PCS End-to-End Installation and Run Guide

This guide assumes that you already have the Delinea Platform set up for fundamental tasks and that you understand how to use them:

Platform and Secret Server integration
Discovery for active directory users and servers
Setting up a site for engines
Setting up a PRA engine
Installing the Delinea Connector
Setting up an MFA profile (see Add a New Authentication Profile)
Vaulting an account

Procedure Overview

Setting up Privileged Control for Servers to work on the platform and your network servers involves the following tasks:

Step 1: Configure Firewall Ports for PCS

Step 2: Set Up PCS Service Accounts

Step 3: Install the Delinea Connector on Managed Servers

Step 4: Enable IWA Service on Connectors

Step 5: Install the Delinea Platform Engine on Managed Servers

Step 6: Install the Delinea Agent on Managed Servers

Step 7: Run Discovery Scan

Step 8: Check Inventory for your Added Machines

Step 9: Set Up Authentication Profiles for PCS

Step 10: Set up PCS Policies

Step 11: Set up Audit and Session Recording

Step 12: Set up Use My Account for *nix Systems

Step 1: Configure Firewall Ports for PCS

To use Privilege Control for Servers, configure firewall ports appropriately according to the two resources below:

If your firewall ports are already configured correctly, please skip to the next section.

After you configure the firewall ports correctly, return to this page and pick up reading again in the section below.

Step 2: Set Up PCS Service Accounts

On the platform, you need to create two domain service accounts with roles and permissions that are specific to PCS. These accounts must be placed in the Secret Server vault to be used for setting up Delinea Platform Engine Management and its Command Relay workload. You must create at least one of each of these accounts but you can also create more according to best practices for the Secret Server Discovery and Directory Services.

Delinea Platform Engine Management Admin
See Account Permissions and Roles

Command Relay Service Account
See Command Relay Workload

Also see Engine Management and Roles and Permissions.

If the two service accounts above are already set up on the platform, please skip to the next section.

Step 3: Install the Delinea Connector on Managed Servers

The Delinea Directory Connector enables secure communication between the Delinea Platform and AD directories. Install the Delinea Connector on your target servers by following the procedures at Delinea Connector and in these subsections:

If have already successfully installed the Delinea Connector, please skip to the next section.

After you successfully install the Delinea Connector, return to this page and pick up reading again in the section below.

Step 4: Enable IWA Service on Connectors

Enable Integrated Windows Authentication for PCS by following the procedure at IWA Configuration.

Step 5: Install the Delinea Platform Engine on Managed Servers

Delinea Platform Engine and Engine Management are components of the larger Delinea Platform product and they are requirements for using Privilege Control for Servers. The Delinea Platform Engine runs two workloads for PCS:

Command Relay
Audit Collector

On the server where the Delinea Platform Engine will be running, along with its Command Relay and Audit Collector workloads, log in as a user with the custom role you created for viewing inventory. Download and install the Delinea Platform Engine on your target servers by following the procedures at Engine Management

If you have already installed the Delinea Platform Engine on your target servers, please skip to the next section.

Updating the Platform Engine Management Settings

From the left navigation menu click Settings, then select Engine Management.
Select the site that you want to update using the vaulted secret you just created.
Click the Settings tab.
Click Edit next to Audit Collector.
Enter the following configurations:
- Collector Port: 5063
- Session Recording: enabled
Click Save.
Click Edit next to Command Relay.
Next to Command Relay Service Account, click Select.
Search for and select the vaulted engine management account you created earlier.
Click Turn off folder inheritance and share secret.
Click Save.

Updating the Platform Engine

Click Settings, then select Engine Management.
Click the name of the site where your Delinea Platform Engine is installed.
Click the Engines tab.
Look at the Engine Version column.

