Unanswered questions

Some users intermittently encountered this error in Password Safe PAM:Because of an error in data encryption, this session will end. Please try connecting to the remote computer again.After that error message, the session disconnects.Tech Support determined that the issue is caused due to a network-related TLS/SSL interference between the appliances and target servers. However, Networking team couldn't find any issues to fix.Please share with us if anyone encountered this type of issue.ThanksMeku

I can log into the portal but when I click on links for KB articles or cases nothing happens. If I use a direct link to a KB article I get a message that it was not found. Is anyone else experiencing problems or do I need to look for issues on my ends?

What is the best practice for configuring IP rules on APIs when the servers’ external IP addresses change frequently?

Hello All,Is there a way to notify (some sort of pop up) the users that the JIT request has been approved via BT EPM app/agent for a better user experience ? PMC has been integrated with SNOW.

Hey everyone,Checking to see if anyone has seen this before, I have multiple servers in an environment that all point to the same proxy.  On a handful of these servers, I can see where package manager is downloading and attempting to install the adapter and client.  However, on others I’m seeing where it cannot download the package.  It tries 5 times, gives up and says I can find more information on the agent with a specific ID (looks like the computer ID).  Anyone have a location for that log? I’ve looked in the standard ones with no luck.I’ll attach an example from the event viewer logs so you can see where it downloads and tries to install the adapter with a 1603 error on one (this I’m trying to fix with workarounds) and on the other it can’t download at all.  

Does anyone know if it is possible to include multiple domains in a management rule filter?  For an example, we need to setup rules to move multiple domains to single computer groups after a certain length of time.  Currently, I have over 20 management rules in place to do this functionality, however I would like to cut that down if possible.  

Hi,I have a problem with the Avecto Defendpoint Service (client version 25.8.12.0).When I restart a Windows 11 notebook, the service is running, but EPM does not work correctly.To resolve the issue, I have to restart the Avecto Defendpoint Service manually, after which everything works as expected.If I set the service startup type to Delayed Start, it starts after about two minutes and then works fine.Has anyone else experienced this issue?Thank you.Kind regards,Thien

I set up my jump groups and created a jumpclient linked to each jump group. In the jump client configuration I checked the box to allow override for the Name field and I’m trying to pass the jc_name parameter with the MSI deployment. However, it seems to just ignore it and the device comes in the rep console with the name showing as the Jump client name and not what I entered in for the jc_name parameter…. Has anyone had luck setting the name in the rep console with the MSI parameter? 

Hi Guys, Can anyone address this query? Does PRA Remote RDP Jump using SecureApp with Type Remote Desktop Agent requires Cal License. Use case is we have an application that needs to be accessed, so we configured the Remote RDP jump short cut and configured  SecureApp with Type selected Remote Desktop Agent. If Yes Cal is needed then why do we have two options one RemoteApp and the other Remote Desktop Agent. please let me know how to go ahead without the Cal license for this use case

Hi Everyone,I’m posting here to seek your guidance and help in troubleshooting an issue we encountered during a recent Beyond Trust Password Safe upgrade from Password safe 23.3 version to 25.1 version.During the upgrade activity we faced an issue that required us to roll back the change to restore service stability. Since we did not have an immediate workaround available from BT support team , we proceeded with the rollback.Inputs or best practices for troubleshooting similar issues during upgrades Guidance on the error observed, based on the screenshots and details shared below. Any recommendations or pre-checks that should be performed to avoid encountering the same issue againPFB screenshot for your ready reference. Any insights or experiences you can share would be greatly appreciated and will help us better prepare for the next upgrade window.Thank you in advance for your support.Best regards,Billa Shiva Teja

Hello Everyone, We are currently performing clean up act for previously configured data in BeyondTrust Password Safe (On-Premises Instance). while analyzing data it was found that there are number of Address groups which are configured but not sure how those are related to any Smart Rules.Is there any easy way to find out list of smart rules using those Address groups? May be a DB query also works. Thanks,Prasad

Hi Team,  I need latest version  password safe upgrade document. Regards,K.Sathiya

EPM-W is blocking some of the functionality of ZoomText screen reader. How do we get around that and allow all functions of ZoomText to run? zt.exe and child processes have been whitelisted already.

Qurestion for beekepers , has anyone onboarded XEN hypervisor as password sase does not have a platform for this as default . Require guidance on how we can onboard XEN hyperviors onto PS

Hi All I have been looking arround for a document that can help in building the Beyondinsight Using UVM for Privilege Management for Windows & Mac in Active Active mode for DC & DR. What are the prerequisites and how to establish the DC & DR scenarios, what are the things that we should be really looking into for the deployment. My another query is how does the Agent understand the DC & DR scenario as if we need to deploy 1 Management node in DC and 1 Management node in DR with 2 Event worker nodes in DC and 2 Event Worker nodes in DR. Where in DC we have SQL in Cluster with Always ON Availability Group and Same deployed seprately in DR too. Can some one explain as how it works and what are the precautionary measurements we need to take care of.

