can be used in the mapping.

  • Enhancement: Applied several SSH Proxy optimizations to increase performance and throughput.

  • Enhancement: Added a warning because WPF allows launching to a freeform <user input> url, which is not recommended.

  • Enhancement: Users with "Force Check-in" Permission can now always force secret check in, including the secrets that failed a password change on check-in. Previously, that required "Force check-in" and owner permissions on the secret.

  • Enhancement: Password fields on a secret view now indicate if the secret has a password that is non-compliant.

  • Enhancement: Added two new password requirement rules that enforce the amount of character repetition allowed in passwords.

Carried over from EA:

  • Enhancement: Numerous grids were updated to use the enabled/disabled chip pattern.

  • Enhancement: The secret dependencies page was updated. In addition to improved usability, you can filter by groups and run bulk operations across those groups.

  • Enhancement: The Dependency Changers page was updated.

  • Enhancement: The user management user-list grid was updated. It now allows you to perform a bulk action on all users, not just the visibly loaded ones.

  • Enhancement: The group list grid was updated.

  • Enhancement: Discovery analysis now includes scan results since last run, which is useful for seeing what has succeeded or had an error since the last run.

  • Enhancement: A discovery computer-scan results tab was added that allows for searching local computer-scan successes and failures.

  • Enhancement: Session recording agent pages were updated.

  • Enhancement: Ticket system pages were updated.

  • Enhancement: Launching a secret now uses a dialog flow. This allows launching without having to leave the grid. For example, you can launch and check out a secret in the launcher flow.

  • Enhancement: Diagnostics pages were updated.

  • Enhancement: Bulk actions in grids are now shown at the top of the grid.

  • Enhancement: Added search text filter to launcher grid.

  • Enhancement: Simplified legacy pages' left navigation design. Removed obsolete setup left navigation menu.

  • Enhancement: Secret Server's disaster recovery can now replicate teams, sites, metadata, and secret history.

  • Enhancement: Platform users can now use step-up MFA to validate their identity when resetting QuantumLock passwords.

  • Enhancement: Added a new setting to the ticket system configuration to optionally avoid prompting for a comment when "Comment not required" is configured.

  • Enhancement: Added support for near-real-time processing of Platform user and group updates in Secret Server.

  • Enhancement: Added a link to configuration audits on the Remote Password Changing page.

  • Enhancement: Added a running log to disaster recovery so progress and duration per table can be tracked during replication.

  • Enhancement: Added an event subscription called "Disaster Recovery Replication Success."

  • Enhancement: Added auditing of password change schedules.

  • Enhancement: Folders in favorites quick access are now filtered when searching.

  • Enhancement: Improved HSM cryptography by adding support for AES 256 encryption. This ensures that all keys protecting the secret key will be at the same strength for organizations requiring this level of encryption.

  • Enhancement: If an Azure Active Directory configuration in directory services becomes corrupt, you can now view and update the credentials to fix it.

  • Enhancement: Improved internal security checking around launchers.

  • Enhancement: Improved SSH proxy block-command handling in VIM.

  • Enhancement: Launching a secret now opens in a dialog allowing launch to occur without leaving the grid or current page. Restricted actions like checkout can be performed in the dialog.

  • Enhancement: On the Proxying Configuration page, you can now automatically generate new SSH proxy host keys.

  • Enhancement: Platform configuration settings were added to disaster recovery.

  • Enhancement: Secret search performance improvements. The secret grid now only requests extended fields that are showing. When column selections are updated, a new request is made only if the extended field choices have changed.

  • Enhancement: Secrets grid modal on the Secret Erase Requests search page now auto-scrolls.

  • Enhancement: The login policy now supports line breaks.

  • Enhancement: The secret search API now has a comma-delimited filter parameter for template IDs, which allows searching beyond IIS URL limits compared to the existing array version. Both are still available.

  • Enhancement: The user profile allows for date and time format setting.

  • Enhancement: Updated the toast message displayed when saving user preferences to accommodate screen readers.

  • Enhancement: Users are no longer redirected from the licensing page.

  • Enhancement: When Secret Server Cloud is Platform integrated, there is now an "Add from External Directory" option in secret sharing that allows searching directory sources from Platform to add users or groups.

  • Enhancement: Added new optional parameter "nobus=true" to the healthcheck endpoint. This allows a faster response in situations where no lookup of the bus status is required.

