Heartbeat Overview

Heartbeat, which can be integrated with RPC, allows Secret Server to verify if the credentials stored in a secret can successfully authenticate with the target system. This ensures that the credentials are still valid and have not been changed outside of Secret Server.

You can configure Event Pipelines to track whether an RPC has failed. Heartbeats allow you to check whether a password is incorrect and whether the machine is online.
If a guest account exists on the domain, the heartbeat of an Active Directory secret will mistakenly report success. Microsoft disables the guest account by default for security reasons.
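
To check for the condition behind the false success described above, the following added example (not part of the original documentation or of Secret Server) reports the state of the built-in Guest account in every domain of the current forest. It assumes the RSAT ActiveDirectory PowerShell module, read access to each domain, and that an enabled Guest account is the condition the note refers to; the function name `Get-GuestAccountState` and the `HeartbeatTrusted` field are hypothetical.

```powershell
# Added example: report the built-in Guest account (RID 501) per domain.
# Assumes the RSAT ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

function Get-GuestAccountState {
    [CmdletBinding()]
    param(
        # Domains to check; defaults to every domain in the current forest.
        [string[]]$Domain = (Get-ADForest).Domains
    )

    foreach ($name in $Domain) {
        try {
            $info = Get-ADDomain -Server $name -ErrorAction Stop

            # The built-in Guest account keeps RID 501 even if it was renamed,
            # so look it up by SID rather than by name.
            $sid   = "$($info.DomainSID.Value)-501"
            $guest = Get-ADUser -Identity $sid -Server $name `
                        -Properties LastLogonDate, PasswordLastSet `
                        -ErrorAction Stop

            [pscustomobject]@{
                Domain           = $name
                SamAccountName   = $guest.SamAccountName
                Enabled          = $guest.Enabled
                LastLogonDate    = $guest.LastLogonDate
                PasswordLastSet  = $guest.PasswordLastSet
                # Assumption: an enabled Guest account is what makes an
                # Active Directory heartbeat "Success" result unreliable.
                HeartbeatTrusted = -not $guest.Enabled
            }
        }
        catch {
            # An unreachable domain is reported, not silently skipped.
            Write-Warning "Could not query ${name}: $($_.Exception.Message)"
        }
    }
}

# Domains with an enabled Guest account sort to the top.
Get-GuestAccountState |
    Sort-Object Enabled -Descending |
    Format-Table -AutoSize
```

Any domain listed with `Enabled` set to `True` is one where a heartbeat success for an Active Directory secret should be confirmed by other means.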

Automatic Credential Testing

Heartbeats allow secrets to have their credentials tested automatically to ensure they are accurate and up-to-date. This helps in managing secrets and preventing them from being out of sync.

SMB Fallback

To maximize compatibility across different versions of Windows, Secret Server can make a second attempt to use the secret via SMB if the initial heartbeat fails.

This fallback is optional. When the Use SMB heartbeat fallback checkbox is selected, Secret Server makes a second attempt to use the secret via SMB; when it is not selected, the second attempt is not performed.

Heartbeat Flexibility and Usability

  • By default, heartbeat is turned off in Secret Server.

  • Administrators can enable heartbeat for specific secrets and run it manually if needed.

  • The status of the last heartbeat run is displayed on the secret's Overview page, under the Expiration and heartbeat section.

  • Administrators can manually trigger a heartbeat check by accessing a secret and selecting the Heartbeat button from the top right of the page.

Heartbeat Status Codes

See Heartbeat Status Codes for details.

  • Success: Successful authentication.

  • Failed: Unsuccessful authentication.

  • Unable to Connect: Unsuccessful connection with target machine.

  • Unknown Error: Unknown error—see the heartbeat log.

Failure Response

  • If a heartbeat fails, the secret is flagged as heartbeat failed and will not be checked again until the secret items are edited by a user.

  • If the target machine is unavailable, the secret is flagged as heartbeat unable to connect and will continue to be checked at the next interval.