+1-202-802-9399 (US)

Release Notes

Release Notes 10.4.000000

Release Date: 1/17/2018 

Note: Customers with trail licenses in their Secret Server instance who upgrade to 10.4 will be required to activate those licenses.


  • Secret Server SDK
    • The Secret Server SDK replaces and improves upon the existing functionality of the Java API and .NET/Application API. Users can leverage this SDK to tokenize credentials in scripts and configuration files for .NET web applications. The SDK can also call for a REST Web Services authentication token for added functionality. Finally, the SDK has a local encrypted cache for every location it is installed in to allow for quicker transit times and resiliency in case communication with Secret Server is lost.
  • Session Monitoring Multiple Nodes
    • Clustered Secret Server environments will now automatically split the processing load for Session Monitoring events.
  • AD Credential Cache
    • Secret Server can create an encrypted storage for hashes of Active Directory users’ credentials that is updated on every successful authentication to Secret Server and allows for users to continue to access Secret Server even if communications are lost between Distributed Engine and the Domain Controller(s).
  • Secret Server now has a REST endpoint to manage Secret dependencies.
  • Secret Server now has a REST endpoint to manage groups.
  • Secret Server’s Firefox browser extension has been updated so it can continue to work with the latest versions of Firefox.
  • Secret Server can now communicate to SIEM tools using a TLS connection.
  • TLS connection successes and failures with Active Directory Synchronization and SIEM integration are now audited.
  • Secret Server can now send audits to Windows Event Logs.
  • Enhanced Dashboard search performance.
  • Enhanced Active Directory synchronization performance.
  • File uploads on Secrets now have file extension and size restrictions.
  • Added a Security Hardening report to indicate whether email communications are set to use HTTPS.

Bug Fixes

  • Fixed issue where SSH custom password changers failed Heartbeat when using SSH Key authentication.
  • Fixed issue where Discovery would incorrectly show as misconfigured despite having configured Discovery sources.
  • Fixed issue where random password generation may generate a password containing 2 consecutive characters contained in the Active Directory username.
  • Fixed issue where the login assist for Chrome would not work if an IP address was in the URL field of a Secret.
  • Fixed issue where numerous domains in Discovery could cause failures in communicating with the SQL database.
  • Fixed issue where Discovery would only use the correct Distributed Engine Site on the first dependency type when scanning for all dependencies across multiple domains.
  • Fixed issue where a significant number of Secrets that were failing a password change would freeze Distributed Engine.

Security Fixes

  • Fixed XXE issue on Web Launcher configuration page.
  • Fixed XXS issues on New Engines management page.
  • Fixed XSS issue on Secret Dependency Changers page.
  • Fixed issue where Secret Server upgrade logs written to the server hosting Secret Server were accessible via a URL.
  • Fixed issue where Remember Me for 2FA bypassed Duo’s deny logon security settings on users in some cases.
  • Updated PuTTY client for Session Launching to v0.70.
  • Fixed potential security issue where the RDP service port on the client machine could be used to open a concurrent RDP session to the target machine when RDP connections were proxied through Secret Server.
  • Fixed LESS Injection issue on Theme management page.
  • Fixed issue where language resource ASHX files in Secret Server could be accessed by any user with access to the application.
  • Fixed issue where default settings on PuTTY logging settings could expose the password of a user.

Release Notes 10.3.000015

Release Date: 9/25/2017 


  • Secret Server now supports SafeNet Luna Network HSM 7.

Bug Fixes

  • Fixed issue where Active Directory Synchronization may become slow or unresponsive when synchronizing a significant number of Active Directory groups.
  • Fixed issue where users may be removed from a group in Secret Server if that group contains users from multiple Active Directory domains and one of the domains cannot be reached during a synchronization.
  • Fixed issue where Secret Server Free customers could not manually add Active Directory users.
  • Fixed issue where selecting specific Organizational Units for an existing Active Directory discovery source may not work properly after a manual host range is added to it.
  • Fixed issue where Unix machines discovered using PowerShell may reflect an incorrect Organizational Unit.
  • Fixed issue where users were no longer forced to change their password upon first login if the Enable Local User Password Expiration configuration setting was enabled.
  • Fixed issue where using Discovery for dependencies over Distributed Engine may return incorrect results.
  • Fixed issue where multiple Discovery host range scans could cause redundant machine loads.
  • Fixed issue where using search in Secret Server while on the Notifications page may cause an application error.
  • Fixed issue where users who have an externally facing IP address that could not be resolved from the web server hosting Secret Server may experience performance issues throughout Secret Server.

Security Fixes

  • Fixed XSS issue on the Secret Template Permissions page.
  • RabbitMQ Helper has been updated to install RabbitMQ 3.6.12 which now supports Erlang 20. This patches Erlang 18’s vulnerability CVE-2016-10253. We do not believe that Erlang 18’s vulnerability has a direct impact on Secret Server’s use of RabbitMQ, but we recommend updating current Erlang and RabbitMQ deployments to these versions to keep systems patched.
    • More information on upgrading and where to get the new RabbitMQ Helper can be found here.
  • Fixed potential security issue with Secret Server’s scripting functionality. See this advisory for additional details.

Release Notes 10.3.000014

Release Date: 8/29/2017 


  • Secret Template Edit Launcher Configuration Enhancements for PuTTY Launchers
    • Added an option in the Advanced Settings where the launcher can reference any public key dependencies that have been added to a SSH Key Secret.
    • Added an option in the Advanced Settings where SSH sessions launched over the SSH proxy in Secret Server can use custom commands instead of only the su command.
  • Added a report in Secret Server to display what Secret Template permissions a user or group has.
  • Added an option in Secret Server to backup Privilege Manager.
  • Secret Access Requests can now be found under the Tools menu.
  • “Share Secret” Role permission has been renamed to “Own Secret”.
  • Upgraded the module responsible for Office 365 and Azure Active Directory password changes to ensure continued support.

Bug Fixes

  • Fixed an issue where pages involving groups could not be saved if there were 5,000 groups or greater in Secret Server.
  • Fixed an issue where Active Directory users in child domains may not be properly disabled in Secret Server when they are disabled or removed from Active Directory.
  • Fixed an issue where ambiguous errors were logged when the username or password is correct on any password changers, dependencies, or scripts using SSH.
  • Fixed an issue where the Share button would disappear on Secrets on the dashboard when a user does not have the Share Secret Role permission. Users should still be allowed to view the permissions on a Secret even if they cannot decide who that Secret is shared with.

Security Fixes

  • Fixed potential security issue where a formulae injection could occur on exports from Secret Server.

Release Notes 10.3.000000

Release Date: 7/12/2017 


  • SSH Key Management Enhancement
    • SSH Keys as Dependencies (May require an additional license)
      • Multiple Public keys that reference a single Private key can now be stored as dependencies on the Private key Secret.
      • For more information, please see the Remote Password Changing section of the Secret Server User Guide.
  • EMEA Cloud
    • Secret Server Cloud is now hosted out of Germany as well as the US.
  • Secret Template Granular Enhancements
    • Added ability to restrict Secret creation for users by Secret Template.
    • Added ability to set the allowed Secret Templates for a folder.
    • For more information, please see the Folders and Secret Templates sections of the Secret Server User Guide.
  • SAML
    • SAML Single Logout is now supported.
    • For more information, please see the following article: SAML Configuration.
  • UI Updates
    • The Dashboard load time performance has been optimized.
    • Add auditing for configuration changes.
    • Added a button to export all logs under Admin | Diagnostics.
    • Refined user experience around creating dependencies on Secrets.
    • Added bulk operations for Dependencies.
  • REST
    • Added endpoint for IP Address Restrictions.
    • Added endpoint for generating a password.
    • For more information on these REST endpoints, please see the 10.3 REST API Guide.
  • WARNING: Customers who are upgrading from 10.2.000018 and use Windows Integration Authentication to the database may see an error message titled “Login failed for user” during the validation step of the upgrade process. To bypass this error, please use the legacy installer by navigating to <Your Secret Server URL>/installer.aspx?patch=true&useLegacyInstaller=true

Bug Fixes

  • Fixed issue where Local Account Discovery used unnecessary calls.
  • Fixed issue where Secret Server removed dependencies that were not found by Discovery and would not re-add them if found again.
  • Fixed issue where the Thycotic RDP Launcher would not allow fullscreen mode.
  • Fixed issue where Discovery did not properly detected Scheduled Tasks on Windows 10 machines.
  • Fixed issue where testing a SSH script in Secret Server would only display an exit status when it failed.

Security Fixes

  • Fixed potential security issue with multi-line files and Secret fields.

Release Notes 10.2.000019

Release Date: 6/19/2017 


  • Privileged accounts assigned on a Secret Template now take precedence over privileged accounts assigned on Secret Policy.
  • Secret settings are now able to be modified via the SOAP web services API when a Secret is checked out.

Bug Fixes

  • Fixed issue where Secrets with privileged accounts assigned for password changing could not be moved to a folder with a Secret Policy that contained a privileged account.
  • Fixed issue where Secret Server could delete recordings stored on a disk.
  • Fixed issue where users without the View Deleted Secrets role permission received errors when expanding the advanced search bar on dashboard.
  • Fixed issue where some accounts discovered by Discovery were not matched to existing Secrets.
  • Fixed issue where upgrade may fail when the database connection is configured to use Windows Authentication.
  • Fixed issue where “Show Proxy Credentials” on a Secret will fail when generating credentials for connecting to the SSH Proxy.

Security Fixes

  • Fixed XSS issue on Secret Share.

Release Notes 10.2.000018

Release Date: 5/17/2017


  • Added additional RDP Launcher type to facilitate future customization.
    • The connection bar text will show the target machine’s address in a tunneled RDP session.
  • Added the ability to search for a Secret Template by name using REST.
  • Added the ability to set Secret permissions using REST.
  • Added the ability to delete Folders using REST.
  • Added the ability for Secret Server to discover COM+ dependencies.
  • Added a new Secret Template and password changer for Watchguard Firewalls.
  • Distributed Engine site selection drop down will now autocomplete with 50 or more Sites.
  • Added option to specify whether a domain in Secret Server will be used for logging into Secret Server.

Bug Fixes

  • Fixed issue where the SSH Machine scanner would not use multiple Secrets or Filters for scanning.
  • Fixed issue where Discovery machine scanners set to authenticate did not throw errors when authentication failed.
  • Fixed issue where PowerShell dependency information was cleared when editing the dependency after initial creation.
  • Fixed issue where REST calls to update a Secret incorrectly bypassed Request Access.
  • Fixed issue where scheduled Report emails did not include the full URL to view the Report in Secret Server.
  • Fixed issue where PowerShell dependency arguments incorrectly referenced Secret field display names.
  • Fixed issue where creating a new PowerShell Ticket System would throw an error.
  • Fixed issue where the PowerShell script tester did not reference Distributed Engine if it was enabled on the Local Site.
  • Fixed issue where the Site list shown when creating a new Discovery source contains an invalid entry.
  • Fixed issue where users without the Share Secret Role permission were able to share Secrets.
  • Fixed issue where clicking the Back button on the View Audit page of a Secret and clicking the Back button again on the Secret view page would cause a redirect loop.
  • Fixed issue where converting a Secret to a new Secret Template does not recreate dependencies.
  • Fixed issue where resetting the database connection could throw an error.
  • Fixed issue where Discovery did not handle CredSSP and WinRM correctly on specific Organizational Units.
  • Fixed issue where session launchers would occasionally fail in a Secret Server environment where a Load Balancer was present.
  • Fixed issue where saving a Secret’s audit to a file would throw an error.
  • Fixed issue where Discovery rules occasionally created duplicate Secrets.
  • Fixed issue where Reports could be sent without specifying an email address.
  • Fixed issue where Engines did not display that they were offline after failing connection verification checks.
  • Fixed issue where using REST to delete a user threw an error.
  • Fixed issue where Secret Server could not be upgraded using Internet Explorer.
  • Added support for application account impersonation via SOAP web services.

Security Fixes

  • Fixed XSS issue on Discovery Network View.
  • Fixed XSS issue on Dashboard.
  • Fixed Frame Blocking issue on Dashboard.
  • Fixed potential security issue with the Chrome Login Assist Extension. See this advisory for additional details.

Release Notes 10.2.000001

Release Date: 4/25/2017

Security Enhancements

  • Fixed an issue in 10.2.000000 where a highly privileged Secret Server administrator could, in certain select circumstances, be inadvertently granted read access to Secret data that is protected by Secret Workflow. This issue was found during routine internal testing and review. See this advisory for additional details.
  • Enhanced security around various ajax calls.

Release Notes 10.2.000000

Release Date: 4/12/2017


  • Session Monitoring
    • Remote Desktop Metadata (May require an additional license)
      • New session monitoring agent records additional data from the RDP sessions including process activity, keystrokes, and more.
      • The Monitoring agent adds support for recording remote sessions on servers that were not launched directly from Secret Server.
    • Updated the session search UI to support cross session searching for data within the session and additional filtering options
    • Updated the session playback UI to support in browser playback and activity points in the session
    • Performance enhancements to session processing speed
    • NOTE: For more information, please see Configuring Session Recording
  • Discovery
    • Added out of box discovery to find Active Directory accounts on the domain
    • Added option to discovery import rules to limit the number of Secrets to import to prevent unexpected takeover of accounts
  • Upgrades
    • Added a Setup console to manage upgrades and core product configuration across different Thycotic installations
    • New Secret Server upgrade manager that gives more detailed messages and support upgrading multiple products from a single interface.
  • UI Updates
    • The Secret Server header has been modified for more logical grouping of menus
    • Moved user specific menu items under a new user icon header
    • Added a new Alert Notification Center header icon with a badge to show pending alerts.
    • Removed support for customer defined HTML help pages.
    • Added new in app help messages to page headers
  • REST
    • Added endpoint for Launcher lookups
    • Added Session Monitoring endpoints
  • SAML
    • Added support for SHA256 for SAML request signing
    • Added support for ForceAuth to support forcing credentials when first navigating to Secret Server even if logged into the identity provider.
    • Added support for signing SAML requests in a CNG Key Storage Provider
    • NOTE: The upgrade to 10.2 will migrate the saml.config to a new format to support added features, please see SAML Configuration for more information on the upgrade.
  • Running a script test from the UI now has an option to select the Site to run it on
  • Added an option to select a Secret to run a test script as
  • Added internal site connector for background message processing.
  • Added support for 2FA for SOAP winauth web services.
  • Added timeout setting for RADIUS authentication
  • Updated SSH Library for heartbeat and password changing to support more ciphers.
  • Added a $$CHECKNOTCONTAINS check to the SSH password changers
  • Added custom port support for SSH password changing and heartbeat
  • Added default mainframe password requirement
  • WARNING: SQL Server 2005 is no longer supported.
  • A new desktop client is available. For instructions and download links please see the Desktop and Mobile App Guide

Bug Fixes

  • Fixed issue where scheduled backup wasn’t working for Free edition
  • Fixed HSM session leaking for Safenet Luna PCI cards
  • Fixed upgrade issue that could cause database errors in some cases where discovered Dependencies were not able to properly map to a Scan Template.
  • Fixed issue where the default WinRM endpoint was not used by an engine if the WinRM endpoint was left blank on the Site configuration.
  • Fixed unnecessary logging in Discovery
  • Fixed issue with engines not upgrading after a Secret Server upgrade
  • Fixed locking errors that could occur on the file system when debug logging was enabled.
  • Fixed issue with scanning specific OU’s with a custom PowerShell Discovery script.

