Configure Windows Transparent Login

Provisioning Windows transparent login on and through Privileged Access Manager has these stages:
  1. Preparing Target Device records, including an RDP server hosting an RDP Application
  2. Running the Learn Tool at the RDP server in coordination (through the RDP Access Method applet) with Privileged Access Manager
  3. Configuring the RDP Application record on Privileged Access Manager
  4. Provisioning Target Account records and Privileged Access Manager Policy
To run Learn Tool and edit transparent login configurations, a Privileged Access Manager administrator must have at minimum the role of Service Manager. This level of role permits the servicesRead, servicesManage, and servicesDelete privileges. Among the preconfigured roles, these privileges are also provided only to the Global Administrator and Operational Administrator roles.
Prepare Targets
Initially, as the Privileged Access Manager administrator, you provision a Device and the RDP Application that is the target (or intermediary) of the transparent login. You might also want to provision (in Credential Manager) the primary access credentials that are consumed during login to the Device. At this stage, you do not need to provision the secondary credentials that are consumed by the RDP Application.
Run Learn Mode
During Learn Mode, Privileged Access Manager is taught the credential-processing interfaces of the provisioned RDP Application. This process captures the required sequence in a transparent login configuration file that is stored at Privileged Access Manager.
Example Procedure
This example procedure sets up a connection to a Linux target device using the RDP Application PuTTY.
  1. Confirm that you have provisioned in Privileged Access Manager your desired target Device. Confirm that the target RDP Application, which is configured later in Privileged Access Manager, is installed on that Device.
  2. If needed, log in to Privileged Access Manager as the administrator responsible for Learn Mode.
  3. Navigate to the Access page.
  4. Mouse over the RDP link to the target Device so that (after a moment) it displays the RDP options pop-up window.
  5. While in that panel:
    1. Select the option Learn mode.
    2. You might also want to expand the size of your RDP window in Resolutions to the largest practical value. Example: "Fullscreen". Learn Mode is easier to use when there is a large target desktop.
    3. Select Launch to initiate the RDP connection.
    Your RDP applet and connection launch.
    Following login, a script window appears telling you that the Learn Mode Tool ("Transparent Login Learn Tool") is launching. The initial Learn Tool window opens. If transparent login configurations are already set up, they are shown in the drop box near the upper left corner of the Learn Tool.
    With the Learn Tool, you can create a configuration script that allows Privileged Access Manager to recognize the username, password, submit, and other widgets of an RDP Application when your Users connect to that application. This script also populates and executes these widgets for transparent login.
    Initially, several configurations (Transparent Login Configurations, or TLCs) can be pre-populated in Privileged Access Manager. As the Learn Tool is launched, these configurations are loaded into Learn Tool memory and are available from the configuration name drop-down list.
    In this example, we create a configuration. First, assign it a name, in this example PuTTY-to-LinuxTarget1. This name is found in the Transparent Login Configurations list on Privileged Access Manager. You can edit the name in the Name field when you prepare your RDP Application record.
    1. Select the "Add new configuration" button, and in the dialog window enter a Name, and select OK.
      The configuration name now appears in the field to the left of that button, and is immediately saved.
    2. To save the (currently empty) configuration in Privileged Access Manager with this name, select the "Save configuration" button.
  6. Open your target RDP application; a configuration interface is ordinarily presented (the PuTTY Configuration window).
    While both the Learn Tool and the application are open during this procedure, you populate the Learn Tool script window (the body of its GUI). You identify widgets on the target application using one of several Learn Tool widgets that are detailed in the following tables. Each use of a scripting widget inserts a script command.
    When executing PuTTY using its GUI, the simplest procedure might be to specify a target address, then execute a connection using PuTTY default parameters, and then automatically submit the username and password to effect a login.
    First, identify for the Learn Tool the location of the Host Name (or IP address) field on the PuTTY Session screen. When the script is run, Privileged Access Manager knows where to insert that address.
  7. To create the script command that provides this functionality, select the "Text input" tool. Like each of the other Learn Tool scripting controls, this tool invokes an Add Edit Tag dialog window. Specify parameters to identify and populate this command in this window.
    The first field is the Element type. In this case, select the default "Text Field", which is the type of control widget that the PuTTY Host Name (or IP address) field is. (The other choices are "Drop Down List", "Checkbox", "Radio Button", and "Keystrokes".) To identify where this field is, provide the Element ID. The first step is to invoke the application AutoIt Control Viewer (v. 1.1) from the Learn Tool menu:
  8. Select the "Run Control Viewer" button from the Learn Tool menu bar. You might briefly see a script window, and then in a minute or so the Control Viewer window appears. Now you have three windows. The Learn Tool window is resizable.
  9. In the Control Viewer window, press and hold your mouse over the Browse Tool square area to the upper right. A magnifying glass icon appears, which is your control selection cursor.
    While you hold your mouse down, move this cursor over to the location of the widget (GUI field, or control) that you want to identify.
    As you move the cursor, the control of the target application that is under the cursor displays a red outline. Depending on how the application (PuTTY) was designed, the red outline might refer to a single control or a group of controls.
    1. If the specific control (here, the host name field) is already outlined in red, you would now skip the remainder of this step 10.
    2. However, if a group of controls is selected, you have not yet identified the Host Name (or IP address) field itself.
      1. Look at the additional characteristics for the control that is highlighted as the blue item in the Controls list at the bottom of the Control Viewer window. This list also identifies any subordinate controls that are contained by that control. In this case, we want to identify the specific host name control.
      2. Scroll that list to select the other controls in the list, one by one, until you match the one you are searching for. When the selected control is outlined, note (under the Control tab in the central Info group) what its full Instance name is: here, "[CLASS:Edit; INSTANCE:1]".
  10. You have now identified the exact field that Privileged Access Manager must populate. Finish using the Learn Tool Add Edit Tag window that you opened in step 8:
    1. Select the entire Instance name (from open bracket to close bracket, inclusive), and copy it into the Element Id field.
    2. In the Value type field, select the "text" option. The other two options are "username" and "password." These options refer to data that is supplied by Privileged Access Manager during execution, and not embedded in the script.
    3. In the Value field, enter the IP address that you use to populate that PuTTY field. Alternatively, you can specify a variable hostname by using Value type="host" (which has a fixed Value="true"). In that case, the Device that is associated with the secondary Target Account that is specified in policy is used. See also Element type='Keystrokes' in step 14, in which a Target Account is also used to populate username and password.
    4. Select OK to insert the populated script command. The command appears in the script body.
  11. The second element in the PuTTY Configuration window that you identify is the Open button (on the same screen), which is used to execute the connection:
    1. Use the Control Viewer procedure of step 10 to identify the Element ID for this button.
    2. Once you have that ID, open the "Mouse click" tool because that is how this PuTTY control is used. The Add Mouse Click Tag popup window appears.
    3. We are using the first option, Click on the element. The other option allows you to specify a specific pixel location for the mouse click. Enter the Element ID value that you identified in step 12a into the ID field.
    4. Select OK to insert the populated script command. The command appears underneath the first command you entered.
    You have now specified the two elements that provide PuTTY a destination.
    However, the point of the transparent login feature is to insert Privileged Access Manager-supplied credentials transparently. Although the PuTTY application closes its configuration window and opens a console for execution of the SSH connection, create a script to provide those credentials. Select the "Save configuration" button to save the current configuration. Then, select the "Add new configuration" button to create another configuration for PuTTY login credentials.
    PuTTY opens its console and communicates with the target Linux Device. Doing this might take some time, and we can account for it in the script.
  12. Select the "Sleep" clock icon to open a new widget in which you enter a number of milliseconds. As a rough estimate, you might provide 1000, which allows PuTTY to open and close its windows and be ready with the prompt it receives from its target device.
    Now you can assume that your console window is ready with the first of its login prompts from the target, for the username. The Learn Tool allows you to enter a script command that recognizes the Target Account Name:
  13. Select the "Text input" tool again. Set up the Add Edit Tag dialog with Element type="Keystrokes" (and then Element ID="window" by default) and Value type="username".
    Select OK. The script command that is created grabs the Account Name from the Target Account that is provided by Privileged Access Manager through your Policy specification. The command then passes it along to the PuTTY target.
  14. However, to submit the username to the OS, you then have to send a return command, that is, the Enter key. Use the "Text input" tool as in the previous step. This time set Value type="text", and for Value, click your mouse inside its field and press the Enter key. The field then displays the text {ENTER}. Select OK to insert this tag.
  15. Likewise, use the "Text input" tool to set a second command with Value type="password". Remember before entering that command to insert another "wait" command using the "Sleep" tool as already explained. You might need to experiment for the most efficient wait times.
    Save this TLC by selecting the (now-active) Save configuration floppy disk icon near the right side.
    Now you are ready with your script. However, you might want first to test it to see that it performs as expected. Privileged Access Manager provides this capability with the "Debug" tool.
  16. (Optional) To test your configuration, run the Debug tool. This feature executes the currently staged TLC script while displaying debug-level messages in a console.
    1. Select the "Debug" tool button to open the Run dialog window.
    2. In the App path field, use the browse […] button to the right to specify the location of the RDP Application executable.
    3. Enter the Title of the first window, so that Debug can locate it.
    4. When credentials and destination must be supplied to execute script processing fully, enter them in Username, Password, and Host.
    5. When you are ready to run the debug program, select Run.
      The Debug console appears.
      • The Debug program first checks each tag for syntax errors, providing feedback in the console, under an initial "App #1" line label.
      • When you bring the RDP Application window (manually) into focus, the Debug program then executes the script. The sequence is labeled ("Try #1"), and then feedback is provided for each tag. If a tag fails to execute successfully, the script is restarted and executes again.
  17. (Optional) To improve security in confirming your target application, generate and copy the SHA-1 digest for the RDP Application. Use the Learn Tool's Get Application Fingerprint feature. When configuring the RDP Application in Privileged Access Manager, copy this value into the Application Fingerprint field.
Reference
The following tables describe the Learn Tool features.
Learn Tool: Menu Bar
  • View, Always on Top
    When selected, this feature keeps the Learn Tool window in front of all other windows, even when it is not in focus.
    The selection state is persistent: After logging off this Device and then logging in again, the option value (whether selected or unselected) remains the same.
    Default: Selected
  • Action, Clear cache
    Select to remove currently cached applications.
    When cache is set to "Enable" in Global Settings, Applet Customization, Transparent Login Cache, the Windows target caches the Transparent Login Agent (TLA), Learn Tool, and Control Viewer that are downloaded during connection from Privileged Access Manager when transparent login has been configured, provisioned, and activated. On subsequent connections to that Windows target, the load times for these applications are reduced.
  • Help, Learn Tool Help
    Opens the Compiled HTML (CHM) Learn Tool Help file, which contains detailed descriptions of the Learn Tool controls.
  • Help, About
    Identifies the Learn Tool application and build versions in a dialog window.
Learn Tool: XML Scripting Controls
One set of <window></window> tags brackets a single-level sequence of XML commands for Privileged Access Manager to manipulate the windows of an RDP Application.
Each script control inserts a line containing one XML tag with attributes at the end of the sequence, above the </window> tag.
You can copy-and-paste the XML tag lines as in a text editing program, so you can move the lines when and where needed.
  • Camera icon: Screen verification
    Allows insertion of a tag that verifies that a portion of the screen image of the transparent login application matches a previously saved screen capture.
    Usage:
      1. After selection, the mouse cursor becomes a cross hair, while the full screen area of the RDP window dims and becomes an active grid. Meanwhile, the Learn Tool window is hidden from the desktop so that it does not interfere with screen capture.
      2. Use the cross-hair cursor to define a rectangle indicating a portion of the RDP Application GUI to be compared to the same GUI during runtime.
      3. After mouse-up from the cursor, the dialog window Screen Capture Preview displays the comparison Screen capture and the Generated XML Tag to be inserted as PNG.
      4. Select OK to insert this tag and show the Learn Tool window again.
    Note: Ensure that the captured image portion does not vary from application invocation to invocation, and matches whether the window is active or inactive.
    Example (truncated): <checkimg content="iVBORuu ... C6kYII=" />
  • Clock icon: Sleep
    Allows insertion of a tag that pauses the script for a configurable number of milliseconds.
    Usage: Upon selection, opens the Add Sleep Time Tag pop-up window to specify the milliseconds, then inserts the tag at the end of the script.
    Example: <sleep time="500" />
  • Keyboard void icon: Freeze Input
    Allows insertion of a tag that disables user input (keyboard and mouse events) while a Transparent Login script is running. Freeze Input can prevent re-injection of the user password when using multiple browser tabs. This example freezes user input for 10 seconds.
    Note: Place this statement at the beginning of your script.
    Example:
      <inputfreeze action="enable"/>
      <sleep time="10000"/>
      <inputfreeze action="disable"/>
  • Duplicate windows icon: Activate window
    Allows insertion of a tag that places the named window into focus.
    Usage: Upon selection, inserts this tag at the end of the script.
    Example: <activate />
  • Mouse icon: Mouse click
    Allows insertion of a <click> tag, which effects a mouse click at a specified location:
      • on a specified button as identified using the Control Viewer; or
      • at the center of the target window; or
      • at a location specified "x" pixels from the left and "y" pixels from the top of the target window.
    Example (button): <click id="[CLASS:TEdit; INSTANCE:2]" />
    Example (window center): <click pos="center" />
    Example (location): <click x="123" y="72" />
  • Page with pencil: Text input
    Allows insertion of a tag that submits one of these data types:
      • Edits a specified control (field, drop-down list, checkbox, radio button) so that it contains specified data (text, sequence value, Boolean value).
      • Sends a text string, which is composed of literal values, key stroke shortcuts or labels, or parameters provided by Privileged Access Manager such as username or password.
    Element type, Element ID, Value type, and Value:
      • Element type "Text Field"; Element ID as determined through Control Viewer (see example in procedure):
        • Value type "text": Value is a string, to populate the field.
        • Value type "username", "password", or "host": Value is "true". For the specified Value Type, TLA sends the Value that is attached to the User policy through the target account record.
      • Element type "Combobox":
        • Value type "text": Value is a string, matching a (drop-down) list option.
        • Value type "index": Value is an integer, as specified to select the ordinal location of a (drop-down) list option.
      • Element type "Keystrokes"; Element ID "window" (or none):
        • Value type "text": Value as specified:
          (a) strings, and
          (b) key stroke tags:
            (i) entered into the dialog field by typing merely the named key:
              • includes: ENTER, ESCAPE, TAB
              • appear as: {ENTER}, {ESCAPE}, {TAB}
              • only one is permitted per XML tag
            (ii) entered by typing the key sequence: for example, {F1} is entered by typing the four keys { + F + 1 + }
        • Value type "username", "password", or "host": Value is "true". For the specified Value Type, TLA sends the Value in the Target Account that is chosen for the RDP Application that is specified in Privileged Access Manager policy.
    Element type, Element ID, and Checked:
      • Element type "Checkbox"; Element ID as determined through Control Viewer: Checked is "True" or "False".
      • Element type "Radio Button": Checked is "True".
    Example (using "Text Field", "text" options in dialog): The following tag inserts the text string "123" (without quotes) into the ID-specified text field:
    <edit id="[CLASS:TEdit; INSTANCE:1]" text="123" />
  • Checkmark icon: Element Verification
    Allows insertion of a tag that confirms or denies existence of an element. Optionally verifies that element in a specified state (for example, a text field containing a particular string).
    Element types: Text field | Combobox | Checkbox | Radio Button
    Element ID: Code identification of GUI feature that is obtained through Control Viewer.
    Value: Literal. Ranges: Checkbox and Radio Button: (only) "checked"
    Example: The following tag verifies that the radio button that is identified has been selected:
    <verify component="radiobutton" id="[CLASS:TRadioButton; INSTANCE:3]" />
    If the component is not confirmed, the TLC script halts.
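The tag forms in the examples above can be checked mechanically before a configuration is saved. The following Python linter is an added example, not part of the product or its documentation. It covers only the tag and attribute forms shown in this page's examples (the Keystrokes, username, password, and host forms are not shown here, so such tags are reported as unchecked), and both sample TLCs, including the Open button ID and the host address, are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Element and window IDs in the form the page shows, e.g. "[CLASS:Edit; INSTANCE:1]".
ELEMENT_ID = re.compile(r"^\[CLASS:[^;\]]+; INSTANCE:\d+\]$")


def is_uint(value):
    """True for a non-empty string of ASCII digits."""
    return bool(re.fullmatch(r"[0-9]+", value or ""))


def lint_tlc(xml_text):
    """Return a list of findings for one TLC; an empty list means none."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "window":
        return [f"root element is <{root.tag}>, expected <window>"]

    findings = []
    if not ELEMENT_ID.match(root.get("id", "")):
        findings.append("window id is not of the form [CLASS:x; INSTANCE:n]")

    freeze_on = False
    for pos, tag in enumerate(root, start=1):
        where = f"tag {pos} <{tag.tag}>"
        if len(tag):
            findings.append(f"{where}: has child elements, the sequence is single-level")
        if tag.tag == "sleep":
            if not is_uint(tag.get("time")):
                findings.append(f"{where}: time must be whole milliseconds")
        elif tag.tag == "inputfreeze":
            action = tag.get("action")
            if action == "enable":
                if pos != 1:
                    findings.append(f"{where}: enable belongs at the beginning of the script")
                freeze_on = True
            elif action == "disable":
                if not freeze_on:
                    findings.append(f"{where}: disable without a preceding enable")
                freeze_on = False
            else:
                findings.append(f"{where}: action must be enable or disable")
        elif tag.tag == "click":
            # The page shows three mutually exclusive forms: id, pos, or x and y.
            forms = ["id" in tag.attrib, "pos" in tag.attrib,
                     "x" in tag.attrib or "y" in tag.attrib]
            if sum(forms) != 1:
                findings.append(f"{where}: use exactly one of id, pos, or x and y")
            elif forms[0] and not ELEMENT_ID.match(tag.get("id")):
                findings.append(f"{where}: malformed element id")
            elif forms[1] and tag.get("pos") != "center":
                findings.append(f"{where}: the only pos value shown is center")
            elif forms[2] and not (is_uint(tag.get("x")) and is_uint(tag.get("y"))):
                findings.append(f"{where}: x and y must both be whole pixel counts")
        elif tag.tag in ("edit", "verify"):
            if not ELEMENT_ID.match(tag.get("id", "")):
                findings.append(f"{where}: malformed or missing element id")
        elif tag.tag == "checkimg":
            if not tag.get("content"):
                findings.append(f"{where}: empty screen capture content")
        elif tag.tag != "activate":
            findings.append(f"{where}: tag form not shown on the page, not checked")
    if freeze_on:
        findings.append("inputfreeze enable has no matching disable")
    return findings


# Constructed sample: host field, Open button click, and a wait, with input frozen.
GOOD_TLC = """<window id="[CLASS:PuTTYConfigBox; INSTANCE:1]">
  <inputfreeze action="enable"/>
  <edit id="[CLASS:Edit; INSTANCE:1]" text="192.0.2.10" />
  <click id="[CLASS:Button; INSTANCE:1]" />
  <sleep time="1000" />
  <inputfreeze action="disable"/>
</window>"""

# Constructed sample with one defect per line plus an unclosed input freeze.
BAD_TLC = """<window id="PuTTYConfigBox">
  <sleep time="1s" />
  <inputfreeze action="enable"/>
  <click id="[CLASS:Button; INSTANCE:1]" x="10" y="20" />
  <edit id="CLASS:Edit" text="192.0.2.10" />
</window>"""

if __name__ == "__main__":
    for name, tlc in (("GOOD_TLC", GOOD_TLC), ("BAD_TLC", BAD_TLC)):
        print(name, lint_tlc(tlc) or "no findings")
```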
Learn Tool: Utilities
  • Page with magnifying glass: Run Control Viewer
    Runs the third-party, Learn Tool bundled application, AutoIt Control Viewer version 1.1.
    This application can be used to determine the Element ID when needed in a script command. (No other Control Viewer functions are needed for Privileged Access Manager use.)
    Usage (to identify a control or widget): See example in steps 9-10 of the procedure.
    Usage (to identify a window name): To populate the <window id=""> XML tag (top line of the TLC):
      1. From the Control Viewer window in the Browse Toolbox in the upper right, click your mouse and hold it down to show the magnifying glass cursor.
      2. While holding your mouse down, drag the cursor so that it is over your RDP Application window title bar, then let your mouse up.
      3. In the Control Viewer Info panel, Window tab, Class row, copy the text from its field. For example, for PuTTY, Control Viewer might display "PuTTYConfigBox".
      4. Paste the text from that field into the following string:
        [CLASS:WindowID; INSTANCE:1]
        substituting "WindowID" with your actual value.
      5. Paste the entire revised string between the quotation marks into the <window id="" /> tag on the first line of your TLC.
    Example: <window id="[CLASS:PuTTYConfigBox; INSTANCE:1]" />
  • Fingerprint: Get Application Fingerprint
    Calculates and displays an application fingerprint for an RDP Application so that it can be used during transparent login attempts.
    Usage:
      1. Select this button to open the Get Application Fingerprint dialog window. Select the path location of the application executable and a fingerprint string is generated and populated into the Application Fingerprint field. Copy the full text string into the Ctrl-C buffer or a text file.
      2. Paste the fingerprint to the corresponding Application Fingerprint field of a Privileged Access Manager RDP Application record.
      3. When Privileged Access Manager makes a transparent login attempt, it first checks this stored fingerprint against one generated for the RDP Application discovered on the target RDP server (Windows Device). If the fingerprints do not match, the attempt is canceled.
  • Play icon: Debug
    Runs the TLC script currently staged in the Transparent Login Configuration panel (the main body of the window).
    Usage: See example in step 17 of the previous procedure.
Learn Tool: File Controls
  • Drop-down list: Filter by name / (configuration name)
    Displays the name of the configuration staged in the Transparent Login Configuration field (the 'body' of the window).
  • Drop-down list: (configuration list)
    This drop-down list lists transparent login configurations, either:
      (a) all staged in the Learn Tool
      (b) filtered by name (string) entered
    When the Learn Tool is launched following an RDP connection, these configurations are copied from the full set that is managed in Privileged Access Manager Services, RDP Applications, Transparent Login Configurations. The initial set of configurations can include several configuration samples (for example, for PuTTY or WinSCP) corresponding to recent versions of those applications.
  • Page with plus sign: Add new configuration
      1. Opens a dialog window into which you can enter the name for a new configuration.
      2. Upon selecting OK, the Learn Tool body is cleared (to <window> tags), a new config file is created on Privileged Access Manager with that name, and the name is loaded into the drop-down field.
      3. Upon creation of new XML tags, the name is marked with a preceding asterisk, indicating unsaved changes.
  • Duplicate pages: Copy configuration
      1. While a configuration file is staged, this button opens a dialog window into which you can enter the name for a new configuration.
      2. The content of the first configuration is then copied into the new configuration so it appears in the Learn Tool GUI as if only the name has changed. You can then edit and save to that new file.
  • Page with X: Remove configuration
      1. Opens a dialog window for confirmation.
      2. Upon selection, removes the currently staged configuration from the Learn Tool and the file from Privileged Access Manager.
  • Inactive - gray floppy disk; Active - blue floppy disks: Save configuration
    When active, saves the currently displayed configuration to Privileged Access Manager.
  • Inactive - gray floppy disks; Active - blue floppy disks: Save all changes
    When active, saves all configurations that are staged in the Learn Tool drop-down (that differ from currently saved versions) to Privileged Access Manager.
  • Cycle arrow: Refresh all
    Loads all currently saved Privileged Access Manager TLCs into Learn Tool. If there are unsaved configurations in the Learn Tool, they are erased.
Configure an RDP Application
After using Learn Mode, you have a transparent login configuration in Privileged Access Manager that you can apply to the RDP Application you are targeting.
Follow these steps:
  1. Navigate to Services, Transparent Login Configurations.
    Here you can confirm that the configuration you created with the Learn Tool is now available for use.
  2. Select the line item for your configuration, and confirm that it is as created in the Learn Tool.
    Alternatively, you can create a configuration file from scratch by selecting the Add button to open a blank template and populate it. Configuration files are not dependent on creation with the Learn Tool.
  3. Return to Services, Manage RDP Applications.
  4. Select the Add button to open a blank template.
  5. Enter an RDP App Name that is helpful to your Users when they access the link from their Access pages.
  6. In Launch Path, provide the Windows pathname for the local target drive location of the application.
  7. (Optional) Select Hide From User. Select this option if you want a user to access the RDP applications in an RDP access method, but not allow the user individual access to the RDP application.
  8. On the Transparent Login tab, select the Transparent Login box.
  9. (Optional) In the Application Fingerprint field, paste the SHA-1 digest you generated while using the Learn Tool.
  10. Select OK. A new line identifies the window of this RDP Application that is used to execute a transparent login. After Privileged Access Manager identifies the title of the designated window, it executes the associated configuration to perform transparent login, or other behavior requiring credentials supplied by Privileged Access Manager.
    1. Enter the Window Title that is displayed in the RDP Application GUI.
    2. From a drop-down list of currently managed transparent login configuration files (see Step 2), select an appropriate configuration in the Transparent Login Configuration field.
    3. If you want this configuration to be available to the User during any RDP session (with access to the Windows Desktop) to this target Device, and not exclusively during a session to this RDP Application, select the RDP Session checkbox. When the User connects to an RDP server, the Transparent Login agent is loaded and runs in the background. Once the configured RDP Application is launched, the Transparent Login agent detects it and automatically fills out the necessary information to proceed. Enable this option if you are using Hide From User in step 7.
    4. You can create more line items using Add Window if you want to assign more transparent login configurations using this RDP Application. (For example, using PuTTY, you might specify alternate targets or a different login parameter.)
  11. Select Save.
  12. Edit the Privileged Access Manager Device record for the Windows RDP server so that it uses this RDP Application, now listed under Services.
  13. Continue with Activate Policy.
Activate Policy
When you associate a Transparent Login RDP Application Service with a Privileged Access Manager Policy, specify target accounts for use by the Transparent Login Agent on the target device. These target accounts are referred to as Transparent Login Credentials. They are the credentials that are used to fill in the "username" and "password" attributes in the Transparent Login scripts generated by the Learn Tool. They are associated with the Transparent RDP application.
Follow these steps:
  1. Ensure that the Transparent Login RDP Application is associated with the correct Target Device. Follow the steps to associate a Service with a Device.
  2. Navigate to Policies, Manage Policies. Select the Add button to create a new policy or Update to add the Transparent Login RDP Application service to an existing policy.
  3. Enable Transparent Login for this policy. Select the Enabled checkbox on the Transparent login tab.
  4. Select the Services tab.
  5. Locate the Transparent Login RDP Application Service under Available Services and select the service. Use the right-arrow icon to move the service to the Selected Services area.
  6. Select the login target account for auto login into the policy Device. Select the gray magnifying glass icon under the Target Account column.
  7. When you select a Transparent Login RDP Application service, the bottom half of the tab populates with the details about the service. If you do not require Transparent Login Credentials for this service, select OK to save the policy.
  8. Select the magnifying glass icon next to Transparent Login Credentials on the bottom right of the tab.
  9. Select the accounts that you want to make available for use with the selected Transparent Login RDP Application Service. Select OK. These are the accounts that the Transparent Login agent offers for use when the end user accesses a Transparent Login application through the Access page.
Caching
Depending on your security needs, and after using the Learn Tool and testing transparent login configurations, you might enable the Transparent Login Cache. This feature caches the Learn Tool (when used), the Transparent Login Agent, and the Control Viewer (when Learn Tool is used) on the RDP server. They do not need to be loaded onto a temporary local drive during each login at that Device, thus reducing application startup time.
Configuration
To turn on caching, set Global Settings, Applet Customization, Transparent Login Cache = "Enable".
Usage
During login at a particular target, you see confirmation of the caching storage in the RDP initialization console of each application cached.
User Experience
Script windows and the application interface are displayed briefly as the automation proceeds, and stop showing changes when the script completes.
Following selection of the RDP Application link PuTTY, the user sees this sequence following login at the RDP server host:
  1. The console for the RDP session initialization appears.
  2. The console for the transparent login agent (TLA) that is running on the local virtual drive appears.
  3. The RDP Application (PuTTY) is invoked, and (in this case) a configuration GUI is auto-populated and activated by the transparent login script, eventually invoking a second interface (the PuTTY console).
  4. The RDP Application (PuTTY) invokes a new window (the console interface), and is auto-populated by the continuing transparent login script. After the script completes, the console interface is ready for User access.
Auditing
You can use logs and session recording for auditing access attempts.
  • Logs
    Privileged Access Manager logs each access attempt, for example:
2016-03-11 01:16:27 super login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY Configuration" window as "dev"
  • Session Recording
    A session recording marks the location of the secondary transparent login attempt. For RDP connections to Windows, these attempts are marked in the Events list and by a red arrow on the timeline. You can see event detail as a tooltip from the line item in the Events list, and in the Info box at the lower left and in a pop-up window during cross-over on the timeline.
    For transparent login activity to be successfully recorded when the User has Internet Explorer, the administrator must configure all equivalent Privileged Access Manager addresses (for example, a cluster VIP name and VIP address) in the browser security settings. See Set Up Session Recording.
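For reviewing transparent login activity in bulk, the log message shown under Logs can be parsed and compared with the RDP Application and Window Title pairs that you provisioned. The following Python code is an added example, not product code. It assumes that every transparent login entry follows the single sample line above, keeps the undocumented fields between the timestamp and the message as raw context, and uses constructed extra log lines and a hypothetical approved list.

```python
import re
from datetime import datetime

# Matches the transparent login message from the Logs example. The text between
# the timestamp and "user transparently logged into" is kept verbatim as
# "context" because the page does not document those columns.
EVENT = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<context>.*?) '
    r'user transparently logged into RDP Application "(?P<app>[^"]+)" '
    r'to "(?P<window>[^"]+)" window as "(?P<account>[^"]+)"\s*$'
)


def parse_events(lines):
    """Return one dict per transparent login entry; other lines are skipped."""
    events = []
    for line in lines:
        match = EVENT.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def unexpected_events(events, approved):
    """Events whose (application, window title) pair was never provisioned.

    approved is a set of (executable name in lower case, window title) pairs
    taken from your RDP Application records.
    """
    return [e for e in events
            if (e["app"].lower(), e["window"]) not in approved]


def accounts_by_app(events):
    """Map each application to the sorted target accounts injected into it."""
    result = {}
    for event in events:
        result.setdefault(event["app"].lower(), set()).add(event["account"])
    return {app: sorted(accounts) for app, accounts in result.items()}


SAMPLE_LOG = [
    # Line quoted from the Logs example on this page.
    '2016-03-11 01:16:27 super login Win 2008 R2 (32-bit) Xsuite user '
    'transparently logged into RDP Application "putty.exe" to '
    '"PuTTY Configuration" window as "dev"',
    # Constructed lines for illustration.
    '2016-03-11 01:20:02 super login Win 2008 R2 (32-bit) Xsuite user '
    'transparently logged into RDP Application "winscp.exe" to '
    '"Login" window as "root"',
    '2016-03-11 01:21:40 super logout Win 2008 R2 (32-bit) session closed',
]

# Hypothetical approved list: only the PuTTY configuration window is provisioned.
APPROVED = {("putty.exe", "PuTTY Configuration")}

if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for event in unexpected_events(parsed, APPROVED):
        print("review:", event["ts"], event["app"], event["window"], event["account"])
    print(accounts_by_app(parsed))
```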