Secret Server 11.7.000049 Release Notes
Release Date: On-premises: November 26, 2024
Version Information
Component Versions
Distributed Engine and Advanced Session-Recording Agent: 8.4.39.0
Protocol Handler: 6.0.3.31
Improvements
537407 | Improved: Sorting by a secret field for which there are no secrets now indicates such instead of just displaying an unknown column. |
541150 | Improved: When the Radius two-factor authentication login page loads for Secret Server, focus is now set to the password box, so you do not have to click it before typing. |
545215 | Improved: Unix discovery sources are now enabled by default when created successfully. |
551651 | Improved: Secret template fields can now be passed-in as arguments to ticket system scripts. |
554428 | Improved: Notification messages now disappear from the unread screen once marked read. |
554463 | Improved: Audit logging for user and group changes. |
569648 | Improved: Updated secret export to make it more resilient for larger environments. |
572584 | Improved: Added security hardening report and warnings to discourage or prevent password type changers that rely on JScape libraries due to a security vulnerability. |
575586 | Improved: Upgraded audit notes for secret RPC settings changes. Added RPC_SCHEDULE_UPDATED and RPC_AUTOCHANGE_UPDATED secret audit actions. |
575589 | Improved: Disaster Recovery feature now replicates Open LDAP domain sync settings. |
578673 | Improved: Localization updates on the scripting pages. |
578682 | Improved: Inbox templates, rules, and resource grids converted to latest component grid. |
580088 | Improved: Azure Active Directory domains now use sync secrets yet remain backwards compatible for existing Azure Active Directory domains that still directly store the domain's client id, client secret, and tenant ID. |
580662 | Improved: Expanding the folder row in a secret grid informs the user inline if they lack access to see the folder owners instead of redirecting to a full access denied error page. |
582196 | Improved: Added a setting under Platform integration settings to redirect all users to log in through Platform. |
584486 | Improved: Removed case sensitivity from scriptable discovery lookup calls to find OUs for a computer. |
584579 | Improved: Site sorting is now in alphabetical order in dropdowns, lists, and more. |
584837 | Improved: Secret audits now have the ability to filter by audit action type via a multiselect filter. |
586768 | Improved: SQL editor dialog is now the full viewport height and width. |
586770 | Improved: Discovery accounts bulk action checkboxes removed on some pages where they were not necessary. |
587667 | Improved: Secret Server custom URL is now being sent to Platform as an accepted redirect URL. |
588435 | Improved: Converted grids on three Automatic Export pages (Audit, Log and Storage) to thy-data-view for consistent look, feel, and functionality, such as allowing Notes field to be fully viewed in right panel on row click rather than via a tooltip. |
590053 | Improved: We now only show synchronized directory service groups in the list if active. |
590073 | Improved: OU column is now available on Discovery Network view. |
590111 | Improved: Discovery log and computer scan logs filter updated to latest component for accessibility. |
590933 | Improved: Discovery now has full detail pages for Entra entities, and they also appear in the new larger panel. |
591264 | Improved: Discovery network view now opens a larger panel with more information including the last error message. The large panel supports wider screen sizes as well to give side-by-side viewing of the grid and panel. |
591933 | Improved: Search performance improved for typical users. |
592094 | Improved: Bulk sync now does one insert SQL for a list of users and not one per user. |
592264 | Improved: Added a precheck to ensure we don't try to migrate native/hybrid users that are missing their extended mapping, which likely would have resulted in strange duplication behavior. |
592499 | Improved: Groups created in Platform now default to being set as "Migrated" for their migration state. |
592713 | Improved: Category list converted to latest grid component. |
592715 | Improved: Azure AD Domains now use sync secrets. As part of this, searching for a suitable secret template to serve as the sync secret must have Client Id, Client secret, and Tenant Id fields mapped for its secret type. This applies to the Azure App registration secret template out of the box. |
