Recently active topics

Hi all,I’m interested in hearing from anyone who has successfully implemented Azure Application Proxy as a front door to a BeyondTrust PRA appliance, specifically to reduce direct exposure to the internet. Current EnvironmentBeyondTrust PRA appliances hosted on-premises Appliances are internal-only (no direct internet exposure) Internal user authentication handled via SAML with Microsoft Entra ID RequirementWe are looking to enable access for external 3rd-party (guest) users while maintaining a zero/low direct exposure footprint.Key goals:Avoid publishing the PRA appliance directly to the internet Leverage Azure App Proxy as the external entry point Use Entra ID authentication (including B2B guest users) for access control Maintain alignment with our existing guest onboarding and governance model (via Entra B2B) Avoid using the BeyondTrust vendor portal where possible Proposed ApproachExpose a dedicated external URL via Azure App Proxy Require pre-authentication with Entra ID (includin

Hi communityOur clients are currently starting to use SQL Tunnel and PostgreSQL Tunnel connections. When checking the recordings, they are not available; only the transcript is shown. I would like to know if PRA does not support these types of recordings.

Hi team My client is having this problem: some sessions are recording, and others aren't. They have several connections to the same device, and while some recordings are available, others only have the transcript. I'd like to know what's happening in this case and what the problem might be. As an additional note, the product is in version 25.3.2. All sessions are from the same user and are of type RDP

Hey guys, hope you can answer my question and maybe give suggestions:I am trying to onboard my users’ privileged accounts into PS. I have an AD security group where I add the privilege accounts (by batch). My Directory queries, Smart Rules to onboard priv account, including the linking and mapping of the accounts, are all ready to go.My question is this. If I have just added a group of users into my AD security group and waited for the replication between my domain controllers, how long should I wait for the users to be onboarded into my PS? In the past, I have manually processed each individual smart rules for the propagation. If I have an automated system to add users into the security group and will just wait for the DQ/Smart rules to run, how long do I have to wait? Or can I configure this to run upon changes to the security group? I am asking so I can provide some specific timelines/duration for my users. 

Hello Team, We are trying to configure AWS Scan Target Collector as connector in Beyond Trust Password Safe (On Premise version 25.1).The required fields for this configuration need Access Key ID and Access Secret.We have a Organization security policy on AWS to rotate these access key ID’s and Secrets every 12 hour for any role. Is there any by which we can get those updated access key and use them for configuration or any alternative way to set up stable connector configuration. Thanks,Prasad

I would like to establish a connection to a closed network with a jumpoint/gateway every 30 Minutes, do some tasks and then close the connection again.I thought about using the tcp or network tunnel to establish the connection.Does anyone know a way how to automate this with the APIs? I couldn't find anything. thanks for your input on this

Hi All,My organisation has auditing requirement to review who approved what session request for certain applications. Now - Using the Activity Report in Analytics and Report, I have managed to generate the reports who approved session for RDP and SSH connections but I am unable to generate the same for application connections. Now this is mainly because as per my understanding you cannot classify an application connector as asset or an asset smart group hence I am not able to generate this report. I am looking for any guidance on how to generate application connector’s session approval request or alternatively how I can classify application connector as an asset smart group for report generation Thanks in advance for any support.

I need to elevate a simple powershell script that copies a file to a directory in “C:\Program Files”. The problem is that if I put in the hash of the ps1 file, it does not trigger the elevation because EPM only seems to see the hash of powershell. I followed KB0019883 which seems to suggest it is possible to do this. I did try by right-clicking on the ps1 and selecting “Run with Powershell” but it does not work by hash. I do not want to approve by file name.Has anyone been able to elevate a powershell script by hash? 

Is there a way to disable this action/button?When a rep removes a customer using this button, the system message in the chat transcript logs it as “Event Type: Conference Member Departed” and “Performed by: [customer name]” which gives the appearance that it was customer initiated. In the chat pane, it displays “(timestamp) [customer name] has left the conversation.”The only mention of “Remove Participant” in the documentation is in the rep doc and appears in the Session Tools section on a list of actions with dedicated icons.As to why disable the button, it is a potential work avoidance issue and the current level of logging makes it difficult to track.

From what I can tell, dedicated account mapping (e.g. KB0017035) the only option available is to map the exact same attribute in both domains. For example, employeedomain\user1 has attribute1 set to “user1”privilegeddomain\admin1 has attribute1 set to “user1”to drive the mapping via smart rules. However, that implies that modifying attribute1 in employeedomain to a different value, say, “user2” would grant user1 access to user2’s privileged resources, giving domain1 authority over a privileged domain’s access. What I want to be able to do is have privilegeddomain\admin1 attribute1 set to “user1”, and map that to employeedomain\user1’s name field (or samaccountname, or SID - something not modifiable without breaking the employeedomain\user1 account). Is that possible? 

Hi community,I'm deploying AD Bridge in a production environment, and the client has a high-availability infrastructure where server restarts are not permitted.Is it possible to install the AD Bridge agent without requiring a server reboot after the installation?I look forward to your response.Thank you.

I have a windows 2019 server enabled with RDS services and password safe for users that need to have privileged access to cloud apps that are onboarded as enterprise apps in Entra / Azure. How can i give users a single on sign experience when they do not have access to the account password? I am trying to avoid published apps and keep my admin overheads as low as possible.Has any here been able to make this happen? I had something running to support this when we had ADFS, but sadly we have moved on.

