Unanswered questions

I have strange behavior in my PasswordSafe.I am using an application session, and when I try to start an RDP Session / Start Application Session: When using the option to run on a different system with the functional account, it works perfectly. When using the option to run on the current system with the user account, the RDP session does not start. It shows a black screen for some time and then closes. When I checked the logs in the second case, I found the following: INFO: Accepted RDP session 1234 for 1.2.3.4:1234 INFO: RDP Handler 1234 starting INFO: Found RDP certificate: My:.... INFO: Reading self signed cert INFO: (RDP server) Client Security: NLA:1 TLS:1 RDP:0 INFO: (RDP server) Negotiated Security: NLA:0 TLS:1 RDP:0 INFO: (RDP server) Server Security: NLA:0 TLS:1 RDP:0 ERROR: (RDP server) BIO_read returned a system error 0: No error ERROR: (RDP server) transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] ERROR: (RDP) BIO_should_retr

I can see several old sessions still appearing in the Active Sessions list in Password Safe, even though only today’s sessions should be showing. 

Hi everyone,The end users are experiencing delay and slowness when taking RDP sessions through Password Safe on-prem. Usually they have to read logs and commands and the slow and delayed screen output is becoming a hassle for them, resulting in a very poor user experience.After some researching, I found a commonality in the solution that it an issue with the client’s network, however, they are not ready to accept it.According to them, when they take RDP directly from the U-series appliance, the session is much better but from the Web UI, it’s very delayed and slow.Has anyone here encountered an issue like this, if yes, how did you solve it.Thanks in advance.

Hi All, I wanted to check if there is any API available that I can use to retrieve the password of account ? We are using cloud version of Password safe. With my initial analysis , I found there is any API available that can be used to Set password for account But want to understand if there is any API available to retrieve the password as well?Awaiting response .thanks in advance.

Hello All, We have created the custom Mainframe platform to onboard the Mainframe account under Password safe. This functionality is working fine . We have a requirement to onboard the shared Ids on the custom Platform wherein one Id will be accessed  by 8 users.  Here we are facing issue that when one user checks out the Id other user gets the error saying “The account is not available during requested time”. I have seen the below KB article which says concurrent session is not available on Custom/Generic platforms and it asks to change the platform type of system to Windows/Linux which is not possible for us .https://beyondtrustcorp.service-now.com/csm?sys_kb_id=cf6c24fc47a2669015c43e7d826d4394&id=kb_article_view&sysparm_rank=2&sysparm_tsqueryId=6c5caa3f47d436501bf1db37536d43b3 My requirement here is , is there any workaround available which we can use from which users can at least  view the password from Password safe for these shared ids ?.  If users can view the passwo

Hi everyone, have any of you implemented High Availability using a proxy server, or worked with customers who have deployed this setup? If so, I’d appreciate hearing about your experience, challenges, and overall results.Please share any relatable articles, would appreciate it. Thanks! 

Hi Elevate registry and allow changes only to particular section in registry HKEY_LOCAL_MACHINE\SOFTWARE\xxx and nothing else. So we know we can elevate any .reg files but we need to control because anyone can add anything into the reg file and do changes in registry. So is there any way to do this?

Hi Team,How to block dmg file installation in EPM-M we are unable to block installation for dmg file as well as package installer. The blocking rule is ineffective for application installations, whereas the actions related to allowing or requesting installations are functioning as intended.

Hi All, I would like to know how a user is being assigned to local admin group, via which AD security group or direct. Is there any way we can find this information through password safe A&R reporting service. Current setup is BeyondInsight 24.3.0.1186 Cloud.Br,Mani

Hello Community! I guess at least one people had is problem.Some times depending on the environment (cloud or on-prem) when we are just navigating between the menus, when we click to go to configuration, smart rules or any other menu, simply the Webconsole gets logged out.Other scenario is when we are using the webconsole and stops to user for few seconds (and really is few seconds) and appears the message "will be logged out soon/extend session"Have someone get this case? If yes, exists a reason for that and consequently the fix for that?Obs: in System > Site Options > Session: the time for Session Timout is already on a high time.Regards,Felipe 

We have several systems that, when viewing analytics/events there is no event activity reported on these systems. Yet if we view them in our RMM tool we see plenty of activity that should be appearing in analytics/events. What would be the best steps to take to address this issue?

