Authentication method configurations on the Central Credential Provider

This section describes the configuration required on the IIS/Central Credential Provider side in order to enable an application to authenticate to the Central Credential Provider using the different methods. For more information about the supported authentications for Credential Provider, see Application authentication methods.

OS user authentication method in Central Credential Provider

OS user client side configuration

The Central Credential Provider is supported on Windows environments only; it runs on Internet Information Services (IIS), which serves as its web server.

Applications can authenticate to the Central Credential Provider from all types of environments using their IP/host, OS user, or client certificate authentications (see Application authentication methods).

Because the Central Credential Provider is installed as a web service on the IIS web server, it is IIS that authenticates the calling application: the request is accepted or rejected by the IIS authentication modules before it reaches the web service.

For an application to authenticate to IIS using its OS user, it must supply the user credentials in the SOAP/REST request.

For example, in Windows PowerShell the Invoke-RestMethod cmdlet can send the credentials of the OS user running the script to IIS with the -UseDefaultCredentials flag (no password is placed in the script). In the script that sends the call to the Central Credential Provider:

$AppID        = "App_MyApp"      # application ID as defined in the PVWA
$object       = "Object-Name"    # name of the account object to retrieve
# endpoint on which Windows Authentication is enabled in IIS
$CCPAddress   = "https://CyberArkCCP/WindowsAuthentication/api/Accounts?AppID=$AppID&Object=$object"
# -UseDefaultCredentials authenticates as the OS user that runs this script
$restresponse = Invoke-RestMethod -Uri $CCPAddress -Method GET -UseDefaultCredentials

To use OS user authentication to the Central Credential Provider, provide the user credentials in your calls to the web service.

Configure Windows Domain Authentication

This section describes how to configure Windows Authentication on the Central Credential Provider machine to enable the Central Credential Provider to authenticate applications with the Windows domain user that runs the application.

 
  • You must also define the allowed authentication in the application definition in the PVWA. For details, see Manage applications.

  • It is clarified that the Windows Authentication Providers are subject to their respective terms of use as provided by their vendors. The Customer is solely responsible for its use of the Windows Authentication Provider, and CyberArk disclaims any and all warranties and liabilities with regards to such providers and their use by the Customer.

To enable some applications to authenticate with Windows Domain authentication and others to authenticate using different authentication methods, configure the Central Credential Provider web service to work with multiple endpoints. For more information, see Authentication method configurations on the Central Credential Provider above.

To configure Windows domain authentication on the Central Credential Provider machine:

  1. In the Windows Server Manager, make sure that the Windows Authentication role service is installed. For details, see the Microsoft documentation.

  2. In the IIS Manager, make sure that the DefaultAppPool application pool (.NET CLR v4.0) exists. For details, see Microsoft documentation.

  3. Define the Windows Authentication Providers:


    If you configured multiple SOAP/REST API endpoints, repeat the following for each endpoint that requires this authentication method.

    1. In the IIS Manager, navigate to Sites > Default Web Site, and select the folder where the Central Credential Provider web service is installed. By default, this is AIMWebService.

    2. In Authentication, select Windows Authentication.

      1. Enable Windows Authentication.

      2. Click Advanced Settings, and disable Kernel mode authentication.

      3. Add the Windows Authentication Providers according to your organization’s needs. To do this, click Providers and add the necessary providers from the Available Providers list to the Enabled Providers list. Always add Negotiate, then add the provider required by your organization, for example, Negotiate:Kerberos.

        Remove any other providers from the Enabled Providers list.

      4. In the Authentication list, disable all other authentication methods (for example, Anonymous, Basic and Digest Authentication), so that only Windows Authentication can satisfy requests to this endpoint.

  4. Restart IIS by running the following command from an elevated PowerShell or command prompt:

    iisreset
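The same four steps, scripted with the WebAdministration and ServerManager modules, as an added example that is not CyberArk's own tooling. It assumes the web service sits under "Default Web Site/AIMWebService", that the organization wants the Negotiate and Negotiate:Kerberos providers, and that the test URL, AppID and Object at the end are placeholders; the final function checks that an anonymous call is refused with 401 and that a call as the current OS user gets through IIS.

```powershell
#Requires -RunAsAdministrator
# Added example (not CyberArk code): scripted Windows Authentication setup for the CCP endpoint.
Import-Module ServerManager
Import-Module WebAdministration

$Location  = 'Default Web Site/AIMWebService'     # assumption: default install folder of the CCP web service
$Providers = @('Negotiate', 'Negotiate:Kerberos')  # Negotiate first, then what your organization requires
$AuthBase  = 'system.webServer/security/authentication'
$Common    = @{ PSPath = 'IIS:\'; Location = $Location }

# Step 1: the Windows Authentication role service must be installed.
if (-not (Get-WindowsFeature -Name Web-Windows-Auth).Installed) {
    Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
}

# Step 2: the CCP runs in DefaultAppPool on .NET CLR v4.0.
$pool = Get-Item 'IIS:\AppPools\DefaultAppPool'
if ($pool.managedRuntimeVersion -ne 'v4.0') {
    throw "DefaultAppPool runs $($pool.managedRuntimeVersion), expected v4.0"
}

# Step 3a/3b: enable Windows Authentication and disable kernel-mode authentication.
Set-WebConfigurationProperty @Common -Filter "$AuthBase/windowsAuthentication" -Name enabled       -Value $true
Set-WebConfigurationProperty @Common -Filter "$AuthBase/windowsAuthentication" -Name useKernelMode -Value $false

# Step 3c: make the enabled providers exactly $Providers, removing inherited extras such as NTLM.
$pf      = "$AuthBase/windowsAuthentication/providers"
$current = @(Get-WebConfiguration @Common -Filter "$pf/add" | ForEach-Object { $_.value })
foreach ($p in $current | Where-Object { $_ -notin $Providers }) {
    Remove-WebConfigurationProperty @Common -Filter $pf -Name '.' -AtElement @{ value = $p }
}
foreach ($p in $Providers | Where-Object { $_ -notin $current }) {
    Add-WebConfigurationProperty @Common -Filter $pf -Name '.' -Value @{ value = $p }
}

# Step 3d: disable every other authentication module on this endpoint.
# A section locked at server level (applicationHost.config) cannot be changed here; warn instead of aborting.
foreach ($section in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication',
                     'clientCertificateMappingAuthentication', 'iisClientCertificateMappingAuthentication') {
    try {
        Set-WebConfigurationProperty @Common -Filter "$AuthBase/$section" -Name enabled -Value $false
    } catch {
        Write-Warning "Could not disable $section at '$Location': $_"
    }
}

# Step 4: restart IIS so the new authentication settings are active.
iisreset | Out-Null

# Verification: anonymous must get 401; the current OS user must pass IIS authentication.
# Any non-401 status on the authenticated call (for example for an unknown AppID/Object) still
# proves that IIS accepted the OS user and handed the request to the CCP.
function Test-CcpWindowsAuth {
    param([Parameter(Mandatory)][string]$Url)
    try {
        Invoke-WebRequest -Uri $Url -Method GET -UseBasicParsing | Out-Null
        Write-Warning 'Endpoint answered an anonymous request; Windows Authentication is not enforced'
        return $false
    } catch {
        $code = [int]$_.Exception.Response.StatusCode
        if ($code -ne 401) { Write-Warning "Unexpected HTTP $code for the anonymous request"; return $false }
    }
    try {
        Invoke-RestMethod -Uri $Url -Method GET -UseDefaultCredentials | Out-Null
        return $true
    } catch {
        $code = [int]$_.Exception.Response.StatusCode
        if ($code -eq 401) { Write-Warning 'IIS rejected the credentials of the current OS user'; return $false }
        Write-Warning "IIS authenticated the caller; the CCP itself returned HTTP $code for this AppID/Object"
        return $true
    }
}

# Placeholder URL, AppID and Object (assumptions, not a real deployment).
Test-CcpWindowsAuth -Url 'https://CyberArkCCP/WindowsAuthentication/api/Accounts?AppID=App_MyApp&Object=Object-Name'
```

Run the script on the Central Credential Provider machine as a local administrator. The verification function deliberately distinguishes an IIS 401 (authentication failed) from an error body returned by the CCP (authentication succeeded, the application definition or object is wrong), because both surface as exceptions in PowerShell.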

Configure a hardened server to accept OS user authentication

When a server is hardened, the "Access this computer from the network" user right is restricted to administrators, so all non-administrator users are blocked from authenticating to the hardened server with OS user authentication.

When Central Credential Provider is installed on a hardened PVWA, you need to reconfigure the authenticated users on this server:

  1. Go to the Local security policy.
  2. Under User Rights Assignment, select Access this computer from the network.
  3. In the policy's properties, add the Authenticated Users group. This allows all non-administrator users to connect to Central Credential Provider using OS user authentication and successfully retrieve secrets.


This configuration change allows every authenticated domain account to connect to your PVWA server over the network and, as a result, expands the attack surface of that server.

To limit which accounts gain this right, add a dedicated user-defined group that contains only the OS users of the applications allowed to call the Central Credential Provider, instead of the Authenticated Users group.
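The least-privilege variant of the procedure above, as an added example that is not part of CyberArk's documentation: it grants "Access this computer from the network" (SeNetworkLogonRight) to a dedicated group with secedit, keeping the existing holders of the right and dropping Authenticated Users if it is present. The group name CORP\CCP-Clients is an assumption; replace it with the group that holds the application OS users.

```powershell
#Requires -RunAsAdministrator
# Added example (not CyberArk code): grant SeNetworkLogonRight to a dedicated group instead of Authenticated Users.
param(
    [string]$GroupName = 'CORP\CCP-Clients'   # assumption: hypothetical group of allowed application OS users
)

# secedit's [Privilege Rights] section takes *SID entries, so resolve the group to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the current user-rights assignment so that the existing holders (administrators etc.) are preserved.
$export = Join-Path $env:TEMP 'ccp-rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$line    = Get-Content $export | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' } | Select-Object -First 1
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Remove Authenticated Users (well-known SID S-1-5-11) and add the dedicated group.
$holders = @($holders | Where-Object { $_ -ne '*S-1-5-11' })
if ("*$sid" -notin $holders) { $holders += "*$sid" }

# Build a minimal security template and apply only the USER_RIGHTS area.
$cfg = Join-Path $env:TEMP 'ccp-rights-apply.inf'
$db  = Join-Path $env:TEMP 'ccp-rights-apply.sdb'
$template = @(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]',
    "SeNetworkLogonRight = $($holders -join ',')"
)
Set-Content -Path $cfg -Value $template -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# Show the resulting assignment and clean up the temporary files.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Get-Content $export | Where-Object { $_ -match '^SeNetworkLogonRight' }
Remove-Item $export, $cfg, $db -ErrorAction SilentlyContinue
```

If a domain GPO also defines this user right, the GPO value overwrites the local setting at the next policy refresh; in that case apply the same change in the GPO that targets the PVWA/Central Credential Provider server rather than locally.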