Release Notes 10.1.000023

Release Date: 2/22/2017


  • Added additional actions to user audit for when 2-factor is changed on the user.
  • Added status icon to the Heartbeat field on Secrets.
    • Going forward new Heartbeat and Password Change errors can be viewed in a Secret’s audit log for quicker diagnosis and reporting. Note that these error messages are not backfilled so only new errors will show in the log going forward.
  • Added support for multiple domain controller IP addresses in the domain field of an Active Directory Secret for cases when the domain name isn’t resolvable for heartbeat and password changing.
  • Updated behavior in the SOAP API for disabling Check Out on Secrets that are currently checked out to match bulk operations behavior. A Secret Owner can now call SetCheckOutEnabled to turn off check out on a currently checked out Secret.
  • Added a new role permission for creating application user accounts.
  • The SSH Proxy now restricts the default cipher suite for incoming connections.
  • SOAP API – Added new method for GetReport to get report data via the API

Bug Fixes

  • Fixed issue where password changing through Distributed Engine would not run in Professional Edition
  • Fixed localization issues in logs
  • Fixed engine upgrade error when upgrading from the legacy agent to distributed engine.
  • Fixed issue where the database field tracking when the Secret expiration field was initially set using the server time instead of UTC
  • Fixed issues with the Secret Search Filter for Discovery
  • Fixed issue where getting redirected to the Logged in at other Location could cause the user to be logged out at both locations.
  • Fixed issue in AD sync where an error was logged in some cases if the client was accessing from behind a load balancer.
  • Fixed issue where using the Folder Slider on dashboard and deleting the currently selected folder would break dashboard search.
  • Fixed issue where you could set an approval group that only contained an application account user
  • Fixed exception that could occur in the system log for license expiration checks.
  • Fixed issue where the only privileged account options in Secret Policy were for LDAP or Active Directory Secrets.
  • Fixed issue where the Configuration Edit Event Subscription didn’t fire if email settings were modified
  • Fixed issue where a large custom expiration data, such as 12/1/9999 on a Secret caused 500 errors on Dashboard search
  • Fixed SQL Replication issues where web server nodes connected to subscribers redirected to replication page and audit insert errors could occur.

Security Fixes

  • Fixed XSS issue on Discovery Scanners.
  • Fixed XSS issue on Secret View for certain launcher configurations.

Release Notes 10.1.000000

Release Date: 1/18/2017


  • SSH Key Management (May require an additional license)
    • Added ability to automatically generate new public / private key pairs and rotate the public key on servers.
    • See this KB for a walkthrough of managing SSH Key Pairs
  • z/OS RACF Support (Requires Premium Edition or higher)
    • Added support for automatically manage IBM z/OS RACF credentials
  • Dual Control
    • Added options to enforce dual control when viewing recorded sessions, shadowing sessions, and running reports to enforce 4 eyes principle for potentially sensitive audit information.
  • New Built in Reports
    • Unlimited Administrator Activity: Shows actions done by users with the unlimited administrator permission when break the glass mode is enabled.
    • What Secrets Changed Passwords in Last 90 Days: Shows Secrets that have had their passwords changed in the last 90 days.
    • What Secrets Have Not Had Passwords Changed in Last 90 Days: Shows Secrets that have not had a password change in the last 90 days.
    • What Folders Have Policies Assigned: Shows what Secret Policies are assigned to folders.
    • What Secrets Have Different Policies Than Their Folders: Shows Secrets that aren’t inheriting their policies from their Folder.
    • What Secrets have Policies Assigned: Shows what policies are assigned to each Secret.
    • User Activity Report: Added User’s current locked out status to the user activity report.
  • Added ability to auto enable Google Authenticator, Duo, and email two factor as part of domain synchronization.
  • Dependencies on Secrets can now be grouped so they can be assigned to different Sites when a service account is used across segregated networks.
  • The Delete Secrets role permission has been split into separate permissions for delete secrets and delete secrets from reports.
  • When session recordings are stored to disk rather than in the database there is now an option to encrypt the videos.
  • Renamed Domain Friendly Name to NetBIOS name on Active Directory administration page.
  • Application API Accounts can now log in directly to both the SOAP and REST API’s
  • REST API – See this KB for examples in PowerShell
    • Token Expiration: New expiration endpoint to invalidate an issued token
    • File Upload / Download: Upload and download files from Secrets
    • Field Update / Get: Get or update a specific Secret field value with a single call rather than getting the full Secret object and posting an updated Secret object
    • SSH Keys: Added options to change password and create Secret for generating new SSH keys and passphrases.
  • Note: As of 10.0 the REST API and SOAP API tokens are not interchangeable due to added support for OAUTH. Each API requires its own authentication call and token.

Bug Fixes

  • Fixed issue where emailing reports wouldn’t use the selected date range.
  • Fixed issue where a backslash in the dashboard search wouldn’t return any results.
  • Fixed issue where scheduled backups were not available in Free edition.
  • Updated the Windows Password Changer to support changing the built in administrator accounts without having to specify a privileged Secret due to Microsoft Patches 3177108 and 316769.
  • Fixed issue where an admin could convert the only local admin account to an Active Directory Account.
  • Fixed foreign key error in Discovery when an OU is deleted that is part of a discovery import rule
  • Fixed issue where testing PowerShell scripts failed when a PSObject was returned by the script.
  • Fixed issue where reports did not email with the correct date range.
  • Removed special characters from SSH Proxy one time credentials to prevent issues with some custom launchers where special characters break command line arguments.
  • Fixed issue where SSH Command Sets were not available in Professional Edition for Discovery.
  • Fixed issue where Discovery could return an error when matching found accounts against Secrets with an inactive Secret Type.
  • Fixed issue where adding an Active Directory Domain with the same name as an SSH based Discovery Source would cause an error.
  • Fixed issue with REST tokens that could occur in some environments when FIPS mode was enabled.
  • Fixed issue where the Database verify step fails in the web installer when Maintenance Mode is enabled. Note that since this is a change to the installer it will not take effect during the upgrade to 10.1 because the upgrade is running off of the current version.
  • Fixed issues with the Mac Session Launcher when running on Sierra.
  • REST API: Fixed permission check issues in the REST API where editing a Secret with check out enabled was improperly allowed.
  • REST API: Fixed permission check issues in the REST API where users with View access could see the AutoChangeNextPassword field

Release Notes 10.0.000006

Release Date: 10/20/2016


  • Added Secret Search Filter to Discovery Scanners to dynamically find a Secret to authenticate to a machine for scanning. See this KB for instructions on creating Secret Search Filters.
  • Custom PowerShell password changers are now configured and defined in Remote Password Changing rather than on the Secret Template. See this KB for updated instructions on creating PowerShell Password Changers
  • Added option for matching Dependencies to Secrets based on a remote machine in addition to a domain for better support of database links and other local account type Dependencies
  • Scan Item Template has been renamed to Scan Template in the Scriptable Discovery Admin UI
  • Added Scan Template column to the Discovery Network View results view

Bug Fixes

  • Fixed issue where launchers could periodically fail in a load balanced environment because session information was only stored on the web server the session was started from.
  • Fixed issue where UNIX host ranges were not removed in the Discovery Network View after they were removed from the Discovery Source.
  • Fixed issue where testing PowerShell scripts that returned PowerShell objects on the Admin Scripts page could return a 500 error from the server.

Security Fixes

  • Fixed issue in REST web services discovered during internal review. Only customers running 10.0.000000 are affected. See this advisory for more information

Release Notes 10.0.000000

Release Date: 10/13/2016

  • Scriptable Discovery (Enterprise Plus or Advanced Scripting Add-On)
    • Administrators can create PowerShell scripts to customize Discovery for local accounts and service accounts
    • Domain specific settings for service accounts, remote connection type, and extended account information have been moved to the relevant scanner on the Discovery Source page
    • NOTE: Custom SSH, SQL, and PowerShell script Dependencies are now managed as Dependency Templates for simplification of administration and integration with custom Discovery sources. Custom scripts will no longer be directly assignable as Dependencies on Secrets.
    • See the Scriptable Discovery Overview KB article for more information and example usage
  • Distributed Proxying
    • Distributed Engines can be set to proxy Secret Server sessions as an alternative to the Secret Server web server.
  • Privilege Manager for Windows
    • Secret Server and Privilege Manager for Windows can be co-deployed and share authentication and management
    • Requires separate purchase of Privilege Manager for Windows (formerly Application Control Solution)
  • Added Secret as an option for the Domain Synchronization credential
  • Added CAPTCHA support for logins
  • Added configuration setting to prevent password re-use when changing a Secret’s password.
  • Added support for AES-CTR with SSH password changers when running in FIPS mode.
  • Added support for MFA tokens with AWS password changing
  • NOTE: Secret Server 10.0.000000 requires configuring integrated pipeline mode on the Secret Server Application Pool Please see this KB for details on configuring integrated pipeline mode in IIS. If using Integrated Windows Authentication you will also need to update IIS authentication settings as detailed in this KB.
  • Step Upgrade: Upgrading to 10.0.000000 requires that you first upgrade to 9.1.000001, which has changes to the upgrader to support moving to 10.0.000000.
  • NOTE: As of Secret Server 10.0 REST and SOAP API tokens are not interchangable. Each API requires it’s own authentication call and token.

Bug Fixes

  • Fixed issue where discovery would return an error if there was a duplicate deleted user on a windows machine.
  • Fixed issues where 2-factor remember me and inactivity timeout could conflict
  • Fixed issue when synchronizing cross domain groups
  • Fixed issue where Remote Password Changing and Heartbeat would fail on the same machine as a Distributed Engine
  • Fixed issues with checking empty fields in REST API
  • Fixed issue where the REST API folder search permissions were too restrictive
  • Fixed impersonation error when running a SQL Script Dependency
  • Fixed issue in Audits when using mapped IPv4 addresses that exceeded 40 characters.
  • Fixed issue where Password Changing, Heartbeat, and Discovery did not consistently work on the same machine as a Distributed Engine
  • Fixed issue where the Syslog RT field did not respect the UTC time setting.
  • Fixed issue with engine licensing enforcement.
  • Fixed issue where a foreign key constraint from a deleted Discovery Rule could stop Discovery
  • Fixed issues with SonicWALL password chanagers
  • Fixed incorrect text warning when creating an Application Account
  • Fixed impersonation issue with SQL Dependencies
  • Fixed issue where the delete action on Event Subscriptions could delete the incorrect row.

Security Fixes

  • Fixed Open Redirect issues on multiple pages
  • Fixed XSS issues on multiple pages
  • Added an upper limit to local user passwords to prevent a denial of service attack with extremely long passwords
  • Fixed issue where Distributed Engine did not work when restricted to TLS 1.2
  • Fixed issue with MS SQL password changing where the new password showed in SQL Trace on the target database server

Release Notes 9.1.000001

Release Date: 10/13/2016


  • It is required to upgrade to 9.1.000001 before Secret Server will upgrade to 10.0.000000
  • Added installer enhancements to support the 10.0.000000 release.

Release Notes 9.1.000000

Release Date: 7/13/2016


    • REST based web services API for managing Secrets, Users, and Groups.
    • For more information see the REST API Guide on the Secret Server documents page
  • Web Password Filler
    • A new Chrome extension for website logins is available, for more info see this KB article.
    • NOTE: After upgrade, Chrome users will be prompted automatically to install this extension. Firefox and Internet Explorer users will continue to use the existing add on or bookmarklet.
  • Site per OU in Discovery
    • Assign an Engine Site at the OU level in Discovery
    • Set a different Secret per OU in Discovery
  • Added option to set owners on user accounts to delegate account management
  • Added support for SCP through the SSH proxy
  • Added additional options to the Secret Expiration event subscription
  • Disabled dependencies are hidden by default on the Secret Dependency page
  • Added additional option for windows password changers to help handle multiple IP addresses in DNS for a single machine
  • Editing a password field on a Secret with password changing enabled now gives the user a dismissable prompt to help prevent mistaken password edits
  • Domain user accounts can now be marked as Application Accounts for integrated auth web service access only

Bug Fixes

  • ConnectWise integration now uses the API rather than database table integration. See this KB for information on setting up API access to ConnectWise.
  • Fixed issue where multiple syslog destinations using the FQDN did not work
  • Fixed issue where a user viewing a Secret after a password change within the Secret View interval after their last Secret View did not result in an audit.
  • Fixed issue where Oracle error ORA-12170 was treated as heartbeat failed rather than unable to connect.
  • System log truncation notification email goes to users with Administer System Log permission rather than Administer Configuration
  • Fixed issue where commas in group names were not parsed correctly on AD Sync
  • Fixed issue with AD sync when a group had more than 1500 members
  • Fixed issue with AD sync when the OU has asterisks in the name
  • Fixed issue where Session launchers did not trim spaces from username and machine fields
  • Fixed syslog error when the event details exceeded 4000 characters
  • Performance updates for the Recents Secrets widget and Secret Load when there are a large number of audit records on a Secret
  • Check In web service method now respects the Force Checkin role permission.
  • Fixed access denied message when doing a bulk operation for convert secret template without the view deleted secrets role permission
  • Fixed potential licensing error when running the PowerShell password changer
  • Fixed issue where setting AutoChange schedule through Secret Policy would not use UTC
  • Added support for HMAC-SHA2-256 and HMAC-SHA-512 ciphers for SSH Heartbeat and Password Changing
  • Fixed issue with SSH dependencies on Cisco devices where the setenv command was not available
  • Added additional information to the Subscription Dependency failure email to include machine name and dependency name that failed
  • Added additional logging for Heartbeat and Password Change monitors

Mobile Updates

  • The Thycotic PAM Android app has been republished. Existing Android users will need to uninstall and re-install to get the new version.

Release Notes 9.0.000000

Release Date: 4/13/2016


  • Mac Session Launcher
    • RDP, SSH, and Custom Launchers are now supported with the new Mac OS X protocol handler.
    • For more information see this KB.
  • Geo Replication
    • MS SQL Replication is now supported as an additional add on module. Contact your account rep if you are interested.
  • UNIX Privilege Manager
    • Administrators can configure SSH command menus to limit what users can do with root and other privileged credentials.
    • Requires a separate add on, contact your account rep if you are interested.
  • Remember Me is now available for 2 factor.
  • New option for SSH launchers to specify a Connect As Secret to make the initial connection before switching to the current Secret’s user for cases when accounts are denied SSH login.
  • Dependencies and Secret Audit are now copied to the new Secret when converting Secrets.
  • The Tree View on Dashboard and Discovery Network View is now collapsible.
  • Windows Discovery now finds:
    • If an account is Local Administrator
    • If an account is in the Local Administrators Group
    • Password last set date
    • Password expiration date
    • Password expiration status

Bug Fixes:

  • Fixed issue where domain FQDN wasn’t populated during Active Directory Sync.
  • Fixed issue with syncing an Active Directory Group with more than 1,500 members.
  • Fixed issue where SSH proxy wouldn’t restart after web server failover.
  • Fixed issue where searching wouldn’t work on Secret name’s starting with “:”
  • Fixed issue where selecting an approval user or group could cause an error on Secret Policy creation.
  • Added optional remember me setting for two factor authentication.

Security Fixes

  • The version of PuTTY shipped with Secret Server has been updated to version 0.67 to include the latest security fixes.For more information please refer to the PuTTY change log.

Release Notes 8.9.300008

Release Date: 3/8/2016


  • Secret Script Dependency Parameters can now reference associated Secrets by Secret ID in addition to the Secret order number in the associated Secrets list. See this KB for more information.
  • Added new Time to Live and Retry Time settings to Distributed Engine configuration
  • Secret Server Express Edition is now called Secret Server Free. There are no changes in capabilities available between the two editions.