  • Enhancement: Adjusted the password compliance validation job to process more secrets on each run.

  • Enhancement: Discovery port scanner now aborts if the elapsed time expires prior to the Windows TCP handshake. Discovery port scanner will now also log a helpful message if the Windows TCP stack aborts due to reaching the Windows internal maximum SYN retry count.

  • Enhancement: The schedule pipeline task in event pipeline policies now supports using a variable for the schedule delay input.

  • Enhancement: Unlimited Admin can now check in secrets checked out by other users.

  • Enhancement: Added a Computer Scan Results tab to discovery.

  • Enhancement: Added a new option to the Distributed Engine page for configuring "pending engines" that allows a pending engine to be assigned to a site without activation.

  • Enhancement: Added a note to audits when the system disables a Secret Server user.

  • Enhancement: Added an SDK link.

  • Enhancement: Added the table tbTerminalConnectionHistory to the list of tables that are handled by the database cleanup consumer. It will periodically delete any records over a certain age, which can be customized by the user.

Bug Fixes

New for GA:

  • Fixed an issue where a syslog server configured to use a DE and experiencing connection issues could trigger a restart of the DE, interrupting proxy sessions. Now, the syslog circuit breaker does not trigger a restart of the DE.

  • Fixed an issue with SecureCRT failing to connect to a terminal with public key authentication and 2FA enabled.

  • Adjusted the endpoint `/api/v1/secret-access-requests` for better performance.

  • Fixed an issue where going to Platform groups and removing (disabling) a group and then searching Platform and re-adding that group made a duplicate instead of enabling the existing group. Additionally, Platform group synchronization now ignores all disabled groups when making membership changes.

  • Fixed an issue where a DE unhandled exception disconnected all SSH Proxy users.

  • Fixed an issue where if a group has been imported from Platform from an AD source and was then added into directory synchronization as an AD group, it re-used that Platform group rather than creating a new group.

  • Fixed an issue where the launcher icon could show when launchers were not allowed.

  • Fixed Start Date and Queue Date on "pipeline activity" when viewing an individual run.

  • Reduced the frequency of pre-audit validation errors.

  • Improved the handling of duplicate platform permissions and added a delta to clean up existing duplicates.

  • Fixed an issue where in some configurations secrets could not be created.

  • Fixed back-end errors when publishing audits to the audit service.

  • Fixed an issue where sorting did not work in card view.

  • Explicitly mentioned the Integrated Windows Authentication requirement on the Database page.

  • Fixed an issue where there was no option to select "none" as a default role in Platform/Configuration preview.

  • Fixed an issue where encryption-related fields, which are not replicated, were not being populated on replicated sites. These fields were not populated when sites are first saved to the replica.

  • Made UI adjustments to ensure that extended fields are properly requested when column preferences are set up or when using the defaults with extended fields.

  • Fixed an issue where the expanded state of the left navigation pane was not preserved correctly.

Carried over from EA:

  • Fixed an issue where a distributed engine would not start when proxying was enabled.

  • Fixed an issue where the "Add Scanner" Button was not displayed on the Discovery Scanner page.

  • Updated installer EULA.

  • Fixed an issue where terminating all sessions except the current one would log the user out and report an error.

  • Fixed the secret permissions API to handle an edge case that could incorrectly return null when the userid filter parameter was specified.

  • Fixed UI to only call secret-detail RPC API when RPC is enabled.

  • Fixed the secret-key re-encryptor with a multithreaded lock to prevent an IndexOutOfRangeException while using an HSM.

  • Fixed an issue where users checking out a secret with a failed remote password change would potentially see a loading icon indefinitely.

  • Fixed an issue where users were redirected to the Secret Server start page instead of the activation center page when using the offline method for license activation.

  • Fixed an issue where pre-checkout created an extra pipeline policy activity entry that stayed in a pending state.

  • Fixed an issue where "Administer Secret Templates" permission was erroneously required to add a dependency to a secret. "View Secret Templates" is now sufficient.

  • Fixed a DR issue where deleting items connected to MetadataItemData orphans it.

  • Fixed a session recording issue where a launch would show two records.

  • Fixed an issue where the Secret Server On Premise launchers list showed duplicates of some items while other launchers did not show up.

