I would like to use Thycotic Secret Server as a source of credential accounts. But when trying to create a credential entry, I get the next message.
The request failed with the error message: -- <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/SecretServer/Login.aspx?ReturnUrl=%2fsecretserver">here</a>.</h2> </body></html> --.
Help links (https://help.remotedesktopmanager.com/credentials_secretserver.html) don't work and that message is not helpful.
Hello,
What version of Secret Server are you running?
It looks like our authentication attempt is simply receiving an alternate URL...
Maurice
Secret Server is v10.9 . RDM version is 2020.3.18
Just a quick note to let you know that we have asked for a new NFR licence from Thycotic because ours was expired.
As soon as I receive it we will upgrade to 10.9 and test it out.
Maurice
Any news on the topic?
It works for me, we will require a bunch of screenshots and maybe a remote session to see what is wrong.
Please drop an email to ticket@devolutions.net with just a subject of Secret Server and we'll ask questions from there.
Best regards,
Maurice
Trying to make it work once again, but still confused. Now I can save the credential entry, but when I try to view password or copy username, the error message occurs: Unexpected character encountered while parsing value: <. Path '', line 0, position 0.
Is there any guidance, what should be done to integrate RDM with Thycotic Secret Server?
Hello meelisn,
If you are using RDM 2021.2.15 and above, the Secret Server integration now uses the REST API. Your error seems to indicate an error with the URL. Can you change it to either https://servername or https://servername/SecretServer ?
Let us know if you run into any issues.
Best regards,
Richard Boisvert
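Added example, not part of the thread and not Devolutions or Thycotic code: both error messages quoted above are what a client sees when a call expected to return JSON gets the HTML login redirect instead, and this offline check classifies such responses. The helper name `diagnose`, the status codes and the headers are assumptions; only the "Object moved" body is taken from the first post.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit


def diagnose(status, headers, body):
    """Classify a response to a Secret Server API call (hypothetical helper)."""
    text = body.lstrip()
    # Prefer the Location header; fall back to the link in an "Object moved" body.
    match = re.search(r'href="([^"]+)"', text)
    target = headers.get("Location") or (match.group(1) if match else "")
    if 300 <= status < 400 or "<title>object moved</title>" in text.lower():
        query = parse_qs(urlsplit(target).query)
        return {
            "kind": "login-redirect" if "login.aspx" in target.lower() else "redirect",
            "target": target,
            # ReturnUrl is the path the server believes was requested.
            "return_url": query.get("ReturnUrl", [""])[0],
        }
    if text.startswith("<") or "text/html" in headers.get("Content-Type", "").lower():
        # A JSON parser fed this body fails on the very first character, '<'.
        return {"kind": "html-not-json", "target": "", "return_url": ""}
    try:
        json.loads(text)
    except ValueError as exc:
        return {"kind": "invalid-json", "target": "", "return_url": "", "error": str(exc)}
    return {"kind": "json-ok", "target": "", "return_url": ""}


# Constructed samples. OBJECT_MOVED is the body quoted in the first post; the
# status codes, headers and the other two bodies are assumptions.
OBJECT_MOVED = ('<html><head><title>Object moved</title></head><body> <h2>Object moved to '
                '<a href="/SecretServer/Login.aspx?ReturnUrl=%2fsecretserver">here</a>.'
                '</h2> </body></html>')
SAMPLES = {
    "redirect": (302, {"Content-Type": "text/html"}, OBJECT_MOVED),
    "followed": (200, {"Content-Type": "text/html; charset=utf-8"},
                 "<!DOCTYPE html><html><title>Login</title></html>"),
    "api": (200, {"Content-Type": "application/json"}, '{"id": 1, "name": "constructed"}'),
}


def run_samples():
    return {name: diagnose(*args)["kind"] for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in run_samples().items():
        print(name, "->", kind)
```

A `login-redirect` or `html-not-json` result means the request was answered by the web login page rather than by an authenticated API endpoint, so the things to check are the configured URL and the authentication method.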
RDM version is 2021.2.16 and URL inside Secret Server credential object is pointing to real server. I also have 'Use Windows Authentication' checked.
BTW, does it mean that I need to repeat Secret Server URL in every credential object?
Hello,
Note that if you have 2FA, you cannot use it in conjunction with Windows Authentication, the engineering team is looking into it to see if it is possible in the REST API.
To modify it in all your entries, select them and then you can use an Edit - Special Actions > Custom PowerShell to modify them in batch:
$connection.credentials.SecretServerWebUrl = "https://servername"; $RDM.Save();
Best regards,
Richard Boisvert
I had to turn on Windows Integrated Authentication in SecretServer REST API. After that it started to work.
Now, would it be possible to have all that information in online help?
Also, having SecretServer URL somewhere in configuration (like "My Account Settings" for SecretServer) would also be good. So I only need to enter it once, not for every single credential object.
Hello,
Glad it works after the feature is allowed in the REST API configuration. I will work with the documentation team to make the information available in a KB.
For the URL, you can configure a template in File > Templates, and set the options you want, for example
Then, when you create a new entry, simply select that template and the information will be filled out:
Best regards,
Richard Boisvert
Is it possible to locate secrets by some other field than name? For example by custom field (using the field's slug) added to Secret Template in Secret Server?
Hello,
Just to make sure I understand you correctly, you would like another "look up" option in the entry properties, in which you could specify any slug?
And then instead of the secret name you would enter the corresponding field's value? That would indeed be possible for us to implement.
Regards
Jonathan Del Signore
Yes.
That would make it possible to use additional metadata added to secrets in SecretServer
Hello,
This feature has been implemented, it will be available in our next official release early next year.
Regards
Jonathan Del Signore
I'm POCing Devolutions with a client using Secret Server. There is a security concern on being able to access the RestAPI (I assume that's how Devolutions is accessing secrets in SS) with a basic user credential to checkout and use any privileged account that they have access to without being prompted by MFA (they are using SAML).
Is it possible to have a pre-auth with Secret Server from Devolutions that would trigger an MFA prompt from their SAML provider for the non-privileged user authenticating with Secret Server? Delinea's Connection Manager is doing this already, but isn't as feature rich as Devolutions. If something like this could be developed, this would then open a session with Secret Server and could use the Web Session Timeouts that would prompt for reauthentication based on the Web Session timeout set in the configuration settings.
Or is there a simpler method to allow for seamless use without allowing any user to authenticate with Secret Server through RestAPI bypassing SAML/MFA?
Hello Chris,
As of now, this is not possible to accomplish within our RDM implementation, though this is possibly something we could look into once we get our Secret Server setup up and running again.
Thanks again for reaching out to your contact for us, hopefully this will get things going!
Regards
Jonathan Del Signore