Bug Fixes:

  • Fixed issue where domain password changing failed when target credential was on different domain than Secret Server and no privileged account was used
  • Fixed issue with running Discovery over LDAPS
  • Fixed issue where nested groups would not import correctly in AD synchronization when the group is nested within multiple AD groups
  • Fixed issue where Folder was not added to the Dependency when importing Scheduled Tasks through Discovery
  • Fixed issue where scheduled task discovery could get incorrectly marked with an error and prevent import
  • Fixed authentication issues when using the Web Password Filler with Integrated Windows Authentication
  • Fixed RDP proxying error when using FIPS compliance mode
  • Fixed Session Launcher error if TLS 1.0 is disabled on the web server.
  • Fixed Discovery issue when scanning using credentials from a different domain.
  • Fixed issue where new domain users were not getting a personal folder.
  • Fixed issue where Distributed Engine could create excessive database entries for background threads
  • Oracle Script Dependencies will now ignore extra parameters passed in from Secret Server
  • Fixed potential error during upgrade if there were users that had never logged in

Security Fixes

  • Fixed reflected XSS issue
  • Removed ASP.NET version disclosure from response headers

Release Notes 8.9.300000

Release Date: 1/13/2016

Main Focus: Active Directory Synchronization Through Engine

  • Active Directory sync through Distributed Engine
    • Active Directory synchronization and user authentication can now be routed through a specified site. This allows for AD authentication even if the Secret Server web server does not have direct access to the domain.
  • Password Requirements now support starting character rules.
    • When target systems disallow certain characters, users can now set a rule for which characters a generated password is allowed to start with.
  • Dates are now stored in UTC format
    • Customers with servers in different time zones no longer need to set the servers to use the same timezone or UTC time. Existing dates in the database will be retrofitted to UTC if the web server is not already in UTC time.
  • Installer updates 
    • Improved installer to pre-configure IIS and .NETfor fresh installation
    • Added configuration wizard for the initial setup of Secret Server
    • New users will see a dashboard overlay highlighting key features.
  • Added configuration option to allow for concurrent login sessions.
  • The session launcher .NET framework support has moved from .NET 3.5 to .NET 4.5.1 and higher.
  • Added configuration option to enable frame breaking.
  • FIPS support is now available in Enterprise Edition.

Bug Fixes:

  • Fixed issue where local windows account heartbeat and password changing didn’t work on the same machine as an engine.
  • Fixed issue where ticket links weren’t clickable in audit logs when generated by an access request.
  • SOAP web services now respect the ZeroInformationDisclosureMessage setting recommended in the Security Hardening Report.
  • Fixed issue where local account discovery scanned domain controllers in some scenarios.

Security Fixes

  • Fixed security issue with named pipe permissions when passing credentials to the PuTTY launcher.
  • Fixed an XSS vulnerability.

Release Notes 8.9.000022

Release Date: 10/1/2015

Main Focus: Ticket System Integration and Security Fixes

  • Ticket System Integration
    • Secret Server will validate whether a ticket is open in either BMC Remedy or ServiceNow as part of the require comment and approval for access workflows.
    • Enterprise Plus customers can create PowerShell scripts to create a custom workflow or integrate with other solutions.
  • API Updates
    • AddGroupToActiveDirectorySynchronization: Adds a group to the Active Directory Synchronization list.
    • RunActiveDirectorySynchronization: Kicks off the Active Directory User Synchronization Process.
    • AddSecretPolicy: Adds a new Secret Policy.
    • AssignSecretPolicyForSecret: Set a Secret policy on a Secret.
    • SearchSecretPolicies: Search existing Secret Policies.
    • GetScript, AddScript, GetAllScripts: New methods for managing the PowerShell, SSH, and SQL scripts.
    • The Folder Extended Windows Authenticated Web Service methods no longer have the token parameter.
  • Added NAS attributes to the RADIUS messages.
  • The SonicWALL Web Admin and SonicWALL Web Local User password changers have an option to validate or bypass remote SSL certificates.
  • The RDP Session Launcher now shows the end target machine name in the RDP window when RDP Proxying is used.
  • Logging to the Remote Password Change log when a Secret isn’t changed because it’s outside its AutoChange Scheduled time is now only logged once.
  • Added new option for Active Directory Discovery Sources to resolve based on machine name only.
  • Added new options for how the custom process launcher runs to help handle UAC prompts.
  • SSH, SQL, and PowerShell Dependencies can now use the $CURRENTPASSWORD token.
  • Updated the web password filler to prioritize exact matches in the search results to help show matching Secrets when on sub-domains.
  • IP Address Restrictions can now be applied to Active Directory Groups.

Bug Fixes:

  • Fixed issue where Dashboard would not display in Firefox 41.
  • Fixed performance issue some customers were seeing after upgrades to 8.9.
  • Fixed issue where SSH Dependencies were suppressing the full error details.
  • Fixed issue where SSH connections were not being closed after Heartbeat.
  • Fixed test dialog for custom UNIX password changers with linked Secrets.
  • Fixed incorrect display of the SSH Log link in Secret Audit trails.
  • Fixed issue where pressing enter in the quick search area when viewing a Secret would run the Secret Launcher in some browsers.
  • Secret Server will no longer override root level IIS HTTP Redirects on upgrade.
  • Fixed issue where the Web Password Filler didn’t work with SAML integration.
  • Fixed error in test dialog for custom UNIX password changers when no key was present.
  • Fixed copy to clipboard issue in IE11.
  • Fixed issue where hitting Enter on Secret Edit would prompt to generate a new password.
  • Fixed password strength error alert on Secret View.
  • Fixed issue where SSH Discovery would leave hanging sshd processes on AIX instances.
  • Fixed issue where duplicate Active Directory discovery sources could be created.

Security Fixes

  • Fixed security issue with update checks with update process. See our security advisory  for more details.
  • NOTE: It is recommended to perform an offline upgrade to 8.9.000022. See this KB article for instructions on performing offline upgrades. Upgrading Without Outbound Access
  • Fixed DOM XSS issue.

Release Notes 8.9.000000

Release Date: 8/7/2015

NOTE: Secret Server version 8.8 will be the last version to support Windows Server 2008. If you wish to upgrade to a version higher than 8.8, you will need to upgrade your server to Windows Server 2008 R2 or higher.

Main Focus: Distributed Engine

  • Distributed Engine – SITES
    • Distributed Engine is a NEW feature. All existing customers will receive unlimited Sites to replace our Agent feature. A Site can be assigned to a Secret or a Discovery Source.
    • Discovery can be run through the Sites to provide discovery on remote sites.
    • Customers using Agents will need to install an additional service. Review this KB and this KB prior to upgrade.
      • PLEASE NOTE: After upgrading, Secret Server will automatically upgrade all Agents to Sites. Agents will not be available after upgrading to 8.9.
    • API Change: The web service method “AssignToAgent” has renamed to “AssignSite”. Use the new method, or use Secret Policy to assign Sites to Secrets.
  • Distributed Engine – ENGINES 
    • All existing customers will receive enhanced performance through our new Engine technology. Engines are installed on remote networks and are grouped by Site in Secret Server. The new Engines will provide improved performance for Heartbeat, Remote Password Changing, and Discovery. See this KB for additional information on configuration of Distributed Engine:Distributed Engine KB Overview.
  • RDP Proxying
    • RDP Sessions can now be proxied through Secret Server.
    • Secret Proxying can now be set per Secret and in Secret Policy, as well as through the API.
  • Advanced Permissions
    • Several new Permissions have been added and the folder and Secret Permission UI enhanced. Permissions on folders and what Secrets inherit can now be set separately.
      • List Folder – Allows user to traverse a folder without seeing the contained Secrets.
      • Add Secret – Allows a user to Add a Secret to a folder.
      • List Secret – Allows a user to see that a Secret exists and view the audit, but not see the Secret contents
  • Added support for literal arguments in SSH Dependency Scripts.
  • Custom icons can now be set on custom launchers.
  • Added new #FOLDERID and #FOLDERPATH parameters for custom reports.

API Changes

  • New API methods
    • FolderExtendedUpdate – Allows updating a folder with permissions and policy.
    • FolderExtendedGet – Retrieves an existing folder with extended settings.
    • FolderExtendedGetNew – Retrieves a new blank object.
    • FolderExtendedCreate – Add a new folder with permissions and policy settings.
    • Impersonate – Allows web services impersonation of other users for API integrations. Requires the new “Web Services Impersonate” role permission be assigned and that the target user approve the request.
  • Updated API Methods
    • AddNewSecret, GetBlankSecret, GetSecret, and UpdateSecret have been updated to account for new permissions. These methods will continue to be backwards compatible, but it is recommended to review the WSDL prior to upgrading if making use of these methods

Bug Fixes

  • Fixed issue with SSH Proxying when using the Safenet HSM.
  • Fixed issue where the IsFile element in the XML export was not properly set.
  • Fixed issue where SSH Dependencies would attempt to use a password first even when a key was set.
  • Fixed issue where the Dependency Discovery Import did not apply Secret Policy for newly created Secrets.
  • Fixed issues with web password filler in IE 11 enterprise mode.
  • Fixed issue where testing SSH scripts would not use a test SSH key for authentication.
  • Fixed memory issues in Scheduled Task Discovery.

Release Notes 8.8.000020

  • Fixed an XSS vulnerability. For more information, see our Security Advisory.
  • Added option for SIEM messages to use UTC date instead of Server Date.
  • Added an option to load the user profile when running custom launchers.
    • If you have deployed the protocol handler through Group Policy to your users, it will need to be updated.
  • Fixed issue where web password filler would not recognize some password fields correctly.
  • Added new web service methods for searching Secrets by exposed fields.
  • Fixed an error that would happen if an SSH key was not provided when testing custom SSH remote password changing commands.

Release Notes 8.8.000018

Release Date: 3/16/2015

  • Added Per Secret Key Encryption
  • Administrators can rotate these keys periodically (Enterprise Plus). For more information please refer to this KB article on Secret key rotation.
  • Updated local user hashed passwords to use PBKDF2 going forward.
  • Administrators can now choose an RSA key size when configuring the HSM integration.
  • Managing Dependencies on a Secret now only requires Edit access to the Secret. Importing Service Accounts from Discovery requires Edit on the Folder the Secrets will be created in.

Bug Fixes:

  • Fixed issue with Daylight Savings time offset in approval for access.
  • Fixed issue where the bookmarklet would return Secrets that did not have URL fields.
  • Fixed issue with importing duplicate Secrets with the XML import.
  • Fixed issue with Google Auth two-factor when HSM is enabled.

Release Notes 8.8.000005

Release Date: 2/20/2015

Release Notes 8.8.000004

Release Date: 2/10/2015

  • Added new extended mapping for specifying a public key digest when connecting to a server for password changing, Heartbeat, Discovery, or through a Launcher. If the public key digest is present, it will be validated. For more information, see our Security Advisory and KB article on how to add public keys.
  • Fixed performance issues with Web Password Filler, caused by many Secrets containing matching URLs.
  • Fixed issue where Secrets that have an Auto Change Schedule might not change if there are many Secrets failing password changing.
  • Fixed issue where the Regex file dependency wouldn’t work with a privileged account on an untrusted domain.
  • Fixed issue where Active Directory Synchronization wouldn’t find users on a domain if a group being synchronized had zero members.

Release Notes 8.8.000001

  • Fixed IE 8 compatibility issue.

Release Notes 8.8.000000

Main Focus: SSH Key Support and Dependency Scripting

  • SSH Key Support
    • SSH Keys are now supported for authentication with PuTTY, Dependencies, Remote Password Changing, and Discovery.
    • Added a new SSH Key Secret Template and added Key and Passphrase Fields to default UNIX Secret Templates.
  • SAP
    • Updated the SAP libraries used by the SAP Password Changer NOTE: In order for SAP Password Changing to work after an upgrade, the SAP libraries on the Secret Server instance need to be updated. Please follow the steps in this KB.
  • Dependency Updates
    • Admins can now create SSH and SQL Scripts to run as Dependencies in addition to the existing PowerShell Dependency types
    • The Dependency UI has been reworked for information density in cases when there are lots of Dependencies for a single Secret
    • Dependencies can now be retried and additional logging is now available per Dependency
    • When updating Dependencies for an Active Directory Account Secret, Secret Server will try to automatically unlock the account if it gets locked out, if there is a privileged account set on the Secret.
  • HSM
    • Thales HSM’s are now supported
    • Safenet Network HSMs are now supported.
  • Administrators can use custom created PowerShell scripts for password changing.
  • Added a new Office365 password changer.
  • File Attachments now can keep history.
  • New API methods
    • SearchUsers
    • GetUser
    • UpdateUser
    • GetSecretItemHistoryByFieldName
  • Added a new widget for managing access requests.
  • Approvers can now set a start time for an approval for access request.
  • Approvers are now required to enter a reason when approving an access request within Secret Server.
  • Added a new role permission Administer Create Users for creating users only. To edit user accounts, administrators will still need the Administer Users role permission.
  • Maximum Attempts can now be set for Password Changing on the Secret Template.
  • A custom field for displaying to users on the Basic Home can now be set on the Secret Template.
  • The Protocol Handler is now the default launcher option for fresh installations of Secret Server.
  • Computers not in specified OU’s for an Active Directory Discovery Source will no longer be shown on the Discovery Network View.
  • Added enrollment URL for Duo authentication for when the user is not enrolled.
  • Added support for control characters in the SSH command sets.
  • Added support for Secret values in the Approval for Access email customization.
  • Added a Administer Create Users role permission which gives user account creation permissions only. Administer Users role permission still allows an admin to create and edit user accounts.
  • Added View Audit button on the Dashboard Secret view for users that have the View Audit role permission but not the View Secret role permission.
  • Syslog change: Syslog events now pass the Username instead of the Display Name of the user. Display Name has been moved to cs4 and cs4label fields. Please refer to the syslog guide for full field listing.
  • NOTE: 8.8 supports running Secret Server on Windows Server 2008, but support for this will be deprecated in a future version of Secret Server. Server 2008 R2 will continue to be supported.
  • Fixed an issue that would allow users with permissions to view a Secret to access the password history directly without going through Check Out or Approval for Access flows THY-SS-002.

Bug Fixes:

  • Custom proxied SSH Launchers can now use custom fields in process arguments
  • Fixed issues where Secrets created through the web password filler would not respect default field values or Secret Policy settings.
  • Fixed issues with folder searching in some dialogs.
  • Fixed bug where an admin could not add application accounts if the user count was already at the licensing limit.
  • Fixed issue where the some OU’s could not be selected in a Discovery Source when there were several OU’s named similarly on the domain.
  • Fixed issue where a failed password change on check in would write additional audits for Secret Set for Check In.
  • Fixed memory issues in scheduled task discovery.
  • Updated the query to retrieve computers from the domain to only return computers in specified OU’s.
  • Fixed issues with Active Directory Sync connection failures potentially disabling users.
  • Fixed issue with using the attempt user password setting for RADIUS and integrated windows authentication.
  • Fixed issue when creating a folder shared with hundreds of users and groups.
  • Fixed workflow issues in web password filler when a Secret has check out or other security settings applied.
  • Fixed issue where web password filler would not work properly if the URL was extremely long.
  • Tokens are now supported for use with Duo Security.
  • Events written to the Windows Event Log now have unique identifiers.
  • Fixed performance issues in dashboard searching for deep folder structures.
  • Fixed searching behavior where a found value is on multiple Secret fields.
  • Fixed issue in dashboard searching where a backslash in the search terms would not return results in Firefox only.
  • Fixed display issue on Service Account Discovery when using an account to run the scan on a child domain.
  • Fixed URL encoding issues on the Basic Dashboard.

