Further option for PAM management in PowerShell Module or API

Implemented

Hello Devolutions,

we need to batch create PAM Providers as well as JIT and Scan configurations for them.
So far, the PowerShell module only supports a very limited set of features for managing PAM.

Please add the option to configure JIT access and also to batch create Scan configurations.

Thank you!

All Comments (16)

Hello,

JIT access is currently supported. Here's an example using an existing 'Domain User' provider:

$providerID = 'the-provider-id'
$groupResponse = Get-DSADGroup -ProviderID $providerID -DN 'OU=Test,DC=mydomain,DC=loc' -AsJITSettings
$providerResponse = Get-DSPamProvider 
$provider = $providerResponse.Data | Where { $_.ID -eq $providerID }
$provider.JitElevationSettings = $groupResponse.Data
Update-DSPamProvider -InputObject $provider


Additionally, a ticket has been created to develop a cmdlet for creating scan configurations. However, please note that we cannot begin immediate work on this due to other priorities. We will keep you updated on our progress.

Best regards,
Maxime

Hello,

In version 2024.2.1 of the module, the cmdlet New-DSPamScanConfiguration has been added. It allows creating scan configurations. Let us know if improvements are required.

Best regards,
Maxime

Hello Maxime,

thank you for the feature update.
I just tested this but I am failing at "New-DSSession" with the following error:

HttpRequestError : SecureConnectionError
StatusCode       :
TargetSite       : T RunSynchronous[T](System.Threading.Tasks.Task`1[T])
Message          : The SSL connection could not be established, see inner exception.
Data             : {}
InnerException   : System.Security.Authentication.AuthenticationException: Cannot determine the frame size or a
                   corrupted frame was received.
                      at System.Net.Security.SslStream.GetFrameSize(ReadOnlySpan`1 buffer)
                      at System.Net.Security.SslStream.EnsureFullTlsFrameAsync[TIOAdapter](CancellationToken
                   cancellationToken, Int32 estimatedSize)
                      at System.Runtime.CompilerServices.PoolingAsyncValueTaskMethodBuilder`1.StateMachineBox`1.System.
                   Threading.Tasks.Sources.IValueTaskSource<TResult>.GetResult(Int16 token)
                      at System.Net.Security.SslStream.ReceiveHandshakeFrameAsync[TIOAdapter](CancellationToken
                   cancellationToken)
                      at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst,
                   Byte[] reAuthenticationData, CancellationToken cancellationToken)
                      at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions
                   sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken
                   cancellationToken)
HelpLink         :
Source           : Devolutions.Server.ApiWrapper
HResult          : -2146233087
StackTrace       :    at Devolutions.Server.ApiWrapper.RDMSWebClient.RunSynchronous[T](Task`1 task)
                      at Devolutions.Server.ApiWrapper.RDMSWebClient.GetPublicWebInstanceInformation()
                      at RemoteDesktopManager.PowerShellModule.NewDSSessionCommand.ProcessRecord()
                      at System.Management.Automation.CommandProcessor.ProcessRecord()


Any idea?

Best regards
Jean Pascal

Hello Jean Pascal,

Could you please provide the following details?

  • What version of the PowerShell module and Devolutions Server are you using?
  • What parameters are you using (e.g., -AsApplication, -WindowsAuthentication)?
  • If you have RDM, can you connect to the data source with it?


This information will help us better understand the problem.

Best regards,
Maxime

Hello Maxime,

thanks for the quick reply!

  • What version of the PowerShell module and Devolutions Server are you using?

They are all latest...


# Application identity: key as user name, secret as password, plus the server URL
[string]$Username = "your_appkey"
[string]$Password = "your_appsecret"
[string]$DVLSUrl = "http://localhost/dvls"

[securestring]$SecPassword = ConvertTo-SecureString $Password -AsPlainText -Force
[pscredential]$Creds = New-Object System.Management.Automation.PSCredential ($Username, $SecPassword)

$Response = New-DSSession -Credential $Creds -BaseURI $DVLSUrl -AsApplication


For "your_appkey" and "your_appsecret" we created them in the "Administration -> Application identities" menu of Devolutions Server without any further config except for "Enabled"; I wasn't sure about that. It's not described in the docs.
"http://localhost/dvls" = our link to Devolutions Server, which has the SSL certificate. (localhost is not part of the SSL certificate)

  • If you have RDM, can you connect to the data source with it?
    • We didn't upgrade RDM in our RDS environment yet, so it's not compatible with the current DVLS Server version. (But I can install the latest version locally, if needed)
    • Connection from the PowerShell Module to the Data Source was successful. (as described in the docs)

https://docs.devolutions.net/powershell/Getting-started/#testing-connection-to-a-data-source

Hello Maxime,

we did some more testing and managed to solve the SSL error for our production environment (which has a public SSL certificate). So that error only exists for our testing environment (which uses a certificate from our PKI).

For the production environment we are getting the following error:

[securestring]$SecPassword = ConvertTo-SecureString $Password -AsPlainText -Force
[pscredential]$Creds = New-Object System.Management.Automation.PSCredential ($Username, $SecPassword)
$Response = New-DSSession -Credential $Creds -BaseURI $DVLSUrl -AsApplication

New-DSSession:
Line |
   8 |  $Response = New-DSSession -Credential $Creds -BaseURI $DVLSUrl -AsApp …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | [New-DSSession] Unhandled error while logging in. Please submit a ticket if problem persists.
Another question came up: is it already possible to manage the "new" PAM just-in-time elevation privilege sets
which were added in 2024.2, and if not, is there a timeline for that (as this would strongly impact the architecture/design of our Providers and Scan-Configs)?

Hello Jean-Pascal,

[New-DSSession] Unhandled error while logging in. Please submit a ticket if problem persists.


This error occurs when authentication fails. I will improve the error message to provide a clearer explanation of why it fails. Have you tried using another application identity?

Another question came up: is it already possible to manage the "new" PAM just-in-time elevation privilege sets which were added in 2024.2, and if not, is there a timeline for that (as this would strongly impact the architecture/design of our Providers and Scan-Configs)?


Regarding the privileged sets, it should be possible, though I haven't tried it yet. However, in the next major version (2024.3.0.0), there are changes coming to the PAM accounts. I will investigate whether this impacts the providers before giving you a definitive answer. I'll keep you updated on that.

Best regards,
Maxime

Hello Maxime,

thank you!

I retested with a new secret but still the same error.
I saw the documentation says

For RDM Cmdlets:
$dsurl = "https://your_dvls_url"

For Devolutions Server Cmdlets:
$env:DS_URL = "http://localhost/dvls"

Do I need to execute that script from the Devolutions Server itself, as only localhost works?

>> [string]$Username = $env:DS_USER
>> [string]$Password = $env:DS_PASSWORD
>> [string]$DVLSUrl = $env:DS_URL
>>
>> [securestring]$SecPassword = ConvertTo-SecureString $Password -AsPlainText -Force
>> [pscredential]$Creds = New-Object System.Management.Automation.PSCredential ($Username, $SecPassword)
>>
>> $Response = New-DSSession -Credential $Creds -BaseURI $DVLSUrl -AsApplication

New-DSSession:
Line |
   8 |  $Response = New-DSSession -Credential $Creds -BaseURI $DVLSUrl -AsApp …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | [New-DSSession] Unhandled error while logging in. Please submit a ticket if problem persists.



Get-RDMCurrentDatasource comes up with

IsConnected : True
IsOffline : False

Regarding privileged sets... do you have a code example for that, please?
Couldn't find any info about it yet. (Also couldn't try it, as the connection still doesn't work, as stated above.)

Hello Jean Pascal,

I wanted to clarify that the Devolutions Server cmdlets are not restricted to localhost. You can use the same URL format as the one used by the RDM cmdlets ($dsurl = "https://your_dvls_url").

Regarding privileged sets, here is an example:

$provider # contains the provider to update
$ldpsPamProviderId # provider ID
$ldpsPamEntryId # a pam account ID

$resource = New-Object -TypeName Devolutions.RemoteDesktopManager.Business.DVLS.Pam.Entities.Jit.JitProviderPrivilegeResource
$resource.providerId = $ldpsPamProviderId 
$resource.Name = 'pwsha'
$resource.Id = $ldpsPamEntryId 

# Filter the desired group. For the example, I take the first one
$gr = (Get-DSADGroup -ProviderID $ldpsPamProviderId)[0]

$provPriv = New-Object Devolutions.RemoteDesktopManager.Business.DVLS.Pam.Entities.Jit.JitProviderPrivilege
$provPriv.ProviderId = $ldpsPamProviderId
$provPriv.ExternalId = $gr.Sid
$provPriv.Name = $gr.Name
$provPriv.Id = (New-Guid)

$set = New-Object -TypeName Devolutions.RemoteDesktopManager.Business.DVLS.Pam.Entities.Jit.JitPrivilegeSet
$set.Name = 'RRRRRRRRRR'
$set.ProviderId = $ldpsPamProviderId
$set.Id = (New-Guid)
$set.ProviderPrivileges = @($provPriv)
$set.providerPrivilegeResources = @($resource)

$provider.JitElevationSettings.PrivilegeSetEnabled = $true
$provider.JitElevationSettings.PrivilegeSets = @($set)
$provider.JitElevationSettings.ProviderPrivileges = @($provPriv)

Update-DSPamProvider -InputObject $provider


For the privileged set and provider privileges, if you want them empty, use an empty array.
If you have any further questions or need additional information, feel free to reach out.

Best regards,
Maxime
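
A batch version of the two patterns above, as an added example (not Devolutions' code): it resolves AD groups by exact name, builds the JIT privilege set the way Maxime's reply does, and applies it to every provider listed in a CSV. The application identity is read from the DS_USER / DS_PASSWORD / DS_URL environment variables from the docs snippet quoted earlier in the thread; the function names, the CSV layout and the assumption that each provider already carries JitElevationSettings are mine.

```powershell
# Added example (not Devolutions code): batch-assign a JIT privilege set per provider.
# Assumes the cmdlets, parameters and .NET types shown in this thread, and that each
# provider already has JitElevationSettings (set as in the first reply above).
function Connect-DvlsApplication {
    # Application key/secret come from environment variables, never from script literals.
    $secret = ConvertTo-SecureString $env:DS_PASSWORD -AsPlainText -Force
    $creds  = New-Object System.Management.Automation.PSCredential ($env:DS_USER, $secret)
    New-DSSession -Credential $creds -BaseURI $env:DS_URL -AsApplication
}

function Set-PamJitPrivilegeSet {
    param(
        [Parameter(Mandatory)][string]$ProviderId,
        [Parameter(Mandatory)][string]$SetName,
        [Parameter(Mandatory)][string[]]$GroupNames   # AD groups allowed to elevate
    )
    $provider = (Get-DSPamProvider).Data | Where-Object { $_.ID -eq $ProviderId }
    if (-not $provider) { throw "Provider '$ProviderId' not found" }

    # Resolve each group by exact name; fail closed on a missing or ambiguous match
    $groups = Get-DSADGroup -ProviderID $ProviderId
    $privs = foreach ($name in $GroupNames) {
        $match = @($groups | Where-Object { $_.Name -eq $name })
        if ($match.Count -ne 1) { throw "Group '$name' matched $($match.Count) entries" }
        $p = New-Object Devolutions.RemoteDesktopManager.Business.DVLS.Pam.Entities.Jit.JitProviderPrivilege
        $p.ProviderId = $ProviderId
        $p.ExternalId = $match[0].Sid
        $p.Name       = $match[0].Name
        $p.Id         = (New-Guid)
        $p
    }

    $set = New-Object Devolutions.RemoteDesktopManager.Business.DVLS.Pam.Entities.Jit.JitPrivilegeSet
    $set.Name = $SetName
    $set.ProviderId = $ProviderId
    $set.Id = (New-Guid)
    $set.ProviderPrivileges = @($privs)
    $set.ProviderPrivilegeResources = @()   # empty array = no resource scoping (see reply above)

    $provider.JitElevationSettings.PrivilegeSetEnabled = $true
    $provider.JitElevationSettings.PrivilegeSets = @($set)
    $provider.JitElevationSettings.ProviderPrivileges = @($privs)
    Update-DSPamProvider -InputObject $provider
}

# Batch driver: constructed CSV with columns ProviderId,SetName,Groups (Groups separated by ';')
Connect-DvlsApplication | Out-Null
Import-Csv .\jit-sets.csv | ForEach-Object {
    Set-PamJitPrivilegeSet -ProviderId $_.ProviderId -SetName $_.SetName -GroupNames ($_.Groups -split ';')
}
```

Because the function throws on any unresolved or ambiguous group name, a typo in the CSV aborts that provider instead of silently granting elevation to the wrong group.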

Hello Maxime,

thank you!

So how can we deal with that "Unhandled error while logging in. Please submit a ticket if problem persists."
authentication error now?

Should I open a ticket for that?

As the connection seems to work ( Get-RDMCurrentDatasource ) but not the login.

Are there any logs where we could investigate that behaviour further?

Hello,

Please take a look at the Login Attempt report (Reports -> Login Attempt). You should see the failed attempts along with the failure type.

If this does not help, the next step would be to open a support ticket.

Best regards,
Maxime

"Application access denied by system settings"

"Cli" was disabled and works now.
Thank you! :)

Would recommend putting that level of detail in the PowerShell output as well and listing "Active Cli" in the "Getting Started" section of the docs.

Will try the JIT and ScanConfig Cmdlets the next days and let you know if there are any problems.

Hi Maxime,

things are working well so far, but we encountered a new problem.
We have now created ~700 PAM Vaults via PowerShell, but

Get-DSPamAccount

now seems to run into a timeout, which seems to be fixed at around 15 seconds or so, and there's no switch to prolong it.
Is there a way to change that timeout or speed up the API response? We need the results of that for further scripting.

We are also struggling a bit with all the commands that don't return a result (e.g. New-DSPamFolder), so we always have to scan and filter the existing results afterwards to work with the new object instead of just getting the id / name returned.

Hello Jean Pascal,

As I mentioned earlier, the PAM accounts/folders are being reworked for the next server major release (2024.3.0.0). This update should resolve the current issues but will require you to adapt your script accordingly.

For now, there are two approaches you could consider:

  1. Using the 'Timeout' parameter in New-DSSession: This might help, but with a large number of PAM accounts, the results are not guaranteed.
  2. Using the 'BasicInformation' parameter of Get-DSPamAccount: This returns a simplified object with basic information. Depending on your needs, this might be useful.


Regarding the cmdlets not returning the created objects, I’ll work on addressing that.

Best regards,
Maxime

Hello Jean Pascal,

In version 2024.2.7 of the module, the created objects, such as the PAM folder, are returned. If you notice any missing cmdlets or need further clarification, please let me know.

Best regards,
Maxime