Pre-Run Validation for Dependencies

Customers now have the option to add Remote Password Changing (RPC) pre-run validation for dependencies. With this enabled, the system checks the validity of the dependency before running the password change. If the check fails, the RPC action does not take place, which prevents passwords from getting out of sync with dependencies.

Configuring Dependency Pre-Run Validation for a Secret

Dependency pre-run validation is disabled by default for all secrets and must be enabled on a per-secret basis.

To enable Dependency pre-run validation for a secret:

  1. Choose a secret you want to enable this feature for.

  2. Access the secret’s Remote Password Changing tab.

  3. Click Edit in the RPC/Autochange section.

  4. Select the checkbox for Enable pre-run validation on dependencies.

  5. Click the Save button.

Enabling Pre-Run Validation for Individual Dependencies

You can create or edit any eligible dependency. In the modal that pops up there is a drop-down for “Pre-run validation”. It contains a list of the available pre-run validation types and an option for None. Choose any one of these and save.

To remove pre-run validation for a dependency, return to the drop-down and select None and save.

Types of Pre-Run Validation

  • Ping Machine: This will attempt to make a connection to the machine listed in the Machine name field of the dependency.

    Available for Application Pool, Application Pool Recycle, COM+ Application, Remote File, PowerShell Script, SSH Script, SQL Script, Windows Service, and Scheduled Task dependencies.

  • Check Port: This will attempt to make a TCP Connection to an address using the port specified in the Machine name field of the dependency.

    Available for Application Pool, Application Pool Recycle, COM+ Application, Remote File, PowerShell Script, SSH Script, SQL Script, Windows Service, and Scheduled Task dependencies.

  • Login: This will attempt to verify that the credentials on the secret are valid for the dependency.

    Available for Application Pool, Application Pool Recycle, Remote File, PowerShell Script, SSH Script, SQL Script, Windows Service, and Scheduled Task dependencies.

  • Run PowerShell Script: This will attempt to run a PowerShell script using the credentials on the privileged account for the secret. If there is no privileged account, the Run As Secret on the secret’s site will be used instead.

    Available for Application Pool, Application Pool Recycle, Remote File, PowerShell Script, Custom PowerShell Script, SSH Script, SQL Script, Windows Service, and Scheduled Task dependencies.

    As with PowerShell script dependencies, you can add arguments to pre-run validation scripts including fields from the dependency, the secret or custom values.
    The Run PowerShell Script option only works with Windows machines. Other operating systems like UNIX/Linux are not yet supported.
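
The following is an added example of a script that could be used with the Run PowerShell Script type on a Windows Service dependency; it is not vendor-supplied code. It checks that the target is reachable over WinRM, that the service exists, and that it runs as the account whose password is about to change. The argument order and the use of a thrown error to signal a failed validation are assumptions of this example.

```powershell
# Added example, not vendor code. Assumed argument order (set on the dependency):
#   $args[0] = machine name, $args[1] = service name, $args[2] = expected run-as account
# Assumption: a terminating error (throw) marks the validation as failed.
$ErrorActionPreference = 'Stop'
$machine, $service, $expected = $args[0], $args[1], $args[2]

if (-not $machine -or -not $service -or -not $expected) {
    throw 'Expected arguments: <machine> <service name> <run-as account>'
}

# The service name is placed inside a WQL filter below, so refuse quote and
# backslash characters instead of trying to escape them.
if ($service -match "['\\]") {
    throw "Service name contains characters that are not allowed: $service"
}

# 1. Confirm the remote management endpoint answers before querying it.
try {
    Test-WSMan -ComputerName $machine | Out-Null
} catch {
    throw "WinRM is not reachable on ${machine}: $($_.Exception.Message)"
}

# 2. Confirm the service still exists on the target.
$svc = Get-CimInstance -ClassName Win32_Service -ComputerName $machine -Filter "Name='$service'"
if (-not $svc) {
    throw "Service '$service' was not found on $machine"
}

# 3. Confirm the service runs as the account whose password is about to change.
#    A mismatch means the dependency record is stale and the update would miss.
if ($svc.StartName -ne $expected) {
    throw "Service '$service' runs as '$($svc.StartName)', expected '$expected'"
}

Write-Output "OK: '$service' on $machine runs as $expected (state: $($svc.State))"
```

The script only reads state on the target and never receives the password itself, so it is safe to run repeatedly, including from the on-demand Validate option.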

Using Pre-Run Validation

Run Remote Password Changing on the secret you've selected as you normally would. Pre-run validation will automatically run on the secret before any other RPC steps are executed.

Pre-run validation will run for all dependencies on a secret when it is configured and a password change is requested regardless of which site the dependencies are on.

If it succeeds, RPC will continue as normal. If it fails, RPC will stop and the result of the pre-run validation will be shown in the secret’s RPC tab. RPC will be scheduled again for the next configured interval.

To prevent future password changing attempts from occurring, click the Stop Password Change button. To prevent pre-run validation from failing again, either correct the condition listed in the error message that caused the failure, or disable the pre-run validation on the dependency or the secret.

Save-Time Validation

When Enable pre-run validation on dependencies is turned on for a secret, pre-run validation also runs when you save a dependency. This prevents invalid dependencies from being saved in the first place.

When save-time validation is active, the dependency modal replaces the standard Save button with two options:

  • Validate and Save: Runs the configured pre-run validation before saving. If validation fails, the dependency is not saved and an error is shown.

  • Save Without Validation: Skips validation and saves the dependency immediately. Use this to bypass a failing check when you intend to resolve the underlying issue separately.

When Enable pre-run validation on dependencies is turned off, the dependency modal shows the standard Save button and no validation is performed on save.

Save-time validation is currently in Preview.

Running Pre-Run Validation On-Demand

To run Pre-Run validation on a dependency outside of a password change:

  1. Click on the title of the dependency you want to run from the Dependencies tab in the secret.

  2. Select the Validate option in the menu that comes up on the right. This will execute the Pre-Run validation type that has been selected for the secret.

    If no type is selected, the Login validation type will be used, and if it is not available, the Ping Machine type will be used. The result of the validation will appear in the dependency’s log.