Posts: 1
Threads: 1
Joined: Nov 2019
Reputation: 0
I want to integrate ASG Remote Desktop with CyberArk PAS to use only Privilege ID (Secondary ID) for all Remote Desktop Connections to servers. Does anyone know how to configure this?
Also, is it possible to edit the RDP property "alternate shell:" to customize the command for all RDP connections to servers via ASG?
Posts: 11,205
Threads: 101
Joined: Aug 2006
Reputation: 205
We did try to integrate - but CyberArk does not allow reading any passwords via the API - so we cancelled the implementation.
Regards/Gruss
Oliver
Posts: 5
Threads: 1
Joined: Feb 2015
Reputation: 0
That's very sad... At the company they are currently working on building CyberArk, and such an integration would have been great.
Do you keep an eye on it in case something changes in the API in new versions? Maybe it will be possible some day... I don't know how popular CyberArk is, but at least we would be very happy about an integration into ASG. :-)
Anyway thanks for the quick answer and have a nice week!
Regards
Posts: 11,205
Threads: 101
Joined: Aug 2006
Reputation: 205
Yes - let me say, we paused the integration :-) Perhaps there are other ways how to combine the 2 products - we will keep an eye on it :-)
Thanks and have a great week too!
Regards/Gruss
Oliver
Posts: 11,205
Threads: 101
Joined: Aug 2006
Reputation: 205
CyberArk does allow reading passwords via API now? Then we can do the integration very quickly I think - but currently we have a lot of issues with new version 2021 that are more important.
No, currently it is not possible to integrate "customer plugins" - but if you can send me a link to the API we will work on it asap...
Regards/Gruss
Oliver
Posts: 11,205
Threads: 101
Joined: Aug 2006
Reputation: 205
Ok we will have a look when version 2021 is more stable and the main issues are fixed!
Regards/Gruss
Oliver
Posts: 6
Threads: 0
Joined: Jun 2021
Reputation: 0
Just to add this here, too: I'm looking into this for a customer and they would also be very interested. If any information about how CyberArk can be accessed would be helpful: feel free to ask.
--
Working as an IT security consultant with lots of CyberArk experience. No experience with ASG Remote desktop yet. Trying to help a customer.
Posts: 11,205
Threads: 101
Joined: Aug 2006
Reputation: 205
Ok - I will come back to you when we have some time for implementation - it's nearly finished - but then we ran into some problems (can't remember) and nobody helped with our problems - I think it was the test environment that was not working correctly...
Regards/Gruss
Oliver
Posts: 3
Threads: 0
Joined: Jul 2021
Reputation: 0
Hi, any news on that topic? We need an integration to CyberArk to get the passwords out from our PAM solution. Additionally I want to know if we can set up MFA for accessing the ASG database.
For us it's important to get access to privileged accounts only with MFA. Please let us know...
Posts: 11,205
Threads: 101
Joined: Aug 2006
Reputation: 205
No - I think we will integrate in near future - but currently we do not have 2FA/MFA integrated for ASGRD - also on the todo list :-)
Regards/Gruss
Oliver
Posts: 28
Threads: 9
Joined: Sep 2017
Reputation: 0
Hi,
Any luck on integration with CyberArk?
Posts: 11,205
Threads: 101
Joined: Aug 2006
Reputation: 205
It is one of the next tasks...
Regards/Gruss
Oliver
Posts: 11,205
Threads: 101
Joined: Aug 2006
Reputation: 205
For anybody who would like to help integrating CyberArk - as I do not have a running system currently - I need to understand the structure of CyberArk and how we can map to the ASG-RD structure... I can get the technical requests from the API documentation - but currently I don't know what data is stored in which objects...
Login / Logoff is clear and easy.
Is there any structure like Folders in ASGRD - perhaps Vaults / Safes? I do not see this logic in the API - or are there just "Accounts" that should be retrieved? Or is the idea behind CyberArk to store Accounts only to "Server" objects? That would make it difficult to match with ASGRD... I had a CyberArk system in the past (as demo environment) but cannot remember all details :-)
Need some help to build a first draft :-)
Regards/Gruss
Oliver
Posts: 63
Threads: 19
Joined: Nov 2013
Reputation: 0
29-09-2021, 09:39 AM
(This post was last modified: 29-09-2021, 11:22 AM by Vahr001.)
Hey Oliver,
long time no speak, but we are currently in the process of switching our landscape from "classic" multi-domain personal accounts to a CyberArk environment.
Our main focus is on RDP connections at the moment, as the Unix/Linux teams use CyberArk a bit differently (but it could also be that an integration into ASGRD would be handy).
As the CyberArk Web UI is quite clumsy to use on a daily basis, we were looking into integrating it into our ASGRD landscape.
Currently we have a working solution like this:
Create a Connection Object in ASGRD
On Connection --> Connection --> Destination: Use the DNS name of the PSM (which is basically the server that is authenticating your "user"; we use MFA on that step and authenticate using a certificate bound to the domain user we use for administrative purposes)
On RDP --> Programs --> Executable path: We use something like this: "psm /u <PAM-User> /a <Destination-Server> /c PSM-RDP"
This feature was implemented in CyberArk 12 (we are currently using 12.2); it is called "RDP-Direct".
What it basically does is open an RDP connection to the destination server using the CyberArk PSM Server as a gateway authenticating you as a user with your MFA solution built into CyberArk, directly passing the credential needed to connect to the server, so no need to "read" passwords from the CyberArk vaults.
Currently we have 2 things on our list that would help a lot to bring more quality of life to using that feature:
1. Ability to adjust "RDP --> Programs --> Executable path:" via the ASGRD PowerShell API (which seems to not be the case atm)
2. Cache the MFA PIN used within ASGRD to be able to do multiple connections using the same authentication (atm you need to type in the PIN for MFA on each new connection and also when using the "reconnect" feature).
Would love to help bringing the CyberArk integration forward, we currently have 2 CyberArk Systems up and running (Dev + Prod) and also have a working Landscape for ASGRD + MFA etc.
German native speaker here (if that helps :-), also willing to spend time on workshops or something, if that would help.
Regards,
Tim
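The connection settings described in the post above, written out as a plain .rdp file. This is an added example, not part of the original thread and not ASG or CyberArk code. It assumes that ASGRD's "Executable path" corresponds to the standard .rdp property `alternate shell`; the function name, host names and account name are constructed placeholders.

```powershell
# Added example: builds .rdp content that connects to a PSM gateway and passes
# the "psm /u ... /a ... /c ..." string from the post as the alternate shell.
function New-PsmRdpContent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PsmHost,
        [Parameter(Mandatory)] [string] $PamUser,
        [Parameter(Mandatory)] [string] $TargetServer,
        [string] $ConnectionComponent = 'PSM-RDP'
    )

    # Allow-list every value. A space, '/', quote or line break inside a value
    # would add extra switches to the psm command or extra settings to the file.
    # \A and \z are used because '$' in .NET also matches before a final newline.
    $rules = [ordered]@{
        PsmHost             = '\A[A-Za-z0-9.-]+\z'
        PamUser             = '\A[A-Za-z0-9._@\\-]+\z'
        TargetServer        = '\A[A-Za-z0-9.-]+\z'
        ConnectionComponent = '\A[A-Za-z0-9_-]+\z'
    }
    foreach ($name in $rules.Keys) {
        $value = Get-Variable -Name $name -ValueOnly
        if ($value -notmatch $rules[$name]) {
            throw "Invalid characters in ${name}: '$value'"
        }
    }

    # No password is written to the file: the PSM supplies the target credential.
    $shell = "psm /u $PamUser /a $TargetServer /c $ConnectionComponent"
    @(
        "full address:s:$PsmHost"
        "alternate shell:s:$shell"
    ) -join "`r`n"
}

# Constructed sample data: one file per destination server, same PSM gateway.
$targets = 'srv-app01.example.internal', 'srv-db01.example.internal'
foreach ($t in $targets) {
    $rdp  = New-PsmRdpContent -PsmHost 'psm.example.internal' -PamUser 'pam-admin' -TargetServer $t
    $path = Join-Path ([IO.Path]::GetTempPath()) "$t.rdp"
    Set-Content -Path $path -Value $rdp
    "Wrote $path"
}

# A destination containing a space is rejected instead of being written out.
try {
    New-PsmRdpContent -PsmHost 'psm.example.internal' -PamUser 'pam-admin' -TargetServer 'srv01 extra'
} catch {
    "Rejected: $($_.Exception.Message)"
}
```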
Posts: 11,205
Threads: 101
Joined: Aug 2006
Reputation: 205
Ok - step 1 is not really a problem - so we will add this for the next patch version!
Step 2 - Cache the MFA PIN - any idea how to do that? I guess the PIN has to be entered in a CyberArk dialog - so how should we access this key? Do you have a screenshot for me of that step?
Regards/Gruss
Oliver
Posts: 63
Threads: 19
Joined: Nov 2013
Reputation: 0
Basically it uses the Windows authentication mechanism used for RDP (mstsc) connections, with Smart Card authentication as MFA.
The Web UI of CyberArk, for example, also uses the same authentication: you log in to it using the Smart Card MFA PIN once and then you are able to connect to various servers without reauthentication, so I guess the browser caches and reuses it on each connection you make.
Will send a PM with a video of the authentication mechanism.