Connect using RDP

Connect to target devices directly from your desktop using any standard RDP client application, such as MSTSC or Connection Manager, to benefit from a native user experience.

To connect using smart cards, the following are required:

  • Smart card drivers must be installed on the PSM machine.

  • The smart card must include a valid certificate.

RDP connection requirements

Customers who enforce NLA when connecting to Windows accounts via PSM should ensure the following:

  • The PSM must be installed on an indomain machine.

  • The PSM should be joined to the domain that houses the AD that is integrated into Identity Administration. This enables authentication to both the machine and to the Shared Services platform.

  • The first authentication challenge must be defined as a textual password.

RDP connection methods

There are two ways to connect using RDP.

Option

Description
Create an RDP file

For each account you want to access, create an RDP file and then double-click the file to connect.

If you have multiple accounts that you access regularly, we recommend that you create an RDP file for each, after which you will be able to connect to all of your accounts without additional configuration.

There are two ways to create an RDP file:
Connect using any standard RDP client

Configure the RDP client whenever you want to access the target account. For details, see Connect using a standard RDP client

You can also see Connect using MSTSC or Connect using Connection Manager if you are using one of these specific clients.

In either case, you can connect without providing connection details in advance, as described in Connect using RDP without providing details in advance.

Create an RDP file manually

Perform the following procedure for each target account.

To create an RDP file manually:

  1. Create an RDP file in the following format:

  2. Configure the following RDP settings:

    To connect to a Windows server with the address of 10.10.2.145, with the user admin and with the RDP protocol, use the following configuration in the Start Program setting:

      
    psm /u admin /a 10.10.2.145 /c PSM-RDP

    To connect to a Windows server with the address of 10.10.2.145, which belongs to the domain mycompany.com, with the domain user domainadmin and with the RDP protocol, use the following configuration in the Start Program setting:

      
    psm /u domainadmin@mycompany.com /a 10.10.2.145 /c PSM-RDP

     

     

    To allow the connection, a domain account with the address of mycompany.com and the username domainadmin must pre-exist in Privilege Cloud.

    To connect to a Unix server with the address of 10.10.2.145, with the user root and with the SSH protocol, use the following configuration in the Start Program setting:

      
    psm /u root /a 10.10.2.145 /c PSM-SSH

    To connect to a Unix server with the address of 10.10.2.145, with the user root and with the WinSCP client, use the following configuration in the Start Program setting:

      
    psm /u root /a 10.10.2.145 /c PSM-WinSCP
  3. To connect using a smart card, add redirectsmartcards:i:1 to the RDP file.

  4. RDP connection is configured by default to use NLA and log in with an AD user. To retain the NLA default, and connect using an AD user, continue to the next step.

    To connect using a non-AD user or to reapply NLA after it has been disabled, select one of the following options:

    Add enablecredsspsupport:i:0 to the RDP file in one of the following ways:

    RDP Application NLA Authentication
    MSTSC RDP client application The MSTSC RDP client application is configured to use NLA by default.
    To disable NLA when connecting with MSTSC, add the setting enablecredsspsupport:i:0 to one of the following files:

    • The default RDP file used by MSTCS.

      The default.rdp file is normally under the My Documents Windows folder.

    • The RDP file that you saved for your connection, and that you are opening with MSTSC.
    RDP files RDP files are configured to use NLA by default.
    To disable NLA when connecting with an RDP file, add the following setting to the RDP file:
    enablecredsspsupport:i:0
    Any other RDP client application For any other RDP client application, such as different connection managers, see the application documentation for enabling or disabling NLA.

    Add enablecredsspsupport:i:1 to the RDP file in one of the following ways:

    RDP Application NLA Authentication
    MSTSC RDP client application To enable NLA when connecting with MSTSC, add the setting enablecredsspsupport:i:1 to one of the following files:

    • The default RDP file used by MSTCS.

      The default.rdp file is normally under the My Documents Windows folder.

    • The RDP file that you saved for your connection, and that you are opening with MSTSC.
    RDP files To enable NLA when connecting with an RDP file, add the following setting to the RDP file:
    enablecredsspsupport:i:1
    Any other RDP client application For any other RDP client application, such as different connection managers, see the application documentation for enabling or disabling NLA.
  5. To connect to the target account, double-click the file.
  
psm /u root /a 10.10.2.145 /c PSM-WinSCP

Connect using a standard RDP client

If you are using a standard RDP client (that is neither MSTSC nor Connection Manager), You can configure a single RDP file to connect through Privilege Cloud, which includes the target machine details in advance.

To connect using RDP without configuring the details in advance, see Connect using RDP without providing details in advance.

To connect using RDP (configure details in advance):

Configure the settings of the RDP client as described in RDP settings.

Connect using MSTSC

This procedure describes how to connect to a target device, through Privilege Cloud, specifically using MSTSC.

