Secret Server 11.8.000001 Release Notes

Release Date: On-premises: May 7, 2025

Version Information

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.51.0

Protocol Handler: 6.0.3.35

Important Technical Change for Secret Server 11.8

Overview

Prior to the 11.8 on-premises release, Secret Server On-Premises was delivered in a "dynamically-compiled" state. In this configuration, components of the website, particularly .aspx files, were compiled by IIS upon receiving the initial request.

Starting with the 11.8 release, the application is pre-compiled, which significantly enhances and accelerates application startup because it eliminates dynamic compilation.

As a result, some customers may experience startup issues. Please review the two items below prior to upgrading:

• Pre-compiled applications cannot run in IIS if there is an "App_Code" folder present. Therefore, the version 11.8 upgrade renames this folder automatically on start-up to avoid issues. Please note:

  • In some cases the application pool may not have the permissions to rename the "App_Code" folder, resulting in start-up issues, specifically, the Web page does not load.

  • If the application pool does not have the permissions, you must rename the "App_Code" folder or give the account running the application pool "modify" permissions to the application folder.

  • When finished, perform an iisreset to restart Secret Server.

• If you have manually modified any .aspx files, you will not be able to do so anymore, as those files are compiled already. Do not upgrade until you have verified you do not need the modifications going forward.

Support Articles

Please see the following technical articles for instructions:

• How to prepare for upgrade to Secret Server version 11.8 or higher

• After Upgrading to Secret Server 11.8, the Web Page is No Longer Loading

New Features

Azure Key Vault Integration

Azure Key Vault Integration (AKVI) simplifies management and governance of NHI's and secrets from the CSP's native vaults. With AKVI you can centrally manage and update secrets to one or more Azure Key Vaults and rotate passwords or values more frequently. With fine grained roles and permissions, audit and logging, AKVI provides increased governance, visibility, and awareness of secrets managed in Azure Key Vault without affecting development velocity or processes. AKVI is available on Secret Server Cloud, the Delinea Platform, and Secret Server On Premises.

Additional Approval Workflow Type

A new approval workflow type is available, allowing owners to bypass approval while ensuring approvers still require it. The "Standard Including Editors and Approvers (Owners do not need approval)" option offers more flexibility in approval processes to meet organizational needs.

Bulk RPC on Secrets with Checkout Enabled

Bulk RPC actions are available to secrets with checkout enabled. This feature uses random passwords during bulk operations, ensuring that passwords remain secure and hidden, even during bulk updates, without compromising secret integrity.

Bulk Update Secret Fields

Bulk updates for secret fields are now available, enabling users to edit and update multiple fields across secrets in the folder view. This simplifies importing and formatting secrets, streamlining secret management for large datasets.

Change Password on Checkin Configurable Limitation

"Change Password on Check In" is now more flexible. Users can now configure the system to retry password changes a specific number of times before allowing the secret to be checked in without a change, streamlining access when password changes fail.

Global Manual Approver Workflow for Ticketing Systems

A manual approval workflow is now available for scenarios where the primary ticketing system, like ServiceNow, is unavailable. This fallback option ensures that users can still gain access to secrets through a manual approval process, maintaining workflow continuity even during system outages.

PowerShell 7 Support for Scripts

Secret Server now supports PowerShell 7 scripts, allowing users to run both legacy PowerShell scripts and PowerShell 7 scripts. This update ensures compatibility with the latest thycotic.secretserver module and helps avoid disruptions from version conflicts.

PowerShell Ticket Integration—User Information Passed as Arguments

PowerShell ticket integration has been enhanced to pass user information (userID, username, and email) as arguments in scripts. This update provides greater flexibility for ticket validation, enabling more customized and user-specific logic in ticket-related actions.

Pre-Compiled Version of Secret Server On-Premises

All Secret Server On-Premises releases from 11.8 onwards are pre-compiled. This change significantly enhances and accelerates application startup by eliminating the time required for dynamic compilation.

Secret Icons

Secret Icons allows you to display icons for secrets in the secret list, and secret details page. Icons can be set at both the secret and secret template levels.

