Accessing Remote Systems
By default, if you have the View and Login permissions, you can log on to remote systems from the Admin Portal using the default web browser-based client. You can also configure remote sessions to start by launching a local Windows client with an appropriate command or a direct RDP or SSH configuration file. Both of these options enable you to log on to the target system from the Admin Portal through the Delinea Connector.
Logging on to a target system through the connector has several advantages. For example:
- You can watch and terminate remote sessions.
- You can view session activity in the portal and in reports.
- You can configure authentication rules and authentication profiles for remote access.
- You can capture and playback audited remote activity.
Privileged Access Service allows you to access remote systems in the following ways:
- Using the web to remote access a system.
- Using a native Windows client with the Remote Access Kit.
- Using Direct RDP or native SSH to access a remote system.
Procedures
Using the Web to Remote Access a System
To use the default web browser-based client to remote access a system, see Using Default Web-based Clients.
Using a Native Windows Client with the Remote Access Kit
As an alternative to using the default web-based client, you can configure remote connections to use a local Windows-based client or a native UNIX client. By doing so, you can use a familiar interface for performing remote operations. However, these clients and remote connections still require you to enable the SSH or RDP gateway service for at least one connector before you can log on remotely to target systems using secure shell or remote desktop sessions. If the gateway service is available for a connector in your infrastructure and you have appropriate permissions, you can log on either by using stored account information or by manually specifying a user name and password. For information about how to configure a local Windows-based client instead of the default web-based browser for remote connections, see Selecting User Preferences. For information about how to use a native UNIX client for remote connections, see Using Direct RDP or Native SSH to Access a Remote System. For information about adding the gateway service to a connector, see Selecting Connector Services.
If you decide to use a local Windows-based client for remote connections, you have the option to download and install a separate "client launcher" application that is part of the Remote Access Kit software package. The Remote Access Kit enables you to execute the command to open the local client and pass arguments to it without manually typing the command and its arguments every time you open a new session. If you download the Remote Access Kit and trust the website detected for the current cloud server, Privileged Access Service adds the host name for the current cloud server to a list of trusted websites for launching the local client. This information is stored in the HostWhiteList registry key on the computer that hosts the local Windows-based client. You can add other host names to the list of trusted websites or remove host names from the list to ensure the arguments used to invoke the local client are only passed from the secure websites that you trust.
The following diagram illustrates the basic flow when you use a local Windows-based client with the client launcher.
As illustrated in the diagram, selecting a target and account for remote access in the Admin Portal sends initial login information and the request for a token to the server that handles process requests (REST call: GetAuthToken). The server returns the authentication token, which is cached by the Admin Portal and sent with the login information and current URL to the client launcher. The client launcher checks the \HKEY_CURRENT_USER\Software\Centrify\CpsRun\HostWhiteList registry key to determine whether the URL is listed as a trusted website. If the URL isn't listed but the user specifies it is a trusted website, the client launcher requests additional login details (REST call: GetLoginDetails) from the server and passes the login details to a local client, such as PuTTY or a Remote Desktop Session Host client, to connect to the target system.
You can remove a trusted website for the client launcher by manually editing the registry entry on the computer that hosts the local client. If you attempt to add a trusted website and don't see confirmation that the operation was successful, it might indicate a security issue, such as invalid or expired credentials. For more information about specifying URLs for trusted websites and the success or failure of the operation, see the client launcher log file. By default, the log file log.txt is found in the ProgramData\Centrify\CPS Run Log folder.
Keep in mind that manually editing the registry can make a system unstable or unusable if not done properly. Only experienced administrators should modify registry keys directly.
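The trusted-website check described above is worth auditing on any workstation that runs the client launcher, because every host on that list is allowed to hand launch arguments to the local client. The following PowerShell is an added example written for this page, not code from the Delinea documentation or the Remote Access Kit. It reads the HKCU\Software\Centrify\CpsRun\HostWhiteList key the page names, lists its entries, removes a named host, and tails the launcher log at the default location the page gives. The assumption that each trusted website is stored as its own value under that key (rather than, say, one multi-string value) is mine and is not documented on the page; inspect the listing before removing anything, and preview a removal with -WhatIf. The host name in the usage lines is a placeholder.

```powershell
# Added example for this page; not part of the Delinea Remote Access Kit.
# Assumption (not documented on the page): each trusted website is a separate
# value under the HostWhiteList key. Run Get-LauncherTrustedHosts first and
# check the layout before removing anything.

$WhiteListKey = 'HKCU:\Software\Centrify\CpsRun\HostWhiteList'
$LauncherLog  = Join-Path $env:ProgramData 'Centrify\CPS Run Log\log.txt'   # default path per the page

function Get-LauncherTrustedHosts {
    # Returns one object per registry value so the operator can see exactly
    # which websites are allowed to pass arguments to the local client.
    if (-not (Test-Path -Path $WhiteListKey)) {
        Write-Warning "Key not found: $WhiteListKey (kit not installed, or no site trusted yet)"
        return @()
    }
    $key = Get-Item -Path $WhiteListKey
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Name = $name
            Data = $key.GetValue($name)
            Kind = $key.GetValueKind($name)
        }
    }
}

function Remove-LauncherTrustedHost {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $HostName)
    # Removes every value whose name or data equals $HostName (case-insensitive).
    # Honours -WhatIf / -Confirm via ShouldProcess.
    $entries = Get-LauncherTrustedHosts | Where-Object {
        $_.Name -ieq $HostName -or ([string]$_.Data) -ieq $HostName
    }
    if (-not $entries) {
        Write-Warning "No trusted-website entry matches '$HostName'"
        return
    }
    foreach ($entry in $entries) {
        if ($PSCmdlet.ShouldProcess("$WhiteListKey\$($entry.Name)", 'Remove trusted website')) {
            Remove-ItemProperty -Path $WhiteListKey -Name $entry.Name
        }
    }
}

function Show-LauncherLogTail {
    param([int] $Lines = 20)
    # The page says add/remove outcomes are recorded here; check it when a
    # "trust this website" prompt gives no confirmation.
    if (Test-Path -Path $LauncherLog) {
        Get-Content -Path $LauncherLog -Tail $Lines
    } else {
        Write-Warning "Launcher log not found at $LauncherLog"
    }
}

# Usage (the host name below is a placeholder, not a real tenant):
Get-LauncherTrustedHosts | Format-Table -AutoSize
Remove-LauncherTrustedHost -HostName 'old-tenant.example.com' -WhatIf
Show-LauncherLogTail
```

Run the listing under the same user account that launches sessions, since the key lives under HKEY_CURRENT_USER; an entry you do not recognise as your own cloud server host name is exactly the kind of thing the page's warning about untrusted websites is about.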
Changing Windows-Based Client Session Display Size
You can set a user preference to specify the default window size for remote sessions to adjust to different display requirements. For example, if you are viewing sessions using a tablet or a computer with a small monitor you might want to change the display size to suit a smaller screen than when you are working with a full-scale desktop monitor.
If you have administrative rights for the Privileged Access Service, you can change the window size for remote sessions from the Admin Portal by setting a user preference.
For more information about changing the window size for Windows-based client sessions, see Selecting User Preferences
Downloading and Testing the Remote Access Kit
If you want to use the local Windows-based client for remote sessions, you can download and install the Remote Access Kit for Windows computers. After you have downloaded and installed the software package or if you need to verify access to it on a specific local computer, you can test for the availability of the program before you attempt to open sessions using the local Windows-based client.
If you have administrative rights for the Privileged Access Service, you can download, install, and test access to the Remote Access Kit from the Admin Portal by setting a user preference.
For more information about downloading and testing the Remote Access Kit, see Selecting User Preferences.
Downloading and Installing the Remote Access Kit
- In the Admin Portal, click Settings, then click Resources to display the settings available for the Infrastructure Services.
- Click User Preferences.
- Select the local Windows-based client to use for SSH and RDP sessions.
- Click Download to download the Remote Access Kit software package that contains the local client launcher.
- Open the downloaded file and follow the prompts displayed to install the software.
- Click Save.
- Downloading and installing the Remote Access Kit automatically downloads the RDP file for launching a Windows Remote Desktop Connection.
- If you want to immediately verify installation on the local computer, select I have installed the Remote Access Kit on this computer then click Test.
- Click Open Delinea Remote Access Kit to complete verification.
- If you trust the website URL for the current cloud server, click Yes.
If you do not download and install the Remote Access Kit on the local computer, review the instructions displayed for information about how to start sessions using the local Windows-based client with command-line arguments.
Testing the Availability of the Remote Access Kit
- In the Admin Portal, click Settings, then click Resources to display the settings available for the Infrastructure Services.
- Click User Preferences.
- Select I have installed the Remote Access Kit on this computer.
- Click Test.
- If you have installed the Remote Access Kit on the local computer, you are prompted to open it.
- Click Open Delinea Remote Access Kit to complete verification.
- If you trust the website URL for the current cloud server, click Yes.
If you do not download and install the Remote Access Kit on the local computer, review the instructions displayed for information about how to start sessions using the local Windows-based client with command-line arguments.
Accessing Remote Systems with Direct RDP or Native SSH
In some cases, you might want to log on remotely to a target system using a stored account, but without using the portal at all. You can do so by specifying the connector host name or IP address. You use a cloud user's username to begin the session along with the connector IP/FQDN and port. The connector port is the port specified in the connector settings.
The connection client will then prompt you for all the information needed to authenticate your identity and access the target system. For example, if you have not preconfigured any connection strings, you might need to provide your user name and password, a second form of authentication if you have a profile that requires multi-factor authentication, the host name or IP address of the target system, and the stored account you want to use to log on to the target system.
Opening the connection might look similar to the following:
login as: joey@acme.net
Password: ********
Answer security question 'Favorite clown': ******
Hostname: win1.acme.net
Account: qadmin
Connection Strings
The user name is critical when using Direct RDP or SSH to access a system. You use one of the following connection strings as the user name to log into a remote system:
- localaccount@systemname@clouduser
- systemname@clouduser
- clouduser
For SSH, you can use your own connection strings. Additionally, with SSH you can use browserless or direct file transfer.
Direct RDP or SSH Clients for Connecting to Remote Systems
Delinea PAS supports any clients that support RDP files including Microsoft Remote Desktop.
Logging into a Remote System using Direct RDP or Native SSH
You can use native clients such as MSTSC or Putty to directly log into a remote system.
Users with more than 500 sets and/or collections should expect some latency until the connection to the target is made. As such, providing the whole connection string (example: account@system@clouduser) may reduce this time by a few seconds.
To use Direct RDP or SSH to log into a remote system
- Open a Direct RDP or SSH session.
- On the General tab, for Computer, enter the connector IP or FQDN and the port. For the user name, enter a connection string (see Connection Strings above).
- Click Connect.
- A command window appears. You are asked to enter the password for the cloud user you specified, followed by a host name.
- Next, you can choose a vaulted or local user. If you choose a vaulted account, proceed by entering the account name. If you enter an account that is not vaulted, you are prompted to log into the system manually. In the Admin Portal, the same operation is done by navigating to Systems, selecting a system, then Accounts > Actions > Enter Account, where you are asked to enter the user name and password manually.
- Enter the user name and password and click Login.
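The connection-string forms above and the Direct RDP/SSH steps that follow them are easy to get wrong by hand because the cloud user name already contains an '@'. The following PowerShell is an added example for this page, not code from Delinea. It assembles the string in the documented precedence (localaccount@systemname@clouduser, then systemname@clouduser, then clouduser), then either prints an OpenSSH command aimed at the connector or writes a minimal .rdp file for mstsc or Microsoft Remote Desktop. The connector host (connector.acme.net), the gateway ports 22 and 3389, and the joey@acme.net, win1.acme.net and qadmin values are illustrative; take the real port from the connector settings. The .rdp keys used (full address, username, prompt for credentials, authentication level) are standard mstsc settings, not something the page specifies.

```powershell
# Added example for this page; not Delinea code. Values below are illustrative.

function New-PasConnectionString {
    param(
        [Parameter(Mandatory)] [string] $CloudUser,   # PAS cloud user, e.g. joey@acme.net
        [string] $SystemName,                         # optional: target system name or IP
        [string] $LocalAccount                        # optional: vaulted account on the target
    )
    # Forms documented on the page, most specific first:
    #   localaccount@systemname@clouduser | systemname@clouduser | clouduser
    if ($LocalAccount -and -not $SystemName) {
        throw 'A local account needs a system name: localaccount@systemname@clouduser'
    }
    $parts = @()
    if ($LocalAccount) { $parts += $LocalAccount }
    if ($SystemName)   { $parts += $SystemName }
    $parts += $CloudUser
    return ($parts -join '@')
}

function New-PasSshCommand {
    param(
        [Parameter(Mandatory)] [string] $Connector,        # connector FQDN or IP
        [Parameter(Mandatory)] [string] $ConnectionString,
        [int] $Port = 22                                   # assumed; use the connector's configured SSH gateway port
    )
    # -l passes the whole login name, so the extra '@' signs in the connection
    # string are never split by the client's user@host parsing.
    return "ssh -l `"$ConnectionString`" -p $Port $Connector"
}

function New-PasRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Connector,
        [Parameter(Mandatory)] [string] $ConnectionString,
        [Parameter(Mandatory)] [string] $Path,
        [int] $Port = 3389                                 # assumed; use the connector's configured RDP gateway port
    )
    # Standard mstsc .rdp settings. 'full address' is the connector gateway,
    # not the target; the connector prompts for host and account after logon.
    $lines = @(
        "full address:s:${Connector}:${Port}"
        "username:s:$ConnectionString"
        'prompt for credentials:i:1'        # never store the PAS password in the file
        'authentication level:i:2'          # warn if the gateway's certificate cannot be verified
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

# Usage with constructed values
$cs = New-PasConnectionString -CloudUser 'joey@acme.net' -SystemName 'win1.acme.net' -LocalAccount 'qadmin'
New-PasSshCommand -Connector 'connector.acme.net' -ConnectionString $cs
New-PasRdpFile -Connector 'connector.acme.net' -ConnectionString $cs -Path (Join-Path $env:TEMP 'win1-via-connector.rdp')
```

Supplying the full account@system@clouduser form up front is also what the page recommends for users with many sets and collections, since the connector then has nothing left to prompt for before it resolves the target.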
Logging in with a Workflow-enabled Account
If Workflow is enabled, direct RDP/SSH using this account submits a request for login permission. From your RDP or SSH client, attempt to access the account. You will be asked to request login permission for it, similar to the following:
Once the workflow request is submitted, as with all Delinea workflows, the approver is emailed and has a request waiting in Delinea PAS (Access > Requests) to approve or reject. Once the request is approved, you can log in. If it is rejected, you will be asked to request login permission again. For additional information on Workflow for accounts, see Configuring Global Account Workflow.
Logging in with a Non-PAS-Vaulted Account (manual login)
If an account is not vaulted, direct RDP/SSH using that account falls back to a manual login. From the RDP or SSH client, access the non-vaulted account by entering its account name as the user name. You will be asked whether you want to log in manually, and you then supply the credentials yourself. For more information on manually logging into a system, see Manual Logon.
Logging in with an MFA-Enabled Account
If MFA is enabled, direct RDP/SSH using this account challenges you with the challenges defined in the authentication profile. From the RDP or SSH client, enter the password and, for Hostname, enter the IP address or the system name. You then choose the account, are asked whether you wish to log in manually, log in, and answer any MFA challenges set up for the account. For more information on authentication rules, see Creating Authentication Rules.
Logging in with a Reconciliation-Enabled Account
If an account is reconciliation-enabled, direct RDP/SSH using this account resets the password and reconciles it. From the RDP or SSH client, you can log into an account whose stored password no longer matches, and the password is corrected. Such accounts are only corrected if reconciliation is enabled; if not, the login fails. For more information on password reconciliation, see Configuring Windows Local Account Reconciliation.
Logging in with a Discovered Missing-Password Account
If an account is discovered and missing a password, direct RDP/SSH using this account changes the account and grants access to the system. From the RDP or SSH client, you can log into an account using manual login for discovered accounts that do not have passwords. For more information on discovering accounts, see Assigning Alternative Account Profile Management Permissions
Viewing Reports for Remotely Accessed Accounts
There are two reports that provide information on remotely accessed accounts. You can access them from the Admin Portal > Reports:
- Remote Sessions Activity: displays information on any RDP/SSH session from a specific date.
- Remote Sessions Count: displays number of RDP/SSH sessions by connector type.
For more information about accessing remote systems, see the subtopics to this page.