Release Notes 8.7.000000

Main Focus: ESX/ESXi and Unix Account Discovery

  • Unix Account Discovery
    • In addition to Windows Local Account and AD Service Account Discovery, Secret Server can now scan and import Linux local accounts.
  • ESX/ESXi Local Account Discovery
    • Discovery has been expanded to support scanning and automatically importing local accounts on ESX/ESXi systems.
  • ESX/ESXi Password Changing
    • Added a new ESX Secret Template and a new ESX password changer to perform changes via VMware’s API. SSH is no longer required to be enabled on the ESX/ESXi system if this password changer is used.
  • Search Updates
    • Multiple search terms will use implicit AND’s rather than OR’s for more accurate results.
    • Reduced the number of search hashes created in the database to help limit database growth.
    • Improved performance of searching on unencrypted Secret fields.
  • There is a new option to delete secrets shown in a report.
  • Added password masking in all entry fields
  • Folder deletes and renames are now audited.
  • RADIUS authentication now handles multiple consecutive access challenges.
  • Added support for Duo Security as a two-factor option.
  • Added support for optionally using a user’s login password as the RADIUS password if prompted.
  • Added search bar for web password filler to filter returned Secrets.
  • Unmasked passwords on Secrets now use a different font to help distinguish between certain similar characters.
  • Added option to specify a Secret for running Discovery in Active Directory Sources rather than using the Active Directory Synchronization credentials.
  • Added “Password Changed” event subscription event.

Bug Fixes:

  • SSH Proxy now respects the client terminal type settings.
  • Users can now edit notes fields in cases where they do not have access to the privileged account on the Secret.
  • Fixed an issue where the launcher may not start when configured to use a protocol handler in Chrome and Firefox.
  • Users will be able to see the name of the privileged account on the Secret if they do not have access to it.
  • Logging in via the Windows Authenticated Web Services now sets the Last Login on the user.
  • Enable Approval from Email is no longer on the Security Hardening report for editions without Approval for Access available.
  • Fixed issue where an admin in unlimited admin mode would bypass entering in a comment when both Check Out and Require Comment were enabled on a Secret.
  • Fixed issues with the Web Password Filler in IE8.
  • Fixed issue where failover with the web servers could occur even if clustering was disabled.
  • Fixed issue where there were inconsistent permission checks for adding and deleting between the web interface and the web service methods.
  • Fixed issue where the MSI installer would not detect a local SQL 2014 instance.
  • Fixed issue where a file could be uploaded to a non-File field using the web service API.
  • Fixed issue where service account import could fail because the saved folder no longer exists.
  • Fixed issue where Check Out and Require Comment workflows could send a user back to the dashboard instead of to the Secret.
  • Fixed error where email report options were available when no SMTP server was set.
  • Fixed issue where the SalesForce password changer would not correctly work on sandbox instances.
  • Fixed incorrect display of line breaks in Notes fields on the Basic Dashboard view.
  • Windows account discovery now uses the LastLoginTimestamp AD attribute rather than LastLogin to better support replicated domains.
  • Fixed performance issues on Dashboard when loading large numbers of Secrets.
  • Fixed issue where Access Request approvals could not be accessed by Email.

Release Notes 8.6.000010

Main Focus: Security Update

  • Fixed an issue that would prevent the Windows Remote Desktop Launcher from cleaning up generated RDP files, which contain DPAPI encrypted passwords. This report was acknowledged within 24 hours. CVE-2014-4861.
  • Fixed an issue that would prevent users in certain time zones from viewing SSH Proxy logs.

Release Notes 8.6.000009

Main Focus: Security Update

  • Fixed security issues reported by a customer. This report was acknowledged within 24 hours.
  • Added built-in support for HTTP Strict Transport Security (HSTS).
  • Improved performance of loading dashboard for very large installations.
  • Administrators can now disable HTTP GET functionality for web services.
  • Added additional HTTP headers to improve Secret Server’s security policies.
  • Added additional options to the new Theme Roller to change font size and padding between elements.
  • Added new web service methods for adding dependencies to Secrets.

Bug Fixes:

  • Fixed issue where users with non-ASCII characters in their username could not be issued a valid token for web services.
  • Fixed issue where Discovery scanning may not occur at expected times due to Application Pool recycles.
  • Fixed issue where Windows Authentication web services did not respect the Require Two Factor for Web Services configuration option.
  • Fixed issue where the Agent installer would incorrectly report the .NET Framework was not installed when the .NET Framework 4.5.2 was installed.

Release Notes 8.6.000000

Main Focus: UI Refresh and Secret Policy

  • Secret Policy: Administrators can now define a policy for Secret Security and Auto Change settings. This can be applied at the Folder level and Secrets in that Folder automatically inherit those settings.
  • The Secret Server UI has been significantly updated for look and feel, including a new basic dashboard view for non-admin users who just need core functionality.
    • Added a theme roller for creating new themes and uploading corporate logos.
    • Warning: Users with custom themes will be moved to the default theme on upgrade and will need to use the new Theme Roller to create a theme. See this KB article for new instructions on theming.
  • Added Personal Folders option for users to store work related Secrets. These are only accessible by a named user by default, but can be accessed in Unlimited Admin mode by an administrator.
  • Added support for mobile app authenticator soft tokens for Two-Factor.
  • Added a built in SSH password changer for F5 root accounts.
  • Added a Salesforce password changer. See this KB article for more information.
  • DoubleLocked Secrets can now be accessed through web services.
  • Added a new option to run Local Account Discovery using WMI, which can provide a performance boost in some environments where WMI is properly configured.
  • Added optional Domain Controller field to the LDAP based Password Changers: LDAP (Active Directory), LDAP (openLDAP), and LDAP (DSEE).
  • Reorganized the bulk operation drop down list for usability.
  • Added AssignUserToGroup and GetAllGroups API methods.
  • When proxying is enabled users can manually make a connection to Secret Server using the get proxy credentials API method or button on Secret.
  • SSH Proxying can now be specified on a per node basis for clustered environments.
  • Check Out and Approval for Access end times are now synchronized. A user will not be able to keep a Secret checked out past the approval period end time.
  • Added in a configuration option for whether launched sessions automatically close on Check In.
  • Added additional logging and event subscriptions for when DPAPI encryption is enabled or disabled.
  • Improved performance for the SearchSecrets API call.
  • Cluster computer objects are now ignored by default in Discovery.

Bug Fixes

  • Added extra error handling to the Discovery process.
  • Fixed issue with running user audit report with the Exclude Changed and Deleted Secrets.
  • Updated the web password filler to handle different zones in IE. Due to security restrictions users may now be required to log in to the web password filler in addition to Secret Server. Other browsers are unaffected.
  • Fixed performance issues in reports with large amounts of data.
  • Fixed issue where the Secret Export incorrectly reflected the Secret count for a Folder.
  • Fixed date range search in Session Monitoring.
  • Fixed issue where automatic backups were not available in Express Edition.
  • Fixed issue with email two-factor in Express Edition.
  • Fixed issue where an incorrect SMTP configuration could cause an Application Pool Recycle.
  • Fixed issue where bat file launcher would require a port field when mapping to the Secret Template.
  • Fixed issue where bat file launcher did not handle parameters enclosed in double quotes correctly.
  • Added performance enhancements for session video processing.
  • Secret fields marked as Exposed for Display on the Template will no longer have their history encrypted for consistency and reporting.
  • Fixed paging on Report Schedule History grid.
  • The Out of Sync Report now shows the reason in the saved report.
  • Added additional error handling for RADIUS authentication.
  • Added additional error handling for Discovery machine scanning.

Release Notes 8.5.000000

Main Focus: Session Monitoring and SSH Proxying

  • Upgrade to .NET Framework 4.5.1: This will require downtime and a manual change of the application pool. .Net 4.5.1 is a prerequisite for the web server. You will need to make other changes, see Considerations for Upgrading to 8.5 for details.
    • .NET 4.5.1: Secret Server now runs on .NET 4.5.1 to provide better support for the latest Microsoft technologies. To find out what this change means for you, view our KB Article.
    • PowerShell 3.0: Changes were made to the PowerShell scripting in order to fix certain remote authentication issues. These changes require an update to PowerShell 3.0.
    • Agent: If using the Agent, .NET 4.5.1 will need to be installed on machines where the Agent is installed.
    • Step Upgrade: Before upgrading to the 8.5 release, you must be running 8.4.000004. The Secret Server updater will update you to 8.4.000004 first, then allow you to update to 8.5
  • Session Monitoring: The Session Monitoring administrators can now view sessions launched from Secret Server, watch activity, and even terminate the session or send a message to the end-user while the session is in progress.
  • SSH Proxy: SSH Launchers can now be proxied through Secret Server. Admins can review full SSH logs of proxied sessions as part of the Session Recording feature.
  • Discovery and Password Change Performance: Speed of Discovery scanning, password changing and Heartbeat checks are significantly faster for management of very large environments.
  • Session Recording Retention: New configuration options are available for moving stored session movies out of the database and establishing a retention period.
  • Group Owners: Owners can now be assigned to local groups. Group owners can manage membership for the group.
  • Added support for PostgreSQL password changing.
  • Added support for custom ODBC based password changing.
  • Session Recording now uses differential images to reduce network bandwidth and database size.
  • Added new Video Codec option for Microsoft Video 9, which provides high levels of compression.
  • Secret Audits now include field and setting names that were changed.
  • Automatic Backups now support Copy-Only database backups.
  • User Audit report now has option to exclude deleted Secrets.
  • Added new search options to help performance for choosing groups for Active Directory Synchronization.
  • User drop down on User Audit report will properly switch to an autocomplete based on user count.
  • Passwords are now masked on Secret Edit.
  • Secret Check In will now terminate any open launched sessions.
  • Added configuration option to check in Secrets when a launcher session is closed..
  • Added P3P policy to help with cross domain issues with the Web Password Filler in IE.
  • Added new configuration option to specify a custom Secret Server URL for use by the Session Launchers and Emails. This is for cases when Secret Server is behind a proxy or load balancer and a client machine cannot resolve the Secret Server web server name.

Bug Fixes

  • Fixed issue with Scheduled Task Discovery on Windows Server 2003.
  • Added additional checks to installer to help validate access to update files.
  • Fixed a performance issue with Service Account Discovery attempting to resolve domains.
  • Fixed issue with searching inside Folders on Dashboard with query string parameters.
  • Fixed improper display of Edit button on custom reports.
  • Web service view audits now respect the Secret View interval in configuration.
  • Fixed issue where disabling check out did not clear the user it was checked out to.
  • Fixed issue with bulk operation for Set Privileged Account when setting to “Credentials on Secret”.
  • Fixed issue where user could get an error on the Hooks tab of Check Out Secrets when not assigned the Owner permission.
  • Fixed issue in 8.4 where scheduled task dependencies could be disabled from Service Account Discovery. If the instance has Service Account Discovery for tasks running these dependencies will be re-enabled. Please contact support if there are issues with Scheduled Task dependencies staying disabled.

Release Notes 8.4.000004

Main Focus: Usability and Configuration Enhancements

  • Administrators can now require ticket numbers or comment for Secrets with Require Comment and Approval for Access enabled.
  • The Require Comment interval when viewing a Secret can now be set on configuration so users are not prompted multiple times when accessing a Secret for the same reason.
  • Added configuration option to require two-factor for API and Web Access separately.
  • Added new whoami web service method to the standard web services to return what user a token is for.

Bug Fixes

  • Fixed variable replacement for custom launchers in some cases when field names contained other field names.
  • Added additional database connection properties for MS SQL Always On configuration.
  • Fixed issue where the background processing of expired Secrets for password changing could overwrite changes in the UI in certain cases.
  • Fixed issue where a custom report with a Secret ID column would cause an error if there was a row with no Secret ID value.
  • Added performance enhancements for the GetSecretsByFieldValue web service method.
  • Fixed potential upgrade issue for customers upgrading from versions below 7.9.000012.
  • Fixed issue where copy to clipboard for Internet Explorer 10 and 11 would cause the page to scroll to the top.

Release Notes 8.4.000000

Main Focus: Service Account Discovery and Launcher Enhancements

  • Multiple Launchers
    • Secrets can now have more than one Launcher, so if the same credential is used to run different tools admins can set up multiple Launchers per Secret Template.
  • Added support for scanning for Scheduled Tasks and IIS Application pools as part of Service Account Discovery.
  • Auto-Create Dependencies (Enterprise Plus)
    • Secret Server can now automatically link any found IIS Application Pools, Windows Services, and Scheduled tasks as Dependencies to existing Secrets.
  • User added Dependencies that don’t exist on the machine are now shown on the Discovery grid.
  • Added new Bulk Operations
    • Heartbeat Run Now
    • Heartbeat Enable / Disable
  • The Secret Server Launcher can now be optionally run using a Protocol Handler instead of Microsoft ClickOnce. This may be needed in some virtualized environments where ClickOnce does not function properly. You can read about the Protocol Handler configuration here
  • Added performance improvements for Dashboard search.
  • Added option to force expire Secrets from any report with a Secret Id column.
  • User Bulk Operations are now available.
  • Added new User preference and Secret preference for the size of the launched Remote Desktop Window..
  • Web Service Change: The Secret object used in the Web Service API has new fields in the SecretSettings section for setting privileged Secrets for RPC. This is documented in the Web Service API Guide .
  • .NET 3.5 SP1 Support
    • This will be the last minor version of Secret Server to run on .NET 3.5.1. The next subsequent minor version (8.5) will require the .NET Framework 4.5.1. You can read more about why this move is happening in this KB Article

Bug Fixes

  • Secret IDs on reports are now links, not link buttons.
  • Reports on Dashboard now show rows with background colors if specified.
  • Fixed error when viewing a secret set for check out by the bulk operation and a next password was already specified.
  • Fixed issue where viewing the password history would not produce an audit for password displayed.
  • Fixed issues with password changing for Oracle accounts without the Alter User privilege.
  • Fixed potential issues with Service Account Discovery importing duplicate dependencies.
  • Fixed issue where the password strength indicator on Secret View could be incorrect.
  • Fixed issues with Dependencies not matching correctly in Discovery if the username format was different.
  • Fixed issues with Service Account Discovery import not properly matching to existing Secrets.
  • Fixed issues with Local Account Discovery rules importing accounts from OUs excluded from the domain level scanning.
  • Individual computer discovery scan logs are now limited to the number of entries stored to prevent excessive database growth.
  • Fixed issue where the search results on Dashboard could sometimes be incorrect due to timing of search.
  • Fixed issues with the header search box ignoring custom columns in the returned results.
  • Fixed issue with an incorrect validation for Folder permissions when saving a Secret through web services.
  • Fixed issue where the password strength icon on Secret View was incorrect in some cases.
  • Added missing Check In method to the windows authenticated web service API.
  • Fixed issue where the Check Out information was not correctly populated by the return value of the GetCheckOutStatus web service method.
  • Fixed issue with enter key not starting the launcher when a drop down list was used for the target machines.

Release Notes 8.3.000019

Main Focus: SAML Support

  • Added support for SAML 2.0 for authentication to Secret Server. Additional information on configuring SAML can be found here.
  • Added configuration option to allow approval or denial of access requests directly from the email notifications.
  • Updated Discovery to use the DNS name of the target machines for environments where that differs from the machine name.
  • Added an additional configuration option to allow a separate timeout option for API sessions.
  • Added the option to set a custom password requirement on the Secret.

Bug Fixes

  • Fixed several places that had double encoded HTML.
  • Fixed issue with the Create button getting disabled in some cases when making a new Discovery Rule.
  • Fixed searching issue with Discovery Rules when searching in Child OUs.
  • Fixed error exporting Secrets to CSV for large numbers of Secrets.

Release Notes 8.3.000002

Main Focus: Security Fix

  • Fixed issue where administrators could export Secrets they had access to via inactive groups. This was reported by a customer and a fix was released within 24 hours.
  • Exported Secret history can be viewed through this report.

