Linked PAM service account credentials & Password Propagation

Hi there
We have been using the PAM module in Devolutions Server for a while now.
Since the service account credentials used in a PAM Provider are a critical account (because it most probably has elevated rights like Domain Admin within the target domain), there are two questions I'd like to address:

  • Why is it not possible to link those credentials with an entry in a "normal" vault? (when selecting "Credential Type = linked credential" it's only possible to access PAM vaults)
  • It would be an increase in security if the password of the used service account could be rotated automatically on a scheduled basis (incl. propagation to the target domain user within the provider domain/Active Directory).

Maybe I missed how this is feasible today. Any hints are much appreciated.
Best Regards,
Philipp

All Comments (1)

Hello Philipp,
Thank you for reaching out to our forum.

Linking Service Account Credentials with a Standard Vault Entry: Currently, the system restricts “linked credentials” to PAM vaults only, not standard vaults. This limitation likely exists to maintain segregation between standard and PAM credentials due to PAM’s enhanced security requirements. I’d suggest submitting this feature request in the Devolutions forum.
There is actually a workaround for this. For the service account, our PAM module includes propagation capabilities. I'll share a link to our GitHub profile, where you'll find scripts related to managing the service account, application pool, and scheduled accounts: PAM-Providers/Propagation-Scripts at master · Devolutions/PAM-Providers · GitHub. For the Provider, there's an alternative method as well, and I’ll include a link for that too: https://docs.devolutions.net/pam/kb/how-to-articles/password-rotation-pam-provider-credentials/

Let me know if you need further assistance.
Best regards,

Michel Audi