Configure the Thycotic Secret Server Plugin for Integration with BeyondTrust Privileged Remote Access

 

You must purchase this integration separately from your BeyondTrust Privileged Remote Access solution. For more information, contact BeyondTrust sales.

Install the Endpoint Credential Manager

The Endpoint Credential Manager (ECM) must be installed on a system with the following requirements:

  • Windows Vista or newer, 64-bit only
  • .NET 4.5 or newer
  • Processor: 2GHz or faster
  • Memory: 2GB or greater
  • Available Disk Space: 80GB or greater

 

  1. To begin, download the BeyondTrust Endpoint Credential Manager (ECM) from BeyondTrust Support.
  2. Start the BeyondTrust Endpoint Credential Manager Setup Wizard.

    BeyondTrust ECM EULA

  3. Agree to the EULA terms and conditions. Check the box if you agree, and then click Install.

    If you need to modify the ECM installation path, click the Options button to customize the installation location.

You are not allowed to proceed with the installation unless you agree to the EULA.

 

BeyondTrust Welcome to ECM Setup Wizard

  1. Click Next on the Welcome screen.

     

  2. BeyondTrust ECM EULA

  3. Choose a location for the credential manager, and then click Next.

 

  1. On the next screen, you can begin the installation or review any previous step.
  2. BeyondTrust ECM Installation

  3. Click Install when you are ready to begin.
  4.  

    BeyondTrust ECM Installation Complete - Click Finish

  5. The installation takes a few moments. On the Completed screen, click Finish.
  6.  

    To ensure optimal up-time, administrators can install up to three ECMs on different Windows machines to communicate with the same credential store. A list of the ECMs connected to the appliance site can be found at /login > Status > Information > ECM Clients.

    When ECMs are connected in a high availability configuration, the BeyondTrust Appliance B Seriesroutes requests to the ECM in the ECM Group that has been connected to the appliance the longest.

Install and Configure the Plugin

  1. Once the BeyondTrust ECM is installed, extract and copy the plugin files to the installation directory (typically C:\Program Files\Bomgar \ECM).
  2. Run the ECM Configurator to install the plugin.
  1. The Configurator should automatically detect the plugin and load it. If so, skip to step 4 below. Otherwise, follow these steps:

    Unblock DLL

    • First, ensure that the DLL is not blocked. Right-click on the DLL and select Properties.
    • On the General tab, look at the bottom of the pane. If there is a Security section with an Unblock button, click the button.
    • Repeat these steps for any other DLLs packaged with the plugin.
    • In the Configurator, click the Choose Plugin button and browse to the location of the plugin DLL.

     

ECM Configurator

  1. Click the gear icon in the Configurator window to configure plugin settings.

 

  1. The following settings are available:

     

    Setting NameDescriptionNotesRequired
    Endpoint URLThe full URL to the Secret Server web servicese.g., https://<thycotic-server-hostname>/SecretServer/webservices/SSWebservice.asmxYes
    API UserUsername of the API account created in Secret Server Yes
    API PasswordPassword of the above user Yes
    API DomainDomain of the API account created in Secret ServerUsed only if the API account is not a local user in Secret ServerNo
    API OrganizationOrganization of the API account created in Secret ServerNot typically used for such accountsNo
    Include domain credentials forWhen checked, in addition to retrieving machine-specific credentials for the select endpoint, it also retrieves domain credentials where the domain field (configured below) matches one of the configured domainsThis field can contain multiple domains separated with commasNo
    Domain FieldAPI web service field containing domain names

    The default value of Domain should be left unless an organization is using another field to store this information on domain secrets

    Yes
    Machine FieldAPI web service field containing machine names

    The default value of Machine should be left unless an organization is using another field to store this information on machine-specific secrets

    Yes
    Default Domain for Local BeyondTrust UsersWhen a value is supplied, the plugin initially attempts to retrieve credentials for the user with the username from BeyondTrust and the configured default domainThis setting is necessary if some or all BeyondTrust users are local users but the corresponding accounts in Secret Server are domain accounts with the same username portionNo
    Enable fall-back to local account if domain account not foundWhen checked, the plugin first attempts to retrieve credentials for the user as a domain user and then, if no match is found, makes a second attempt without the domainThis setting is necessary if some or all BeyondTrust users are domain users but the corresponding accounts in Secret Server are domain accounts with the same username portionNo
    Include default organizationIf enabled, the supplied organization is included when querying for a matching Secret Server user

     

    No

The test functionality allows you to test new or updated configuration without the need to go through the Access Console or to save the changes first. The form collects information to simulate a request from the B Series Appliance to the ECM. Naturally, this means you can test the settings without having the ECM service running or connected to the B Series Appliance.

