Recently active topics

I have granted myself Recorded session reviewer and Active Session reviewer role but when I try to view completed sessions, I get this error:Unable to open the session. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Please contact your Password Safe administrator.Looking at the system event viewer, I am getting a certificate validation failure for host xxxxxxx MessageCertficate validation failed for host kbpdpammgt001.corp.bank.nzpfs.co.nz:443 on url https://hostnameFQDN/eEye.RetinaCS.Server/api/PMM/remotesessions/replayI have checked my certificate (Load balancer certificate) and confirmed that it does have the SAN pointing to this host. 

Does anyone know if it is possible to include multiple domains in a management rule filter?  For an example, we need to setup rules to move multiple domains to single computer groups after a certain length of time.  Currently, I have over 20 management rules in place to do this functionality, however I would like to cut that down if possible.  

Hello,I am working on creating a new BT EPM policy for our Win 10 and 11 system in our environment. I created an application group and added it under Low Flex workstyle. I am trying to create a policy that will block all the applications except the ones i have approved in SCCM Software Center and InTune. My problem is that i have a list of couple of hundred of approved apps and i don’t want to add them in the application group manually one by one. is there a way to import them from an excel list if i populate the excel with publisher and product name and whatever else i might need. or is there any API i can use for that.Thank You

On our systems we’ve deployed beyondtrust to, if I do a Microsoft sentinel or KQL search for local admin login events, I’m seeing a lot of accounts that start with lenovo_tmp. After some searching, it appears that these are used by the lenovo system updater software to run updates with elevated privileges when a user is not admin. This concerns me because it seems to violate the tamper protection of beyondtrust that disallows the creation of other admin accounts. (lenovo forum for context).Is anyone else seeing this? If you can run KQL advanced hunting queries, look at the DeviceLoginEvents table: DeviceLogonEvents| where IsLocalAdmin == true  

Hello,We are currently integrating credential injection from Password Safe into PRA for Cisco devices using the Shell Jump method.Users are able to successfully authenticate and access the devices with the injected credentials. However, when they attempt to enter "enable" mode to perform configuration changes, the system prompts for the password again.At this point, no credential injection prompt or window is displayed, so users are required to manually enter the password. Since the credentials were injected automatically during the initial login, the users do not have visibility of the password and cannot proceed.There is any feature or recommended approach that allows re-injecting or reusing the credentials once inside the shell session (for example, when escalating to enable mode).Thank you.

Hi  I have configured PRA where I have jump client and a RDP for a windows Server, when I am accessing I strangely started noticing that Over the Mouse there is a black dot which keeps moving along with the Mouse Arrow cursor. the problem is that they are not in sync, there is a kind of lag, is there a way to fix the Mouse having that black dot., can we remove it.

We’re currently using BeyondTrust Password Safe to manage SSH access to a large number of Linux servers (100+), where users authenticate using their AD accounts.Access to the servers works fine through Password Safe, but we’re running into an issue when users need to elevate privileges. When they run sudo su, the system prompts for a password, but since password retrieval is disabled, users can’t proceed.We want to avoid enabling password retrieval or exposing any credentials to users, but still allow them to perform privileged operations when required.At the same time, managing sudo access directly on each server (e.g., updating /etc/sudoers individually or using NOPASSWD per user) isn’t really practical at this scale.So I wanted to check with the community:Is there a way to handle sudo password injection through Password Safe for SSH sessions? How are others managing privilege escalation in similar environments without exposing credentials? Any recommended best practices for scaling

We have Cimplicity Webspace in our environment, which is web based. The main dashboard does not have a login screen, but each page off of the main page is an embedded IDE object that has its own authentication. We are trying right now to run the application as a Web Jump, but Web Jump does not see the authentication fields because they are in the embedded IDE and not HTML fields.Has anyone found a way to use Cimplicity Webspace with PRA?

