Hi
We are trying to implement RDM with Cyberark integration.
The CyberArk implementation has 2FA enabled (OTP code by email).
When we try the connection, we receive an error, Reason: 1064E....
Can you please help by providing the additional steps?
Thanks in advance.
Cheers,
Nuno
Hi,
What is the version of RDM that you are trying to integrate CyberArk with?
And what type of CyberArk entry are you using in RDM? (CyberArk PSM, CyberArk Credentials or CyberArk AAM)
Regards,
David Grandolfo
Hi David,
Version: 2020.1.20.0 64-bit
Below is my current configuration:
In CyberArk (Credentials) the vaults are available and I can choose one account, e.g. xxxxxxxM05
CyberArk PSM Server
In the PSM connection I use the same CyberArk account xxxxxxM05
And the result
I can't find any configuration related with OTP Code.
Thanks in advance.
Cheers,
Nuno
credentials_popup.jpg
Cyberark_server_.jpg
Cyberark_access_.jpg
Server_test_.jpg
Hi, I'm also interested in this thread since we're using a similar setup to the poster's. In our case it is RSA authentication on our CyberArk connection that is configured and that requires the OTP code to be entered during connection...
So I'll monitor this thread as well and hope to add information / combine it with my current request for RSA.
Regards, Ben
Hello,
To use CyberArk PSM, LDAP authentication must be used on the CyberArk Vault, and the account must also have permission to log on via RDP to the PSM machine.
The PSM integration actually uses the Alternate Shell with this format: psm /u [Privileged account to use] /a [Address of the endpoint] /c psm-rdp
If the LDAP Account to CyberArk has access to both run an RDP session to the PSM and retrieve the Account from the vault.
The OTP will be handled by the PSM-RDM Component, upon connection to PSM Initial connection.
I hope this helps.
Best regards,
Alex Belisle
Hi Alexandre,
I'm not sure if I understood what you mean.
We are dealing with two accounts:
One regular user to log in to the CyberArk platform.
When the credentials are added, we receive an OTP code by email to log in.
We choose one different account in CyberArk to access the servers.
How can I set this up in RDM?
Thanks in advance.
Cheers,
Nuno
This feature closely resembles my current requests for an RSA credential type, and integration of RSA with CyberArk and CyberArk PSM.
The only difference is: Nuno gets an OTP by mail, we get an OTP code from a personal PIN + token code on our RSA display.
In both cases we need the connection to request the OTP code from us, let us fill it in, then use a username + OTP to authenticate to CyberArk, where CyberArk is configured to perform RADIUS authentication to our RSA server instead of LDAP. (Maybe in Nuno's case also RADIUS or some other authentication).
So we need an 'OTP consumer' credential type in contrast to the existing 'OTP Generator' that is already in CyberArk.
@Hubert Mireault: Ideally that type of credential can then not only be used in my proposed case as an RSA, Google, or Microsoft authenticator app response, but now also as an email response.
Please also see my other threads regarding this.
Regards, Ben
Hello Ben,
Please see the reply in this thread regarding your feature request: https://forum.devolutions.net/topics/31306/create-a-new-credential-type-of-rsa-secureid
Regards,
Hubert Mireault