MIM/PAM 2016 - Bastion forest access

  • Question

  • Hi all,

    I have deployed MIM 2016 with PAM in a bastion forest on Windows server 2016. Here is my current setup:

    - 1 Windows server 2016 Domain Controller (2016 forest label)

    - 1 Windows server 2016 MIM/PAM 2016 + Sharepoint 2016

    - 1 Windows server 2016 + SQL Server 2016

    I have tested all functionalities within the bastion forest using Powershell, PAM portal and the PAM sample portal.  The problem I am having is that when I try to run the PAM powershell commands from a workstation in my production forest, I keep getting an error like "get-pamrole : Failed to negotiate SOAP Security with 'http://parsrv.bastion.com:5725/ResourceManagementService/Enumeration' for target 'http://parsrv.bastion.com:5725/ResourceManagementService/Enumeration'".

    Firewalls are not enabled and everything should be opened between networks.  

    Also, I have tried setting up an RDS in the bastion forest to allow our IT users to go through the published web apps (Internet Explorer and powershell) and the users keep getting prompted for their credentials.

    Like I said, there are no authentication issues within the bastion forest, but when accessed from our production environment, prompts galore!

     Any idea what is missing? Any help would be appreciated...

     Thanks,

    Mike


    MichaelB

    Monday, January 29, 2018 7:09 PM

All replies

  • You cannot do that. Workstation used for PAM has to be in Bastion Forest. Bastion does not trust Prod, but Prod trusts Bastion

    Nosh Mernacaj, Identity Management Specialist

    • Proposed as answer by Nosh Mernacaj Monday, January 29, 2018 9:12 PM
    Monday, January 29, 2018 9:11 PM
  • Ok, that makes sense.  And what if I set up an RDS in the bastion forest (already done) and publish powershell and Internet explorer, would this allow users to access the portal or ps module from there without any hiccups?

    Keep in mind that all users have a PRIV account in the bastion forest and access with that account. 


    MichaelB

    Tuesday, January 30, 2018 2:13 PM
  • Not sure about that part, but the purpose is to isolate bastion. This is not about convenience, but security.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, January 30, 2018 2:26 PM
  • I have tried powershell through a remote app and this is the error I get:

    Get-PAMRole : SOAP security negotiation with 'http://mimsrv.bastion.com:5725/ResourceManagementService/Enumeration' for target 'http://mimsrv.bastion.com:5725/ResourceManagementService/Enumeration' failed. See inner exception for more details.
    At line:1 char:1
    + Get-PAMRole
    + ~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-PAMRole], SecurityNegotiationException
        + FullyQualifiedErrorId : GeneralServerError,Microsoft.IdentityManagement.AdminPamCmdlets.GetPamRoleCommand

    Any idea where the problem is coming from?

    MichaelB

    Tuesday, January 30, 2018 3:39 PM
  • Well, I figured out my SOAP issue.  I was not running the service for FIM with the right account.  After correcting this, powershell works great through the RDS WebApp.

    Now moving on fixing the Internet Explorer issues.

    Thanks for the help all.


    MichaelB

    Wednesday, January 31, 2018 8:06 PM
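The thread resolves the SOAP negotiation failure by correcting the account the MIM Service runs as. The WS-Security negotiation the PAM cmdlets perform is Kerberos-based, so two things on the bastion-side MIM server have to line up: the identity of the `FIMService` Windows service, and the `FIMService/<fqdn>` service principal name that MIM's installation prerequisites require to be registered on that service account. The following PowerShell is an added example (not posted by anyone in the thread and not part of MIM) that checks both on the MIM/PAM server. The service account name `BASTION\svc-mimservice` is a placeholder; `mimsrv.bastion.com` is taken from the error text above and should be replaced with the host name clients actually put in the endpoint URL.

```powershell
# Added example, not from the thread: verify the MIM Service identity and its Kerberos SPN
# on the MIM/PAM server in the bastion forest. Run in an elevated PowerShell session there.
#
# Assumptions (placeholders, adjust to your deployment):
#   $ExpectedServiceAccount - the dedicated service account MIM was installed with (placeholder)
#   $MimServiceFqdn         - the host name clients use in the endpoint URL (from the thread's error text)
param(
    [string]$ExpectedServiceAccount = 'BASTION\svc-mimservice',
    [string]$MimServiceFqdn         = 'mimsrv.bastion.com'
)

function Get-MimServiceIdentity {
    # The MIM Service registers itself as the Windows service named 'FIMService'.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='FIMService'"
    if (-not $svc) { throw 'FIMService is not installed on this host.' }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartName = $svc.StartName   # the account the service actually runs as
    }
}

function Test-MimServiceSpn {
    param([string]$Account, [string]$Fqdn)
    # 'setspn -L' lists every SPN registered on the account, one per line, indented.
    $spns     = & setspn.exe -L $Account 2>&1 | ForEach-Object { $_.ToString().Trim() }
    $expected = "FIMService/$Fqdn"
    [pscustomobject]@{
        Account     = $Account
        ExpectedSpn = $expected
        Registered  = ($spns -contains $expected)          # -contains is case-insensitive
        FimSpns     = @($spns | Where-Object { $_ -like 'FIMService/*' })
    }
}

$identity = Get-MimServiceIdentity
$identity | Format-List

if ($identity.StartName -ne $ExpectedServiceAccount) {
    Write-Warning "FIMService runs as '$($identity.StartName)', expected '$ExpectedServiceAccount'."
}

# A built-in identity (LocalSystem, NT AUTHORITY\...) has no user object to carry the SPN,
# so the Kerberos check only makes sense for a domain service account.
if ($identity.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
    Write-Warning "FIMService runs as a built-in identity; MIM expects a domain service account."
} else {
    $spn = Test-MimServiceSpn -Account $identity.StartName -Fqdn $MimServiceFqdn
    $spn | Format-List
    if (-not $spn.Registered) {
        Write-Warning "SPN $($spn.ExpectedSpn) is not registered on $($spn.Account); Kerberos negotiation for the PAM cmdlets will fail."
    }
}
```

If the service runs as the intended account but the SPN is registered on a different account (or on the computer object), clients negotiate against the wrong identity and get exactly the `SecurityNegotiationException` shown earlier in the thread; fix the SPN rather than adding a second one, since a duplicate SPN across two accounts breaks Kerberos as well.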