Recently active topics

Recently, we upgraded several customers to versions 25.1.1 and 25.3 of Password Safe/BI, and we have encountered an issue when accessing some SSH devices:"Managed system host key check is enabled but the list of accepted host keys is empty."In some cases, enabling the Auto Accept Initial Key property on the Managed System resolves the issue.However, for certain managed systems, this setting causes access problems.Has anyone else experienced this behavior or found an definitive and clear solution?

Hi all! Hope you are doing well.I’ve encountered an issue regarding installation of BT RS. Currently I have about 60 users that have the Jump Client installed on their device. I wanted to update the clients, and it seems like the .dmg file now says sra-scc-<uid>.dmg, and not bomgar-scc-<uid>.dmg (I believe this is not the issue though).Right now, when I prepared the package to be deployed from Jamf Pro (our MDM), the package installs, it shows the BT RS icon on the top-menu bar for a split second (it’s crossed), and then disappears. I can’t see the newly installed jump client in my representative console, so basically it’s like it installed for a moment, then uninstalled or is not present on the machine. I’ve followed the ‘mass deploy on macOS’ instruction, so have all the PPPC settings as well. I have also included the xattr command into the deployment script, but it looks like it does not matter whether it is included or not, the same situation keeps happening on both set

Installing the Linux Remote Support jumpclient in system mode breaks our GDM authentication configuration by installing the file /etc/dconf/profile/gdm with the contents:user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaultsRedHat systems configure gdm by default via the dconf site database. RedHat expects a confguration like:user-db:user system-db:local system-db:site system-db:distro By removing the local, site, and distro DBs you are completely breaking the standard RedHat configuration. This is completely irresponsible on your part to be modifying such a critical system configuration. This took most of my day to resolve and locked a couple of users out of their machines for a few hours.I had actually just decided to enable your automatic updating of Remote Support - but that is out the window now if you are going to be releasing stuff like this.

I understand that to implement TAP you add the TAP High Flex or High Security workstyles but what is this option in all workstyles:And given that specific rules block or allow and audit, what does this do?TIA

One of the laptop our company recent setup had error: BeyondTrust Jump Client disconnected from xxxxxxxxxBeyondTrust representative can not even find the computer name or ip address. Reconnect doesn't work at all and Enabled was ticked. 

Hello everyone, Is there any way to filter the linking of domain accounts in Oracle databases?In my environment, I have some accounts that are linked to Windows servers. However, this link is extending to Oracle databases located on these same servers.So when I go to Password Safe > Directory Linked Accounts and filter by the server in question, the credentials appear duplicated, pointing to the Server system and the Database system.We don't use these domain accounts to access the Oracle databases, and I understand that this link is being replicated by the smart rule created for linking the accounts to the server only. This is also causing me problems with the Secret Cache replication, which is collecting the passwords of these accounts and registering the database as the System, and not the System I registered for these accounts to be linked. Regards,Rudolf.

Hello everyone. In managing accounts in our environment, I've identified some accounts that fail during password testing. "Error[9] - code: 49, error: The supplied credential is invalid.The password for 'ACCOUNT' on domain 'DOMAIN' is invalid..." What I've identified is that this is caused by the account only being able to log in on two devices on the network, defined in the "Log on to..." option of Active Directory.Removing any device from this list makes the test work correctly.This makes sense because the password test is simply a login to a Domain Controller to validate if it's correct. Now comes the question... Is there any way to make this password test work even with devices listed in Log on to...?The only way I thought of would be to add the domain controller to the "Log on to" list. But then I would have to add all the Domain Controllers in our environment or limit it to a single Domain Controller that this account will be managed on, right? Has anyone else experienced this? R

Hi All,In PRA, we have a SAML security provider configured for user authentication and provisioning. User will only be provisioned when they first-time logged in.Is there anyway we can pre-provision the users by LDAP/AD Group synchronization similar functionality as Password Safe (without using SCIM). Thanks, 

Hi Team, I have requirement wherein I need to open Browser as RunApp. I cannot use TargetURL option as targetULR option will open Browser in Private Mode.  We have some restriction and due to which we cannot open the URL in private mode. I am insisted trying to open the chrome/Edge as RunApp option which opens the browser in Normal Mode and ULR is also getting opened.  My next target is click some other link which are present on landing page. I am using TAB key to bring the cursor to link but Tab key is not working and it is not bring the cursor to link on which I want to click.   Hence I am unable to move a head.Below is my basic INI file [General]RunApp="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe %targeturl%"[TaskSequence1]SendKeys={TAB}{TAB}{TAB}{TAB}{TAB} Has any one face similar issue ? can anyone please tell me how was it solved. thanks in advance Regards,Imran Aliyani

I have a question regarding RDS CALs per user. If only one functional account is defined in the Application settings, then do I only need one RDS CALs because only that functional account is technically initiating the RDP session to the RDS server.

Hi All,I have the PWS to PRA connection functional and have imported managed systems and account and can inject using the console from my account. BUT one of the use cases that sold us on this solution was to onboard our 3rd parties.So, during the build I onboarded an account from a different domain. (eg. my admin account is luke@company1.com and the test account is test@company2.com).When I just and start a jump when logged in as test@company2.com, no creds are injected and when I check the PWS logs I can see an error that the account from comany2.com does not exist, and this is correct. Company2 only exists at PRA not PWS.Have I done my build wrong???  Plugin found no credentials - [436c54cfe6ea4ccfa2053d1b94db6ec6]: Unable to authenticate app and run-as user; verify the API Registration, SSL/TLS Settings, and user permissions -- originalUsername=[test1], originalUserDomain=[] -- Details: Failed to authenticate due to one or more authentication rules.

