Thycotic Secret Server 10.6

13. Februar 2019

Seit Anfang Februar 2019 ist ein neuer Release für Secret Server verfügbar – Erfahren Sie hier, welche Neuerungen und Verbesserungen mit Secret Server Release 10.6 von Thycotic implementiert wurden.

Nebst neuen Features und Verbesserungen werden zusätzlich auch die üblichen Bug Fixes adressiert.

10.6.000000 Release Notes (Englisch)

Upgrade Notes

Manual Updates When Using Integrated Windows Authentication with Distributed Engine

Customers using the Integrated Windows Authentication (IWA) feature with a Distributed Engine need to perform a workaround when upgrading to Secret Server 10.6. IWA is the Windows feature where users log on their Windows domain only once—once logged on, any additional domain logons are done automatically without having to reenter a user name and password. Please see the Workaround for Integrated Windows Authentication When Upgrading to Secret Server.

Installing New Advanced Session Recording Agent**

Customers using Advanced Session Recording need to deploy the new agent when upgrading to Secret Server 10.6. Secret Server 10.6 does not support the RDP Monitoring Agent from Privilege Manager for recording keystrokes or process auditing.

New Features

Workflows

Added a new enterprise feature to allow multi-tiered secret approvals. Workflow Administrators can setup secret access to be granted to users only after meeting multiple layers of approver requirements. This feature is available in Secret Server’s new UI only. https://thycotic.force.com/support/s/article/SS-HOW-EXT-Workflows
Added two new Roles to support multi-tiered secret approval workflows:
- Workflow Administrator – Can administer workflow permissions.
- Workflow Designer – Can create new workflow templates

Advanced Session Recording

Enhanced speed and performance for both Basic Session Recording and Advanced Session Recording.
Added a new agent to Secret Server for Advanced Session Recording that captures metadata from launcher sessions to targets.
Customers using Advanced Session Recording need to deploy the new agent when upgrading to Secret Server 10.6. Secret Server 10.6 does not support the RDP Monitoring Agent from Privilege Manager for recording keystroke or process start data.
New Advanced Session Recording Agent includes functionality to uninstall themselves when deactivated from Secret Server.

Added new configuration setting for storing session recordings based on site. Navigate to Admin > Configuration > Session Recording tab > “Enable Moving to Disk” > “Archive Location Dependent on Site.”

Note: “Enable Moving to Disk” must be checked to reveal the new setting. You may then specify folder path locations based on each site that the Session Recording secret uses.

Secret Server must have appropriate permissions required to access all file paths listed for saving the configuration and recordings.
When creating a new site, a specific site-to-folder-path relationship won’t be created automatically, the secret will instead use the default path (i.e. whatever path is used for the local site).
When you edit, a row will show up with the default value per site already loaded.

Added a warning for Session Recording experiencing many unprocessed videos.

Teams

Added a new “Teams” feature so that Secret Server administrators can segment users and groups within one Secret Server instance. https://thycotic.force.com/support/s/article/SS-CFG-EXT-Teams
Designed as a convenience feature, users that lack an elevated role permission within a team will not be able to select users, groups, or sites that exists outside their team, including in dropdown options and searches.
Added three new roles to support teams:
- Administer Teams – Can create, edit, and view teams.
- Unrestricted by Teams – Can view all users, groups, and sites. The default User role in Secret Server now has this permission, so role permission customization is needed for Teams to take effect.
- View Teams – Can view all teams.

FIDO2 (YubiKey) Authentication

Added a new integration with Yubico. Secret Server can now be configured to use FIDO2 tokens (YubiKeys) as a method for multi-factor authentication.

Launcher Compatibility

Added backwards and forwards compatibility to the Secret Server Launcher Protocol Handler.

Telemetry

Added a new feature that sends anonymized usage data to help guide future research and development plans at Thycotic.

Remote Password Changing

Added the ability to use Secret Server’s API for Remote Password Changing on AWS secrets. That is, support for PowerShell script password and dependency changes for AWS IAM token rotation. Generated values are passed back for saving on the secret. This useful for tokens generated by an external system during rotation. Note: this is only the underlying architecture for use via PowerShell scripts, not a full password changer.

