Forum / Remote Desktop Manager - Feature Request

Secret Server Auto Credential

Hi,
We are trying out Remote Desktop Manager to replace Terminals (Site License).
The main reason for the suggested change is the integration into Secret Server.
As I have seen, I have to create a Credential entry for each secret I need. This is very inconvenient for the few hundred servers, where we would like to access their secrets dynamically.
We would like to have a feature (or explanation) how to get the Credentials automatically.
E.g. we have Server01, Server02 and the corresponding secrets (Name Standard) are Server01_LA and Server02_LA (LA=Local Admin). So we just need to access the following Secret:
$HOST$_LA
Is there a way to do it? Best would be dynamically: so I have One Credential: SecretServer_LocalAdmin and it connects to Secret Server and fetches the credentials for each of the configured RDP sessions according to the $HOST$ variable.

Thank you in advance and kind regards,
Peter Cermak

Clock6 yrs

Hi,
I'll see for a way to solve your issue and I'll come back to you soon.
Regards,

André Sanscartier

Clock6 yrs

Hi,
I have good news for you.
A new feature has been implemented in RDM. In the next release it will be possible to access the Secret Server database by a secret name, and variables like $HOST$ will be allowed in it. It should solve your issue.
At this time I am not able to say when it will be released but it should be soon.
Regards,

André Sanscartier

Clock6 yrs

Hi André,
Thank you for this info! It will help me get the budget for the License.
Regards,
Peter

Clock6 yrs

Hi,
The new Beta version is now available! v8.1.11.0
http://remotedesktopmanager.com/Home/Download

You may try the new "By secret name" feature for Secret Server.

Regards,

André Sanscartier

Clock6 yrs

Thank you for this tip!
It works as expected! :-)

Another Feature Request:
Could you add "known" SecretServer URLs to the "Service URL" Drop Down box?
I know I can use Templates but ...

Another Idea would be to link a Password to the SecretServer Login. We each have an Administrative AD account we use for connection to Domain Servers and the login to SecretServer (SecretServer is used to access DMZ Server with only local accounts).
So I have several SecretServer Credential Objects (different Secret name Patterns) which all use the same Username/Password credential to log into SecretServer.
edited by POI on 4/4/2013
edited by POI on 4/5/2013

Clock6 yrs

Hi,
Regarding this topic also:
http://forum.devolutions.net/topic2799-shared-sessions--local-credentials.aspx
We would need to enter the SecretServer Credentials from a Datasource, like keepass ;-) So we can achieve a clean separation between sessions and Credential management. This is mandatory for us - I wonder why it's not for others who use shared datasources.

Thanks and regards,
Peter

Clock6 yrs

Hi,
Sorry, but your issue is not clear to me.
If you could log in to Secret Server with a different credential for each member of your team (current logged Windows User name), would it be OK?

Regards,

André Sanscartier

Clock6 yrs

André Sanscartier wrote:

Hi,
Sorry, but your issue is not clear to me.
If you could log in to Secret Server with a different credential for each member of your team (current logged Windows User name), would it be OK?

Regards,


Hi André,

This is closely connected to http://forum.devolutions.net/topic2799-shared-sessions--local-credentials.aspx

I cannot understand why we're the only company with this basic security requirement of shared sessions and personal credentials. hmm
No personal user/password in anything shared and accessible by any other people. <- lockd

Yes, if we could create a Shared Credential which uses the currently logged in User to access Secret Server (instead of entering the username statically in each Secret Server Credential object).
We could then enter the Personal password into Secret Server and retrieve the real passwords on demand via the logged on dynamic Secret Server connection.

This is just a bit more complicated than allowing credentials from a local DB into a shared session DB, but not a real problem.
It would be very inconvenient if we could not use the shared Datasource Feature for the sessions - we would have to distribute new local xml whenever the Session Config changes (a new Server is introduced or something) and then everybody has to re-import (Credential Backup) and reassign his personal credentials into this newly distributed local xml file.

Regards,
Peter
edited by POI on 4/8/2013

Clock6 yrs

Hi,
I just modified the editor dialog for SecretServer credential.
It is now possible to use environment variables in the Username.
Here is an example:
SecretServer
This way each user would have their own SecretServer access.
This update should be released soon.
Regards,

André Sanscartier

SecretServer.png
Clock6 yrs

Hi,
The version is now updated. The version number hasn't been changed, so you have to download the zip file and overwrite files in your installation folder. Please do not use the install program; it would refuse to work.

http://remotedesktopmanager.com/Home/ThankYou?f=RDMbin
Regards,
edited by dhervieux on 4/8/2013

André Sanscartier

Clock6 yrs

Hi André,

Thank you very much! That's what I call good customer care!

I tried it on 2 Machines with different Users and it works.
I suppose I have to enter my Credentials each time I start RDM <- we will see what our colleagues say to this, but I think it would be accepted since it is not needed for each SS-Credential.

The %USERNAME% does not yet work in the Secret Server "Browser for Secret" dialog, but we would not need this feature for our requirement, since we use variables.

It's very good to know that I can use both types of variables anywhere now (Systemvariables %Variable% and RDM Variables $Variable$)?
The same procedure seems to work for "Username/Password" credential also, but here I have to enter the password each time the secret is accessed (with the prompt for password option, otherwise only the username is filled in).

Thank you,
Peter

Clock6 yrs

Hi Peter,
Yes, you have to enter your credentials at the first access of SecretServer after a RDM start. Otherwise it would be considered a security breach; credentials repositories do not allow applications to store their master password.
For "Browser for Secret" dialog it should be fixed soon.

Regards,

André Sanscartier

Clock6 yrs

Hi André,

You could use the integrated windows credential mechanism - forwarding the locally signed in user, like the webbrowser-session does.

Regards,
Peter

Clock6 yrs

Hi,
This is not as simple as it sounds. It's impossible to extract the Windows credentials. The target must support Single Sign On. For the web browser, it works only if the web site is designed this way. IE will never send the real username / password, it's always a Kerberos authentication.

David Hervieux

Clock6 yrs

Of course the Target is configured this way and the current Kerberos Ticket is used.

I think it is much more simple than it sounds! Thycotic has a separate Webservice URL with different Parameters for this.

Have you checked this (symbolic) URL, or talked with the guys from Thycotic?
"https://www.secretserveronline.com/winauthwebservices/SSWinAuthWebService.asmx"

I have a Powershell script, which works this way:


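# Windows-authenticated Secret Server web service endpoint (host name is a placeholder)
$URI = "https://MySecretServer/SSWEB/winauthwebservices/SSWinAuthWebService.asmx"
# Build a SOAP proxy that authenticates as the currently logged-on Windows user
$SSConnection = New-WebServiceProxy -UseDefaultCredential -uri $URI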


You just have to update the GUI with a checkbox "Use local Credentials" and then disable the Logon fields/dialogs and then use a different SOAP Call to another URI.

Regards,
Peter

Clock6 yrs
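The per-host lookup discussed in this thread, combined with the Windows-authenticated proxy from the script above, as an added example that is not code from the thread, Devolutions or Thycotic. The server URL, the `Get-LocalAdminSecret` name, the `Username`/`Password` field names and the `SearchSecrets`/`GetSecret` signatures are assumptions to check against your server's WSDL and secret template.

```powershell
# Added example. Requires Windows PowerShell 5.1 (New-WebServiceProxy is not in PowerShell 6+).
# Assumptions: server URL, the <host>_LA naming standard from the thread, and the
# SOAP methods SearchSecrets/GetSecret with the argument lists shown below.
function Get-LocalAdminSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $Uri = 'https://MySecretServer/SSWEB/winauthwebservices/SSWinAuthWebService.asmx'
    )

    # Accept only a plain host label so the value cannot change what is searched for.
    if ($HostName -notmatch '^[A-Za-z0-9-]{1,63}$') { throw "Unexpected host name: $HostName" }
    # Secrets travel in the SOAP response, so refuse a non-TLS endpoint.
    if (-not $Uri.StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)) {
        throw 'Secret Server must be reached over HTTPS.'
    }

    $secretName = '{0}_LA' -f $HostName

    # Kerberos/NTLM identity of the logged-on user; no Secret Server password is stored or typed.
    $ws = New-WebServiceProxy -Uri $Uri -UseDefaultCredential

    $search = $ws.SearchSecrets($secretName, $null, $null)
    if ($search.Errors.Length -gt 0) { throw "Search failed: $($search.Errors -join '; ')" }

    # A search can return similarly named secrets: keep the exact name and require one hit.
    $hits = @($search.SecretSummaries | Where-Object { $_.SecretName -eq $secretName })
    if ($hits.Count -ne 1) { throw "Expected one secret named $secretName, found $($hits.Count)" }

    $result = $ws.GetSecret($hits[0].SecretId, $false, $null)
    if ($result.Errors.Length -gt 0) { throw "GetSecret failed: $($result.Errors -join '; ')" }

    # Field names depend on the secret template (assumed: Username, Password).
    $fields = @{}
    foreach ($item in $result.Secret.Items) { $fields[$item.FieldName] = $item.Value }

    # Return a PSCredential so the password is not echoed to the console or transcript.
    $password = ConvertTo-SecureString $fields['Password'] -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential ($fields['Username'], $password)
}

# Usage: $cred = Get-LocalAdminSecret -HostName 'Server01'
```

Every retrieval made this way is attributed to the individual Windows account in Secret Server's audit log, which is the separation of shared sessions and personal credentials asked for earlier in the thread.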

Interesting. Thank you, I was not aware of that. I will ask André to give it a try.

David Hervieux

Clock6 yrs

Hi,

The latest Beta version (v8.2.7.0) now includes the windows authentication for Secret Server.
Unfortunately I am not able to test it correctly here. I hope that it will work correctly in a real environment.
You just have to select the SSWinAuthWebService service in the ComboBox.

Best regards,

André Sanscartier

Clock6 yrs

I've never seen support of your quality in my whole IT career!
It works - with just a little (around 5 seconds) hang of RDM UI
Thank you again very much!
Regards,
Peter

PS:
My Boss initiated the purchase, I hope we get it through before the trial runs out.

Clock6 yrs

That's great. You can thank André.

I don't know if we can do something with the hang but if you could give us more details, André will look into it.

David Hervieux

Clock6 yrs