Privileged Access Management logon to workstation with Privileged account

  • Question

  • I have set up a PAM environment following this guide: PAM install guide

    Everything works. I have added a second domain and now have 2 domains trusting the Bastion domain - Domain A and Domain B.

    In my Bastion domain I have one user from each domain - User Bastion\A and User Bastion\B.

    With User Bastion\B and User Bastion\A I can run a PowerShell session on a workstation in Domain A from a desktop session run by User A\A. With a valid PAM request I'm also able to browse the test share with both Bastion users.

    I'm planning to use the Bastion to grant access to machines in the trusting domains. But what will I have to do to achieve that?

    I have tried adding the group A\CorpAdmins to the "Remote Desktop Users" on the workstation in Domain A. Since that didn't work, I tried adding the user Bastion\B to both "Remote Desktop Users" and "Administrators" on the workstation in Domain A. But I still get this:

    How can I get Bastion\B to log on to a workstation in Domain A?

    Thursday, April 20, 2017 11:46 AM

Answers

  • I played around with this a little more today.

    Turned out User Bastion\B was member of "Protected Users" in Bastion Domain. Once removed from that group, Bastion\B (Shadow user B) was able to log on to the workstation in Domain A without configuring any trust between Domain A and B.

    Friday, April 21, 2017 10:59 AM
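    The accepted answer and the discussion below turn on three things: whether the shadow account sits in Protected Users, which way the trusts point from Domain A, and which groups on the workstation actually grant remote logon. The script below checks all three; it is an added example for this thread, not code from the original posts or from the PAM install guide, and the domain, user and workstation names are placeholders to replace with your own. It assumes the ActiveDirectory RSAT module and an admin session that can reach both forests.

```powershell
param(
    [string]$BastionDomain = 'bastion.example.test',  # assumption: bastion forest FQDN
    [string]$ShadowUser    = 'B',                      # assumption: sAMAccountName of Bastion\B
    [string]$TargetDomain  = 'a.example.test',         # assumption: Domain A FQDN
    [string]$Workstation   = 'WS01.a.example.test'     # assumption: workstation in Domain A
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Protected Users membership, the cause found in the accepted answer. -Recursive also
#    catches a shadow user that inherits the membership through a nested group.
$user = Get-ADUser -Identity $ShadowUser -Server $BastionDomain -Properties sidHistory
$protectedMembers = Get-ADGroupMember -Identity 'Protected Users' -Server $BastionDomain -Recursive
if ($protectedMembers.SID.Value -contains $user.SID.Value) {
    Write-Warning "$BastionDomain\$ShadowUser is in Protected Users: NTLM, RC4/DES and delegation are refused for it"
} else {
    Write-Output "$BastionDomain\$ShadowUser is not in Protected Users"
}

# PAM shadow principals carry the source account's SID in sidHistory; that is why the
# rights have to exist for the Domain B original (the point made in the replies).
Write-Output ("sidHistory of {0}\{1}: {2}" -f $BastionDomain, $ShadowUser,
    (($user.sidHistory | ForEach-Object { $_.Value }) -join ', '))

# 2. Trust direction as seen from Domain A. Get-ADTrust reports Direction relative to the
#    queried domain: 'Outbound' means Domain A trusts the named domain.
$trusts = Get-ADTrust -Filter * -Server $TargetDomain
foreach ($t in $trusts) {
    Write-Output ("{0} -> {1}: {2}" -f $TargetDomain, $t.Target, $t.Direction)
}
$toBastion = $trusts | Where-Object {
    $_.Target -eq $BastionDomain -and ("$($_.Direction)" -in @('Outbound', 'BiDirectional'))
}
if (-not $toBastion) {
    Write-Warning "$TargetDomain does not trust $BastionDomain; shadow principals cannot be resolved there"
}

# 3. Local logon groups on the workstation, the two groups the original poster tried.
#    Entries show up as DOMAIN\name, so it is visible whether a Domain A group or a
#    Bastion principal is the one granting access.
Invoke-Command -ComputerName $Workstation -ScriptBlock {
    foreach ($g in 'Remote Desktop Users', 'Administrators') {
        Get-LocalGroupMember -Group $g | ForEach-Object { "{0}: {1}" -f $g, $_.Name }
    }
}
```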

All replies

  • So Domain B is the one you are managing via Bastion, thus the process is all the same.
    Whatever group grants such permissions in Domain B, needs to be imported into Bastion (Following the same process - create the shadow group, users).  You login as the Bastion\ShadowUser (Copy of the Domain B user)

    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 20, 2017 12:14 PM
  • I am managing Domain A and Domain B from the Bastion Domain.

    I want to log on to a workstation in domain A. I have placed the Group A\CorpAdmins in the local Administrator group on the workstation. Group A\CorpAdmins has a ShadowGroup. Bastion\CorpAdmins. User Bastion\B has CorpAdmins as an active role.

    Connecting via RDP to the workstation in Domain A using the credentials of Bastion\B should grant me access to log on to the workstation, since Group A\CorpAdmins is in the local Administrators group, but that just results in the error in the initial question.

    Thursday, April 20, 2017 1:09 PM
  • Sorry, I misunderstood some of it initially.

    Is user Bastion\B shadow of a user A\B?

    Can you log in using old-fashioned creds, removing PAM from the picture for a second? I suspect not.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 20, 2017 1:15 PM
  • User Bastion\B is a shadow of User B\B. I have not tried to log on to the workstation with User Bastion\A, that is a shadow of User A\A that resides in the same domain as the workstation. I will give that a try tomorrow.

    I can log on to the workstation with User A\A, but not with User B\B or Shadow User Bastion\B.

    I can, however, access the testshare with Shadow User Bastion\B via runas, after requesting the CorpAdmin Role.

    Thursday, April 20, 2017 2:43 PM
  • Seems to me the workstation does not trust Domain B.

    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 20, 2017 2:45 PM
  • Is that necessary when the user logging on is Bastion\B from the Bastion domain?
    Thursday, April 20, 2017 2:47 PM
  • A bastion user is a mirror of the domain user, so the access is granted to its native domain user. The shadow account is just a remote driver of that account and access.

    I would simply remove PAM from the picture and make sure it works natively, before trying anything else


    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 20, 2017 2:53 PM
  • Without PAM, User B\B cannot log on to any workstations in Domain A. Furthermore, User B\B cannot launch PowerShell on the workstation in Domain A with runas.

    As I understand the setup, access in PAM is granted to the Bastion account and that account is allowed to use runas in Domain A because of the one-way trust. If that is not the case, then how does this work?

    Thursday, April 20, 2017 3:06 PM
  • Here is how I see this.
    I am sorry, if I am not getting it right.

    Comment on the right side got truncated, but it says

    "In order for this user to gain access to a workstation in Domain A, Domain A has to grant the rights to the user BB in Domain B.


    Nosh Mernacaj, Identity Management Specialist


    Thursday, April 20, 2017 3:17 PM
  • Your help is much appreciated!

    The drawing is spot on.

    Even though Shadow BB cannot log on to the workstation, Shadow BB can launch PowerShell on the workstation, is a member of bastion\CorpAdmins and can access the restricted file share.

    I would think that the authentication when launching PowerShell as Shadow BB on the Domain A workstation would require the same trust as a full desktop logon.

    Thursday, April 20, 2017 3:25 PM
  • Ok, you may have granted access to use powershell, but not the rights for interactive logon (remote logon).

    Always remember that the access is granted to DomainB\BB, not bastion. In PAM you add the Shadow BB to DomainB\GroupName (the group that grants logon to the workstation).


    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 20, 2017 3:33 PM
  • That is exactly the issue. I have not done anything to grant Shadow B / User B rights to launch PowerShell on the workstation in Domain A. I was convinced that that was possible, because Domain A trusts the Bastion Domain and I run the PowerShell process as Shadow B.

    Since there is no Domain A original of Shadow B, should that be possible at all?

    Thursday, April 20, 2017 3:49 PM
  • You may have the trust, but not the right access for remote RDP.

    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 20, 2017 4:50 PM
  • I am not sure I understand this last sentence, but again: you grant access to A DOMAIN USER\GROUP, not a Shadow. The Shadow manipulates the given rights JIT.

    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 20, 2017 4:51 PM
  • I just tried to log on to the workstation with Shadow A. The account was not allowed to log on. After requesting the CorpAdmin Role for Shadow A, Shadow A was able to log on to the workstation.

    Shadow B, however, got the error above both before and after requesting the CorpAdmin Role.

    How can I make Shadow B log on to the workstation? What will I have to set up in Domain A? There must be some way to achieve this without having to create an account for User B in Domain A first.

    Thursday, April 20, 2017 5:02 PM
  • Domain A has to trust Domain B.

    Workstation must grant access to Domain B users to login remotely.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 20, 2017 5:04 PM
  • The plan is to add multiple other domains and use PAM to grant Domain B users access to PAM-handled resources in Domain A, Domain A2, Domain A3 etc.

    To sum it up, I would have to create 2 one-way trusts like this:

    Domain A trusts Domain B

    Domain A trusts Domain Bastion

    for every Domain A in Domain A, Domain A2, Domain A3

    Thursday, April 20, 2017 5:16 PM
  • Yes, and also Domain B Trusts Bastion.

    Please remove PAM from your mind for a minute and think of how a user from domain B can login to Domain A. Once that plumbing is in place, add PAM to the mix.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, April 20, 2017 5:19 PM
  • Will do. The thing about being able to run the PowerShell console as Shadow B on the workstation in Domain A without the one-way trust from Domain A to Domain B led me astray.

    Thank you for your help!

    Thursday, April 20, 2017 5:22 PM