Posts: 4
Threads: 1
Joined: Oct 2019
Reputation:
0
Hello,
We recently implemented BeyondTrust Password Safe but have had some buy-in resistance because most of our IT users use ASG-RD to manage their remote desktop sessions. One thing that makes this difficult out of the box is that to connect to a server, the server name has to be included in the username. For example, if I want to connect to SERVERA, I have to RDP to BEYONDTRUST with the username of DOMAIN\USER+DOMAIN\ACCOUNT+SERVERA, meaning I'd need a unique Credential for each server.
I upgraded ASG to 2019 (from 2017) and was glad to see several password vault integrations, but BeyondTrust was not one of them. Is there any chance this could be included in a future release, or does anyone have any suggestions for a workaround? BeyondTrust does provide an API. I would be more than happy to test any beta releases.
Thanks!
Posts: 10,906
Threads: 96
Joined: Aug 2006
Reputation:
190
We will check that - which products of BeyondTrust do you use? Only PasswordSafe or also RemoteAccess Security or anything else? Just to know what we should do :-)
Regards/Gruss
Oliver
Posts: 4
Threads: 1
Joined: Oct 2019
Reputation:
0
(01-11-2019, 10:14 AM)DevOma Wrote: We will check that - which products of BeyondTrust do you use? Only PasswordSafe or also RemoteAccess Security or anything else? Just to know what we should do :-)
Just Password Safe.
Posts: 3
Threads: 0
Joined: Jun 2020
Reputation:
0
Any ETA on a solution for BeyondTrust / Password Safe?
Posts: 10,906
Threads: 96
Joined: Aug 2006
Reputation:
190
Sorry, it's on hold - we never got a test environment that was running well - so we stopped it - we can try to reactivate...
Regards/Gruss
Oliver
Posts: 3
Threads: 0
Joined: Jun 2020
Reputation:
0
We are currently rolling out Password Safe and have been using ASG for a long time, so the internal IT staff are used to it and it would be great if we could continue with using ASG after the shift to Password Safe.
Posts: 10,906
Threads: 96
Joined: Aug 2006
Reputation:
190
Was planned for this week to get a test environment - but I have to ask again...
Regards/Gruss
Oliver
Posts: 10,906
Threads: 96
Joined: Aug 2006
Reputation:
190
We have a working test environment - and can read the data from Beyond Password Safe - but as we do not use it really it is not easy to see which data we need - I can see that getting passwords must be "Requested" for each system? And there are some categories like ManagedAccounts and FunctionalAccounts that I do not understand the difference - if you can tell me what do you expect to be synced it would help
You can answer here or send your suggestions to asg.rd@asg.com
Thanks
Regards/Gruss
Oliver
Posts: 4
Threads: 1
Joined: Oct 2019
Reputation:
0
(24-09-2020, 09:24 AM)DevOma Wrote: We have a working test environment - and can read the data from Beyond Password Safe - but as we do not use it really it is not easy to see which data we need - I can see that getting passwords must be "Requested" for each system? And there are some categories like ManagedAccounts and FunctionalAccounts that I do not understand the difference - if you can tell me what do you expect to be synced it would help
You can answer here or send your suggestions to asg.rd@asg.com
Thanks
Functional Accounts are the service accounts that BeyondTrust uses to change the passwords for Managed Accounts. For ASG, Managed Accounts are the ones we'd be concerned with. They would match up to the Credentials in ASG. In BeyondTrust, I have a regular account (call it "USER") that I use to login to BeyondTrust, then I request access to a Managed Account (call it "MA-USER") that has admin access on the systems. I know the password to USER, but BeyondTrust is the only one that knows the password to MA-USER, and it changes the MA-USER password when I am finished with the account. While some orgs may require approval to use an account, we just auto-approve all requests.
Within ASG, we'd want to have connections in our list where we could choose Connect as and choose the MA-USER account, then it would interact with BeyondTrust to get the appropriate password for the MA-USER account to connect to the connection.
Posts: 10,906
Threads: 96
Joined: Aug 2006
Reputation:
190
Ok thanks - we will try to implement
Regards/Gruss
Oliver
Posts: 10,906
Threads: 96
Joined: Aug 2006
Reputation:
190
Back at BeyondTrust implementation - and I'm thinking about how it would be the best to implement... Because the structure of Beyond PS
In Beyond PasswordSafe there are accounts for each system - sure we can read all accounts and remove duplicate ones - and then show it as Credentials - but if you connect using an account that is not assigned to a system it won't work (I guess) because BT PS needs a request for system/account combination to retrieve the password data - and perhaps not all users have access to all credentials?!? So don't know if that really is a good solution?!?
So another idea is - Choose your system (in ASGRD-Navigation) => Connect As => Beyond Credentials - popup is displayed (or the next sub menu is opened) and ASGRD reads all available accounts for that system? Of course the system names must match and you always have to choose an account to use - but that would be the way BeyondTrust is working as I understand... After account was chosen by the user we Request the creds and connect to the system with the retrieved credentials
Just tell me what you think :-) We don't want to implement something that nobody can use...
Regards/Gruss
Oliver
Posts: 4
Threads: 1
Joined: Oct 2019
Reputation:
0
(27-10-2020, 04:11 PM)DevOma Wrote: Back at BeyondTrust implementation - and I'm thinking about how it would be the best to implement... Because the structure of Beyond PS
In Beyond PasswordSafe there are accounts for each system - sure we can read all accounts and remove duplicate ones - and then show it as Credentials - but if you connect using an account that is not assigned to a system it won't work (I guess) because BT PS needs a request for system/account combination to retrieve the password data - and perhaps not all users have access to all credentials?!? So don't know if that really is a good solution?!?
So another idea is - Choose your system (in ASGRD-Navigation) => Connect As => Beyond Credentials - popup is displayed (or the next sub menu is opened) and ASGRD reads all available accounts for that system? Of course the system names must match and you always have to choose an account to use - but that would be the way BeyondTrust is working as I understand... After account was chosen by the user we Request the creds and connect to the system with the retrieved credentials
Just tell me what you think :-) We don't want to implement something that nobody can use...
Thanks for looking into it, Oliver. You are correct that the managed user (Credential) has to be assigned to the managed system (Connection) for BeyondTrust to allow that account to login to that system. While other orgs may be different, for our implementation of BeyondTrust, it would not make sense to pull a list of managed accounts associated to managed systems. A managed system may have several managed accounts that could access it, and each managed account is generally assigned to a human user, so I wouldn't want our IT admins to be presented with a list of their coworkers' accounts.
Rather than focusing on the systems, I think it would make more sense to focus first on the managed accounts. While I haven't seen how the other credential synchronisations work, based on the help article, this should be similar. The plug-in options would allow the user to specify an account to use to connect to BeyondTrust (what I called USER before), then ASGRD would authenticate to BeyondTrust with that account. The user would then configure a credential object by specifying the managed account they want to check-out from BeyondTrust, and ASGRD would request that account's password and store it.
It would be a nice addition to work similarly for the Connections, but this would be a secondary request for us. BeyondTrust allows you to proxy RDP connections through it so that the session is recorded. We have work-around for doing this today by using the variable name of the connection in the credential object, but it would be nice to be integrated. Again though, I'd rather have the credentials working first. Maybe someone else can chime-in if they have a different idea.
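The check-out model discussed in the posts above, as an added example (not part of any post, and not ASG-RD or BeyondTrust code): a constructed in-memory vault showing a "Connect as" list filtered by both system assignment and the requesting user's entitlement, and a check-in that rotates the password. All class and function names are hypothetical, requests are auto-approved, and no real API is called.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Vault:
    """Constructed in-memory stand-in for a password vault (hypothetical, no real API)."""
    assignments: set        # (system, managed_account): account is assigned to that system
    entitlements: dict      # human user -> managed accounts that user may request
    passwords: dict = field(default_factory=dict)
    open_requests: dict = field(default_factory=dict)

    def _rotate(self, account):
        self.passwords[account] = secrets.token_urlsafe(16)

    def accounts_for(self, user, system):
        """Accounts to offer under 'Connect as': assigned to the system AND
        entitled to this user, so coworkers' accounts are never listed."""
        allowed = self.entitlements.get(user, set())
        return sorted(a for (s, a) in self.assignments if s == system and a in allowed)

    def request(self, user, system, account):
        """Auto-approved check-out; both checks are enforced server-side."""
        if account not in self.entitlements.get(user, set()):
            raise PermissionError(f"{user} may not request {account}")
        if (system, account) not in self.assignments:
            raise PermissionError(f"{account} is not assigned to {system}")
        if account not in self.passwords:
            self._rotate(account)
        req_id = secrets.token_hex(4)
        self.open_requests[req_id] = account
        return req_id, self.passwords[account]

    def checkin(self, req_id):
        """Check-in rotates the password, so any copy the client kept stops working."""
        self._rotate(self.open_requests.pop(req_id))


def proxy_username(user, account, system):
    """Login name format quoted in the first post for RDP through the proxy."""
    return f"{user}+{account}+{system}"


def demo():
    vault = Vault(
        assignments={("SERVERA", "MA-USER"), ("SERVERA", "MA-COWORKER")},
        entitlements={"USER": {"MA-USER"}, "COWORKER": {"MA-COWORKER"}},
    )
    offered = vault.accounts_for("USER", "SERVERA")      # coworker's account filtered out
    req_id, password = vault.request("USER", "SERVERA", offered[0])
    vault.checkin(req_id)
    return offered, password != vault.passwords["MA-USER"]
```

A client that caches the checked-out password past check-in ends up holding a dead credential, so a synced credential object has to be refreshed per request rather than stored long term.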
Posts: 10,906
Threads: 96
Joined: Aug 2006
Reputation:
190
ok thanks again for your feedback :-)
Regards/Gruss
Oliver
Posts: 2
Threads: 0
Joined: Apr 2023
Reputation:
0
Is there any new update on this? I see there are more BeyondTrust PasswordSafe options but I do not see if there is any broker implementation on it nor can I find a how-to document for Rocket and BeyondTrust PasswordSafe.
Thanks
Posts: 10,906
Threads: 96
Joined: Aug 2006
Reputation:
190
First you need to activate the BeyondTrust Plugin - Settings=>Extensions
After restart you can configure global settings for your Beyond Environment in Settings=>Beyond PasswordSafe
There are 2 implementations - one is to sync your Passwords from BeyondTrust - therefore you need to create a folder under Credentials and set your access user in category Beyond - then you should be able to sync your credentials
The other way is to create a folder under Connections - add Role "Beyond PassordSafe" - then you should be able to sync your managed systems from Beyond to RRD - if you try to connect to any of these systems it should log you on without any password in RRD - uses the Gateway/Broker to connect, get login information via API
Just try it and let me know when you are running into any issue
Regards/Gruss
Oliver
Posts: 2
Threads: 0
Joined: Apr 2023
Reputation:
0
(02-04-2024, 08:08 AM)DevOma Wrote: First you need to activate the BeyondTrust Plugin - Settings=>Extensions
After restart you can configure global settings for your Beyond Environment in Settings=>Beyond PasswordSafe
There are 2 implementations - one is to sync your Passwords from BeyondTrust - therefore you need to create a folder under Credentials and set your access user in category Beyond - then you should be able to sync your credentials
The other way is to create a folder under Connections - add Role "Beyond PassordSafe" - then you should be able to sync your managed systems from Beyond to RRD - if you try to connect to any of these systems it should log you on without any password in RRD - uses the Gateway/Broker to connect, get login information via API
Just try it and let me know when you are running into any issue
We have the 2nd scenario where we are syncing our accounts/applications and have the requirement to go through the broker server. But finding a proper configuration option to specify the broker server. Are there any documents? I'm not able to find any end to end documents anywhere and I have been unable to find a how-to in the help or forums either. Thank you
Posts: 10,906
Threads: 96
Joined: Aug 2006
Reputation:
190
It is described in Help - only a short chapter, but it should be only a few steps for full integration
Working with connections=>Syncronization of connection objects=>Beyond PasswordSafe
If you are running into any issue - would make sense if you post a new thread - just for visibility - here in Feature Requests forum is not the best location for trouble shooting.
Regards/Gruss
Oliver