Secret Server 11.9.000006 Release Notes

Release Date: On-premises: August 4, 2025

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.59.0

Protocol Handler: 6.0.3.39

If your Protocol Handler version is 6.0.3.26 or lower, you must upgrade it manually; automatic upgrades do not work for those versions. Protocol Handler 6.0.3.27 and higher upgrade automatically.

Important Technical Change for Secret Server 11.8 and Later

Please carefully review this section prior to upgrading.
Applies to Secret Server On-Premises only.

Overview

Prior to the 11.8 on-premises release, Secret Server On-Premises was delivered in a "dynamically-compiled" state. In this configuration, components of the website, particularly .aspx files, were compiled by IIS upon receiving the initial request.

Starting with the 11.8 release, the application is pre-compiled, which significantly enhances and accelerates application startup because it eliminates dynamic compilation.

As a result, some customers may experience startup issues. Please review the two items below prior to upgrading:

  • Pre-compiled applications cannot run in IIS if there is an "App_Code" folder present. Therefore, the version 11.8 upgrade renames this folder automatically on start-up to avoid issues. Please note:

    • In some cases the application pool may not have the permissions to rename the "App_Code" folder, resulting in start-up issues, specifically, the Web page does not load.

    • If the application pool does not have the permissions, you must rename the "App_Code" folder or give the account running the application pool "modify" permissions to the application folder.

    • When finished, perform an iisreset to restart Secret Server.

  • If you have manually modified any .aspx files, you will not be able to do so anymore, as those files are compiled already. Do not upgrade until you have verified you do not need the modifications going forward.
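
The check and both remedies described above, as an added PowerShell example that is not part of Delinea's release notes or product code. The site root path and application pool name are assumptions for your installation; the script resolves the application pool identity through the IIS WebAdministration module, tests whether that identity already holds Modify on the application folder, and otherwise renames App_Code itself before restarting IIS:

```powershell
# Added pre-upgrade check for the App_Code issue described above; this is not Delinea code.
# Assumptions (adjust to your installation): the site root path and application pool name.
# Requires an elevated session and the IIS WebAdministration module.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$siteRoot    = 'C:\inetpub\wwwroot\SecretServer'   # assumed install path
$appPoolName = 'SecretServer'                      # assumed application pool name
$appCode     = Join-Path $siteRoot 'App_Code'

# Resolve the Windows principal the application pool runs as.
$pool = Get-Item "IIS:\AppPools\$appPoolName"
$principal = switch ([string]$pool.processModel.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$appPoolName" }
    'SpecificUser'            { $pool.processModel.userName }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
}

if (-not (Test-Path -LiteralPath $appCode)) {
    Write-Host "No App_Code folder under $siteRoot; nothing to do before upgrading."
    return
}

# Does the pool identity hold Modify (or Full Control, which includes it) on the site root?
# This only inspects ACEs granted directly to that principal, not rights inherited through
# group membership, so treat a negative result as "verify by hand", not as proof of denial.
$modify    = [System.Security.AccessControl.FileSystemRights]::Modify
$hasModify = (Get-Acl -LiteralPath $siteRoot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $principal -and
    (($_.FileSystemRights -band $modify) -eq $modify)
}

if ($hasModify) {
    Write-Host "$principal can modify $siteRoot; the upgrade can rename App_Code on its own."
} else {
    # Option A (least privilege): rename the folder yourself so the pool never needs write access.
    Rename-Item -LiteralPath $appCode -NewName 'App_Code.pre-upgrade' -ErrorAction Stop
    Write-Host "Renamed App_Code to App_Code.pre-upgrade."
    # Option B (also allowed by the release notes): grant the pool identity Modify on the
    # application folder instead, for example:
    #   icacls $siteRoot /grant "${principal}:(OI)(CI)M"
}

# Restart IIS so Secret Server starts against the pre-compiled site.
iisreset
```

Run it in an elevated PowerShell session on the web server before starting the 11.8 or later upgrade. Renaming the folder is the narrower remedy: granting the application pool identity Modify on the whole application folder lets it rename App_Code, but it also lets a compromised worker process rewrite the site's own files.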

Support Articles

Please see the following technical articles for instructions:

New Features

Multi-Cloud Security and Integration

  • AWS Secrets Manager Integration extends our distributed vaulting initiative beyond Azure, providing seamless integration with Amazon's AWS Secrets Manager. Administrators can centrally vault, manage, update, and rotate credentials in AWS Secrets Manager, further addressing secret sprawl across multi-cloud environments. All secrets can be managed centrally without sacrificing latency or developer and business agility, and Non-Human Identities (NHIs) and Artificial Identities (AIs) are managed with the same security and governance.
  • Automatic vault lists for Azure Key Vault and AWS Secrets Manager simplify the vault linking process by presenting the available vaults automatically, reducing configuration complexity and the potential for errors during setup.

Platform Upgrade Center (PIC) Enhancements

Note: the PIC is soon to be renamed Platform Upgrade Center; these notes use both names.

  • Automated, secure Platform access transforms the previously manual two-step process into an automated workflow when Platform environmental conditions allow, reducing upgrade complexity and potential errors.
  • Enhanced Platform Upgrade Center (PIC) with Entra ID Support streamlines the upgrade process for organizations using Microsoft Entra ID. The PIC now features automated upgrade steps and application account integration capabilities, making it easier for customers to use the full power of the Delinea Platform. This unblocks a key capability, ensuring customers who federated with Entra ID in Secret Server can seamlessly upgrade to the Delinea Platform via the PIC.
  • Enhanced pre-checks and validation provide better error messaging and validation throughout the upgrade process, including username validation against Platform regular expression rules and improved group membership handling.
  • Application account support enables seamless integration of application accounts to the Delinea Platform through the PIC, expanding the scope of automated upgrade capabilities.

Performance and Scalability

  • API performance optimization addresses excessive launcher session polling that was generating over 120 million monthly API calls, significantly reducing server load and infrastructure costs while maintaining functionality.
  • Secret search performance improvements deliver a 66% improvement in secret search speed compared to previous versions.
  • Bulk operations performance enhancement significantly improves reliability and performance for large-scale secret operations. Enhanced secret imports and bulk operations now split large requests into smaller chunks, preventing failures due to message-size limits and boosting performance by up to 20% for operations involving tens of thousands of secrets.

Security and Compliance

  • Security enhancements for auditing create separate controls for password view, secret view, and comment-required auditing. Customers in higher-security environments can audit password view events in real time while requiring comments less aggressively, preserving business productivity.
  • Session management improvements include better RDP proxy session tracking, automatic session closure when checkout expires, and enhanced keystroke recording capabilities for SSH-tunneled connections. These improvements provide better visibility and control over privileged sessions.

User Experience and Management

  • Personal folder duplicate secret management provides granular control over duplicate secret names by allowing duplicates in separate personal folders while maintaining restrictions elsewhere. This enhancement uses an improved enumeration-based configuration system that eliminates conflicting Boolean settings.
  • Request forced checkout enhancement builds upon the 11.8 feature with improved UI display and better handling of secrets in pending status, providing administrators with more control over secret access during incident response scenarios.
  • Increased Windows password changer flexibility offers increased configurability for authentication methods and their order, with enhanced server message block (SMB) fallback options that provide more granular control over heartbeat and password change operations.

Licensing and Availability

Extended resilient secrets availability to Secret Server Professional resolves licensing issues that previously blocked this feature. Customers with a Secret Server Professional license can now access the resilient secrets pages without encountering license-required error messages.

Improvements

ID Release Notes
524382 Improved: Updated UI for configuration export to highlight that only CSV and XML formats are supported.
527531 Improved: Users can now use a regular expression to identify sudo password prompts on UNIX systems in languages other than English.
550918 Improved: The GCP service account now heartbeats with a privileged account, when one is provided.
551474 Improved: The Referrer-Policy has been added as "no-referrer." The Permissions-Policy has been updated with a more restrictive set of permissions.
557027 Improved: A user with only "list" permissions for a given secret will no longer see a launcher button in the secret grid/list. A user with only "list" permissions on a secret will now be able to favorite that secret.
561827 Improved: Changed the handling of the domain field in RDP proxy credentials to avoid unnecessary Kerberos TGT DNS lookups.
595575 Improved: Migration Step 2, Secure Platform Access, was updated from a set of instructions for the user to an automated process, if the Platform environment allows it.
604531 Improved: Added advanced setting to pause RPC and heartbeat to help enable multi-day migrations.
604871 Improved: Plugin created to allow changing and resetting of QuantumLock passwords from Platform.
605155 Improved: Added application account migration to the Platform Upgrade Center.
608421 Improved: Group names now show their domain names when viewed on the Platform Group Synchronization page.
609118 Improved: Optimized the Inbox - Secret Access Requests query for better performance. Added clearer error messages for failures when approving or denying secret access requests.
612530 Improved: SSH-tunneled connections that are not encrypted, such as Telnet, can have keystrokes recorded based on a new setting on the custom launcher.
612647 Improved: Added a new informational card to the PIC. This card appears after unified mode is complete and provides helpful details along with links to related topics.
615870 Improved: Increased reliability when specifying the Platform Redirect URL.
617040 Improved: Secret search performance by merging two operations into one.
619399 Improved: Added an option on the Windows service discovery scanner to use the pre-Windows 2000 user logon name for discovered Windows services.
619452 Improved: Secret Server user audit logs from Platform are now more verbose.
620268 Improved: The api/v1/secret-extensions/web-secret-templates endpoint now returns templates that contain URL list fields as well as URL fields.
620615 Improved: Added a field to Active Directory account secrets that shows expiration date for that account's password in Active Directory, if available.
621245 Improved: Extended the OpenLDAP configuration to allow for optional exclusion of the paging control.
621586 Improved: Updated pipeline behavior for viewing secrets. Pipelines will always run no matter how frequently a secret is viewed.
624262 Improved: A validation error is now provided when a user attempts to orphan a QuantumLock group by removing the only user assigned to the group.
626043 Improved: When an RDS session connector session begins, the RDP file downloaded by the user can now be signed using a password-protected PKCS#12 certificate with a private key. This avoids the yellow security warning users would otherwise see when opening an RDP file coming from Delinea.
626246 Improved: Support for keystroke-only recording in session connector.
628761 Improved: Added "request force checkout" feature.
631811 Improved: When clicking the All Secret Templates option inside of a user's secrets tab, you are now redirected to the Secret Templates settings page that lists all of the secret templates.
632693 Improved: A user with only the "List" permission on a secret no longer gets an "access denied" redirect upon clicking the launcher icon. They now see a descriptive error message instead.
632768 Improved: Added a banner to Azure AD secrets that warns of Microsoft's pending retirement of the PowerShell module underpinning the password changer for those secrets.
633084 Improved: Updated some Japanese translations.
634668 Improved: Updated Secret Server to use the new shared clipboard service. Updated shared clipboard service to use fallback when in non-secure contexts. Removed clipboard plugin use from clipboard service.
637109 Improved: Text for event pipelines secret email updated to indicate you can send the email to any role, not just owners.
637403 Improved: Directory services now enforces a maximum number of results for Active Directory group searches, reducing query times for customers with large group structures.
638247 Improved: Users with view-only permissions on a folder can now see which policy is applied on a folder.
638771 Improved: The Group Member grid now properly takes up the full height available instead of leaving a gap on large screens.
638911 Improved: Removed legacy CustomLauncherEdit/View.aspx pages.
638915 Improved: Legacy SimpleHome.aspx page was removed.
638928 Improved: Removed legacy secret access-request .aspx pages.
639164 Improved: The legacy license .aspx pages have been removed.
639773 Improved: Added a new report for active users and all users for secrets.
640087 Improved: Added option to allow duplicate secret names in separate personal folders.
640202 Improved: Performance when there are a great number of folders for the following operations: modifying folders, modifying user display names, or changing the personal folder root name (if personal folders are enabled).
640487 Improved: Added more configurability to the Windows password changer for the method and method order.
640554 Improved: LimitedMode no longer limits AD sync, creating and editing secrets, importing secrets, and web service use.
640556 Improved: UI banner now notifies admins of systems exceeding license limits.
640688 Improved: Scan Template Detail page: an unused scan template can now be deleted. Required Fields now change according to scan type selection.
640783 Improved: $SECRETID and $[x]$SECRETID are now available for scripting.
641022 Improved: Folder-detail performance.
641879 Improved: The DR replica now handles events where the DR feature deletes folder(s) assigned to "automatic export" by disabling automatic export.
642042 Improved: Added a PIC pre-check error when a username in Secret Server does not match the regular expression rules defined in Platform.
642213 Improved: Check out, check out extended, and check in Syslog events now contain the UTC times of check out and check in.
642250 Improved: Platform Integration can no longer be disabled when unified mode is enabled and all users are sourced from Platform. This prevents users from locking themselves out of their instance. In the event that Platform Integration can be disabled, a dialog warns the user of the consequences.
643200 Improved: Added a data link between the SDK client account and onboarding rule so when an SDK onboarding rule is deleted all SDK client accounts created from that rule get their access revoked.
643381 Improved: Added a configuration setting under user experience to set the duration for the password mask to begin hiding input again.
643721 Improved: Secret access requests can now be published to the Delinea Platform for other services such as the intelligent authorization agent.
643739 Improved: Users can now use the Platform Upgrade Center to migrate Entra ID domains to Platform.
643793 Improved: The groups precheck in the PIC now only warns of group membership and role changes.
643866 Improved: Added a tab on the User Management page titled OAuth Expiration that lets users delete previously issued OAuth tokens.
644419 Improved: Added automatic listing when adding an external vault link to Azure Key Vault.
644548 Improved: DR button order swapped and grid fixed to have more uniform styling on the status chips.
644589 Improved: Now, during provisioning, we retry validation of Secret Server credentials. If upon retry validation still fails, it notifies the orchestrator that provisioning has failed.
644596 Improved: Performance of session monitor search when HasKeystrokes is enabled.
644755 Improved: Converted the update status endpoint to use a PATCH to prevent unnecessary value changes.
644783 Improved: Consistency of the PIC UI steps.
644847 Improved: A banner now reminds admins when their usage license is exceeded.
644887 Improved: Added QuantumLock actions to the user profile.
645147 Improved: When a user lacks access to a session recording, they see a more informative error page.
646302 Improved: The legacy bookmark pages are now disabled by default. They can be re-enabled from settings > user experience > Disable legacy bookmark pages. These pages will be completely removed in an upcoming release.
646932 Improved: Updated design for adding widgets to the desktop.
647178 Improved: Attempting to create an Active Directory discovery source when discovery is disabled now informs you that discovery is disabled and needs to be enabled.
647190 Improved: Admins now receive a reminder in the UI when license usage has exceeded licensing limits.
647689 Improved: HSM process: When enabling and disabling the HSM or rotating the HSM key a backup of the encryption.config is created. To prevent a bad state where the database has updated and the encryption.config was not, the database changes are rolled back to the prior state. Also, when rotating the HSM key with PKCS11, if selecting the current DLL, the system will prevent changing the token label and user pin. Since the PKCS11 library already has an open session and cannot close, this prevents potentially saving the wrong information.
647936 Improved: Added capability to select from multiple settings with distinct behaviors to set how duplicate secret names are handled in the Permission Options section.
648752 Improved: Performance of resilient secrets excluding all data related to QuantumLocked secrets.
649210 Improved: Protocol handler parameter checking when using install options was extended to address CVE-2024-12908.
649708 Improved: Resilient Secrets now falls under "Professional" licensing without need of an add on.
649863 Improved: Updated workflow and secret approvals to use the template arguments for the ticket system.
649955 Improved: Reduced the likelihood of an incorrect query returning too many results.
650476 Improved: Increased flexibility for the Windows Password Heartbeat. The Enable SMB Fallback option, previously on the remote heartbeat configuration options, has been replaced with options directly under the advanced settings under Windows Password Changer. This allows you to toggle RPC and SMB heartbeat attempts and determine the order. Previous Enable SMB Heartbeat configuration has been translated to the new settings. The new options for flexibility do require DE version 8.4.56.0.
650658 Improved: Legacy bookmarklet pages were removed.
650720 Improved: The legacy session recording search and viewing pages were removed.
650755 Improved: Several legacy message pages, such as a read only mode description, have been removed and replaced with newer versions.
650853 Improved: Reduced CPU use within the website and background worker.
651149 Improved: Added text to the Unified step of the Platform Upgrade Center.
651315 Improved: Removed the HSM legacy .aspx pages.
651333 Improved: Password type audit grid updated to angular.
652518 Improved: Added more prechecks in the PIC for a user with a domain whose AD Guid or UPN is NULL in Secret Server.
653208 Improved: Drop down options added for email configuration.
653299 Improved: The secret view that opens in the right panel has been cleaned up to make the copy icons more visible and keyboard access has been enhanced.
653422 Improved: Added a throttle setting, "Max Number of Passwords That Can be Changed at One Time," for the Entra ID password changer.
653719 Improved: Adjusted MDI partner API URLs to match the new URL.
655545 Improved: Platform is now running on angular 20.
659980 Improved: Legacy discovery .aspx pages were removed.
661443 Improved: Manage Directory Groups button was removed from the Groups page. It just linked to directory services, which is easily accessed in the left navigation panel.
661831 Improved: The legacy discovery .aspx pages have been removed.
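
The Referrer-Policy and Permissions-Policy change in 551474 is worth verifying after the upgrade. The following PowerShell function is an added example, not Delinea code: it parses a response's Permissions-Policy into feature/allowlist pairs and checks that Referrer-Policy is no-referrer and that a set of features is denied. The feature list is an assumed baseline because these notes do not publish the exact policy value; the sample header sets are constructed and the instance URL is a placeholder.

```powershell
# Added check for the header change in 551474; this is not Delinea code. The release notes do
# not publish the exact Permissions-Policy value, so the list of features expected to be denied
# is an assumed baseline; replace it with whatever your own hardening standard requires.

function Test-SecretServerHeaders {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Headers,   # name -> value
        [string[]] $MustDeny = @('camera', 'microphone', 'geolocation')      # assumed baseline
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # HTTP header names are case-insensitive; normalise before lookup. PowerShell 7 returns
    # header values as string[], so force them to a single string.
    $h = @{}
    foreach ($name in $Headers.Keys) { $h[([string]$name).ToLowerInvariant()] = "$($Headers[$name])" }

    if ($h['referrer-policy'] -ne 'no-referrer') {
        $findings.Add("Referrer-Policy is '$($h['referrer-policy'])', expected 'no-referrer'")
    }

    $pp = $h['permissions-policy']
    if (-not $pp) {
        $findings.Add('Permissions-Policy header is missing')
    } else {
        # Permissions-Policy is a comma-separated list of feature=allowlist entries; an empty
        # allowlist "()" denies the feature for every origin, including the page itself.
        $policy = @{}
        foreach ($entry in ($pp -split ',')) {
            $parts = $entry.Trim() -split '=', 2
            if ($parts.Count -eq 2) { $policy[$parts[0].Trim()] = $parts[1].Trim() }
        }
        foreach ($feature in $MustDeny) {
            if (-not $policy.ContainsKey($feature)) {
                $findings.Add("Permissions-Policy does not restrict '$feature'")
            } elseif ($policy[$feature] -ne '()') {
                $findings.Add("Permissions-Policy allows '$feature' for $($policy[$feature])")
            }
        }
    }
    return $findings
}

# Constructed sample header sets (not captured from a real Secret Server instance).
$hardened = @{
    'Referrer-Policy'    = 'no-referrer'
    'Permissions-Policy' = 'camera=(), microphone=(), geolocation=()'
}
$weak = @{
    'Referrer-Policy'    = 'strict-origin-when-cross-origin'
    'Permissions-Policy' = 'camera=(self), microphone=()'
}
Test-SecretServerHeaders -Headers $hardened
Test-SecretServerHeaders -Headers $weak

# Against a live instance (assumed URL), after the upgrade:
# $resp = Invoke-WebRequest -Uri 'https://secretserver.example.com/' -UseBasicParsing
# Test-SecretServerHeaders -Headers $resp.Headers
```

Check the login page and an authenticated page separately; reverse proxies and load balancers in front of IIS sometimes strip or override security headers, and that is what this check would catch.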

Fixed Issues

ID Release Notes
527950 Fixed: Cloud customers using PBA would see an erroneous error message indicating that the PBA site was not ready.
556437 Fixed: A user without "force check in" permissions is no longer offered a check out button in the inline view or checkout page for a secret that is in a failed RPC state and not currently checked out to any other user. Instead, the user sees an error making them aware of the RPC failure. An admin or user who does have those permissions is still shown a check out button, as they need to be able to see the secret even in a failed state to fix it.
557815 Fixed: The Test Slack configuration button on the Slack Integration page did not work correctly when the form was not in edit mode.
562377 Fixed: Accounts that did not have local logon privileges could not be used to run application pool dependencies.
563476 Fixed: Sessions were not automatically closed when the secret checkout expired.
569459 Fixed: On the SAML Identity Providers page, we display the date and expiration status of the identity-provider-configured certificate. We can also log if an expired certificate is used for a login in the SAML log. We added an explanation of why expired certificates continue to work to the Identity Providers page.
572558 Fixed: The "api/v1/one-time-password-code" call throwing a 500 error.
578291 Fixed: Session recording search timed out.
578885 Fixed: Enhanced secret imports and bulk operations, enabling large requests to be split into smaller chunks, to prevent failures due to message-size limits. This change improves reliability for bulk operations with tens of thousands of secrets and boosts performance by up to 20%.
588963 Fixed: The "IsDeleted" field for Active Directory groups was not processed when syncing through a distributed engine.
596179 Fixed: Known issues around adding fields. Cancel button now works correctly.
612930 Fixed: Issue where users could select HSM settings without the Administer HSM permission.
616850 Fixed: Resolved issues where debug log messages could be read as errors when displaying group members in directory services.
618947 Fixed: The password type for a secret template is no longer removed when both RPC and heartbeat are turned off.
619161 Fixed: Email PIN code loop with federated login. Resolved issue where browsers using SAML authentication with email-based MFA would send a new PIN email every 5 minutes due to automatic page refresh. Added audit logging for PIN requests to improve troubleshooting capabilities.
624185 Fixed: Automatic user management would not reenable users on login.
627425 Fixed: Maximum file size allowed decimal values in Security File Restriction page.
627910 Fixed: Missing Add Member button on the Teams page.
628730 Fixed: If using Integrated Windows Authentication with web services, there could be a failure from an unrelated SSH Proxy Terminal SSH key Unix authentication method if set to "Password or Public Key."
630656 Fixed: Legacy password changers were disabled in new installs and could not be modified.
634234 Fixed: Event pipeline "increment/decrement variable" task had issues accepting string values in an event pipeline.
635932 Fixed: When adding associated secrets in a bulk operation, the remove link would not always show for a secret you just added.
638045 Fixed: Approval settings for non-secret policies.
638256 Fixed: An inaccurate error message for session recordings when launch is not detected.
638964 Fixed: RDP proxy session tracking. Resolved an issue where RDP proxy sessions that were opened using proxy credentials (not protocol handler) were not being marked as launched, causing them to be missing from session search results.
639151 Fixed: Resolved issue with PostgreSQL password-change functionality.
640392 Fixed: DR replication data loss when the replica encounters save errors. Resolved issue where running "new data since last replication" could result in permanent data loss if the replica encountered errors during save, causing subsequent replications to skip the failed data entirely. Fixed replication state tracking to ensure failed items are retried in future partial replications.
640808 Fixed: The Request Force Checkout button is now displayed while the secret is in a pending status and the "request force checkout" feature is enabled.
640978 Fixed: The bulk secret field update now works when MFA is enabled on any secret that is selected.
641375 Fixed: Adding and removing fields did not work correctly if none of the new or existing fields were edited.
641376 Fixed: Export CSV on reports and the auto export storage download now work in Platform.
641566 Fixed: The dates of tbPlatformIntegrationStep were either not being set or being reset in certain scenarios. This has been fixed for all of the steps except the Unification step that will be fixed in a separate card.
641630 Fixed: Secret audits did not correctly link to the new session recording UI.
642223 Fixed: A total count issue when searching subfolders and secrets and then checking and unchecking items.
643226 Fixed: Password changes now trigger an external key-vault push for the linked secret.
643304 Fixed: The status of the Customize branding step in the PIC no longer resets from "skipped" to "ready to start" when the page is refreshed.
643492 Fixed: Discovery bug where Entra ID users or roles would not display properly in "Network TreeView" under the root Entra ID tenant node.
643677 Fixed: AFT token validation errors now return an error code instead of a 500 status code with no body.
643715 Fixed: An issue with the "maximum login failures" shortcut leading to the wrong configuration area.
643815 Fixed: TOTP codes from the favorite dashboard in Platform now work.
643841 Fixed: An error with the opt-in step of the PIC if the user refreshed the page once the opt-in process had begun.
643869 Fixed: Save button was enabled when modifying file attachments before any change was made.
644593 Fixed: Corrected workflow email links for Platform to point to Platform URLs not SSC URLs.
644921 Fixed: Discovery source ID was not being read correctly for Entra ID Members, which led to problems viewing and importing accounts.
645106 Fixed: Issue that could sometimes prevent validation of the Platform URL from the Secret Server configuration page.
645923 Fixed: The "ThycoticSystem" internal user now has the display name "Delinea System."
646732 Fixed: Issue where Entra ID discovery would cause errors when field names in the Privileged Secret template were changed.
646957 Fixed: Periodic error when retrieving favicons.
647271 Fixed: Active Directory invites did not get created in Secret Server.
647291 Fixed: A new version install could cache old en.json localization files. Language files now include cache-busting tags.
647351 Fixed: Locked users in Platform were not disabled in Secret Server.
647639 Fixed: An issue that could block OIDC authentication.
647691 Fixed: Account scan template was not display after saving on the Scan Template Detail page.
647852 Fixed: A localization issue on the Discovery Rules List page.
648239 Fixed: Template selection issue on discovery rules.
648534 Fixed: Long secret names did not wrap properly when shown as credentials for a discovery scanner.
648665 Fixed: The Validate Connectivity button was not visible when configured to use processing location as the website.
648769 Fixed: 404 error on application load. To prevent this, custom language resources are now only loaded if the files exist.
648844 Fixed: The CSV report download button did not work in Platform.
648998 Fixed: The Preview panel, once closed, would not reappear until opened again.
649098 Fixed: Anti-forgery token logic caused pages to refresh in some circumstances.
649167 Fixed: Secrets did not show inherit permissions properly when searching in the grid. Folders now show the inherits permissions column when shown in the grid.
649273 Fixed: The date range filter could be removed from the discovery computer scan results tab.
651907 Fixed: Resolved an upgrade failure to 11.7.25-11.8.1 for on-premises Windows customers using a non-en-us locale.
651955 Fixed: A fresh on-prem install got stuck at the Create Initial User page.
652482 Fixed: Scan template names were not populated in a dropdown on the PasswordChangerEditScanItemTemplateEdit.aspx page.
652648 Fixed: The Edit button is now visible but disabled on non-editable scan templates.
652697 Fixed: In the PIC Secure Access step, polling did not occur in certain situations after the button was pressed, leaving the step stuck in the In Progress state.
652855 Fixed: Tunneled RDP proxy data could be stored in the database erroneously under certain conditions. This data is encrypted by the RDP protocol and is therefore not usable as keystroke data and should not be stored.
653644 Fixed: Secret policy launcher tab clipped the far right side of the form selects.
654670 Fixed: Secret share no longer adds groups to the Platform Allowed group list when adding from external groups.
655397 Fixed: On-premises edge case where if the web role had a cached valid license the disaster recovery process was allowed to begin but the background worker could not see a valid license and would do nothing. Now a log is generated.
655439 Fixed: Bug where the SAML Metadata Download XML button did not work.
659912 Fixed: The script editor (report, scripts) would sometimes show an error with the text "canceled."
660018 Fixed: A WRONGTYPE issue caused by calling redis.GetList on a "List<string>" type object. Caching once again applies for this value.
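
To make the failure mode in 640392 concrete, here is an added PowerShell illustration that is not Delinea code and says nothing about how the replica is really built: a change feed, a simulated replica save that fails once, and two replication strategies, one that advances a single watermark past failed items and one that tracks failed items and retries them. All names and data are constructed.

```powershell
# Added illustration of the failure mode fixed in 640392; this is not Delinea code and does not
# show how the replica is actually implemented. The change feed, the replica store and the
# simulated save failure are all constructed for the example.

# Constructed change feed from the primary: each item carries a change timestamp.
$feed = @(
    [pscustomobject]@{ Id = 1; Changed = [datetime]'2025-08-01T10:00:00Z'; Payload = 'folder A' }
    [pscustomobject]@{ Id = 2; Changed = [datetime]'2025-08-01T10:05:00Z'; Payload = 'secret B' }
    [pscustomobject]@{ Id = 3; Changed = [datetime]'2025-08-01T10:10:00Z'; Payload = 'secret C' }
)

# Simulated replica save: Id 2 fails on its first attempt (a transient error), then succeeds.
$script:attempts = @{}
function Save-ReplicaItem($item) {
    $script:attempts[$item.Id] = 1 + [int]$script:attempts[$item.Id]
    if ($item.Id -eq 2 -and $script:attempts[2] -eq 1) { throw "save failed for item $($item.Id)" }
}

# Before the fix: a single "last replicated" watermark for the whole batch. A failed save is
# logged, but the watermark still moves past it, so "new data since last replication" never
# selects that item again and the data is silently lost on the replica.
function Invoke-ReplicationBuggy([datetime]$Since) {
    $saved = @()
    foreach ($item in ($feed | Where-Object { $_.Changed -gt $Since })) {
        try { Save-ReplicaItem $item; $saved += $item.Id } catch { Write-Warning $_ }
    }
    $newMark = ($feed | Sort-Object Changed -Descending | Select-Object -First 1).Changed
    return [pscustomobject]@{ Saved = $saved; Watermark = $newMark }
}

# After the fix: replication state is tracked per item. The watermark only covers items that
# were actually saved, and failed ids are carried over and retried in the next partial run.
# In a real replica the failed-id list must be persisted next to the watermark.
$script:failedIds = @()
function Invoke-ReplicationFixed([datetime]$Since) {
    $candidates = $feed | Where-Object { $_.Changed -gt $Since -or $_.Id -in $script:failedIds }
    $saved = @(); $failed = @(); $newMark = $Since
    foreach ($item in $candidates) {
        try {
            Save-ReplicaItem $item
            $saved += $item.Id
            if ($item.Changed -gt $newMark) { $newMark = $item.Changed }
        } catch {
            $failed += $item.Id; Write-Warning $_
        }
    }
    $script:failedIds = $failed
    return [pscustomobject]@{ Saved = $saved; Failed = $failed; Watermark = $newMark }
}

# Two rounds with each strategy, starting from an empty replica.
$start = [datetime]'2025-07-31T00:00:00Z'

$script:attempts = @{}
$b1 = Invoke-ReplicationBuggy $start
$b2 = Invoke-ReplicationBuggy $b1.Watermark        # nothing is newer than the watermark
"Buggy : round 1 saved [$($b1.Saved -join ',')], round 2 saved [$($b2.Saved -join ',')]"

$script:attempts = @{}
$f1 = Invoke-ReplicationFixed $start
$f2 = Invoke-ReplicationFixed $f1.Watermark        # item 2 is retried from the failed list
"Fixed : round 1 saved [$($f1.Saved -join ',')], round 2 saved [$($f2.Saved -join ',')]"
```

In the buggy strategy item 2 is never saved; in the fixed one it is saved in round 2. The failed-item list is replication state that has to be persisted alongside the watermark: if it lived only in memory, a process restart between rounds would recreate the original data loss.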

Known Issues

  • After upgrading to version 11.8, users might see "Language Resource Not Found (admin.external-secrets)" on the Secrets tab. This is caused by old language files that were cached and not updated for the new menu item. To resolve it:

    • Clear the browser cache for the Secret Server URL, or for the entire browser.

    • An incognito (private) window can also be used if the cache can't be cleared.

    • A "hard refresh" (Ctrl + Shift + R) that bypasses the cache does not fix this issue.

    Refer to the following support article for more information.