08-06-2017, 11:04 PM
Hi,
I'm having an intermittent problem with connections when accessing a Cyber-Ark passthrough session.
Scenario:
I have a credential set, Cred A, which has permissions to log into the Cyber-Ark passthrough server (CyberA) via RDP. This account has access to pull secured credentials from the vault, which it then uses to pass through to a secured server, via the RDP client on CyberA.
I create a connection object, and in the Executable path field I put:
psm /u vaultaccount@mydomain.loc /a %NAME% /c PSM-RDP
%NAME% is inherited from my connection object name (new feature, thanks!!)
This command says "retrieve vaultaccount credentials and use them to rdp through to %NAME%".
So there are two authentications that happen here, the first one to CyberA, which ASG-RD is responsible for, and a second authentication, where the CyberA server has to pass credentials.
A significant percentage of the time, the first authentication fails, and I am re-prompted to enter credentials manually for the connection to CyberA. Occasionally it works just fine. I don't know if this is timing or something in actually passing wrong credentials due to inconsistent behavior with having the program field filled in. The Cyber-Ark server is locked down so it's not trivial to get at the authentication logs, but it SEEMS the authentication to it is failing or credentials not provided.
The logging identifies the username that is sent; since there is a history of sometimes selecting the wrong credential set when making a connection, it may be beneficial to include the credential name. If there is any information available on what the RDP endpoint returned, it would be beneficial to include this as it may improve troubleshooting connection issues.