Known Issues

Receiving non-mapped information from the SIEM for mandatory fields like Accounts Security ID can result in a False Positive alert. Unmanaged Privileged Access is alerted on an incorrect account, sending it to PVWA for automatic onboarding

Repair/ Uninstall options that are available from both the Vault install wizard and the programs and features view in Windows are not supported. Do not use them

PVWA URL for the new interface will show v10. For example, for the Accounts page the URL will be: '.../PasswordVault/v10/Accounts' 

To copy passwords using the Chrome extension, customers must install the extension from the Google Chrome Extensions store and not from the PVWA

AdHoc Access is not supported in Active/Active architecture when CPM scanner is connected to a PVWA that works with a Satellite Vault

SAML authentication supports only one signed assertion 

Customers that are using the Delete Account REST API (DELETE /api/Accounts/{ID}) must use it with a Vault version 11.1 or higher.

In any other case, the following error might occur: ITATS768E Invalid value 4 for ServiceBehaviourOptions 

When the CPM is installed on a different machine than PVWA, TLS 1.2 must be enabled on the CPM machine

When using silent installation on a hardened PVWA machine on Windows 2016, the installation will fail 

Upgrade to v11.1 from the OVF released in 10.9.1, 10.10, or 11.0 results in the appliance not meeting the minimum CPU and memory requirements as documented in the Online Help center. Customers can fix this issue by following the instructions published in the following Knowledge Base article: https://cyberark-customers.force.com/s/article/PSM-for-WEB-OVF-Under-specs

Note: A clean install of v11.1 OVF meets the minimal system requirements

All old PSM for Web system logs will be deleted from the system during an upgrade of PSM for Web

Connectors created using the Universal Connector Generator in versions prior to 11.0 are not compatible with version 11.1. After upgrading to version 11.1, use the Universal Connector Generator to record the application connector again, and overwrite the existing connectors by creating the connectors with the same Web Application ID values as the existing ones

Connectors can only be generated through the PSM for Web Console using the Chrome browser. Internet Explorer is not supported

Creating a connector for applications that are accessed using an IP address and not a hostname requires an additional manual change that is documented in Connector Generator (Beta)

Link previews are not available to users who access the corporate twitter account through PSM for Web.

Note: External users reading tweets with links that are posted by the corporate account are not affected, and the preview will be available for them

Automatic response to a risky session while suspending or terminating the session is not supported in a distributed environment

Uploading a new generic plugin to PTA requires a manual step to allow replication permissions on the plugin file between Primary PTA and Secondary PTA

When a domain group is added to a local privileged group, PTA will not detect this as part of the new use case for Unmanaged Privileged Account detection

The Add Discovered Accounts REST API does not support SSH Keys as dependencies or as a newly discovered account

To copy passwords using the Chrome extension, customers must install the extension from the Chrome Extensions store and not from the PVWA

These are the limitations for the new addition to the Unmanaged Privileged Account detection:

• Supported only for Splunk, LogRhythm, and DC agent in forwarding mode
• When a domain group is added to a privileged local group, PTA does not identify the domain group members that became privileged

Add Discovered Accounts REST API does not support SSH Keys as dependencies or as a newly discovered account.

When PVWA 10.9 works with CPM 10.6 or 10.7, the newly added AdHoc time period configuration will be enforced correctly, yet the audit log will indicate 4 hours.

There is a known limitation for CPM v10.7 working with PVWA v10.8. Customers who wish to upgrade only the PVWA must use CPM v10.6.

When the CPM is installed on a different machine from PVWA, TLS 1.2 needs to be enabled on the CPM machine.

Add Discovered Accounts REST API does not support SSH Keys as dependencies or as a newly discovered account

Due to a known limitation for CPM v10.7 working with PVWA v10.8, customers who want to upgrade only the PVWA must use CPM v10.6

Customers who upgraded their domain controller from Server 2003 to Server 2008 without modifying the default configuration of high port range, cannot configure a Golden Ticket detection

As a solution, configure the Vault to allow an outbound connection to the Domain Controllers, with TCP ports 1025 - 5000

For more details, see https://docs.microsoft.com/en-us/previous- versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)

When installing PTA using the PAS installer, PTA fails to initiate automatic termination and suspension, due to missing permissions

As a solution, run a manual step to configure PTA permissions for automatic termination and suspension, using the "Vault Permissions Validation" utility

In a Distributed Vaults environment, when retrieving files (such as Reports, Recordings) the following error message appears in ITALog – ITAPE281E Error while retrieving file (Code 8, 2, 0) – although the file is retrieved.

This message can be ignored

The Copy Password function is not supported when using PVWA in the Microsoft Edge browser.

Passwords can be copied from the Show Password window in the new UI.

The new LDAP integration module supports the following (only):

• Integrate with Active Directory

• Filter a mapping based on Active Directory Group

• In a Distributed Vaults environment, the new LDAP Integration page is supported only when working with PVWA that is connected to the Primary Vault

• Support LDAP and LDAP/S (using TLS)

  To support TLS, a customer must import the Domain Controller Certificate to the Vault and make sure the PVWA trusts that Certificate as well

• Edit a mapping

• Create multiple Domain integrations

• Delete a Domain integration

  This action will also delete all Mappings related to that Domain Integration

Auditing of user activities within the classic mode is only for actions performed by SF administrators within the Setup area and not for

actions performed by privileged business users within the business areas (such as Sales or Support)

Capturing posted text is supported only for ASCII characters. Other text will be captured but presented unclear in PVWA

Switching between privileged accounts using the Switch User option in Azure is disabled. To use Azure with a different privileged account, the user must log out and log in again with the new privileged account.