Release Notes 8.3.000001

Main Focus: Bug Fixes

  • Fixed issue with editing Security properties on a Secret where the Template did not have a Remote Password Changer mapped.
  • Reduced timeout on Web Password Filler to streamline automatic logins where only one Secret matched.
  • Added performance index for stored session images.

Release Notes 8.3.000000

Main Focus: Website Password Changing and Bug Fixes

  • Website Password Changing. Secret Server now supports password changing on Amazon and Google Accounts in addition to improvements to Windows Live password changing.
  • Administrators can limit Discovery to only search certain OUs for Windows Local Accounts and Service Accounts.
  • Added new SonicWALL password changers for latest SonicWALL firmware versions.
  • Added French Language Support
  • The recipient email address is now displayed when testing email on SMTP Configuration.
  • Added SearchSecretsLegacy Web Service API method to allow calls for Search Secrets via GET requests.

Bug Fixes

  • Fixed issues with Windows Live password changing due to changes on Microsoft’s site.
  • Fixed issue where the File Dependency could get a logon failure due to privileged account username format.
  • Fixed issue where Web Service authentication failed if the user did not have the View Deleted Secrets permission in some cases.
  • Fixed double encoding of text in a few places in the UI.
  • Save to File on the Admin Performance page now exports Fastest Time.
  • User IP Address Restrictions redirects properly if navigated to with an incorrect querystring.
  • Fixed issue where the Discovery Import could break if an Active Directory Secret was Double Locked.
  • Fixed issue when searching using Unicode characters in search terms on Dashboard.
  • Fixed display issue with editing multiple file attachments on a Secret.
  • Removed obsolete warning on Secret Template regarding write access to file system.
  • Fixed display issues with Copy Secret button.
  • Fixed issue where a required Secret File Field could be saved without an attachment.
  • Added required field indicators on the Password Requirements page.
  • Fixed issue where emails could be configured in Discovery Rules even when an SMTP server was not configured.
  • Added validation to prevent users from enabling email two-factor when an SMTP server was not configured.
  • Fixed issues with Sharing Secrets with large numbers of individual users.
  • Fixed error when setting up ConnectWise integration in a new Secret Server installation.
  • Added timeout to the RADIUS login page.
  • Added validation for day of month when creating a Secret AutoChange Schedule.
  • Fixed visibility issue with the Add Secret button on the Web Password Filler.
  • Fixed issue with clear search button in IE 10.
  • Fixed issue with updating Secrets via web services if some fields were left blank.
  • Fixed issue with the Reset Password test action on Remote Password Changers using privileged accounts.
  • Fixed performance issue in some environments when authenticating via web services.

Release Notes 8.2.000001

Main Focus: Web Password Filler Updates and Bug Fixes

  • Notes Fields can now be marked as “Exposed for Display”.
  • The Web Password Filler will now try to automatically fill out login information even if the Secret has not been configured by an owner.
  • For Heartbeat on Windows Accounts, the error condition of “RPC Service Is Unavailable” is now considered to be an Unable to Connect result.
  • Webservice Functionality Change: GetSecretsByField now only returns Secret Items that have been marked as “Exposed for Display” and no longer writes an audit record for each Secret returned.

Bug Fixes

  • Fixed occasional error with processing Session Recordings for certain resolutions.
  • Fixed default sort order on Dashboard.
  • Fixed issues with Web Password Filler in IE8.
  • Fixed issue where users were not prompted to enter a comment, or request access when logging into a website with the Web Password Filler.

Release Notes 8.2.000000

Main Focus: Custom Columns

  • Secret Server now requires the database to be set to 2005 Compatibility Mode or higher. Please refer to this KB article for steps on how to set that property.
  • Added ability to specify custom columns on the Dashboard search. They can be Secret status information such as Heartbeat Status, or Days until Expiration, and allowed Secret Values.
  • Updated and added new methods to the Web Services API. For full descriptions of the Web Services methods, please refer to the Web Service Guide.
    • SearchSecretsByFieldValue
    • AddNewSecret
    • GetNewSecret
    • UpdateSecretPermission
    • UpdateSecretPermission
    • CheckInByKey
    • Potential Breaking Change: The CheckOutEnabled property moved from Secret to the new Secret Settings section.
    • Potential Breaking Change: The GetSecret, SearchSecrets, and SearchSecretsByFolder methods now have additional parameters.
  • New Audits and Event Subscriptions for Displaying Passwords, and Copying to Clipboard.
  • RADIUS Two Factor can be set to be automatically enabled on new users per Domain.
  • Discovery Network View now remembers the last selected tab.
  • Increased performance on the Discovery Network View.
  • Increased performance for Reports.
  • Added optional retry interval on Secret Template for failed password changes.
  • Added TimeZone configuration option.
  • Added a timeout setting for automated backups.
  • Inactive Users can now be selected in Reports.

Bug Fixes

  • Updated the session recording video processing to work on Server 2012 x64 environments.
  • Fixed issues with the XML Import / Export not applying permissions correctly when inheritance should be used.
  • Fixed button layout for some resolutions on the User Edit page.
  • Fixed bug where GetSecretAudit API method required Secret View permission.
  • Fixed layout of Weekly and Monthly schedules for reports in Internet Explorer.
  • Users can no longer click the RADIUS login button multiple times.
  • Fixed paging on Discovery Network View.
  • Fixed searching in Service Account Discovery log.
  • Fixed potential incorrect Secret matches for Local Account Discovery when machine names were too similar.
  • Discovery for Service Accounts now correctly handles the stored record if the Windows Service no longer exists or is running under a different account.
  • Fixed issue where Service Account Discovery would not run automatically in Enterprise Edition.
  • Fixed Windows Service Dependencies for connecting by IP Address for Local Accounts.
  • Fixed bug where RADIUS could be disabled if login security settings were modified and the user didn’t have permissions to the RADIUS configuration.
  • The Regular Expression in the Flat File Dependency type is no longer case sensitive.
  • Fixed potential exception during audit when adding large numbers of users to a group.

Release Notes 8.1.000014

Main Focus: Default Privileged Account

  • Added ability to set a default Privileged Account for Windows and Active Directory Secret Templates.

Bug Fixes

  • Fixed issue where personal Secret settings required Edit permission.
  • Fixed bug with Copy Secret not showing field values.

Release Notes 8.1.000011

Main Focus: Web Service API & Secret Field Security

  • Added Assign Agent method to Web Service API.
  • Added Create User method to Web Service API.
  • Added Get Secrets in Folder method to Web Service API.
  • Added the ability to restrict edit access at the Secret Template Field level.
  • Added the ability to set Secret Fields to not display in View mode.
  • Added the ability to restrict Session Launcher computers to a specified list for when the computer is selected by the user.
  • Minor display fixes on the Dashboard.
  • Improved usability of the Web Password Filler.
  • Sorted Bulk operations on Dashboard.
  • Added the ability to set a default domain for the login screen.
  • Added an ‘Inherit’ option to Discovery Rules to allow optional overriding of the configuration setting for created Secret permissions.
  • Customers with Event Subscriptions for Configuration Edit will receive an email during the upgrade, for more information refer to this KB article.

Bug Fixes

  • HSM Encryption integration fixes
    • Fixed session-use issue.
    • Fixed threading issue.
  • Fixed an issue where certain event subscriptions did not fire for web services and bulk operations.
  • Fixed an issue with email two factor login.
  • Prevented AutoChange Schedule drift on start times.
  • Improved the performance of Service Account Discovery and fixed issue due to duplicate names.
  • Fixed a display issue on the AD sync user preview.
  • Added an audit for Enable and Disable Role.
  • Fixed issue with auto linking on the first column in Custom Reports.
  • Enhanced Folder security related to root folders when being moved.
  • Prevented issue where manual failover to a different web server may not occur in certain configurations.
  • Fixed an issue where the Web Password Filler displayed duplicate Secrets.
  • Fixed Sybase reference errors that could occur during Sybase password changing.

Release Notes 8.1.000000

Main Focus: SAP Platform Support and Languages

  • SAP Platform support (Enterprise Plus)
    • A new SAP Secret Template was added to include all the fields required by the SAP Password Changer.
  • Web Password Filler
    • Users can now install a bookmarklet that will fill in website login forms with Secret data. This is simpler to configure, and will work on more websites than the existing Web Launcher feature.
  • Check Out Hooks using PowerShell
    • Custom PowerShell Scripts can be run as “before” and “after” actions for CheckOut enabled Secrets.
  • New Languages
    • Dutch (Thank you to our partner Jan Dijk and his team at MCCS in the Netherlands for providing this translation)
    • Chinese (Simplified)
    • Spanish
    • Portuguese
  • Added new API method GetSecretsByFieldValue that will return Secrets based on an exact match of a search term on a specific field.
  • Increased Session Recording efficiency, movies now take up less storage in the database.
  • Users can now add Folders and Edit Folders from the Dashboard.
  • Users now have access to community and support resources from the Help Menu.

Bug Fixes

  • Fixed bug where importing multiple service accounts created multiple Secrets.
  • Fixed bug where certain special characters in the Dashboard Search could not be used.
  • Fixed error where a Custom Launcher could throw an error if no parameters were set.
  • Fixed bug where Admins could not disable a user with the same username but for a different domain.
  • Fixed issues with PowerShell scripts impersonating as Privileged Accounts. PowerShell scripts now require that the WinRM service is configured.
  • Updated the collation check on installation and upgrades to better handle different SQL language collations.
  • Fixed bug where movies longer than 24 hours could not be processed.

Release Notes 8.0.000005

Main Focus: Bug Fixes

  • Fixed bug where Associated Secrets for certain SSH Password Changers were hidden in the UI after upgrading.
  • Fixed bug where Active Directory Groups with a symbol in the name weren’t able to be synchronized.
  • Fixed issues found during internal security review.

Release Notes 8.0.000004

Main Focus: Minor Improvements and Bug Fixes

  • Improved long term SQL performance in heavy load scenarios.
  • Fixed an issue related to privileged account visibility on the Secret Remote Password Changing page.
  • Loosened collation restrictions.
  • Updated contact information.

Release Notes 8.0.000000

Main Focus: New Dependencies And HSM Integration

  • PowerShell Dependencies (Enterprise Plus)
    • Administrators can upload custom PowerShell scripts which can be set as Dependencies on Secrets.
    • After a password change Secret Server can execute Administrator created scripts as custom actions.
  • IIS Application Pool Recycle
    • Adds the ability for Secret Server to recycle an application pool without updating the Application Pool’s service account.
  • New installations have an option to specify a SafeNet HSM for encryption. (Enterprise Plus)
  • Added functionality for an Administrator to upload a batch file for use with a Custom Launcher.

Bug Fixes

  • Fixed issue where the Launcher failed in IE in certain security zones.
  • Fixed error that could appear in the system log due to OU’s being deleted after the Discovery Process ran.
  • Fixed duplicate checking in the CSV import.
  • Fixed layout issue with the Report Widget in lower resolutions.
  • Inactive Application Accounts are now hidden by default on the User Administration page.
  • Fixed potential XSS vulnerability on the Dashboard.
  • Fixed issues with Custom Launchers running as Privileged accounts of different Secret Types.
  • Exporting reports or logs to CSV will now include the timestamp instead of just the date.

Release Notes 7.9.000004

Main Focus: Security Update

  • Fixed issue with launchers and Secret Check Out.
    • (This was reported by a customer – the issue was confirmed, fixed and released within 24 hours by the Secret Server team.)

Release Notes 7.9.000003

Bug Fixes

  • Fixed issue that prevents upgrades on a non-default collation on the SQL Server database.
  • Fixed issue where a scheduled report email would show an image link when no image was specified on the report.

Release Notes 7.9.000001

Main Focus: Layout and Bug Fixes

  • Fixed display issue in Folder Tree for Bulk Move to Folder for Chrome.
  • Fixed layout issues in Admin Network View for IE 7.
  • The Windows Auth Web Services will now resolve an authenticated user by friendly domain name in addition to the previous authentication methods.
  • Fixed error when manually emailing a report with parameters.

Release Notes 7.9.000000

Main Focus: Automatic Import of Local Accounts

  • Secret Server Discovery now includes automatically creating Secrets when Local Accounts are found using “rules” (Enterprise Plus Edition)
    • Administrators can specify users that should be alerted when Local Accounts are discovered.
    • Administrators can create search rules to create Secrets when Local Accounts are discovered.
  • Service Account Discovery for all Service Accounts (Enterprise Edition)
    • Secret Server will scan machines on the domain and retrieve Windows Services that run under a domain service Account.
    • Administrators can manually import these as Secrets with Dependencies, or if the Secret already exists, import the Windows Service as a Dependency.
  • Linked Accounts for Custom Launchers
    • If a Secret Template is tied to a custom launcher, the owner can link other Secrets to either run the custom process, or to use for command line parameters.
  • Added bulk operations for “Hide Launcher Password”.
  • When Unlimited Administrator is turned on, a banner is displayed on the dashboard warning users that it is on.
  • Added Check In / Check Out events to Event Subscriptions and SIEM events.
  • Updated error display icons to be more prominent on Event Subscription, and Password Rule screens.
  • The search grid on Dashboard now expands to full screen if no widgets are in the rightmost column.
  • Added installer check to prevent installation on non-compatible SQL Server collations.
  • Improved performance for reports that checked Folders and Permissions.

Bug Fixes

  • Fixed issue where certain unpatched versions of IE8 would not display Dashboard correctly.
  • Fixed bug where the password compliance status of a Secret was not updated after a remote password change.
  • Fixed issue on the Discovery page where Accounts linked to deleted Secrets were not returned when searching for Unmanaged accounts.
  • Fixed error in the system log due to incorrect parsing of Dates in certain locales.
  • Fixed bug where Application Accounts could be set as Secret Approvers.
  • Fixed bug where Secret Owners could change Share permissions on Secrets that were set for Approval for Access without getting approved.

Release Notes 7.8.000062

Main Focus: Security/Bug Fixes

  • Fixed security issue found during internal security review. (All customers are recommended to upgrade)
  • Fixed locale issue on web browsers for unusual locales.

Release Notes 7.8.000061

Main Focus: Scheduled Reports

  • Added scheduled reports
    • Administrators can now set up Report generation on specific schedules.
    • Reports can be emailed to a subscription list.
    • Reports can be set as “Health Checks” that will only be delivered if the conditions of the Report are met.
  • Added #STARTWEEK and #ENDWEEK as dynamic Report parameters.
  • Updated Active Directory Synchronization to make adding synchronization Groups in large Domains easier.
  • Added Event Subscription for support license expirations. Admins can now be notified when support licenses need to be renewed.
  • Updated calendar and search controls throughout the application for formatting and consistency.
  • Improved inactivity timeout
    • If a tab is closed but not the browser, inactivity timeout will now work.
    • If multiple tabs are open for Secret Server, being active on any tab will prevent inactivity timeout from occurring (Except for IE).
    • If inactivity timeout occurs, all open Secret Server tabs will be redirected to the logout page (Except for IE).

Bug Fixes

  • Recorded IP Address in the Secret Audit record when a Dependency is updated.
  • Added guard to prevent the expiration of Secrets through web services when Expiration is disabled on the Secret Template.
  • Fixed the installer so it properly detects a local instance of Microsoft SQL Server 2012.
  • Fixed Windows Live Password Changer due to updates on the Windows Live site.
  • Updated Chrome Copy To Clipboard extension, it now installs from the Chrome web store to comply with the latest release of Chrome.
  • Fixed bug where updating personal notifications for a single Secret could update personal notifications for other Secrets.