Hi Team, I need a report to pull the data of all the managed account last login details on associated servers this is required for Audit purpose has anyone tried to pull out successfully from the Analytics and reporting feature?Quick suggestions and recommendation from the community will be appreciated. 

hello friends,we are doing a fresh install for our UVM’s we have downloaded the OVA and having them mounted. is there an implementation guide on how to set up this UVM/BI. we had one for earlier versions which included the default username/password and steps to set up and configure the base UVM. we are doing an upgrade/migration Thanks.Frank Colvin

The following articles were published last week. New Knowledge Base Articles: KB0022540 - Is there any effect when changing SMTP authentication from Legacy to Oauth2 with the Integration Client? KB0022553 - What operating system can BeyondTrust SRA Integration Client be installed on? KB0022568 - All new users getting all Asset or Jump Items by default in RS and PRA KB0023619 - Will local users stay in User Accounts after expiry? KB0023658 - Vault checkout error "System name is not configured for directory linked account checkout" KB0023662 - Console tab missing in /login KB0023671 - Can multiple connected screens be viewed simultaneously in separate, detachable windows?

The following articles were published last week. New Knowledge Base Articles: KB0022540 - Is there any effect when changing SMTP authentication from Legacy to Oauth2 with the Integration Client? KB0022553 - What operating system can BeyondTrust SRA Integration Client be installed on? KB0022568 - All new users getting all Asset or Jump Items by default in RS and PRA KB0023619 - Will local users stay in User Accounts after expiry? KB0023656 - Network Tunnel: The privileged remote access network tunnel endpoint service is not installed KB0023658 - Vault checkout error "System name is not configured for directory linked account checkout" KB0023662 - Console tab missing in /login KB0023671 - Can multiple connected screens be viewed simultaneously in separate, detachable windows?

The following articles were published last week. New Knowledge Base Articles: KB0023609 - Child matched events using Any Application or have missing data KB0023663 - What is the URLCache used for? KB0023664 - Custom messages configured to show two lines with the BT PM App display all three KB0023668 - "Mail To" email sent from an EPM-W block message is missing file hash and publisher name

The following articles were published last week. New Knowledge Base Articles: KB0022494 - Error while rotating a password: Missing Custom Plugin KB0022513 - Workforce Passwords Usage Summary Report or Active Users report fails KB0022534 - Is BeyondTrust Workforce Passwords available on Firefox and macOS? KB0023328 - After upgrading to 25.3 OAuth does not work KB0023541 - EPM client check-in fails with "Database Offline" and "Unable to refresh policies" errors after upgrade KB0023624 - "HTTP/2 Protocol Error: Stream closed with an error" when using Password Safe API with Postman 12.x KB0023635 - BeyondInsight Password Safe features overview KB0023648 - Is there a way to tell who did a session request or viewed a password for managed account? KB0023660 - Where is the Endpoint Credential Manager (ECM) installer and what are the requirements? KB0023669 - Can a U-Serie

Hello everyone,We are running BeyondTrust Password Safe (On-Prem) and managing several network appliances configured as Managed Systems.Our environment includes:Network appliances onboarded as Managed Systems Local managed accounts on each appliance Application Sessions configured for access to the appliances’ web interfaces Two managed accounts (One as Managed account for network appliance and the other for RDS credential injection) with the same username that must share and stay synchronized with a single passwordGoal:When a password is rotated or manually changed for one managed account, the password should be automatically updated on the corresponding account on the other appliance.Questions specific to Password Safe On-Prem:What is the recommended approach to synchronize passwords between multiple managed accounts? Can this be achieved using: Account dependencies (primary / dependent accounts) Shared password objects Password change policies applied to multiple managed systems

Hello Team,We are looking for setting configuration for Maximum Password Age and Minimum Password Age to be set in Configuration > Role Based Access > Local Account Settings > Account Password.I don't see that option field for version BeyondTrust Password Safe 25.1 version. Can someone help to know how to see these fields in configuration part.Thanks,Prasad

I have a standalone Gateway (Jumpoint) and a Gateway cluster (jumpoint cluster).Wha can I configure my Jump Clients only to use a standalone gateway (jumpoint) and not the gateway cluster?

Hello, We have a requirement from Auditing point of view which states -“Beyond Trust Password safe should start session recording once user has checked in Password for managed account and this recording should end once his access is revoked from AD group for that managed account. The recording should cover entire session with showing what all applications were touched upon with retrieved password”Is it possible with Beyond Trust Password safe (On Premise) environment. Thanks,Prasad

This might be a bit too big of a question for this forum. However, I am not sure where to start. We are still somewhat new to PRA. I am wanting to start using Docker containers for our jumpoints instead of putting them on Linux instances. First, where do I go to download the container image? I heard that there is a stock image that we would use and then just input the key to start the connection to our system. Second, can we put the container in a service like AWS container service or Azure container service? Third, and this will show my very beginner level of experience with containers, would we do the firewall rules for the containers the same way that we do them for the Linux servers that are jumpoints?I have a feeling there are other items that I am totally missing, but I figured this is a good start. If you know of documentation you can point me to I am more than happy to start reading and testing things out. 

Hi Everyone,I received some information from a friend regarding the use of BeyondTrust Password Safe licenses specifically, the asset-based version.Let’s say we purchase 1,000 licenses. If all the licenses have been used, we will still be able to add and access the new system.1.However, we don’t know what the maximum tolerance is. Is that correct?2.What other information should I know regarding license usage and what happens once all licenses have been used? Thank you,Please help and give me some advice