  • Fixed an issue so that the SSH Proxy's processing delay is now respected; it defaults to 0 (no delay).

  • Fixed permission issues with the "View Session Recording" and "View Session Monitoring" roles.

  • Fixed an issue where maximum consecutive character rules for passwords did not work and were not enforced as expected in the password field.

  • Fixed an issue where the group members page was incorrectly showing a maximum of 59 users.

  • Fixed a duplicate personal group name when a user got deleted and re-added during disaster recovery replication.

  • Fixed an issue where, when roles were assigned, sometimes no audit record was made.

  • Added a warning because WPF allows launching to a free-form <user input> URL, which is not recommended.

  • Added "view all folders" link that appears when folders are filtered in a pin view.

  • Added a download button for session recording to Secret Server. The change does not appear for vault sessions in Platform.

  • Added aria labels to the notification bell to support screen readers.

  • Added new REST API patch method to controller which calls pre-existing latestversion.txt processing code.

  • Added protocol handler step-up upgrade. Protocol handler will not try to upgrade versions 6.0.3.26 to newer versions as they must be updated manually. Released new 6.0.3.27 version which will be able to upgrade to future versions.

  • Adjusted license tracking for session-recording-enabled secrets so that secrets that have no launchers are excluded.

  • Adjusted organization of some administrative menu items in the configuration preview.

  • Adjusted permissions on Session Monitoring page so that users with "View Own Session Recordings" permission will only see their own recordings.

  • Adjusted the display of administrative items from Platform to avoid perceived duplication.

  • Adjusted the log level downward for certain engine messages for syslog to avoid overloading the engine log table.

  • Applied a more reasonable default SQL timeout.

  • Clarified explanatory information on the Secret Import page to highlight that file fields are ignored.

  • Converted dependency template management section to new UI.

  • Converted Initial User page to the new UI.

  • Corrected an issue where the Distributed Engine page did not respect the "Deleted" filter.

  • Disabled the legacy bookmarklet pages.

  • Disaster recovery now migrates teams.

  • Fixed a client-side error on the Secret Settings page when viewed from Platform.

  • Fixed a display issue on the IP Address restrictions page.

  • Fixed a missing localization-key issue.

  • Fixed a visual bug on secret templates so the password type dropdown no longer appears as "None" if a password type has been set.

  • Fixed an edge case that could result in duplicate disabled usernames, possibly causing DR conflicts.

  • Fixed an error that could occur on the Advanced Session Recording page.

  • Fixed an HTML-encoded document link in discovery scanner.

  • Fixed an issue where an erroneous warning popup appeared saying a distributed engine is required for Active Directory when the SSC cloud instance has "Azure AD Domain" as the only domain.

  • Fixed an issue on the Admin Roles page where the edit button for role permissions was mistakenly requiring "Administer Role Assignment" instead of "Administer Role Permission."

  • Fixed an issue that could cause an incorrect error message to display when using the SQL report editor.

  • Fixed an issue that could cause the secret picker to display with a horizontal scroll bar.

  • Fixed an issue where searching in Secret Share with the "Add from External Directory" option would throw an error when the results contained more than 2100 groups.

  • Fixed an issue where a proper validation message may not display when trying to give a duplicate name to a group.

  • Fixed an issue where a secret erase request could no longer be canceled.

  • Fixed an issue where banner text referenced only "engine," which was potentially confusing. It now mentions "distributed engine" explicitly.

  • Fixed an issue where created hooks would not display on the secret.

  • Fixed an issue where enabling RPC on a template through the API could impair the template's functionality.

  • Fixed an issue where existing linked groups under the Platform Integration area on the Groups tab would not load.

  • Fixed an issue where if a non-local site was used to send syslog to the syslog server any failure was queued back into the database (tbsyslogfailedmessage) and resent indefinitely. This has been resolved. Additionally, we implemented a syslog circuit-breaker system if a non-local site is used to prevent flooding the message queues with syslog messages when failure is expected.

  • Fixed an issue where localization load requests would wait indefinitely in some cases.

  • Fixed an issue where pinned folders would not be removed when the corresponding folder was deleted.

  • Fixed an issue where Platform synchronization was running too frequently in some cases.

  • Fixed an issue where renaming or copying the "Oracle Account (Template Ver 2)" secret template caused password changes to fail.