Release Notes 7.8.000048

Main Focus: Windows Live password changer and COM+ dependencies

  • Added support for changing Windows Live web passwords.
  • Added support for COM+ Applications as Dependencies.
  • Added new Bulk Operations
    • Disable AutoChange
    • Disable Comment On View
    • Undelete
  • Added Folder Name on Secret Audit header.
  • Added Configuration option to prevent duplicate Secret names.
  • Added name of Template created to Create Template Event Subscription emails.
  • Added additional web service methods to the windows authenticated web service.
  • Added Copy Secret Template.
  • Added new Folder Slider on Dashboard to make navigating highly nested Folder trees simpler.
  • Added additional tooltips to the Secret View page.

Bug Fixes

  • Fixed issue where Agent connections could sometimes fail due to the version not being handled properly.
  • Fixed issue where SQL Password Changing could fail when the target SQL instance was configured to use a dynamic port.
  • Added missing audit record for when a Secret moves to the root folder due to the Folder getting deleted.
  • Fixed missing localizations on the IP Address page.
  • Fixed issue where users could import Secrets without Folders when the configuration option to require Folders was turned on.
  • Fixed bug where Template Name could be set to blank.
  • Fixed bug where Secret permissions could get in an inconsistent state when Bulk Changing permissions and inheritance was enabled.

Java API Release Notes

  • Added file attachment support.

Release Notes 7.8.000040

Bug Fixes

  • Added support for Next TokenCode mode for RADIUS servers.
  • Fixed performance issues in Folders for IE on dashboard.
  • Fixed issue where the custom commands for UNIX Remote Password Changers would not correctly parse Fields with adjacent special characters in the test dialogs.
  • Fixed issue where a Secret Field specified in the Parameters value of a Custom Launcher would not get masked if Hide Launcher Password was enabled.
  • Fixed incorrect display width of Folders in Folder Administration.
  • Fixed duplicate Folder name shown in Reports for highly nested Folders.
  • Fixed bug where OK button would not enable on folder picker for bulk operations sometimes in certain browsers.

Release Notes 7.8.000039

Main Focus : SonicWALL Integration and SSH Enhancements

  • Added support for changing passwords on SonicWALL NSA devices.
  • Added support for SSH password changing where no user authentication is required to establish a connection. Used for BlueCoat Packet Shaper devices.
  • CSV Import with Folder now creates the Folders if they do not exist.
  • Added a column to show whether a Group is Active on the Group Membership report.
  • Updated the Get Secret Audit API method to not check out a Secret if Check Out is enabled.
  • Made it more clear when a folder is selected for non-default themes.

Bug Fixes

  • Fixed potential issue with heartbeat on SSH Secrets that would cause heartbeat to stay in pending and shut down the web application due to incompatible SSH versions.
  • Fixed issue where Folders might not return in a sorted order on Dashboard.
  • Fixed display issues on Dashboard for IE 9.
  • Fixed bug where Configuration Change event subscriptions did not fire.
  • Fixed line ending issue that caused password changing on HP iLO devices to not work.
  • Fixed bug that caused Windows Authentication Web Services to not work.

Release Notes 7.8.000036

Main Focus : Application API and Ticket System Integration

  • Added Application User type for use with the Application API.
  • Added support for Authenticated SMTP.
  • Added LDAPS support for Active Directory.
  • New Bulk Operations
    • Change Check Out Status.
    • Convert Secret Template.
  • New Web Service API methods
    • Secret Status to show whether a Secret is checked out.
    • Import XML to automate the advanced import.
    • Enable Check Out.
    • Expire Now.
    • Get Secret Audit.
  • Discovery
    • Added new Reports for Discovery diagnostics.
    • The Full Scan log is now stored per computer.
    • Added Re-Scan button for each computer.
  • Ticket System Integration
    • Administrators can enter a support system URL to navigate to Tickets from the Secret Audit.
    • Users can enter a ticket number for Require Comment and Approval for Access.
  • Configuration option to change Default Secret permissions to Secret Creator only.
  • Added option to allow Editors to bypass Approval for Access.
  • Increased the maximum length on all Secret fields from 1991 characters to 10000 characters.
  • Added new role permission for the Advanced Import.
  • Increased security in the PuTTY launcher to prevent password exposure in the command line arguments.
  • Added option to exclude Secrets from the User Audit Report that have been changed since the User last viewed them.

Bug Fixes

  • Fixed issue when removing more than one field during a Template Convert.
  • Fixed issue with Event Subscriptions Dependency Failure Events that caused the alerts to be sent every time a dependency was changed.
  • Fixed issue where Application Pool Dependencies would sometimes not verify due to casing in Dependency Name.
  • Added support for UTF-8 characters for the service account’s password for Active Directory Synchronization.
  • Added support for UTF-8 characters for RADIUS two factor.
  • Fixed issue where password requirements would validate on non-required password fields.
  • Updated the Automatic Backup so it will not try to delete backup types that are not enabled.
  • Fixed issues with datagrid paging on the Event Subscriptions screen.
  • Fixed error when saving the Backup Log to a file.
  • Fixed issue with Telnet Password Changer not always respecting the correct line endings.
  • Fixed issue where Active Directory Group renames would not correctly resolve when synchronizing a low number of Groups.
  • Fixed error on Event Subscription page when running Secret Server in FIPS compliant mode.
  • Fixed display issues on Dashboard for Internet Explorer 9.
  • Fixed error when returning a large number of Secrets in a Dashboard search.
  • Improved email address validation for Activation.
  • Improved performance on Discovery Network View.
  • Fixed issue where Secrets with a 1 Day Expiration interval could change every 2 days.
  • Prevented potential XSS attack on the Discovery dialog.

Release Notes 7.8.000015

Main Focus : Bug Fixes

  • Fixed issue with Active Directory Synchronization for some cases where if a group was disabled, it did not get re-enabled after being resynchronized.
  • Fixed issue with Active Directory Synchronization where groups with a custom schema would not be synchronized correctly.
  • Fixed issue with Active Directory Synchronization where distribution groups would incorrectly get synchronized if manually added to the synchronization group list. Distribution groups will no longer work in AD sync – you must use Security Groups in AD.
  • Fixed issue on Password Requirement Edit screen where a Password Requirement would fail validation if a description was not entered.
  • Fixed issue with the advanced XML import where Secret data would not be created properly if there was a case sensitivity difference in the Secret Field Name and the Secret Template Field Name.
  • Fixed issue with the advanced XML import where a Folder with trailing spaces in the Folder Name could be created, but no Secrets in the import would be added to the Folder.

Release Notes 7.8.000014

Main Focus : Bug Fixes and Usability Enhancements

  • Added extra detail to the Export and Unlimited Administrator email alerts.
  • Added arrow key support for the Folder search on Dashboard and the quick search in the header.
  • Dependency Searcher now alpha sorts machines and shows the target OS when possible.
  • Added Check All option for Windows Services found by the Dependency Searcher.
  • Domain and Username are remembered on the Dependency Searcher.
  • Added support for updating Windows Services Dependencies that are on the same machine as an Agent or the Secret Server application.
  • Added help text for IP Address ranges.
  • Added explanation on the Secret Audit page and the Secret Security tab for how often View Audits are recorded.
  • Added option to separately backup the application and database.
  • Changed “Indexable” to “Searchable” in the Secret Template Designer.
  • Added IP Address auditing for the imports.
  • Modified privileges required to change a Secret’s Folder. Secret Owners can change a folder regardless of whether they have the “Share Secret” permission and the Folder is inheriting permission. See the User Guide for the full details on Folder and Secret inheritance rules.
  • Removed option to specify minutes for offline access in Configuration.
  • Improved error notification for the Advanced Import dialog.
  • SecretID Columns are now clickable links in the Reports.
  • Added Audit record for when Hide Launcher Password is changed.
  • Added additional validation for Active Directory Domains to automatically resolve the Domain Name to the Fully Qualified Domain Name.

Bug Fixes

  • Fixed issue with Dollar signs in custom UNIX\Cisco accounts.
  • Fixed bug with large result sets when searching for linked accounts.
  • Fixed issue with inactivity timeout on the server prompt for launcher for AD Secrets.
  • Fixed bug where $$CHECKFOR and $$CHECKINFO commands did not work on the Password Changer test dialogs.
  • Fixed issue where the Keep Alive monitor would log an error if the site certificate wasn’t trusted.
  • Fixed a bug where the database backups would not get deleted if in a separate folder from the web application backups.

Release Notes 7.8.000010

Main Focus: Configuration file support for Service Accounts

  • Configuration files can now be managed for Service Accounts.
    • Secret Server can update hardcoded values stored in configuration files using Regular Expressions when changing service account passwords. (Dependency Regex KB)
  • Secret Dependency Page updated to more easily handle ordering (drag and drop) and Dependency specific information.
  • Added Active Directory synchronization optimizations for large domains.
  • New Folders default to inherit permissions.
  • Added Group handling to Advanced XML Import.
  • Diagnostics page now includes database name for configuration purposes.
  • Secret Template edit automatically re-focuses to next row when adding fields.

Bug Fixes

  • Fixed XSS vulnerability with the privileged account picker control.
  • Fixed open redirect vulnerability on the Login page when already logged in.
  • Fixed possible database connection error for long running Active Directory synchronizations and other background threads.
  • Fixed auto complete issue on some sensitive fields.
  • Heartbeat status is now automatically updated when RPC succeeds.
  • Fixed issue with Oracle password changing failing on passwords with certain special characters.
  • Fixed issue with Agents not properly failing over in clustered instances.
  • Fixed issues in advanced XML import when loading items with duplicate permissions.
  • Fixed issue with incorrect lockout warning on Group and Role Assignment page.
  • Fixed error for Event Subscriptions with inactive users.
  • Fixed potential timeout errors on Diagnostics page.

Release Notes 7.8.000002

Bug Fixes

  • Fixed issue with web services for Windows Authentication not enabling properly.

Release Notes 7.8.000001

Bug Fixes

  • Fixed wording of confusing instruction text when changing a Secret’s Template.
  • Fixed header version to reflect the correct version.

Release Notes 7.8.000000

Main Focus: Password Changing Integrations and Custom Launchers

  • Created Java API for use in embedded scripts without hardcoding a password.
  • Added MySQL Password Changer and Template.
  • Added OpenLDAP Password Changer and Template.
  • Added DSEE Password Changer.
  • SQL Server password changes can now use a privileged account.
  • Admins can now create configurable LDAP based Password Changers.
  • Added Custom Process Launchers to start user specified applications on a client machine with credentials from the Secret.
    • Added PowerShell, SQL Management Studio, and Sybase iSQL custom launchers.
  • Added XML Export option to simplify restoring or migrating from an export.
  • Added support for sys accounts for Oracle password changes.
  • Updated Activation to handle VM environments better.
  • Added Convert Secret Template.
  • Added option to Check Out a Secret without changing the password on Check In.
  • Added new report to show Secrets with pending approval requests.
  • Added change password web service method.

Bug Fixes

  • Fixed bug where disabled accounts in Active Directory did not get automatically disabled in Secret Server.
  • Fixed bug with dependency finder when using Agent.
  • Fixed issues with Oracle connection strings exceeding allowed length.
  • Fixed bug with Login Other Location in Firefox.
  • Fixed bug with Secret Server user password history.

Release Notes 7.7.000012

Main Focus: Secret Server Installer Improvements

  • Added MSI for initially installing Secret Server.
  • Added ability to create the database if it does not exist during installation.
  • Added support for a RADIUS failover server.
  • Added more descriptive message when secret is checked out and then accessed from mobile devices.
  • Added message to Role page to highlight any permissions that are not currently assigned.

Bug Fixes

  • Fixed bug with visual keyboard that caused it to not submit correctly.
  • Fixed bug where error occurred when using Unlimited Administrator and attempting to checkout a Secret.

Release Notes 7.7.000009

Main Focus: Secret Template Improvements

  • Added auditing to all Secret Template and Secret Field actions.
  • Updated Secret Fields to use a soft-delete so the data can be retrieved.
  • Added Chrome support for Copy-to-Clipboard.
  • Added clustering support for Remote Password Changing Agents.
  • Added embedded searching and Page Size settings to most Admin Logs and Grids.
  • Added exception logging to SQL Account Password Changing.

Bug Fixes

  • Fixed issue with Expired Secrets not sending event alerts.
  • Security Fix for restricting the search textboxes to a max length.
  • Security Fix to prevent XPath expressions with the language resources.

Release Notes 7.7.000002


  • Created the Password Compliance Report Category.
  • Renamed the Non-Alphanumeric Character Set to Symbol.

Bug Fixes

  • Fixed bug where the Remote Desktop Launcher was not properly cleaning up configuration files.
  • Updated the Password Requirement edit page to prevent overriding the minimum length while entering the maximum length.

Release Notes 7.7.000001

Bug Fix

  • Fixed bug where Secret Update email alerts are triggered by checking Password Compliance.

Release Notes 7.7.000000

Main Focus: Advanced Password Requirements

  • Advanced rules can now be applied to password fields on the Secret Template.
    • Multiple custom character sets can be created and used in these rules to more exactly limit the type of password generated.
    • New reports to show what passwords do not meet complexity requirements.
    • Validation can be enabled to prevent saving Secrets that do not meet the password complexity requirements.
  • Added audit record for machine when using an Active Directory account to launch Remote Desktop and PuTTY.
  • The advanced XML import now includes Secret dependencies.

Bug Fixes

  • Fixed bug in the color column on custom reports.
  • Fixed bug that could cause the Local Account Finder in Discovery to fail for some sets of credentials.
  • Fixed bug where the default folder was not always being set on Dashboard.

Release Notes 7.6.000000

Main Focus: Discovery

  • Discovery: Account Import (Enterprise Plus)
    • Administrators can now scan for domain joined machines and import local Windows accounts into Secret Server.
  • Dependency Ordering
    • Dependencies can now be ordered and a wait time can be specified which will be observed before the Dependency is updated.
  • Added new Password Changers for Juniper, HP ILO, and Blue Coat Devices.
  • Added option on custom password changers to specify line ending type (CR/LF).
  • Added new Web Services methods for file upload and download from Secrets.
  • Added new Bulk Operation to set the privileged account for Windows and AD Secrets.
  • Added Secret Copy event for use in Event Subscriptions.
  • Added configuration option to send Syslog/CEF messages by TCP instead of UDP.

Bug Fixes

  • Fixed bug where Secret Copy created an Edit Audit Record.
  • Fixed bug where dates in reports did not observe the user’s date format preference.
  • Fixed bug with dates as report parameters on non-US SQL installations.
  • Fixed bug where unchecking All on Secret Template History caused error.

Release Notes 7.5.000002

Bug Fixes

  • Fixed cross-site scripting (XSS) vulnerability on Secret View screen related to URL fields.
  • Fixed command injection vulnerability in the PuTTY Launcher.
    • (These were reported by a customer performing a security audit – the issues were confirmed, fixed and released within 24 hours by the Secret Server team.)
  • Fixed issue with limited number of concurrent Agents being able to connect.

Release Notes 7.5.000001

Bug Fixes

  • Fixed Configuration page to only show video codec option when Session Recording is on.
  • Fixed bug where Secret Server uses excessive CPU resources related to new Discovery capabilities.

Release Notes 7.5.000000

Main Focus: Discovery and Session Recording

  • New Discovery Network View (Enterprise Plus)
    • Brings together the view of the network and the Secret Server repository to show Administrators whether local accounts on Domain Computers have corresponding Secrets.
  • Session Recording (Enterprise Plus)
    • Remote Desktop or PuTTY sessions can now be recorded and the full movie is available as part of the audit. This setting can be configured per Secret and role permissions control who can access the audit movie.
  • Hide Launcher Password setting can now be configured per Secret as an alternative to the role permission.
  • Users are now automatically redirected from the pending request page when their request for access has been approved.