To connect using MSTSC:

  1. Open the MSTSC client.

    You can also execute MSTSC through the command line using: MSTSC /v:<PSM server address>

  2. In the Computer field, enter the address of the PSM server, through which you will establish the connection. The PSM address can be entered either as a DNS name, or as an IP address in IPV4 format.

    In an environment with load balanced PSMa, specify the address of the PSM load balancer.

  3. Expand Show Options, and do the following:

    1. In the User name field, enter your CyberArk user name.

      If you do not configure your username, you will be prompted for it when the connection is made. You will also be prompted for your password.

    2. Click the Programs tab, and select Start the following program on connection
    3. In the Program path and file name field, enter the connection details to PSM. For details, see RDP settings.
    4. If you are using smart card authentication, click the Local Resources tab, and select Smart cards.

  4. Click Connect.

Connect using Connection Manager

This section describes how to connect to a target device, through Privilege Cloud, specifically using Connection Manager, by configuring the Connection Manager with the target machine details in advance.

To connect using RDP without configuring the details in advance, see Connect using RDP without providing details in advance.

To connect using Connection Manager (configure details in advance):

  1. Open Connection Manager application on your desktop and create an entry for the target device.

    Give each entry a meaningful name to indicate the target device details.

  2. Set the Remote machine address to the address of the PSM server through which you want to establish your connection.

    The PSMaddress can be entered either as a DNS name, or an IP address in IPV4 format.

    In an environment with load balanced PSMs, specify the address of the PSM load balancer.

  3. To connect using a smart card, enable smart card redirection in the connection manager setting.

  4. Enter your Privilege Cloud credentials.

    If you do not configure the log on credentials, you will be prompted for them when the connection is made.

  1. Configure the RDP settings, as described in RDP settings.

Connect using RDP without providing details in advance

You can connect using any standard RDP client or an RDP file without providing details about your target machine in advance.

 
  • To use this option with NLA, you must use a username that contains the login pattern configured by your Administrator under the PSMLoginPattern parameter. For details, see PSM basic parameters file .
  • When connecting with PKI authentication in NLA, authentication is performed with the smart card certificate, but you still must include the login pattern in the usename field to support this capability.

  1. Configure the following settings:

    Setting RDP Parameter Type Description
    full address s

    The address of the PSM server through which you want to establish your connection.


    The PSM address can be entered either as a DNS name, or an IP address in IPV4 format.

    In an environment with load-balanced PSMs, specify the address of the PSM load balancer.

    alternate shell s

    Only value the PSM parameter ("psm ").

    There must be a space after psm.
    username s

    Enter your CyberArk user name, according to the authentication process required in your environment.

    If you do not configure your user name, you will be prompted for it when the connection is made. You will also be prompted for your password.

    Note: We do not recommend saving your password.

    Example:

  2. To connect using a smart card, add redirectsmartcards:i:1 to the RDP file.
  3. When you connect to the target, after you enter your authentication details, you are prompted for your connection details.
 

You cannot use this option if NLA is enabled in your environment.

  1. Open MSTSC.

     

    You can also execute MSTSC through the command line using:

    MSTSC /v:<PSM server address>

  2. In the Remote Desktop Connection window, in the Computer field, enter the address of the PSM server through which you will establish the connection.

    The server address can be entered either as a DNS name, or as an IP address in IPV4 format.

    In an environment with load-balanced PSMs, specify the address of the PSM load balancer.

  3. Open Show Options, and in the User name field, enter "psm " followed by your CyberArk user name, according to the authentication process required in your environment.

    If you do not configure your user name, you will be prompted for the user name and password when the connection is made.

     
    • We do not recommend saving your password locally.
    • There must be a space after psm.

  4. If you are using smart card authentication, click the Local Resources tab, and select Smart cards.

  5. When you connect to the target, after you enter your authentication details, you are prompted for your connection details.

RDP settings

The following settings are relevant for all types of RDP connections.

Settings Description
full address

The address of the PSM server.

Get this information from your admin.

alternate shell 

psm /u target-user /a target-address /c connection-component

  • target-user The name of the user used to log on to the target device.

    When using a domain account, use the following format:

    username@domain-name

    When using a shared account to connect to vCenter machine, use the following format:

    username@vCenter-address

  • target-address The address of the target system. As defined in the account address setting.

    Use one of the following formats:

    • IPv4 – For example, 1.1.1.1
    • IPv6 – For example, 1000:1000:1000:1000:1000:1000:1000:0055
    • DNS – For example, ‘myhost’

  • connection-component The type of the connection that will be established with the target device.

    Get this information from your admin.

username

Enter your CyberArk user name, according to the authentication process required in your environment. If you do not configure your user name, you will be prompted for it when the connection is made. You will also be prompted for your password.

Note: We do not recommend saving your password.