Hello All, We have one new BeyondTrust setup. It seems option ‘Use SAML Authentication’ on login page is not visible for somehow.We have configured AD domain, and it shows in dropdown option but the link for SAML authentication is not showing up.Can you help if any settings need to be updated?  Thanks,Prasad

Hello Team,We are currently running BeyondTrust Password Safe version 23.3 in our environment and are planning an upgrade to version 25.1.We would like guidance on the recommended upgrade path:Can we upgrade directly from 23.3 to 25.1, or Is it required/recommended to upgrade first to 24.x and then to 25.1?Additionally, it would be helpful if someone could share:Any prerequisites or constraints for this upgrade path Known issues or best practices based on previous upgrades High‑level steps or documentation references for performing the upgradeYour insights and recommendations will help us plan this upgrade.

We have enabled Log "Run As" Special Action Commands in the Session Reports, but is there a way to extract just this specific details to see on which devices this has been run? I've checked back and forth the reportings, exported many reports, but none seem to have this data..

We are interested in enabling this option: Force the closure of windows that were opened during the session. We expect that it will close any opened command prompts that are elevated from run as etc. But will it also close other applications that are open done by the user like word/outlook etc. The explanations found on internet and the bt documentation don't say much and would like to know more on this, or if anyone else has enabled it and can tell me what exactly is happening with all the apps that are open when the engineer jumps onto the machine does his bit and jumps off again. We also don't see an option to test it or assign it to a test group to experience the behaviour as it seems to be an all or nothing setting.  

Hello!I am curious to know what type of filtering and packet inspection controls are typically recommended/used for on-prem PRA/RS appliances. As typical use cases (e.g. remote users, vendor access etc.) require the appliance to be external network facing , it is not feasible to restrict access to IP ranges. Based on KB articles SSL Offloading is not supported for client to appliance communication.Question: What typical network security controls are recommended apart from restricting the outbound from appliance, blocking known-bad source IPs, and segmentation.Anyone using Web App Firewalls , NGFWs or IDPS effectively ? Are there any resources available that can help identifying know benign traffic vs malicious traffic ?

The following articles were published last week. New Knowledge Base Articles: KB0022194 - How to create a registered app for Remote Support and Privileged Remote Access Vault KB0022195 - Error: This account has expired when trying to log into the administrative interface KB0022251 - Vault account fails to check in post-use, becomes unusable KB0022254 - Upload Update option removed in Remote Support and Privileged Remote Access Cloud 25.1.1 KB0022265 - How many characters can the password value field contain in Vault? KB0022266 - How many generic Vault accounts can be created? KB0022271 - Which ports are required for the discovery and rotation of Vault accounts? KB0022272 - Is it possible to exclude credentials from an Asset (Jump Item)? KB0022283 - Can old sessions more than 90 days be restored for auditing? KB0023427 - Can VNC tokens be used for injection?

The following articles were published last week. New Knowledge Base Articles: KB0022194 - How to create a registered app for Remote Support and Privileged Remote Access Vault KB0022195 - Error: This account has expired when trying to log into the administrative interface KB0022251 - Vault account fails to check in post-use, becomes unusable KB0022254 - Upload Update option removed in Remote Support and Privileged Remote Access Cloud 25.1.1 KB0022265 - How many characters can the password value field contain in Vault? KB0022266 - How many generic Vault accounts can be created? KB0022271 - Which ports are required for the discovery and rotation of Vault accounts? KB0022272 - Is it possible to exclude credentials from an Asset (Jump Item)? KB0022283 - Can old sessions more than 90 days be restored for auditing? KB0022289 - Can a distribution list be used for approver

The following articles were published last week. New Knowledge Base Articles: KB0023439 - Error after running profile task - Could not authenticate with PMUL REST API

The following articles were published last week. New Knowledge Base Articles: KB0022184 - ServiceNow ticket for JIT request does not show username in 'Caller' field KB0022206 - NVDA screen reader does not correctly activate on Secure Desktop KB0022208 - QuickStart Template Changes Regarding Microsoft Narrator KB0022210 - Use of .NET COR_PROFILER with EPM-W and suggested actions KB0022290 - EPM-M limitation with MAMP Pro KB0023469 - Cannot access Hyper-V VM after creating it with EPM-W installed KB0023471 - Troubleshooting EPM-M OAuth connectivity with BeyondInsight

