prasenjitmass Respected Contributor.

Want to establish Credential Provider Rule for RDP

Hi,
I want to create a rule for RDP with Credential Provider. Our objective is: if a user wants to request emergency access for RDP through "New Request", his request should be approved and he gets authentication to access the host for a period, after which the password would change automatically. What I did is as follows:

1) Launch "Windows Credential Provider Session" from the Add Policy Template.
2) Put the server information in the credential vault.
3) Edit the rule as:
Begin Rule :RL-WIN-CREDENTIAL-PROVIDER
IF (command IN Windows Credential Provider Session)
THEN
Set Authorize : yes
Set Session Capture : yes
Set Run Host = 192.168.19.84
Set Run User = designer\Administrator
END IF
END RULE :RL-WIN-CREDENTIAL-PROVIDER

4) Access the MyAccess console as the requester user. Go to Emergency Access --> New Request.
5) Request generated, but the approval state shows pending.
6) Searched in PAM admin, but no request came to the admin.

Am I walking in the right direction? Please help.

Thank you
Micro Focus Expert

Re: Want to establish Credential Provider Rule for RDP

Yes, you are on the right track, but please consider the following approach as well as an alternative to Credential Provider:
PAM can actually elevate the requester's credentials and provide access to the server as the privileged Administrator without exposing any password to the end-user. So it may not be necessary to reveal some temporary password to the user that is reset after use. And the user experience would be more fluid in this approach in my opinion, as they could get elevated access to a privileged account through rdp-relay in the User Console (MyAccess) without having to manage a password checkout/checkin. The same Emergency Access workflow could take place for approval, but the privileged credential is not revealed to the end-user and they gain access through rdp-relay in the User Console.

However, the Direct-RDP / Credential Provider approach can work as well in PAM, where privileged accounts are checked out (the user knows the privileged credential) and then reset once checked in or once the access duration has expired. This would be achieved with the Credential Checkout for Applications feature in PAM for Active Directory. You could create a policy / cmdctrl rule that grants users the ability to check out particular privileged accounts as they need, or that requires approval to have this permission for some period of time. Privileged credentials are reset via the AD LDAP script and are ready for the next check-out.

--

Now, some things to verify:

Is 192.168.19.4 a registered PAM Agent? Does this Agent appear in the Hosts Console as "Online", and is the registered "DNS Name / IP Address" 192.168.19.4?

Does "designer" exist in the PAM Enterprise Credential Vault (crdvlt) as a Windows Active Directory (AD) Account Domain? Or is this an environment without AD?
Is "designer" the actual Domain / NetBIOS name for this Windows server, or is it some personal alias you are using? (i.e. PowerShell> Get-ADDomain)

Does the "Administrator" credential exist within this Account Domain in PAM crdvlt with the appropriate DN context (AD) and password?

Also, you can log in to the new "/pam" ("/myaccess") URL as an Admin (instead of the Administration Console), which has the Access features there for approval, etc., with the new & improved UI.
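The checks above hinge on what the `designer` prefix in `Set Run User = designer\Administrator` actually names: the server's own hostname (a local account) or the NetBIOS name of the AD domain (a domain account). The following PowerShell is an added example, not part of the thread and not a PAM tool; run on the target server itself, it resolves the Run User to a SID and reports which of the two it is, next to the hostname, joined domain and NetBIOS domain name the reply asks about. The default value of `$RunUser` is taken from the posted rule; the `ActiveDirectory` RSAT module and the `Get-LocalUser` cmdlet (Windows Server 2016 / PowerShell 5.1 or later) are assumptions noted in the comments.

```powershell
# Added example (not from the thread, and not PAM's own check): resolve the account
# named in "Set Run User" and report whether it is a local machine account or an
# AD domain account, alongside the identifiers the reply asks about.
# Run it on the target server itself (the registered PAM agent host).
param(
    [string]$RunUser = 'designer\Administrator'   # value taken from the posted rule
)

$domainPart, $userPart = $RunUser -split '\\', 2
if (-not $userPart) { throw "Expected DOMAIN\user, got '$RunUser'" }

# How this machine identifies itself: hostname and the domain it is joined to
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$joinedDomain = if ($cs.PartOfDomain) { $cs.Domain } else { '(workgroup)' }

# NetBIOS name of the joined domain via the AD module the reply mentions (RSAT, assumed).
# Stays 'unknown' when the module is not installed on this host.
$netbiosDomain = 'unknown'
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $netbiosDomain = (Get-ADDomain -ErrorAction Stop).NetBIOSName
} catch { }

# Resolve the account to a SID. This fails outright if the name cannot be resolved
# from this host, which is the first thing to rule out.
try {
    $nt  = New-Object System.Security.Principal.NTAccount($domainPart, $userPart)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Cannot resolve '$RunUser' on $($cs.Name): $($_.Exception.Message)"
}

# The machine SID is the domain part of every local account's SID. The built-in local
# Administrator (RID 500) is a reliable way to obtain it even if it has been renamed.
# Get-LocalUser is assumed available (Microsoft.PowerShell.LocalAccounts module).
$machineSid = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } |
    Select-Object -First 1).SID.AccountDomainSid

$isLocal = if ($machineSid) { $sid.AccountDomainSid.Value -eq $machineSid.Value } else { $null }

[pscustomobject]@{
    RunUser           = $RunUser
    ResolvedSid       = $sid.Value
    ComputerName      = $cs.Name
    JoinedDomain      = $joinedDomain
    NetBiosDomainName = $netbiosDomain
    PrefixIsHostname  = ($domainPart -ieq $cs.Name)
    PrefixIsDomain    = ($domainPart -ieq $netbiosDomain)
    IsLocalAccount    = $isLocal
    IsBuiltinAdmin    = ($sid.Value -like '*-500')
}
```

If `PrefixIsHostname` and `IsLocalAccount` come back true, the Account Domain entered in crdvlt describes a local SAM account rather than an AD domain, and the AD-based checkout rule will not find it; if `PrefixIsDomain` is true, the crdvlt Account Domain should match `NetBiosDomainName` and the credential's DN context should point into that domain.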
prasenjitmass Respected Contributor.

Re: Want to establish Credential Provider Rule for RDP

Hi,
Thanks for your kind help. The answers to your queries are as follows:

Q. Is 192.168.19.4 a registered PAM Agent? Does this Agent appear in the Hosts Console as "Online", and is the registered "DNS Name / IP Address" 192.168.19.4?
A. Yes, 192.168.19.84 is a registered PAM agent and it appears as "Online"; the registered IP is 192.168.19.84.

Q. Does "designer" exist in the PAM Enterprise Credential Vault (crdvlt) as a Windows Active Directory (AD) Account Domain? Or is this an environment without AD?
A. This server "Designer" is joined to an AD domain, but it is not AD. I've added an account domain with this server's credential.

Q. Is "designer" the actual Domain / NetBIOS name for this Windows server, or is it some personal alias you are using? (i.e. PowerShell> Get-ADDomain)
A. Yes.

Q. Does the "Administrator" credential exist within this Account Domain in PAM crdvlt with the appropriate DN context (AD) and password?
A. Yes.

Do I have to modify the "Active Directory Password Check-in Checkout" rule if I import that rule from the Policy Template? Do I have to put the name of the account domain in the "Run Host" option of this rule? What steps do I have to follow to make this rule work? Please help.

Thank you
Micro Focus Expert

Re: Want to establish Credential Provider Rule for RDP

Managing local administrative accounts on Windows isn't supported directly out of the box in PAM currently, although it is theoretically possible with a custom Perl script for password check-in.
However, if these users are within AD, then the LDAP AD Password Checkout script can be used to reset their passwords.

Details regarding configuration of Credential Checkout for Applications can be found here:
https://www.netiq.com/documentation/privileged-account-manager-35/npam_admin/data/t46pvfk3dzz3.html#b1fti8ni
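The thread's end state is that the password is reset by PAM's AD LDAP script once the checkout is returned, which is only possible for an AD account. As an added illustration of that reset step, not PAM's own script and not from the linked documentation, the following PowerShell does the same operation with the RSAT `ActiveDirectory` module: it draws a new password from a CSPRNG with rejection sampling (so no character is favoured), resets the account with `Set-ADAccountPassword -Reset`, and confirms that `PasswordLastSet` advanced. The function names, the domain controller `dc01.designer.example` and the account used in the usage line are placeholders.

```powershell
# Added example (not the PAM check-in script itself): what "reset via AD LDAP script"
# amounts to, done with the RSAT ActiveDirectory module (assumed installed).
# Account and DC names are placeholders.

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous glyphs (I, O, l, 0, 1) left out; otherwise letters, digits and symbols.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $chars.Length)     # bytes at or above this are rejected: no modulo bias
    $out   = New-Object char[] $Length
    try {
        for ($i = 0; $i -lt $Length; $i++) {
            do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
            $out[$i] = $chars[$buf[0] % $chars.Length]
        }
    } finally { $rng.Dispose() }
    return (-join $out)
}

function Reset-CheckedInCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = 'dc01.designer.example'   # placeholder domain controller
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $before = (Get-ADUser -Identity $SamAccountName -Server $Server -Properties PasswordLastSet).PasswordLastSet
    $plain  = New-RandomPassword -Length 24
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $plain  = $null   # drop the plaintext reference as early as possible

    $after = $before
    if ($PSCmdlet.ShouldProcess("$SamAccountName on $Server", 'Reset password')) {
        # -Reset sets a new password without knowing the old one. It needs the
        # "Reset password" right on the object; for protected accounts such as the
        # built-in Administrator that right must be granted on AdminSDHolder.
        Set-ADAccountPassword -Identity $SamAccountName -Server $Server -Reset -NewPassword $secure -ErrorAction Stop

        $after = (Get-ADUser -Identity $SamAccountName -Server $Server -Properties PasswordLastSet).PasswordLastSet
        if ($before -and ($after -le $before)) {
            throw "PasswordLastSet did not advance for $SamAccountName; reset was not applied"
        }
    }

    # The new value is handed back only as a SecureString; the vault is the only place it belongs.
    [pscustomobject]@{
        SamAccountName  = $SamAccountName
        PasswordLastSet = $after
        NewPassword     = $secure
    }
}

# Usage (placeholder account; -WhatIf shows the action without changing anything):
Reset-CheckedInCredential -SamAccountName 'Administrator' -WhatIf
```

Two points carry over to the real PAM flow: the account PAM resets must be the AD object the vault entry describes (a local `SERVER\Administrator` has no AD object to reset, which is the limitation stated above), and the identity running the reset needs only the delegated "Reset password" right, not domain admin membership, which keeps the check-in script itself from becoming a second privileged credential.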