  • Fixed an issue where Resilient Secrets (DR) sent secret field launchers across the wire for every replication.

  • Fixed an issue where selecting Generate New SSH Key on a secret would not generate a new SSH key.

  • Fixed an issue where sorting the launchers list by name could display duplicates.

  • Fixed an issue where the checkout screen could briefly show while a secret is loading.

  • Fixed an issue where the child launcher type was not always visible on the new custom launcher page.

  • Fixed an issue where the Everybody group from Platform would not match up properly with the Everybody group from Platform User sync. Corrected the display name of the Platform "Everybody" group.

  • Fixed an issue where the light mode collapsed toolbar showed the dark mode logo.

  • Fixed an issue where the notification bell could show when there were no notifications.

  • Fixed an issue where the Preserve SSH Client Process setting did not correctly display as checked.

  • Fixed an issue where the SSH custom cipher was not applied when missing a value from the section.

  • Fixed an issue where the synchronized groups displayed could sometimes return all the groups from the domain.

  • Fixed an issue where the web launcher would not respect the mapped URL field when multiple URL fields existed on the secret.

  • Fixed an issue where unnecessary audits could be written. Fixed an issue where DR Secret Server instances were ignoring licensing updates from Cloud Manager.

  • Fixed an issue where the upgrade banner was always showing when auto-update was off. It now shows only if at least one engine is on a lower version than the latest.

  • Fixed an issue where users could click New Secret multiple times when also uploading files.

  • Fixed an incorrect launcher edit field description.

  • Fixed buttons that should be grayed out. Run RPC Now can no longer be run when RPC is disabled. Run heartbeat Now can no longer be run when heartbeat is disabled.

  • Fixed dark mode IBM password tooltips and banner color-contrast issues.

  • Fixed an edge-case bug where SSH block listing caused duplicate sessions that broke SSH Proxy.

  • Fixed error that could occur when creating a new folder with the folder panel minimized.

  • Fixed inconsistent logs between source and replica on partial success. A fatal error is now persisted across the wire so the replica is aware that the source had a fatal error.

  • Fixed incorrect logging error in AuthenticateWithAdConsumer.

  • Fixed issue in directory sync where a search result with an attribute containing an empty list could cause an error.

  • Fixed issue where the upper right search bar would not always switch to the selected secret when a selected secret was on a tab other than the General tab.

  • Fixed issue with a test script modal where reopening the modal would show the selected secret's ID instead of its name.

  • Fixed issue with folder permission editing when updating a path directly.

  • Fixed link to dependency templates on the Secret Dependency tab.

  • Fixed a logic error where the RAS flag was not being referenced before deciding to delete the database entry that reflected additional users.

  • Fixed long secret-template names to wrap better in folder edit.

  • Fixed a missing option: the System group in Secret Server Cloud can now have its metadata deleted.

  • Fixed Platform permissions cached on Secret Server to replicate so they will be respected on a replica instance.

  • Fixed query for obtaining services for a directory account in discovery. Fixed check on discovery source name when creating an empty discovery source.

  • Fixed secret policies not showing as deleted after deleting a secret. Secret names on the RPC tab of a secret policy will now include "Inactive" if a secret is not active.

  • Fixed text alignment. Left aligned the comment text on the MFA security view. The icon and button remain centered.

  • Fixed the link to the subscription page from the banner.

  • Fixed the REST API token endpoint path. The documentation generator, in removing the "api" string from the beginning of all routes, was also removing embedded occurrences. It now removes it only from the start of the route strings.

  • Fixed the secrets grid on the Secret Erase Request Approval page (in a modal opened via a link button) that was obscured in dark mode and nearly indistinguishable in light mode. This is now an inline grid with auto-scroll.

  • Fixed visual bug when removing current user's folder owner permissions.

  • Folders in "Shared with Me" Quick Access menu are now filtered when searching.

  • If a user's encrypted TOTP reset Guid gets corrupted, an administrator is now able to reset their TOTP.

  • Improved error handling on the OpenId Configuration page.

  • Improved the UI on the Collections Management page for advanced session recording agents.

  • In the prior upgrade file set for 11.6.3, fixed an issue with SQL Delta 11.5.000006. Removed a SQL hint on the SQL index that was incompatible with non-Enterprise editions prior to SQL Server 2016 SP1 due to a compatibility issue with data compression. The incompatible hint was not necessary, so the delta was updated. Hashes for upgrade were updated for this change.

