Recently active topics

I have two assets hosting a database cluster:Server 1 hosts DB01 which load balances to 4 database servers Server 2 hosts DB02 which load balance to 4 database serversI ran a scan on both servers. The results showed that Server 1 discovered 0 databases, while Server 2 discovered DB02.How can I confirm whether this behavior is expected?Additionally, I have a few questions:How can I verify that there is already a link/relationship between the two cluster nodes without performing a failover test? From the database side, there is supposed to be a floating hostname that redirects connections to the active node. However, during discovery, we only detected the hostname of one of the databases instead of the floating hostname. Is this the expected behavior? How will password rotation be handled in this clustered setup? 

Hello all,I have a user that needs elevated privileges on multiple computers, but if I put them in a flexible workstyle then they will have that workstyle and the permissions that come with it, on any computer the user logs into.  Is there a way to limit which computers this user will have elevate permissions on?Thanks for any guidance.-Joseph

We are installing a new PRA , onpremise installation and on Asser Management menu , we are missing gateway tab.

With macOS Golden Gate being announced in WWDC, I thought I'd create a post to share any known issues we've found so far. We have been testing EPM with all macOS Tahoe betas which we have available to us as a member of the Apple Developer Program. During this testing, we’ve identified a few minor issues. Below, you’ll find details of the problems, workarounds (where available), and planned resolutions.Issue 1: Incorrect OS Name and Version Displayed in PM CloudDescription: In PM Cloud, the macOS Golden Gate version is reported incorrectly. Where to See: Home → Computer → Details → OS → the “Name” and “Version” fields show incorrect values. Workaround: None. Resolution: This will be fixed in 26.3.1 release, where the OS will correctly display as macOS Golden Gate (27.0). Issue 2: Apple Publisher Name Change for macOS 27 System ApplicationsDescription: In macOS 27 Golden Gate, Apple has changed the code-signing publisher name for system applications from "Software signing" to "macOS Soft

Hello,I am new to EPM - I have just watched the Administrator BTU videos. I am deploying demo environment: 3 ubuntu VMs in cloudshare that I need to manage from Pathfinder. The Pathfinder interface looks way different to the one shown in the BTU materials.Since now, I installed&activated epml client packages at the cloudshare VMs (which is nicely covered in the documentation). I do not know yet how to scan for them from the Pathfinder interface.Could you point me to the proper source explaining how to proceed? Is there any guide available for Pathfinder?Thanks!Tomasz

Configuring a webhook integration with ServiceNow IT Service Management (ITSM) allows you to create incidents automatically in ServiceNow ITSM.ImportantThird-party documentation is subject to change. Updates might not be reflected in BeyondTrust documentation. For the most up-to-date information, visit ServiceNow product documentation.Requirements Access to a BeyondTrust site with an EPM app An EPM account with webhook read/write privileges An service account in ServiceNow, with permissions to create a new user in ServiceNow with the itil role. Create a service accountThe webhook integration between ServiceNow and EPM requires an service account in ServiceNow. You must create a new user in ServiceNow with the itil role and copy the user's sys_id. You require the user's sys_id when configuring the webhook in Insights.NoteFor more information on creating users and assign roles in ServiceNow, see Create a user and Assign a role to a user.Create a webhook integration for ServiceNow - I

I would like to establish a connection to a closed network with a jumpoint/gateway every 30 Minutes, do some tasks and then close the connection again.I thought about using the tcp or network tunnel to establish the connection.Does anyone know a way how to automate this with the APIs? I couldn't find anything. thanks for your input on this

Is there any way Beyondtrust support setting managed account password rotation setting to below option?Change password every 24 hours or any specified hours instead of mentioning change password number of days and specifying the exact hour to change? I am okay mentioning change password every 1 day but looking for an option of not mentioning what hour of the day. It makes sense when want to schedule passwrod rotation at particular time that that will be useful. 

Hi team We're writing to report a problem that has been occurring with our client. Several users have reported that while connected to a session, their session suddenly disconnects. This has happened to multiple users, and we'd like to know the cause of this behavior and if it's a known bug.

