Heartbeat Overview

Heartbeat, which can be combined with Remote Password Changing (RPC), lets Secret Server verify that the credentials stored in a secret still authenticate against the target system. A passing heartbeat confirms that the stored credentials are valid and have not been changed outside Secret Server.

You can configure Event Pipelines to track whether an RPC has failed. Heartbeat tells you two separate things: whether the stored password is still accepted, and whether the target machine is online.
If the guest account is enabled on the domain, an Active Directory secret's heartbeat can report success even when the stored password is wrong. Microsoft disables the guest account by default for security reasons; confirm that it is still disabled before trusting heartbeat results for Active Directory secrets.

Here are the key aspects of heartbeat:

Automatic Credential Testing

Heartbeat tests a secret's credentials automatically on a schedule, so a password that was changed on the target without updating the secret is detected at the next heartbeat instead of being discovered the next time someone needs the credential. This keeps secrets from silently drifting out of sync with their targets.

SMB Fallback

  • To maximize compatibility across different versions of Windows, Secret Server can make a second attempt to authenticate with the secret over SMB if the initial heartbeat attempt fails.

  • The fallback is controlled by the Use SMB heartbeat fallback setting. When it is checked, Secret Server makes the second attempt over SMB; when it is not selected, no second attempt is made and the heartbeat reports the result of the first attempt only.

Heartbeat Flexibility and Usability

  • By default, heartbeat is turned off in Secret Server.

  • Administrators can enable heartbeat for specific secrets.

  • The status of the last heartbeat run is displayed in the secret's details, and an administrator can trigger a heartbeat check manually from the Secret View page instead of waiting for the next scheduled interval.

Heartbeat Status Codes

See Heartbeat Status Codes for details.

  • Success: The credentials authenticated successfully.

  • Failed: The target machine was reached but rejected the credentials.

  • Unable to Connect: The target machine could not be reached, so the credentials were not tested.

  • Unknown Error: Any other error; see the heartbeat log.

Failure Response

  • If a heartbeat fails (status Failed), the secret is flagged as "heartbeat failed" and is not checked again until a user edits the secret's items. A Failed secret therefore does not recover on its own; someone has to correct it.

  • If the target machine is unavailable (status Unable to Connect), the secret is flagged as "heartbeat unable to connect" and is checked again at the next interval, since nothing about the credentials themselves has been proven wrong.
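The model below is an added example, not Secret Server code, written to make the SMB Fallback and Failure Response rules above concrete: one heartbeat run makes a primary attempt, makes a second attempt over SMB only when the fallback is enabled, records one of the four status codes, and a scheduler rule then decides whether the secret is checked again. The Secret class, the authenticator callables and the target inventory are constructed for the demonstration and are not Secret Server APIs; where the page does not say how a rejected primary attempt and an unreachable SMB attempt combine, the code records the last attempt's result and says so.

```python
"""Model of the heartbeat decision and retry rules described on this page.

Added example, not Secret Server code. Secret, the authenticators and the
target inventory are assumptions constructed to drive the model.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Status(str, Enum):
    SUCCESS = "Success"
    FAILED = "Failed"                        # target answered, credential rejected
    UNABLE_TO_CONNECT = "Unable to Connect"  # target did not answer
    UNKNOWN_ERROR = "Unknown Error"          # anything else; see the heartbeat log


class ConnectError(Exception):
    """Raised by an authenticator when the target cannot be reached."""


# Hypothetical shape: (host, username, password) -> accepted?, or ConnectError.
Authenticator = Callable[[str, str, str], bool]


@dataclass
class Secret:
    host: str
    username: str
    password: str
    smb_fallback: bool = False           # the "Use SMB heartbeat fallback" setting
    last_status: Optional[Status] = None
    log: list = field(default_factory=list)

    def edit(self, **fields):
        """A user editing the secret's items clears the Failed flag."""
        for name, value in fields.items():
            setattr(self, name, value)
        self.last_status = None


def run_heartbeat(secret: Secret, primary: Authenticator,
                  smb: Optional[Authenticator] = None) -> Status:
    """One heartbeat run: primary attempt, then SMB only if enabled and needed.
    Assumption: the status of the last attempt made is what gets recorded."""
    attempts = [("primary", primary)]
    if secret.smb_fallback and smb is not None:
        attempts.append(("smb-fallback", smb))
    status = Status.UNKNOWN_ERROR
    for name, auth in attempts:
        try:
            accepted = auth(secret.host, secret.username, secret.password)
        except ConnectError as exc:
            status = Status.UNABLE_TO_CONNECT
            secret.log.append(f"{name}: unable to connect ({exc})")
            continue
        except Exception as exc:  # anything unexpected lands in the log
            status = Status.UNKNOWN_ERROR
            secret.log.append(f"{name}: unknown error ({exc!r})")
            continue
        if accepted:
            status = Status.SUCCESS
            break
        status = Status.FAILED
        secret.log.append(f"{name}: credential rejected")
    secret.last_status = status
    return status


def due_for_heartbeat(secret: Secret) -> bool:
    """Failure Response rule: Failed waits for an edit; all else retries."""
    return secret.last_status != Status.FAILED


# Constructed targets for the demonstration (not real hosts).
TARGETS = {                                   # host -> {user: password on target}
    "app01": {"svc_app": "Correct-Passw0rd"},
    "db01": {"svc_db": "Rotated-Outside-SS!"},  # changed outside Secret Server
    "win2008": {"svc_old": "Legacy-Pass1"},      # answers only over SMB
}
OFFLINE = {"legacy02"}
SMB_ONLY = {"win2008"}


def primary_auth(host, user, pw):
    if host in OFFLINE or host in SMB_ONLY:
        raise ConnectError(f"{host} did not answer on the primary protocol")
    return TARGETS.get(host, {}).get(user) == pw


def smb_auth(host, user, pw):
    if host in OFFLINE:
        raise ConnectError(f"{host} did not answer on SMB")
    return TARGETS.get(host, {}).get(user) == pw


def demo() -> dict:
    """Walk the documented outcomes and return them for checking."""
    out = {}
    ok = Secret("app01", "svc_app", "Correct-Passw0rd")
    out["current"] = (run_heartbeat(ok, primary_auth), due_for_heartbeat(ok))
    stale = Secret("db01", "svc_db", "Old-Passw0rd")
    out["stale"] = (run_heartbeat(stale, primary_auth), due_for_heartbeat(stale))
    stale.edit(password="Rotated-Outside-SS!")   # user corrects the secret
    out["stale_after_edit"] = (due_for_heartbeat(stale),
                               run_heartbeat(stale, primary_auth))
    down = Secret("legacy02", "svc_x", "irrelevant")
    out["offline"] = (run_heartbeat(down, primary_auth, smb_auth),
                      due_for_heartbeat(down))
    old = Secret("win2008", "svc_old", "Legacy-Pass1", smb_fallback=True)
    out["smb_fallback_on"] = run_heartbeat(old, primary_auth, smb_auth)
    old.smb_fallback = False
    out["smb_fallback_off"] = run_heartbeat(old, primary_auth, smb_auth)
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:18} {result}")
```

The point the model makes visible is the asymmetry in the retry rules: a stale password on db01 is flagged Failed and drops out of the schedule until someone edits the secret, while an unreachable legacy02 stays in the schedule. The win2008 case shows the fallback setting deciding between Success and Unable to Connect for the same credential.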