Bug Fixes

  • Fixed copy to clipboard bug in Remote Desktop launcher.
  • Fixed bug where users were not correctly removed from Groups in Secret Server during synchronization when the AD Group is empty.
  • Fixed bug where CEF port defaulted to -1 in Configuration.


Bug Fixes

  • Fixed bug in Approval for Access Quick Pick control.


Features and Enhancements

  • New Enterprise Plus Edition
    • Added SIEM integration using CEF and Syslog formats.
    • Support for front end server clustering.
  • Added Group filter on Active Directory Synchronization screen.
  • New Copy Secret option.
  • New Delete Secret Role Permission.
  • New Events for Users.
    • Login, Logout, Login Failure, and Password Change
  • File attachments are now stored in the database rather than the file system.
  • Added new Advanced Import option from XML.

Bug Fixes

  • Calendar on Approve Access now respects all date formats.
  • Fixed Tab and Copy to Clipboard bugs in IE9.
  • Fixed issue where users assigning groups needed Administer Roles permission.
  • Search box on Dashboard is now automatically given focus.
  • Fixed bug with Secret data not always formatting correctly in Dashboard Widgets.
  • Fixed bug where option to view deleted secrets showed incorrectly on Dashboard.
  • Fixed bug with single quote in search breaking not working on dashboard.
  • Fixed security issue with Ajax services.
  • Fixed bug with alternative Active Directory account name formats not being supported.


Security Update

  • Fixed potential cross-site scripting vulnerabilities on Administration screens. (This was reported by a customer who performed a security audit – the issue was fixed and released within 24 hours by the Secret Server team.)
  • View this Knowledge Base article for having Secret Server require secure cookies. This is done through changing a setting in the web.config.


Main Focus – Bug Fixes

Features and Enhancements:

  • Updated the Browse widget on Dashboard to highlight the search term when the tab loads.
  • Added Activate Offline button.

Bug Fixes:

  • Updated License Activation to support Unicode characters in the license name.
  • Fixed bug in the phonetic icon on Secret View.


Main Focus – User Interface Improvements

Features and Enhancements:

  • Added a new front end home page called Dashboard. For a movie preview click here
    • Multiple Customizable Tabs.
    • Draggable Widgets.
    • Report Widgets.
    • Expandable Secret View in search results.
    • Streamlined Folder and Secret search.
  • Added new setting for how unmasking a password works (hold versus single click).
  • Added new header menu with drop down navigation.
  • Added additional auditing to the upgrade process.
  • Added license activation to Secret Server, existing customers have 30 days to activate.

Bug Fixes:

  • Fixed bug in DBConnectionReset page.
  • Fixed bug in Users Activity Report.
  • Fixed bug where the application would sometimes give an error after a fresh install.
  • Fixed validation bug in assigning Role by User.
  • Fixed bug in Dependency finder where unchecking the ‘select all’ did not unselect all computers.
  • Fixed bug in Search having to do with inactive groups.
  • Extended RADIUS two factor timeout.


Features and Enhancements:

  • Added Folder Path, whether child folders were exported, and number of secrets exported to Export Log grid.
  • Added audit records to each secret when exported.


Bug Fixes:

  • Fixed issue in 7.2.000001 that could cause duplicate users to be created during an AD sync.


Bug Fixes:

  • Fixed bug in Active Directory Synchronization for custom schemas.
  • Fixed memory issue in Active Directory Synchronization for large domains.
  • Fixed bug in the Event Engine administration section for Professional Edition.
  • Fixed bug with two factor pin code email timeouts.


Main Focus: Event Subscriptions (“Custom Alerts”) and Active Directory Synchronization Performance

Features and Enhancements:

  • Event Subscription feature:
    • Users can receive email alerts for custom event subscriptions.
    • Subscription events include: Unlimited Administration Mode toggle, Secret Edit/Add/View, Role and Group Assignment changes, Secret Expiration, Configuration changes, and many more.
  • Improved Active Directory Synchronization to reduce time spent retrieving domain information.
  • Added option to additionally force owners and approvers to request access on a Secret.
  • When approving access to a Secret, users can specify the access window down to the minute.
  • Added optional port field to the default Oracle Template and Oracle Remote Password Changer.
  • Increased performance for folder permission updates.
  • Removed Security Code from Credit Card Template for new installations for PCI compliance.

Bug Fixes

  • Fixed bug where duplicate Secrets could occur during create.
  • Fixed bug with assigning groups by users for administrator role validation.
  • Fixed bug where the custom command test action did not correctly replace all parameters.
  • Updated Heartbeat to perform additional validation in cases where accounts may not have the login privilege.
  • Fixed web launcher for Chrome and Safari.


Main Focus: Usability and Performance

NOTE: An important security update has been released for the Microsoft .NET Framework. Please ensure that this update is installed on your server to ensure maximum security. For further detail and how to obtain the patch, please click here.

NOTE: We are phasing out support for Microsoft SQL Server 2000. Future releases will not support Microsoft SQL Server 2000.

Features and Enhancements:

  • Added support for changing Scheduled Tasks on Windows Server 2008 and Windows 7 instances.
  • Improved Search performance for highly nested folders.
  • Offline upgrades can now be performed by uploading a local zip file.
  • Database Connection Reset page now resets the application automatically.
  • Require Comment to View and Approval for Access can now be applied to the same Secret.
  • Require Comment to View coincides with checking out a Secret.
  • Secret Access Request now shows full request history on Pending Requests page.
  • Notification emails sent for Request Reason now contain the user entered reason comment.
  • Added ability to encrypt the instance encryption key with DPAPI for added security.
  • Backup file path now allows all valid special characters.
  • Allow setting an AutoChange schedule on a Secret before enabling AutoChange.

Bug Fixes

  • Fixed bug in Integrated Authentication with local Windows Accounts.
  • Secrets mapped to Users through inactive groups are no longer visible in custom reports.
  • Fixed exception that occurs on Remote Password Changing Agents after upgrades.
  • Fixed issue where updating file attachment did not save in certain situations.
  • The Enter key now works on home page search box.
  • Fixed sort for inactive users on User Administration page.
  • Fixed Active Directory Synchronization login error on Domain search when fully qualified username was not used.
  • Fixed bug in Oracle password changing by updating template to allow additional parameter specifications.
  • Fixed bug in the autopopulate search where clicking a Secret failed to navigate to the Secret view page.
  • Fixed error when running “Test Action” on remote password changer custom commands.


Security Update

  • Updated Error Reporting in order to address a vulnerability in ASP.Net. For more information see this Knowledge Base article


Secret Server Agent

  • Use Remote Password Changing, Heartbeat, Dependency Finder on external networks.
  • Easy Agent Installation with MSI.
  • High Security: Full over-the-wire Encryption.
  • Requires no incoming ports on the Agent network.
  • Customizable URL and Server Port.
  • Light-weight bandwidth usage.
  • Client automatically upgrades when Server is upgraded.

Require Comment

  • Require Comment when a Secret is Viewed (useful for tracking change control numbers).
  • Bulk Operation to enable Require Comment on Secrets.


  • Major Database Performance increases in Home, Secret View, and background threads.
  • Added Bulk Operation for Remotely Changing the Password. This can be used to keep multiple accounts in-sync with the same password.
  • Improved Search in Navigation Bar to go directly to the selected Secret (when unique name).


  • Updated Search Indexer to run as a batch process.
  • Fixed performance issue when Unlimited Administration Mode is turned on.
  • Fixed RDP Launcher to work consistently for local Windows Accounts on Windows XP machines.


Remote Password Changing

  • Added Cisco password changing support (SSH and legacy Telnet).
  • Added Unix Root Account password changing using separate Secret for login.
  • Added the Remote Password Changing tab for configuring options on a Secret (moved AutoChange checkbox to this tab).
  • Password change can be set up for Active Directory and Windows accounts using a privileged account instead of the account changing its own password.
  • Added the ability to create configurable command sets for handling different platforms and operating systems to do password reset using SSH or Telnet (including using credentials from other Secrets).
  • Added the ability to test Password Reset and Verify from an admin dialog.
  • Added the ability to specify the port for password changes when using SSH and Telnet.
  • Added button to allow cancellation of Change Password Remotely.


  • Secret Heartbeat will test the credentials stored in Secret Server on a periodic basis to ensure they are still valid.
  • Receive email alerts when a Secret fails the Heartbeat.
  • Supports all Remote Password Changing templates and Password Verify.

Web Launcher

  • Web Launcher to automatically login to websites using credentials stored in Secret Server.
  • Web Launcher bookmarklet for single click login from the browser (supports all browsers).
  • Note: Secret Assistant is being retired in favor of the Web Launcher and bookmarklet (Secret Assistant is still supported but no longer recommended).
  • Automatic download option for the latest Web Launcher settings for commonly used sites from thycotic.com.


  • Made extended Search Indexer split indexed terms into 3-12 character segments instead of just 3 character segments.
  • Made extended Search Indexer not split the search term before searching.
  • Improved order of search results. Exact matches on name will be on the top, followed by ‘like’ matches in the name (ordered by name) and then secret item hash matches (ordered by name).


  • Added webservice to use Integrated Windows Authentication to allow scripts to run without having embedded username/password and retrieve passwords from Secret Server.(see KB article)
  • Updated Active Directory synchronization to support Child, Parent, and Sibling Domain Credentials.
  • Changed all random number generation to use System.Cryptography.RandomNumberGenerator for improved security.
  • Increased the hash iterations on both local user passwords and DoubleLock passwords to provide additional security against brute force attacks on the hashes.
  • Extended IP Address Range restrictions to work for class A and B networks.
  • Added Maximum Offline Minutes feature so that mobile devices can only cache data for a limited time.
  • Added a Generate Password button to the “Change Password Remotely” page.
  • Split Unlimited Administrator role into “Administer Unlimited Admin Configuration”, “Unlimited Administrator”, and “View Unlimited Admin Configuration”.
  • Changed minimizing on Copy to Clipboard to be a per user preference.

Bug fixes:

  • Fixed “No process is at end of pipe” SQL exception that occasionally occurred after doing an iisreset.
  • Added email addresses to all users during Active Directory synchronization even if disabled in Secret Server.
  • Fixed URL field on Secret to open correctly if http:// is not included.
  • Fixed SSH issues when changing passwords on SUSE Linux.
  • Fixed the ActivityDirectorySynchronization page, the AvailableGroups listbox no longer displays Groups that have been removed in AD.
  • Added saving of the ADGuid for new groups when Save button clicked on the Group Synchronization page (instead of waiting for first AD sync).


Features and Enhancements

  • Added the ability to specify the characters to separate on when building the Search Index. Note: On upgrade the current search index will be rebuilt.
  • Updated Dependency Finder to allow the user to manually specify the machine names to search.
  • Disabled the trace and debug settings from the Web.config by default.
  • BUG: Fixed Administration Export for IE when SSL is enabled.
  • BUG: For XP machines, fixed the unsupported hash algorithm error for both the Email Pincode process and the Search Indexer.
  • BUG: Updated RADIUS login to process passwords greater than 16 characters long to support Yubikeys.


Main Focus: Custom reports, support for RADIUS, and more

Features and Enhancements

  • Reporting
    • Reports page allows administrators to view standard reports, or to create reports with SQL and charting options. Reports can use a variety of 2D or 3D charts.
    • Reports can be displayed with all their associated data points (grid).
    • Reports can be placed into categories, and these categories and their reports can be organized using drag and drop.
    • Reports can have rows with different colors based on data values
    • Reports can be created using parameters such as start date, end date, and user ID.
  • Added support for RADIUS integration to authenticate to Secret Server. This will work with AuthAnvil tokens, RSA tokens, and any other authentication scheme that supports RADIUS.
  • Secret Server now uses FIPS 140 compliant algorithms and operates normally when limited to FIPS 140 only under Windows Security/Group Policy.
  • Auto-complete added to Secret search textbox.
  • Terminology change – renamed “inactive” to “deleted” for Secrets.
  • Added scrollbars to Search and Browse tabs in homepage – makes it easier when you have lots of folders.
  • Added icons to permission grids to indicate person or group.
  • Groups in permission grid are clickable, which shows the list of users in the group.
  • Date time picker works with the user’s preferred date/time format.
  • Added “copy to clipboard” support for Chrome and Safari.
  • The layout of the Configuration page is now categorized into tabs for better organization.
  • Added IP address logging for all failed authentication attempts. Previously, only attempts that caused lockouts were logged.
  • Improved localization so that messages that do not exist in the localized XML file are rendered as “Resource Not Found:”.
  • Changed the inactivity timeout timer to reset on partial postbacks. This means that users will not get redirected due to inactivity when browsing folders or searching for secrets on the home page.
  • Added on-screen notification for support license expiration.
  • Added Configuration settings for an instance level default Time and Date format.
  • Added separate page (DBConnectionReset.aspx) to allow users to change their database connection information without going through the installer.
  • Added the ability to reset a forgotten DoubleLock password.
  • Added Folder Search to the Folder picker.
  • Added Folder Templates to support Folder (default), Customer, and Computer.
  • Greatly improved Home page performance for running BulkOperations for larger instances.
  • Improved the Change Password screen to give instructions for the password complexity guidelines.
  • Improved System log to support having a maximum number of rows and to alert administrators when the log is truncated (by 50%).
  • Updated the Launcher to support having a “blank” domain for local accounts.
  • Updated the Launcher to support credentials for launching into multiple hosts. The user will be prompted to enter the Machine or Host before the RDP or Putty instance is opened when wired to the “user input” field.
  • Added a User and Group picker to replace the dropdownlist for user and group assignment for large instances.
  • Updated the User create process to automatically assign the “User” Role by default.
  • Added a grid of the user’s Roles on the user view page.
  • Webservice additions and updates:
    • Added FolderId to the Secret get methods
    • Added the ability to specific the folder on Secret Create and Update
      • Added Folder webservices for Get, Create, Update, and Search
  • Added support for RPC support for Sybase databases.
  • Added the ability to migrate a local user to an Active Directory user and maintain the existing groups and permissions.
  • Added the full Folder Path on the folder edit and create pages.
  • Search Indexer will split by newline.
  • Added icon for NATO phonetics translation of Secret field on Secret View page for reading information verbally.
  • Added Login form to the “Logged in at another location” page.
  • Update the Resource Provider to support changing a single element with custom resource such as the Help link.
  • Session Timeout has been moved to external config file to prevent overriding settings on upgrade.
  • Added folder picker and “include subfolders” option to the User Audit report.
  • Added “Last Date” column to the user audit report page.
  • Added “Save to File” functionality for many grids.
  • Added common table expression functionality to folder database queries to improve performance on SQL Server 2005 and SQL Server 2008.
  • Updated code signing certificate for Launcher.

Bug fixes

  • Fixed bug that caused Dependency Finder to time out prematurely for some systems.
  • Changed “lock out” for Web Services to be consistent with logging in through the Web interface.
  • Removed unnecessary validation when entering a new domain that required the domain account to have reset password permissions.
  • Fixed issues with Admin Secret Export for some browsers.
  • Fixed Dependency to show all computers found in Active Directory.
  • Fixed the Keep Alive thread and other background threads to avoid spamming the system log when thread cannot be stopped.
  • Fixed the Active Directory Group Synchronization page to display the listboxes with a proper width for all Browsers.
  • Expanded the SQL timeout on backups to support large instances.
  • Updated Active Directory synchronization to properly assign membership for groups made up of both child and parent domain users.
  • Fixed the display of login policy to fit inside the box.
  • Turned off autocomplete for password textboxes on the “Secret Edit” screen.