593909 | Improved: Attempting to log into an application account through the UI will no longer add a successful login audit event for that user. Successful and failed login attempts are still logged. |
595158 | Improved: Secret Server reports can now be saved as a shortcut on the Platform desktop. |
595573 | Improved: The opt-in step allows a user to add a new Platform tenant. It is the first step to integrate from Secret Server to Platform. This step is a part of the redesign of the Easy Move integration tool. |
595730 | Improved: The team-members list page has been updated for easier adding and removing of members. The entire domain inclusion option has been moved to the team general tab. |
595732 | Improved: Roles mapped to the "All Vault Users" group in Secret Server are now mapped to the "Everybody" group in Platform after migration runs if the "All Vault Users" group is selected for that migration. |
595945 | Improved: Report list page heading is now semantically correct. |
595948 | Improved: Secret quick-access page heading is now semantically correct. |
596411 | Improved: Updated Platform migration prechecks by adding new information precheck type. |
596413 | Improved: QuantumLock audit grid updated to latest component. |
596695 | Improved: Updated BouncyCastle.Cryptography package to a non-vulnerable version. |
596927 | Improved: Added the ability to prompt for site selection when launching an SSH session through a DE proxy. |
597484 | Improved: You can now pick values less than four hours in the minimum Platform sync configuration. |
597621 | Improved: When on prem has a cluster issue, the license pages are now accessible from any web node. |
599089 | Improved: A new user experience setting has been added called, "Separate Secret Audit for Comment." When this is true, a secret that requires comment will have an additional audit entry with an action of "Comment." This allows a secret to be commented on and checked out but not viewed. Without this setting the secret audit will show a "View" action with the comment text and then the checkout. Now you will see "Comment," "Checkout," and then "View" only once they have actually viewed the secret. |
599421 | Improved: Creating a new Active Directory discovery source is now full page instead of in a modal. |
599481 | Improved: ITDR Service Accounts are now handled via messaging in Secret Server. |
599717 | Improved: Session monitoring routes were updated to no longer include /admin. |
599937 | Improved: Converted the disaster recovery audit to the new grid component. |
600029 | Improved: Converted the disaster recovery Log to the new grid component. |
600137 | Improved: Platform users metadata replicates fully to a disaster recovery replica instance. |
600425 | Improved: Converted directory services domain audit to the new grid component. |
600639 | Improved: Converted the export-import settings audit page to thy-data-view. |
600664 | Improved: For Secret Server Cloud customers integrated with Platform, disabled the underlying "Create Groups During Synchronization" setting, which was previously able to be enabled, and already disabled for the vast majority of customers. This setting would automatically create domain groups during synchronization, which we now require to be specifically created. Platform Cloud groups are already automatically created and this behavior is unaffected. |
600797 | Improved: Converted the secret-erase list grids to the new grid component. |
601395 | Improved: Discovery pages are now accessible at /discovery instead of /admin/discovery. This change also decreases the pack size of the admin and discovery modules. |
601455 | Improved: The toggle expand and favorite star in the global right panel widget now properly have aria-labels, aria-controls, and aria-expanded tags. |
601456 | Improved: Service users created in Platform are now mapped to application accounts in Secret Server. |
601459 | Improved: ITDR account created via OAuth token or messaging from identity. |
602245 | Improved: Updates to the opt-in flow: Platform region field is now read only by default, and regionEditable=true|false query parameter is available to override the default. |
602371 | Improved: Added security hardening report and warnings to discourage or prevent password type changers that rely on JScape libraries due to a security vulnerability. |
602443 | Improved: Users can now navigate to and from licenses page to clustering pages. |
602663 | Improved: Resilient secrets now handle additional conflict scenarios between the source and replica. |
602778 | Improved: Updated IBM dark mode left navigation for better accessibility experience. |
