ASGRD 2018 integration with Thycotic
#21
(30-01-2018, 03:33 PM)DevOma Wrote: @sylvain.hamel: Could you post me the complete error message - Thycotic support engineer wants to see the whole thing - or is it only a server name? You can send me more confidential data via private message if you want…


Hi,

ASG1.jpg is when I'm going to our load balancer (with public certificate)
ASG2.jpg is the error when I go directly to the server. (using our internal pki cert)

In both cases, if I'm using a browser and connect to one or the other, I'm able to authenticate and obtain a token, but not from the ASG product. Hope this helps.


#22
Could you please post the whole error from second image - you should find it in ErrorLogs - thanks again!
Regards/Gruss
Oliver
#23
Dear all,

we have a problem with the anonymous authentication to IIS for Thycotic Secret Server that ASG requires.
For SSO in Secret Server it is necessary to enable Windows authentication and disable anonymous and forms authentication.
Is it possible to change the authentication scheme in ASG?

The error message is attached


#24
Patch is planned for today :-)
Regards/Gruss
Oliver
#25
The problem with anonymous authentication is not resolved in patch 1
#26
Ok - I'm sorry that it is not working for you...

So I guess you have activated "Active Directory Integration" in Thycotic Secret Server?

Enable Active Directory Integration Yes
Enable Integrated Windows Authentication Yes

Can you please confirm that? Then we will try to reproduce in our test environment...
Regards/Gruss
Oliver
#27
Yes, so it is. Here is the link to the Thycotic article for "Setting Up Integrated Windows Authentication".
https://thycotic.force.com/support/s/art...erver-10-0
#28
(31-01-2018, 04:47 PM)DevOma Wrote: Could you please post the whole error from second image - you should find it in ErrorLogs - thanks again!

Here it is:

An error occurred while making the HTTP request to https://myserver.domain.com/secretserver...rvice.asmx. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
---------------------------

Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at PlugInThycotic.ThycoticService.SSWebServiceSoap.Authenticate(String username, String password, String organization, String domain)
   at PlugInThycotic.Helper.ThycoticSync.GetSecretServerWebService(IWin32Window owner, ThycoticSyncProperties props, String& token)
   at PlugInThycotic.Helper.ThycoticSync.CreateThycoticSourceStructureList(IWin32Window owner, ThycoticSyncProperties props, List`1& syncList)
#29
@sylvain.hamel: I forwarded to Thycotic support - waiting for response

@JulianV: Test environment is not running as it should - we are still trying to fix it - could you please try to change the webservice url - you need access to https://yoursecretserverinstallation/win...rvice.asmx
Regards/Gruss
Oliver
#30
(05-02-2018, 01:45 PM)DevOma Wrote: @sylvain.hamel: I forwarded to Thycotic support - waiting for response

@JulianV: Test environment is not running as it should - we are still trying to fix it - could you please try to change the webservice url - you need access to https://yoursecretserverinstallation/win...rvice.asmx

No news ?
#31
It's fixed - a new patch should be published end of this week
Regards/Gruss
Oliver
#32
@sylvain.hamel: Sorry, thought you were asking for the SSO fix - we didn't get any helpful hints from Thycotic - just like "check your certificate, check webservice enabled and so on"...

I have a small test app - you can unzip it in any directory, just enter the data to access the webservice and press "Try" - you will see the results in a textbox

Or do you also use Windows Authentication in your Secret Server? But this is also available in the test app...

Waiting for your feedback :-)

http://d2l2g77p7dyozs.cloudfront.net/TyhcoticTest.zip
Regards/Gruss
Oliver
#33
(21-02-2018, 10:53 AM)DevOma Wrote: @sylvain.hamel: Sorry, thought you were asking for the SSO fix - we didn't get any helpful hints from Thycotic - just like "check your certificate, check webservice enabled and so on"...

I have a small test app - you can unzip it in any directory, just enter the data to access the webservice and press "Try" - you will see the results in a textbox

Or do you also use Windows Authentication in your Secret Server? But this is also available in the test app...

Waiting for your feedback :-)

http://d2l2g77p7dyozs.cloudfront.net/TyhcoticTest.zip

Whatever you did resolved my issue. However, I have new ones :-).

If I select all folders in my Secret Server, I get the following error (too many objects?):

The maximum message size quota for incoming messages (65536) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.
---------------------------

Server stack trace:
   at System.ServiceModel.Channels.HttpInput.ThrowMaxReceivedMessageSizeExceeded()
   at System.ServiceModel.Channels.HttpInput.GetMessageBuffer()
   at System.ServiceModel.Channels.HttpInput.ReadBufferedMessage(Stream inputStream)
   at System.ServiceModel.Channels.HttpInput.ParseIncomingMessage(HttpRequestMessage httpRequestMessage, Exception& requestException)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at PlugInThycotic.ThycoticService.SSWebServiceSoap.SearchSecretsByFolder(SearchSecretsByFolderRequest request)
   at PlugInThycotic.ThycoticService.SSWebServiceSoapClient.PlugInThycotic.ThycoticService.SSWebServiceSoap.SearchSecretsByFolder(SearchSecretsByFolderRequest request)
   at PlugInThycotic.Helper.ThycoticSync.ReadFolderFromSecretServer(ThycoticSyncProperties props, Int32 id, SerializableDictionary`2 syncFolderIds, String token, SSWebServiceSoapClient webservice, List`1& syncList)
   at PlugInThycotic.Helper.ThycoticSync.ReadFolderFromSecretServer(ThycoticSyncProperties props, Int32 id, SerializableDictionary`2 syncFolderIds, String token, SSWebServiceSoapClient webservice, List`1& syncList)
   at PlugInThycotic.Helper.ThycoticSync.ReadFolderFromSecretServer(ThycoticSyncProperties props, Int32 id, SerializableDictionary`2 syncFolderIds, String token, SSWebServiceSoapClient webservice, List`1& syncList)
   at PlugInThycotic.Helper.ThycoticSync.ReadFolderFromSecretServer(ThycoticSyncProperties props, Int32 id, SerializableDictionary`2 syncFolderIds, String token, SSWebServiceSoapClient webservice, List`1& syncList)
   at PlugInThycotic.Helper.ThycoticSync.CreateThycoticSourceStructureList(IWin32Window owner, ThycoticSyncProperties props, List`1& syncList)

---------------
The second issue I have is when I successfully sync some credentials: if I sync the object only, it doesn't do anything when I try connecting using the credential. If I sync the object and the password, it does work. However, these secrets are for managing local admin users and I do not see a way to pick up that option at the folder level. It would be annoying for me to set the "Use local login on destination computer" option for each connection. (It would be more convenient if I could set that per folder for each Secret Server folder that I sync.)
#34
Wow - great that it is working - and we will continue working on the other issues :-)

First issue: Will make this value configurable

Second issue: We will test it again - currently this option should work like "you see the name of creds in navigation tree but each time you use it the username and password will be retrieved via the webservice from Secret Server"

Third issue: We will think about a solution - one idea is that for all usernames without a domain specification we could set it as "local" user - like if you use "admin" as user name it would match and if you use "mydomain\admin" or "admin@mydomain" it would use it as domain user?!? Would that be ok - or do you prefer to configure it on folder level in the "Select folders" dialog?!?

Thanks for your feedback
Regards/Gruss
Oliver
#35
Dear DevOma,

in Patch 2 we get the same error for SSO as in Patch 1, if we enable windows authentication on the IIS. (see attachment ASG2018_Thycotic_SSO.png).

The ThycoticTest.exe shows this detailed error:


Code:
Informationen über das Aufrufen von JIT-Debuggen
anstelle dieses Dialogfelds finden Sie am Ende dieser Meldung.

************** Ausnahmetext **************
System.ServiceModel.Security.MessageSecurityException: Die HTTP-Anforderung ist beim Clientauthentifizierungsschema "Anonymous" nicht autorisiert. Vom Server wurde der Authentifizierungsheader "Bearer,Negotiate,NTLM" empfangen. ---> System.Net.WebException: Der Remoteserver hat einen Fehler zurückgegeben: (401) Nicht autorisiert.
   bei System.Net.HttpWebRequest.GetResponse()
   bei System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- Ende der internen Ausnahmestapelüberwachung ---

Server stack trace: 
   bei System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
   bei System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
   bei System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   bei System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   bei System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   bei System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   bei System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   bei System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   bei System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   bei System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   bei TyhcoticTest.Thycotic.SSWebServiceSoap.Authenticate(String username, String password, String organization, String domain)
   bei TyhcoticTest.Thycotic.SSWebServiceSoapClient.Authenticate(String username, String password, String organization, String domain) in C:\Users\oliver.mahr\Documents\Visual Studio 2017\Projects\TyhcoticTest\TyhcoticTest\Connected Services\Thycotic\Reference.cs:Zeile 9065.
   bei TyhcoticTest.Form1.button1_Click(Object sender, EventArgs e) in C:\Users\oliver.mahr\Documents\Visual Studio 2017\Projects\TyhcoticTest\TyhcoticTest\Form1.cs:Zeile 59.
   bei System.Windows.Forms.Control.OnClick(EventArgs e)
   bei System.Windows.Forms.Button.OnClick(EventArgs e)
   bei System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   bei System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   bei System.Windows.Forms.Control.WndProc(Message& m)
   bei System.Windows.Forms.ButtonBase.WndProc(Message& m)
   bei System.Windows.Forms.Button.WndProc(Message& m)
   bei System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   bei System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   bei System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Geladene Assemblys **************
mscorlib
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2115.0 built by: NET47REL1LAST.
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll.
----------------------------------------
TyhcoticTest
    Assembly-Version: 1.0.0.0.
    Win32-Version: 1.0.0.0.
    CodeBase: file:///C:/Users/Username/Downloads/TyhcoticTest/TyhcoticTest.exe.
----------------------------------------
System.Windows.Forms
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2110.0 built by: NET47REL1LAST.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll.
----------------------------------------
System
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2110.0 built by: NET47REL1LAST.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll.
----------------------------------------
System.Drawing
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2046.0 built by: NET47REL1.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll.
----------------------------------------
System.Configuration
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2046.0 built by: NET47REL1.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll.
----------------------------------------
System.Core
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2117.0 built by: NET47REL1LAST.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll.
----------------------------------------
System.Xml
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2612.0 built by: NET471REL1LAST_B.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll.
----------------------------------------
System.ServiceModel
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2612.0 built by: NET471REL1LAST_B.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.ServiceModel/v4.0_4.0.0.0__b77a5c561934e089/System.ServiceModel.dll.
----------------------------------------
System.Runtime.Serialization
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2612.0 built by: NET471REL1LAST_B.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Runtime.Serialization/v4.0_4.0.0.0__b77a5c561934e089/System.Runtime.Serialization.dll.
----------------------------------------
SMDiagnostics
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2612.0 built by: NET471REL1LAST_B.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/SMDiagnostics/v4.0_4.0.0.0__b77a5c561934e089/SMDiagnostics.dll.
----------------------------------------
System.ServiceModel.Internals
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2612.0 built by: NET471REL1LAST_B.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.ServiceModel.Internals/v4.0_4.0.0.0__31bf3856ad364e35/System.ServiceModel.Internals.dll.
----------------------------------------
System.Data
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2102.0 built by: NET47REL1LAST.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_32/System.Data/v4.0_4.0.0.0__b77a5c561934e089/System.Data.dll.
----------------------------------------
System.IdentityModel
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2612.0 built by: NET471REL1LAST_B.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.IdentityModel/v4.0_4.0.0.0__b77a5c561934e089/System.IdentityModel.dll.
----------------------------------------
Microsoft.GeneratedCode
    Assembly-Version: 1.0.0.0.
    Win32-Version: 4.7.2612.0 built by: NET471REL1LAST_B.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll.
----------------------------------------
System.resources
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2046.0 built by: NET47REL1.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.resources/v4.0_4.0.0.0_de_b77a5c561934e089/System.resources.dll.
----------------------------------------
System.Xaml
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2117.0 built by: NET47REL1LAST.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xaml/v4.0_4.0.0.0__b77a5c561934e089/System.Xaml.dll.
----------------------------------------
System.ServiceModel.resources
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2046.0 built by: NET47REL1.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.ServiceModel.resources/v4.0_4.0.0.0_de_b77a5c561934e089/System.ServiceModel.resources.dll.
----------------------------------------
mscorlib.resources
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2046.0 built by: NET47REL1.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/mscorlib.resources/v4.0_4.0.0.0_de_b77a5c561934e089/mscorlib.resources.dll.
----------------------------------------
System.Windows.Forms.resources
    Assembly-Version: 4.0.0.0.
    Win32-Version: 4.7.2046.0 built by: NET47REL1.
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms.resources/v4.0_4.0.0.0_de_b77a5c561934e089/System.Windows.Forms.resources.dll.
----------------------------------------

************** JIT-Debuggen **************
Um das JIT-Debuggen (Just-In-Time) zu aktivieren, muss in der
Konfigurationsdatei der Anwendung oder des Computers
(machine.config) der jitDebugging-Wert im Abschnitt system.windows.forms festgelegt werden.
Die Anwendung muss mit aktiviertem Debuggen kompiliert werden.

Zum Beispiel:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

Wenn das JIT-Debuggen aktiviert ist, werden alle nicht behandelten
Ausnahmen an den JIT-Debugger gesendet, der auf dem
Computer registriert ist, und nicht in diesem Dialogfeld behandelt.


#36
In the screenshot you have configured Username/Password as authentication method - please select "Windows Authentication" - and if you use Windows Authentication you need another web service url: https://yoursecretserverinstallation/win...rvice.asmx

Please try with these settings again
Regards/Gruss
Oliver
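The two WCF errors quoted earlier in this thread (the 65536-byte MaxReceivedMessageSize quota in post #33 and the 401 "Anonymous" vs. "Bearer,Negotiate,NTLM" mismatch in post #35) both come down to how the SOAP client binding is built. The following is an added example, not ASG or Thycotic code, showing a client binding that raises the quota and sends Windows credentials for the winauth endpoint. It assumes the generated proxy has the standard WCF `(Binding, EndpointAddress)` constructor; the class name `SSWebServiceSoapClient` is taken from the stack traces above, and the endpoint URL is a placeholder because the posts only show truncated addresses.

```csharp
using System;
using System.ServiceModel;

// Added example, not ASG or Thycotic code. Builds the WCF client binding for the
// Secret Server SOAP (.asmx) endpoints so that the two errors quoted in this
// thread do not occur:
//   1. "The maximum message size quota for incoming messages (65536) has been
//      exceeded" -> MaxReceivedMessageSize must be raised above the 64 KiB default.
//   2. "unauthorized with client authentication scheme 'Anonymous' ... server
//      sent 'Bearer,Negotiate,NTLM'" -> the client must answer the Negotiate/NTLM
//      challenge with Windows credentials instead of connecting anonymously.
public static class SecretServerBindings
{
    // WCF default quota that the first error message refers to.
    public const long WcfDefaultMaxReceivedMessageSize = 65536;

    // windowsAuth == false: username/password endpoint; HTTP itself is anonymous
    //                       and the token is returned by the SOAP Authenticate() call.
    // windowsAuth == true : winauthwebservices endpoint; the caller's Windows
    //                       identity is sent via Negotiate/NTLM, no password typed.
    public static BasicHttpBinding Build(bool windowsAuth, int maxMessageBytes = 16 * 1024 * 1024)
    {
        if (maxMessageBytes < WcfDefaultMaxReceivedMessageSize)
            throw new ArgumentOutOfRangeException(nameof(maxMessageBytes),
                "quota must not be lower than the WCF default of 65536 bytes");

        // Transport security = HTTPS. Do not fall back to BasicHttpSecurityMode.None
        // and do not switch certificate validation off: the HTTP.SYS/certificate
        // error from post #28 is fixed by trusting the internal PKI root on the
        // client machine, not by disabling the check.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = windowsAuth
            ? HttpClientCredentialType.Windows   // answers the Negotiate/NTLM challenge
            : HttpClientCredentialType.None;     // anonymous HTTP, token via SOAP body

        // Buffered transfer requires MaxBufferSize == MaxReceivedMessageSize.
        binding.TransferMode = TransferMode.Buffered;
        binding.MaxReceivedMessageSize = maxMessageBytes;
        binding.MaxBufferSize = maxMessageBytes;

        // A large folder tree also needs larger XML reader quotas, otherwise the
        // reader rejects the response even though the raw message size fits.
        binding.ReaderQuotas.MaxStringContentLength = maxMessageBytes;
        binding.ReaderQuotas.MaxArrayLength = maxMessageBytes;
        binding.ReaderQuotas.MaxDepth = 64;

        // Walking many folders (the recursive ReadFolderFromSecretServer in the
        // trace) can take a while; the default one-minute send timeout is tight.
        binding.SendTimeout = TimeSpan.FromMinutes(2);
        return binding;
    }

    // Usage sketch. The URL is a PLACEHOLDER (assumption): use the
    // winauthwebservices address referred to above, which the posts truncate.
    public static void Example()
    {
        var address = new EndpointAddress(
            "https://secretserver.example.invalid/PLACEHOLDER/winauthwebservices/PLACEHOLDER.asmx");
        BasicHttpBinding binding = Build(windowsAuth: true);

        // Generated WCF proxies expose a (Binding, EndpointAddress) constructor:
        // var client = new SSWebServiceSoapClient(binding, address);
        Console.WriteLine($"{binding.Security.Transport.ClientCredentialType} credentials, " +
                          $"quota {binding.MaxReceivedMessageSize} bytes, endpoint {address.Uri}");
    }
}
```

Setting `ClientCredentialType = Windows` is what "select Windows Authentication" in the ASG dialog corresponds to on the wire; the username/password endpoint must keep `None`, because there IIS still allows anonymous HTTP and the credentials travel inside the SOAP `Authenticate` call. Keep the quota bounded to the size you actually expect rather than `int.MaxValue`, since the quota is also what protects the client from a misbehaving or spoofed server sending an unbounded response.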
#37
(27-02-2018, 09:15 AM)DevOma Wrote: Wow - great that is working - and we will continue working on the other issues :-)

First issue: Will make this value configurable

Second issue: We will test it again - currently this option should work like "you see the name of creds in navigation tree but each time you use it the username and password will be retrieved via the webservice from Secret Server"

Third issue: We will think about a solution - one idea is that for all usernames without a domain specification we could set it as "local" user - like if you use "admin" as user name it would match and if you use "mydomain\admin" or "admin@mydomain" it would use it as domain user?!? Would that be ok - or do you prefer to configure it on folder level in the "Select folders" dialog?!?

Thanks for your feedback

First Issue: Great

Second Issue: Let me know. Could the issue be related to the fact that this is a local login and that we cannot set the option to "use local login on destination computer" when you sync only the object?

Third issue: I think it is reasonable to say that if you don't have a domain field configured on a secret, that it is a local login.  That would be a great way to achieve this.  Btw, the username field will never have the domain configured, there is another field for domain when you use the Active Directory template in Secret Server.

Another request: Can you give us a third option to sync for "username/password + MFA" and use the AuthenticateRadius REST API to authenticate to Secret Server? We usually enable MFA for our accounts to log in to Secret Server. I removed that on my account to test your integration but if we want this to fly, we need MFA :-).

I'm on vacation for the next 2 weeks so I will only answer when I'm back on March 16th.
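DevOma's proposal in post #34 (no domain in the user name means a local account; "mydomain\admin" or "admin@mydomain" means a domain account) and Sylvain's clarification above (the Secret Server Active Directory template keeps the domain in a separate field, never in the username) describe one classification rule. The code below is an added example, not ASG's implementation, that applies that rule to both sources of domain information. The type and method names (`LoginTarget`, `LoginClassifier`) and the sample secrets are constructed for illustration.

```csharp
using System;

// Added example, not ASG code. Decides whether a synced credential should use
// "Use local login on destination computer" or a domain login, based on the rule
// discussed in this thread. The domain may be embedded in the user name
// ("mydomain\admin", "admin@mydomain") or supplied by the secret's separate
// Domain field (Secret Server's Active Directory template).
public sealed class LoginTarget
{
    public string User { get; }
    public string Domain { get; }                 // null for a local account
    public bool UseLocalLogin => Domain == null;

    public LoginTarget(string user, string domain)
    {
        User = user;
        Domain = domain;
    }

    public override string ToString() => UseLocalLogin
        ? $"{User} (local login on destination computer)"
        : $"{Domain}\\{User} (domain login)";
}

public static class LoginClassifier
{
    // domainField is the secret's separate Domain field; pass null or "" when the
    // template has none. A populated Domain field wins over anything embedded in
    // the user name, so the two inputs can never produce two different scopes.
    public static LoginTarget Classify(string username, string domainField)
    {
        if (string.IsNullOrWhiteSpace(username))
            throw new ArgumentException("username is required", nameof(username));

        string user = SplitDomain(username.Trim(), out string embeddedDomain);
        string domain = string.IsNullOrWhiteSpace(domainField) ? embeddedDomain : domainField.Trim();

        // "." is the Windows shorthand for "this computer", so ".\admin" is local too.
        if (domain == ".")
            domain = null;

        return new LoginTarget(user, domain);
    }

    // Recognises DOMAIN\user and user@domain. Returns the bare user name and sets
    // domain to null when the name carries no domain part at all.
    private static string SplitDomain(string name, out string domain)
    {
        int backslash = name.IndexOf('\\');
        if (backslash > 0 && backslash < name.Length - 1)
        {
            domain = name.Substring(0, backslash);
            return name.Substring(backslash + 1);
        }
        int at = name.IndexOf('@');
        if (at > 0 && at < name.Length - 1)
        {
            domain = name.Substring(at + 1);
            return name.Substring(0, at);
        }
        domain = null;
        return name;
    }
}

public static class LoginClassifierDemo
{
    public static void Run()
    {
        // Constructed sample secrets (user name, separate Domain field), not real data.
        var samples = new (string User, string Domain)[]
        {
            ("admin", null),               // local admin, no domain anywhere
            ("mydomain\\admin", null),     // domain embedded, DOMAIN\user form
            ("admin@mydomain", null),      // domain embedded, UPN form
            ("admin", "mydomain"),         // AD template: domain in its own field
            (".\\admin", null),            // local via the Windows "." shorthand
        };
        foreach (var s in samples)
            Console.WriteLine($"{s.User,-16} {(s.Domain ?? "-"),-10} -> {LoginClassifier.Classify(s.User, s.Domain)}");
    }
}
```

The design point is that the separate Domain field must be consulted before falling back to the user-name heuristic; otherwise every account from the Active Directory template would be misclassified as local and ASG would attempt a local logon with a domain account's password on the destination computer.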
#38
(27-02-2018, 05:35 PM)sylvain.hamel Wrote:
(27-02-2018, 09:15 AM)DevOma Wrote: Wow - great that is working - and we will continue working on the other issues :-)

First issue: Will make this value configurable

Second issue: We will test it again - currently this option should work like "you see the name of creds in navigation tree but each time you use it the username and password will be retrieved via the webservice from Secret Server"

Third issue: We will think about a solution - one idea is that for all usernames without a domain specification we could set it as "local" user - like if you use "admin" as user name it would match and if you use "mydomain\admin" or "admin@mydomain" it would use it as domain user?!? Would that be ok - or do you prefer to configure it on folder level in the "Select folders" dialog?!?

Thanks for your feedback

First Issue: Great

Second Issue: Let me know. Could the issue be related to the fact that this is a local login and that we cannot set the option to "use local login on destination computer" when you sync only the object?

Third issue: I think it is reasonable to say that if you don't have a domain field configured on a secret, that it is a local login.  That would be a great way to achieve this.  Btw, the username field will never have the domain configured, there is another field for domain when you use the Active Directory template in Secret Server.

Another request: Can you give us a third option to sync for "username/password + MFA" and use the AuthenticateRadius REST API to authenticate to Secret Server? We usually enable MFA for our accounts to log in to Secret Server. I removed that on my account to test your integration but if we want this to fly, we need MFA :-).

I'm on vacation for the next 2 weeks so I will only answer when I'm back on March 16th.


Any progress on these issues?

=Sylvain
#39
Yes - it is ready - but we run into several other issues (not for Thycotic) and are still working on the Patch - it was planned for last week, currently I think it should be ready in 1 or 2 days...
Regards/Gruss
Oliver
#40
(19-03-2018, 03:21 PM)sylvain.hamel Wrote:
(27-02-2018, 05:35 PM)sylvain.hamel Wrote:
(27-02-2018, 09:15 AM)DevOma Wrote: Wow - great that is working - and we will continue working on the other issues :-)

First issue: Will make this value configurable

Second issue: We will test it again - currently this option should work like "you see the name of creds in navigation tree but each time you use it the username and password will be retrieved via the webservice from Secret Server"

Third issue: We will think about a solution - one idea is that for all usernames without a domain specification we could set it as "local" user - like if you use "admin" as user name it would match and if you use "mydomain\admin" or "admin@mydomain" it would use it as domain user?!? Would that be ok - or do you prefer to configure it on folder level in the "Select folders" dialog?!?

Thanks for your feedback

First Issue: Great

Second Issue: Let me know. Could the issue be related to the fact that this is a local login and that we cannot set the option to "use local login on destination computer" when you sync only the object?

Third issue: I think it is reasonable to say that if you don't have a domain field configured on a secret, that it is a local login.  That would be a great way to achieve this.  Btw, the username field will never have the domain configured, there is another field for domain when you use the Active Directory template in Secret Server.

Another request: Can you give us a third option to sync for "username/password + MFA" and use the AuthenticateRadius REST API to authenticate to Secret Server? We usually enable MFA for our accounts to log in to Secret Server. I removed that on my account to test your integration but if we want this to fly, we need MFA :-).

I'm on vacation for the next 2 weeks so I will only answer when I'm back on March 16th.


Any progress on these issues?

=Sylvain

Hi, 

Here is the result of my test with Patch3:

First Issue: Great, that works well now.
Second Issue: It is also now working properly with Patch3 - Wonderful
Third Issue: It looks like you did not implement this change - at least not when you sync objects with all data.  Not really a problem for me because when I sync "only object names" (which is what I want), that works fine.

Request for Radius (MFA) support: I'm glad you also introduced the support for Radius auth but unfortunately, it doesn't work. I get "Radius Authentication failed". If I go manually to the webservice in my web browser (https://mysecretserver.mydomain.com/Secr...cateRADIUS), I'm able to authenticate just fine, I get a token back.

Thanks for your great work btw!!!

-Sylvain