Main Focus: Bug fixes

  • Fixed bug where Folders would not be visible in Unlimited Admin Mode.
  • Fixed bug when adding a new domain with a non-Administrator account.
  • Fixed bug that caused Active Directory synchronization to crash if an AD user could not be accessed.
  • Fixed bug that would incorrectly enable an AD user that exists in AD and Secret Server but are not in a synch group.
  • Fixed bug related to Remember Me value and Inactivity Timeout.


Main Focus: Responding to customer requests

  • Added support for child domain users being members in parent domain groups.
  • Remote Desktop Preferences for the Launcher
    • Copy to clipboard, admin/console, attach drives, share printers
  • Ability to Delete IP Address Ranges
  • Embedded mode to Hide Headers and Footers
  • Improved support for Database access through Windows Authentication to have the background thread run with identity of the site instead of AppPool
  • Added Permission and confirmation for force expiring secrets on the User Audit Report.
  • Added Full Path to folder in Secret View and Edit alerts.
  • Improved the performance on the Domain Synchronization for selecting AD groups.
  • Made Favorites click through to its own bookmarkable page.
  • Terminology Change: “Owner” permission replaces “Share.”
  • Improved and fixed bugs in Backup:
    • Backup respects setting for not sending failure emails to Administrators
    • Fix scheduled backup inconsistencies for some users
    • Limited to 3 retries
  • Added better support for incomplete language files, so defaults to English if item is not found.
  • Increased folder performance for renaming and editing permissions.
  • Updated Domain Synchronization to set the DisplayName for new users and support username changes in Active Directory.
  • Updated display issues with listboxes being too small on the Group Edit page and Domain Synchronization page.


  • Fixed bug with the Role Assignment screen showing duplicate groups.
  • Fixed bug where the Everyone group was not appearing in the Group assignment dropdownlist on the permission screens.


Main Focus: Remote Password Changing enhancements and performance tuning

Features and Enhancements

  • Disabled autocomplete on the Next Password textbox for Remote Password Changing.
  • Service account credentials in these formats are now found by the dependency finder:
    • username@fulldomainname
    • username@shortdomainname
    • shortdomainname\username
    • fulldomainname\username
  • Updated the Expired Secret log to include when the Secret is not changed due to the expiration time schedule.
  • Performance improvements when using Unlimited Administrator Mode.
  • Performance improvements on the Folder edit page.

Bug fixes

  • Remote Password Changing will no longer fail when a privileged account on a dependency is not set. Instead, it will attempt to use the credentials on the Secret.


  • Fixed minor bug that incorrectly displayed encrypted values after saving a Secret.


Main Focus: Usability and Workflow

Features and Enhancements

  • Streamlined the Secret creation process
    • Single click for folder selection
    • Remembers last selected folder
    • Allow changing Secret Template on the Create page
    • Combined Search and Browse last selected Folder
  • Option to allow Secrets to require approval for access
    • Email Notifications to approvers and requesters
    • Audit is kept of all approve and deny actions
    • Secret Access Request Manager page

Bug fixes

  • Fixed the missing folder indentation in IE 6.0


Main Focus: Responding to customer requests

Features and Enhancements

  • Users can now reset their login password through a password reset email.
  • Added configuration option to AD synchronization to prevent enabling and disabling users during synchronization.
  • Added ability to synchronize email addresses for AD users.
  • Added “LockedOut” feature so that failed authentication attempts locks out a user instead of disabling them.
  • Added ability to specify whether or not Windows Service dependencies should restart after a password is changed remotely.
  • Added ability to handle AD hierarchies that contain cycles in their groups.
  • Added several new webservice methods to support the new Secret Server iPhone application.
  • Added a password migration tool for Password Corral (See the Tools page in Secret Server for more details).
  • Added option to enable a Keep Alive thread so that the ASP.NET worker process never gets shut down.
  • Added an audit record for when the launcher is used.

Bug fixes

  • Fixed bug where inactivity timeout did not work correctly.
  • Fixed bug that allowed users to delete folders containing Secrets when the “Require folder for Secret” option was turned on.
  • Fixed bug where Windows Integrated Authentication through AD did not work for domains not hosting Secret Server.
  • Fixed bug where some AD hierarchies that had root folders with no users in them could cause null reference exceptions.
  • Fixed bug where JavaScript was not getting cleared from cache on upgrades.
  • Fixed bug that allowed users to view folders and their audits without the appropriate permission setting.
  • Fixed bug where a Secret could be created from an inactive Secret Template if the query string was entered.
  • Fixed webservices to observe IP address restrictions.
  • Fixed bug where inactive roles were being displayed on Admin Role Assignment pages.


Main Focus: Minor updates to 6.1

Features and Enhancements

  • Introduced the Failover Partner on Step 3 of the installer to support mirrored database environments.
  • Added the use of the legacy Search / Browse functionality before 6.1 as a preference.
  • Added an option to allow Browse to also include the subfolders.
  • Added a Diagnostics page to assist troubleshooting Secret Server.

Bug fixes

  • Fixed bug where certain operating system settings would prevent users from being able to create a Doublelock password.
  • Fixed bug where the Launcher application did not start correctly.
  • Fixed bug where URLs contained in email alerts did not contain the right link.
  • Fixed link to a Knowledge Base article on the Backup Configuration page due to KB article restructuring.
  • Fixed minor security issue where creating a user with a special sequence of characters would cause unexpected behavior.


Main Focus: DoubleLock for sensitive Secrets and bug fixes

Features and Enhancements

  • Implemented DoubleLock to provide an additional security layer for sensitive Secrets
  • Enhanced performance for Active Directory authentication
  • Separated the “Search” and “Browse” functions on the Home screen
  • HTML now renders using “standards mode” (may affect user customized themes)

Bug Fixes

  • Passwords generated for expired Secrets now meet domain credential requirements
  • Fixed bug pertaining to an infinite redirect loop related to session expiration and password expiration
  • Fixed bug where exception occurred on SecretGet webmethod when user has no permission to a particular secret
  • Fixed bug with bulk operations where progress was not reported to the user
  • Fixed bug where file attachments with spaces in their names didn’t download properly
  • Fixed bug where folder name appeared outside of the dialog when viewing a folder
  • Fixed bug where multiple PIN codes were sometimes sent when using Windows Integrated Authentication
  • Fixed bug to not allow Checkout to be enabled when Remote Password Changing is disabled
  • Fixed broken Upgrade link in Firefox
  • Fixed bug where users with permanent cookies disabled were always redirected to LogoutAnotherLocation screen
  • Fixed bug to prevent users disabling Autochange on Secrets that require Checkout
  • Fixed bug where IOException was occasionally thrown during installation due to file permissions
  • Fixed bug in client-side JavaScript on installer
  • Fixed bug that caused NullReferenceException when inactivating a Secret without the required role permission
  • Fixed bug that occurred in user auditing when using an IPv6 address
  • Fixed UI layout on the dependencies tab related to the explain link
  • Fixed bug on Minimum Password Age validation when all fields are zero and checkbox is unchecked
  • Fixed bug when unmasking passwords that have XML special characters


Main Focus: Minor Updates to 6.0

Features and Enhancements

  • Added support for encrypted connections to SQL Server.
  • Changed installer to not overwrite customized configuration files in future releases.
  • Extended password length to 127 characters on AD credential used for AD Synchronization.

Bug fixes

  • Fixed bug where expired password and expired license caused redirects.
  • Fixed bug where user with an expired local password could still use webservices.
  • Improved stability of AD Synchronization capabilities.


Main Focus: Remote Password Changing and user experience

Features and Enhancements

  • Enhanced Remote Password Changing to allow setting a specific date and time schedule for changing service account passwords and their dependencies.
  • Dependent Windows Services are now automatically restarted when a service account credential is changed.
  • Added Remote Password Changing support for Oracle accounts.
  • Users can now specify their preferred date/time format.
  • Added new role permission to use the launcher feature without being able to view the password on the Secret.
  • Added AJAX support to various features to enhance the user experience.
  • Disabled the ‘Search by Active Secrets’ option for users without the ‘View Inactive Secrets’ permission.
  • Improved performance of initial AD sync page load.
  • Updated Russian Localization to support new features.

Bug fixes

  • Fixed bug where content was not correctly displayed on the ‘Expired Secret’ report page.
  • Fixed intermittent JavaScript error related to the scroll position on pages.


  • Secret Server 6.0 no longer supports Windows 2000 due to our upgrade to the Microsoft .NET Framework 3.5.


Minor Updates to 5.1

  • Changed link on Administration pages, from “Languages” to “Language Maintenance”
  • BUG: Fixed issues with URL case sensitive localization causing mixed languages to be displayed.


Main Focus: New email alerts and support for PuTTY

Features and Enhancements

  • Added support for launching PuTTY for UNIX-based secrets
  • Added ability to receive email alerts when secrets are viewed
  • Added ability to receive email alerts when a dependency fails to update on an automatic password change
  • Added new role permission for searching/viewing inactive secrets
  • Changed folder creation/movement to only require edit permissions on the parent folder
  • Added support for Remote Desktop launcher with Windows Integrated Authentication
  • Added new bulk operations for deactivating and setting autochange on secrets
  • All pages now maintain scroll position on postback
  • Added a Languages page for Administrators to update and translate content to their language of choice
  • Added an OK button to the top of the Folder picker
  • Added additional folder management buttons to the top of the Folder Administration screen
  • Added functionality to make Secret Server 64 bit compatible
  • Searching on all fields no longer splits words up by periods

Bug fixes

  • Fixed bug on Login where a minimum password age error was shown when creating a local user
  • Fixed bug with Windows Service Dependency Changers when using Windows Accounts due to a missing prefix of the machine name
  • Fixed bug related to unlimited setting on Remember Me
  • Fixed null reference bug on Secret Audit when user does have “View Secret” role permission
  • Fixed bug where an incorrect validation message was displayed when password history was set to ‘all’


Main Focus: Minor enhancements to 5.0

  • Improved database indexes for search functionality.
  • BUG: Fixed issue that intermittently occurred in older Secret Server instances when upgrading.
  • BUG: Fixed to not send alerts when search indexing.
  • BUG: Fixed Secret Template to not allow search indexing on file attachments.
  • Fix: Cleaned up the CSS and layout on several pages.


Main Focus:Changing Passwords for Scheduled Tasks and Service Accounts

Features and Enhancements:

  • Enhanced Remote Password Changing to update dependent Scheduled Tasks, IIS AppPools and Windows Services.
  • Added Checkout option to provide accountability for the use of a secret – the password gets changed automatically on checking.
  • Enhanced search functionality to allow users to search by all fields.
  • Implemented ‘Change Password Remotely’ feature to allow users to immediately change a password on a remote server.
  • Added new default theme to enhance the readability of the UI.
  • Export by folder now includes all child folders.
  • Added the SecretID field to SSwebservices to provide integration for custom development.
  • Administrators can now force local user password expiration.
  • Added configurable minimum password age requirements for local user passwords.
  • Added password history configuration options to prevent users from using past local user passwords.
  • Webservices and Secret Assistant usage now creates view audit records.
  • SSH Remote Password Changing now works for “root” accounts.
  • Added ability to automatically delete excess database backups on the application server.

Bug fixes

  • Fixed bug that occurred when trying to access the Administer Groups page with no active local groups.
  • Fixed unlimited remember me bug with Secret Assistant.
  • Fixed bug when trying to create a new secret from a Secret Template with no fields.
  • Fixed bug where SSH remote password changing left open connections.
  • Fixed bug where Secret Assistant would return inactive secrets.


  • Implemented SSH for password changing on Linux accounts.
  • Fixed bug with Active Directory Synchronization when pulling users and groups from an organizational unit.
  • Fixed issue with the ‘next password’ component of Remote Password Changing.


Main Focus: Enhancing Folder Functionality and Security

Features and Enhancements:

  • Added configuration option to allow Secrets to inherit folder permissions by default.
  • Added configuration option so that a user must have view permission on a folder to see it.
  • Users can now create and manage their own folders without them being visible to all users.
  • User now requires Edit permission on a folder to be able to add secrets to it.
  • Added a new ‘Everyone’ group to include each existing user for easier management and legacy folder permission support.
  • Tightened folder restrictions to require share permission on a parent folder in order to add a child folder.
  • Implemented audit records for when Groups are created, made inactive/active within Secret Server.
  • Implemented audit records for when users and groups are created or made active/inactive from Active Directory.
  • Renamed two Role Based Security permissions: Administer Roles is now Administer Role Permissions and Administer Group Roles is now Administer Role Assignment.
  • Secret Types are now labeled as Secret Templates.
  • Added an ‘Evaluation Expiry’ notice to alert users when their evaluation is about to expire.


  • Fixed bug when users were made inactive when Secret Server could not connect to Active Directory.
  • Fixed bug where Backup did not work properly if a database name contained certain characters.
  • Fixed error that occurred on the AdminGroupByGroup page when no groups exist.
  • Fixed error when trying to import folders with line breaks in a Secret field.
  • Fixed issue with Password Type configuration not saving correctly in certain situations.


Main Focus: Addressing Role Based Access Control

Features and Enhancements:

  • Implemented Role Based Access Control (Role Based Security) to set granular, assignable permissions for users.
  • Added the ability to launch Remote Desktop from a secret.
  • Added the ability to import secrets by folder.
  • Secrets can now be exported with a folder name.
  • Added “Run Now” button to the Remote Password Changing screen.
  • Implemented a visual keyboard on the login screen to thwart keyloggers.
  • Added the ability to create custom web.config files to override the default impersonation settings that will not be overwritten on upgrades.
  • Added a dropdown on the results screen for users to define the amount of secrets to display.
  • Created a Security Hardening Report that displays the security level of your system’s installation.
  • Created the SecretTypeSetActive.aspx page for quickly setting the active status on Secret Types.
  • Improved the “Help” documentation.
  • Groups deleted from Active Directory will now be disabled.
  • Improved performance by adding caching for theming.
  • Specific passwords can be set on the Remote Password Changing – AutoChange feature.
  • Added a preference for showing a full folder path on the home search grid.
  • Implemented robot.txt file to stop search engines from indexing Secret Server installations.
  • Folder creation and editing is now an assignable permission.
  • Added a search textbox to the Users screen.
  • All cookies are now HTTP only for additional security.
  • Added “Save and Add New” button SecretView.aspx.
  • Increased the visual size of the notes field.

Bug Fixes:

  • Fixed bug where an exception was thrown when invalid information was entered in the “minimum password length” configuration option.
  • Fixed bug where the folder picker modal did not work properly when Secret Server was viewed inside a frame.
  • Fixed error where Secret Type export XML format was incorrect.
  • Fixed bug where notification emails did not contain the full URL for the installation.
  • Fixed bug where Integrated Authentication was not setting last login.
  • Fixed bug where permission checkboxes were being displayed when the secret was set to inherit permissions from folder.
  • Fixed bug where duplicate users appeared in the Active Directory synchronization preview.


Main Focus: Improving permission inheritance and bug fixes.

Features and Enhancements:

  • Bulk operations now supports enabling folder inheritance on a secret.
  • Deleted Synchronized Active Directory groups are now disabled within Secret Server.
  • Added support for automatic backups on servers at different locations.

Bug Fixes:

  • Fixed bug when editing folder permissions that include a disabled user.
  • Fixed padding error for secret item history for very large values on secrets.
  • Fixed bug in Remote Password Changing due to new column for inherited permissions.
  • Fixed broken “unmask password” image on ‘Secret Edit’ page.
  • Fixed ‘Remember Me’ bug due to .NET 2.0 migration.
  • Fixed ‘Close’ image on dialog.
  • Fixed paging problem on AdminExport grid.
  • Fixed bug where expiration date did not decrease on old secrets.

Get you Free 30 Day Free Trial

Choose your deployment option:
By completing this form you are opting into emails from Thycotic. You can unsubscribe at any time.