If the version is not 1.2.33.0 or later, the engine must be updated as described below:

Click the name of the engine
Click the Workloads tab.
Look at the command-relay version column.
If the version is not 1.0.94 or higher, restart the Delinea engine service on the server that is running the Platform Engine. Wait for Command Relay to update.
Log in to the server running the Platform Engine.
Open PowerShell as an administrator.
Copy the uninstall script below:

Clear-Host;Write-Host "Uninstalling Delinea Platform Engine"; $ZipFile = "$env:TEMP\DelineaEngineInstaller.zip"; $InstallerFolder = "$env:TEMP\$(New-Guid)"; $ProgramFilesFolder = 'C:\Program Files\Delinea Platform Engine'; $ProgramDataFolder = 'C:\ProgramData\Delinea Platform Engine'; $ProgressPreference = 'Continue'; Write-Host "Downloading latest installer packages. This may take a moment..."; if (Test-Path $ZipFile) { Remove-Item $ZipFile } if (Test-Path $InstallerFolder) { Remove-Item $InstallerFolder -Recurse -Force } $Uri = 'https://enginepoolupdatedev.blob.core.windows.net/shell-installer/555173/win-x64.zip'; if ($PSVersionTable.PSVersion -lt [Version]"6.0") { $ProgressPreference = 'SilentlyContinue' } Invoke-WebRequest $Uri -OutFile $ZipFile; $ProgressPreference = 'Continue'; Expand-Archive $ZipFile $InstallerFolder; Remove-Item $ZipFile;Set-Location -Path $InstallerFolder; ./Delinea.EnginePool.Engine.Installer.exe uninstall --keep-working-directory; if (Test-Path $ProgramFilesFolder) { Remove-Item -Recurse -Force $ProgramFilesFolder; } if (Test-Path $ProgramDataFolder) { Remove-Item -Recurse -Force $ProgramDataFolder; }
Paste the script into PowerShell.
Run the script.

Note: If errors happen during the uninstall. Close the PowerShell windows. Relaunch PowerShell as administrator and rerun the uninstall script.
On the platform, click Settings, then click Engine Management.
Open the site where the Platform Engine is installed.
Click the Engines tab.
Click the engine name.
Click Delete Engine.

Step 6: Install the Delinea Agent on Managed Servers

See additional content at Agents Reference.

Checking for Agent Installation

To see whether the Delinea Agent is already installed on a given computer, view the computer's information in the Inventory page. See Viewing Your Inventory. If the agent is installed, the Client Version field shows a software version number.

Downloading the Agent

Log in to your platform tenant.
Click Marketplace from the left navigation menu.
Click the Download Center tab.
In the Search box, enter Agent.
Find the agent for your OS.
Click the download icon.
Wait for the package to compile and download.
Copy the download package to the server you want to manage.

Installing the Linux Agent

Requirements

Perl (and the modules: lib, File::Basename, File::Copy, File::Find, File::stat, Getopt::Long, Sys::Hostname and Text::ParseWords)
Forward and Reverse DNS entries for each *nix Server

If you require a different version of *nix agent please visit: https://<tenant>.delinea.app/view/marketplace/browse/authorization/agent-downloads-grid

You can also update the agent installation script to use the new URL for the agent download.

Steps:

Log in to your Linux server as root user.
Create a folder (e.g. delinea-agent) and extract the download package to the folder.
- ```
# mkdir delinea-agent
```
- ```
# tar -xzf rhel6-x86_64.tgz -C delinea-agent/
```
Navigate to the folder that you created above: # cd delinea-agent/
Install the Linux Agent using agent_setup.sh: # ./agent_setup.sh --domain <domain name>

There are several options you can specify if needed. Please refer to the usage of agent_setup.sh: # ./agent_setup.sh --help

Joining to an Active Directory Domain

For the UNIX computers where you have installed the Delinea agent, you need to join them to the Active Directory domain and the Privilege Control zone DelineaZone. To do this, use the adjoin command, either interactively at the command line or in a script. To use this command, you need to have certain privileges, and it must be run with a set of required command-line options. For details, see Join Linux/Unix Computers to a Domain and Zone.

Installing the Windows Agent

Requirements:

.Net 4.8 is needed – already done in lab environment
Must be joined to the AD domain and zone

Steps:

Log in to the server as domain administrator.
Select the Windows Agent you downloaded in the previous step.
Right-click the downloaded Windows zip agent file.
Select Extract All...
Click Extract. The extracted files will open in a new file explorer window.
Note: The container package is in ZIP format, but the files inside are in TGZ format.
Open the Agent-for-Windows-6... folder.
Launch the agent for Windows 64.
Click Next. The Delinea Agent for Windows Wizard opens.
Click Next.
Accept the terms of the license agreement
Click Next.
Keep the default destination folder.
Click Next.
Click Install.
Select Run Agent Configuration Wizard

Agent Configuration Wizard

Click Add Service.
Click Privilege Elevation Service.
Click OK.
Select the DelineaZone.
Click Next.
Select Yes to add the Domain Admins.
Select Yes to Restart.

