Skip to main content

Unanswered questions

45 Topics
A
Anshuman PatidarNewcomer
asked in Windows & MacOS
Manual Policy Refresh Issue

Hi, We have an issue of manual policy from PMC console is not getting refreshed to latest version when trying to manually refresh the policy. Although all looks good on PMC console, if I try to manually refresh a policy on a machine in PMC console it will say that system is on latest assigned policy, I will also get a message that system is on latest revision but when I check in BT icon > right click the policy is still on older version.Automatic policy refresh works fine that is when system check-in with PMC console on its own the latest policy is applied without any issue.I have test policy group where the policy refresh is working perfectly fine only production policy group we are facing this issue.If anyone of you has encountered this issue, it will great help if you can suggest what could be the possible reason.  

751
MikeK
H
HamzaTrailblazer
asked in General
PRA External Invite

I have multiple questions regarding PRA External invite feature if anyone has used it.is the invite is only for the session the user has created for or external user can also view other session in the console once joined through invite? once external user joins the session , can he will be able to see even if the I minimize the console for some other work ?

191
MikeK
M
MichaelDVeteran
asked in Windows & MacOS
EPMfW: U-Series (on prem) API for Response codes

Hi I’m trying to confirm if there’s any API/REST documentation around generating response codes for on-prem U-Series BeyondInsight instances.   I know in the cloud we have additional options but at this moment looking for U-Series API calls for generating response codes. 

181
H
BeyondTrust Employee
S
SammedPatilNewcomer
asked in General
Managed Account Next change date should consider Last change date

Hello Team,  We have observed a issue with PasswordSafe, where Managed Account Next change date is calculated based on Last scheduled change date. If the user changes the password manually, Next change date is not updated to new date based on Password change Frequency (Xdays). The problem observed today, is that teams who have manually changed the password for a Service account ahead of a policy based 90-day rotation, as part of a RFC change window, will suddenly have the service account password rotated automatically again (potentially just a few days later) on the 90-day rotation enforcement date by PasswordSafe - thus breaking their production service. How can we achieve this use case in such a way that Next change date is updated based on last change date (scheduled & manual)?

233
L
K
kimberlyvApprentice
asked in General
API Endpoints

When API endpoints are changed, how often will this be? With the last big update BI had, some endpoints were depracated. I am curious how often this is going to happen? APIs have become very popular in our environment and alot of our scripts are breaking with these changes. Ex.) In BeyondInsight/Password Safe 24.3, "UserGroupId" has been deprecated.I know the word “Safe” was also replaced with “Folder”. 

270
K
B
bt101Veteran
asked in General
app parameters for PRA - BT Desktop Agent based app launch and cred injection

Hello! is there any documentation that includes example parameters/strings that should be used while launching apps using PRA BT desktop agent. Admin guide has details of configuration options but nothing further e.g. example strings. I am able to connect to RDP using first set of  credentials , at one time was able to launch web browser but later started seeing error in chat windows that says file name/path could not be found. 

1111
GloriaB
BeyondTrust Employee
A
ArnoApprentice
asked in General
Enhance performance for PRA

Hi Community,Is there any experience that latency times increase as longer as a PRA appliance runs?Subjectively, we have the impression that the PRA connection is getting slower, even within the sessions.Are there ways of measuring this objectively?What can be done to improve it? More RAM in the jump points or something similar? RegardsArno

644
I
B
BartoszApprentice
asked in General
ESA deployment requirements

Hello community,I’m looking for a list of requirements for ESA deployment along with information if SMB3 is supported and which SMB version is the default one?I can’t find this information anywhere in documentation, the only mention about it is this KBA but its 9 months old and I’m not sure if its up to date at this moment.Cheers,Bartosz

265
B
frank.colvin
frank.colvinVeteran
asked in General
SSH using Secure CRT, Winscp or sftp clients

we are rolling out linux/unix managed systems and we are having great success with putty, however our developers user Secure CRT, winscp and sftp clients. does anyone have any advice/guidance? 

342
R
T
BeyondTrust Employee
tkellumBeyondTrust Employee
asked in General
Remote App Launch Display Scaling

I wanted to bring this to the community for feedback as it was brought up for discussion during a troubleshooting case for a Password Safe customer, while configuring Remote Applications to be launched via ps_automate.exeIt was found that if we expand the Remote App window during the login process, we may see the login screen display look distorted based on the size the window takes up on the user’s screen. I attached a screen capture showing what was observed while initiating the session with a single high resolution display detected and one with multiple displays detected. observed remote app loginThe important thing to note here is that this does NOT affect the look of the actual application when it appears in RemoteApp mode and it does not affect the ability to launch the application itself. This is purely a cosmetic concern.I have three questions on this:Is this this due to the configuration of the Remote App session? Is this the result of a limitation of FreeRDP? What would be th

180
T
BeyondTrust Employee
H
HamzaTrailblazer
asked in General
PRA Multiple approvers

Can there be multiple approvers in PRA to approve jump session?if yes, how it works, any one to approve or all must approve?

