Deploying Active Directory as Authentication Domain with RDP Relay Feature of Privileged User Manager



By: mugirish

September 2, 2011 12:31 pm

Reads: 547

Comments:0

Rating:5.0

Author: Girish Mutt

Abstract:

The main objective of this AppNote is to give a step by step procedure for customers to help them integrate the RDP relay feature of PUM on Windows with Active Directory as the authentication domain. The normal approach will be to use existing PUM framework users to enable the RDP Relay feature. This proposed approach will help customers directly integrate their existing Active Directory environment with the PUM framework thereby allowing usage of a single source for all corporate users. In addition to this, PUM makes use of the LDAP groups to enable access to RDP relay hosts which allow PUM to make use of corporate directory specific access controls with PUM deployments.

Table of Contents

  1. Introduction
  2. Integrating PUM Manager with Active Directory as Authentication Domain
  3. RDP Relay Feature enabling with PUM Manager
  4. Command Control Rule for LDAP Group Matching in Active Directory
  5. Using RDP Relay feature with Active Directory as Authentication Domain
  6. Glossary of Terms

  • Introduction

NetIQ Privileged User Management (PUM) helps IT administrators manage the identity and access for superuser, root accounts, and application users by providing controlled superuser/privileged access to administrators, allowing them to perform jobs without needlessly exposing root account credentials. It also provides a centralized activity log across multiple platforms needed for ensuring compliance in enterprise deployments.

RDP relay is new feature added to PUM that enables delegation of privileged credentials to windows hosts through use of Single Sign on functionality. This feature makes use of the underlying RDP functionality of Windows systems to provide privileged access and monitoring of the activities after the delegation. PUM has been designed to work with its own framework user management. With the new release of PUM 2.3, LDAP group support has been added which helps to achieve easy integration with corporate Active Directory as the authentication domain. It helps to overcome the issue of managing users differently for PUM deployment and existing corporate Active Directory deployment.

The Remote Desktop Protocol Relay (RDP Relay) feature offers Single Sign-on capability and remote access to desktops through a secured connection. In a privileged session, an administrator user who is allowed to access various devices can sign on to many managed devices from a single workstation without knowing the authentication passwords of those devices. In addition, the user can remotely view the desktops of the managed devices and work on them. You enable privileged sessions for an administrator user with the user’s user group information. Then you associate the privileged session with a rule that controls the commands that the user can run on permitted devices and applications.

This AppNote talks about the various configuration that needs to performed by a customer to enable the RDP relay feature integrated with corporate Active Directory deployment.

  • Integrating PUM Manager with Active Directory as Authentication Domain

To integrate the PUM manager with Active Directory, the following steps needs to be performed:

2.1 Create Privileged Account Domain for Active Directory
2.2 Integrate the PUM manager to use Active Directory as authentication domain

2.1 Create Privileged Account Domain for Active Directory

Before we can integrate the PUM to use Active Directory as the authentication domain, the account domain details to authenticate with should be added to PUM manager. PUM manager supports creation of the account domain under command control console installed as part of default manager installation. The various steps to be followed to add authentication account domain to PUM are as follows:

      1. Goto Home/Command Control console –> Privileged Accounts.
      2. Now choose the option Add Account Domain to add a new account domain to PUM manager framework.
      3. Provide all the details as shown in the picture below. Make sure replace xxx.xxx.xxx.xxx with the IP address of the corporate Active Directory server.

Click to view.

Figure 1: Adding corporate Active Directory account domain details.

2.2 Integrate the PUM manager to use Active Directory as authentication domain

After the addition of the Privileged Account Domain details under the privileged accounts of PUM manager, the next step is to add the association between the PUM user framework to directly make use of user accounts in the newly added authentication domain. The following steps should be followed to create that association:

      1. Goto Home/ Framework User Manager console in PUM manager.
      2. Now choose the Users options and select the Account Settings from the left panel.
      3. In the Default Account Settings console, goto Authentication Domain and choose the newly added authentication domain from drop down box as shown in the picture below.

Click to view.

Figure 2: Associating the Account domain to be used by PUM default account settings.

After the successful association, PUM deployment is now is ready to make use of the corporate Active Directory as the default authentication domain. From this point onwards all users will be managed in the corporate Active Directory and those users, groups can be directly made use of for all PUM administration.

Note: In some cases the admin account name used by default in PUM framework will not be available in Active Directory. In such cases you can map the Active Directory Administrator to local admin user using Native Mapping feature available under Framework Users as shown below.

Click to view.

