Add applications

This topic describes how to define an application in the Vault from the PVWA.


Step 1: Add an application

To define an application in the Vault from the PVWA:

  1. In the Applications tab, click Add Application and specify the following information in the Add Application dialog box:




    A unique name (ID) for the application.

    Non-English letters are not supported.


    A short description of the application to identify it.

    Business owner

    The contact details of the application’s business owner:


    The location of the application in the Vault hierarchy. If a location is not specified, the application is added to the location of the user who is creating the application.

    Time restrictions

    Time restrictions for secret retrieval.

    Expiration date

    An expiration date for the application.


    If selected, the application is disabled.

  2. Click Add. By default, applications are added with the following properties:



    Application authentication method

    No method is specified by default and no credential file is used.

    User type


    Allow extended authentication restrictions

    You can disable the default limitation of PVWA application maximum character count (4000 characters).

    When selected, you can configure the Credential Provider to support extended authentication for applications. This enables you to specify more machines, OS users, path values, and hash values for a single application.

    Use credential file authentication

    You can configure applications to access the Vault with a credential file and retrieve passwords as in previous versions of the Credential Provider.

    If you select this option, you will be prompted to acknowledge that all authentication and allowed machines for this application are deleted if you proceed.

    Click the download button to download the credential file.

    You can specify the following application authentication characteristics for the application. These restrictions will be applied when creating the credential file for the application:

    • One OS user

    • One IP address

    • One IP subnet in CIDR IPv4 or IPv6 format

    To change the authentication type for applications that were previously configured to authenticate to the Vault with a credential file, clear Use credential file authentication, then specify application authentication characteristics as described below.


    This authentication has been deprecated and is documented for backward compatibility. Where possible, configure application authentication. For more information, refer to Application authentication methods.

Step 2: Add application authentication

The following procedure describes how to add application authentication.

Specifying the application's authentication details enables the Credential Provider to check runtime application characteristics before retrieving the application password.


For more information about which authentication is supported by each of type of Credential Provider, see Application authentication methods.

To add application authentication:

  1. In the Authentication tab, click Add.
  2. Select the authentication characteristic to specify. Multiple values can be specified for each authentication type. The Credential Provider verifies each authentication type and value defined for each application.

    Type Description 

    OS user

    Specify the name of the OS user who will run the application

    Application path

    Specify the path where the application will run.

    To indicate that the specified path is a folder, select the Path is folder option.

    To enable internal scripts to retrieve the application password for this application, select the Allow internal scripts to request credentials on behalf of this application ID option

    We recommend always using OS User or Allowed Machines authentication, or both.


    Calculate a hash

    Run the AIMGetAppInfo utility to calculate the application’s unique hash..

    Copy the hash value that is returned by the utility.

    In the Hash edit box, paste the application’s unique hash value,


    Specify multiple hash values with a semicolon.

    You can add additional information in a comment after each hash value specified for an application by specifying ‘#’ after the hash value, followed by the comment.

    For example,

    1A6F2A14E4C30729AA1E392261DA47568465ED47FFD8ED4E03082CE13ACB44819BF34D9D902668E4782C450D22EFC8F573F329657B1EAF20E5228BB49D613827 # app2

    The comment must not include a colon or a semicolon.

    We recommend always using OS User or Allowed Machines authentication, or both.

    Certificate Serial Number

    For Central Credential Provider only.


    Extract the Serial Number value from the Client Certificate. You can use Windows Certificate Manager or any other management utility to do this.

    • The certificate must be trusted by IIS.

    • Ensure that no duplicate certificates are issued.

    • Ensure that the Serial Number contains only the valid characters accepted for Serial Number authentication – [a-f], [A-F], [0-9] and ‘#’

    To specify a Certificate Serial Number:

    In the SN field, paste the Client Certificate Serial Number value.

    To add more information about an SN value, add a ‘#’ after the SN value and then the comment. The comment must not include a colon or a semicolon.

    For example: A1B4F6D8#app2

    In the SN field, add the Certificate Serial Number.

When an authentication type is added, it is displayed in the Authentication tab.

To delete a method, highlight it and select the Delete Authentication () button.

Step 3: Add allowed machines

Enable the Credential Provider to verify that only applications that run from a specified machine can access secrets.

To specify allowed machines:

  1. In the Allowed Machines tab, click Add.

  2. Specify the IP subnet in CIDR IPv4 or IPv6 format, IP, hostname, or DNS of the machine where the application will run and will request passwords, then click Add.


    To specify the host name or DNS of the machine where the application will run, make sure that PVWA v6.0 patch#5 or later is installed.