This topic describes how to define an application in the Vault from the PVWA.
Step 1: Add an application
To define an application in the Vault from the PVWA:
- In the Applications tab, click Add Application and specify the following information:
  - A unique name (ID) for the application. Note: Non-English letters are not supported.
  - A short description of the application to identify it.
  - The contact details of the application's business owner:
  - The location of the application in the Vault hierarchy. If a location is not specified, the application is added to the location of the user who is creating the application.
  - Time restrictions for secret retrieval.
  - An expiration date for the application.
  - Whether the application is disabled. If selected, the application is disabled.
- Click Add. By default, applications are added with the following properties:
  - Application authentication method: no method is specified by default and no credential file is used.
  - Allow extended authentication restrictions: you can disable the default limitation on the PVWA application maximum character count (4000 characters). When selected, you can configure the Credential Provider to support extended authentication for applications, which lets you specify more machines, OS users, path values, and hash values for a single application. This functionality is supported for Vault / PVWA and Provider v7.1.7 and later.
  - Use credential file authentication: you can configure applications to access the Vault with a credential file and retrieve passwords as in previous versions of the Credential Provider. If you select this option, you are prompted to acknowledge that all authentication settings and allowed machines for this application are deleted if you proceed. Click the download button to download the credential file. You can specify the following application authentication characteristics for the application; these restrictions are applied when the credential file for the application is created:
    - One OS user
    - One IP address
    - One IP subnet in CIDR IPv4 format
    To change the authentication type for applications that were previously configured to authenticate to the Vault with a credential file, clear Use credential file authentication, then specify application authentication characteristics as described below.
    Credential file authentication has been deprecated and is documented for backward compatibility. Where possible, configure application authentication. For more information, refer to Application authentication methods.
Step 2: Add application authentication
The following procedure describes how to add application authentication.
Specifying the application's authentication details enables the Credential Provider to check runtime application characteristics before retrieving the application password.
For more information about which authentication types are supported by each type of Credential Provider, see Application authentication methods.
To add application authentication:
- In the Authentication tab, click Add.
- Select the authentication characteristic to specify. Multiple values can be specified for each authentication type. The Credential Provider verifies each authentication type and value defined for each application.
  - OS user: specify the name of the OS user who will run the application.
  - Path: specify the path where the application will run. To indicate that the specified path is a folder, select the Path is folder option. To enable internal scripts to retrieve the application password for this application, select the Allow internal scripts to request credentials on behalf of this application ID option.
  - Hash: run the AIMGetAppInfo utility to calculate the application's unique hash, copy the hash value that the utility returns, and paste it in the Hash edit box. Separate multiple hash values with a semicolon. You can add a comment after each hash value by specifying '#' after the hash value, followed by the comment; the comment must not include a colon or a semicolon. For example:
    1A6F2A14E4C30729AA1E392261DA47568465ED47FFD8ED4E03082CE13ACB44819BF34D9D902668E4782C450D22EFC8F573F329657B1EAF20E5228BB49D613827 # app2
  - Certificate Serial Number (Central Credential Provider only): extract the Serial Number value from the Client Certificate. The following example shows how to extract the Serial Number in Windows Certificate Manager, although any management utility can be used. The certificate must be trusted by IIS. Ensure that no duplicate certificates are issued, and that the Serial Number contains only the characters accepted for Serial Number authentication: [a-f], [A-F], [0-9] and '#'. To specify a Certificate Serial Number, paste the Client Certificate Serial Number value in the SN field. To add more information about an SN value, add a '#' after the SN value and then the comment; the comment must not include a colon or a semicolon. For example: A1B4F6D8#app2
- When an authentication type is added, it is displayed in the Authentication tab. To delete a method, highlight it and select the Delete Authentication button.
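The format rules for the Hash and SN fields (values separated by ';', an optional '#' comment, no colon or semicolon in the comment) as a small validator, added here as an example and not part of the product documentation; AuthValue, parse_auth_field and is_valid_auth_field are names chosen for this illustration:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed validator for the Hash and SN fields described above.
# Both fields accept one or more hexadecimal values separated by ';',
# each optionally followed by '#' and a free-text comment.
HEX_VALUE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class AuthValue:
    value: str              # the hash or certificate serial number, as entered
    comment: Optional[str]  # text after '#', or None when no comment was given


def parse_auth_field(field: str) -> List[AuthValue]:
    """Split a Hash or SN field into its values and validate each one.

    Raises ValueError on the first entry that breaks the documented rules:
    a non-hex value, or a comment containing ':'. Because ';' is the value
    separator, a ';' inside a comment cannot be detected here: the text after
    it is read as a new value and fails the hex check instead, which is why
    the documentation forbids it.
    """
    entries: List[AuthValue] = []
    for raw in field.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';' or a blank entry
        value, has_comment, comment = raw.partition("#")
        value = value.strip()
        if not HEX_VALUE.match(value):
            raise ValueError(f"not a hexadecimal value: {value!r}")
        if has_comment:
            comment = comment.strip()
            if ":" in comment:
                raise ValueError(f"comment must not contain ':': {comment!r}")
            entries.append(AuthValue(value, comment))
        else:
            entries.append(AuthValue(value, None))
    return entries


def is_valid_auth_field(field: str) -> bool:
    """True when every value in the field passes the checks above."""
    try:
        parse_auth_field(field)
        return True
    except ValueError:
        return False
```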
Step 3: Add allowed machines
Enable the Credential Provider to verify that only applications that run from a specified machine can access secrets.
To specify allowed machines:
- In the Allowed Machines tab, click Add.
- Specify the IP subnet in CIDR IPv4 format, the IP address, or the hostname or DNS name of the machine where the application will run and will request passwords, then click Add.
Note: To specify the hostname or DNS name of the machine where the application will run, make sure that PVWA v6.0 patch#5 or later is installed.
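An added illustration of the allowed-machines check that Step 3 configures: each entry is validated as an IPv4 CIDR subnet, a single IP address or a hostname, and a request source is accepted only if it matches one of them. This is a constructed example, not the Credential Provider's own code; classify_entry and request_allowed are hypothetical names, and the entries and addresses in the comments and tests are made up.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed hostname syntax check (RFC 1123 labels, dot-separated).
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def classify_entry(entry: str) -> str:
    """Return 'subnet', 'ip' or 'hostname'; raise ValueError for anything else."""
    entry = entry.strip()
    if "/" in entry:
        # strict=True rejects entries such as 10.20.30.7/24 whose host bits are
        # set, so an ambiguous subnet cannot silently widen the allowed range.
        net = ipaddress.ip_network(entry, strict=True)
        if net.version != 4:
            raise ValueError(f"only IPv4 CIDR subnets are accepted: {entry!r}")
        return "subnet"
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    if HOSTNAME.match(entry):
        return "hostname"
    raise ValueError(f"not a CIDR subnet, IP address or hostname: {entry!r}")


def request_allowed(allowed: List[str], source_ip: str,
                    source_host: Optional[str] = None) -> bool:
    """True when a password request from source_ip (and, if resolved,
    source_host) originates from one of the allowed machines."""
    ip = ipaddress.ip_address(source_ip)
    for entry in allowed:
        kind = classify_entry(entry)       # also rejects malformed entries
        entry = entry.strip()
        if kind == "subnet" and ip in ipaddress.ip_network(entry, strict=True):
            return True
        if kind == "ip" and ip == ipaddress.ip_address(entry):
            return True
        if kind == "hostname" and source_host and entry.lower() == source_host.lower():
            return True
    return False
```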