603115 | Improved: Reduced Redis calls for many operations for performance purposes. |
603328 | Improved: Added logging to capture specific failure codes from Entra ID when performing heartbeat. |
603363 | Improved: Refresh button was added to the migration audit tab of Platform integration center. Improved: Filters implemented on migration audit tab of Platform integration center. |
603364 | Improved: A filter of object type was added to the log tab of the Platform integration center. |
603978 | Improved: Password changers grid now includes columns for can edit and Secret usage count. Some additional filters were also added. |
603980 | Improved: VaultBroker updating a URL requires a valid connection with the Secret Server instance before allowing updates. |
604471 | Improved: Added security hardening report and warnings to discourage/prevent password type changers that rely on JScape libraries due to a security vulnerability. |
604568 | Improved: Updated UI to only make one call to the "enable unified mode" endpoint. |
609745 | Improved: Performance of launcher session cleanup. |
609923 | Improved: Added a check to Platform configuration in Secret Server that prevents synchronization of Platform data (users, groups, roles, etc.) to Secret Server while migration from Secret Server to Platform is running. |
Fixed Issues
451250 | Fixed: Addressed an issue where, when editing a user, the Duo multifactor authentication option would be missing when Radius and Duo had already been configured and the user had the Administer Users permission. Fixed: Addressed an issue where saving a User with the Duo Multifactor authentication option would throw an error when Radius and Duo had already been configured and the user had the Administer Users permission. |
477012 | Fixed: "What Secrets have failed heartbeat?" no longer shows secrets with a failed heartbeat when their template has heartbeats turned off. |
513832 | Fixed: Sorting issue on the Groups tab in user management. |
514188 | Fixed: Issue with MobaXterm launches and multiple credential-save prompts. |
517513 | Fixed: Not being able to add XML files where the key file folder is located because DPAPI read all XML files in that folder and did not find the correct and expected format, which caused an error and disconnected from the Secret Server instance. |
541011 | Fixed: Guide dialogs now properly focus the guide and trap tab. |
543702 | Fixed: Session recording processing no longer causes a false session recording view event. |
544916 | Fixed: Corrected Cipher Suite connection issue to AWS EC2 instances with public keys only. |
544998 | Fixed: SSH key expiration in label description is displayed correctly now. |
547577 | Fixed: Event subscription language resource corrected for "Engine" and "Export Secrets" events. |
561895 | Fixed: Workflow Approval email "View this item" contained an incorrect link, not directing users to a page where they could approve the request. |
563019 | Fixed: "Minimum Required Character Count Rules" on password requirements reverts when updating other things on password requirements. |
563367 | Fixed: Addressed an issue where the video recording tab would display for session recordings that were keystroke only. |
563529 | Fixed: UI issue on report schedule page where unchecking "send email" for report distribution blocked saving. |
567824 | Fixed: SAML Log no longer opens a dialog and a preview panel. |
569536 | Fixed: Issue where using Secret Server SDK 1.5.7 or earlier after upgrading to 11.7 gave an "Object reference not set to an instance of an object." error when trying to retrieve a secret. The fix appears in version 1.5.9. |
570798 | Fixed: In the SDK Client Management > Client Onboarding Page, when viewing a user with an onboarding key required, if the key is visible in the side panel and you select another user with a key required, the key that is shown now updates to be the key associated with the most recently selected user. |
571356 | Fixed: Event queue not clearing. Adjusted the location of and query of the EventQueue cleanup process. |
572635 | Fixed: RPC errors for SAP template secrets, which were occurring with SAP "systemuser" user types, even when using a privileged account. |
575347 | Fixed: IBM code editor resources properly shared to allow editor to load. |
575767 | Fixed: Removed Thycotic.Ihawu.UnitTests.Web and Thycotic.Ihawu.UnitTests.Web.Rest from repository, which have not been active since 2018. |
575896 | Fixed: Enabled Entra ID Password Changer to appropriately handle heartbeat on accounts where MFA is applied through a Conditional Access Policy. |