Fixed Issues

Ticket	Description
405016	Fixed: The RPC by Day report is now formatted to user's time zone.
527950	Fixed: Addressed an issue where cloud customers using PBA would see an erroneous error message indicating that the PBA site was not ready.
530294	Fixed: Key rotation failure. We now allow a particular password type to be set for account take-over when importing an account into Secret Server.
537916	Fixed: The folder-permission API now requires view or administer folder permissions to query by a folder ID. Previously, you could also do this with the personal folders role permission.
539187	Fixed: Secret access request viewing very slow. Bug fixed with loading large numbers of secret access requests.
546108	Fixed: Add a "Matches" tab on discovery account rules to show computer accounts that match the defined rule condition. This replaces the account rule filter on the network view that has been removed.
549816	Fixed: Fixed an issue where when using the Advanced Session Recording Agent, in certain situations the recording process would not be stopped.
556742	Fixed: An issue that prevented empty dependency groups from being deleted.
557774	Fixed: Errant heartbeat every five minutes. When creating a new secret template with heartbeat enabled, if you do not change the interval value it will now correctly assign heartbeat interval of 60 minutes.
559102	Fixed: An issue where large-item-count folder searching was broken.
560138	Fixed: The secret template fields grid would not always load all records properly if there were more than 60 fields on a template.
564689	Fixed: User appearing locked out after the lockout period. On the User General page (admin page), added an Unlock User button and chips and messages to reflect lockout interval for user locked out by failed logins.
566423	Fixed: Resolved an issue where downloaded report names appeared garbled when the language was set to Japanese or Simplified Chinese. Fixed: An issue in the Platform where downloaded reports were incorrectly named "null." Reports now display the correct filenames based on the selected language.
567596	Fixed: Resolved an intermittent issue during DR replication where foreign-key constraint errors occurred with categorized lists, ensuring successful replication across supported versions.
571212	Fixed: Test Script page not working. SQL parameters now work in the new UI.
571231	Fixed: Role audit log error. The Action field of role audit logs now display correctly when the log is created in a language that uses Unicode characters
572558	Fixed: api/v1/one-time-password-code call getting a 500 error.
575503	Fixed: A dependent library used in SAML in has been updated to close potential security vulnerabilities. It uses a different version of a saml.config when using the legacy SAML configuration, and a conversion process to update saml.config has been added to the upgrade system. Please see documentation "Troubleshooting SAML Configuration Errors After Upgrading" if using a saml.config file and having issues.
578291	Fixed: Session recording search times out.
578890	Fixed: Removing a launcher having multiple secrets linked will no longer fail.
580156	Fixed: Handled a case where cached Secure TPC connections to a Syslog server connected via domain name were not removed when no longer active.
580299	Fixed: An issue with /api/v1/launchers/secret endpoint throwing errors with complex URLs.
581180	Fixed: An error when checkout had expired, switching to the settings tab on a secret would throw a red banner error instead of redirecting the user to the checkout page.
582171	Fixed: Double email notifications for access approval request. Access request emails will now indicate a status of the workflow. Viewing a workflow online will also render a visualization of the workflow status.
582538	Fixed: An issue where session messages sent from would not show during RDP Proxy sessions.
582728	Fixed: An issue where users who had permission to edit secrets could not toggle auto-change using the bulk action on secrets that should have allowed it, based on the permission set in the secret's template.
583939	Fixed: Incorrect active session display. Secret active launcher sessions now updates list when a session is launched from the page.
585609	Fixed: error when removing scanners from a discovery source. Added a custom exception for "scanner X already added" and UI refresh to stay in synch with back end.
591272	Fixed: An issue with the Launcher template when modifying the field "Use SSH Tunneling with SSH Proxy."
591708	Fixed: Issue with scan template parent field where it showed a number instead of name.
593801	Fixed: An issue with SSH key integration expiration configuration.
595169	Fixed: An issue where there was no option to add a step in a workflow. It is no longer possible to delete the last step from a workflow. Existing workflows with no steps will now display a default starting step when opened to edit.
595565	Fixed: An issue where dependency changers in SSC were not passing arguments to scripts, resulting in empty output files. Dependency changers now correctly pass arguments, and the status no longer incorrectly shows as disabled.