Added a new IBM iSeries Password Changer template to enhance 5280/IBM Series 7.1-7.3 Systems support including additional features like program functions.

Added the ability to use a $$Pause Command for the custom SSH Password Changer so that administrators have the option to prevent run commands executing immediately after login, which can cause failed executions.

Added support for VMWare Password Changing and Discovery to work with updated versions of PowerCLI up to 10.1.1. Increased default RPC Retry Interval to run every 15 minutes and to cap at 10000 consecutive tries. “Unlimited max attempts” is no longer an available option. Retry Interval can be manually configured by 5-minute increments. Heartbeat interval is also now capped at minimum of 15 minutes.

SDK

New version of the SDK released on nuget.org that supports targeting for .NET Framework 4.5.1 in all packages. The only external dependency is Newtonsoft.Json (v11.0.2). https://www.nuget.org/packages/Thycotic.SecretServer.Sdk

RabbitMQ Helper

Added Federation Support and Clustering functionality for RabbitMQ Helper.

Enhancements

Added the ability to download a recorded session from the API.
This new API call will not download metadata, only applies to Basic Session Recordings. The call is api/v1/recorded-sessions/{id}/session-recordings.

Added a PrefetchCount app setting to allow customization of engine response message processing and enhance processing speed.

Enhanced load performance for Discovery.
Added a cache for Session Configuration to prevent excessive callbacks to SessionRecordingConfigurationProvider.Load during Discovery scanning.

Added a new setting for configuring the SSH Remote Password Changing timeout interval to all applicable SSH Secret Template Settings’ pages.
Prior to this fix, users were not notified when a group name exceeded the maximum character length and instead experienced a web session hang.

Added a setting to Discovery that can check whether IIS is installed before scanning for Application Pools. The “Verify IIS is Installed” Setting can be enabled by navigating to Admin > Discovery > Edit Discovery Sources > [Select a source] > Scanner Settings > Scroll down to under the “Find Dependencies“ section and click the edit icon next to the “Application Pool” Scanner > “Settings – Application Pool” page.
In Extensible Discovery, scanners are setup to run in consecutive order across many organizational units within large environments. This setting was added to allow Secret Server to skip the process of scanning for application pools whenever a machine does not have IIS already installed to enhance performance and cut down on run times.

Added support for a RADIUS challenge in web services. Secret Server will now return a “RadiusUSAccessChallenge” error if an additional prompt is needed. To use this functionality, on-premises Secret Server needs to connect to the same node on both authentication calls.
Previously, Secret Server could only handle a single request from RADIUS’ authentication process. This enhancement uses caching, which means that authenticating scripts need to hit the same web node to use a challenge authentication. This fails when using REST + Secret Server On-Prem + Load Balancing + RADIUS Challenge Authentication combined. The workaround is to hardcode REST scripts by IP or FQDN.

Added various enhancements to the Upgrader. Enhancements will not take effect until your next upgrading process.
Upgrade enhancements include updated logging, the removal of unchanged files during the upgrade process, re-ordering of tasks to improve performance, and enhanced messaging.

Enhanced error messaging when Heartbeats fail due to an unavailable machine state.
Prior to this enhancement, when Heartbeats failed on a machine due to disconnection it flagged an “Unknown Error.” Now the machine will return an “Unable to Connect” status.

Added and enhanced the Custom SSH Password Changer’s console output logging for debugging.
Prior to this issue, command set logging was removed from Custom SSH Password Changers due to a security concern in the logging messages. To resolve this issue the original security messaging was addressed, then debug logging was reinstated.

Fixed an issue where Heartbeat failed when changing a AS/400 Mainframe secret due to versioning requirements.
When setting up an AS400 Password Changer for V7R1 or V7R2 systems, the page errored due to a timeout response from the password changing that failed to manage the WS3270 utility properly. Updated the supported versioning for the IBM iSeries Password Changer template to resolve this issue.

Added the option to include subfolders when configuring event subscriptions.
Users can now optionally apply event subscriptions to subfolders, previously folder subscriptions were limited to individual folders.

