Shared logon authentication

Shared authentication is based on a user credential file that is stored in the PVWA web server. During shared authentication, only the user defined in the credential file can log on to the PVWA, but multiple users can use the logon token.

This type of authentication requires the application using the REST services to manage the users as the Vault can't identify which specific user performs each action.

Multiple concurrent connections can be created using the same token, without affecting each other.

The shared user is defined in a user credential file, whose location is specified in the WSCredentialFile parameter, in the appsettings section of the PVWAweb.config file:

  
<add key="WSCredentialFile" value="C:\CyberArk\Password Vault Web Access\CredFiles\WSUser.ini"/>
  • Make sure that this user can access the PVWA interface.
  • Make sure the user only has the permissions in the Vault that they require.

Securing application-to-REST communication

We recommend securing the connections between the requesting application and the REST Web Services when using Shared Logon Authentication, using Client Authentication.

In addition to SSL, use Client Authentication to authenticate the requesting application using a client certificate.

Configuring client authentication using client certificates

This procedure enables client-side authentication of the requesting application for REST Web Services, using a client certificate.

To configure client authentication using client certificates:

1. Make sure that a server certificate has been generated for the web server where the PVWAis installed.
2. In the PVWAVirtual Directory, change the Secure Communication settings:
a. Run inetmgr, select Web Sites, then select the website where the PVWAruns.
b. Right-click PVWA, then select Properties; the Properties window appears.
c. In the Directory Security tab, in the Secure Communications area, click Edit; the Secure Communication window appears.
d. Select the following:
  • Require secure channel (SSL)
  • Accept client certificates

Note:   If you use a client certificate, select Require client certificates instead of Accept Client Certificates.

e. Click OK to save the Secure Communications settings; the Inheritance Overrides window appears. This window enables you to configure the security settings to apply the selected security settings to the listed child nodes.

f. Do not select any child nodes from the list. Click OK.
3. In the PVWAWeb Services folder, change the Secure Communication settings:
a. Expand PVWA, and then expand WebServices.
b. Expand auth, and then right-click Shared; the Shared Properties window appears.
c. In the Directory Security tab, in the Secure Communications area, click Edit; the authentication settings for the Shared folder are displayed.
d. In Client certificates, select Require client certificates, then click OK.

e. Run iisreset.
1. Make sure that a server certificate has been generated for the web server where the PVWAis installed.
2. In the PVWAVirtual Directory, change the Secure Communication settings:
a. Run inetmgr, select Sites, then select the website where the PVWAruns.
b. Select SSL Settings, the SSL Setting window appears.
c. Select the following:
  • Require SSL
  • Accept – This configures the IIS to accept Client Certificates.

Note:  If you use a client certificate, select Require instead of Accept.

d. Click Apply to save the Secure Communications settings;
3. In the PVWAWeb Services folder, change the Secure Communication settings:
a. Expand PVWA, and then expand WebServices.
b. Expand auth, and then select Shared.
c. Select SSL Settings, the SSL Setting window appears,
d. Select the following:
  • Require SSL
  • Require – This configures the IIS to require Client Certificates.
e. Click Apply to save the Secure Communications settings;
4. Run iisreset.