596179	Fixed: Known issues around adding fields. Cancel button now works correctly.
597088	Fixed: Working as designed—no code changes.
599173	Fixed: In active sessions inside a launched secret, when the username that launched the secret contains Unicode characters, they displayed incorrectly.
599511	Fixed: When submitting a secret access request with a custom duration, start values that are in the past are no longer permitted.
601706	Fixed: Intermittent Azure message loss. Implemented retry logic for publishing to Azure service bus queues.
602389	Addressed performance issues by optimizing database handling to resolve high deadlock rates (over 8,000 per hour) affecting the tbSecret and tbUser tables under heavy load.
603681	Fixed: Resolved a password display Issue (with "comment required" enabled) where, after waiting on the Overview tab for 5+ minutes, the password was displayed as [object Object] instead of prompting for a comment again. Users are now correctly required to re-enter a comment when accessing the password.
603721	Fixed: Enhanced Resilient secrets log text information and added operation progress percentage estimation Fixed issue where Resilient secrets operation was not interrupting on operation timeout
603779	Fixed: An issue with category and report permissions showing 0 items when permissions are assigned to users.
605053	Fixed: Heartbeat and password reset failures. Added more support for expired AD account password changers. Secrets that use an AD privileged password changer to rotate the password for an expired AD account will successfully complete the rotation process. Previous behavior involved rotating successfully and then failing the verify step, resulting in the new password not being saved on the side. Subsequent heartbeats may fail for the secret since the account is expired. Password Changes using a secrets own credentials may fail as well.
607434	Fixed: Discovery analysis SQL timeouts. The query that populates the discovered account metrics has been made more efficient. It should no longer have timeout issues.
608342	Fixed: PRA launcher shows on favorite and recent panel.
608395	Fixed: Columns that should have been hidden were selectable in the column selector. If selected, they would (incorrectly) display until page reload. The conditionally available columns are now correctly set visible or hidden in the column selector.
612930	Fixed: Fixed issue where users could select HSM settings without the “Administer HSM” permission
614002	Fixed: Turkish not displaying correctly in email. Turkish characters should publish correctly in email HTML.
614465	Fixed: Tooltip location on the Launcher Configuration page.
616185	Fixed: Resolved an issue where users could add members to a migrated group in SSC via individual user modifications. Now, all membership changes must be managed in the Platform, ensuring proper access control.
616221	Fixed: In SSC the from email address field in email configuration settings is restricted to the secretservercloud domain and the TLD excludes .co.uk as a valid option. On premises instances will only validate that it is a valid email address format but will allow any domain to be input.
617344	Fixed: An issue with password that contains username and added a new item to the local-user password configuration area that optionally prevents the password containing the username.
617429	Fixed: Issue where an invalid version number could cause Secret Server to become unresponsive.
617445	Fixed: Updated command sets to no longer add extra spacing between lines, and added validation around comments in command sets, instead of auto-removing extra comments, to reduce confusion on save.
617607	Fixed: Discovery services grid did not sort. Added computer Services API endpoint so the computer services component now has paging and sorting.
618528	Fixed: Resolved an issue where secret policy settings were not properly inherited by secrets, causing discrepancies in the Approval page. Additionally, the "Language Resource Not Found: OnlyOptionViaPolicy" message has been fixed. Secret policy settings now correctly apply as expected.
618869	Fixed: An error with "Default Only" on RPC schedule on an active secret policy.
619554	Fixed: On-Premises instances with PRA will now get emails to Secret Server instead of the Platform instance.
620165	Fixed: Display to show .delinea.app when opting into a prod instance.
620268	Fixed: The api/v1/secret-extensions/web-secret-templates endpoint now returns templates that contain URL list fields as well as URL fields.
620338	Fixed: An issue with "minimum required character count" rules options containing an invalid choice.
621226	Fixed: Resolved an issue where repeated execution of Entra ID secret heartbeats would cause a "Headers too long" error.
621573	Fixed: When running in Platform, the breadcrumb link on the platform group and configuration page is now correct.
621935	Fixed: Resolved an issue where viewing a secret with MFA enabled incorrectly logged "Password Displayed" in audit entries. Now, the audit log correctly records the action as "View" when no other interactions occur.
622254	Fixed: Resolved a bug where—when Platform is integrated with Cloud and Open ID Connect Platform login is used—in some situations, the redirected Platform login page would be incorrect.