Enhanced performance of the Event Subscriptions’ page.
Page performance on the event subscription page in Secret Server was increased by rearranging the logic and ordering of the event subscription processes.

Increased default LDAP processing throttling limit on Distributed Engine from 100 to 1000.
Distributed Engine’s performance was slowed down by the low throttling threshold. Increasing the limit allows faster performance for Engine tasks like heartbeat or password changing.

Enhanced audit logging messages when viewing and displaying secrets and Passwords.
Unmasking a password or viewing a password’s History is only logged in Secret Server every five minutes when the same user performs the same action on a secret within a short period of time. Prior to this update the description of behavior on the Audit View page did not include the action for “Password Displayed.”

Two-Factor Authentication now supports the User Principal Name (UPN).
Two-Factor Authentication now supports using the User Principal Name (UPN) as a default for usernames when logging into Secret Server. Configure this setting in Admin > Configuration > Login > RADIUS Default Username when RADIUS is enabled.

Renamed the “Google Authenticator” dropdown option for Multi-Factor Authentication to “TOTP Authenticator” (Time-based One-time Password algorithm) for accuracy.

Updated Distributed Engine to use REST instead of Windows Communication Foundation (WCF) when using HTTP to contact Secret Server. WCF is no longer a prerequisite installing Distributed Engines.

Added log message buffering.
By default, log messages are not buffered and are written to logs immediately. For very active systems, log message buffering can increase performance. In the web-log4net.config file, the Thycotic.BufferingForwardingAppender parameter should be uncommented and then IIS reset. Buffer size can be configured using the bufferSize parameter in that configuration file.

Bugs Fixed

Fixed a bug where manually added fields in custom templates would not display in the table view.
Prior to this fix, when creating a custom template with the “expose for display” option selected the field would not display in the table as a new column.

Corrected error messaging when deleting a dependency on secrets with large numbers of dependencies.
When a secret had 1000+ dependencies, deleting one of them resulted in a “Failed to Execute” error prior to this fix.

Fixed error reporting when a user enters a group name that exceeds the max character length.

Fixed an issue where background threads could go into wait mode indefinitely during a manual upgrade.
Added detection for when the “upgrade in progress” indicator remains active after a completed manual upgrade. This could cause background tasks to remain paused indefinitely during a manual upgrade. Now, the user is notified and can reset the indicator, allowing background tasks to resume.

Resolved an issue with Amazon secret heartbeats and rotations because of a change in Amazon login page layout and flow. To create a new Amazon Web Services (AWS) secret: create a new web password secret, then select Remote Password Changing tab > Password Type (Amazon, Google, and Salesforce options).

Fixed an issue where a RADIUS Authentication timeout would block other RADIUS requests from authenticating to Secret Server, causing login delays for RADIUS users.
Prior to this update there was a lock in the RadiusUSRequest.GetResponse() that only allowed one connection at a time. This fixes an issue when making more than one UDP connection to the same client port.

Removed unnecessary logging on the OperationCanceledException in the System Log.

Fixed a bug where SSH Key rotation commands were not properly authenticating.
The “Verify” command for password changing was ignored if no “Post Change” command existed in a Custom SSH key rotation template, resulting in being able to use the same key to connect for the verify command and the password change in certain cases.

Fixed a broken documentation link on the Server Nodes page.

Fixed a bug where duplication errors occurred if scheduling a report with the same name as another, already disabled, report in Custom Reports.
The workaround for this issue was to undelete the original report and rename it before deleting it, but users are now able to delete and create reports with the same name, if the duplicated reports are not both active.

Fixed an issue that prevented users from creating or editing an SSH Command Menu on individual secrets.

Fixed an issue where the “Allowed” and “Available” Secret Templates’ columns did not populate on the “Create New Folder” page when restricting secret templates.

Fixed a bug where editing checkout hooks saved changes instead of allowing users to cancel out of the edit page.
After clicking cancel on the checkout hooks edit page, the updated data was not saved to the database but was updated on the page behind the UI modal.

Edited PUT /secrets/{id}/fields/{slug} parameters in API documentation to use Secret ID instead of the secret name.

