Heartbeat Status Codes

  • AccessDenied: Account does not have the rights to log into the resource. Example: Remote login is not enabled for a Windows local account.
  • AccountLockedOut: Account is locked out in the domain or on the workstation for Windows local accounts or Linux accounts.
  • ArgumentError: Incorrect arguments have been provided to complete the Heartbeat. Example: Trying to use the new Entra ID secret template without a privileged secret mapped.
  • Disabled: Heartbeat is disabled because the secret uses QuantumLock, does not exist, is disabled, or does not have the correct license level activated.
  • DnsMismatch: Secret Server connected to an unexpected host when trying to complete a heartbeat, likely because of a DNS or network problem.
  • Failed: The credentials are either incorrect or the account does not have permission to log in.
  • Failed Unknown: Catch-all for any responses we don't recognize.
  • IncompatibleHost: An incompatible function was applied to the device or source. Example: Trying to use a Linux password changer for a Windows account.
  • NeedsImmediateRetry: The heartbeat feature uses PowerShell, and the MaxShellsPerUser limit was exceeded. The heartbeat will be tried again.
  • Pending: The secret is set to be processed during the next batch of processing.
  • PrivilegedAccountRequired: The secret requires a privileged account to run a heartbeat, but the account was not linked or was missing when the heartbeat was queued.
  • Processing: The heartbeat was sent to the engine for processing and Secret Server is awaiting a response.
  • Success: Successful credential validation.
  • UnableToConnect: Secret Server was unable to contact the target system. Ensure that the domain, IP address, or hostname is correct and resolvable from the server that Secret Server is installed on.
  • UnableToValidateServerPublicKey: The Linux key-based credentials are incorrect.
  • UnknownError: Check the heartbeat log on the Remote Password Changing page for details, and contact Support for assistance. This error typically refers to other cases where we could not determine the reason for the failure but reached a resource such as Active Directory. Example: "User Name could not be found."

Keep in mind that the pipeline appears to log a heartbeat failure if it receives any status other than "Success", "Pending", "Disabled", or "Unable to Connect". This means that "Processing" will also be treated as a failure.
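
The logging rule in the note above, as an added example (not Secret Server code): the Python sketch below applies that rule to constructed heartbeat records, then separates in-flight statuses (Processing, NeedsImmediateRetry) from ones that need investigation. The record layout, the verdict names, the STUCK_AFTER threshold, and the reading of "Unable to Connect" as the UnableToConnect code are assumptions.

```python
from collections import defaultdict

# Statuses the pipeline does NOT log as a failure, per the note above.
# Assumption: "Unable to Connect" in the note is the UnableToConnect code.
NOT_LOGGED_AS_FAILURE = {"Success", "Pending", "Disabled", "UnableToConnect"}
# In-flight per the code list: awaiting the engine, or queued for a retry.
IN_FLIGHT = {"Processing", "NeedsImmediateRetry"}
STUCK_AFTER = 3  # assumption: consecutive in-flight polls before escalating


def logged_as_failure(status):
    """The pipeline rule: anything outside the four statuses is a failure."""
    return status not in NOT_LOGGED_AS_FAILURE


def triage(records):
    """Return {secret_id: verdict} from (poll_number, secret_id, status) rows.

    Verdicts (hypothetical names): no_failure_logged, in_flight, stuck,
    investigate:<status>. Only the latest status decides the verdict.
    """
    history = defaultdict(list)
    for _poll, secret_id, status in sorted(records):
        history[secret_id].append(status)

    verdicts = {}
    for secret_id, statuses in history.items():
        latest = statuses[-1]
        if not logged_as_failure(latest):
            verdicts[secret_id] = "no_failure_logged"
        elif latest in IN_FLIGHT:
            run = 0  # length of the trailing run of in-flight statuses
            for status in reversed(statuses):
                if status not in IN_FLIGHT:
                    break
                run += 1
            verdicts[secret_id] = "stuck" if run >= STUCK_AFTER else "in_flight"
        else:
            verdicts[secret_id] = "investigate:" + latest
    return verdicts


# Constructed sample data, not real Secret Server output.
SAMPLE = [
    (1, 101, "Success"), (2, 101, "Success"), (3, 101, "Processing"),
    (1, 102, "Processing"), (2, 102, "Processing"), (3, 102, "Processing"),
    (1, 103, "Success"), (2, 103, "Success"), (3, 103, "AccountLockedOut"),
    (1, 104, "Pending"), (2, 104, "NeedsImmediateRetry"), (3, 104, "UnableToConnect"),
]

if __name__ == "__main__":
    for secret_id, verdict in sorted(triage(SAMPLE).items()):
        print(secret_id, verdict)
```

A single Processing result is counted by the pipeline as a failure but reported here as in_flight, so it does not look like a credential problem unless it persists.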

Enabling the built-in guest user in Active Directory can cause confusion because heartbeat returns a "success" status for non-existent accounts. To avoid this, disable the guest user when setting up AD.