Figure 3: Native mapping of admin PUM user to that of Administrator user in Active Directory

  • RDP Relay Feature enabling with PUM Manager

To enable the RDP relay feature to a particular host or to a group of hosts, RDP credentials of the privileged users needs to be added to the Privileged Account under Command Control. The following steps should be followed to create privileged accounts:

      1. Goto Home/Command Control –> Privileged Accounts.
      2. Now choose the option Add Account Domain from left panel.
      3. Add all the details of the host and its privileged credentials as shown in the picture below.

Click to view.

Figure 4: Privileged Account details of the RDP Relay host

After adding the Privileged account details for RDP relay, the next step is to create rules in Command Control so that authorization to access the RDP relay host is given based on the rule. This can be achieved by following the steps below:

      1. Goto Home/Command Control –> Rules.
      2. Choose Add rule option from the left panel and add a rule R1.
      3. Now goto Modify Rule option for the R1 rule. Enable Session Capture to On and Authorize to Yes. Choose Run User as root and select the corresponding RDP relay privileged account added in Privileged Accounts. Choose Run Host as local as we are trying to enable RDP relay as root user to a normal user part of the corporate Active Directory as shown below.

Click to view.

Figure 5: Modifying rule to authorize and associate RDP credential for RDP relay host.

 

Note: In this example, we are trying to use the same host where PUM manager is installed as the RDP relay host also.

After this RDP command which will be part of the Home/Command Control/Commands needs to added to the rule.

  • Command Control Rule for LDAP Group Matching in Active Directory

After the integration of the PUM manager to use Active Directory, the next step will be to enable the LDAP group look up under rule matching which will make use of LDAP groups in Active Directory to decide on access permission for RDP sessions. This can be achieved by creating an Account Group which will be used to match for the LDAP group in Active Directory. The account group can be created by following the steps below:

      1. Goto Home/Command Control –> Account Groups –> User Groups.
      2. Create a new user group using Add User group with name G1 using option from left panel.
      3. Now choose Modify User Group option to edit it. Under Type choose the External Group check box and select the corporate Active Directory account domain to which group look up operation will be done by rule.
      4. Under Users add a regular expression which matches the LDAP group of a user. This regular expression is used to check whether a particular user is part of the group. When the same is attached to the rule access to Privileged RDP sessions will be granted based on the fact that whether a user is part of the group or not. Thus LDAP group matching is used to grant access to RDP relay sessions.

Click to view.

Figure 6: Modifying User Account Group to match a LDAP group in Active Directory.

 

Once the User group is modified to match an external LDAP group, it will be added to rule RDP RULE by dragging and dropping on top of the rule RDP RULE. Now this rule is able to grant access to RDP relay sessions based on the fact that whether a user is part of the external group or not. Hence PUM makes use of LDAP group look up feature to confirm membership of particular user in Active Directory and then grant access to RDP relay sessions.

The final rule after associating the group matching to rule will be as shown below:

Click to view.

Figure 7: Final rule view to match a LDAP group in Active Directory.

 

  • Using RDP Relay feature with Active Directory as authentication domain

After the successful completion of all the steps mentioned above, the deployed configuration can now be tried.

Use Case: Rule RDP RULE basically tries to check that the user used as part of RDP relay is in deed part of LDAP group GROUP1. If the user is part of the LDAP group in Active Directory which is the authentication domain , then list of allowed RDP Relay sessions will be displayed to user and user will be given access to RDP session as elevated user.

The various steps to be followed to gain access to Privileged RDP Relay sessions are:

      1. From Internet Explorer browser try making use of the RDP Relay feature accessing the following URL:https://xx.xx.xx.xx/rdprelay/index.htmHere we are trying to gain access to RDP relay session based on user1 being part of external LDAP group GROUP1 in Active Directory.

        Click to view.

        Figure 8: Active Directory user user1 in GROUP1 trying to gain access to allowed RDP sessions.

         

      2. Now user1 is checked to verify whether the user is part of group GROUP1 after providing password. If the user is part of the group GROUP1, the user is shown list of allowed RDP sessions . After choosing the session user is given access as privileged user as defined in the rule RDP RULE as depicted below. The user password provided will be that of user user1 under CN=Users, DC=PUM,DC=COM in PUM domain controller.

        Click to view.

        Figure 9: List of allowed RDP sessions for user1 in Active Directory after LDAP group matching

         

  • Glossary of Terms
    • PUM – Privileged User Manager
    • LDAP – Lightweight Directory Access Protocol
    • RDP – Remote Desktop Protocol
    • URL – Uniform Resource Locator
VN:D [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)
Deploying Active Directory as Authentication Domain with RDP Relay Feature of Privileged User Manager, 5.0 out of 5 based on 1 rating

Tags: ,

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Comment