Edited /secrets/{id}/check-in REST API call in API documentation.
In this script, “Force Checkin” could bypass the Access responses, then successfully check-in the secret, before attempting to return the access responses it previously skipped. This failed.

Fixed a bug where ProcessShouldScanComputers resulted in collation conflicts after running Discovery on OUs with incorrect server collation settings.
Specifically, this occurred if a server’s default collation was set to “Latin1_General_CI_AS” because it conflicts with “Latin1_General_CI_AS” collation on Secret Server SQL database’s collation settings when running SQL commands on specific tables.

Fixed an issue where ExpiredSecretMonitor stopped running in certain conditions due to a session recording call.
Users were experiencing several days in between these issues. The SessionRecordingBlobWriter registered an exception error that stopped background threads from processing. This SQL call was irrelevant, and its elimination allowed the ExpiredSecretMonitor to update every minute as normal.

Fixed an issue where “Language Resource Not Found” errors were thrown on the Themes page under the Advanced section.
This issue resulted from missing resource strings on the page.

Fixed an issue where the SSMS launcher did not send the correct password if a caret symbol (^) was in the password.
This issue was specific to SQL Server Management Studio (SSMS.exe). The fix for this involved updating the SSMS process launcher configuration to allow for an optional escape character to be added, now configurable in the advanced section when setting up a launcher for a SQL Server Account secret.

Fixed a bug where failed password changes on custom SSH secrets would not stop processing when CheckContains command failed.
This issue stemmed from the CheckContains command script in the Custom SSH password changer.

Fixed a bug where environments using geo-replication threw errors when attempting to re-send failed syslog messages.
Prior to this fix, geo-replication environments with failed Syslog messages resulted in large numbers of error messages because Syslog created triggers on the tables and would try to update the items repeatedly.

Fixed an issue where items could be imported into the root personal folder.
Prior to this fix, administrators were able to migrate secrets into the Personal Folder (root) using the upload XML tool, which allowed all users to see the imported items.

Fixed an issue where a language setting caused errors.
Some language settings could cause an IIS crash with HTTP Error 503: The Service is Unavailable.

Edited tooltip wording for the advanced “Auto Change Schedule Interval” setting.

Fixed an issue where SSH key rotations were not properly rotating and then deleting the old SSH key at endpoint when the SSH Custom Password Changer was configured in a specific way.
Key rotations for Linux SSH keys failed to cleanup old SSH keys on target machines after a key rotation occurred due to a missing command in the success script.

Fixed an issue where users were unable to delete Reports.
Deleting and undeleting Reports threw an exception error due to a database ReportCategoryId mismatch.

Fixed an issue where the API call “GET /secret-templates” did not support the inactive filter (“filter.includeinactive”).

Updated API Rest documentation to not label a Dictionary object (enumerated KeyValuePair) as an object[].

Fixed an issue where scheduling Reports failed if the time zone was set to time zones ahead of UTC.
Prior to this fix, any time zone that was UTC+x failed to properly populate ScheduleCustomReportEdit.aspx “Recurrence Scheduled Start Time.”

Fixed an issue with the API Folder Create method where folders created through the API would error when trying to access permissions.
After creating a new folder via the REST API, a Get command for the new folder would return null permissions prior to this fix.

Fixed a bug where Basic Users were not able to use the “Create New” secrets template when Active Directory template permissions were revoked.
In Basic User mode the “Create New” secret templates drop down list incorrectly started with <Active Directory>, causing permissions errors when the Active Directory Template was revoked for Basic users. The drop-down list now starts with <Select> in all user modes.

Fixed a bug where searching for a subfolder would not return results when the user did not have permissions to view its parent folder.

Fixed a bug where the bulk operation mode did not move multiple secrets to a folder.
This issue specifically involved the search feature on the bulk operation dropdown when filtering for the folder location. Users were required to manually select the folder rather than being able to find it through search.

Fixed issue where “Require Approval Access” on a secret policy did not follow default settings to not enforce the policy.

Fixed a bug where a user’s display name could be left null when creating new users.

Fixed an issue where Discovery Computer Scans using a “machine only” resolution type resulted in an exception error rather than completing the scan.
A null exception was thrown when scanning for machine names rather than using the “Use Fully qualified name (recommended)” setting in Discovery.

