Thycotic Secret Server Privileged Password Integration
#1
Hi,

Our company has been using ASG-RD for over 6 years and we love it. We are an MSP looking after financial services clients and so password management and control is critically important.

While the ASG-RD integrated Credentials are great, when passwords change on hosts there is a massive amount of work to update the Credentials in ASG. We currently have under management approx. 100 different AD domains, 600 servers running Windows and Linux variants and 500 network devices.

Thycotic Secret Server is a best in class (KuppingerCole Report here: http://thycotic.com/wp-content/uploads/2...ycotic.pdf) privileged password management system which allows the automatic changing of passwords across the enterprise and managed client networks auditing and control.

Is it possible for ASG to integrate Thycotic Secret Server with RemoteDesktop?

The end result would be that Thycotic Secret Server would be able to automatically change and store the end host credentials and ASG-RD would then use that database to retrieve credentials without any manual intervention. A stunning win for security and ease of password management!

There are other products which do provide this integration, but are not anywhere as easy to use as ASG-RD. There is a published API available from Thycotic.

Many thanks for considering this suggestion.


Regards,


Richard
Reply
#2
We plan for the next major release to integrate API support - then it will be easy to integrate Password Manager tools
Regards/Gruss
Oliver
Reply
#3
(08-12-2015, 08:23 AM)DevOma Wrote: We plan for the next major release to integrate API support - then it will be easy to integrate Password Manager tools

Hi,

I was wondering if this has happened yet. We need to have this for compliance reasons. Can you help us with developing the interface needed?

Kind regards,


Richard
Reply
#4
We have a Powershell API implemented for version 2016 - please have a look at it...
Regards/Gruss
Oliver
Reply
#5
(17-03-2017, 07:57 AM)DevOma Wrote: We have a Powershell API implemented for version 2016 - please have a look at it...

I'd love to...but:

WARNING: Environment could not be connected. Powershell mode is not supported in 'Eval mode'.

Hmmm...
Reply
#6
Had this same issue. Re-import your license file.
Reply
#7
Here is some quick code to Create a new user.

$retCredGuid = Get-RDBaseItemId -ItemPath Credentials
$ret = New-RDBaseItem -ParentItemId $retCredGuid.Guid -ItemType credential -Text NewTestCredential
Set-RDPropertiesCredential -ItemId $ret.ItemID -Domain TEST -Password TEST -Username TestUserName
Reply
#8
Anybody have more details on how to make this work? Do we configure PowerShell from within ASG to reach out to Thycotic? Or will it start in Thycotic and connect to ASG? Confused here and could use more detail. Thanks // David
Reply
#9
Anyone have more detail to help here?
Reply
#10
I do not know the product from Thycotic - and the API from that product - perhaps you need to write a script that gets all credentials from ASG-RD and then you have to get the right password for the credential from your Thycotic API and set this password back via the Powershell API
Regards/Gruss
Oliver
Reply
#11
(16-05-2017, 08:09 AM)DevOma Wrote: I do not know the product from Thycotic - and the API from that product - perhaps you need to write a script that gets all credentials from ASG-RD and then you have to get the right password for the credential from your Thycotic API and set this password back via the Powershell API

I just looked and Thycotic has PowerShell support. So you would need to do something like this:

Read the accounts in ASG-RD, check each account name for the password in Thycotic, use that password to then update your account in ASG-RD.

Here is an excerpt from my larger script that changes the password for an account that matches the $Account variable. Note that the connection to the Database has already been created.

Code:
Function Update-RDPassword($account, $Password)
{
    
    $parms = @{'ParentItemId'=(Get-RDBaseItemId -ItemPath "Credentials").Guid;
        'itemType'="Credential"
    }
   
    $creds = Get-RDBaseItemChilds @parms

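    foreach ($Cred In $creds)
    {
        $CredText = $Cred.Text
        # -match is a regular-expression match, so $account is treated as a pattern
        # and every credential whose Text contains a match is updated.
        if ($CredText -match $account)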
        {
            Write-Host "Changing Password for $CredText"
            $credGuid = $Cred.ItemID
            try
            {
                Set-RDPropertiesCredential -itemID $credGuid -Password $Password -erroraction stop
            }
            catch [System.Exception]
            {
                switch($_.Exception.GetType().FullName) {
                    'System.Management.Automation.ItemNotFoundException' {
                      Write-Error "ItemNotFound for $CredText"
                    }
                    'System.Management.Automation.SessionStateException' {
                      Write-Error "SessionState for $CredText"
                    }
                    'System.Management.Automation.RuntimeException' {
                      Write-Error "RuntimeException for $CredText"
                    }
                    'System.SystemException' {
                      Write-Error "SystemException for $CredText"
                    }
                    'System.Exception' {
                      Write-Error "Exception for $CredText"
                    }
                    'System.NullReferenceException' {
                      Write-Error "Null Reference Exception for $CredText"
                    }
                     default {
                        Write-Error "well, darn on setting the password"
                        Write-Error $_
                        }
                }
            }
            try
            {
                Set-RDPropertiesCredential -itemID $credGuid -alwaysPromptForPassword $false -erroraction stop
            }
            catch [System.Exception]
            {
                switch($_.Exception.GetType().FullName) {
                    'System.Management.Automation.ItemNotFoundException' {
                      Write-Error "ItemNotFound for $CredText"
                    }
                    'System.Management.Automation.SessionStateException' {
                      Write-Error "SessionState for $CredText"
                    }
                    'System.Management.Automation.RuntimeException' {
                      Write-Error "RuntimeException for $CredText"
                    }
                    'System.SystemException' {
                      Write-Error "SystemException for $CredText"
                    }
                    'System.Exception' {
                      Write-Error "Exception for $CredText"
                    }
                    'System.NullReferenceException' {
                      Write-Error "Null Reference Exception for $CredText"
                    }
                    default {
                        # Report on the error stream, as the first handler does.
                        Write-Error "well, darn on setting it to not prompt for $CredText"
                        Write-Error $_.Exception
                        }
                 }
             }
        }
            #sleep 1        

        $CredText = $null
    }
    
    $parms, $Cred, $creds, $credGuid, $Password = $null, $null, $null, $null, $null    
}
Reply
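The read / look up / write-back loop described in posts #10 and #11, written out end to end as an added example (not code from any poster, from ASG or from Thycotic). It uses only the ASG-RD cmdlets shown in this thread and assumes an already connected ASG-RD environment, the Secret Server REST endpoints `oauth2/token`, `api/v1/secrets` and `api/v1/secrets/{id}/fields/password`, a placeholder base URL, and that each secret's name equals the ASG-RD credential Text.

```powershell
# Added example. Function name, $SsBase and the name mapping are assumptions.
function Sync-RDCredentialFromSecretServer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Placeholder, e.g. https://secretserver.example.test/SecretServer
        [Parameter(Mandatory)][string]$SsBase,
        # Secret Server API account, passed as PSCredential rather than plain text
        [Parameter(Mandatory)][pscredential]$ApiAccount
    )

    # Request an OAuth2 bearer token (password grant, form-encoded body).
    $tokenBody = @{
        grant_type = 'password'
        username   = $ApiAccount.UserName
        password   = $ApiAccount.GetNetworkCredential().Password
    }
    $token   = (Invoke-RestMethod -Method Post -Uri "$SsBase/oauth2/token" -Body $tokenBody).access_token
    $headers = @{ Authorization = "Bearer $token" }

    # Enumerate the credential objects under the ASG-RD "Credentials" folder.
    $parent = (Get-RDBaseItemId -ItemPath 'Credentials').Guid
    $creds  = Get-RDBaseItemChilds -ParentItemId $parent -ItemType Credential

    foreach ($cred in $creds) {
        $name = $cred.Text
        $q    = [uri]::EscapeDataString($name)
        # Keep exact name matches only, never substring or regex matches.
        $hits = @((Invoke-RestMethod -Uri "$SsBase/api/v1/secrets?filter.searchText=$q" -Headers $headers).records |
                  Where-Object { $_.name -eq $name })

        # Zero or several candidates: skip instead of guessing which secret applies.
        if ($hits.Count -ne 1) {
            Write-Warning "Skipping '$name': $($hits.Count) matching secrets"
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($name, 'Update stored password')) { continue }

        try {
            $pw = Invoke-RestMethod -Uri "$SsBase/api/v1/secrets/$($hits[0].id)/fields/password" -Headers $headers
            Set-RDPropertiesCredential -ItemId $cred.ItemID -Password $pw -ErrorAction Stop
            Write-Verbose "Updated '$name'"   # the password itself is never logged
        }
        catch { Write-Error "Failed to update '$name': $($_.Exception.Message)" }
        finally { $pw = $null }
    }
}
```

Running it with `-WhatIf` first lists which credential objects would be changed without writing anything.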
#12
Anybody have more details on how to make this work? Do we configure PowerShell from within ASG to reach out to Thycotic? https://www.arydigital.tv/videos/categor...a-dil-tha/ Or will it start in Thycotic and connect to ASG? Confused here and could use more detail.
Reply
#13
I don't know what you are trying to do?!? You can connect to any ASG-RD environment via PowerShell script and make changes or read content of the environment - and this data you can use for any purpose...
Regards/Gruss
Oliver
Reply
#14
Hi,

I know this is an older thread, but we are just starting to look at Thycotic to store our credentials.
As Thycotic can change passwords periodically, but "worse" can be used to check in and check out credentials, the ideal situation would be that ASG looks for the password in the Thycotic Secret Server when starting a connection.

Or the other way around would be a possibility too: can Thycotic open a connection through ASG? I think the best thing would be that the connection should not be stored in ASG.
The main flaw of Thycotic is the lack of an integrated user interface for managing multiple connections, and no offline version available.
Reply
#15
Since I requested this nothing has happened. We are not developers and certainly cannot integrate the Thycotic Web API and the ASG-RD Powershell toolset as has been suggested.

We are considering moving to Remote Desktop Manager by Devolutions as they have had this working for years. I have tested and it works well. You do need their Server Subscription ($2000/year) (their DB backend) on top of the platform license ($3500) to make this work, but considering the compliance implications it's going to be worth the cost and pain.

The only reason why I have not made the change is I like the simple ASG-RD interface. It's nowhere near as complex as the RDM interface. Unfortunately cost vs pain vs compliance burden will win out.
Reply
#16
Thycotic is part of version 2018 - and yes it is able to use the passwords "live" from Thycotic - so only the object names are stored in the UI (ASGRD) - and always when a credential object should be used the data is retrieved from the PasswordManagement Tool - KeePass is also integrated - and 3 other Password Manager tools are "in development" and should be available soon...
Regards/Gruss
Oliver
Reply
#17
Hi Oliver,
is there somewhere more information about how to set this up?
The only thing I found so far was the checkmark.
Reply
#18
In the Help file you will find it under Working with credentials => Synchronisation of credential objects => Thycotic Secret Server


You need to activate the plugin under Tools=>Settings=>Extensions - then you will see the configuration in any Credential Folder...
Regards/Gruss
Oliver
Reply
#19
Hi DevOma

You are mentioning that 3 other Password Manager Tools are in development.
Can you tell us which ones?

I am searching for a Password Manager for our company and at the moment I am looking at TeamPasswordManager.

Regards,
Michael
Reply
#20
Password Manager Pro - Password Safe - LastPass are the systems we are integrating or evaluating currently

I will add TeamPasswordManager to our list - must check how it can be integrated via API
Regards/Gruss
Oliver
Reply



