Thycotic Secret Server 10.9

Since the beginning of August 2020 a new release for Secret Server is available – Learn here which new features and improvements have been implemented with Secret Server Release 10.9 from Thycotic.

Besides new features and improvements, the usual bug fixes are also addressed.

10.9.000000 Release Notes

Upgrade Notes

  • Thycotic encourages all customers to upgrade at the earliest opportunity.
  • Secret Server now requires .NET 4.8 or later.

New Features and Enhancements

Alerts, Events, and Logging

  • Added an event subscription for when a backup event fails or another exception is encountered.
  • Changed log-level messaging in ClientToServerConnection to improve supportability.

API and Scripting

Added a parameter for an API endpoint to identify inactive users that may be members of a given group.

Authentication and Encryption

  • Added validators to prevent passwords using keyboard sequences and patterns, dictionary words, and usernames.
  • Added configuration setting to define the length of time to which users are locked out of SS after the maximum login failure configuration setting is met.
  • Created a more user-friendly experience when entering Time-Based One-Time Passwords (TOTP) generation keys.
  • Added a password display option when viewing secrets using SSH Terminal.

Azure AD Synchronization

You can now synchronize users and groups in Secret Server (SS) with user and groups in an Azure AD. Does not require an on-premises AD for synchronization.

Connection Manager

Replaced the MacOS protocol handler. Secret Server no longer includes a MacOS version of the protocol handler for session launching. Instead, the Connection Manager free version is packaged with Secret Server for MacOS users.

DevOps Secrets Vault Integration

Added integration to allow SS to create secrets in DSV and periodically push updates to those secrets. This allows customers to use DSV for fast API access and CI or CD pipeline integration while benefiting from the additional capabilities of SS, such as credential rotation.


  • Updated discovery of scheduled tasks to no longer require Windows version compatibility between target and SS’s machine Windows version.
  • Updated scriptable discovery to match all parameters to any field of a secret.
  • Discovery can now be performed on AWS instances. This allows for OUs to be pulled from the AWS region scanner, machine detection from AWS Windows machine scanner, and machine detection from AWS SSH machine scanner.

Event Pipelines for Groups

Added triggers, filters, and tasks for group events to event policy pipelines.

Google Cloud Discovery

Note: GCP account and instance discovery requires that projects belong to an organization.

Implemented discovery across Google Cloud infrastructure including:

  • Discovery and password changing of IAM service account users
  • Discovery of instances associated to the projects
  • Heartbeat and password changing of Google Cloud Platform (GCP) service accounts
  • Token rotation for GCP service accounts


  • Added two values to the Web node health check to indicate when a node is in the process of an upgrade.
  • Performance improvement: Added two advanced configuration settings for heartbeat consumer distribution across multiple nodes.
  • Significantly increased heartbeat and RPC message publishing rates by allowing distributing work across nodes.


ServiceNow integration now allows users to specify the ticket statuses that are accepted by SS.


Added a “Run Launcher using SSH key” configuration setting to secret policies. The selected secret will be applied to all PuTTY launchers attached to the secret.

LDAP Synchronization

Synchronize users and groups in Secret Server with users and groups in an LDAP directory.

Performance Improvements

  • Added a new advanced configuration setting for the background worker process that requires higher publish rates. Setting configures the minutes to wait for the background workers to publish the secret to the queue before retrying.
  • Improved efficiency of the expire secret background runner processes.
  • Created a generic pre-processor for publishing batched secret lists to background workers.
  • Implemented a performance enhancement to the FQDN lookup time per domain.
  • UI now caches localization files for up to one hour, saving up to five seconds when the UI initializes.


Significantly increased heartbeat and RPC message publishing rates by allowing distributing work across nodes.


Added a process to find lock keys that are over an hour old and subsequently remove them from the various caches.

Session Connector

You can now record video and keystroke data for sessions that do not use Thycotic components at the user’s client or target server.

Note: Removing the possibility of recording at a user’s client or target server means that connections must be routed through a jump host running Microsoft RDS as part of the deployed PAM infrastructure. Connection recording occurs at a jump host running Microsoft RDS and additional Thycotic software.