The following articles were published last week. New Knowledge Base Articles: KB0022146 - Not receiving reports from the Analytics and Reporting tool - No records were found matching your criteria KB0022190 - Discovery Scans entries are not found in PS Cloud web console KB0022204 - Cannot view discovery reports "An error was reported" KB0022211 - Resource Broker update fails "Setup Wizard ended prematurely because of an error" KB0022217 - Secrets Cache install fails with error "0x80070643 - Fatal error during installation" KB0023396 - Azure Marketplace deployment shows "Error encountered while applying IP settings KB0023443 - Error when scanning PostgreSQL "no pg_hba.conf entry for host" KB0023452 - Receiving error when scanning PostgreSQL "The given key was not present in the dictionary" KB0023454 - After upgrading to 25.3, RDP sessions fail when FIPS mode is enabled. Error

The following articles were published last week. New Knowledge Base Articles: KB0023421 - Error implementing Apache SSO to AD Bridge "Cannot load /opt/pbis/lib64/apache2.4/mod_auth_kerb.so into server:" KB0023465 - Solaris 11.4 fails to resolve group or user with error LW_ERROR_NOT_HANDLED (0x9c51)

Common challenges with PasswordSafe User Provisioning comes down to the confusion between Smart Rules and Smart Groups, and the concept that PasswordSafe groups are only provisioned if they have permissions assigned to them. You cannot give access to users who are in a group with no permissions.  📌 If you’re wanting an overall yes/no flow if a user can access PasswordSafe or a managed account, please see Whiteboard Workflow Diagrams for PasswordSafe Authentication and Permissions | Community In the effort to share the knowledge, I’m sharing the raw whiteboard notes I have around an approach to thinking about PasswordSafe User Provisioning. Whiteboards are my first step in understanding any system, and, quite frankly, I’ll never get this article posted if I were to transpose this into writing.  🚩 This is a general case. There are different ways of altering what a user is provisioned to access by using the PasswordSafe configurations.  PasswordSafe Users need a provisioned reasonPasswo

Hi. I have recently performed a detailed discovery scan against one asset, it completed successfully but I am not seeing any details for services, tasks etc etc. Scan was completed three hours ago.Is it normal to take a long time to get this information populated? Are there any logs I need to check to see why I am not seeing the details yet?   

Hello All,We are trying to implement Rest API for different purposes. While executing Get ManagedAccounts API with powershell script, we found that it returns only first 1000 account records.Do we know how can we increase this limit to get result for more records. We have around 11000+ records.Thanks,Prasad 

Hello everyone,  I’ve no found anything about Zabbix in KBs or docs and I would like to know:Someone have included the Zabbix management with Password Safe Cloud? I’ve created a scan using only IPs, the agent found, but I can’t rename the Assets. I just have to rename the assets (to better view in enviroment), manage they in Password Safe, rotate the password and put in the group with all user can use.   

I have a question regarding use of BeyondTrust Password Safe Cloud, specifically around application session security controls.We are currently experiencing several security concerns when launching application sessions through the platform:1. File Access via Chrome DownloadWhen an application session is initiated, users can successfully access the target application via Chrome. However, if a user downloads a file and clicks “Show in folder”, it opens File Explorer on the application server.This behavior allows users to:Browse system directories Access sensitive locations (e.g., C:\ drive)2. Unrestricted Browser UsageWithin the same application session, users are able to:Open new browser tabs Navigate to other websites or internal applications Perform actions outside the intended application scopeSecurity ConcernsThis creates a significant risk, as users may gain unintended access to:Unauthorized system resources Sensitive files and directories Has anyone implemented similar restrictions

When a BeyondTrust Password Safe Cloud tenant is provisioned with Pathfinder, is direct access via the default subdomain (e.g., example.ps.beyondtrustcloud.com) completely restricted or disabled? If so, could you clarify the exact URL, FQDN, or endpoint that needs to be allowed from the Resource Broker to access Password Safe, including any required ports or protocols?