Hi All, We are moving to Workforce Passwords for our individual password vaults, but the IT team also has a shared vault, we are required to keep an offline backup of this shared vault for DR purposes.  From what I can see the only way to back this up is via the API? can anyone confirm?

The following articles were published last week. New Knowledge Base Articles: KB0022055 - Domain discovery error - Failed to get information about discovery account KB0022427 - Unable to update. Error: An error occurred installing this update KB0023316 - Unable to install BT26-02-RS or BT26-02-PRA patch - Error: An error occurred installing this update.

The following articles were published last week. New Knowledge Base Articles: KB0022055 - Domain discovery error - Failed to get information about discovery account KB0022427 - Unable to update. Error: An error occurred installing this update KB0023316 - Unable to install BT26-02-RS or BT26-02-PRA patch - Error: An error occurred installing this update.

The following articles were published last week. New Knowledge Base Articles: KB0022038 - EPM-W Cloud policy refresh using EndpointUtility error - Received unexpected status code 500 KB0022052 - Analytics full raw data not sent to Splunk

The following articles were published last week. New Knowledge Base Articles: KB0022043 - BeyondTrust Scan Accounts not closing sessions. Idle sessions open for extended periods after scans complete KB0022097 - NTLM is being deprecated; can it be removed from U-Series appliances? KB0023277 - Error received when attempting to turn any Appliance Feature on or off after upgrading Appliance Management KB0023284 - Is TOTP secret associated with Authenticator App and the user stored and encrypted in Password Safe? KB0023285 - How to filter, favorite, and request RDP sessions, SSH sessions, and passwords as a Password Safe end-user KB0023322 - Getting started with Password Safe and the location of information

ps automate is not able launch chrome/edge browser sessionHi all i am facing  issue wherein ps automate is not able to launch the browser session. we are using password safe cloud 24.1 version and i downloaded the same version of ps automate. driver versions are also same .still browser session is not opening any idea how to get this issue resolved Awaiting response  RegardsImran

Hello, I am trying to setup an Azure SQL Database for a new AA BT PWS environment. Is there any way to use a serverless SQL with own key material for TDE?Right now the installer just gets stuck and although I can run the connection check I get a small window stating “validation failed” after I click next on the database configuration step.Any recommendations?  Thanks!

I had some issue with my RDP Proxy when being initiated. It comes up with an error like below. The RDP file is being successfully downloaded but when launched, I get this. I am using a load balancer between my client and the appliance. Is there something I am missing? I tried to bypass my load balancer connection and just updated my local hosts file to point directly to the appliance and the RDP proxy works but if I use it with my load balancer, it fails with this.  

Hi All,Please correct me if I am wrong. Based on the architecture diagram (refer to the part highlighted in red), does this mean that the Resource Broker server requires an RDS CAL license for users to start a proxy session through the resource broker server (on port 4489 or port 4422) to the managed system like windows server, linux server and network devices?Thanks again.  

While I was going through documentation looking to find out some specific information regarding Computer Logs vs Command Logs and trying to determine how they might be useful to troubleshoot issues with various machines from what I’m seeing on a select few vs that of the many machines in the same group, I came across this part. One thing I have noticed that is different than what is written, there does not appear to be any means to download “Command Logs” like the write-up states. And to that point, the only “Command” I have ever seen listed in this tab is when I Request Computer logs from a machine. Are there other types of “Commands” that show up here?  As to “Request Logs” from the Computer Logs section, you only really get 2 files.AvectoiC3Adapter25.8.840.msi-Installation-11-02-2026-0905.log PrivilegeGuardClient25.8.12.0.msi-Installation-11-02-2026-0906.logI think the documentation could use some improvement in this regard, to give a little more information as to what to expect or

Hello everyone!We are facing a possible configuration issue, we believe.Is there any setting for using BeyondTrust Workforce Passwords in a fixed browser window? The problem is that every time we authenticate, a new browser window opens, causing us to lose visibility and usability. Has anyone else encountered this situation?Thank you very much.  

Hello Everyone,We are currently developing API scripts to automate some functionalities within BeyondTrust. As part of this effort, we seek guidance on an API script that can provide comprehensive information about a user group.We are aware of the "GET UserGroups" API, but it does not include details about assigned users, Smart groups, and enabled features. Although we know there are separate calls to retrieve this information individually, we are looking for a way to obtain all this data in a single call. Thanks,Prasad

Apologies in advanced if this is common knowledge, I mainly support our Windows environment but I’m wanting to learn more about EPM on Mac.  Most of our Mac end users utilize an Active Directory group that we grant elevated privileges with.  A discussion came up recently about Homebrew, and I asked our support techs the current process for when they swap out machines for developers on Mac.  What I’m being told, is that possibly in the past EPM used to be able to allow standard users to install Homebrew via EPM for Mac however I’m being told Homebrew is incompatible with EPM for Mac.  End users are being added as local admin as part of the process which I’m not understanding why.If anyone has documentation, KB, or first-hand knowledge of using EPM for Mac and utilizing Homebrew without having to add users to local admin, it would be much appreciated.Example of what I’m being told from my End User Computing support team about the troubleshooting cadence of Homebrew for elevated privilege

Hi Team, Has anyone worked on onboarding sql developer application in Password safe? We are trying to onboard the SQL Developer application in password safe, However we are not able to click on connection which is already created in Sql Developer. I need help in understanding using AutoIT , how can I click on connection which is created. Once we can click on existing instance we will inject password on it .Need help here please .Regards,Imran