Step 7: Run Discovery Scan

From the left navigation menu, click Discovery, then select Sources.
Click Run Discovery Now.
From the drop-down menu, click Run Discovery Scan.

It might take a minute or two for the Discovery Scan to complete.

Step 8: Check Inventory for your Added Machines

From the left navigation menu, click Inventory, then select Computers.
On the Computers page, verify that your computers have been added.

Step 9: Set Up Authentication Profiles for PCS

For additional information on platform authentication profiles, see Authentication Profiles.

Emergency Access Profiles

You do not need to create any profiles for Emergency Access policies, because their Rule Type is always Allow, meaning they do not accept a Rule Profile (Authentication Profile).

Endpoint Login Profiles

Profiles for Endpoint Login policies should not have Challenge 1 set to Password, because the platform will always present a password challenge to the user first, automatically.

Local Administrator Privilege Profiles

Profiles for Local Administrator Privilege policies should not have Challenge 1 set to Password, because the platform will always present a password challenge to the user first, automatically.

Step 10: Set up PCS Policies

PCS authentication policies provide users with machine-level (server) permissions for logging into and performing actions on remote computers and servers managed by Delinea. By assigning machine-level policies, you can ensure that each asset adheres to compliance standards, maintaining both security and efficiency across your network. For a policy to grant access, all the policy's rules and conditions must be satisfied, and the user must not be denied access by a different policy with the same rules and conditions.

Viewing Policies

Click Policies from the left navigation menu. The Policies page opens, listing each policy available in your platform environment on a table row, with columns for details including the policy Name, State, Deployment Status, and Policy Type.

Deployment Status

The deployment status refers to the deployment of the policy on the target, and can be Active, Activating, Active - incomplete, Activation Failed, Deactivating, Deactivation Failed, or Inactive. The Activating and Deactivating statuses appear for just a few seconds.

When the policy is not being enforced on one or more targets that are included in the policy, because the Delinea Agent is not installed on the targets, a warning message is displayed here in the Deployment Status area. Click the message to get a list of the affected computers.

Creating a Policy

To define a policy, use the following steps.

Click Policies from the left navigation menu. The Policies page opens, listing each policy available in your platform environment.
Click Create Policy.
On the Create Policy page, click a radio button to select a policy type from among the types listed. A policy type is defined by the events you want to control. Select one of the following:
- Emergency Access: Users who meet the conditions defined in this policy can log in and perform elevation actions when a server can not communicate with the Delinea Platform.
  
  We strongly suggest that you define and enable an Emergency Access policy, at the minimum, to avoid losing access to your Delinea Platform instance.
- Endpoint Login: Users who meet the conditions defined in this policy can log in to any computer where this policy is enabled.
- Local Administrator Privileges: Users who meet the conditions defined in this policy gain administrative privileges on the target agent. The user can run any command as administrator or root. On Windows, the Run with Privilege option is used; on Linux, the dzdo command is used.
- (Private Preview customers only) Granular Privilege Elevation: For users who meet the conditions defined in this policy, administrators can assign elevated permissions to users or groups so they can run commands on Windows and Unix/Linux servers.
  
  This feature is currently available only to customers participating in a private preview. If you'd like to participate to be among the first to try this feature, ask our support or account team for details.
Click Select template. A page opens where you can create a new policy. For details about how to fill out this page, see the next few sections.

Policy Details

In the first section of the Create Policy page, specify the basic information about the policy.

Enter a policy name in the Name field.
(Optional) Enter a policy description in the Description field.
Select the box next to Enabled to enable the policy.

Command Groups

This feature is currently available only to customers participating in a private preview. If you'd like to participate to be among the first to try this feature, ask our support or account team for details.

(For Granular Privilege Elevation policies only)

In a standard UNIX shell environment, an ordinary user account can execute a large number of common command-line programs without any special privileges, and one or more administrative accounts, such as root, are required to execute commands that perform privileged operations. If ordinary users need to execute any of the commands requiring administrative privileges, they might have to switch to an administrative account that requires them to know the password for a privileged users or been granted access by configuration settings in a sudoers file.

A policy of type Granular Privilege Elevation controls access on Delinea managed computers to all the commands in the command group. In this section of the Create Policy page, you will choose one or more command groups to specify which commands you want to enable users to run.