202
Kenny Lyman
BeyondTrust Employee
Prudhvi Keertipati
Prudhvi KeertipatiVeteran
asked in General
PRA Access Console - Connection Issue

Hi Team,We have a PRA Cloud tenant deployed and there are NO network restrictions setup on /login console. From US, we are able to access the Access Console, but our users from India team are unable to access and getting below error. They can access /login console but not Access Console. Are there any logs that I can verify or what might be the cause?Thanks,Prudhvi

2165
Prudhvi Keertipati
T
tsipesNewcomer
asked in General
Accessing SRA API

This may have been asked already.  I have been working in the APIs for PWS with no issue.  Moving over to SRA, I cannot get the connection to work.  Tells me it is not allowed.  I have the account and API client/secret encoded.  I am using Powershell and tried it with/without the -Method POST option.  My code is $AuthKey = "Basic MyBase64Key"$AuthURI = "https://OURSITE.beyondtrustcloud.com/oauth2/token"$headers = @{ Authorization=$AuthKey}$Response = Invoke-RestMethod -URI $AuthURI -Header $headersWhat in the name of the sake of sanity am I missing?  Once I get this I know the rest falls into place. TIA

221
P
BeyondTrust Employee
R
Robert A.Rising Star
asked in General
Securing default generic accounts (bt/bi/bu-admin)

Hi,I’m trying to find a good way to secure these generic accounts and still to be able to use them as bt- and buadmin are used on a regular basis for updates and support cases. As I have 4 appliances to manage and have high security requirements I’d need to have individual passwords, with regular changes and changes after access for each of them. It would be a challenge to manage the regular changes and make performing regular tasks challenging.I had posted an idea to use the Enterprise Updater as SPOC (Single Point of Control) which would have it’s own credentials and would have an encrypted key based connection to all appliances. From the Updater one could create individual schedules for the updates and unlock/lock them centrally. This would make tracking, planning and handling of updates a lot easier and only one generic user (buadmin) would need to be secured. I’d prefer a personal account though and leaving the generic account as a breaking glas solution. This would only cover the

926
R
M
mikey
asked in Windows & MacOS
Issues with elevating MSI's

Hello, I can start with saying that we do have a support case open at the moment. But just curious is anyone else has encountered this. After updating to 25.2.11 some MSI’s fail directly after launch or mid through the installations.  They get errors like these:2738, Could not access VBScript run time for custom action [2]. 2739, Could not access JScript run time for custom action [2].to solve this one should run regsvr32 jscript.dll or regsvr32 VBScript.dll however after installing 25.2.11 we are no longer able to edit HKEY_CURRENT_USER\Software\Classes\CLSID\{Any CLSID Folder}.If I downgrade BTPM towards 23.9.261.0 the MSI’s does not fail and im able to read the content of HKEY_CURRENT_USER\Software\Classes\CLSID\{Any CLSID Folder}.regardsMichael

37410
N
S
suhail.salimNewcomer
asked in General
Change AD user status from active to inactive/disabled

Hi All,We have AD users in password safe who are quarantined and form login disabled. The users are no longer in organizations. The group we created to onboard these users are also disabled/deleted. The access revoke method used by earlier admins were incorrect and they removed the group from password before syncing them. Is there a way we can make these users status as inactive?

302
MikeK
D
Didla DheerajNewcomer
asked in General
Enhance the disco scans so they don't generate the false-positive logon events

Hi All,When the Password Safe Detailed Discovery Scan runs against a Windows server, the BTExecService agent deployed on the scanned server enumerates the members of all local admin groups, so these can eventually be onboarded and managed by Password Safe. We have observed that Group Memberships for each enumerated account are also checked. This enumeration process is causing the LastLogonTimeStamp for the enumerated accounts to be updated, generating logon events attributed to the Discovery Scan agent BTExecExt.Phoenix.exe, even though no actual logon operation took place.In fact, according to the Microsoft article below, the LastLogonTimeStamp attribute can be updated and trigger a logon event even if the user has not logged on. This behaviour is an artifact of a Kerberos operation known as Service-for-User-to-Self (S4u2Self), in which a client/service can request a ticket for a user that is only useful for things like determining Access Checks or Group Membership.https://techcommuni

641
H
BeyondTrust Employee
D
Didla DheerajNewcomer
asked in General
Native web application support in PAM

Hi All,Currently it's not possible to add a webbrowser application native in BeyondInsight Password Safe and inject the privileged/managed account credentials, without RDP/RDS server integration. Please add the option to: Add a (web)application page and inject the privileged/managed account credentials Add a rotate option, using an API functional account with custom API scripting/calls. Best regards,Dheeraj.

461
H
BeyondTrust Employee
T
tsipesNewcomer
asked in General
API /Secrets-Safe/Secrets returns no data

We recently upgrade to 24.3 and now we have a reporting issue.  Using the API /Secrets-Safe/Secrets with a GET returned all the secrets stored.  Now, it returns nothing.  Other API calls to other endpoints work with no problem.  This is a SOX reporting issue now.  I have opened a ticket but thought I would try here to see if anyone had any thoughts.  Other than the software upgrade, nothing else has changed. TIA

231
H
BeyondTrust Employee
S
SathishNewcomer
asked in General
how to setup email notifications to the service account owners once the password is rotated in password safe

We have the following use case:  Onboard the service account to password safeNotify the service account owners with the new password when the password is rotated in password safe. The password need to be communicated to the service account owners for any external service account usage beyond password safe  The service account password should be updated by the password safe on the underlying windows services/scheduled tasks/ IIS application pools.I would like to understand the feasibility on the email notifications, password updates on the services and any challenges that anyone faced while onboarding the service accounts. 

591
H
BeyondTrust Employee

Badge Earners

  • BCA: Endpoint Privilege Management - Windows
    jchewhas earned the badge BCA: Endpoint Privilege Management - Windows
  • BCIE: Password Safe
    ravi.bisramhas earned the badge BCIE: Password Safe
  • BCIE: Privileged Remote Access
    ravi.bisramhas earned the badge BCIE: Privileged Remote Access
  • BCA: Endpoint Privilege Management - Windows
    omarmohy98has earned the badge BCA: Endpoint Privilege Management - Windows
  • BCIE: Password Safe
    Emre Yardimcihas earned the badge BCIE: Password Safe
Show all badges
Terms & ConditionsCookie settings