Switching to a non-privileged account in a session is not supported. To use GCP with a non-privileged account, the user must log out and log in again with the non-privileged account, or use separate browsers for the different accounts.

The application account password cannot contain double-quote (") or backslash (\) characters.

Refer to the End User > Privileged Single Sign On > PSM for Cloud section in the Online Help Center

Running the PTA Agent in parallel to the Microsoft Network Monitor agent will result in failures

When upgrading PVWA in a Distributed Vaults environment, the PVWA must be directed to the Primary Vault and not the Satellite Vault during the upgrade process.

The Copy Password function is not supported when using PVWA in the Microsoft Edge browser.

Passwords can be copied from the Show Password window in the new UI.

• Multiple Secondary Servers cannot be configured

• Automatic Failover is not supported

• The initial synchronization of three months of data can take up to one hour

• When moving from an existing stand-alone environment to a disaster recovery environment, you must recreate the certificate for the existing standalone PTA Server that will now serve as the PTA Primary Server

• When manually failing over a Secondary PTA to be Primary, you must ensure that the original Primary is not up.

When upgrading PVWA in a Distributed Vaults environment, the PVWA must be directed to the Primary Vault and not the Satellite Vault during the upgrade process.

The new PVWA Deployment scripts are intended to be used only with new installations. These scripts should not be used in installations where a previous version of PVWA was installed.

The Synchronizer will fail to restart if more than 10 LOBs are defined in the Vault even if some of them were previously synced to Conjur.

When working in Distributed Vaults architecture, the System Health Monitoring page can only be viewed from the PVWA that is connected to the Master Vault.

Does not support Cluster Vaults.

There is an issue upgrading from v9.9 There are two workarounds:

1. Upgrade from 9.9 to 9.9.5 and then to v10.x.

2. Before the upgrade, rename the bin folder under the PasswordVault IIS folder (by default C:\inetpub\wwwroot\PasswordVault\bin) and then perform the upgrade.

When running on Windows Server 2016, Windows authentication will not work the first time it is clicked to authenticate returning an error message. On the second try the authentication will succeed.

Python based plugins (usages PMPasswordFile, SSHPrivateKey) do not work on Windows Server 2016 if run by PMTerminal.

Restore one safe from incremental backups may fail due to duplicate entries. (Error ITATS611E)

In the meantime: Using full backup to restore one safe works Full Vault restore works from either full back or incremental backup.

The new user interface is now supported on Internet Explorer 11 browser. Exception for that is the option to play a recording video, which is supported on Chrome browser only.

Customers who require Internet Explorer for viewing the recordings can leverage the classic v9 user interface. A refresh is needed after playing a recording from 'recording sessions' grid when using Internet Explorer.

When working in Distributed Vaults architecture, the System Health Monitoring page can be viewed from the PVWA that is connected to Master Vault.

Does not support Cluster Vaults.

There is an issue upgrading from v9.9 There are two workarounds:

1. Upgrade from 9.9 to 9.9.5 and then to v10.x.

2. Before the upgrade, rename the bin folder under the PasswordVault IIS folder (by default C:\inetpub\wwwroot\PasswordVault\bin) and then perform the upgrade.

Python based plugins (usages PMPasswordFile, SSHPrivateKey) do not work on Windows Server 2016 if run by PMTerminal.

PTA 3.95 upgrade requires at least 50% of the machine storage capacity to be free, for the migration to a new DB structure.

If there is not enough free space during the upgrade to 3.95, the upgrade stops.

False positive / negative results can occur in the following use cases:

1. When different database accounts have the same username, address and instance name, PTA will not differentiate between the accounts.

2. When accounts for different platforms have the same username, address and device type, PTA will not differentiate between the accounts.

The new user interface is now supported on Internet Explorer 11 browser. Exception for that is the option to play a recording video, which is supported on Chrome browser only.

Customers that require Internet Explorer for viewing the recordings can leverage the v9 user interface.

When working in Distributed Vaults architecture, the System Health Monitoring page can be viewed from the PVWA that is connected to the Master Vault.

Does not support Cluster Vaults.

Only accounts that have the required file categories are loaded to PTA ('Username', 'Address', 'DeviceType' for accounts of Operating Systems, and 'Username', 'Address', 'DeviceType', 'Database' for accounts of Databases)

When the database account username, address and instance name are the same for different databases on the same machine and only one of them is managed, PTA will not differentiate between the accounts

The new interface is supported:

• In Google Chrome 56 and up

• English locale

• Only with Password Account and not SSH Keys

Terminate, suspend or resume session automatically (from PTA or from the external use of a REST API) is supported for PSM sessions only (not PSMP).

The New Interface for Accounts supports:

• Connect to target accounts through PSM only with the RDP file and without specific user parameters

No Block option for the following rules:

• Microsoft Internet Explorer and Edge Credentials Theft (Beta)

• Credential Theft From Windows Credential Manager (Beta)

Events triggered by files that have a policy that contains a Publisher, in some cases are filtered out from the Inbox, even if the Publisher has not been verified, or if the Publisher has failed the verification process.

Cannot create Policies based on copied macOS audit events.

On High Sierra (10.13), the process to create a user with elevated system preference ends without the user being created.

Customers with agent’s version prior to v6.4, when selecting AD user/group information in the agent configuration page need to use Browse option (EPM plugin) or type the user SID manually.

In Advanced Policy, configuring Parent Process condition for script files does not applied on them.