Request and Start Sessions in Password Safe

When configured by your Password Safe administrator, you can request access to a managed system using a remote session. Using the Password Safe request and approval system, you can request remote sessions that use RDP and SSH connection types.

Password Safe acts as a proxy, providing session management to target systems. No passwords are transmitted, allowing inherently secure session management. The sections below detail how to request and start sessions in Password Safe.

Request an RDP Session

  1. From the Accounts tab, load the accounts in the grid by clicking a category or using the filter options, and then click Load All Accounts.
  2. Click Access for the managed account for which you wish to request a session.
  3. From the Start Session tab, select a ticket system and provide a ticket number if required, check your desired options, and then click Start RDP Session. An RDP connection file downloads with a one-time use token, which expires after a period of time based on Session Initialization timeout settings.
  4. Run the file to establish a connection to the target system.
  5. Enter the password that you use to authenticate into Password Safe.

Submit a Request for Access to a Managed System

  1. Click Access for the managed account for which you wish to request a session.
  2. From the Submit Request tab:
    • Set a session start date and time that corresponds with the access policy and is outside of a scheduled maintenance window.
    • Set the length of time for the session.
    • Check RDP Session for the type of access you need.
    • Provide a reason for the request. The maximum allowed length is 200 characters.
    • Select a ticket system and provide a ticket number.

Reason, Ticket System, and Ticket Number fields might be optional or required, depending upon options configured in the access policy by your Password Safe administrator. Also, if your Password Safe administrator has set a specific ticket system in the access policy, you cannot select a different ticket system with your request.

  3. Click Submit Request. An email is sent to the approver if email notification is configured.

Use Direct Connect for RDP Session

You can also use the Direct Connect feature to initiate an RDP session. As the requester, you can access the system without ever viewing the managed account's credentials.

To use Direct Connect, you must download the RDP file from the Password Safe web portal. This is a one-time download. Each account and system combination requires that you download the unique RDP file associated with it.

If the requester is granted approval for RDP sessions, a message displays, stating: "Request requires approval. If the request is not approved within 5 minutes, this connection will close." After five minutes, the RDP client disconnects, and you can send another connection request. When the request is approved, you are automatically connected.

To initiate a Direct Connect RDP session:

  1. Find the account in the list, and then click Access for the managed account for which you wish to request a session.
  2. From the Direct Connect tab, click Download RDP File.
  3. Run the file to establish a connection to the target system.
  4. Enter the password that you use to authenticate into Password Safe.

When using Direct Connect, enter the password, the defined delimiter, and then your 2FA code. The password policy does not need to account for the delimiter.

LDAP users that use the mail account naming attribute cannot use RDP Direct Connect.

Start an RDP Session Without Submitting a Request

Start Session tab for accessing a managed system in Password Safe

Users who have permissions to bypass the request and approval process for accessing the managed system and Password Safe administrators are able to start sessions and retrieve passwords immediately from the Start Session tab. The Start Session tab does not display for users who do not have permissions to bypass the request and approval process. To start the session:

  1. From the Accounts tab, load the accounts in the grid by clicking a category or using the filter options, and then click Load All Accounts.
  2. Click Access for the managed account for which you wish to request a session.
  3. From the Start Session tab, select a ticket system and provide a ticket number if required, check your desired options, and then click Start RDP Session. An RDP connection file downloads with a one-time use token, which expires after a period of time based on Session Initialization timeout settings.
  4. Run the file to establish a connection to the target system.
  5. Enter the password that you use to authenticate into Password Safe.


Start an Admin Session

Password Safe Portal Admin Session Tab

Users who have full control permissions for the Password Safe Admin Session feature and Password Safe administrators can open ad-hoc RDP and SSH sessions without going through the request process, using an Admin Session. From the Admin Session tab, you can start a session immediately by completing the form and clicking Connect. Admin sessions also allow you to select a node associated with another region to act as a proxy for the session. This is useful in larger environments when assets you need to access are in your region.

Admin sessions are recorded by default. If your administrator has enabled the option, a Record Session check box displays on the form, giving you the option to record the session or not.


SSH Direct Connect

Using an SSH client, a user can use the Password Safe Request and Approval system for SSH remote connections. The requester's information, including the Reason and the Request Duration, is auto-populated with default Password Safe settings.

To access a managed account or application using Direct Connect, the requester has to connect to Password Safe's SSH Proxy using a custom SSH connection string with one of the following formats:

  • For UPN credentials:
    <Requester>+<Username@Domain>+<System Name>@<Password Safe>
  • For down-level logon names or non-domain credentials:
    <Requester>@<Domain\\Username>@<System Name>@<Password Safe>

Override the default SSH port by specifying port 4422. The requester is then prompted to enter the password they use to authenticate with Password Safe.

  • For UPN credentials:
    ssh -p 4422 <Requester>+<Username@Domain>+<System Name>@<Password Safe>
  • For down-level logon names or non-domain credentials:
    ssh -p 4422 <Requester>@<Domain\\Username>@<System Name>@<Password Safe>
  • For an SSH application:
    ssh -p 4422 <Requester>@<Account name>:<Application alias>@<System name>@<Password Safe>

Once the requester is authenticated, they are immediately connected to the desired machine.
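The three connection-string formats above, as an added example that is not BeyondTrust's code: a small Python builder and parser for the Direct Connect string, useful for checking a string before handing it to ssh or for picking the requester, account and system out of a logged connection. Host names and account names are constructed; accepting a single backslash between domain and username (the page writes two) is an assumption.

```python
import re
import shlex

PS_PROXY_PORT = 4422  # Password Safe SSH proxy port given on the page

# Target part (everything before the final '@<Password Safe>') for each documented form.
# The page writes the down-level separator as '\\'; one backslash is also accepted (assumption).
_UPN = re.compile(r"^(?P<requester>[^+@]+)\+(?P<user>[^+@]+)@(?P<domain>[^+@]+)\+(?P<system>[^+@]+)$")
_APP = re.compile(r"^(?P<requester>[^@]+)@(?P<user>[^@:]+):(?P<app>[^@]+)@(?P<system>[^@]+)$")
_DOWNLEVEL = re.compile(
    r"^(?P<requester>[^@]+)@(?:(?P<domain>[^\\@]+)\\{1,2})?(?P<user>[^\\@:]+)@(?P<system>[^@]+)$")


def build_upn(requester, user, domain, system, ps_host):
    """<Requester>+<Username@Domain>+<System Name>@<Password Safe>"""
    return f"{requester}+{user}@{domain}+{system}@{ps_host}"


def build_downlevel(requester, user, system, ps_host, domain=None):
    """<Requester>@<Domain\\Username>@<System Name>@<Password Safe>; no domain for local accounts."""
    account = f"{domain}\\\\{user}" if domain else user
    return f"{requester}@{account}@{system}@{ps_host}"


def build_app(requester, account, app_alias, system, ps_host):
    """<Requester>@<Account name>:<Application alias>@<System name>@<Password Safe>"""
    return f"{requester}@{account}:{app_alias}@{system}@{ps_host}"


def ssh_command(conn_string):
    """The ssh invocation to type, with the connection string shell-quoted."""
    return f"ssh -p {PS_PROXY_PORT} {shlex.quote(conn_string)}"


def parse(conn_string):
    """Split a Direct Connect string into its parts and identify which format it uses."""
    target, sep, ps_host = conn_string.rpartition("@")
    if not (sep and target and ps_host):
        raise ValueError("expected <target>@<Password Safe>")
    for fmt, pattern in (("upn", _UPN), ("application", _APP), ("downlevel", _DOWNLEVEL)):
        match = pattern.match(target)
        if match:
            parts = {k: v for k, v in match.groupdict().items() if v is not None}
            parts.update(format=fmt, password_safe=ps_host)
            return parts
    raise ValueError(f"not a recognised Direct Connect string: {conn_string!r}")


if __name__ == "__main__":  # constructed sample values, not real hosts or accounts
    s = build_upn("alice", "bob", "corp.example", "web01", "ps.example")
    print(ssh_command(s), parse(s))
```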