Add a Windows Remote Target Connector

The Windows Remote target connector lets CA PAM manage Windows accounts and the passwords for services and scheduled tasks that are local to the Windows server. The Windows Remote Target Connector is an alternative to the Windows Proxy Connector, but does not require that you install software in the Windows domain.
Two other Windows connectors are available:
This connector uses Samba commands and remote Windows API calls to make updates to the account, services, and scheduled tasks passwords. To complete discovery and password changes for services and scheduled tasks, the connector might incur extra overhead.
To add the target connector using the CLI, see the Windows Remote Target Connector CLI Configuration.
Prerequisites for Using the Windows Remote Connector
  1. To configure Windows Remote target accounts, first create a device (target server) that is assigned a device type of Password Management.
    Use the private IP address of an AWS or Azure Windows device. Some features do not function properly when you use the public IP address.
  2. Prepare the target server for using the Windows Remote Connector with the following information:
    • Ports Used by the Connector
      The Windows Remote Connector requires these ports to be open in the firewall:
      • SMB: port 445
      • WMI: port 135 and port range from 49152 through 65535 or 1024 through 4999
    • Disable the Guest Account
      If the guest account in the domain or on the target server is enabled, the connector tries to verify its password, which does not exist. Disable this account to prevent a false password verification.
    • User Access Control workaround
      If User Access Control is enabled on the target server, and the account for password management is a local administrator, the connector needs access to perform SMB and WMI operations. To give the connector access, add the LocalAccountTokenFilterPolicy registry setting to remove remote restrictions:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = dword:00000001
      WMI traffic is encrypted, so a password that is updated through WMI is encrypted in transit.
    • Review Group or Local Policy Security Options
      The default values for network security on Windows systems allow the Windows Remote Connector to function. However, if certain settings are configured too restrictively, Windows Remote password management fails. To ensure that Windows Remote operates effectively, verify the following settings in the Group or Local Policy Security Options. Go to Start, Administrative Tools, Local Security Policy, Local Policies, Security Options.
      • Network security: Restrict NTLM: Incoming NTLM traffic: Allow all, or Not Defined
      • Network security: Restrict NTLM: NTLM authentication in this domain: Disable, Not Defined, or Deny for domain accounts
    • Set the Local System Context
      The Windows Remote Connector can be run in the context of a local system. This scenario allows successful management and updates of the local Windows accounts, service passwords, and scheduled task passwords. The Windows Remote Administrator account that you add to the appliance must be part of the Local Administrator group on the target server.
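As an added readiness check (example code, not part of CA PAM or this documentation), the following PowerShell script, run in an elevated session on the target server, verifies the prerequisites above: the SMB and WMI listeners and inbound firewall rule groups, the Guest account state, the LocalAccountTokenFilterPolicy value when UAC is enabled, and the two Restrict NTLM security options. The registry values assumed to back the NTLM options (RestrictReceivingNTLMTraffic and RestrictNTLMInDomain under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0) and their numeric mapping are assumptions to confirm against Microsoft's documentation.

```powershell
# Readiness check for the Windows Remote Connector prerequisites (added example, not CA PAM code).
# Run in an elevated PowerShell session on the target Windows server.
function Test-WinRemotePrereqs {
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Assumption: the Restrict NTLM security options are stored under this key
    $msv1   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $results = @()

    # Ports: SMB (445) and the RPC endpoint mapper used by WMI (135) must be listening.
    # The dynamic RPC range is ephemeral, so only the fixed listeners are checked here.
    foreach ($port in 445, 135) {
        $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
        $results += [pscustomobject]@{ Check = "TCP $port listening"; Ok = $listening; Detail = "Listening=$listening" }
    }

    # Firewall: at least one enabled inbound rule in the SMB and WMI rule groups.
    foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
        $enabled = @(Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
                     Where-Object { $_.Enabled -eq 'True' }).Count
        $results += [pscustomobject]@{ Check = "Inbound firewall group '$group'"; Ok = ($enabled -gt 0); Detail = "$enabled rule(s) enabled" }
    }

    # Guest account: must be disabled or absent, otherwise the connector tries to verify a password that does not exist.
    $guest = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'Guest account disabled'; Ok = (-not $guest -or -not $guest.Enabled); Detail = "Enabled=$($guest.Enabled)" }

    # UAC remote restrictions: with UAC on (EnableLUA=1), a local administrator needs LocalAccountTokenFilterPolicy=1.
    $sys   = Get-ItemProperty -Path $sysPol -ErrorAction SilentlyContinue
    $uacOn = ($sys.EnableLUA -eq 1)
    $latfp = $sys.LocalAccountTokenFilterPolicy
    $results += [pscustomobject]@{ Check = 'LocalAccountTokenFilterPolicy'; Ok = (-not $uacOn -or $latfp -eq 1); Detail = "EnableLUA=$($sys.EnableLUA) LocalAccountTokenFilterPolicy=$latfp" }

    # Restrict NTLM: an absent value means Not Defined; 0 means Allow all / Disable; 3 is assumed to mean Deny for domain accounts.
    $ntlm     = Get-ItemProperty -Path $msv1 -ErrorAction SilentlyContinue
    $incoming = $ntlm.RestrictReceivingNTLMTraffic
    $inDomain = $ntlm.RestrictNTLMInDomain
    $results += [pscustomobject]@{ Check = 'Restrict NTLM: Incoming NTLM traffic'; Ok = ($null -eq $incoming -or $incoming -eq 0); Detail = "Value=$incoming" }
    $results += [pscustomobject]@{ Check = 'Restrict NTLM: NTLM authentication in this domain'; Ok = ($null -eq $inDomain -or $inDomain -in @(0, 3)); Detail = "Value=$inDomain" }

    return $results
}

# Print the findings; any row with Ok = False needs attention before adding the target connector.
Test-WinRemotePrereqs | Format-Table -AutoSize
```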
Add the Target Application and Connector
Follow these steps in the UI:
  1. Select Credentials, Manage Targets, Applications.
  2. Select Add.
  3. Fill in the following fields:
    • Host Name of the target server
    • Device Name
    • Application Name: The name must be unique.
  4. In the Application Type field, select Windows Remote.
  5. (Optional) Select a Password Composition Policy.
  6. If you are using target groupings, add Descriptors.
  7. Select the Windows Remote tab.
  8. For the Account Type, select one of the following options:
    • Local Account is only able to manage local accounts on target servers.
    • Domain Account is able to manage Windows Domain accounts. We recommend using the Active Directory connector to manage Domain Accounts.
      For the Domain Account, a drop-down list becomes active, with the following options:
      • Target Server is Domain Controller (For domain administrator accounts only)
      • Domain Controllers are on servers (with Specify Servers text field). Enter one or more servers, separated by commas.
      • Lookup Domain Controllers in DNS
      • Lookup Domain Controllers in specified (with Specify DNS text field). Enter one or more DNS servers, separated by commas.
      For DNS Servers, complete the following fields:
      • Domain Name: Specify the Windows domain of the managed account.
      • Active Directory Site: This field is not active for the Target Server is Domain Controller option. If you enter a value, it is used to narrow the search for domain controllers to the specified site name. If the field is empty, the connector searches for all domain controllers in DNS.
      • DC replication time (in ms): Enter the frequency of replication in milliseconds.
    • For Active Directory Connect Timeout, enter the timeout for connecting to AD, in milliseconds.
    • For Active Directory Read Timeout, enter the timeout for reading from AD, in milliseconds.
  9. On the Account Discovery tab, select Discover Services and Discover tasks. (Optional) Specify a filter for Accounts.
    If you do not specify a filter, all accounts are discovered from the Windows server. Use only the * wildcard character in filters. Example: User*
  10. Select OK to save the application.