Add Windows Proxy Target Applications and Accounts
Describes how to manage credentials for Windows Proxy accounts.
You can manage credentials for Windows Proxy accounts. For introductory information about the Windows Proxy, see Add a Windows Proxy Connector.
To configure Windows Proxy target applications and accounts, follow these procedures:
Prerequisites for Windows Proxy Accounts
To register Windows Proxy target accounts, including Windows services, verify that the following prerequisites are met.
- Install a Windows Proxy for Credential Manager on the target server, or on another server in the domain that has network connectivity to the target server.
- Create a Device (target server) of type Password Management or A2A.
- Verify that you control an account with Administrator rights on the target server.
- If the target account is of the Administrator account type, it requires Administrator rights on the Windows server. If the target account is to be used as a service account (that is, to rotate the passwords of other target accounts), we recommend that you prevent it from logging on interactively. To do this, assign the following User Rights to the Windows account:
- Deny log on locally
- Deny log on through Remote Desktop Services
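The following PowerShell script is an added example and is not part of the product documentation or the Windows Proxy connector. It verifies that the two "Deny log on" user rights listed above are assigned to the service account, and with -Fix applies them through secedit. The account name CORP\svc-pam-proxy and the temporary file names are hypothetical placeholders; run it in an elevated session on the target server.

```powershell
# Added example, not part of the product documentation: checks (and optionally
# applies) the two "Deny log on" user rights that the prerequisites recommend
# for a Windows Proxy service account. Run in an elevated PowerShell session
# on the target server. The account name below is a hypothetical placeholder.
param(
    [string]$Account = 'CORP\svc-pam-proxy',   # hypothetical service account
    [switch]$Fix                                # add the missing rights
)

# secedit stores principals as *<SID>, so resolve the account name to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the current local user-rights assignments to an .inf file.
$export = Join-Path $env:TEMP 'pam-proxy-rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $export

# Privilege constants behind the two rights named in the prerequisites.
$required = [ordered]@{
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

$missing = @{}
foreach ($priv in $required.Keys) {
    $line = $policy | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    $current = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    # Match the whole SID so ...-1001 does not match ...-10010.
    if ($current -match ('(^|,)\*' + [regex]::Escape($sid) + '(,|$)')) {
        Write-Host "OK       $($required[$priv]) includes $Account"
    } else {
        Write-Warning "MISSING  $($required[$priv]) does not include $Account"
        $missing[$priv] = $current
    }
}
Remove-Item -Path $export -ErrorAction SilentlyContinue

if ($missing.Count -eq 0) { exit 0 }
if (-not $Fix) { exit 1 }

# Build a security template that restates each missing right with the existing
# principals plus our SID (secedit replaces the whole list, so keep the old entries).
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($priv in $missing.Keys) {
    $members = @($missing[$priv] -split ',' | Where-Object { $_ }) + "*$sid"
    $lines += "$priv = " + ($members -join ',')
}
$template = Join-Path $env:TEMP 'pam-proxy-rights-apply.inf'
$db       = Join-Path $env:TEMP 'pam-proxy-rights-apply.sdb'
Set-Content -Path $template -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $template /areas USER_RIGHTS | Out-Null
Remove-Item -Path $template, $db -ErrorAction SilentlyContinue
Write-Host "Applied. Re-run without -Fix to verify."
```

The check compares the full SID rather than the account name because secedit writes SIDs, and a plain substring match could accept a different account whose RID merely starts with the same digits. On a domain-joined server a Group Policy that defines these rights overrides the local assignment at the next refresh, so for domain accounts assign the rights in the GPO that applies to the target server and use the script only to verify the effective result.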
Create a Windows Target Application
Follow these steps:
- Select Credentials, Manage Targets, Applications. The Application List page appears.
- Select Add. The Add Target Application page appears.
- Select the Host Name magnifying glass to find an existing target server.
- Enter a unique Application Name.
- Select Windows Proxy as the Application Type. The Windows Proxy and Account Discovery tabs appear.
- (Optional) Select a Password Composition Policy.
- If you are using target groupings, add Descriptors.
- On the Windows Proxy tab, select the Account Type. If you select Local Account, go to the next step. If you select Domain Account, further options become available.
- Local Account can manage only local accounts on the target server.
- Domain Account can manage Windows domain accounts. We recommend using the Active Directory connector to manage domain accounts. For Domain Account, a drop-down list becomes active with the following options:
- Target Server is Domain Controller (for domain administrator accounts only)
- Domain Controllers are on servers (with Specify Servers text field): enter one or more servers, separated by commas.
- Lookup Domain Controllers in DNS
- Lookup Domain Controllers in specified (with Specify DNS text field): enter one or more DNS servers, separated by commas.
- Domain Name: specify the Windows domain of the managed account.
- Active Directory Site: this field is not active for the Target Server is Domain Controller option. If you enter a site name, the search for domain controllers is narrowed to that site. If the field is empty, all domain controllers in DNS are searched.
- DC replication time (in ms): enter the domain controller replication time, in milliseconds.
- For Active Directory Connect Timeout, enter the timeout for connecting to AD, in milliseconds.
- For Active Directory Read Timeout, enter the timeout for reading from AD, in milliseconds.
- Select one or more Available Proxies and add them to the Selected Proxies list.
- On the Account Discovery tab, select Discover Services and Discover Tasks. Optionally, specify an Account Filter. If you do not specify a filter, all accounts on the Windows server are discovered. Only the * wildcard is supported in filters. Example: User*
The new Windows target application is added to the list of applications on the Target Applications page.
Create a Windows Target Account and Target Alias
Follow these steps:
- Select Credentials, Manage Targets, Accounts. The Account List page appears with a list of existing accounts.
- Select Add. The Add Target Account page appears.
- On the Account tab, select the magnifying glass to find an existing Application Name on the host server, or select + to create a target application. Select or create a Windows Proxy type application. The Host Name field is filled in, and the Windows Proxy tab appears on the Add Target Account page.
- Enter the Account Name. The Account Name must be unique for a given target application and must be the account name that the target system uses. This target account requires Administrator rights on the Windows server.
- Select the Password View Policy for the account.
- Select whether the Account Type is A2A (application-to-application) or Privileged Account. This choice is available only if your license allows A2A accounts.
- (Optional) Enter an Access Type. Access Type is a reference field for customer convenience; Credential Manager does not use it.
- If you select the A2A Account Type, more fields appear:
- If you are using target groupings, enter Descriptors for the target account.
- Enter target Aliases. A target alias name must be unique across Credential Manager.
- Enter the appropriate password Cache Behavior settings for the A2A Client:
- Use Cache First: the A2A Client looks for the password in the local cache first. If there is no cached password, or the cached password is not the most recent, the A2A Client contacts Credential Manager.
- Use Server First: the A2A Client contacts Credential Manager to get the most recent password. If a password is unavailable, the A2A Client looks in the local cache.
- No Cache: the password is never stored in the local cache. The A2A Client always contacts Credential Manager for the password.
- For A2A accounts that use caching, set the cache duration in Cache Expiry Days.
- Enter an initial account Password, or select the blue Generate Password icon to generate one. The Generate Password icon, which looks like a ring with a set of keys, is to the right of the Password field.
- On the Password tab, select Discovery Allowed to allow accounts to be discovered from the Windows Proxy system.
- Select the appropriate synchronization option (for example, update both Credential Manager and the target system). The Synchronized option is not available for the Generic application type.
- Update only the Password Authority Server: passwords are updated only in Credential Manager. Credential Manager and target system passwords can differ.
- Update both the Password Authority Server and the target system: password updates are performed both in Credential Manager and on the target system, to keep them consistent.
- If you use multiple target accounts, add the target servers on the Compound Servers tab. For more information, see the Compound Target Accounts section in Add Target Accounts and Aliases.
- (Optional) If you are adding or updating an account and you do not know the existing password, select the Force password change checkbox. The existing password is changed even though the account is not in sync.
- Select OK to save your changes.
Your new Windows Proxy Account is added to the Target Accounts page.
Use An Alternate Account to Change Passwords
You can specify an account that has the authority to change passwords. On the Windows Proxy tab, the Change Process option determines which account performs password changes. The options are:
- Account can change own password. To allow the target account to change its own password, keep the default option, Account can change own password, selected. The initial password that you enter must match the current password of the target account; the exception is that a user with more privileges can update the password.
- Use proxy credentials to change password. Select this option for domain accounts. For this option to work:
- Configure the Windows Proxy server on a domain member.
- Configure the Windows Proxy service to run with the credentials of a domain account that has the rights to change the target passwords.
- Use the following account to change password. Select this option to specify a master account that can change the password. For most target accounts, a blank field appears below the radio button. Select the magnifying glass and search for the target account to use as the alternate. Avoid using the current target account as the alternate. To show the target accounts that are defined in the system, filter by account name or host name, or show all target accounts. Typically, the alternate is another account of the same application.
Discover Windows Proxy Target Account Services and Scheduled Tasks
You can use account discovery to manage credentials of multiple Windows services and scheduled tasks.
PAM can use the target account to manage password changes and updates for any services and scheduled tasks that use this account, so you do not have to update the password on each service or scheduled task individually.
Before you run account discovery, go to the Account Discovery tab of the Windows Proxy Target application. Select the discover option for services or tasks. You can select both.
Discover Services and Tasks
To discover new tasks and services on Windows Proxy accounts, follow these steps:
- On the Scan Profiles tab, select Run for the profile of the account that you want to update. If a profile does not exist, follow these steps:
- Give the profile a Name.
- On the Servers tab, select the server that is associated with the remote account.
- Select the Discovered Accounts tab. Windows Proxy accounts that have updates available display a green checkbox under the Updates Available column.
- Select the Update button for the Windows Proxy account with updates available. The Update Discovered Accounts window appears. Available services and scheduled tasks appear on their respective tabs.
- Select Yes when you are prompted to Update Selected Accounts.
- To see a list of services and scheduled tasks:
- Select Credentials, Manage Targets, Accounts.
- Select the Services and Scheduled Tasks tabs to display the lists.
To remove tasks and services from a Windows Proxy target account, follow these steps:
- Select Credentials, Manage Targets, Accounts.
- Select the account that you want to modify.
- Select the Services or Scheduled Tasks tab.
- To delete a service or task, select the X next to the entry.
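The following PowerShell script is an added example and is not part of the product documentation or the Windows Proxy connector. It lists the services and scheduled tasks on the target server that run under accounts matching an Account Filter in the style described on the Account Discovery tab (only * is a wildcard, for example User*), so you can cross-check what a discovery run should report and which services and tasks a password rotation will touch. The default filter svc-* is a hypothetical placeholder, and the assumption that the filter is compared against the bare user name (without the domain or machine prefix) is the example's own, not a documented behaviour of the product.

```powershell
# Added example, not part of the product documentation: lists the services and
# scheduled tasks on this server that run under accounts matching a Credential
# Manager style Account Filter, where '*' is the only wildcard (for example
# 'User*'). Use it to cross-check what Credential Manager discovery should find.
# The default filter value is a hypothetical placeholder.
param(
    [string]$AccountFilter = 'svc-*'
)

# Turn the filter into a PowerShell -like pattern: keep '*' as the wildcard and
# escape the other -like metacharacters so they match literally.
$pattern = $AccountFilter -replace '([\[\]\?])', '`$1'

# Compare on the bare user name, so 'CORP\svc-pam' and '.\svc-pam' both match
# 'svc-*' (an assumption of this example, not documented product behaviour).
function Get-BareName([string]$Principal) {
    if (-not $Principal) { return '' }
    return ($Principal -split '\\')[-1]
}

# Services: Win32_Service.StartName is the logon account (e.g. 'CORP\svc-pam',
# '.\svc-local', 'LocalSystem' or 'NT AUTHORITY\NetworkService').
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { (Get-BareName $_.StartName) -like $pattern } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Account = $_.StartName; State = $_.State }
    }

# Scheduled tasks: Principal.UserId is the account the task runs as.
$tasks = Get-ScheduledTask |
    Where-Object { (Get-BareName $_.Principal.UserId) -like $pattern } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'Task'; Name = $_.TaskPath + $_.TaskName; Account = $_.Principal.UserId; State = $_.State }
    }

$found = @($services) + @($tasks)
if ($found.Count -eq 0) {
    Write-Host "No services or scheduled tasks run as an account matching '$AccountFilter'."
} else {
    $found | Sort-Object Type, Name | Format-Table -AutoSize
}
```

Run it on the target server (or through a remote session to it) before the first discovery run and again after removing entries from the Services or Scheduled Tasks tabs: any service or task that still runs as the managed account but is no longer tracked in Credential Manager will break at the next password change, because the stored service credential is not updated.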