While the test does simulate a request from the B Series Appliance to the ECM, it does not in any way test configuration or connectivity to the B Series Appliance. It is used only for configuration, connectivity, permissions, etc., related to the password vault system.

Screenshot of ECM Test Plugin Settings

 

The fields collected in this section simulate the information that is sent to the ECM about the user logged into the console and requesting credentials from the password vault.

  • SRA Console Username: The username of the console user. Depending on the type of Security Provider and how it is configured, this could be username-only ( joe.user), which is the most common format, or it could include other information and in other formats, such as down-level domain info (ACME\joe.user) or email / UPN (joe.user@acme-inc.com).
  • Distinguished Name: For LDAP Security Providers, the provider often populates the Distinguished Name of the user in addition to the username. The Distinguished Name includes domain information which is extracted by the integration and used to help identify the matching account in the password vault. An example DN is: uid=joe.user,ou=HelpDesk,dc=acme-inc,dc=com.

The fields collected in this section simulate the information that is sent to the ECM about the endpoint or Jump Item to which the console user may connect.

  • Jump Item Type: Because different Jump Items result in different pieces of information being sent to the ECM, as well as how the ECM may query the password vault for applicable credentials, it is important to identify the type of Jump Item you wish to simulate as part of the test process.

The Jump Client type should be used to simulate Remote Jump and Local Jump items as well.

  • Hostname / IP Address: For most types of Jump Items, the primary piece of information used to find credentials in the password vault is the endpoint's hostname or IP address.
  • Website URL: For Web Jump items, rather than a hostname, the ECM is provided with the URL to which the item points. This field validates that the supplied string appears to be an actual URL.
  • Additional IP Address: For Jump Client items, in addition to the machine's name, the installed client also makes the machine's public and private IP addresses available to the ECM. Some integrations use this information to query for credentials in addition to or even instead of those which match the hostname value.
  • Application Name: For testing credential retrieval for injection into an application via an RDP + SecureApp item, the ECM is provided with both a value to identify the endpoint (Hostname / IP Address) and one to identify the specific application. The required value for Application Name may vary across integrations. The integration specific installation guides should contain more information on possible values.

Screenshot of ECM Plugin Test Failure Error Message

If the test fails for any reason, error information is displayed to assist in diagnosing the cause of the failure. In most cases these errors are handled and then assigned a type, such as an authentication-related error, and then displayed with the inputs as well as any specific error messages. However, there may still be some instances where a particular error could not be anticipated, so the information is displayed in a more raw form.

It's important to note that, either way, the same information is included in the Configurator.log, along with more detail as to exactly what point in the execution the failure occurred.


Screenshot of ECM Test Plugin No Results Found Message

It's possible that the test succeeds in that it doesn't encounter any errors and yet it doesn't return any credentials. Because this is a perfectly valid result, it is not treated as an error.

 

In either case, if the test succeeds but the results do not match what was expected, it's important to make note of the inputs which led to those results and verify permissions and access to credentials within the password vault.

Screenshot of the ECM Test Plugin - Credential Search Results

When the search does yield one or more matching credentials, the test does allow for one additional level of verification by allowing a tester to retrieve a specific credential as would occur if it were selected for injection within the Console. The tester simply clicks the Retrieve Credential button in the right column of the results list, and the integration then attempts to retrieve that credential on behalf of the supplied user.

 

Screenshot of the ECM Plugin Test > Retrieve Credential > Found Credential Message

The test will display the result of the attempt to retrieve the credential, but for security reasons no password is ever displayed in clear text.

 

Only credentials are retrieved; no actual passwords are retrieved or displayed. The settings used for the test are the ones currently entered on the screen, not necessarily what is saved.

 

Access to individual Secret Server user secrets is handled by a delegated trust feature built into Secret Server. This means that a user can grant access to their secrets to an API user. The first time a user attempts to access an endpoint via the BeyondTrust access console, a request for this access is generated, and an email is sent to the user. The user can either approve the request, granting API user access to their credentials for future sessions, or they can deny the request. This access can be revoked by the user at any time. If for some reason the email is not received, the page to manage this access is available to all Secret Server users under Tools > Manage Applications.

When using the Test Settings button to test the retrieval of secrets for a user who has NOT approved access for the API account, the resulting dialog for the test is similar to the screen shot below.

Error Retrieving Credential List

The Configurator.log should indicate that authentication was successful but that permission to access that user's secrets is pending approval.

Clear Token Cache

To avoid excessive authentication calls to Thycotic, the plugin caches (in an encrypted form) authentication tokens for users as they attempt to retrieve secrets through the integration. Subsequent calls use the cached token until it expires. At that point, a new authentication token is retrieved and cached. The Clear Token Cache button allows an admin to clear all cached authentication tokens if such action becomes necessary for maintenance, testing, etc.