Each command group contains a set of command-line programs. Before you can add command groups to a policy, you must first define the commands, then add them to command groups, as described in the next few sections.

Creating Commands

If needed, create one or more new commands. Commands are configured by defining command rights, adding the rights to the appropriate roles, and assigning the roles to different users and groups. Users who have been assigned the appropriate roles can then run privileged commands by invoking the dzdo command.

The most common reason for defining a command right is to grant access to commands that perform privileged operations. For example, you might want to grant users additional privileges to execute specific commands in a standard shell environment that they are not otherwise allowed to execute with the default rights associated with their account.

You can define command access rights to tightly control the specific commands users can execute. You can also refine those rights to only allow specific arguments to be used or to require an executable to be located in a specific directory.

From the left navigation menu, click Policies > Commands.
Click Create command and choose the operating system (Linux/Unix or Windows).
Click Create custom command.
Enter a name and (optional) description.

The name is required and must not be more than 63 characters in length or contain any special characters, such as asterisks (*), slashes (\ /), question marks (?), or quotation marks (“).

The rest of the steps depend on whether you are defining a Linux/Unix command or a Windows command.
- For a Linux/Unix command, use steps 5 - 8.
- For a Windows command, use steps 9 - 11.
(Linux/Unix) In Command, give the name of the command as you would enter it at the command line; for example, vi.

You can also use wild cards or a regular expression to specify commands matching a particular pattern.
(Linux/Unix) In Arguments, give any input arguments that the command requires; for example, /etc/ssh/sshd_config to edit the SSH server's config file. Glob pattern matching is used to expand any wildcard expressions.
(Linux/Unix) In Match path, choose the path where the command can be found:
- Select Standard user path to use the local operating system’s common set of user directories to find the command; for example, /bin, /usr/bin.
- Select Standard system path to use the directories the root user would normally get on the local operating environment to find the command; for example, /sbin, /usr/sbin
- Select System search path to search for the command in a predefined set of locations. The search locations are defined using the dzdo.search_path configuration parameter. If you select System search path and the dzdo.search_path parameter is not defined, the current user’s path is used to search for the command. For example, /sbin, /usr/sbin, /bin, /usr/bin.
- Select Specific path to define a custom set of locations for finding the command specified. You can specify one or more paths, separated by a colon. If you set both Command and Specific path to match all strings (*), any command from any path is allowed.
(Linux/Unix) In Run command as, choose the user role that determines the permissions that will be used to run the command. You can specify a user account or run the command as root. The user account must be present on the endpoint.

In most cases, the local root account is the appropriate account to use because it allows ordinary users to execute the specified command using root account privileges. However, you can click Add to add other users, groups, or service accounts that can be used to execute the command. Use the format #UID for UID values, %group for group names, or %#GID for GID values.

The account used to execute commands can be an Active Directory user with a UNIX profile in the zone or a local UNIX user account. However, the account used to log on and invoke the command using dzdo must be associated with an Active Directory account.

The role that is set in Run Command As is only applicable to users executing policies under the dzdo command. Users with the Restricted Shell (dzsh defined as their login shell) continue to execute policies as the logged-in user.
(Windows) In Application, give the name of the application runtime file; for example, taskschd.msc.
(Windows) In Arguments, give any input arguments that the application requires; for example, \s.
(Windows) In Match path, choose the path where the command can be found:
- Standard system path
- Specific path; for example, %systemroot%\system32\
(Windows) (For Private Preview customers only) In Run command as, select one of the following to choose the user or group whose permissions will be used to run the command:

This feature is currently available only to customers participating in a private preview. If you'd like to participate to be among the first to try this feature, ask our support or account team for details.
- To use a Windows built-in security group: Choose Built-in group from the dropdown, then choose one of the provided Active Directory security groups. For more information about these groups, see Active Directory security groups in the Microsoft documentation.
- To use an individual user: Choose AD domain user from the dropdown, then click Select a domain user to search for and select a user account. The user account must be present on the endpoint.
- To use an Active Directory security group that is defined in one of the domains accessible to your policy: Choose AD domain group from the dropdown, then click Select a domain group to search for and select an Active Directory domain group.
Click Create command.

The command is saved, and the Commands list page is displayed again. The new command appears in the list.

If needed, repeat these steps to create more commands.

Creating Command Groups

After creating all the commands you need, create command groups.

