Remote Support Integration with Secret Server
BeyondTrust's Remote Support plugin integration with Delinea Secret Server enables automatic password injection into authorized systems over encrypted BeyondTrust connections, removing the need to share or expose privileged-account credentials. In addition to machine-specific credentials, the integration also allows retrieval of domain credentials that are not tied to a specific machine, giving domain admins and other privileged users access to those credentials for use on endpoints in a domain.
The integration between BeyondTrust and Delinea enables:
- One-click password injection and session spawning.
- Credentials never exposed to authorized users of BeyondTrust.
- Access to systems on or off the network with no preconfigured VPN or other routing in place.
- Passwords always stored securely in Delinea Secret Server.
This integration works only with Secret Server Cloud and is not compatible with the Delinea Platform (Secret Server on the Delinea Platform).
Integration Workflow
The BeyondTrust Endpoint Credential Manager (ECM) enables the communication between Delinea Secret Server and BeyondTrust Remote Support. The ECM is deployed to a hardened Windows Server inside the firewall, typically in the same network as Secret Server.
When a remote support session is initiated, SRA sends context about the user and target endpoint to the integration. The integration then authenticates to Secret Server using the configured application account, calling the Authenticate SOAP method to obtain a primary auth token. It then calls ImpersonateUser to perform a secondary authentication on behalf of the requesting user, followed by SearchSecretsByFieldValue to find secrets the user can access for the target endpoint.
The user is presented with a list of matching secrets and selects the one to inject. The integration retrieves the full secret details by calling GetSecret, and if the secret includes file attachments such as SSH keys or certificates, calls DownloadFileAttachmentByItemId to retrieve them. The credential data is then encrypted and transmitted back to SRA, which injects it into the remote session.
When the session ends, SRA notifies the integration, which calls CheckIn to release the secret so it becomes available to other users. Delinea Secret Server handles all elements of securing and managing the passwords, so policies that require the password to be rotated after use are supported. BeyondTrust Remote Support handles creating and managing access to the endpoint and then recording the session and controlling the level of access granted to the user, including what the user can see and do on that endpoint.
Configuration
Before configuring the integration, ensure the following requirements are met in Secret Server:
- Enable Web Services: Navigate to Admin > Configuration > General and confirm that Enable Webservices is set to Yes.
- API Application Account: Create or designate an application account that the integration will use to authenticate against the Secret Server SOAP API.
- Impersonate Permission: The API application account's role must include the Web Services Impersonate permission (sometimes listed as simply Impersonate). This allows the integration to perform actions on behalf of the requesting user.
- Secret and Folder Access: The API application account must have appropriate access to the secrets and folders that end users will need to retrieve credentials from during remote sessions.
For detailed instructions on configuring the BeyondTrust side of this integration, refer to the BeyondTrust documentation.
SOAP API Endpoints
The integration uses the following Secret Server SOAP API methods:
| SOAP Method | Purpose |
|---|---|
| Authenticate | Authenticates the API application account and returns a primary auth token. |
| ImpersonateUser | Performs secondary authentication to impersonate the requesting user. |
| SearchSecretsByFieldValue | Searches for secrets the requesting user can access that match the target endpoint. |
| GetSecret | Retrieves the full details of the selected secret. |
| DownloadFileAttachmentByItemId | Downloads file attachments associated with a secret (e.g., SSH keys, certificates). |
| CheckIn | Checks the secret back in after the session ends so it is available to other users. |
Troubleshooting
The integration fails to connect to Secret Server Cloud
If the integration cannot reach your Secret Server Cloud instance, verify that the SOAP endpoint URL does not include an extra /SecretServer/ path segment. The correct format is https://<your-tenant>.secretservercloud.com/webservices/SSWebservice.asmx. A common mistake is to use https://<your-tenant>.secretservercloud.com/SecretServer/webservices/SSWebservice.asmx, which will cause the connection to fail. Note that on-premises installations that use a /SecretServer/ virtual directory may require the longer path.
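The check below is an added example, not part of the Delinea documentation or the BeyondTrust integration, that validates a configured SOAP endpoint URL before it is saved: it requires HTTPS and the `/webservices/SSWebservice.asmx` path, flags the extra virtual-directory segment on a Secret Server Cloud host, and suggests the corrected URL. Hostnames in the usage are constructed samples; treating any `*.secretservercloud.com` host as a cloud tenant is an assumption of this example.

```python
from urllib.parse import urlsplit, urlunsplit

SOAP_PATH = "/webservices/SSWebservice.asmx"
CLOUD_SUFFIX = ".secretservercloud.com"   # assumption: this suffix identifies a cloud tenant


def check_soap_endpoint(url: str) -> dict:
    """Validate a Secret Server SOAP endpoint URL.

    Returns {"ok": bool, "problems": [str], "suggested": str | None}; 'suggested'
    is filled when an extra path segment was found on a cloud host.
    """
    parts = urlsplit(url)
    problems, suggested = [], None
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.path.lower().endswith(SOAP_PATH.lower()):
        problems.append(f"path must end with {SOAP_PATH}")
    segments = [s for s in parts.path.split("/") if s]
    is_cloud = (parts.hostname or "").lower().endswith(CLOUD_SUFFIX)
    # Cloud tenants serve the endpoint at the site root; on-premises installs
    # may legitimately sit under a virtual directory such as /SecretServer/.
    if is_cloud and len(segments) > 2:
        extra = "/".join(segments[:-2])
        problems.append(f"extra path segment '{extra}' before /webservices/ on a cloud host")
        suggested = urlunsplit((parts.scheme, parts.netloc, SOAP_PATH, "", ""))
    return {"ok": not problems, "problems": problems, "suggested": suggested}


if __name__ == "__main__":
    # Constructed sample tenant names.
    for candidate in (
        "https://acme.secretservercloud.com/webservices/SSWebservice.asmx",
        "https://acme.secretservercloud.com/SecretServer/webservices/SSWebservice.asmx",
        "https://vault.corp.example/SecretServer/webservices/SSWebservice.asmx",
    ):
        print(candidate, check_soap_endpoint(candidate))
```

The on-premises URL with the `/SecretServer/` segment passes because the check only treats that segment as an error on a cloud host.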
API calls fail mid-session or secrets cannot be retrieved
If the integration stops responding or returns authentication errors partway through a session, the cached auth token may have expired. The integration caches tokens and reuses them across API calls within a session flow, but if the token lifetime is exceeded, subsequent calls will fail. The integration will attempt to re-authenticate automatically, but if issues persist, check the session timeout value in Secret Server under Admin > Configuration > Session Timeout and consider increasing it.
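The following is an added example, not code from Delinea or BeyondTrust, that models both the session flow described under Integration Workflow (primary authentication, impersonation of the requesting user, search, secret retrieval, check-in) and the token-caching behaviour described here: cached tokens are reused across calls, and when one has expired the client re-authenticates once and retries. `FakeSecretServer` is a constructed in-memory stand-in; its method names follow the SOAP methods on this page, but its parameter lists, return shapes and the sample secrets are assumptions, not the real API. `SearchSecretsByFieldValue` is assumed here to take a field name and value.

```python
from contextlib import contextmanager


class AuthError(Exception):
    """Raised by the fake service when a token is unknown or expired."""


class FakeSecretServer:
    """Constructed stand-in for the Secret Server SOAP service (not the real API)."""

    def __init__(self, app_account, token_lifetime):
        self.app_account = app_account        # (username, password) of the API application account
        self.token_lifetime = token_lifetime  # seconds a token stays valid
        self.clock = 0.0                      # simulated time, advanced by the caller
        self.calls = []                       # audit trail of SOAP methods invoked
        self.checked_out = {}                 # secret id -> user currently holding it
        self._tokens = {}                     # token -> (user, expiry)
        # Constructed sample secrets; 'Users' lists who may access each one.
        self._secrets = {
            101: {"Machine": "web01", "Username": "svc_web", "Password": "sample-1", "Users": {"alice"}},
            102: {"Machine": "web01", "Username": "root", "Password": "sample-2", "Users": {"bob"}},
        }

    def _issue(self, user):
        token = f"tok{len(self._tokens) + 1}"
        self._tokens[token] = (user, self.clock + self.token_lifetime)
        return token

    def _user_for(self, token):
        user, expiry = self._tokens.get(token, (None, -1.0))
        if user is None or self.clock > expiry:
            raise AuthError("token unknown or expired")
        return user

    def Authenticate(self, username, password):
        self.calls.append("Authenticate")
        if (username, password) != self.app_account:
            raise AuthError("bad application account credentials")
        return self._issue(username)          # primary token

    def ImpersonateUser(self, token, username):
        self.calls.append("ImpersonateUser")
        self._user_for(token)                 # primary token must still be valid
        return self._issue(username)          # secondary token scoped to the end user

    def SearchSecretsByFieldValue(self, token, field, value):
        self.calls.append("SearchSecretsByFieldValue")
        user = self._user_for(token)          # results limited to what this user may access
        return [sid for sid, s in self._secrets.items() if s[field] == value and user in s["Users"]]

    def GetSecret(self, token, secret_id):
        self.calls.append("GetSecret")
        user = self._user_for(token)
        secret = self._secrets[secret_id]
        if user not in secret["Users"]:
            raise PermissionError(f"{user} may not read secret {secret_id}")
        self.checked_out[secret_id] = user    # held until CheckIn
        return {"Username": secret["Username"], "Password": secret["Password"]}

    def CheckIn(self, token, secret_id):
        self.calls.append("CheckIn")
        self._user_for(token)
        self.checked_out.pop(secret_id, None)
        return True


class Integration:
    """Client-side flow: cached primary token, per-user impersonation token,
    and one transparent re-authentication when a cached token has expired."""

    def __init__(self, server, app_user, app_password):
        self.server, self.app_user, self.app_password = server, app_user, app_password
        self._primary = None
        self._user_tokens = {}

    def _primary_token(self):
        if self._primary is None:
            self._primary = self.server.Authenticate(self.app_user, self.app_password)
        return self._primary

    def _user_token(self, user):
        if user not in self._user_tokens:
            self._user_tokens[user] = self.server.ImpersonateUser(self._primary_token(), user)
        return self._user_tokens[user]

    def _as_user(self, user, method, *args):
        for attempt in (1, 2):
            try:
                return getattr(self.server, method)(self._user_token(user), *args)
            except AuthError:
                if attempt == 2:
                    raise                     # re-authentication itself failed; surface it
                self._primary = None          # drop both cached tokens and retry once
                self._user_tokens.pop(user, None)

    @contextmanager
    def session(self, user, endpoint, choose):
        """Search as the requesting user, check out the chosen secret, and always CheckIn."""
        candidates = self._as_user(user, "SearchSecretsByFieldValue", "Machine", endpoint)
        secret_id = choose(candidates)        # the user picks from the list of matching secrets
        credential = self._as_user(user, "GetSecret", secret_id)
        try:
            yield credential                  # in the real flow this is what SRA injects
        finally:
            self._as_user(user, "CheckIn", secret_id)


if __name__ == "__main__":
    srv = FakeSecretServer(("bt_api", "app-pass"), token_lifetime=60.0)
    integ = Integration(srv, "bt_api", "app-pass")
    with integ.session("alice", "web01", lambda ids: ids[0]) as cred:
        print("injected", cred["Username"], "held by", srv.checked_out)
    srv.clock += 120.0                        # let every cached token expire
    with integ.session("alice", "web01", lambda ids: ids[0]):
        pass
    print(srv.calls)
```

Two design points worth noting: the `finally` guarantees `CheckIn` runs even if the session body fails, so a secret is never left checked out by an aborted session; and the retry in `_as_user` discards both the primary and the impersonation token together, because an impersonation token cannot be refreshed on its own once the primary token it was issued under has expired.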