Credentials

The RDP Credential Storage feature in Imprivata Customer Privileged Access Management allows customers to securely store their Windows credentials within their CPAM Gatekeeper. When a user connects to a customer's Gatekeeper and selects the RDP service with stored credentials, the Gatekeeper passes the credentials to the Windows machine automatically and takes the user directly to the desktop, bypassing the username and password login prompt.

This feature offers two key benefits:

  • Customers can add, remove, or update credentials at any time without sharing secure credentials with your support department.

  • Your support team no longer needs to store, manage, or update thousands of customer authentication credentials, saving time and minimizing security risks.

There is no limit to the number of RDP credentials that can be stored on a single Gatekeeper. For example, if a Gatekeeper routes to 19 different Ricochet hosts, and the RDP service is enabled on each, credentials for all 20 hosts can be securely stored and assigned within the same Gatekeeper.

Requirements

There are a few prerequisites for using RDP credential storage.

  • RDP Credential storage is not supported on Windows 2000 (Server or Professional) or any earlier version of Windows.

  • For CPAM Servers: RDP credential storage takes advantage of CPAM's modified RDP wrapper to access and pass the Gatekeeper's stored RDP credentials and does not use the support person's desktop RDP client. However, CPAM's RDP wrapper requires several classes available only within the Windows .NET Framework version 2.0. As such, the Microsoft Windows .NET Framework v2.0 is a necessary prerequisite.

TIP:

A good indicator of whether users have the .NET Framework v2.0 installed is whether they have the RDP 5 or RDP 6 client on their devices. CPAM recommends that all support and service personnel using this feature have the RDP 6 client installed, which ensures that the necessary .NET classes are also installed. While some users with the RDP 5 client may have the required .NET 2.x classes, there is a risk that they are missing some essential components, potentially causing connection issues.

Set up

Follow these instructions to ensure a seamless setup for both the Gatekeeper and the CPAM Server.

Troubleshooting

If the RDP session is not opening at all, or fails to bypass the Windows RDP login prompt, check the following items:

  • Ensure that the customer has implemented RDP credential storage on a supported Windows operating system.

  • Ensure that the customer has chosen a valid user name, password and domain for the host in question. Invalid credentials cause the connection to fail without displaying the login prompt at all.

  • Ensure the proper credential name has been assigned to the correct host.

If a user is presented with a login prompt that has the user name and domain pre-populated but the password field is empty, the host's Terminal Services settings are set to Always prompt for a password. To change these settings, the customer needs to do the following:

  1. Start > Administrative Tools > Terminal Services Configuration.

  2. Click Connections in the left pane.

  3. Double-click RDP-Tcp to open the settings menu.

Users with the RDP 5 client may not have all the updated .NET Framework Version 2.x classes installed on their machine. They normally see a pop-up error such as: Error occurred while connecting to requested server: Class not registered {some class in registry missing}. To remedy this, the user can do one of two things.

  • Install the latest .NET Framework v2.0 Windows updates to take advantage of RDP Credential Storage.

  • In the immediate term, to regain regular RDP access, the user can hover the mouse over the RDP service, select To use the normal Windows client, turn off the CPAM RDP client in the service configuration menu, and click Service again. This takes them to the server's RDP login prompt but does not automatically pass through the credentials stored on the Gatekeeper.
    To determine which version of the RDP client is on a user's desktop, go to: Start > Programs > Accessories > Remote Desktop Connection.
    Once open, minimize the RDP client and click About to find the RDP client version number.

Credential Pools Overview

A credential pool is a group of credentials based upon port type (e.g., RDP, SSH, Telnet).

Adding credentials enables you to store and pass valid username and password credentials to credential-enabled services for a gatekeeper. Credentials cannot be shared across multiple pools.

When you access a gatekeeper service, the User ID and Password provided by the stored credential are automatically passed to the associated Client and you are automatically logged in.

Credential Pools, once defined, are instanced per Host Name and Customer. This means that a Credential Pool may hand out the same credential more than once; because the hostname (and/or customer) differs, this is acceptable, since it is presumed to be a different system. If a hostname is defined twice at the same customer, once as a string (host.domain.tld) and once as an IP address (192.168.1.1), CPAM treats these as two separate hostnames and two separate pool instances.

Adding a Credential Pool

To add new credential pools from the System Admin module, click Add Credential Pool from the Credentials section in the navigation menu. Fill in the following required fields:

  • Name: Enter a unique name for this Credential Pool.

  • Port Type: Select a Port Type for this Credential Pool.

Adding Credentials to a Credential Pool

When viewing a credential pool, click New Credential. To add new credentials from the System Admin module, click Add New Credential from the Credentials section in the navigation menu. Fill in the following required fields:

  • Credential Name: Enter a unique name for this credential.

  • Description: An optional description field.

  • User ID: Enter the User ID to be stored.

  • Password: Enter the password to be stored.

  • Domain: Enter the domain (if any) that is associated with the referenced User ID.

Once one or more credentials have been added, you can edit services to take advantage of the new credential(s).

External Credential Providers

An External Credential Provider works just like a Credential Pool, except that instead of holding a pool of credentials, it uses a PAM Provider Plugin to allow the use of external, third-party credential vaults and privileged access provider solutions for CPAM hosts and services.

To create an External Credential Provider you need to:

  • Provide a Name, a Description and the appropriate Search Parameters that the plugin uses to find the credential when communicating with the remote vault or third-party solution.

  • Select an available PAM Server Configuration to allow the plugin to connect to the remote vault.

A list of placeholders is available so that external vault credentials can be mapped as needed. To see the list of placeholders, the Administrator hovers the mouse over Help at the top right. Placeholders resolve, each time a credential is requested, according to the service, host and user that is trying to access the service. PAM Plugins use these values as part of their workflow when requesting a credential from the external provider.

SSH Key Pairs

SSH Credentials may use password or key-based authentication. To use key-based authentication, you must upload the credential to the Customer Privileged Access Management server as a Private Key/Public Key pair so that the CPAM server can present it on behalf of the connecting user.

System Administration > Credentials > New SSH Key Pair

Once uploaded, the Key Pair can be linked to most CPAM credential types (all but Credential Pools). A Key Pair may be linked to multiple credentials at the same time.

CPAM is compatible with RSA, DSA and ECDSA key formats. Here's an example of how to generate a key from the command line:

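The following is an added example, not the page's or Imprivata's own code: it generates an RSA and an ECDSA pair with OpenSSH's ssh-keygen (assumed to be on PATH) and verifies that the two halves match before they are uploaded as a CPAM SSH Key Pair. The file names and comments are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not Imprivata's own code: generate a key pair in two of the
# formats the page says CPAM accepts (RSA, ECDSA) and verify the halves match
# before uploading them as a CPAM SSH Key Pair. Assumes ssh-keygen is on PATH.
# DSA is also listed as supported by CPAM, but recent OpenSSH releases no
# longer generate DSA keys, so it is not shown here.
set -eu

# gen_keypair TYPE BITS DIR -> DIR/cpam_TYPE (private) and DIR/cpam_TYPE.pub.
# The passphrase is empty because the CPAM server presents the private key
# unattended on behalf of the connecting user; protect the file by permissions.
gen_keypair() {
    out="$3/cpam_$1"
    ssh-keygen -q -t "$1" -b "$2" -N "" -C "cpam-$1-example" -f "$out"
    [ -f "$out" ] && [ -f "$out.pub" ]
}

# key_type PUBFILE -> key type token, e.g. ecdsa-sha2-nistp256
key_type() { awk '{ print $1 }' "$1"; }

# key_fingerprint PUBFILE -> SHA256 fingerprint, to compare against the upload
key_fingerprint() { ssh-keygen -lf "$1" | awk '{ print $2 }'; }

# pair_matches PRIVFILE PUBFILE -> true if the public key derived from the
# private key equals the .pub file (catches a mixed-up pair before upload)
pair_matches() {
    derived=$(ssh-keygen -y -f "$1" | awk '{ print $1, $2 }')
    stored=$(awk '{ print $1, $2 }' "$2")
    [ "$derived" = "$stored" ]
}

if command -v ssh-keygen >/dev/null 2>&1; then
    dir=$(mktemp -d)
    for spec in "rsa 3072" "ecdsa 256"; do
        set -- $spec
        gen_keypair "$1" "$2" "$dir"
        pair_matches "$dir/cpam_$1" "$dir/cpam_$1.pub"
        echo "$(key_type "$dir/cpam_$1.pub") $(key_fingerprint "$dir/cpam_$1.pub")"
    done
    echo "pairs written under $dir; upload each via System Administration > Credentials > New SSH Key Pair"
fi
```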

SSH PAM Module

SSH PAM modules add an extra layer of security by prompting the connecting user to respond to a challenge via keyboard input, for example Google Authenticator verification codes.

SSH PAM modules are configured separately from normal sshd settings. The configuration files are typically /etc/pam.d/sshd and /etc/ssh/sshd_config, respectively.

For SSH service launches to succeed, the connecting host must use consistent authentication methods in its PAM and sshd configurations. For example, password authentication must be enabled in sshd_config if it is enabled in the sshd PAM settings, and vice versa. Inconsistent authentication methods in the sshd PAM stack and sshd_config prevent proper credential handling: the sshd server may prompt for a password even though the PAM settings refuse password authentication, or the PAM settings may require a password even though sshd_config does not accept one.
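As an added example, not Imprivata's own tooling, the POSIX shell check below reads an sshd_config and an /etc/pam.d/sshd file and flags the mismatches described above. The module names it looks for (pam_unix.so for passwords, pam_google_authenticator.so for challenges) and the embedded sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Imprivata's own code: check that sshd_config and the sshd
# PAM stack agree on how a password or challenge is collected. Constructed
# sample configs are embedded so it runs offline; on a real host call
# check_consistency /etc/ssh/sshd_config /etc/pam.d/sshd
# Simplifications: Match blocks and @include lines are not followed.
set -eu
# sshd_opt FILE KEYWORD DEFAULT -> effective value (sshd keeps the first match)
sshd_opt() {
    v=$(awk -v k="$2" '/^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-$3}"
}
# pam_auth_has FILE MODULE -> true if an uncommented "auth" line loads MODULE
pam_auth_has() {
    awk -v m="$2" '/^[[:space:]]*#/ { next }
        $1 == "auth" && index($0, m) { f = 1 } END { exit !f }' "$1"
}
# check_consistency SSHD_CONFIG PAM_SSHD -> one finding per line, none if consistent
check_consistency() {
    usepam=$(sshd_opt "$1" usepam no)
    pw=$(sshd_opt "$1" passwordauthentication yes)
    kbd=$(sshd_opt "$1" kbdinteractiveauthentication \
          "$(sshd_opt "$1" challengeresponseauthentication yes)")
    pam_pw=false; pam_otp=false
    pam_auth_has "$2" pam_unix.so && pam_pw=true
    pam_auth_has "$2" pam_google_authenticator.so && pam_otp=true
    [ "$usepam" = yes ] || echo "UsePAM is off: $2 is never consulted by sshd"
    [ "$pw" = yes ] && [ $pam_pw = false ] && \
        echo "sshd prompts for a password that no PAM auth module verifies"
    [ $pam_pw = true ] && [ "$pw" = no ] && [ "$kbd" = no ] && \
        echo "PAM requires a password but sshd never collects one"
    [ $pam_otp = true ] && [ "$kbd" = no ] && \
        echo "pam_google_authenticator needs KbdInteractiveAuthentication yes"
    return 0
}
# write_samples DIR -> constructed sample files: one consistent pair, one not
write_samples() {
    printf 'UsePAM yes\nPasswordAuthentication no\nKbdInteractiveAuthentication yes\n' >"$1/sshd_good"
    printf 'auth required pam_unix.so\nauth required pam_google_authenticator.so\n' >"$1/pam_good"
    printf 'UsePAM yes\nPasswordAuthentication yes\nChallengeResponseAuthentication no\n' >"$1/sshd_bad"
    printf '# password check removed\nauth required pam_google_authenticator.so\n' >"$1/pam_bad"
}
d=$(mktemp -d); write_samples "$d"
echo "consistent pair:";   check_consistency "$d/sshd_good" "$d/pam_good"
echo "inconsistent pair:"; check_consistency "$d/sshd_bad" "$d/pam_bad"
```

The inconsistent pair reproduces both failure modes from the text: sshd collects a password that the PAM stack never checks, and the PAM challenge module is loaded while keyboard-interactive authentication is disabled.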