576164 | Fixed: Added DelayBackgroundStartupMilliseconds to fix a race condition during the PKCS #11 login after integrating with the Entrust HSM. This will delay the background workers so the web node can log in to the PKCS #11 library first. |
580552 | Fixed: Group sharing with Secret Server secrets for groups would not trigger a sync for all existing users in Secret Server. |
581752 | Fixed: Custom report names with double quotations in them no longer throw an error when downloading a report to a .csv and will download successfully. The .csv will not contain the quotations, but they will remain in the name on Secret Server. |
581802 | Fixed: Some edge cases related to Platform Federation could result in a group losing its members in Secret Server. |
585612 | Fixed: A duplicate role assignment during migration was fixed so that the migration matches what was in SS. |
586300 | Fixed: When a date is downloaded from a grid, it now properly formats according to the selected download date format. |
586526 | Fixed: Card and grid mode "last connected" field now shows the correct time and match. |
586528 | Fixed: Resolved an issue where attempting to use a Session Connector launcher with "Open with Remote Access" would throw an error when attempting to launch. |
587596 | Fixed: NVDA now displays the correct labels for the tree component. |
587768 | Fixed: A bug where the password changing field of discovery rules would not update. The password changing settings now persist for all discovery rules. |
588849 | Fixed: Addressed Null Ref errors in SyncSessionToPlatformMessage. |
588873 | Fixed: Corrected impacts on user access by enabling or disabling DTC. |
589002 | Fixed: Token name-wrapping issue fixed on secret dependency dialog. |
589194 | Fixed: A bug where the source field of discovery rules would not update. Source settings now persist on all discovery rules. |
589245 | Fixed: When Secret Server was integrated with Platform and a federated user logs in and connects to an AD user in Secret Server, the Platform sync could remove AD groups (from Secret Server AD Synchronization) because that was not a supported configuration. Now, we prevent the removal of AD groups from a Secret Server user during Platform synchronization if the connected Platform user source is Federation. Platform synchronization of groups when a Platform user source is Active Directory/connector and the Secret Server user is an Active Directory user will work as before. We are doing this as harm reduction until the configuration in Platform is set up to be compatible with supported scenarios. |
589332 | Fixed: Creating an access request with custom dates or times displayed an incorrect warning or had incorrect dates or times when approved. |
589821 | Fixed: Addressed a very rare edge case where a synchronized AD or Azure AD group flagged as "SynchronizeNow" that is also inactive could block synchronization from running indefinitely. |
589824 | Fixed: Issue where Entra ID accounts could be mistakenly identified as directory accounts in the discovery network view. |
589974 | Fixed: Issue that prevented creating empty discovery sources. |
589977 | Fixed: Addressed red banner issue on session monitoring page when using v2 grid filters. |
590058 | Fixed: Azure AD synchronization did not handle groups with null ADGuid fields. Added filter criteria in Thycotic.ActiveDirectory to filter out cases causing errors. |
590449 | Fixed: An issue where active users in inactive domains (an exceedingly rare edge case that we do not natively support) caused groups to fail importing valid users. |
591870 | Fixed: Migration work now considers users that have come from Platform (either Platform Native or Hybrid users) when migrating. It was indirectly ignoring them before under certain circumstances. |
591954 | Fixed: Issue with connections remaining open with Windows local account RPC. |
592169 | Fixed: A duplicate group was created when Platform syncs back to SS after a group is migrated. |
592877 | Fixed: The product link for installing browser extensions led to the documentation home rather than the proper page. Clicking OK now takes you to https://docs.delinea.com/online-help/secret-server/launcher-protocol-handler/launchers/procedures/web-launchers/wpf/index.htm?cshid=ChromeExtV2. |
592981 | Fixed: Password dictionary uploads no longer fail due to Unix line endings. |
593023 | Fixed: Saving ticket system as publicly available now saves properly. |
593302 | Fixed: Changed Entra ID discovery scanner so it returns UPN for account name instead of display name. |
