Hello,
Have been testing out the new LAPS entry and it looks promising.
Would it be possible to add the following enhancements please:
1) Accommodate specifying a credential dropdown like other entries, so 'My Privileged Account' or 'find in user vault' can be utilized. This is to ensure the user who has access to the LAPS entry in RDM has also been granted sufficient access in Active Directory.
2) Accommodate specifying a DVLS Gateway tunnel for the LDAP/S lookup. In some cases the machine running RDM may have line of sight for the RDP protocol, but LDAP/S is blocked and needs to go via a tunnel.
3) Provide some kind of error/information dialog when the LDAP/S address is unreachable, or no credential is found. Currently it seems to just return an empty credential.
Please let me know if you would like any additional info.
Thanks
Joe
Hi Joe,
1) We'll discuss this internally and see how we can support this better.
2) Full support for LAPS in Devolutions Gateway is being worked on. The main issue is that LDAP is only half of what's needed: an encrypted blob is obtained through LDAP, after which the DPAPI needs to be used to decrypt it. Under the hood, the DPAPI needs to make MSRPC calls to the domain controller, which again requires line of sight. The DPAPI on Windows cannot be adapted for this, so we're implementing that part as a cross-platform component that should let us go beyond those limitations of the original API.
3) I agree better error handling could be done here; we'll see what we can do.
Best regards,
Marc-André Moreau
Thanks for explaining, Marc-André. I can appreciate the technical challenge you described.