16-07-2015, 05:07 PM
I have made a bunch of progress on this but I need to fully lay out what we are trying to do so that it makes sense.
We are using a privileged identity product (one of the main ones on the market) that has the ability to publish applications using MS Remote Desktop Services.
Clients connect to a web console with a non-privileged account and are presented with the option to launch applications with privileged accounts that they do not know the password for and have very short password cycles (hour or less).
When the session to the published app is established it uses a non-privileged generic account which starts the process and goes out to the privileged identity product and gets the password for the account they are trying to use...
This part all works fine... the result that I see in procmon is that the correct username and password are being passed in the following de-identified string.
"C:\Program Files (x86)\ASG-Remote Desktop 2015\ASGRD.exe" /Instance:Admin /loginmethod:0 /loginintegrated:false /logindomain:dev.com /loginusername:ultravenom-admin /loginpassword:P@$$w0rd! /LoginSubmit /passthrough:false /noenv /novideo
In the security log I see that the correct user is logged on (ultravenom-admin) and we have the option selected to do RDP SSO -- the issue is that ASG is popping for the password of the privileged account (which the person doesn't know) when making connections to servers.
Any ideas?