Logging details needed during connections
#1
Hi,

I'm having an intermittent problem with connections when accessing a Cyber-Ark passthrough session.

Scenario:

I have a credential set, Cred A, which has permissions to log into the Cyber-Ark passthrough server (CyberA) via RDP.  This account has access to pull secured credentials from the vault, which it then uses to pass through to a secured server, via the rdp client on CyberA.

I create a connection object, and in the Executable path field I put:

psm /u vaultaccount@mydomain.loc /a %NAME% /c PSM-RDP

%NAME% is inherited from my connection object name (new feature, thanks!!)

This command says "retrieve vaultaccount credentials and use them to rdp through to %NAME%".

So there are two authentications that happen here, the first one to CyberA, which ASG-RD is responsible for, and a second authentication, where the CyberA server has to pass credentials.

A significant percentage of the time, the first authentication fails, and I am re-prompted to enter credentials manually for the connection to CyberA.  Occasionally it works just fine.  I don't know if this is timing or something in actually passing wrong credentials due to inconsistent behavior with having the program field filled in.  The Cyber-Ark server is locked down so it's not trivial to get at the authentication logs, but it SEEMS the authentication to it is failing or credentials not provided.

The logging identifies the username that is sent; since there is a history of sometimes selecting the wrong credential set when making a connection, it may be beneficial to include the credential name.  If there is any information available on what the RDP endpoint returned, it would be beneficial to include this as it may improve troubleshooting connection issues.
#2
If the first auth fails that would mean that the assigned credentials are not working in this case - but that could not be limited to only your CyberA auth, other users should have the problem when launching other connections...
Regards/Gruss
Oliver
#3
(09-06-2017, 10:22 AM)DevOma Wrote: If the first auth fails that would mean that the assigned credentials are not working in this case - but that could not be limited to only your CyberA auth, other users should have the problem when launching other connections...

That would seem to be the case... yet I try the same connection object several times over a 2-hour period, and out of 15 tries, it may be successful 1-2 times without making changes to the credentials.  The nature of the Cyber-Ark passthrough precludes me logging in without passing the authorized application to be run, so I can't "get in the middle" to see what's different - I was hoping for some more verbose "return codes" when the authentication fails.
#4
Update on this, it seems that the initial authorization is succeeding, and it's the intermediate authorization where authentication is not being passed to the PSM logged RDP session.  I have a case open with Cyber Ark and will try to update here in case anyone else experiences this.