Enhanced error messaging when running Dependency scans in Discovery.

Error message fixes included:
- If all scanners worked but did not find anything: “No Dependencies.”
- If one scanner fails, then it shows a failure message for the scanner.
- If multiple scanners fail, it only has room to show one failure.
- If a scan fails but no failure message exists, it will show “Unknown Error.”

Updated two collation settings in session recording tables to allow case insensitivity on table names and prevent collation errors when the SQL server collation mismatches.

Fixed an issue from a patch update where scanning for scheduled tasks in Discovery failed due to an auto-appended domain in the authentication string.
This issue only affected customers who deployed the December Patch, v 10.5.14.

Fixed a bug where the “Only change password when Secret is expired” checkbox would not save if Auto-Change Schedule was set to None.

Fixed an issue where SAML authentication check could not be disabled.
Prior to this fix, some accounts would receive an ‘Invalid Relay State’ error when logging in. This had to do with disabling the “SAML authn context” in Secret Server.

Enhanced error messaging when Heartbeat is not assigned to a Powershell Script Password Changer.

Fixed a bug where log file exports were not downloading from the Manage Secret Access Request page.

Fixed a bug where the “Use Custom Window Size” Launcher setting was not implementing the correct resolution.
Prior to this fix, when attempting to launch at a smaller 1024 x 768 resolution, a session launched instead as full screen.

Fixed an issue where if the Response Bus Site Connector disconnected, it prevented the web site from loading.
Updates were made to BackgroundScheduler, BackgroundWorker, and the EngineWorker. If a role cannot connect to its response bus an error will now be logged and the site will still load.

Fixed a bug where Heartbeat on local administrator accounts on Windows Server 2012 pre-R2 was not compatible with Powershell v3.0.
Added output logging to file and operating system information.

Fixed a bug where reports were saved in UTC time rather than in local server time.

Fixed a bug where API calls against restricted secrets threw an object reference error.
This fix allows accessing “require comment,” checkout, or other restricted secrets through the API. These secrets were returning errors due to a null reference linked to a “ViewTracker” secret attribute.

Fixed an issue where a WinRM warning message displayed even when WinRM is running and correctly configured on a server if authentication account did not have access to running services.
Prior to this fix the WinRM warning message saying the service isn’t running displayed on the PowerShell maintenance window even though WinRM was running and correctly configured on the server according to instructions. PowerShell scripts ran successfully, but the misleading message remained.

Fixed an issue where Web Password secrets caused Bookmarklet JQuery Exceptions when the Web Password Filler was used in the IE11 browser.

Fixed a bug where EnableFrameBlocking was not respected on certain pages in Secret Server.
Middleware was added to send X-Frame-Options / SameOrigin header for everything but the bookmarklet if not installed, no one was logged in, or FrameBlocking was enabled. MainLayout also changed for MVC pages so that they will render with the frame blocking script.

Fixed a bug where email configurations were not properly saving applied settings.
Prior to this fix, changes to Email configuration page did not properly update the database.

Fixed workflow issue where users were directed to the Setup Home page after saving changes on the Email configuration page.

Fixed an issue where AD users were not receiving approval emails after an access request for a secret in some environments.

Fixed a bug which caused audit tables to display date and time in UTC rather than the configured time zone.

Fixed a bug that could cause bulk operations to fail in environments using geo-replication.

Fixed a bug that could cause a “Failed to load history” error when viewing the history data for a secret.

Fixed a timeout on secret audit when there are very many audit entries.
Audits with very large result sets only display the top 1000 entries.

Resolved an error reporting issue with Unix Account (SSH) and Unix Account Custom (SSH) account types so that connection failures and login failures are correctly reported.
Previously, Unix Account (SSH) would report login failure as UnknownError and Unix Account Custom (SSH) would report login failure as UnableToConnect.

Schnell gefunden

→ Diese Release Notes und weitere Versionen finden Sie bei uns schnell und einfach:
schnell-gefunden/delinea

Delinea ist spezialisiert auf Passwort Management und Endpoint Security-Lösungen.
FYRE Consulting ist offizieller autorisierter Partner von Delinea.