Hey guys, hope you can answer my question and maybe give suggestions:I am trying to onboard my users’ privileged accounts into PS. I have an AD security group where I add the privilege accounts (by batch). My Directory queries, Smart Rules to onboard priv account, including the linking and mapping of the accounts, are all ready to go.My question is this. If I have just added a group of users into my AD security group and waited for the replication between my domain controllers, how long should I wait for the users to be onboarded into my PS? In the past, I have manually processed each individual smart rules for the propagation. If I have an automated system to add users into the security group and will just wait for the DQ/Smart rules to run, how long do I have to wait? Or can I configure this to run upon changes to the security group? I am asking so I can provide some specific timelines/duration for my users. 

The following articles were published last week. New Knowledge Base Articles: KB0022465 - Warning message: Installing more than one Jump client being phased out KB0022554 - How to retrieve Integration Client connection string KB0022565 - Rotation of accounts failed for a subdomain in PRA and RS KB0022590 - Issue with admin credential prompt visibility during Remote Session KB0023605 - Endpoints for local accounts are shown incorrectly in Vault accounts tab within the console KB0023620 - Access denied error when running canned scripts from the Shell tab in Remote Support after upgrade KB0023634 - macOS Sequoia does not show RS or PRA as an option in settings to enable screen recording KB0023651 - Are Privileged Remote Access or Remote Support appliances vulnerable to PHP 7.1.29, 8.0.12, or 8.1.27 vulnerabilities? KB0023657 - Android devices disconnect after upgrading Remote Su

The following articles were published last week. New Knowledge Base Articles: KB0022452 - Using an AD vault account to launch an SQL tunnel fails - Login failed. The login is from an untrusted domain and cannot be used with Integration authentication. KB0022465 - Warning message: Installing more than one Jump client being phased out KB0022554 - How to retrieve Integration Client connection string KB0022565 - Rotation of accounts failed for a subdomain in PRA and RS KB0023605 - Endpoints for local accounts are shown incorrectly in Vault accounts tab within the console KB0023608 - Console shows "Error initializing application" or "Account is already in use" KB0023634 - macOS Sequoia does not show RS or PRA as an option in settings to enable screen recording KB0023651 - Are Privileged Remote Access or Remote Support appliances vulnerable to PHP 7.1.29, 8.0.12, or 8.1.27 vulnerabilities?

The following articles were published last week. New Knowledge Base Articles: KB0022551 - Frequent BSOD when Nerdio Manager software is used to manage AVDs KB0022576 - Error adding certificate to keychain EPM for Mac "SecTrustSettingsSetTrustSettings: The authorization was denied" KB0022588 - Unable to "Delete immediately" from Trash or Bin with EPM-M - prompted for admin credentials KB0022592 - Can EPM policy be configured to deactivate NTLM ? KB0022642 - Unable to upload changes via MMC - Unexpected communication error KB0023545 - Endpoint Utility connection test error - Unexpected communication error. Access to the path 'C:\...\EventService' is denied. KB0023676 - VirusTotal Reputation Score tokens render as empty in JIT ticket-create webhook payloads KB0023678 - BT-2026-June-EPM Cloud KB0023687 - EPM Cloud events sent to CrowdStrike through s3 bucket ingested incorrectly

The following articles were published last week. New Knowledge Base Articles: KB0021507 - Appliance API keys fails for high availability active passive pair setup KB0022569 - Launch Microsoft SSMS version 21.x as an application session is slow KB0022579 - Error when creating users in SailpointIQ built-in admin group "Error while performing operation : Create Account Error code : 500" KB0022681 - HA setup fails error : "The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permission for it" KB0023390 - SQL Server Reporting Services (SSRS) discontinuation and on-premises U-Series Reporting KB0023667 - How to troubleshoot Password Safe and ECM integration with Secure Remote Access (SRA) KB0023673 - Which versions of BeyondInsight, Password Safe, and U-Series Management are supported? KB0023674 - PS_Automate.exe fails to load target URL — E