From the left navigation menu, click Policies > Command groups.
Click Create command group.
Enter a name and (optional) description.
Click Assign command.
Click one or more checkboxes next to the commands you want to include in the command group.

If you are not sure which commands to choose, you can click the name of any command to see its details.
Click Create group.
If needed, repeat these steps to create more command groups.

Adding Command Groups to the Policy

After creating all the command groups you need, you are ready to fill out the Command Groups part of the Create Policy page for a Granular Privilege Elevation policy.

Click Add command groups.

The Select Command Groups page shows all the command groups that have been defined.
Click one or more checkboxes next to the command groups you want to include in the policy.

If you are not sure which groups to choose, you can click the name of any group to see which commands it includes.

Modifying Commands and Command Groups

You can edit commands and command groups after creating them and adding them to policies. To do so, display the command or command group and click Edit or Delete.

The Delinea Platform keeps track of changes to commands and command groups. The platform records the modification date and the username of the person who made the change. The platform then updates its display wherever the changed entity is shown.

To be specific:

When a command is modified, the modification date and username are updated and displayed in the following pages:

Commands page, which lists all of the commands
Pages for any command group that contains the command
Pages for any policy that includes a command group where the command is a member

When a command is added to a command group or removed from a command group, the date and username are updated and displayed in the following pages:

Command Groups page, which lists all the command groups
Pages for any policy that includes the command group

When a command is deleted, the date and username are updated and displayed in the following pages:

Pages for any command group that contained the command
Pages for any policy that included a command group where the command was a member

When a command group is deleted, the date and username are updated and displayed in the pages for any policy that included the command group.

Policy Subjects

Scroll down to the Subjects section to see a list of available subjects. Subjects are the users and user groups your policy can apply to, based on the template you selected earlier.
Click the Add Subjects button.
Select the box next to each AD user and user group you wish to add to the policy.
Click the Update button.

Policy Targets

Targets are the computers and computer groups your policy can apply to, where the Subject will perform the action, based on the template you selected earlier.

Scroll down to the Targets section.

To define the targets, make one of the following choices:
- To add individual computers and computer groups, click Add computers. In the Select Computers dialog, select the box next to each computer and computer group your policy will apply to.
  
  Computers where the Delinea Agent is installed and AD computers where the Delinea Agent is not yet installed can all be selected as policy targets. To see whether a computer has the agent installed, see Checking for Agent Installation.
- (Private Preview customers only) To add collections, click Add collections. In the Select Collections dialog, select the box next to one or more collections, then click Add Collections. For more information about collections, see Computer Collections.
  
  This feature is currently available only to customers participating in a private preview. If you'd like to participate to be among the first to try this feature, ask our support or account team for details.
Click the Update button.

When you finish defining the policy and you set its status to Enabled, the policy will start to be enforced on the selected targets where the Delinea Agent is installed.

For any target that does not have the agent installed, a policy that is set to Enabled will start to be enforced whenever the agent is installed and the target is joined to a domain and zone. A message is displayed on the Policy page to let you know when one or more targets that are included in the policy are not being enforced because the agent is not installed. Click the message to get a list of these computers so you can remedy the situation. You can download the list in CSV format.

For more information about installing the agent or determining whether it is already installed on a computer, see Step 6: Install the Delinea Agent on Managed Servers.

Policy Conditions

Conditions define when or how the policy should by applied. Conditions are optional. If a policy has a time range condition, the policy will apply only within that time range. All of the time conditions must be met. Local time, not universal time, is used.

If a policy has no time range condition, the policy will apply at all times.

Scroll down to the Conditions section.
Click Add Condition.
Click inside the Search or pick one box below Condition Type.
Select one of the condition types displayed or enter text to search. When you have selected a condition type, options will appear below Constraint.
Set the constraints for the condition you selected.
To add another condition, click Add Condition again and follow the same procedure.

Policy Controls

Controls are additional requirements the user must meet to fulfill the requirements of the policy. All of the control conditions must be met.

Policy controls can be set in the following ways:

MFA. Requires multi-factor authentication. If you select MFA, a new Search or pick one box appears. Select an Authentication Profile to specify which MFA challenges the user must pass and how much time will elapse before the user is prompted again for authentication. Emergency Access profiles always allow access without MFA, so the option is not presented.
Require Session Recording: Denies access if session recording cannot be performed on the endpoint. For example, session recording is not available if the audit service is not enabled on the endpoint or a session recording process is blocked. Require Session Recording can be assigned as the only control, or in conjunction with MFA. Require Session Recording can be also be applied to local administrator privileges. Emergency Access profiles always allow access without session recording, so the option is not presented.