622479	Fixed: Error during opt-in in PIC for Europe region.
626465	Fixed: Audit with no notes. Secret policies should no longer create an empty audit log when modifying launcher settings but reverting changes before saving.
626702	Fixed: An issue with users not being re-enabled when logging in through Platform after being disabled by automatic user management.
627109	Fixed: Launchers filter was incorrectly labeled was "Template."
627246	Fixed: The field header example on secret import now wraps correctly.
627291	Fixed: The "All launchers" option of the launcher filter now returns all results as expected.
627619	Fixed: Changed database cleanup logic which was causing some heartbeat/RPC audit records for inactive secrets to be removed before the "Max Secret Log Length" was reached.
627650	Fixed: Addressed issue where an error would be thrown when editing a command set with an empty command field.
627731	Fixed: If an Entra discovery source is created in Secret Server, and Platform integration is configured with Inventory Forward enabled, there was a bug if deleting any roles from the Discovery Network View in Secret Server. It would cause Entra roles to show up in Platform inventory.
628439	Fixed: Corrected a typo on Launcher Mapping page.
629517	Fixed: Resolved an issue from the previous update where toggling an Active Directory account's expiration status could prevent verification after a password change.
629584	Fixed: An issue with the password compliance check notification on a secret.
630728	Fixed: A bug where saving an approval method for a secret does not persist correctly.
631133	Fixed: An issue introduced in engine version 8.4.47 where AD privileged password changing would erroneously report failure for accounts that had null values for the "accountExpires" attribute.
632269	Fixed: Secret Server API endpoint /v1/secrets/{ID}/settings now responds with TOTP values if conditions are correct.
632693	Fixed: A User who has only the List permission on a secret will no longer get an access denied redirect upon clicking the launcher icon. They will now see a descriptive error message instead.
634286	Fixed: Issues with dropdown options causing enum values to be displayed for the Secret Security Approval Type so that correct localized strings are displayed.
634484	Fixed: Excessive CPU usage by correcting the SessionKey parameter to varchar, eliminating implicit conversion.
635135	Fixed: The "Ignore permission errors" checkbox is now available without a page refresh.
635550	Fixed: Addressed erroneous exception in the background worker when updating valid redirect URIs.
637136	Fixed: Do not include azure domains or inactive AD domains in group-type precheck.
637139	Fixed: Users missing their ExtendedUserMapping will register as a warning in the precheck instead of an error.
637373	Fixed: Corrected regression where secrets were counted twice in some scenarios. Secrets grid count functionality restored. Count ("# Items") is the sum of the number of first-child subfolders and the number of secrets in the current folder.
637690	Fixed: Incorrect GUI label. Updated Log Level filter label from "Site" to "Log Level."
638073	Fixed: A bug that prevented the secure-Platform-access step in the PIC from auto-skipping.
638238	Fixed: Fixed NG0203 error preventing folder selection dialog from popping up .
638317	Fixed: In the Data Sync step of the PIC, a new column (pre-check) was added to the 'Add exclusions' and 'Select data' dialogs. In the 'Select data' dialog, you may no longer select and synch a group with a pre-check error.
639151	Fixed: Resolved issue with PostgresSQL password change functionality.
640235	Fixed: Corrected a regression which caused the secrets grid to show "999,999,999 Items".
640554	Fixed: LimitedMode no longer blocks functionality related to AD sync, creating and editing secrets, importing secrets, use of web services.
640601	Fixed: Grid now adds the file extension when it does not exist, so files are properly downloaded as .csv
640808	Fixed: Request force checkout button is now displayed while the secret is in a pending status and the request force checkout feature is enabled
641566	Fixed: The dates of tbPlatformIntegrationStep were either not being set or being reset in certain scenarios. This has been fixed for all of the steps except the Unification step which will be fixed in a separate card.
641879	Fixed: Replica now handles event where Disaster Recovery feature deletes folder(s) assigned to Automatic Export by disabling Automatic Export.
642042	Fixed: A PIC precheck error was added when a username in Secret Server does not follow the regular expression rules defined in Platform.
642286	Fixed: Addressed issue that could cause errors forwarding computers to inventory.
643304	Fixed: The status of the customize branding step in the PIC no longer resets from Skipped to Ready to start when the page is refreshed.
643677	Fixed: AFT token validation errors will now return an error code instead of just a 500 status code with no body.
643841	Fixed: A fix was made for the opt-in step of the PIC if the user refreshes the page once the opt-in process has begun.

