18.1 Application SSO

Using application SSO, you can achieve the following:

  • Privileged SSO to any target resource using the appropriate application.

  • Privileged access without the PAM agent on the target.

  • Complete session capture, such as keystroke and video capture.

To understand and set up application SSO, see the Configuring Application Single Sign-On section in the Privileged Account Manager Installation Guide.

You can configure application SSO in the following modes:

18.1.1 RemoteApp Mode

In RemoteApp mode, the user launches the application from the user console and PAM performs SSO to the application using the SSO module installed on the server. For more information about RemoteApp mode, see the RemoteApp Mode section in the Privileged Account Manager Installation Guide.

Prerequisites

CAUTION: Ensure that you disable Sticky Keys and the keyboard shortcut keys for Task Manager in Windows while configuring the Remote Application SSO feature. For more information, see Disabling Task Manager Keyboard Shortcut Keys and Sticky Keys in Windows.

Disabling Task Manager Keyboard Shortcut Keys and Sticky Keys in Windows

You can disable Sticky Keys using Group Policy or the Windows Control Panel.

To disable the keyboard shortcut keys for Task Manager, you can use Group Policy or one of the following methods:

  1. Open the Windows Registry Editor by typing regedit in the Windows search box on the taskbar and pressing Enter.

  2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System.

  3. Create a new DWORD (32-bit) value with the Name DisableTaskMgr and the Data value 1.

To disable the keyboard shortcut keys for Task Manager using a script, follow this procedure:

  1. Copy the following text into Notepad:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=dword:00000001

  2. Save the file with a .reg extension.

    For example:

    DisableCtrlShiftEscape.reg

  3. In a different Notepad window, copy REGEDIT /s \\servername\share\filename.reg. Replace servername, share, and filename.reg with the share path and name of the .reg file you saved.

  4. Save the file with a .bat extension.

  5. Double-click the saved batch file to import the registry key.

  6. Verify that the shortcut is disabled by pressing Ctrl + Shift + Esc; Task Manager should no longer open.
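The following PowerShell script is an added example and is not part of the PAM documentation or product. It applies the two settings the caution above calls for (both block a user breaking out of the published application into a shell on the RemoteApp server) and reads them back so the state can be verified. It assumes it runs as the account that launches the published application, since both values live under HKCU, and that Group Policy does not later overwrite them.

```powershell
# Added example; not part of the PAM documentation or product.
# Sets the two values the caution above asks for and reads them back so the
# state can be verified before the RemoteApp SSO server goes into service.
# Assumption: run as the account that launches the published application
# (both settings live under HKCU); Group Policy may later overwrite them.

$taskMgrKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$stickyKey  = 'HKCU:\Control Panel\Accessibility\StickyKeys'

function Disable-TaskManagerShortcut {
    # Same value the .reg file in the procedure above imports: DisableTaskMgr = 1.
    if (-not (Test-Path $taskMgrKey)) {
        New-Item -Path $taskMgrKey -Force | Out-Null
    }
    New-ItemProperty -Path $taskMgrKey -Name 'DisableTaskMgr' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-StickyKeysHotkey {
    # Flags is a REG_SZ bitmask. Bit 0x4 (SKF_HOTKEYACTIVE) is the
    # "press Shift five times" hotkey; the Windows default 510 (0x1FE)
    # becomes 506 once that bit is cleared. Other bits are left untouched.
    $flags = [int](Get-ItemProperty -Path $stickyKey -Name 'Flags').Flags
    $flags = $flags -band (-bnot 0x4)
    Set-ItemProperty -Path $stickyKey -Name 'Flags' -Value ([string]$flags)
}

function Test-RemoteAppHardening {
    # Reports $true for a setting only if the value is present and correct;
    # a missing value counts as not hardened rather than silently passing.
    $tm = Get-ItemProperty -Path $taskMgrKey -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    $sk = Get-ItemProperty -Path $stickyKey -Name 'Flags' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TaskManagerDisabled = ($null -ne $tm) -and ($tm.DisableTaskMgr -eq 1)
        StickyKeysHotkeyOff = ($null -ne $sk) -and ((([int]$sk.Flags) -band 0x4) -eq 0)
    }
}

Disable-TaskManagerShortcut
Disable-StickyKeysHotkey
Test-RemoteAppHardening
```

Run Test-RemoteAppHardening again after a Group Policy refresh to confirm the values were not reverted.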

Configuring RemoteApp Mode

The following sections explain how to configure application SSO using RemoteApp mode and how to view application SSO reports:

Prerequisite

Ensure that you have completed all the steps mentioned in the section Configuring Application Single Sign-On in the Privileged Account Manager Installation Guide.

Adding a Credential Vault

You must add a credential vault for every application for which you want to enable SSO. To add an Application SSO resource to the vault, click Credential Vault > Application > Application SSO and click + next to Resources in the new administration console.

Adding a Rule

You must add a rule for every application for which PAM must perform SSO.

To add an application SSO rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes and select Stop if authorized.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Application SSO: Select Yes.

    If you are creating nested rules, ensure that you set Application SSO to Yes in every rule in the nested hierarchy.

    Application Details: Select the appropriate application SSO vault.

    Application Credentials: Select the appropriate credentials to perform SSO.

    Application Host: Specify the host and the port number that must be included during SSO. You must specify the host and port number in the format <Host Name or IP Address>:<Port Number>.

    This option appears only when you have selected Use Host from Policy when creating the application SSO credential vault.

    Account Domain: Select the domain which you used when configuring the application SSO installation attributes.

    Credentials: Select the domain credential created for SSO.

    Run Host: Select All Host, because PAM load balances connections across the RemoteApp servers.

    For more information about all the rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon on the middle pane.

  8. Drag the Application SSO command and drop it on the application SSO rule.

    If you are creating nested rules, ensure that you drag the Application SSO command and drop it on the parent application SSO rule.

This rule applies to all PAM users. If you want to restrict access to the application to specific users, create a user group and drag and drop the user group onto this rule. For more information about creating user groups, see User Groups.

Configuring Application SSO Agents for Load Balancing

In RemoteApp mode, PAM load balances the application SSO requests. For this to work, you must configure the application SSO agents among which the requests are distributed.

To configure agents for application SSO load balancing:

  1. Click Hosts > Application SSO > Remote App Servers.

    This page lists all agents that have the appsso package installed.

  2. Select the required agents for load balancing.

    If you do not select any agent, all listed agents are used for load balancing application SSO requests.

  3. Click Finish.

Viewing Reports

PAM audits all the activities performed in the application SSO session. Based on the rule configuration, the reports can show keystroke and video audits.

To view application SSO reports:

  1. Click Reporting > Command Control Reports.

  2. All report instances are displayed. You can interpret the SSO report columns as follows:

    User: PAM user who has logged into the user console.

    Host: Host where the user console is launched.

    RunAs: The user who logs into the application.

    RunHost: Host to which the application connects. If the application does not connect to any host, an asterisk (*) is displayed.

    Command: Application.

  3. Double-click the appropriate report.

  4. (Conditional) If you have configured video capture, select Output and click Playback to play the audit video.

For more information about reports, see Command Control Reports.

18.1.2 Direct Access Mode

In direct access mode, the application is installed on a remote server. The user connects to the remote server through RDP with their AD account and launches the application as a privileged user, and PAM performs SSO. For more information about direct access mode, see the section Direct Access Mode in the Privileged Account Manager Installation Guide.

The following sections explain the configurations required for application SSO using direct access mode and how to view application SSO reports:

Configuring Direct Access Mode

Prerequisite

Ensure that you have completed all the steps in the section Configuring Application Single Sign-On in the Privileged Account Manager Installation Guide.

Adding a Credential Vault

You must add a credential vault for every application for which you want to allow SSO. To add an Application SSO resource to the vault, click Credential Vault > Application > Application SSO and click + next to Resources in the new administration console.

Adding Rules

You must add the following rules for application SSO using direct access mode:

Adding a Direct RDP Rule

This rule authorizes the RDP session to the application SSO agent.

To add a direct RDP rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Run User: Select Submit User to monitor actions of any user logging into the desktop.

    Run Host: Select Submit Host to monitor actions on any host that has a PAM agent.

    For information about other rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon in the middle pane.

  8. Drag the Windows Direct Session command and drop it on the direct RDP rule.

Adding a Rule to Run Application as a Privileged User

This rule enables privileged access to the application.

To add a rule to run an application as a privileged user:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Authorize: Select Yes.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Account Domain: Select the appropriate domain.

    Credentials: Select the domain credential created for SSO.

    Run User: Select the domain user created for SSO.

    Run Host: Select Submit Host.

    For information about other rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon in the middle pane.

  8. Click Add in the last pane and specify a name for the command. For example, pamrun.

  9. Click Add.

  10. Select the command that you created in step 8 in the middle pane and click the edit icon in the last pane.

  11. Specify the path of every application that must be authorized by this rule.

    To improve security, provide the absolute path of the application so that the rule authorizes only that specific executable. For example, C:\Windows\System32\mstsc.exe. If the absolute path contains spaces, enclose it in quotes. For example, "C:\Program Files (x86)\WinSCP\WinSCP.exe".

  12. Click Modify.

  13. Drag the newly created command and drop it on the run application as a privileged user rule.

Adding an Application SSO Rule

This rule authorizes the application user and performs SSO. You must add this rule for every application for which you want to allow SSO. For example, if you want to allow SSO to WinSCP and Remote Desktop Connection, you must create two application SSO rules.

To add an application SSO rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Application SSO: Select Yes as this rule is used for application SSO.

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    If you are creating nested rules, ensure that you set Application SSO to Yes in every rule in the nested hierarchy.

    Application Details: Select the appropriate application SSO vault.

    Application Credentials: Select the appropriate credential that must be used to perform SSO.

    Application Host: Specify the host and the port number that must be included during SSO. You must specify the host and port number in the format <Host Name or IP Address>:<Port Number>.

    This option appears only when you have selected Use Host from Policy when creating the application SSO credential vault.

    Run User: Select everyone.

    Run Host: Select All Host.

    For more information about the rule fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon on the middle pane.

  8. Drag the Application SSO command and drop it on the application SSO rule.

    If you are creating nested rules, ensure that you drag the Application SSO command and drop it on the parent application SSO rule.

Viewing Reports

PAM audits all the activities performed in the application SSO session. Based on the rule configuration, the report can show keystroke and video audits.

PAM generates the following reports for every application SSO session using direct access mode:

  • Report for launching Windows direct RDP session

  • Report for launching the application as a privileged user

  • Report for the operations performed in the application

To view activities performed in the application SSO session:

  1. Click Reporting > Command Control Reports.

  2. All the report instances are displayed. You can interpret the SSO report columns as follows:

    User: User who has logged into the remote server.

    Host: Remote server where the application is launched.

    RunAs: Application user who has logged into the application.

    RunHost: Host to which the application is connected.

    Command: Application.

  3. Double-click the appropriate report.

  4. (Conditional) If you have configured video capture, click Linked Session > Output > Playback to view the keystrokes and play audit video.

For more information about reports, see Command Control Reports.