
Connecting to a remote Unix or Windows host through the Xton Access Manager (XTAM) gateway is simple: find the record that describes the remote host, optionally request access and wait for approval, then perform the Connect operation so that XTAM opens a session window with the remote host connection. XTAM uses the host name, as well as the user and password stored on the record, to establish the connection. XTAM does not reveal the privileged password on the record, which allows access to be shared securely. There are several interesting cases for the dynamic credential option, where XTAM performs additional operations to find the user and password used to connect to the remote host on the record.


1. Prompt for Credentials.

When the User field on the record is left blank, XTAM prompts the current system user to enter credentials for the remote host when connecting. XTAM can optionally record the session and its events, produce an audit log, and send alerts and syslog notifications about the session. An access approval workflow can also optionally control availability of the operation.

Prompt for Credentials is a good option for providing controlled access to servers in a datacenter when administrators already know the credentials to log in, such as when they use their own credentials or a well-known shared account like the domain administrator.

Read how to configure this option in the following article: Prompt User for Connection Parameters

2. Pass-Through Credentials.

When the User field on the record contains the $forward or $login keyword, XTAM takes the login and password of the currently logged-in user and uses them as the credentials to connect to the remote server. As usual, XTAM optionally provides recording, workflow and auditing around this connection event.

Pass-Through Credentials is a good option for providing automated, controlled access to servers in a datacenter when administrators use their own credentials to log in.

Read how to configure this option in the following article: Remote Session Pass-Through Login Credentials

3. Dynamic Credential.

When the User field on the record contains $search:CRITERIA, XTAM uses CRITERIA to search for records using the regular XTAM search. When XTAM finds exactly one record matching this criteria, it uses the user and password on that record for the connection.

CRITERIA may contain placeholders such as $login, which resolves to the current user's login name.

For example, we created a record with jwilliams' credentials and used jwilliams@domain.com in the record description. Then we created a Windows host record and specified $search:$login@domain.com in its User field. When user jwilliams connects to this record, XTAM actually uses the credentials (both user and password) from the record found by the jwilliams@domain.com criteria. If someone else tries to connect to the same record, XTAM uses credentials from the record found by the criteria built dynamically from their own login.

Note that XTAM users performing the Connect operation in the Dynamic Credentials scenario should have the View permission and one of the Connect permissions on the host record. However, they might have no permissions on the records found by the User search criteria. This provides additional security around the actual accounts used to connect to the remote servers.

The Dynamic Credentials option is useful when different groups of users should connect to remote servers using different shared accounts. Another good use is supporting a multi-domain scenario, where the same accounts exist in multiple domains serving different computers in the datacenter. In this case, the Dynamic Credentials option allows administrators to know their credentials for only one of the domains while using the matching accounts from the other domains to connect to remote servers.

Read how to configure this option in the following article: Remote Session Dynamic Login Credentials
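To make the three User field modes concrete, here is a small added model of how the gateway picks credentials for a Connect operation. It is illustrative code written for this article, not XTAM's own implementation: the vault, the ACL and the substring-based search() are constructed stand-ins. It also shows the two failure modes the single-record rule implies for $search (zero matches and more than one match), and that only the host record's permissions are checked, never the credential record's.

```python
from dataclasses import dataclass

@dataclass
class Record:
    name: str
    description: str
    user: str           # the record's User field
    password: str = ""  # used by the gateway only; never shown to the connecting user

# Constructed sample vault and permissions (illustrative, not real XTAM data).
VAULT = [
    Record("jwilliams account", "jwilliams@domain.com", "DOMAIN\\jwilliams", "pw1"),
    Record("asmith account", "asmith@domain.com", "DOMAIN\\asmith", "pw2"),
    Record("asmith account (old)", "asmith@domain.com old", "DOMAIN\\asmith", "pw3"),
    Record("win-host", "Windows host, dynamic", "$search:$login@domain.com"),
    Record("win-host-pt", "Windows host, pass-through", "$forward"),
    Record("win-host-prompt", "Windows host, prompt", ""),
]
# Permissions exist on host records only; users need none on credential records.
ACL = {"win-host": {"jwilliams", "asmith", "nobody"},
       "win-host-pt": {"jwilliams"}, "win-host-prompt": {"jwilliams"}}

def search(criteria):
    """Stand-in for XTAM search: substring match over record name and description."""
    return [r for r in VAULT if criteria in r.name or criteria in r.description]

def resolve(host, login, session_password):
    """Return (mode, credential) describing how the gateway would connect."""
    if login not in ACL.get(host.name, set()):
        return ("denied", None)          # View/Connect on the host record is required
    field = host.user.strip()
    if field == "":
        return ("prompt", None)          # user is asked for credentials at connect time
    if field in ("$forward", "$login"):
        return ("pass-through", (login, session_password))
    if field.startswith("$search:"):
        criteria = field[len("$search:"):].replace("$login", login)
        hits = search(criteria)
        if len(hits) != 1:               # exactly one record must match
            return ("error", f"{len(hits)} records matched {criteria!r}")
        return ("dynamic", (hits[0].user, hits[0].password))
    return ("static", (field, host.password))
```

The asmith case is the one to watch in practice: a duplicated or stale credential record makes the search ambiguous, and the connection fails rather than guessing.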

Categories: xton

Mark Klinchin

I am Co-Founder and CEO of Xton Technologies. I am interested in computers, software development, cyber security, content management, photography, image processing and mathematics.


Copyright © 2020 Xton Technologies, LLC. All rights reserved.