Improved

460275	Improved: Updated session recording logic to allow already running processes to be recorded from after the point of the session launch if said process was listed in the "Additional Processes" list for the launcher.
546156	Improved: Logging in when MFA setup is required now immediately redirects the user to configure MFA.
561827	Improved: Changed methodology for handling the domain field in RDP Proxy credentials to avoid unnecessary Kerberos TGT DNS lookups.
566484	Improved: Reports page size minimum has increased to 60.
569459	Improved: On the SAML Identity Providers page, we display the date and expiration status of the Identity Provider configured certificate. We also log if an expired certificate is used for a login in the SAML log. An explanation of why expired certificates will continue to work has been added to the Identity Providers page.
575905	Improved: Updated scanner template creation UI to combine both OU Input templates and non-OU Input templates into the same dropdown in categories.
580253	Improved: No dynamic update for active sessions. Active launchers section on secrets now updates every 30 seconds to show an updated list of active launchers.
582378	Improved: Updated grids using timestamps to use datetime in order to properly respect user preferences.
586608	Improved: Password validation failures for dictionary now indicate, "Dictionary words including common number substitutions."
593543	Improved: Removed time zone tooltips from reports to reduce confusion when time zones are set by the report.
594323	Improved: Empty pinned folders now inform users of the empty sections.
595169	Improved: It is no longer possible to delete the last step from a workflow. Existing workflows with no steps will now display a default starting step when opened to edit.
603721	Improved: Resilient secrets log text information and added operation progress percentage estimation. Fixed: An issue where resilient secrets operation was not interrupted on operation timeout.
605210	Improved: Performance of discovery scanner delete. Increased timeout to 24 hours, lowered isolation level where possible, and added logging for each delete operation.
609101	Improved: Added a non-configurable 30-second secret password timeout to improve security and reduce stale password issues. The timeout applies to: Show password—hides after 30 seconds (previously visible forever). Copy password—password value cached for 30 seconds only. Copy password icon clicks after that will trigger a fresh API call (to reduce stale password conflicts). Note that this does not affect the value that was already copied to the clipboard, only what will be copied when the user clicks the copy password icon.
610739	Improved: Performance improvements were made to the "Shared with me" Secret View, and the "Browse All Folders" view for customers with many folders in a highly nested structure.
611190	Improved: In the secret template list field, list and URL list now have their "dispose for display" boxes checked by default to denote the data's plaintext status. The expose for display control is also disabled so that it can not be unchecked by accident.
611573	Improved: Updates to Discovery Scan Status Report Query.
612177	Improved: Error handling for Platform credentials that become invalid.
612739	Improved: A new setting, "Disable Legacy Bookmark Pages," has been added the admin/user experience section. This setting is false by default. When true, the legacy bookmark pages used by legacy WPF will be disabled. This allows administrators to disable the setting and ensure they do not have any of these legacy clients that require it. This setting will default to disabled in a future release.
614508	Improved: Added the ability to view the Active Directory group type. This is displayed under the General tab of a group. If a group does not have a type, it will display as a hyphen. Otherwise, it will show one of the following: Global, Universal, or DomainLocal.
615870	Improved: Improve reliability when specifying the Platform Redirect URL.
616620	Improved: Secret export will now audit the current "Export" action and a new "Export retrieved" action to indicate that the user retrieved the file. Previously, you could close the browser window before retrieving the export file.
618004	Improved: Through the user experience settings, a user can use a new "COMMENT" audit action to separate the VIEW action of a checkout (or ITMS) protected secret from the required comment.
619399	Improved: Added an option on the Windows Service Discovery Scanner to use the Pre-Windows-2000 user logon name for discovered Windows services.
619512	Improved: Event pipeline set-custom-value tasks can now increment or decrement pipeline variables by custom values.
619515	Improved: Added additional group type validation (empty group types and DomainLocal group types) for the Data Sync step in the PIC. If empty group types are detected, users are prompted that there are empty group types and are instructed to run the directory services sync. For any DomainLocal groups found, an error message appears in the pre-check table within the Data Sync step stating that DomainLocal groups are not supported.
620202	Improved: Added additional response information when autofilling values.
621513	Improved: Grid columns are now all set to a fixed width at their current width when a user resizes any column. This makes resizing columns easier.
626041	Improved: Modifications to build pipeline to precompile, copy and overwrite precompiled assets to webroot folder. Packaging and installer remain as they were prior to PR.