Greetings all I have a developer who is using AWS Secrets Manager for his code. However, he is passing the username and password from Active Directory over to the secret in AWS Secrets Manager and calling that JSON from Secrets Manager.Ideally, yes, he should be calling it from BT and not AWS Secrets Manager but that would involve a lot of code rewrite for him on a production system.We are looking at adding the secret in Secrets Manager as a synced account with the service account so that when we rotate the password on the service account, it would also rotate the password on the AWS Secrets Manager secret to the same password.What he needs though, complicates it. He is storing this in his AWS secret{"binddn":"cn=ldapauth_account,OU=Service,OU=Accounts,OU=company,DC=domain,DC=com","password":"abcabc"}When BT rotates the password on the service account in AD, it writes the password to the secret in AWS wiping out everything so he ends up with something like newpassword instead of the wh

Hello dear community,We are planning to update the U-Series software (PWS and AM). In addition to the recommendation regarding the BeyondInsight / Password Safe - Upgrade BeyondInsight Password Safe Active Passive appliance high availability pair, we would appreciate hearing from anyone who has already performed this upgrade in a similar setup.Could you please share your experience? Specifically: Were there any system resource requirements or constraints to consider? How long did the process take? Was the upgrade smooth, or did you encounter any challenges? Thank you in advance for your collaboration. Br,

When a BeyondTrust Password Safe Cloud tenant is provisioned with Pathfinder, is direct access via the default subdomain (e.g., example.ps.beyondtrustcloud.com) completely restricted or disabled? If so, could you clarify the exact URL, FQDN, or endpoint that needs to be allowed from the Resource Broker to access Password Safe, including any required ports or protocols?

Hello,I am working on creating a new BT EPM policy for our Win 10 and 11 system in our environment. I created an application group and added it under Low Flex workstyle. I am trying to create a policy that will block all the applications except the ones i have approved in SCCM Software Center and InTune. My problem is that i have a list of couple of hundred of approved apps and i don’t want to add them in the application group manually one by one. is there a way to import them from an excel list if i populate the excel with publisher and product name and whatever else i might need. or is there any API i can use for that.Thank You

I have granted myself Recorded session reviewer and Active Session reviewer role but when I try to view completed sessions, I get this error:Unable to open the session. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Please contact your Password Safe administrator.Looking at the system event viewer, I am getting a certificate validation failure for host xxxxxxx MessageCertficate validation failed for host kbpdpammgt001.corp.bank.nzpfs.co.nz:443 on url https://hostnameFQDN/eEye.RetinaCS.Server/api/PMM/remotesessions/replayI have checked my certificate (Load balancer certificate) and confirmed that it does have the SAN pointing to this host. 

Hello,We are currently integrating credential injection from Password Safe into PRA for Cisco devices using the Shell Jump method.Users are able to successfully authenticate and access the devices with the injected credentials. However, when they attempt to enter "enable" mode to perform configuration changes, the system prompts for the password again.At this point, no credential injection prompt or window is displayed, so users are required to manually enter the password. Since the credentials were injected automatically during the initial login, the users do not have visibility of the password and cannot proceed.There is any feature or recommended approach that allows re-injecting or reusing the credentials once inside the shell session (for example, when escalating to enable mode).Thank you.

Hi  I have configured PRA where I have jump client and a RDP for a windows Server, when I am accessing I strangely started noticing that Over the Mouse there is a black dot which keeps moving along with the Mouse Arrow cursor. the problem is that they are not in sync, there is a kind of lag, is there a way to fix the Mouse having that black dot., can we remove it.

We’re currently using BeyondTrust Password Safe to manage SSH access to a large number of Linux servers (100+), where users authenticate using their AD accounts.Access to the servers works fine through Password Safe, but we’re running into an issue when users need to elevate privileges. When they run sudo su, the system prompts for a password, but since password retrieval is disabled, users can’t proceed.We want to avoid enabling password retrieval or exposing any credentials to users, but still allow them to perform privileged operations when required.At the same time, managing sudo access directly on each server (e.g., updating /etc/sudoers individually or using NOPASSWD per user) isn’t really practical at this scale.So I wanted to check with the community:Is there a way to handle sudo password injection through Password Safe for SSH sessions? How are others managing privilege escalation in similar environments without exposing credentials? Any recommended best practices for scaling

We have Cimplicity Webspace in our environment, which is web based. The main dashboard does not have a login screen, but each page off of the main page is an embedded IDE object that has its own authentication. We are trying right now to run the application as a Web Jump, but Web Jump does not see the authentication fields because they are in the embedded IDE and not HTML fields.Has anyone found a way to use Cimplicity Webspace with PRA?

Hello All, We have one new BeyondTrust setup. It seems option ‘Use SAML Authentication’ on login page is not visible for somehow.We have configured AD domain, and it shows in dropdown option but the link for SAML authentication is not showing up.Can you help if any settings need to be updated?  Thanks,Prasad