593348 | Fixed: Entra ID discovery can now identify members of a role who are assigned to that role through a group. |
593359 | Fixed: Issue that prevented Entra ID Roles from being automatically scanned by discovery. |
593531 | Fixed: In Platform, the browse all link in the folder tree that appeared after 1000 folders were shown was missing /vault in the URL. |
593702 | Fixed: An issue where the Entra ID discovery scanner flow could not be applied from the dialog that appears when creating an Entra ID discovery source. |
593947 | Fixed: When you launch a secret that requires checkout, you are no longer redirected to the secret detail page. |
594073 | Fixed: Discovery scanner text had a typo in the scanner CID notation example text. |
594094 | Fixed: An issue that prevented a resilient secrets (DR) replica from updating Secret Server after the source has been updated with 11.7.31. |
594680 | Fixed: Typo in Secret Erase Request. |
594732 | Fixed: DE Vulnerabilities cleaned up and verified removed. |
595541 | Fixed: Typo in bulk record selection dialog. |
595553 | Fixed: Some single-edit dialog fields were not properly linked to their label. |
595556 | Fixed: Inbox breadcrumb was going to a 404 error and has been removed. |
595758 | Fixed: Secrets with checkout and require comment will now have a combined option in the secret grid options menu for a secret. You can configure these to be separate, as they were prior to this release, in admin/user experience. |
596124 | Fixed: In the SDK Client Management > Client Onboarding Page, when viewing a user with an onboarding key required, if the key is visible in the side panel and you select another user with a key required, the key that is shown now updates to be the key associated with the most recently selected user. |
596363 | Fixed: Directory services will no longer appear in search when running in Platform. |
596370 | Fixed: Discovery computer scan results now properly defaults to showing the last hour. |
596663 | Fixed: An issue where certain usernames were unable to automatically sudo with SSH Proxy. |
596721 | Fixed: Resolved a case where event pipeline activity records were not being cleaned up according to the retention settings. |
596851 | Fixed: Secret template fields grid in reorder mode had an empty column heading. |
597021 | Fixed: Resolved an edge case of unmigrated users from Secret Server to Platform and ability to change usernames. |
597482 | Fixed: Addressed issue where a secret policy with an inactive user in an approver group could cause downstream issues when modifying related secrets. |
598013 | Fixed: Addressed a case where URIs were compared before normalization and canonicalization, potentially leading to over-matching against the approved list. Added additional validation that the downloaded installer's batch file was in the expected format. |
598083 | Fixed: An issue where failed video conversions would not clean up temp files. |
599034 | Fixed: Resolved accessibility issues on workflow and custom SSH cipher suites. |
599078 | Fixed: Corrected validation on tenant customization page. |
599386 | Fixed: Issue with updating workflow step names. |
599798 | Fixed: Folder searches now work when search text is in uppercase. |
599966 | Fixed: Platform/SSC to Onprem SS DR was unable to log in as a Platform user. Added code to copy the custom URL from Secret Server every five minutes and send it over to Platform as a valid redirect URL. |
600132 | Fixed: An issue where users were unable to create secret policy via API with jumpbox site ID not set. |
600415 | Fixed: Entra ID heartbeat can now handle accounts that are pending MFA Enrollment. Added enhanced error handling to Entra ID account heartbeat. |
602238 | Fixed: IBM code editor resources properly shared to allow editor to load. |
602673 | Fixed: Two logic errors (one in the Easy Move path and one in the External User Mapping path) that were causing a null ref when trying to create a new user incorrectly. Domain users that are disabled by AutomaticUserManagement will no longer incorrectly cause a duplicate local user to be generated during migration and no null ref audit will be generated. |
603148 | Fixed: Addressed an issue where an exceptionally large foreign key in tbStatusMessage could cause errors when inserting records. |
605472 | Fixed: Addressed an issue that could prevent user creation and mapping of users from Platform when pre-existing users had been disabled by automatic user disabling. |
610193 | Fixed: Issue for creating vendor users when instance is already at maximum user licensed count. |
Known Issues
None at this time.