To define policy controls:

Scroll down to the Controls section.
Select MFA if you want to require multi-factor authentication.

Emergency Access profiles always allow access without MFA, so the option is not shown.
If you select MFA, a dropdown list box appears.

Select an authentication profile from the ones presented.
Select Require Session Recording if you want to deny access when session recording can not be performed.

Emergency Access profiles always allow access without session recording, so the option is not shown.
When you have made all the required changes, click Create Policy.
Click Activate to activate the policy.

Default Identity Policy

Click Access from the left navigation menu, then click Identity policies from the secondary menu.
Click to open the Default Policy.
Select the Authentication tab.
Scroll to the Other Settings section and click Edit.
Enable IWA connections and the two available options.
Click Save.
Log in to the Delinea Platform as one of the AD users you created.

Step 11: Set up Audit and Session Recording

If audit and session recording are already set up on your platform, please skip to the next section.

Click Insights from the left navigation menu.
Click Session review from the secondary menu.
Log into the server as the administrator, root, or normal AD user.

Configure on Linux

Do not skip these steps. The Linux agent requires Direct Audit to be enabled on the Agent when policies have session recording enabled. If you skip these steps, and enable Session Recording in a Granular Privilege Elevation policy for Linux, you could be blocked from logging in to the Linux agent. See Issue: I can not log in to my Linux agent after enabling Session Recording.

Log in as root user.
Enter commands:
1. dacontrol -i DelineaPlatformAudit
2. dacontrol -e
3. dainfo

Configure on Windows:

Log in a Domain Administrator.
Launch Agent Configuration.
Click Add Service.
Select Auditing and Monitoring Service.
Click OK.
On Enable session capture and replay page, select DelineaPlatformAudit.
Click Next.
Audit and Monitoring configuration is complete.

Viewing Audit Session Recordings

If you already know how to view audit session recordings on the platform, please skip to the next section.

On the platform, click Insights, then click Session review.

Linux

Run commands as root user.
Run commands as normal AD users.
1. Elevate Commands as a normal AD user having the Local Administrator Privileges policy using the dzdo command.

Windows

Run programs as the administrator.
Run commands as a normal AD user.
1. Launch elevated desktop as a normal AD user having the Local Administrator Privileges policy.

Step 12: Set up Use My Account for *nix Systems

Setup Using Delinea OpenSSH

To automatically set up UMA for *nix systems, run the agent_setup.sh script during the agent installation.

Using OS Stock Version of OpenSSH

The agent_setup.sh script automatically sets up UMA during the agent installation process.

Automatic Script for UMA

Navigate to where you downloaded the agent from the Delinea Marketplace.
Run the following script with root permissions:

./uma_setup.sh --install-cakey-file delinea_<tenantname>_date.pub -v

Example: ./uma_setup.sh --install-cakey-file delinea_jwtraining-us_20240125_124856.pub –v

Manual Steps

Navigate to and open the folder where you downloaded the agent from the Delinea Marketplace.

The agent is a .pub file in the following format: delinea_{tenant-name}_{download-date}.pub
Copy the pub file to the ssh directory. Example:
1. cp delinea_{tenant-name}_{download-date}.pub /etc/ssh/users_ca.pub
  1. cp delinea_fishing_20231213_041058.pub /etc/ssh/users_ca.pub
Edit the sshd_config file but make a backup copy in case you need to revert back:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_121323bk
Edit the sshd_config file with the following lines:
1. Example command: vi /etc/ssh/sshd_config
2. AuthorizedPrincipalsCommand /usr/bin/adquery user -P %u
3. AuthorizedPrincipalsCommandUser root
4. TrustedUserCAKeys /etc/ssh/users_ca.pub
Restart OpenSSH Service
1. Example: systemctl restart sshd.service

Step 13: Test Use My Account

UMA is only for *nix systems with the agent installed that is joined to the domain and zone.

Log in to the platform as an AD user with permission to log in to the Linux system.
Click Inventory from the left navigation menu.
Find and the server with the agent installed that is joined to the domain and zone.
Hover your cursor over the row with the target computer, and click the launch icon.
Select Launch with My Account.

When reusing the same tenant for testing and the same SE Lab Template, make sure you delete all AD users from the platform.