Unanswered questions

I would like to connect to a specific computer by hostname to perform queries via API. The problem I’m running into is the API requires the jump client ID, not the host name. And there is no server side filtering for the hosts to find the jump client ID. I then tried to pull a list of all hosts and jump client IDs to filter on my end, but the maximum number of results I get is 13. I have extensively consulted with chatgpt and it came to this conclusion:Ah — that clarifies things. The reason your earlier scripts didn’t work is the Command API only supports listing all connected clients; it does not support a server-side filter by hostname. That’s why trying to query a single host returns nothing — the API only gives batches of connected clients, and without paging through, your host might not be in the first page.Ah — now it’s clear why you’re still only seeing 13 Jump Clients: the BeyondTrust Cloud Command API get_connected_client_list does not return all connected clients at once. On

we have 2 PRA appliance in cluster.  The primary appliance was initially deployed as stand alone in 2020 and only in 2022 ,the second appliance was deployed. So, in secondary appliance, we can see the data encryption is already enabled but in Primary , this is not enabled and says we need to free up space. we needed a confirmation, if we fail over to current secondary, will we face issue in this scenario with one appliance data encrypted and other not?  Also, in the documents and in KB, it says secret store is required to be added but since in secondary its already enabled without external secret store, we can assume the encryption keys are stored locally? since only AWS is supported for external secret store, we are unable to add external secret store.  

All our workstations are managed through Intune in User Mode, which means that there are no Admin rights on the workstations by default as part of our security hardening. Applications to be installed is dictated through the Company Portal. However we do have some apps that are very difficult to package for Company Portal deployment and BTRS is then the route to go through and through the session the engineer has the ability to elevate command prompt/powershell prompt to install the particular application. Also for admin elevated tasks, BTRS is the lifeline. Of course we do detect left and right that engineers “abuse” the rights and install apps without proper approval which in turn could be a security risk. Is there an “easy” way through any of the reports (haven't found any so far) to see who did elevation of command prompts/powershell prompts which can then be evaluated if it was correct use or abuse.  

Hello everyone,I am currently encountering an issue when performing a managed account password change on F5 BIG-IP. I would like to describe the issue as follows:On the F5 BIG-IP device, I created a user named "btfunctional" and configured this user in PAM as a Functional Account (FA). I performed a Test Functional Account, and it completed successfully. However, when I attempt to change the password of another managed account, I encounter the following error:[btfunctional@ltm01:Active:Disconnected] ~ # Thread was interrupted from a waiting state. Password change failed.I would greatly appreciate your support and assistance with this issue.Thank you very much.

Hi Team, is there any way to clean/flush the password  stored in clipboard “when you do a copy of credentials from password safe , it does not get cleared automatically from your clipboard. The clipboard storers the credentials rather than clearing the clipboard after a short period of time”

Hi,Anyone else have a need to keep password history for more than one year? A problem we face is if we need to restore a windows server from more than a year ago, we won’t be able to log in via the local administrator password as it will be unknown. I know there are some workarounds where you can reset if it is an AzureVM, but having history more than a year is needed.Anyone have any smart ways to work around this limitation?Someone has already logged an idea for this if you want to vote.Allow Password History For More Than 360 | All Product Ideas - PublicThanks

Hello!We are running version 24.3.4 and have observed multiple Jump Clients going offline intermittently. Upon investigation, most affected clients show that the service has stopped.We’ve been using PRA for several years and have performed multiple upgrades from 20.x versions. This issue started appearing after the last 1–2 upgrades. Based on the support KBs, our current version does not appear to be impacted by any documented known issue.I’ve opened a support ticket and will provide logs, but the behavior is random and difficult to predict when it will occur again.Other users seem to have reported similar issues, and a scheduled service restart is suggested as a workaround. However, this approach is not scalable for us since we manage thousands of endpoints and have 24/7 user activity, which could negatively impact user experience. I also noticed recommendations to restart the site software. Fresh re-install will be a pain.Is there a known root cause for this issue? Has anyone success

Good morning.I'm trying to inject the credentials of a Linux system into a domain that's password safe, but it connects using PRA.In PRA, when I inject the credentials, it does so without the domain.If I manually enter the username, domain, and credentials, it connects.I'd like to know how to inject the username with the full domain.Regards.

Hi,just a short question. Is there a need/ recommendation for the “recommended exclusions from 3rd party anti-virus - KB0017099 ” in combination with Microsoft Defender for Endpoint?We are asking this because at the moment we do not have set these exclusions and for us the Defender is not a typical “3rd party av”. Regards,Jens

Hi  I would like to see if we can block commands in CMD for Windows Platform.If yes, how can we do a sample would help for building it.RegardsNaveen

hi guys, is there a way to get a list of AD managed systems without linked accounts? thank you

Hi All,I'm new to PS but have been running RS for over a year now, we export syslog via webhooks on RS and PRA to our Rapid7 SIEM and it is working well, but I cannot seem to get it to work with PS. Any ideas?

