Log in to Remote Systems Using Credential Injection from the Representative Console
When accessing a Windows-based Jump Item in the Representative Console, you can use credentials from a credential store to log in to the endpoint or to run applications as an admin.
Before using credential injection, make sure that you have a credential store or password vault available to connect to BeyondTrust Remote Support.
Install and Configure the Endpoint Credential Manager
Before you can begin accessing Jump Items using credential injection, you must download, install, and configure the BeyondTrust Endpoint Credential Manager (ECM). The BeyondTrust ECM allows you to quickly configure your connection to a credential store, such as a password vault.
The ECM must be installed on your system to enable the BeyondTrust ECM Service and to use credential injection in BeyondTrust Remote Support.
- Windows Vista or newer, 64-bit only
- .NET 4.5 or newer
- Processor: 2 GHz or faster
- Memory: 2 GB or greater
- Available Disk Space: 80 GB or greater
- To begin, download the BeyondTrust Endpoint Credential Manager (ECM) from BeyondTrust Support . Start the BeyondTrust Endpoint Credential Manager Setup Wizard.
- Agree to the EULA terms and conditions. Mark the checkbox if you agree, and click Install. If you wish to modify the installation path, click the Options button to customize the installation location.
You are not allowed to proceed with the installation unless you agree to the EULA.
- Choose a location for the Credential Manager and click Next.
- On the next screen, you can begin the installation or review any previous step.
- Click Install when you are ready to begin.
- The installation will take a few moments. On the screen, click Finish.
To ensure optimal up-time, administrators can install up to five ECMs on different Windows machines to communicate with the same site on the BeyondTrust Appliance B Series. A list of the ECMs connected to the B Series Appliance site can be found at /login > Status > Information > ECM Clients.
When multiple ECMs are connected to a BeyondTrust site, the B Series Appliance routes requests to the ECM that has been connected to the B Series Appliance the longest.
If you get a Windows plugin error during installation, locate and unblock BomgarVaultRestPlugin.dll.
Configure a Connection to Your Credential Store
Using the ECM Configurator, set up a connection to your credential store.
- Locate the BeyondTrust ECM Configurator you just installed using the Windows Search entry field or by viewing your Start menu programs list.
- Run the program to begin establishing a connection.
- When the ECM Configurator opens, complete the fields. All fields are required.
- When you click the Choose Plugin... button, the ECM location folder opens.
- Paste your plugin files into the folder.
- Open the plugin file to begin loading.
|Site||The URL for your credential store instance.|
|Port||The server port through which the ECM connects to your site.|
|Plugin||Click the Choose Plugin... button to locate the plugin.|
If you are connecting to a password vault, more configuration at the plugin level may be needed. Plugin requirements vary based on the credential store that is being connected.
To apply new settings in the configuration, restart the ECM service.
Use Credential Injection to Access Remote Systems
After the credential store has been configured and a connection established, the representative console can begin using credentials in the credential store to log in to remote systems.
- Log in to the representative console.
- Jump to a remote system with a Jump Item installed as an elevated service on a Windows machine.
- Click the Play button to begin screen sharing with the remote system. If the remote system is at the Windows login screen, the Inject Credentials button is highlighted.
- Click the Inject Credentials button. A pop-up credential selection dialog appears, listing the credentials available from the ECM.
- Select the appropriate credentials to use from the ECM. The system retrieves the credentials from the ECM and injects them into the Windows login screen.
- The representative is logged in to the remote system.
Choose from Favorite Credentials for Injection
After a representative has used a set of credentials to log in to an endpoint, the system stores the user's preferred credentials for the endpoint and the context in which they were used (to login, to perform a special action, to elevate, or to push) in the B Series Appliance database. The next time the user wants to use credentials to access the same endpoint, the credential injection menu makes a recommendation for which credentials to use. The credentials are displayed at the top of the credentials list, followed by any remaining credentials. If no credential history exists for an endpoint, the B Series Appliance simply displays all the possible credentials.
The credential list recommends no more than five credentials.
When using BeyondTrust Vault, the maximum number of credentials that can display in the dropdown menu is 2,000. When using the ECM, the limit is 200.
Check Out and Check In Vault Credentials
From the representative console, you can easily access the BeyondTrust Vault in the /login interface to check out and check in credentials when necessary, either during a session or outside of a session directly on the Representative Console.
To access the vault, select the Vault > Open Vault menu item. You are taken directly to the Vault > Accounts page in the /login interface, once logged in.
If you not logged in, you will be asked to enter your credentials. You are then taken directly to the Vault accounts page. If you are already logged in a browser window, you will not be asked for your credentials and are taken directly to the Vault page.
You can then locate and check out or check in a vault account.