Session Recording

Changed behavior so viewing a session recording no longer opens a new tab in the browser from the UI.

User Interface

  • Enhanced the new UI to present Admin > Folders via the left navigation panel and context menus. The dedicated Folders page is no longer available in the new UI.
  • Added the ability for admins to set the default view used on the Admin page.
  • Backup configuration tool and page now displays in the new UI.
  • Launcher tool and page now displays in the new UI.
  • Indexing Service page now displays in the new UI.
  • Audit tab of the Admin Group Assignment page now displays in the new UI.
  • About page now displays in the new UI.
  • Discovery tool now displays in the new UI.
  • New UI can no longer be disabled.
  • Admin page can now preserve view selection.
  • Discovery is no longer directly associated with the Active Directory page in the UI. Admin > Discovery is the updated location for discovery. “Directory Services” is the retitled page to manage Active Directory domains, as well as other directory services supported by Secret Server 10.9.

Bugs Fixed

Alerts, Events, and Logging

  • Fixed an issue where an event subscription is not triggered when a copy to clipboard event occurs.
  • Fixed an issue where event subscriptions did not send a message when a login failure occurred due to two factor authentication failure.
  • Fixed a verbose logging statement to correctly list “Windows Service” rather than “Scheduled Task” for service dependency scanning.
  • Fixed an issue affecting the system event log entries for when Windows Authentication is enabled in IIS but is not enabled in SS.
  • Fixed an issue that displayed username (PII) in event logs when a password change was aborted.
  • Fixed an issue that displayed incomplete information in the system logs when showing the Windows Account Login Failure error message.
  • Fixed an issue where an Event Subscription or Event Pipeline did not trigger an event when copying a password to clipboard in the UI. Trigger is modified to be Password Displayed.

API and Scripting

  • Fixed an issue with the SOAP API that could add permissions when InheritPermissionsEnabled is set. The call now removes inheritance when the permissions are updated.
  • Fixed an issue that caused a 400 error when attempting to activate a license using API calls.
  • Fixed an issue where the API was returning a server error rather than an access denied statement when making the call without the proper role assignment.
  • Secret Server Cloud: Fixed an issue causing a failure when creating a secret in a folder via REST with a Secret Policy assigned.
  • Fixed an issue with the API audit record statement for a password displayed event.
  • Fixed an issue with the SSH exit command not working as expected.
  • Updated tokens used for SSH fields in secret template extended mappings to match tokens used by the corresponding password changer fields: $PRIVATEKEY, $PUBLICKEY, and $PASSPHRASE. Properties on associated secrets can be consistently referenced using these tokens, regardless of whether the fields are mapped on the associated secret’s password changer or on its template’s extended mappings.

Authentication and Encryption

  • Fixed inconsistent login issue when using SAML and two-factor authentication.
  • Fixed an issue causing ‘remember me’ function to fail, prompting login after closing a browser window.


  • Fixed secret check in to no longer check password compliance immediately after check in. System now sets the compliance to pending, and the next time the compliance check happens it will be updated.
  • Fixed an error in the workflow template for secret checkout when the reason field contained a large amount of characters.


Fixed an issue with SQL not connecting due to high frequency schedules causing a timeout. Added a retry message to assist when a lock cannot be cleared.


  • Fixed an issue where the wrong field is passed to the dependency changer when a template field has a space in its name.
  • Fixed an issue where the discovery host scanner was not substituting a token from an associated secret. Now, Discovery will try to match all parameters to any field of a secret.
  • Secret Server Cloud: Fixed a sorting issue in the new UI on the discovery network view.
  • Fixed an issue where accounts without an OU would be processed and removed by another discovery source.
  • Fixed an issue where the Discovery page displays “please wait” if the site it is set to is disabled.
  • Fixed an issue where some discovery dependency scanners were unable to be deleted within a domain.
  • Fixed an issue that caused stack trace on discovery pages when making a copy of a template that has an inactive RCP mapping field.