Hi all,I’m interested in hearing from anyone who has successfully implemented Azure Application Proxy as a front door to a BeyondTrust PRA appliance, specifically to reduce direct exposure to the internet. Current EnvironmentBeyondTrust PRA appliances hosted on-premises Appliances are internal-only (no direct internet exposure) Internal user authentication handled via SAML with Microsoft Entra ID RequirementWe are looking to enable access for external 3rd-party (guest) users while maintaining a zero/low direct exposure footprint.Key goals:Avoid publishing the PRA appliance directly to the internet Leverage Azure App Proxy as the external entry point Use Entra ID authentication (including B2B guest users) for access control Maintain alignment with our existing guest onboarding and governance model (via Entra B2B) Avoid using the BeyondTrust vendor portal where possible Proposed ApproachExpose a dedicated external URL via Azure App Proxy Require pre-authentication with Entra ID (includin

Hi communityOur clients are currently starting to use SQL Tunnel and PostgreSQL Tunnel connections. When checking the recordings, they are not available; only the transcript is shown. I would like to know if PRA does not support these types of recordings.

Hi team My client is having this problem: some sessions are recording, and others aren't. They have several connections to the same device, and while some recordings are available, others only have the transcript. I'd like to know what's happening in this case and what the problem might be. As an additional note, the product is in version 25.3.2. All sessions are from the same user and are of type RDP

Hello Team, We are trying to configure AWS Scan Target Collector as connector in Beyond Trust Password Safe (On Premise version 25.1).The required fields for this configuration need Access Key ID and Access Secret.We have a Organization security policy on AWS to rotate these access key ID’s and Secrets every 12 hour for any role. Is there any by which we can get those updated access key and use them for configuration or any alternative way to set up stable connector configuration. Thanks,Prasad

Hi All,My organisation has auditing requirement to review who approved what session request for certain applications. Now - Using the Activity Report in Analytics and Report, I have managed to generate the reports who approved session for RDP and SSH connections but I am unable to generate the same for application connections. Now this is mainly because as per my understanding you cannot classify an application connector as asset or an asset smart group hence I am not able to generate this report. I am looking for any guidance on how to generate application connector’s session approval request or alternatively how I can classify application connector as an asset smart group for report generation Thanks in advance for any support.

I need to elevate a simple powershell script that copies a file to a directory in “C:\Program Files”. The problem is that if I put in the hash of the ps1 file, it does not trigger the elevation because EPM only seems to see the hash of powershell. I followed KB0019883 which seems to suggest it is possible to do this. I did try by right-clicking on the ps1 and selecting “Run with Powershell” but it does not work by hash. I do not want to approve by file name.Has anyone been able to elevate a powershell script by hash? 

Is there a way to disable this action/button?When a rep removes a customer using this button, the system message in the chat transcript logs it as “Event Type: Conference Member Departed” and “Performed by: [customer name]” which gives the appearance that it was customer initiated. In the chat pane, it displays “(timestamp) [customer name] has left the conversation.”The only mention of “Remove Participant” in the documentation is in the rep doc and appears in the Session Tools section on a list of actions with dedicated icons.As to why disable the button, it is a potential work avoidance issue and the current level of logging makes it difficult to track.

From what I can tell, dedicated account mapping (e.g. KB0017035) the only option available is to map the exact same attribute in both domains. For example, employeedomain\user1 has attribute1 set to “user1”privilegeddomain\admin1 has attribute1 set to “user1”to drive the mapping via smart rules. However, that implies that modifying attribute1 in employeedomain to a different value, say, “user2” would grant user1 access to user2’s privileged resources, giving domain1 authority over a privileged domain’s access. What I want to be able to do is have privilegeddomain\admin1 attribute1 set to “user1”, and map that to employeedomain\user1’s name field (or samaccountname, or SID - something not modifiable without breaking the employeedomain\user1 account). Is that possible? 

Hi community,I'm deploying AD Bridge in a production environment, and the client has a high-availability infrastructure where server restarts are not permitted.Is it possible to install the AD Bridge agent without requiring a server reboot after the installation?I look forward to your response.Thank you.

I have a windows 2019 server enabled with RDS services and password safe for users that need to have privileged access to cloud apps that are onboarded as enterprise apps in Entra / Azure. How can i give users a single on sign experience when they do not have access to the account password? I am trying to avoid published apps and keep my admin overheads as low as possible.Has any here been able to make this happen? I had something running to support this when we had ADFS, but sadly we have moved on.