626668	Improved: With Platform Integration, support for the setting "Create Groups during synchronization" is completely deprecated. Now, all Platform native groups will be created automatically and any directory groups through Platform need manual linking.
626881	Improved: Updated discovery import rules to prevent duplicate account creation and unintended unlinking of service and Active Directory accounts. Added broader test coverage, including integration tests, to ensure correct matching, unmatching, and unchanged behavior when re-running imports.
627169	Improved: Updated discovery analysis layout to emulate dashboard styles and to better accommodate large datasets.
627297	Improved: Added a new date and time range filter to Session Monitoring.
627303	Improved: Added a new state flag to indicate whether the Delinea enablement code has been entered.
627304	Improved: Added a new state flag to indicate the customer has completed the Platform integration.
627344	Improved: The inbox template editor now includes options to select message properties by selecting which message. This helps clarify that only message properties on the targeted message are available to merge into the template.
627607	Improved: Added Computer Services API endpoint; Computer Services component now has paging and sorting.
628034	Improved: Removed Transloco dependency.
628761	Improved: Added request force checkout feature
628801	Improved: Delinea's new code signing certificate is now trusted when validating upgrade versions for the future. Protocol handler releases before 6.0.3.34 will upgrade to 6.0.3.34 before newer versions to ensure the auto upgrade process will work.
631776	Improved: The application picker that appears when both Secret Server and Privilege Manager are installed has an updated design. This slightly increases the speed of the login process.
631811	Improved: When clicking the option inside of a user's secrets tab you will be redirected to the Secret Templates settings page that lists all of the secret templates.
633054	Improved: Optimized memory management to reduce latency buildup in the US BGW, preventing performance degradation over time. Restored ASP.NET metrics for better visibility into garbage collection and CPU usage.
633244	Improved: Additional logging added during the enabling of unified mode in the PIC .
633996	Improved: PowerShell Core (6+) support added to the scripts page.
634022	Improved: A new bulk secret action was added to allow for updating a field across multiple secrets. The value can be prepended, appended, or replace the existing value.
634158	Improved: Improved memory utilization of the background worker in Cloud.
634668	Improved: Updated Secret Server to use the new shared clipboard service. Updated shared clipboard service to use fallback when on non-secure contexts. Removed clipboard plugin use from clipboard service.
635475	Improved: Enhancements to ticket system configuration, allowing for more nuanced interactions between ticket validation and require approval flows.
635732	Improved: Added PasswordTypeIds as a filter on the api/v1/secret-templates-list endpoint.
635803	Improved: Only the users that are migrated are validated.
635963	Improved: Added an Advanced Configuration setting that will restrict the amount of secret Item History that will be replicated due to the sheer size of that table with relation to the value of replicating a history beyond a certain point. The default number of item histories to be replicated is set to 3.
635970	Improved: Updated libraries to achieve more control when inter-operating with Platform users.
636130	Improved: When enabled, "Show secret icons" in User Experience will display icons for secrets in grid, card, and detail view.
638653	Improved: Secret components on Dashboard (Favorites, Recent etc.) will now only cache Secret passwords for 30 seconds on copy to clipboard, as in other Secret views.
638678	Improved: Administrators can configure the DCM experience for non-business users
638730	Improved: Updated platform integration center TOTP message to clarify which users TOTP information will be migrated.
638911	Improved: Removed legacy CustomLauncherEdit/View.aspx pages
638915	Improved: Legacy SimpleHome.aspx page removed
638928	Improved: Removed legacy secret access request aspx pages.
639164	Improved: The legacy license aspx pages have been removed.
639851	Improved: Added caching to improve container configuration, API performance and reliability.
640213	Improved: legacy discovery, secret import, and script pages now have a note indicating they will be removed in a future release.
640556	Improved: Admins of systems exceeding licenses limits will be notified via UI banner.
640783	Improved: $SECRETID / $[x]$SECRETID are now available for scripting
642250	Improved: Platform Integration can no longer be disabled when unified mode is enabled and all users are sourced from Platform. This prevents users from locking themselves out of their instance. If Platform Integration can be disabled, a dialog warns the user of the consequences.

Known Issues

• After upgrading to version 11.8, users might see "Language Resource Not Found (admin.external-secrets)" on the Secrets tab. This was caused by old language files that were cached and not updated for the new menu item. The solution to this issue is to:

  • Clear their cache for the Secret Server URL or for their entire browser

  • Incognito can also be used if the cache can't be cleared

  • A "hard refresh" (CTRL + Shift + R) that bypasses the cache does not fix this issue

  Refer to the following support article for more information.