Hi team,We have onboarded WINSCP as application in Beyondtrust password safe (cloud).  We are facing one challenge here where after application is launched using functional account , how can user transfer file from his local machine to RDS server. As WINSCP is launched to connect to target linux server , I want to understand since the file will be at user local machine , how can user move it to target linux system.I am sending the winscp application screen shot for reference . Awaiting response. Thanks in advance .Regards,Imran Aliyani

We are using a SmartRule with the Selection Attribute Criteria “Directory Attribute Match” using the employeeID attribute to map privileged account as dedicated account for a user only. This all works fine but we are worried if somehow the source system (e.g. AD) is messing with the data of this attribute employeeID, e.g. deleting the value (e.g. AD Admin not aware of that field, doing cleanup, etc.) or being tampered. This privileged acount then would be exposed to all the users (with access to that Managed Account group). How can this be prevented or found/reported which accounts may have an issue. I understand data quality is key here but with such a highly security related topic of privileged accounts one always has to assume that the source (AD) might be wrong and counter-measures must be possible on both side (source and consumer, i.e. PasswordSafe)

A client, and myself, all have the same error on our Azure connector: Unable to access Platform Environments: Insufficient privileges. Unable to access Platform Admin Applications: Insufficient privilegesIs anyone else seeing this issue? Bit of coincidence that we have this in three seperate sites. 

Hi Team,We’ve a use case as mentioned below:a user initiated a web jump from BT PRA to vSphere portal and was logged in successfully. Within the vSphere portal, user selects a VM wherein vSphere gives 2 types of logins- 1.Remote & 2.Web Console. User selects web console access which then launches a new tab within the Jump Item requiring password to be entered again. The key option is disabled and looking for suggestions to enable it.  

So, I’ve attempted this multiple times and took a short break to clear my head. Cannot seem to get this wrapped up, and it’s a necessity. Hi, I’m Robert and I’m a Security Engineer for my company. Part of my portfolio is Enterprise Software Management via Intune. I manage all software deployments for the company on a tenant level, using assignment groups to make certain apps available to pertinent groups. Over the past 3 years, I’ve learned a lot where Intune deployments and the Windows OS intersect. I’m still on the learning path, but I’m figuring out the nuances, the lowest common denominators and getting better at troubleshooting issues. This is where things get complicated: 100% of my experience in this arena is Windows 10 / Windows 11 based. And we now have a very small fleet (<10 devices) of Mac devices for our Marketing team. Now, I’ve tried everything I can find online, but the documentation on how to pull this off via Intune is scarce and incomplete. Reddit has been the mos

Hello Beekeeper Community,I’m curious to hear how others handle the following:Onboarding:easy: AD query, smart rules, and we have managed account. Offboarding:When a managed account deleted from AD , the password can’t locate the user. Also, there doesn’t seem to be a smart rule capability to identify which accounts are in Password Safe and which are not, to help with automated cleanup and management.How do you manage this process? Any tips or best practices would be appreciated!Regards,Maulik

Hi Beekepr ,  Does Password safe support password rotation base on managed asset /application session instead of time-based interval. Regards,Maulik

Hello team, could someone please share the prerequisites what we required to further onboard and the key information we need to request from the customer regarding this Azure? Below, I have outlined the relevant scenarios. Customer Mentioned: This is an Cloud SaaS Password Safe, Users are in Azure EntraID and servers are Domain-Joined. I have collected these below KB's :Configuration SAML Azure EntraID - https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sys_kb_id=dd8ff4a91b019e946fe95287624bcb37 EntraID FA MA - https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sys_kb_id=aad9352747511e50b77b3ddbd36d4384 Attached Asset requirement sheet.Thansk!

Employees with EPM installed are having issues printing with Excel and I cant seem to figure out what is holding that up when printing works fine with everything else. 

Hi  I would like to see if we can block commands in CMD for Windows Platform.If yes, how can we do a sample would help for building it.RegardsNaveen

I have a very unexpected behavior in my environment.I have multiple desktop applications and web applications created using both PS Automate and AutoIT.Sometimes a user tries to launch Application X, but instead Application Y is launched, and the wrong credentials are supplied.I need to know how to troubleshoot this issue.

Hi All, I am onboarding Toad in BeyondTrust Password Safe. If anyone has done this before, could you please share the .ini or .au3 file you used for passing connection details? Thanks in advance. 

I’m trying to see if it’s possible to utilize an SSH client manager like SuperPutty or mRemoteNG for managing SSH sessions that use SAML authentication.  We can not use the Direct Connect feature due to SAML being token based.  Any guidance would be greatly appreciated.

Hello Everyone,I’m working on password rotation for a custom (unsupported) application using the BeyondTrust Password Safe Cloud REST API. Before proceeding, I want to confirm whether such an application can be integrated for automated password rotation.Can someone clarify:What technical criteria or parameters must a custom application support in order to be compatible with Password Safe Cloud’s REST API-based password rotation?For example: Required authentication methods? Connectivity or protocol requirements? Ability to expose credentials or respond to rotation workflows? Any mandatory fields/settings needed in Password Safe for custom platforms? Any limitations or known restrictions for cloud API rotations? Any guidance or examples from your experience would be greatly appreciated.Thanks!