Add Windows Proxy Target Applications and Accounts

Describes how to manage credentials for Windows Proxy accounts.
You can manage credentials for Windows Proxy accounts. For introductory information about the Windows Proxy, see Add a Windows Proxy Connector.
To configure Windows Proxy target applications and accounts, follow these procedures:
Prerequisites for Windows Proxy Accounts
To register Windows Proxy target accounts, including Windows services, verify that the following prerequisites are met.
  • Install a Windows Proxy for Credential Manager on the target server or another server in the domain that the target server can access.
  • Create a Device (target server) of type Password Management or A2A.
  • Verify that you have control of an account with Administrator rights on the target server.
  • If the Windows Remote target account is of Administrator account type, the account requires Administrator rights on the Windows server.
    If your target account is to be used as a service account (that is, it is to be used to rotate passwords of other target accounts), we recommend that you prevent this account from being able to login interactively. To do this, assign the following User Rights to the Windows account:
    • Deny log on locally
    • Deny log on through Remote Desktop Services
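As an added example that is not part of this documentation, the following PowerShell checks whether a service account already holds both deny rights in the local security policy and applies them if it does not, using secedit export and configure. It assumes an elevated session on the target server; the account name is a constructed placeholder.

```powershell
# Added example (not from the product documentation): check, and if needed apply,
# the two "Deny log on" user rights for a Credential Manager service account.
# Assumptions: run in an elevated PowerShell on the target server; the account
# name below is a constructed placeholder.
$Account = 'CONTOSO\svc-pam-proxy'

$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# secedit exports user rights as "Privilege = *SID,*SID" lines in an INF file.
$export = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
$lines = Get-Content $export

# Privilege constants behind the two policy names the documentation lists.
$wanted = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

$changes = @()
foreach ($priv in $wanted.Keys) {
    $current = ($lines | Where-Object { $_ -match "^$priv\s*=" }) -replace "^$priv\s*=\s*", ''
    $members = @(($current -split ',') | Where-Object { $_ })
    if ($members -contains "*$sid") {
        Write-Host "OK       $($wanted[$priv]) already denies $Account"
    } else {
        Write-Host "MISSING  $($wanted[$priv]) does not include $Account"
        # secedit /configure replaces the whole list for a privilege, so keep existing members.
        $changes += "$priv = " + (($members + "*$sid") -join ',')
    }
}

if ($changes.Count -gt 0) {
    $inf = Join-Path $env:TEMP 'deny-logon.inf'
    @('[Unicode]', 'Unicode=yes',
      '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]') + $changes |
        Set-Content -Path $inf -Encoding Unicode
    $db = Join-Path $env:TEMP 'deny-logon.sdb'
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    Write-Host 'Applied to local security policy. A domain GPO that defines these rights overrides it.'
}
```

Re-run the script after a Group Policy refresh to confirm the rights were not reverted by a domain policy.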
Create a Windows Target Application
Follow these steps:
  1. Select Credentials, Manage Targets, Applications. The Application List page appears.
  2. Select Add. The Add Target Application page appears.
  3. Select the Host Name magnifying glass to find an existing target server.
  4. Enter a unique Application Name.
  5. Select "Windows Proxy" as the Application Type.
    The Windows Proxy and Account Discovery tabs appear.
  6. (Optional) Select a Password Composition Policy.
  7. If you are using target groupings, add Descriptors.
  8. On the Windows Proxy tab, select the Account Type.
    If you select Local Account, go to the next step. If you select Domain Account, you select from further options.
    • Local Account is only able to manage local accounts on target servers.
    • Domain Account is able to manage Windows Domain accounts. We recommend using the Active Directory connector to manage Domain Accounts.
      For the Domain Account, a drop-down list becomes active, with the following options:
      • Target Server is Domain Controller (for domain administrator accounts only)
      • Domain Controllers are on servers (with Specify Servers text field). Enter one or more servers, separated by commas.
      • Lookup Domain Controllers in DNS
      • Lookup Domain Controllers in specified DNS servers (with Specify DNS text field). Enter one or more DNS servers, separated by commas.
      For DNS Servers, complete the following fields:
      • Domain Name: Specify the Windows domain of the managed account.
      • Active Directory Site: This field is not active for the Target Server is Domain Controller option. If you enter a value, it is used to narrow the search for domain controllers, using the specified name. If the field is empty, we search for all domain controllers in DNS.
      • DC replication time (in ms): Enter the frequency of replication in milliseconds.
    • For Active Directory Connect Timeout, enter the timeout for connecting to AD, in milliseconds.
    • For Active Directory Read Timeout, enter the timeout for reading from AD, in milliseconds.
  9. Select one or more Available Proxies and add them to the Selected Proxies list.
  10. On the Account Discovery tab, select Discover Services and Discover Tasks. Specify an optional Account Filter.
    If you do not specify a filter, all accounts are discovered from the Windows server. Use only the * wildcard character in filters. Example: User*
  11. Select OK.
The new Windows target application is added to the list of applications on the Target Applications page.
Create a Windows Target Account and Target Alias
Follow these steps:
  1. Select Credentials, Manage Targets, Accounts. The Account List page appears with a list of existing accounts.
  2. Select Add. The Add Target Account page appears.
  3. On the Account tab, select the magnifying glass to find an existing Application Name on the host server, or select + to create a target Application. Select or create a Windows Proxy type application.
    The Host Name field is filled. The Windows Proxy tab appears on the Add Target Account page.
  4. Enter the Account Name. The Account Name must be unique for a given target application and must be the account name that is used by the target system.
    This target account requires Administrator rights on the Windows server.
  5. Select the Password View Policy for the account.
  6. Select whether the Account Type is A2A (application-to-application) or privileged account. This choice is only possible if your license allows for A2A accounts.
  7. (Optional) Enter an Access Type. Access Type is a reference field for customer convenience; it is not used by Credential Manager.
  8. If you select the A2A Account Type, more fields appear:
    1. If you are using target groupings, enter Descriptors for the target Account.
    2. Enter target Aliases. A target alias name must be unique across Credential Manager.
    3. Enter the appropriate settings for password Cache Behavior for the A2A Client:
      • Use Cache First: The A2A Client looks for the password in the local cache first. If there is no password or if the password is not the most recent, the A2A Client contacts Credential Manager.
      • Use Server First: The A2A Client contacts Credential Manager to get the most recent password. If a password is unavailable, the A2A Client looks in the local cache.
      • No Cache: The password is never stored in the local cache. The A2A Client always contacts Credential Manager for the password.
    4. For A2A accounts that use caching, set the cache duration in Cache Expiry Days.
  9. Enter an initial account Password or select the blue Generate Password icon to generate a default password. The Generate Password icon is to the right of the Password field and looks like a ring with a set of keys.
  10. On the Password tab, select Discovery Allowed to discover accounts from the Windows Proxy system.
  11. Select the appropriate synchronization option (for example, update both Credential Manager and the target system). The Synchronized option is not available for the Generic application type.
    • Update only the Password Authority Server: Passwords are updated only in Credential Manager. Credential Manager and target system passwords can differ.
    • Update both the Password Authority Server and the target system: Password updates are performed both in Credential Manager and on the target system to maintain consistency.
  12. If you use multiple target accounts, add the target servers on the Compound Servers tab. For more information, see the Compound Target Accounts section in Add Target Accounts and Aliases.
  13. (Optional) If you are adding or updating an account and you do not know the existing password, select the Force password change checkbox. The existing password gets changed, even though the account is not in sync.
  14. Select OK to save changes.
Your new Windows Proxy Account is added to the Target Accounts page.
Use An Alternate Account to Change Passwords
You can specify an account that has the authority to change passwords. On the Windows Proxy tab, the Change Process option lets you determine which account manages password changes. The options for this setting are:
  • Account can change own password.
    To allow the existing target account to change its own password, keep the default option, Account can change own password, selected. The initial password that you enter must be the same as the target account password. The exception is a user with more privileges, who can update the password.
  • Use proxy credentials to change password.
    Select this option for domain accounts. For this option to work:
    • Configure the Windows Proxy server on a Domain member.
    • Configure the service to run with credentials for a domain account that the Windows Proxy connector can use to change passwords.
  • Use the following account to change password.
    Select this option to specify a master account that can change the password. For most target accounts, a blank field appears below the radio button. Select the magnifying glass and search for the target account to use as the alternate. Avoid using the current target account as the alternate.
    To show the target accounts that are defined in the system, filter by account name or host name. You can also show all target accounts. Typically, the other account is an account of the same application.
Discover Windows Proxy Target Account Services and Scheduled Tasks
You can use account discovery to manage credentials of multiple Windows services and scheduled tasks. PAM can use the target account to manage changes and updates for any services and scheduled tasks that use this account. You do not have to update the password on an individual service or scheduled task basis.
This procedure is for local Windows accounts. To discover services and scheduled tasks for Active Directory accounts, see Discover Services and Scheduled Tasks for AD Accounts.
Prerequisite
Before you run account discovery, go to the Account Discovery tab of the Windows Proxy Target application. Select the discover option for services or tasks. You can select both.
Discover Services and Tasks
To discover new tasks and services on Windows Proxy accounts, follow these steps:
  1. Select Credentials, Discovery.
  2. On the Scan Profiles tab, select Run for the profile of the account you want to update.
    If a profile does not exist, follow these steps:
    1. Select Add.
    2. Give the profile a Name.
    3. On the Servers tab, select the Server that is associated with the remote account.
    4. Select Run.
  3. Select the Discovered Accounts tab.
    Windows Proxy accounts that have updates available display a green checkbox under the Updates Available column.
  4. Select the Update button for the Windows Proxy account with updates available.
    The Update Discovered Accounts window appears. Available Services and Scheduled Tasks appear on their respective tabs.
  5. Select OK.
  6. Select Yes when you are prompted to Update Selected Accounts.
  7. To see a list of services and scheduled tasks:
    1. Select Credentials, Manage Targets, Accounts.
    2. Select the Services and Scheduled Tasks tabs to display the list of accounts.
To remove tasks and services from a Windows Proxy target account, follow these steps:
  1. Select Credentials, Manage Targets, Accounts.
  2. Select the account that you want to modify.
  3. Select Update.
  4. Select the Services or Scheduled Tasks tab.
  5. To delete a service or task, select the X next to the entry.
More Information:
Account Discovery