Connect through Privileged Session Manager for Windows

This topic describes transparent connections to target systems using a standard RDP client application.

Connect to target systems directly from your desktop using any standard RDP client application, such as MSTSC, to benefit from a native user experience.

Requirements

  • The PSM server must be hardened. For details, refer to PSM Hardening Tasks.

  • Connections can be made from Unix / Linux / Mac / Windows end user machines.

  • To connect using a smart card:
    • Smart card drivers must be installed on the PSM machine
    • The smart card must include a valid certificate
    • The Vault must be configured with LDAP integration

Considerations

Before using your standard RDP client application to connect through PSM to your target system, review the following considerations:

Connect to a target

Use one of the following methods to create a connection through PSM to the target system.

Configure a Connection Manager

You can configure a Connection Manager to connect through PSM without providing the target system details, or configure a Connection Manager that includes the target system details in advance.

To configure a Connection Manager to connect through PSM to the target system without the target system details:

  • To use this option with NLA, you must use a username that contains the login pattern configured by your Administrator under the PSMLoginPattern parameter. For details, see PSM basic parameters file.
  • When connecting with PKI authentication in NLA, authentication is performed with the smart card certificate, but you still must include the login pattern in the username field to support this capability.
  1. Open a Connection Manager application on your desktop and create an entry for the target machine.

    Give each entry a meaningful name that indicates the target system details.

  2. Set the Remote machine address to the address of the PSM server through which you want to establish your connection. The PSM address can be entered either as a DNS name, or an IP address in IPV4 format.

    In an environment with load balanced PSMs, specify the address of the PSM load balancer.

  3. To connect using a smart card, enable smart card redirection in the connection manager setting.
  4. Configure the logon credentials by entering "psm " followed by your Vault or LDAP username, according to the authentication process required in your environment.

    • It is not recommended to save your Vault password locally.
    • There must be a space after psm.

    For authentication details, see Authentication

    If you do not configure the logon credentials, you will be prompted for them when the connection is made.

  5. When you connect to the target, after you enter your authentication details, you are prompted for your connection details. For more information, see Connect and configure.

To configure a Connection Manager to connect through PSM to the target system with the target system details:

  1. Open a Connection Manager application on your desktop and create an entry for the target machine.

    Give each entry a meaningful name that indicates the target system details.

  2. Set the Remote machine address to the address of the PSM server through which you want to establish your connection. The PSM address can be entered either as a DNS name, or an IP address in IPV4 format.

    In an environment with load balanced PSMs, specify the address of the PSM load balancer.

  3. To connect using a smart card, enable smart card redirection in the connection manager setting.
  4. Configure the logon credentials by entering your Vault or LDAP username, according to the authentication process required in your environment.


    It is not recommended to save your Vault password locally.

    For authentication details, see Authentication

    If you do not configure the logon credentials, you will be prompted for them when the connection is made.

  5. Configure the Start Program setting to include the connection details to the target system.

    For details, see Configure an RDP Start Program.

Configure an RDP File

You can configure a single RDP file to connect through PSM without providing the target system details, or configure separate RDP files that include the target system details in advance.


To configure an RDP file without providing the target system details:

  • To use this option with NLA, you must use a username that contains the login pattern configured by your Administrator under the PSMLoginPattern parameter. For details, see PSM basic parameters file.
  • When connecting with PKI authentication in NLA, authentication is performed with the smart card certificate, but you still must include the login pattern in the username field to support this capability.
  1. Create an RDP file.
  2. Configure the following RDP settings as described below:

    Setting: full address (RDP parameter type: s)

    The address of the PSM server through which you want to establish your connection.

    The PSM address can be entered either as a DNS name, or an IP address in IPV4 format.

    In an environment with load balanced PSMs, specify the address of the PSM load balancer.

    Setting: alternate shell (RDP parameter type: s)

    • To configure an RDP file with the target system details, enter the connection details including the target user, target machine, connection component, and, if you integrate with a ticketing system, the ticketing information. For details, see Configure an RDP Start Program.

    • To configure an RDP file without providing the target system details, enter only the PSM parameter ("psm "). There must be a space after psm.

    Setting: username (RDP parameter type: s)

    Enter your Vault or LDAP username, according to the authentication process required in your environment.

    If you do not configure your username, you will be prompted for it when the connection is made. You will also be prompted for your password.

    It is not recommended to save your Vault password in the RDP file.

    For details, see Authentication.

    Following is an example of a single RDP file that was configured to connect through PSM without providing the target system details:

    Following is an example of an RDP file that was configured to connect through PSM with the target system details:

  3. To connect using a smart card, add redirectsmartcards:i:1 to the RDP file.
  4. When you configure separate RDP files that include the target system details, repeat these steps for each target system to which you want to connect.

  5. When you configure a single RDP file without providing the target system details and later connect to the target, after you enter your authentication details you are prompted for your connection details. For more information, see Connect and configure.
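The following is an added example, not CyberArk's code, that generates the two kinds of RDP file described above (a single file without target details, and one file per target with the details in the alternate shell) and checks a file for the mistakes this topic warns about: a missing space after psm, a saved password, and an NLA connection without target details whose username lacks the login pattern. It also covers the parameter table under Connect with any RDP client application below. It assumes the Start Program switches /u, /a and /c from the referenced Configure an RDP Start Program topic, an illustrative PSMLoginPattern value of "psm" (the real value is set by your Administrator), and constructed host names, usernames and connection component names.

```python
"""Generate and sanity-check .rdp files for connecting through PSM.

Added example, not CyberArk's code. Assumptions not stated on this page:
  * the Start Program syntax 'psm /u <target user> /a <target address>
    /c <connection component>' from the 'Configure an RDP Start Program' topic;
  * an administrator-configured PSMLoginPattern of 'psm' (illustrative);
  * all host names, usernames and component names below are constructed.
"""
import re

PSM_PREFIX = "psm "  # the trailing space is mandatory


def start_program(target_user=None, target_address=None, component=None):
    """Return the 'alternate shell' value.

    With no target details the value is exactly 'psm ' and PSM prompts for the
    target after authentication. With details, all three parts are required.
    """
    details = (target_user, target_address, component)
    if not any(details):
        return PSM_PREFIX
    if not all(details):
        raise ValueError("target user, target address and connection component are all required")
    return f"{PSM_PREFIX}/u {target_user} /a {target_address} /c {component}"


def build_rdp(psm_address, username, target_user=None, target_address=None,
              component=None, smart_card=False):
    """Return the text of one .rdp file (CRLF line endings, as mstsc writes them)."""
    lines = [
        f"full address:s:{psm_address}",
        f"alternate shell:s:{start_program(target_user, target_address, component)}",
        f"username:s:{username}",
    ]
    if smart_card:
        lines.append("redirectsmartcards:i:1")
    # Deliberately no 'password 51:b:' line: never store the Vault password in the file.
    return "\r\n".join(lines) + "\r\n"


def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}; values keep trailing spaces."""
    settings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, rest = line.partition(":")
        typ, _, value = rest.partition(":")
        settings[key] = (typ, value)
    return settings


def check_rdp(text, nla=True, login_pattern="psm"):
    """Return a list of problems that would stop the file from working through PSM."""
    s = parse_rdp(text)
    problems = []
    if "full address" not in s:
        problems.append("no 'full address' (PSM server or load balancer)")
    shell = s.get("alternate shell", ("", ""))[1]
    if not shell.startswith(PSM_PREFIX):
        problems.append("'alternate shell' must start with 'psm ' (space after psm is required)")
    if "password 51" in s:
        problems.append("a saved password is present; remove it")
    user = s.get("username", ("", ""))[1]
    # No target details in the file: under NLA the username must carry the login pattern.
    if nla and shell.strip() == "psm" and login_pattern not in user:
        problems.append(f"NLA without target details: username must contain '{login_pattern}'")
    return problems


def rdp_files_for(psm_address, username, targets, smart_card=False):
    """One .rdp file per target: {filename: contents}. targets = [(user, address, component), ...]"""
    files = {}
    for target_user, target_address, component in targets:
        stem = re.sub(r"[^A-Za-z0-9_.-]", "_", f"{target_user}@{target_address}-{component}")
        files[stem + ".rdp"] = build_rdp(psm_address, username, target_user,
                                         target_address, component, smart_card)
    return files


if __name__ == "__main__":
    # Constructed sample values; write the result to disk and open it with mstsc to connect.
    targets = [("administrator", "10.20.30.40", "PSM-RDP")]
    for name, body in rdp_files_for("psm.corp.example", "jsmith", targets).items():
        print(name, check_rdp(body) or "ok")
        print(body)
```

The checker keeps the trailing space when it parses the alternate shell value, so a file whose shell line reads psm with no space is reported rather than silently accepted; run check_rdp over any hand-edited file before distributing it.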

Connect with MSTSC

To configure MSTSC to connect through PSM to the target machine using the Programs tab:

  1. Open MSTSC. The Remote Desktop Connection window opens.


    You can also execute MSTSC through the command line using:

    MSTSC /v:<PSM server address>

  2. In the Computer field, enter the address of the PSM server, through which you will establish the connection. The PSM address can be entered either as a DNS name, or as an IP address in IPV4 format.

    In an environment with load balanced PSMs, specify the address of the PSM load balancer.

  3. Open Show Options.

  4. In the User name field, enter your Vault or LDAP username, according to the authentication process required in your environment.

    If you do not configure your username, you will be prompted for it when the connection is made. You will also be prompted for your password.


    It is not recommended to save your Vault password locally.

    For details, see Authentication

  5. Click the Programs tab, and select Start the following program on connection.

  6. In the Program path and file name field, enter the connection details to PSM.

    For details, see Configure an RDP Start Program

  7. If you are using smart card authentication, click the Local Resources tab, and select Smart cards.

  8. Click Connect. An authentication window is displayed.
  9. To connect to other target machines using MSTSC, repeat this procedure for each target machine.

To configure MSTSC to connect through PSM to the target machine without using the Programs tab:


You cannot use this option if NLA is enabled in your environment.

  1. Open MSTSC. The Remote Desktop Connection window opens.


    You can also execute MSTSC through the command line using:

    MSTSC /v:<PSM server address>

  2. In the Computer field, enter the address of the PSM server, through which you will establish the connection. The PSM address can be entered either as a DNS name, or as an IP address in IPV4 format.

    In an environment with load balanced PSMs, specify the address of the PSM load balancer.

  3. Open Show Options.

  4. In the User name field, enter "psm " followed by your Vault or LDAP username, according to the authentication process required in your environment.


    There must be a space after psm.

    If you do not configure your username, you will be prompted for it when the connection is made. You will also be prompted for your password.


    It is not recommended to save your Vault password locally.

    For details, see Authentication

  5. If you are using smart card authentication, click the Local Resources tab, and select Smart cards.

  6. When you connect to the target, after you enter your authentication details, you are prompted for your connection details. For more information, see Connect and configure.

Connect with any RDP client application

To connect to your target system through PSM using any standard RDP client application, configure your RDP client to use the following parameters:

Setting: PSM address

The address of the PSM server through which you want to establish your connection.

The PSM address can be entered either as a DNS name, or an IP address in IPV4 format.

In an environment with load balanced PSMs, specify the address of the PSM load balancer.

Setting: RDP Start Program

If you want the End User to specify the connection details, enter only the PSM parameter ("psm "). There must be a space after psm. When you connect to the target, after you enter your authentication details, you are prompted for the target details. For more information, see Connect and configure.

Or, you can specify the connection details in advance, including the target user, target machine and connection component. For details, see Configure an RDP Start Program.

Setting: Username

Enter your Vault or LDAP username, according to the authentication process required in your environment.

It is not recommended to save your Vault password locally.

For details, see Authentication.

Setting: Smart card redirection

To connect using a smart card, add redirectsmartcards:i:1 to the RDP file.

Specify a reason for accessing accounts

A rule in the Master Policy determines that users can only retrieve passwords or SSH keys after they specify a reason that explains why they need to retrieve them. You can override the Master Policy rule for specific platforms. For details, see Exceptions.

When you connect through PSM for Windows you are prompted to provide a reason for connecting.

  • The reason is limited to 2048 characters, after which it is truncated.
  • Copy-paste is not supported.

PSM for Windows retrieves the password or SSH key, and the reason you specified is stored in the audit log.