Configure the Thycotic Secret Server Plugin for Integration with BeyondTrust Privileged Remote Access
You must purchase this integration separately from both your BeyondTrust Privileged Remote Access and Privileged Identity solutions. For more information, contact BeyondTrust sales.
Install the Endpoint Credential Manager
The Endpoint Credential Manager (ECM) must be installed on a system with the following requirements:
- Windows Vista or newer, 64-bit only
- .NET 4.5 or newer
- To begin, download the BeyondTrust Endpoint Credential Manager (ECM) from BeyondTrust Support. Start the BeyondTrust Endpoint Credential Manager Setup Wizard.
- Agree to the EULA terms and conditions. Mark the checkbox if you agree, and click Install.
If you need to modify the ECM installation path, click the Options button to customize the installation location.
You are not allowed to proceed with the installation unless you agree to the EULA.
- Click Install.
- Choose a location for the credential manager and click Next.
- On the next screen, you can begin the installation or review any previous step.
- Click Install when you are ready to begin.
- The installation takes a few moments. On the screen, click Finish.
To ensure optimal up-time, administrators can install up to five ECMs on different Windows machines to communicate with the same site on the PRA Appliance. A list of the ECMs connected to the appliance site can be found at /login > Status > Information > ECM Clients.
When multiple ECMs are connected to a BeyondTrust site, the PRA Appliance routes requests to the ECM that has been connected to the appliance the longest.
Install and Configure the Plugin
- Once the BeyondTrust ECM is installed, extract and copy the plugin files to the installation directory (typically C:\Program Files\Bomgar\ECM).
- Run the ECM Configurator to install the plugin.
- The Configurator should automatically detect the plugin and load it. If so, skip to step 4 below. Otherwise, follow these steps:
- First, ensure that the DLL is not blocked. Right-click on the DLL and select Properties.
- On the General tab, look at the bottom of the pane. If there is a Security section with an Unblock button, click the button.
- Repeat these steps for any other DLLs packaged with the plugin.
- In the Configurator, click the Choose Plugin button and browse to the location of the plugin DLL ThycoticSecretServerPlugin.dll.
- After selecting the DLL, click the gear icon in the Configurator window to configure plugin settings.
- The following settings are available:
| Setting Name | Description | Notes | Required |
|---|---|---|---|
| Endpoint URL | The full URL to the Secret Server web services | e.g., https://<thycotic-server-hostname>/SecretServer/webservices/SSWebservice.asmx | Yes |
| API User | Username of the API account created in Secret Server | | Yes |
| API Password | Password of the above user | | Yes |
| API Domain | Domain of the API account created in Secret Server | Used only if the API account is not a local user in Secret Server | No |
| API Organization | Organization of the API account created in Secret Server | Not typically used for such accounts | No |
| Include domain credentials for | When checked, in addition to retrieving machine-specific credentials for the selected endpoint, it also retrieves domain credentials where the domain field (configured below) matches one of the configured domains | This field can contain multiple domains separated with commas | No |
| Domain Field | API web service field containing domain names | The default value of Domain should be left unless an organization is using another field to store this information on domain secrets | Yes |
| Machine Field | API web service field containing machine names | The default value of Machine should be left unless an organization is using another field to store this information on machine-specific secrets | Yes |
| Default Domain for Local BeyondTrust Users | When a value is supplied, the plugin initially attempts to retrieve credentials for the user with the username from BeyondTrust and the configured default domain | This setting is necessary if some or all BeyondTrust users are local users but the corresponding accounts in Secret Server are domain accounts with the same username portion | No |
| Enable fall-back to local account if domain account not found | When checked, the plugin first attempts to retrieve credentials for the user as a domain user and then, if no match is found, makes a second attempt without the domain | This setting is necessary if some or all BeyondTrust users are domain users but the corresponding accounts in Secret Server are domain accounts with the same username portion | No |
| Include default organization | If enabled, the supplied organization is included when querying for a matching Secret Server user | | No |
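The Unblock button in the DLL steps above removes the Zone.Identifier alternate data stream that Windows attaches to downloaded files. The following PowerShell script is an added example, not BeyondTrust code: it lists every DLL in the ECM directory with its blocked state, Authenticode status and SHA-256 hash, and with -Unblock removes the mark only from DLLs whose signature validates. The default path is the typical location named on this page, and the assumption that the plugin DLLs are Authenticode-signed is not confirmed by the page.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session on the ECM host.
param(
    # Typical install path from this page; adjust to your installation.
    [string]$PluginDir = 'C:\Program Files\Bomgar\ECM',
    # Report only by default; pass -Unblock to unblock validly signed DLLs.
    [switch]$Unblock
)

$report = foreach ($dll in Get-ChildItem -LiteralPath $PluginDir -Filter '*.dll' -File) {
    # A file that arrived from another zone carries a Zone.Identifier stream;
    # this is what the Properties dialog shows as the "Unblock" button.
    $motw = Get-Item -LiteralPath $dll.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -LiteralPath $dll.FullName

    $action = 'none'
    if ($motw -and $Unblock) {
        if ($sig.Status -eq 'Valid') {
            # Assumption: the DLLs are signed. Unsigned or tampered files stay blocked.
            Unblock-File -LiteralPath $dll.FullName
            $action = 'unblocked'
        } else {
            $action = 'left blocked (signature not valid)'
        }
    }

    [pscustomobject]@{
        Name      = $dll.Name
        Blocked   = [bool]$motw
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        SHA256    = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
        Action    = $action
    }
}

$report | Format-Table -AutoSize
```

Run it once without -Unblock and compare the reported signer and hashes with what the vendor publishes for the download, if anything, before changing any file.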
The settings specific to Secret Server can be tested directly from the plugin configuration screen using the Test Settings button.
- Enter a user account from which to retrieve secrets.
- Enter an endpoint for which the user account has one or more secrets.
- View the resulting list.
No actual passwords are retrieved or displayed, only the list of credentials.
The settings used for the test are the ones currently entered on the screen, not necessarily what is saved.
Access to individual Secret Server user secrets is handled by a delegated trust feature built into Secret Server. This means that a user can grant access to their secrets to an API user. The first time a user attempts to access an endpoint via the BeyondTrust access console, a request for this access is generated, and an email is sent to the user. The user can either approve the request, granting API user access to their credentials for future sessions, or they can deny the request. This access can be revoked by the user at any time. If for some reason the email is not received, the page to manage this access is available to all Secret Server users under Tools > Manage Applications.
When using the Test Settings button to test the retrieval of secrets for a user who has NOT approved access for the API account, the resulting dialog for the test is similar to the screen shot below.
The Configurator.log should indicate that authentication was successful but that permission to access that user's secrets is pending approval.
Clear Token Cache
To avoid excessive authentication calls to Thycotic, the plugin caches (in an encrypted form) authentication tokens for users as they attempt to retrieve secrets through the integration. Subsequent calls use the cached token until it expires. At that point, a new authentication token is retrieved and cached. The Clear Token Cache button allows an admin to clear all cached authentication tokens if such action becomes necessary for maintenance, testing, etc.