Hello,we just started with PRA and Vendors, and i wanted to add a new vendor group. When i want to choose the according group policy, i cannot pick the one i want ( it does not appear in the drop down menu). And there is that warning that states:Group Policies that grant administrative permissions are not available for Vendors.What is regarded a administrative permission? How can i find out what to change?Best regards,Sven

Can we scan the servers that are hosted in azure using the Master key rather than asking user to create individual accounts for discovery. If Yes what is the process?

Can BeyondTrust Password Safe support strict logical segregation between two departments (Network Division and IT Security Division) within the same Password Safe deployment, ensuring no visibility of assets, accounts, users, or sessions across divisions? Component Network Division IT Security Division PAM Admin Network PAM Admin Security PAM Admin Assets Network devices Security infrastructure Accounts Network privileged accounts Security privileged accounts Users Network engineers Security engineers Policies Network-specific Security-specific Reports Network only Security only Configuration Network Only Security Only

Hi all,Im currently exploring the features and benefits of the EPM solution, and I came across the TAP functionality. I have a quick question regarding this.What is the difference between TAP configured under a Workstyle created in Enhanced Security and the TAP policy templates found under Utilities > Template Policies? I could not find any clear explanation in the documentation, or I may have missed it.I would appreciate it if someone could clarify this for me. Thanks. TAP under Workstyle created TAP template policies under Utilities > Template Policies 

PRA requires a user to login a first time in order to be available in PRA for example to assign vault accounts.Unfortunately this is causing problems with new employees which are onboarded into PRA.Unless they have never logged in, administrators cannot assign personal vault accounts. If the user logs in, and does not see his/her vault account, they create tickets. This is a very large customer and it is difficult to orchestrate / communicate such a process and they would like to automatically provision new users (from AD). How do other customers provision users up-front and define vault accounts, etc. and not depend on a user’s first login?  

Jump SQL management studio with credential injection on PRA

I have multiple Database admins I need to give access to our database for. We have no resources for PAW or Internal Admin machines. Is it the purpose of Beyondtrust SQL server tunnels to be ran on BYOD device and have them tunnel SQL Studio traffic to my on prem SQL server? Has anyone done this? I believe I have the tunnel up. How do you use Management studio? My “Open datasource Client” is grayed out. How do the credentials work? Do the credentials I use for the tunnel work for everyone using the tunnel? Or do I need to create one tunnel per person? 

I have strange behavior in my PasswordSafe.I am using an application session, and when I try to start an RDP Session / Start Application Session: When using the option to run on a different system with the functional account, it works perfectly. When using the option to run on the current system with the user account, the RDP session does not start. It shows a black screen for some time and then closes. When I checked the logs in the second case, I found the following: INFO: Accepted RDP session 1234 for 1.2.3.4:1234 INFO: RDP Handler 1234 starting INFO: Found RDP certificate: My:.... INFO: Reading self signed cert INFO: (RDP server) Client Security: NLA:1 TLS:1 RDP:0 INFO: (RDP server) Negotiated Security: NLA:0 TLS:1 RDP:0 INFO: (RDP server) Server Security: NLA:0 TLS:1 RDP:0 ERROR: (RDP server) BIO_read returned a system error 0: No error ERROR: (RDP server) transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] ERROR: (RDP) BIO_should_retr

Hi everyone, have any of you implemented High Availability using a proxy server, or worked with customers who have deployed this setup? If so, I’d appreciate hearing about your experience, challenges, and overall results.Please share any relatable articles, would appreciate it. Thanks! 

Hi,I’m trying to find a good way to secure these generic accounts and still to be able to use them as bt- and buadmin are used on a regular basis for updates and support cases. As I have 4 appliances to manage and have high security requirements I’d need to have individual passwords, with regular changes and changes after access for each of them. It would be a challenge to manage the regular changes and make performing regular tasks challenging.I had posted an idea to use the Enterprise Updater as SPOC (Single Point of Control) which would have it’s own credentials and would have an encrypted key based connection to all appliances. From the Updater one could create individual schedules for the updates and unlock/lock them centrally. This would make tracking, planning and handling of updates a lot easier and only one generic user (buadmin) would need to be secured. I’d prefer a personal account though and leaving the generic account as a breaking glas solution. This would only cover the

Hi All, I wanted to check if there is any API available that I can use to retrieve the password of account ? We are using cloud version of Password safe. With my initial analysis , I found there is any API available that can be used to Set password for account But want to understand if there is any API available to retrieve the password as well?Awaiting response .thanks in advance.

Hi everyone,The end users are experiencing delay and slowness when taking RDP sessions through Password Safe on-prem. Usually they have to read logs and commands and the slow and delayed screen output is becoming a hassle for them, resulting in a very poor user experience.After some researching, I found a commonality in the solution that it an issue with the client’s network, however, they are not ready to accept it.According to them, when they take RDP directly from the U-series appliance, the session is much better but from the Web UI, it’s very delayed and slow.Has anyone here encountered an issue like this, if yes, how did you solve it.Thanks in advance.