ASG Remote Desktop with CyberArk
#21
Thanks for the video - will reply to you in the next days :-)
Regards/Gruss
Oliver
Reply
#22
Just had an idea :-) Perhaps we already have a solution :-)

Go to a Connection-Properties => RDP => Logon/SendKeys - activate Send custom keys - Start recording custom keys and type the PIN of your Smartcard - the keystrokes will be recorded and sent to the login dialog - that should also be possible for the authentication of your Smartcard - can't test it myself because we don't use Smartcards for RDP login currently.

If that works we can think about parsing variables in this field - so you could add a global variable and put your keystrokes in that variable - currently the field is not parsed for variables but that would be easy to extend :-)
Regards/Gruss
Oliver
Reply
#23
Hey there, tried that but it doesn't seem to work, although it would only be a "workaround"; a built-in solution would be much more appreciated :-)
Maybe the trick would be to authenticate with Smartcard already against ASGRD so the "application" is aware of the Smartcard and could use it for logon purposes also, but I think this would be a lot more stuff to do to implement 2FA/MFA into the application.
Reply
#24
We will try to set up a system with Smartcard authentication in the next days... then we can try to find a solution...

We have 2FA implemented - but only with Google Authenticator currently :-)

I can see in the video that an rdp file is generated by CyberArk to connect - perhaps we can find properties there for passing the SmartCard PIN to the RDP connection? Can you save the file, remove any relevant information like user, server names, passwords and send it to me? Even if there are properties, it's not certain that we can pass these values to the RDP-ActiveX component - some functionality is embedded in mstsc.exe :-( And I don't see any properties to pass the PIN code for the Smartcard directly...
Regards/Gruss
Oliver
Reply
#25
Good catch, it seems that the rdp files generated from the WebUI use some kind of GUID for username & alternate shell:

username:s:PSM@37013c5a-623a-46d1-9b96-4ee5a6cf0846
alternate shell:s:PSM@37013c5a-623a-46d1-9b96-4ee5a6cf0846


This is the content of the rdp file:

full address:s:<IP Adress of PSM Server>
server port:i:3389
username:s:PSM@37013c5a-623a-46d1-9b96-4ee5a6cf0846
alternate shell:s:PSM@37013c5a-623a-46d1-9b96-4ee5a6cf0846
desktopwidth:i:1024
desktopheight:i:768
screen mode id:i:2
redirectdrives:i:1
drivestoredirect:s:*
redirectsmartcards:i:0
EnableCredSspSupport:i:0
redirectcomports:i:0
remoteapplicationmode:i:0
use multimon:i:0
span monitors:i:0
authentication level:i:2
smart sizing:i:1

This GUID changes each time you click on "Connect" on the WebUI, so I guess it is dynamically created within the application and is only usable once.
Reply
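Added example (not part of the original posts, and not ASG or CyberArk code): a small Python parser for the name:type:value lines of the .rdp file posted in #25, reporting the settings that bear on the smart card and credential questions in this thread. The function names and the placeholder address are assumptions; treating the value after PSM@ as a per-connection GUID follows the poster's observation.

```python
import uuid
# Settings as posted in #25; the address is a constructed placeholder.
SAMPLE_RDP = """\
full address:s:psm.example.invalid
server port:i:3389
username:s:PSM@37013c5a-623a-46d1-9b96-4ee5a6cf0846
alternate shell:s:PSM@37013c5a-623a-46d1-9b96-4ee5a6cf0846
redirectdrives:i:1
drivestoredirect:s:*
redirectsmartcards:i:0
EnableCredSspSupport:i:0
authentication level:i:2
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines; names are lower-cased, 'i' values become int."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            continue  # skip blank or malformed lines
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer-typed setting with a non-integer value
        settings[name.strip().lower()] = value
    return settings

def session_token(settings):
    """Return the GUID after 'PSM@' if username and alternate shell agree, else None."""
    user, shell = settings.get("username"), settings.get("alternate shell")
    if not user or user != shell or not user.startswith("PSM@"):
        return None
    try:
        return str(uuid.UUID(user[4:]))
    except ValueError:
        return None

def review(settings):
    """Return (setting, note) pairs for explicitly set values a reviewer should see."""
    checks = [
        ("redirectsmartcards", 0, "smart card redirection is off, so a local card is not visible in the session"),
        ("enablecredsspsupport", 0, "CredSSP is off, so no Network Level Authentication"),
        ("authentication level", 2, "a failed server authentication only warns; the user can continue"),
        ("drivestoredirect", "*", "every local drive is redirected into the session"),
    ]
    return [(k, note) for k, bad, note in checks if settings.get(k) == bad]
```

Calling review(parse_rdp(SAMPLE_RDP)) lists all four settings for the posted file.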
#26
Thanks - will update you if we have SmartCard enabled :-)
Regards/Gruss
Oliver
Reply
#27
Any news on this one? :-)
Reply
#28
Sorry, not yet - but still on the list...
Regards/Gruss
Oliver
Reply
#29
@DevOma:


Quote: Is there any structure like Folders in ASGRD - perhaps Vaults / Safes? I do not see this logic in the API - or are there just "Accounts" that should be retrieved? Or is the idea behind CyberArk to store Accounts only to "Server" objects? That would make it difficult to match with ASGRD... I had a CyberArk system in the past (as demo environment) but cannot remember all details :-)


I think, the structure is basically flat - but the concept of "safes" can be used to separate accounts, e.g. one safe for the team with shared accounts and one safe per user - it is probably a good idea to make the safe name configurable.

If you have any prebuilds or need some testing, let me know.
Reply
#30
Hi all,

we have a quite similar situation as Vahr001. We are also interested in having MFA (AzureAD) for ASG initiated connections via PSM to target system.
Any news on that topic?

I have some contacts from CyberArk directly. Maybe it makes sense to bring you together.
Reply
#31
Currently we have too many areas we are working on with limited resources - I hope we can start working on that issue in the near future...
Regards/Gruss
Oliver
Reply
#32
(29-11-2021, 04:16 PM)DevOma Wrote: Currently we have too many areas we are working on with limited resources - I hope we can start working on that issue in the near future...

Hello,

I just wanted to add, that I've now got another CyberArk-customer who wants to integrate ASG Remote Desktop with its CyberArk environment.
I will have some workshops with this customer in January 2022, where we could also address this topic. If you want to, I could answer your questions concerning CyberArk and you could directly implement and test it on the customer's systems.
--
Working as an IT security consultant with lots of CyberArk experience. No experience with ASG Remote desktop yet. Trying to help a customer.
Reply
#33
(07-12-2021, 12:42 PM)J.R Wrote:
(29-11-2021, 04:16 PM)DevOma Wrote: Currently we have too many areas we are working on with limited resources - I hope we can start working on that issue in the near future...

Hello,

I just wanted to add, that I've now got another CyberArk-customer who wants to integrate ASG Remote Desktop with its CyberArk environment.
I will have some workshops with this customer in January 2022, where we could also address this topic. If you want to, I could answer your questions concerning CyberArk and you could directly implement and test it on the customer's systems.

Project is running now. You wouldn't have some time to connect with me and your customer now or next week?
--
Working as an IT security consultant with lots of CyberArk experience. No experience with ASG Remote desktop yet. Trying to help a customer.
Reply
#34
You can send me an invitation via Private Message - I will see if it is possible to join...
Regards/Gruss
Oliver
Reply
#35
Just another customer who is eager to use ASGRD as our primary RDP provider and CyberArk as the credential provider. The comments about setting up ASG connection to connect to a destination using CyberArk PSM are interesting, but I would ask, why have ASG then? Just go into CyberArk PVWA, find your account, click connect, tell CyberArk the destination and let PSM take you there. (I understand, PSM does record sessions, audits keystrokes, and also eliminates caching of credentials).

For us, it's really just a matter of having ASGRD connections able to retrieve passwords (securely) from CyberArk for the referenced account when we choose the connection in ASGRD.

CyberArk rotates our passwords frequently enough so we don't have to worry about cached credentials on the local server - they are changed at the next access. We audit events on the server.

I hope you've been able to find a way. ASGRD is a great solution and CyberArk PAS is a great password storage solution. CyberArk PSM is very cool, but it's pretty expensive and doesn't have ASG's great organization of resources. In CyberArk / PSM everything is account focused (rightfully so for what CyberArk does), but you better know where you want to connect. ASG is so much better at giving us what we want the way we think, which is: I need to get to this destination with this account - now what is that "darn" password? Oh I need logon / MFA CyberArk, find the account and copy the password .... would be great to marry the two technologies.

Are you aware of PS-PAS, PowerShell for CyberArk - there may be some gold to mine with those sets of tools.
Reply
#36
We will work shortly on a better integration...
Regards/Gruss
Oliver
Reply
#37
(11-02-2022, 08:37 AM)DevOma Wrote: We will work shortly on a better integration...

MANY THANKS!!!!!!!
Reply
#38
(10-02-2022, 11:48 PM)sdpnme3 Wrote: Just another customer who is eager to use ASGRD as our primary RDP provider and CyberArk as the credential provider. The comments about setting up ASG connection to connect to a destination using CyberArk PSM are interesting, but I would ask, why have ASG then? Just go into CyberArk PVWA, find your account, click connect, tell CyberArk the destination and let PSM take you there. (I understand, PSM does record sessions, audits keystrokes, and also eliminates caching of credentials).

For us, it's really just a matter of having ASGRD connections able to retrieve passwords (securely) from CyberArk for the referenced account when we choose the connection in ASGRD.

CyberArk rotates our passwords frequently enough so we don't have to worry about cached credentials on the local server - they are changed at the next access. We audit events on the server.

I hope you've been able to find a way. ASGRD is a great solution and CyberArk PAS is a great password storage solution. CyberArk PSM is very cool, but it's pretty expensive and doesn't have ASG's great organization of resources. In CyberArk / PSM everything is account focused (rightfully so for what CyberArk does), but you better know where you want to connect. ASG is so much better at giving us what we want the way we think, which is: I need to get to this destination with this account - now what is that "darn" password? Oh I need logon / MFA CyberArk, find the account and copy the password .... would be great to marry the two technologies.

Are you aware of PS-PAS, PowerShell for CyberArk - there may be some gold to mine with those sets of tools.

Hi,

in the current license model, CyberArk only licenses by the number of users - PSM and PSM for SSH are included (AFAIK). So PSM shouldn't be a monetary problem anymore. Still the options to organize and search in ASG as well as the possibility to easily fulfil tasks on several targets are very useful, according to my customers.
--
Working as an IT security consultant with lots of CyberArk experience. No experience with ASG Remote desktop yet. Trying to help a customer.
Reply
#39
Another customer here, very interested in CA integration.  Any news on this yet?
Reply
#40
(19-04-2022, 01:02 PM)Anon_man Wrote: Another customer here, very interested in CA integration. Any news on this yet?

I'll take silence as a 'no' then :-(
Reply