Distributed Engine and Clustering

Fixed an issue where Distributed Engine would not reestablish a new connection after encountering an exception.

Export and Import

  • Fixed an issue with CSV secret import using regex name patterns that caused import failures.
  • Fixed an issue with importing secret to provide a more detailed error message to reflect the SS environment used.
  • Fixed an issue when exporting the user list where the exported CSV file did not contain a column for DisplayName data.
  • Fixed an issue when exporting personal folders for users that had the same name. The fix introduces a toggle setting in the admin configuration of folders to allow the user to change their personal folders to either their display name or username and prefix.


  • Fixed an issue with inactivity timeout.
  • Fixed an issue in diagnostics where the internet connectivity check was still performed when disabled.
  • Fixed a permissions issue for assigning secret policies to folders.
  • Fixed an issue that caused an error when running asynchronous calls when reading and writing to CacheClient.
  • Fixed an issue with secrets where proxying was enabled on secrets when RDP proxying was disabled.
  • Fixed an issue where RDP proxy did not allow custom ports. Secret Server now checks the port number as appended to the computer name and uses the supplied port, if present.
  • Fixed an access error for users with “view deleted secrets” role permission when converting a secret to a different template the original secret is not deleted.
  • Fixed an issue where favorited secrets could not be removed from favorites after the user’s access to the secret was downgraded to “list.”
  • Re-posted the clipboard Utility extension for Secret Server in the Chrome Web Store after policy changes made it temporarily unavailable.
  • Added a setting to support web password filler’s ability to autofill on multiple login page sequences and remediate users being redirected to the wrong URL. This launcher setting, by default, will send an extra parameter in the call to assist with multiple URLs.


  • Fixed an issue where users with the edit permission were unable to perform a bulk operation to enable or disable heartbeat.
  • Fixed an issue that displayed a misleading error on heartbeat failure. System now returns underlying error message when custom PowerShell password changer fails instead of a generic PowerShell error message.


  • Fixed an issue that caused issue with the TwoSense integration which causes Attempt User Password to fail.
  • Fixed an issue with the scheduling task for the Quartz monitor.
  • Fixed an issue where the site URL was not accepted on ConnectWise configuration if using http or https on the URL.

Installation and Upgrade

Updated the installer to configure worker roles to automatically start after a restart of Secret Server or IIS.


  • Fixed an issue where a secret containing a field named “Port” does not pass the value to the launcher.
  • Fixed an issue that causes the browser to crash when a secret has a process launcher associated with session recording.
  • Fixed an issue with the protocol handler not recording multiple processes when using the Web UI.
  • Fixed an issue where protocol handler launched sessions stopped shortly after launch when recording was enabled.

Remote Password Changing

  • Fixed an issue with RPC not changing a dependency when running as a local admin.
  • Fixed an issue with RPC where background tasks in the default task scheduler met a limit on active background tasks, causing a queue for new background tasks.
  • Fixed an issue affecting new installations of SS 10.7—the setting for “Change Password Using Privileged Account” did not appear in the new UI.
  • Fixed an issue that could cause a duplicated password change when RPC is set to only change password when secret is expired.
  • Fixed an issue when using a complex set of SSH commands for executing a password change by providing additional settings to accommodate various customer command needs.
  • Fixed an RPC failure caused by replication latency for large Active Directory environments. Fix provides two additional advanced password types settings that allow for delaying and bypassing verification upon successful password change.
  • Fixed an issue where Azure password changing failed during verification. Added two advanced password type settings for every password changer.


Fixed a display issue with pie charts not displaying correctly when the chart needed to display a large number of unique values.

Session Recording

Fixed an issue with session recording for SSH and RDP proxied secrets.

User Interface

  • Fixed an issue in the new UI where the Secret List failed to reload and show values when adding a column containing a space.
  • Fixed an issue where an error was produced when navigating from the Upgrade Secret Server page to the System Log page.


Resolved IIS header conflicts for the X-Frame-Options header.


→ You can find these release notes and other versions quickly and easily with us:

Delinea specializes in password management and endpoint security solutions.
FYRE Consulting is an official authorized partner of Delinea.