Configure Windows Transparent Login
Provisioning Windows transparent login on and through Privileged Access Manager has these stages:
- Preparing Target Device records, including an RDP server hosting an RDP Application
- Running the Learn Tool at the RDP server in coordination (through the RDP Access Method applet) with Privileged Access Manager
- Configuring the RDP Application record on Privileged Access Manager
- Provisioning Target Account records and Privileged Access Manager Policy
To run the Learn Tool and edit transparent login configurations, a Privileged Access Manager administrator must have at minimum the Service Manager role. This role carries the servicesRead, servicesManage, and servicesDelete privileges. Among the preconfigured roles, these privileges are otherwise provided only to the Global Administrator and Operational Administrator roles.
Prepare Targets
Initially, as the Privileged Access Manager administrator, you provision a Device and the RDP Application that is the target (or intermediary) of the transparent login. You might also want to provision (in Credential Manager) the primary access credentials that are consumed during login to the Device. At this stage, you do not need to provision the secondary credentials that are consumed by the RDP Application.
Run Learn Mode
During Learn Mode, Privileged Access Manager is taught the credential-processing interfaces of the provisioned RDP Application. This process captures the required sequence in a transparent login configuration file that is stored at Privileged Access Manager.
Example Procedure
This example procedure walks through a connection to a Linux target device using the RDP Application PuTTY. Later steps refer back to earlier ones by number.
1. Confirm that you have provisioned your desired target Device in Privileged Access Manager. Confirm that the target RDP Application, which is configured later in Privileged Access Manager, is installed on that Device.
2. If needed, log in to Privileged Access Manager as the administrator responsible for Learn Mode.
3. Navigate to the Access page.
4. Mouse over the RDP link to the target Device so that (after a moment) it displays the RDP options pop-up window. While in that panel:
   a. Select the option Learn mode.
   b. You might also want to expand the size of your RDP window in Resolutions to the largest practical value (for example, "Fullscreen"). Learn Mode is easier to use with a large target desktop.
   c. Select Launch to initiate the RDP connection.

   Following login, a script window appears telling you that the Learn Mode Tool ("Transparent Login Learn Tool") is launching. The initial Learn Tool window opens. If transparent login configurations are already set up, they are shown in the drop-down box near the upper left corner of the Learn Tool.

   With the Learn Tool, you create a configuration script that allows Privileged Access Manager to recognize the username, password, submit, and other widgets of an RDP Application when your Users connect to that application. This script also populates and executes these widgets for transparent login. Several configurations (Transparent Login Configurations, or TLCs) can be pre-populated in Privileged Access Manager. When the Learn Tool is launched, these configurations are loaded into Learn Tool memory and are available from the configuration name drop-down list.

   In this example, we create a configuration and assign it the name PuTTY-to-LinuxTarget1. This name appears in the Transparent Login Configurations list on Privileged Access Manager. You can edit the name in the Name field when you prepare your RDP Application record.
5. Select the "Add new configuration" button, and in the dialog window enter a Name and select OK. The configuration name now appears in the field to the left of that button, and is immediately saved.
6. To save the (currently empty) configuration in Privileged Access Manager with this name, select the "Save configuration" button.
7. Open your target RDP application; a configuration interface is ordinarily presented (the PuTTY Configuration window).

   While both the Learn Tool and the application are open, you populate the Learn Tool script window (the body of its GUI). You identify widgets on the target application using one of several Learn Tool scripting controls, which are detailed in the Reference tables that follow this procedure. Each use of a scripting control inserts one script command.

   When driving PuTTY through its GUI, the simplest procedure is to specify a target address, execute a connection using PuTTY default parameters, and then automatically submit the username and password to effect a login. First, identify for the Learn Tool the location of the Host Name (or IP address) field on the PuTTY Session screen, so that when the script runs, Privileged Access Manager knows where to insert that address.
8. To create the script command that provides this functionality, select the "Text input" tool. Like each of the other Learn Tool scripting controls, this tool opens an Add Edit Tag dialog window, in which you specify the parameters that identify and populate the command. The first field is the Element type. In this case, select the default "Text Field", which is the type of control that PuTTY's Host Name (or IP address) field is. (The other choices are "Drop Down List", "Checkbox", "Radio Button", and "Keystrokes".) To identify where this field is, provide the Element ID. To obtain it, invoke the AutoIt Control Viewer (v. 1.1) from the Learn Tool menu:
9. Select the "Run Control Viewer" button from the Learn Tool menu bar. You might briefly see a script window, and then in a minute or so the Control Viewer window appears. You now have three windows. The Learn Tool window is resizable.
10. In the Control Viewer window, press and hold your mouse button over the Browse Tool square area to the upper right. A magnifying glass icon appears, which is your control selection cursor. While you hold the button down, move this cursor over the widget (GUI field, or control) that you want to identify. As you move the cursor, the control of the target application under the cursor displays a red outline. Depending on how the application (PuTTY) was designed, the red outline might refer to a single control or to a group of controls.
    a. If the specific control (here, the host name field) is already outlined in red, skip the remainder of this step 10.
    b. If instead a group of controls is selected and you have not yet identified the Host Name (or IP address) field itself, look at the additional characteristics of the highlighted control in the blue item in the Controls list at the bottom of the Control Viewer window. This list also identifies any subordinate controls that the selected control contains.
    c. Scroll that list to select the other controls one by one until you match the one you are searching for. When the selected control is outlined, note (under the Control tab in the central Info group) its full Instance name: here, "[CLASS:Edit; INSTANCE:1]".
11. You have now identified the exact field that Privileged Access Manager must populate. Finish using the Learn Tool Add Edit Tag window that you opened in step 8:
    a. Select the entire Instance name (from open bracket to close bracket, inclusive), and copy it into the Element ID field.
    b. In the Value type field, select the "text" option. The other options are "username", "password", and "host". These refer to data that Privileged Access Manager supplies during execution, not data embedded in the script.
    c. In the Value field, enter the IP address used to populate that PuTTY field. Alternatively, you can specify a variable hostname by using Value type="host" (which has a fixed Value="true"). In that case, the Device associated with the secondary Target Account specified in policy is used. See also Element type="Keystrokes" in step 14, in which a Target Account is also used to populate the username and password.
    d. Select OK to insert the populated script command. The command appears in the script body.
12. The second element in the PuTTY Configuration window to identify is the Open button (on the same screen), which executes the connection:
    a. Use the Control Viewer procedure of step 10 to identify the Element ID for this button.
    b. Once you have that ID, open the "Mouse click" tool, because that is how this PuTTY control is used. The Add Mouse Click Tag pop-up window appears.
    c. Use the first option, Click on the element. (The other option lets you specify a pixel location for the click.) Enter the Element ID value that you identified in step 12a into the ID field.
    d. Select OK to insert the populated script command. The command appears underneath the first command you entered.

    The point of the transparent login feature is to insert Privileged Access Manager-supplied credentials transparently. When the Open button is clicked, PuTTY closes its configuration window and opens a console for the SSH connection, so you create a second script to supply those credentials to the console. Select the "Save configuration" button to save the current configuration. Then select the "Add new configuration" button to create another configuration for the PuTTY login credentials.

    PuTTY opens its console and communicates with the target Linux Device. This can take some time, and the script can account for it.
13. Select the "Sleep" clock icon to open a widget in which you enter a number of milliseconds. As a rough estimate, 1000 allows PuTTY to open and close its windows and be ready with the prompt it receives from its target device. You can now assume that the console window is ready with the first of its login prompts from the target, for the username. The Learn Tool lets you enter a script command that supplies the Target Account name:
14. Select "Text input" again. Set up the Add Edit Tag with Element type="Keystrokes" (the Element ID then defaults to "window") and Value type="username". Select OK. The script command that is created takes the Account Name from the Target Account that Privileged Access Manager provides through your Policy specification, and passes it to the PuTTY target.
15. To submit the username to the OS, you must also send the Enter key. Use the "Text input" tool as in the previous step; this time set Value type="text", and for Value, click inside its field and press the Enter key. The field then displays the text {ENTER}. Select OK to insert this tag.
16. Likewise, use the "Text input" tool to add a second command with Value type="password". Before entering that command, insert another wait using the "Sleep" tool as already explained. You might need to experiment to find the most efficient wait times. Save this TLC by selecting the (now active) Save configuration floppy disk icon near the right side. Your script is now ready. You might first want to test that it performs as expected; Privileged Access Manager provides this capability with the "Debug" tool.
17. (Optional) To test your configuration, run the Debug tool. This feature executes the currently staged TLC script while displaying debug-level messages in a console.
    a. Select the "Debug" tool button to open the Run dialog window.
    b. In the App path field, use the browse [...] button to the right to specify the location of the RDP Application executable.
    c. Enter the Title of the first window, so that Debug can locate it.
    d. When credentials and a destination must be supplied to execute script processing fully, enter them in Username, Password, and Host. Debug drives the real application with whatever you enter here, so prefer a test account while you tune wait times.
    e. When you are ready, select Run. The Debug console appears.
    f. The Debug program first checks each tag for syntax errors, providing feedback in the console under an initial "App #1" line label.
    g. When you bring the RDP Application window (manually) into focus, the Debug program executes the script. The sequence is labeled "Try #1", and feedback is provided for each tag. If a tag fails to execute successfully, the script is restarted and executes again.
18. (Optional) To improve security in confirming your target application, generate and copy the SHA-1 digest of the RDP Application using the Learn Tool's Get Application Fingerprint feature. When configuring the RDP Application in Privileged Access Manager, paste this value into the Application Fingerprint field. Because the fingerprint is a digest of the application executable, regenerate and re-enter it whenever that executable changes (for example, after a PuTTY upgrade).
19. Continue with Configure RDP Application.
Reference
The following tables describe the Learn Tool features.
Learn Tool: Menu Bar

| Menu | Item | Description |
|---|---|---|
| View | Always on Top | When selected, keeps the Learn Tool window in front of all other windows, even when it is not in focus. The selection state is persistent: after logging off this Device and logging in again, the option value (selected or unselected) remains the same. Default: Selected |
| Action | Clear cache | Removes currently cached applications. When cache is set to "Enable" in Global Settings, Applet Customization, Transparent Login Cache, the Windows target caches the Transparent Login Agent (TLA), Learn Tool, and Control Viewer that are downloaded from Privileged Access Manager during connection when transparent login has been configured, provisioned, and activated. On subsequent connections to that Windows target, the load times for these applications are reduced. |
| Help | Learn Tool Help | Opens the Compiled HTML (CHM) Learn Tool Help file, which contains detailed descriptions of the Learn Tool controls. |
| Help | About | Identifies the Learn Tool application and build versions in a dialog window. |
Learn Tool: XML Scripting Controls

One set of `<window></window>` tags brackets a single-level sequence of XML commands for Privileged Access Manager to manipulate the windows of an RDP Application. Each script control inserts a line containing one XML tag with attributes at the end of the sequence, above the `</window>` tag. You can copy and paste the XML tag lines as in a text editor, so you can move lines when and where needed.

| Icon and Tooltip | Description | Example |
|---|---|---|
| Camera icon: Screen verification | Inserts a tag that verifies that a portion of the screen image of the transparent login application matches a previously saved screen capture. Note: ensure that the captured image portion does not vary from one application invocation to the next, and matches whether the window is active or inactive. | (truncated) `<checkimg content="iVBORuu ... C6kYII=" />` |
| Clock icon: Sleep | Inserts a tag that pauses the script for a configurable number of milliseconds. Usage: opens the Add Sleep Time Tag pop-up window to specify the milliseconds, then inserts the tag at the end of the script. | `<sleep time="500" />` |
| Keyboard void icon: Freeze Input | Inserts a tag that disables user input (keyboard and mouse events) while a Transparent Login script is running. Freeze Input can prevent re-injection of the user password when using multiple browser tabs. Note: place this statement at the beginning of your script. The example freezes user input for 10 seconds. | `<inputfreeze action="enable"/> <sleep time="10000"/> <inputfreeze action="disable"/>` |
| Duplicate windows icon: Activate window | Inserts a tag that places the named window into focus. Usage: inserts this tag at the end of the script. | `<activate />` |
| Mouse icon: Mouse click | Inserts a `<click>` tag, which performs a mouse click at a specified location: on a specified control identified using the Control Viewer; at the center of the target window; or at a location "x" pixels from the left and "y" pixels from the top of the target window. | control: `<click id="[CLASS:TEdit; INSTANCE:2]" />`; window center: `<click pos="center" />`; location: `<click x="123" y="72" />` |
| Icon and Tooltip | Description |
|---|---|
| Page with pencil: Text input | Inserts a tag that submits one of the data types listed in the two tables that follow. Example (using the "Text Field" and "text" options in the dialog): the following tag inserts the text string 123 into the ID-specified text field: `<edit id="[CLASS:TEdit; INSTANCE:1]" text="123" />` |
| Checkmark icon: Element Verification | Inserts a tag that confirms or denies the existence of an element, and optionally verifies that the element is in a specified state (for example, a text field containing a particular string). Element types: Text field, Combobox, Checkbox, Radio Button. Element ID: the control identification obtained through Control Viewer. Value: literal. Ranges for Checkbox and Radio Button: only "checked". Example: `<verify component="radiobutton" id="[CLASS:TRadioButton; INSTANCE:3]" />` verifies that the identified radio button has been selected. If the component is not confirmed, the TLC script halts. |

Text input data types (Text Field, Combobox, Keystrokes):

| Element type | Element ID | Value type | Value |
|---|---|---|---|
| "Text Field" | As determined through Control Viewer (see the example in the procedure) | "text" | String, to populate the field |
| "Text Field" | As determined through Control Viewer | "username", "password", or "host" | "true": for the specified Value type, the TLA sends the value attached to the User policy through the target account record |
| "Combobox" | As determined through Control Viewer | "text" | String, matching a (drop-down) list option |
| "Combobox" | As determined through Control Viewer | "index" | Integer, selecting the ordinal position of a (drop-down) list option |
| "Keystrokes" | "window" (or none) | "text" | Strings and keystroke tags. Keystroke tags are entered into the dialog field either (i) by pressing the named key (ENTER, ESCAPE, TAB), which appears as {ENTER}, {ESCAPE}, or {TAB}; only one such tag is permitted per XML tag; or (ii) by typing the key sequence, for example {F1} entered by typing the four keys {, F, 1, } |
| "Keystrokes" | "window" (or none) | "username", "password", or "host" | "true": for the specified Value type, the TLA sends the value from the Target Account chosen for the RDP Application specified in Privileged Access Manager policy |

Text input data types (Checkbox, Radio Button):

| Element type | Element ID | Checked |
|---|---|---|
| "Checkbox" | As determined through Control Viewer | "True" or "False" |
| "Radio Button" | As determined through Control Viewer | "True" |
Learn Tool: Utilities

| Icon and Tooltip | Description |
|---|---|
| Page with magnifying glass: Run Control Viewer | Runs the third-party application bundled with the Learn Tool, AutoIt Control Viewer version 1.1, which is used to determine the Element ID needed in a script command. (No other Control Viewer functions are needed for Privileged Access Manager use.) Usage, to identify a control or widget: see steps 9-10 of the procedure. Usage, to identify a window name: populate the `<window id="">` XML tag (the top line of the TLC). Example: `<window id="[CLASS:PuTTYConfigBox; INSTANCE:1]" />` |
| Fingerprint: Get Application Fingerprint | Calculates and displays an application fingerprint for an RDP Application so that it can be checked during transparent login attempts. |
| Play icon: Debug | Runs the TLC script currently staged in the Transparent Login Configuration panel (the main body of the window). Usage: see step 17 of the procedure. |
Learn Tool: File Controls

| Icon and Tooltip | Description |
|---|---|
| Drop-down list: Filter by name / (configuration name) | Displays the name of the configuration staged in the Transparent Login Configuration field (the body of the window). |
| (configuration list) | Lists transparent login configurations, either (a) all configurations staged in the Learn Tool, or (b) those filtered by the name string entered. When the Learn Tool is launched following an RDP connection, these configurations are copied from the full set managed in Privileged Access Manager under Services, RDP Applications, Transparent Login Configurations. The initial set can include several sample configurations (for example, for PuTTY or WinSCP) corresponding to recent versions of those applications. |
| Page with plus sign: Add new configuration | Opens a dialog in which you enter a Name for a new, empty configuration; the name then appears in the configuration field and is saved immediately (see the procedure). |
| Duplicate pages: Copy configuration | |
| Page with X: Remove configuration | |
| Floppy disk (gray when inactive, blue when active): Save configuration | When active, saves the currently displayed configuration to Privileged Access Manager. |
| Floppy disks (gray when inactive, blue when active): Save all changes | When active, saves all configurations staged in the Learn Tool drop-down that differ from their currently saved versions to Privileged Access Manager. |
| Cycle arrow: Refresh all | Loads all currently saved Privileged Access Manager TLCs into the Learn Tool. Any unsaved configurations in the Learn Tool are erased. |
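As an added illustration (not a file from the product documentation or shipped with Privileged Access Manager), the two TLCs that the PuTTY procedure builds could be assembled from the tags in the tables above as shown below. Only the host-name field's "[CLASS:Edit; INSTANCE:1]" and the "[CLASS:PuTTYConfigBox; INSTANCE:1]" window ID come from this page; the Open button's instance, the console window's class, the mapping of the dialog's Value type onto attribute names (username="true", password="true", host="true"), and the trailing {ENTER} after the password are assumptions to be checked against what the Learn Tool actually generates and what the Control Viewer reports.

```xml
<!-- TLC 1 (PuTTY-to-LinuxTarget1): bound to the "PuTTY Configuration" window.
     Added example; IDs marked ASSUMED must be taken from the Control Viewer. -->
<window id="[CLASS:PuTTYConfigBox; INSTANCE:1]">
  <!-- Block keyboard and mouse while the script runs (the page says: put first) -->
  <inputfreeze action="enable"/>
  <!-- Host Name (or IP address) field found in step 10. Value type "host"
       inserts the Device of the secondary Target Account chosen in policy
       (attribute name ASSUMED from the dialog's Value type). -->
  <edit id="[CLASS:Edit; INSTANCE:1]" host="true" />
  <!-- Open button, step 12: instance ASSUMED, replace with the real one -->
  <click id="[CLASS:Button; INSTANCE:1]" />
  <inputfreeze action="disable"/>
</window>

<!-- TLC 2: bound to the PuTTY console window (window class ASSUMED). -->
<window id="[CLASS:PuTTY; INSTANCE:1]">
  <inputfreeze action="enable"/>
  <sleep time="1000" />                   <!-- step 13: wait for the username prompt -->
  <edit id="window" username="true" />    <!-- step 14: Keystrokes, Target Account name -->
  <edit id="window" text="{ENTER}" />     <!-- step 15: submit it -->
  <sleep time="1000" />                   <!-- step 16: wait for the password prompt -->
  <edit id="window" password="true" />    <!-- step 16: Target Account password -->
  <edit id="window" text="{ENTER}" />     <!-- ASSUMED: the procedure stops at the password -->
  <inputfreeze action="disable"/>
</window>
```

Each TLC is attached to its own window line item on the RDP Application record, so the configuration window and the console window are matched by title independently. The `<inputfreeze>` pair matters more in the second TLC, where the injected value is a password typed as keystrokes into a console: without it, a stray click or key press from the user during the sleep can land between the password and the Enter key.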
Configure an RDP Application
After using Learn Mode, you have a transparent login configuration in Privileged Access Manager that you can apply to the RDP Application you are targeting. Follow these steps:
1. Navigate to Services, Transparent Login Configurations. Here you can confirm that the configuration you created with the Learn Tool is now available for use.
2. Select the line item for your configuration and confirm that it is as created in the Learn Tool. Alternatively, you can create a configuration file from scratch by selecting the Add button to open a blank template and populating it. Configuration files do not depend on creation with the Learn Tool.
3. Return to Services, Manage RDP Applications.
4. Select the Add button to open a blank template.
5. Enter an RDP App Name that is helpful to your Users when they access the link from their Access pages.
6. In Launch Path, provide the Windows pathname of the application on the local target drive.
7. (Optional) Select Hide From User if you want a user to reach the RDP application within an RDP access method, but not to have individual access to the RDP application.
8. On the Transparent Login tab, select the Transparent Login box.
9. (Optional) In the Application Fingerprint field, paste the SHA-1 digest you generated with the Learn Tool.
10. Select OK. A new line identifies the window of this RDP Application that is used to execute a transparent login. After Privileged Access Manager identifies the title of the designated window, it executes the associated configuration to perform transparent login, or other behavior requiring credentials supplied by Privileged Access Manager.
11. Enter the Window Title that is displayed in the RDP Application GUI.
12. From the drop-down list of currently managed transparent login configuration files (see step 2), select an appropriate configuration in the Transparent Login Configuration field.
13. If you want this configuration to be available to the User during any RDP session (with access to the Windows Desktop) to this target Device, and not exclusively during a session to this RDP Application, select the RDP Session checkbox. When the User connects to the RDP server, the Transparent Login agent is loaded and runs in the background. Once the configured RDP Application is launched, the agent detects it and automatically fills in the necessary information. Enable this option if you are using Hide From User (step 7).
14. You can create more line items using Add Window if you want to assign more transparent login configurations to this RDP Application. For example, the PuTTY procedure produced one configuration for the PuTTY Configuration window and a second for the console window, each of which needs its own line item; you might also specify alternate targets or a different login parameter.
15. Select Save.
16. Edit the Privileged Access Manager Device record for the Windows RDP server so that it uses this RDP Application, now listed under Services.
17. Continue with Activate Policy.
Activate Policy
When you associate a Transparent Login RDP Application Service with a Privileged Access Manager Policy, specify the target accounts for use by the Transparent Login Agent on the target device. These target accounts are referred to as Transparent Login Credentials. They are the credentials used to fill in the "username" and "password" attributes in the Transparent Login scripts generated by the Learn Tool, and they are associated with the Transparent Login RDP Application. Follow these steps:
1. Ensure that the Transparent Login RDP Application is associated with the correct Target Device. Follow the steps to associate a Service with a Device.
2. Navigate to Policies, Manage Policies. Select Add to create a new policy, or Update to add the Transparent Login RDP Application service to an existing policy.
3. Enable Transparent Login for this policy: select the Enabled checkbox on the Transparent Login tab.
4. Select the Services tab.
5. Locate the Transparent Login RDP Application Service under Available Services and select it. Use the right-arrow icon to move the service to the Selected Services area.
6. Select the login target account for auto-login into the policy Device: select the gray magnifying glass icon under the Target Account column.
7. When you select a Transparent Login RDP Application service, the bottom half of the tab populates with details about the service. If you do not require Transparent Login Credentials for this service, select OK to save the policy.
8. Select the magnifying glass icon next to Transparent Login Credentials at the bottom right of the tab.
9. Select the accounts that you want to make available for use with the selected Transparent Login RDP Application Service, and select OK. These are the accounts that the Transparent Login agent offers when the end user accesses a Transparent Login application through the Access page, so list only the accounts that the policy's users actually need.
Caching
Depending on your security needs, and after using the Learn Tool and testing transparent login configurations, you might enable the Transparent Login Cache. This feature caches the Learn Tool (when used), the Transparent Login Agent, and the Control Viewer (when the Learn Tool is used) on the RDP server, so that they do not need to be loaded onto a temporary local drive during each login at that Device, which reduces application startup time. The cached copies then persist on the RDP server between sessions; the Learn Tool's Action, Clear cache menu item removes them.
Configuration
To turn on caching, set Global Settings, Applet Customization, Transparent Login Cache = "Enable".
Usage
During login at a particular target, you see confirmation of the cache storage in the RDP initialization console of each cached application.
User Experience
Script windows and the application interface are displayed briefly as the automation proceeds, and stop changing when the script completes.
After selecting the RDP Application link PuTTY, the user sees this sequence following login at the RDP server host:
- The console for the RDP session initialization appears.
- The console for the transparent login agent (TLA) that is running on the local virtual drive appears.
- The RDP Application (PuTTY) is invoked, and (in this case) a configuration GUI is auto-populated and activated by the transparent login script, eventually invoking a second interface (the PuTTY console).
- The RDP Application (PuTTY) invokes a new window (the console interface), and is auto-populated by the continuing transparent login script. After the script completes, the console interface is ready for User access.
Auditing
You can use logs and session recording for auditing access attempts.
- Logs: Privileged Access Manager logs each access attempt, for example:
2016-03-11 01:16:27 super login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY Configuration" window as "dev"
- Session Recording: A session recording marks the location of the secondary transparent login attempt. For RDP connections to Windows, these attempts are marked in the Events list and by a red arrow on the timeline. You can see event detail as a tooltip from the line item in the Events list, in the Info box at the lower left, and in a pop-up window when you hover over the marker on the timeline. For transparent login activity to be recorded successfully when the User has Internet Explorer, the administrator must configure all equivalent Privileged Access Manager addresses (for example, a cluster VIP name and VIP address) in the browser security settings. See Set Up Session Recording.
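As an added example (not part of the product documentation), the following Python parses transparent-login log lines of the shape shown above into records and flags logins whose application or account falls outside the accounts you granted as Transparent Login Credentials. The field boundaries in the regular expression (Privileged Access Manager user, the literal word "login", the Device name, then the fixed message text) are inferred from the single line on this page; every sample line other than that one is constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Regex modeled on the one transparent-login line shown on the page. The
# field boundaries are an assumption drawn from that line, so a different
# PAM build or log format may need the pattern adjusted.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<pam_user>\S+) login (?P<device>.+?) '
    r'Xsuite user transparently logged into RDP Application '
    r'"(?P<app>[^"]+)" to "(?P<window>[^"]+)" window as "(?P<account>[^"]+)"$'
)


@dataclass(frozen=True)
class TransparentLogin:
    when: datetime
    pam_user: str   # the Privileged Access Manager user who opened the session
    device: str     # the Windows RDP server (Device record name)
    app: str        # RDP Application executable named in the record
    window: str     # window title that triggered the TLC
    account: str    # secondary Target Account injected by the TLA


def parse_line(line):
    """Return a TransparentLogin for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return TransparentLogin(
        when=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        pam_user=m["pam_user"], device=m["device"], app=m["app"],
        window=m["window"], account=m["account"],
    )


def parse_lines(lines):
    """Parse an iterable of log lines, silently skipping non-matching ones."""
    return [r for r in (parse_line(line) for line in lines) if r is not None]


def find_unexpected(records, expected):
    """expected maps RDP Application executable -> set of account names that
    were granted as Transparent Login Credentials. Returns every record whose
    application or injected account is not in that mapping."""
    return [r for r in records
            if r.app not in expected or r.account not in expected[r.app]]


# Constructed sample log. The first line is the one shown on the page; the
# remaining lines are made up in the same shape (the last one deliberately
# does not match, to show that unrelated lines are skipped).
SAMPLE_LOG = """\
2016-03-11 01:16:27 super login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY Configuration" window as "dev"
2016-03-11 01:16:29 super login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY" window as "dev"
2016-03-11 02:05:11 alice login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY" window as "root"
2016-03-11 02:07:40 bob login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "winscp.exe" to "Login" window as "dev"
2016-03-11 02:08:00 bob login Win 2008 R2 (32-bit) (constructed non-matching line)
"""

# Mirrors the Transparent Login Credentials granted in the example policy.
EXPECTED = {"putty.exe": {"dev"}}

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG.splitlines())
    for r in find_unexpected(recs, EXPECTED):
        print(f"{r.when} {r.pam_user} -> {r.app} as {r.account} on {r.device}")
```

Run against an exported log, the script reduces review to two questions a policy owner can answer: which applications and which injected accounts appeared that the policy never granted. Because the Device name contains spaces, the pattern anchors on the fixed message text rather than splitting on whitespace.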