  • Legacy RPC admin page removed.

  • Legacy user and group management aspx pages removed.

  • Limited Mode now goes to the correct link in SSC.

  • Made performance improvements for the "What Secret Permissions Exist?" report.

  • Prevented Thycotic One sync from syncing Platform native users. This allows Platform native users to log in in the rare situation where they were synced with Thycotic One; the administrator then clears the system Platform User mappings.

  • Queries executed in the chart and SQL editor for custom reports will now take the Use Database Paging setting into account so that the result is the same as if the query was being saved as a report.

  • Removed legacy ASPX pages for secret templates.

  • Removed link for managing licenses from the Cloud Subscriptions page.

  • Secret Server was updated to use the same player for session recordings as platform.

  • Set the GET SDK Client Account, SDK Client Audit, and SDK Client Rule API calls to set the operator parameter to 1 if it is not supplied by the caller when a User ID filter is specified.

  • Switching pinned folders now resets the text search.

  • Updated auditing for users modifying allowed cipher suite algorithms.

  • Updated diagnostics page and licensing expiration checks to correctly handle non-US date patterns.

  • Updated event subscription and workflow grids.

  • Updated password requirement audits to correctly audit missed fields.

  • Updated the action-handler secret-launch dialog layout to reflect design changes.

  • Updated the Cloud Subscription page to the new UI.

  • Updated the Dependency Changes List page to the new UI.

  • Updated the Diagnostics page to the new UI.

  • Updated the display for secret locked pages to address a wrapping issue with DoubleLock.

  • Updated the distributed engine log UI and the system log grid UI. They now remember your last selected site and the last selected log level.

  • Updated the EventDetails token within Event Subscriptions to correctly capture secret comments.

  • Updated the logout.aspx page to avoid errors being generated in rare cases when executing the SAML SLO flow.

  • Updated the ticket system list page to the new UI.

  • Updated user preferences page for better accessibility.

  • web.config now allows explicit definition of allowed HTTP verbs.

  • Addressed an issue where discovery rules would not correctly display the selected secret template or password type.

  • Adjusted discovery scanning to minimize potential SQL deadlocks during the scanning process.

  • Adjusted Secret Server and distributed engine to support 3.x versions of SAP .NET Connector.

  • Converted HSM to a new UI page with a new PKCS11 API type. This new option enables you to protect your MEK and secret keys with an AES 256 key, bringing the strength of all keys to AES 256. After setting up PKCS#11 with your HSM vendor, you use the vendor cryptoki library (dll), token label and user pin to integrate with Secret Server. NOTE: You will need to disable the HSM first, to switch to the new PKCS11 API type. See the Hardware Security Module for more details.

  • Enable Audit Integration on the Platform Configuration page can now be turned on.

  • Extended timeout for some indexing steps for customers with over one million secrets.

  • Fixed an issue that caused folder permissions to not update under specific circumstances.

  • Fixed an issue where long column names did not wrap in the column selector.

  • Fixed an issue where searching for a secret name using a substring within a single word would not always return results.

  • Fixed an issue where the Dashboard Overview tab was not selected by default.

  • Fixed an issue where the main search did not return content and updated the search design.

  • Fixed an issue where the New Folder button would be incorrectly hidden in certain situations when displayed from Platform.

  • Fixed an issue where the system log filter preference had an error when all was selected as the last used filter.

  • Fixed an issue where the folder tree disappeared when there were more than 1,000 folders accessed and UAM was enabled.

  • Fixed an issue with the discovery splash image margin.

  • Fixed bug where changing the client ID did not update unless the client secret was updated as well.

  • Fixed display issue for Secret edit modal on Discovery scope page.

  • Fixed issue with QuantumLock Assign Users grid not displaying correctly after editing then canceling.

  • Fixed the folder audit download to show the correct title.

  • Improved exception logging for certain scenarios related to launching.

  • License requirement message for secret policies updated to Pro Edition or higher.

  • Removed no-longer-used bookmarklet login pages.

  • Updated API documentation for updating team membership.

  • Updated the Secret Import to handle trailing whitespace in the folder path, preventing a bug where the child folder was created at the root level.

  • Updated the ticket system detail page to the modern UI framework.