EV Reach Console - Configuration - Using Alternate Credentials

Last modified on 2023/08/07 10:55

By default, EV Reach uses the operator’s credentials to authenticate and authorize the actions performed on a remote system. In the event an operator doesn’t hold enough privileges, EV Reach automatically prompts for alternate credentials.

Specified system credentials are optionally saved into the EV Reach Credential Manager for re-use. All persistent credentials are securely saved on the operator’s machine in an encrypted format and can only be used by the operator who created them. Saved credentials cannot be shared.

Alternate credentials can be specified for different services including Native Windows Authentication, Microsoft RDP, VNC, and Intel vPro. Additionally, credentials can be configured for a scope of systems at the Active Directory domain level, an IP range or an external site.

EV Reach supports Smartcards and can use a common access card to authenticate against remote machines.

EV Reach also supports Microsoft LAPS and can automatically query systems’ local administrator passwords from Active Directory in MS LAPS enabled environments.

This user guide will describe how to configure and use alternate credentials in EV Reach.

Providing Credentials as Needed

If you perform an action on a remote system that requires privileges not held by your account, EV Reach automatically prompts you for alternate credentials:

Specify the necessary credentials to continue with the operation. The user name must be in the format AUTHORITY\USERID where AUTHORITY is either a domain name, the machine name or ‘.’ to specify local credentials.

To make the specified credential persistent, enable the Save Credentials option. EV Reach credentials are saved in an encrypted local database which can only be used by the operator that created it.

EV Reach Credential Manager

All credentials registered in EV Reach can be managed using the EV Reach Credential Manager. To open the Credential Manager, click on the Application tab at the top left of the main window then select Credential Manager.

You can also access the Credential Manager from the Alternate Credentials section of the EV Reach General Settings area.

The EV Reach Credential Manager is used to view, update, remove or configure new credentials for computer systems, or scopes of machines.

Specifying Credentials for Individual Computers

  • Click on the Add button and select Individual Computers or Servers.
  • Specify the computer name in the Target Name field. It is recommended to provide an FQDN or UNC format for the computer name, for instance SomeMachine.Domain.com or Domain\SomeMachine. However, a short name or IP address can also be provided.
  • If you want to specify credentials for a group of individual computers, click on the […] button and generate the list of computers.
  • You can also specify a partial computer name and click on the search button to query Active Directory for matching computer IDs.

Once the computer selection has been made, click on the Next button to provide credentials.

By default, provided credentials are used against the Native OS Authentication. However, you can also specify credentials for Microsoft RDP, VNC, and Intel vPro AMT.

How to Specify Local Computer Credentials

To specify a local account, either use the computer name (if a single computer selection is made) or a period:

Specifying Credentials for an IP Range

  • Click on the Add button and select IP Range
  • Specify a Range Name and an IP range and click on Next then provide the credentials to be used.

Specifying Credentials for an AD Domain

You must specify AD credentials if:

  • Your account doesn’t hold enough privileges to perform Active Directory account management.
  • You want to use alternate credentials to remotely administer the computers that belong to an AD domain.
  • You need to activate MS LAPS support on a specific AD domain (see Enabling Microsoft LAPS Support below).

Click on the Add button and select Active Directory Domain. Specify the domain name in the Target Name field (you can also click on the Search button to browse through the list of AD domains), then click on Next.

Click on the Configure button to specify the domain credentials and if these credentials should be used only for AD account management or also for the remote administration of computers that belong to that domain:

Specifying Credentials for an External Site

Click on the Add button and select External Site, then specify the site name (or click on the Search button to browse through the list of available external sites), then click on Next.

Note: An external site is a grouping of computers that are manageable over the internet via the EV Reach Gateway Services. This option is only available if EV Reach Gateway Services have been enabled.

Specify the credentials to be used against the selected external site:

  • Specify a local administrator account for sites of individual computers
  • Specify a domain administrator account for sites of domain joined computers

Enabling Microsoft LAPS Support

EV Reach includes full support of MS LAPS environments. Once MS LAPS support is enabled, EV Reach transparently queries MS LAPS passwords in Active Directory when elevated access is required. EV Reach also keeps track of password expiration dates and updates them accordingly.

Before you can use Microsoft LAPS in EV Reach, you must enable it. You can do this in the General Settings area of EV Reach:

  1. Click on the Application button on the top right corner of the application and select General Settings.
  2. Select the Alternate Credentials section.
  3. Check the Enable Microsoft LAPS Support option and click on OK or Apply.

Once you have enabled MS LAPS support in EV Reach, you will be able to configure MS LAPS authentication for all machines that belong to an Active Directory domain, or use MS LAPS passwords on a per-machine basis. You will also be able to inject an MS LAPS password within a remote-control session to log in to the system.

Configuring MS LAPS Authentication at the AD Domain Level

This set-and-forget method allows you to enable MS LAPS for an entire Active Directory domain. Once you have done so, EV Reach automatically uses MS LAPS to query and apply the local administrator’s password used to authenticate against all remote machines that belong to that domain.

Domain-wide MS LAPS authentication is required if you plan on using the EV Reach IT Global Automation features, for instance to deploy software to your MS LAPS enabled machines.

To configure domain-wide MS LAPS authentication, click on the Add button, select the Active Directory Domain type, specify the domain to target and click on Next.

Enable the Use Microsoft LAPS … option to activate MS LAPS support for the selected domain. If appropriate, modify the local administrator’s account name to use with MS LAPS, then click on OK.

Note: It is not possible to configure more than one local administrator account name per domain. Different local admin account names or multi-lingual machines are not supported.

Optionally, if your domain controllers are not under MS LAPS policy and you need to configure alternate credentials to perform account management, enable the Use the following credentials for AD Account Management option and specify the domain credentials.

Once configured, EV Reach automatically queries the MS LAPS password of a domain machine in AD and uses it with the specified local administrator’s account for remote system authentication.

What if my LAPS Policy is not configured Domain-Wide?

The MS LAPS policy may be assigned to specific OUs rather than at the domain level. In such cases, MS LAPS authentication may fail for systems that are not under the MS LAPS policy.

EV Reach does not allow the configuration of MS LAPS based credentials on a per-OU basis. However, if an MS LAPS password cannot be queried for a computer object, or if the MS LAPS password is empty, EV Reach automatically falls back to standard authentication methods (either the credentials configured in the Credential Manager or the operator’s credentials).

Consequently, the process of authenticating to a non-MS LAPS system within a MS LAPS enabled Active Directory domain will be transparent, except for a warning message in the EV Reach Console window:

If EV Reach keeps prompting for credentials for non-MS LAPS computers instead of falling back on standard authentication, make sure that the ms-Mcs-AdmPwd AD attribute for these computers is empty. If it is not, EV Reach will attempt to use that password and will fail.
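One way to audit that attribute across a set of computers, written here as an added example and not part of EV Reach or its tooling: it assumes the RSAT ActiveDirectory PowerShell module, an account permitted to read the legacy LAPS attributes, and a placeholder search base.

```powershell
# Added example: report which computers in an OU carry a value in the legacy
# LAPS attribute ms-Mcs-AdmPwd, and whether that value is past its expiration.
# A non-empty value on a machine that is not under the LAPS policy is the state
# that stops the fallback described above, so those machines are worth a look.
# Assumes the RSAT ActiveDirectory module; the search base below is a placeholder.
Import-Module ActiveDirectory

function Get-LapsAttributeState {
    param(
        [Parameter(Mandatory)] [string] $SearchBase
    )
    $props = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', 'DNSHostName'
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            # Caveat: if the running account lacks read rights on ms-Mcs-AdmPwd,
            # AD returns it as empty, which would hide a stale value.
            $hasPassword = -not [string]::IsNullOrEmpty($_.'ms-Mcs-AdmPwd')

            $expiry = $null
            if ($_.'ms-Mcs-AdmPwdExpirationTime') {
                # The expiration attribute is a Windows FILETIME (UTC).
                $expiry = [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
            }

            # Only the presence of a value is reported; the password itself is never output.
            [pscustomobject]@{
                Computer   = $_.DNSHostName
                HasLapsPwd = $hasPassword
                Expires    = $expiry
                Expired    = ($null -ne $expiry -and $expiry -lt (Get-Date).ToUniversalTime())
            }
        }
}

# Usage: list every computer in the OU that still carries a LAPS password value.
# Compare this list against the machines you know are outside the LAPS policy.
Get-LapsAttributeState -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Where-Object { $_.HasLapsPwd } |
    Format-Table Computer, HasLapsPwd, Expires, Expired -AutoSize
```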

LAPS Authentication on a Per-System basis

You can also use MS LAPS passwords on a per-system basis. When EV Reach prompts for the credentials of a domain joined computer, the password field will include a [use LAPS] button that queries the MS LAPS password in AD and populates the password field.

This method populates the password field with the local administrator’s password value as defined in Active Directory. You must provide the correct value for the local administrator’s user ID in the user name field.

If you do not see the [use LAPS] button, make sure that:

  • Microsoft LAPS is enabled in the EV Reach General Settings area under Alternate Credentials
  • The machine name for which credentials are prompted has a format from which domain information can be queried, for instance FQDN or UNC format (e.g. DOMAIN\MachineName). If the machine name is a NetBIOS name or an IP address, EV Reach will not be able to determine the Active Directory domain for that machine and will not display the use LAPS option.

Once LAPS based credentials are configured for a computer, they are remembered by EV Reach (unless you unchecked Save Credentials). Saved computer MS LAPS credentials can be viewed in the Credential Manager:

What happens when a LAPS password expires?

EV Reach automatically manages MS LAPS password expiration events. When a computer MS LAPS password is saved in the credential manager, the current value of the password is reused as needed until its expiration date, at which time Active Directory is automatically queried for the updated value of the password.

If you manually reset the LAPS password or the password expiration time stamp of your systems, the saved credentials in EV Reach may be out of sync. This is not a problem: EV Reach will prompt you to update the credentials of any system for which it failed to authenticate. Simply update the password using MS LAPS.

LAPS support during a Remote-Control Session

During a remote-control session to an MS-LAPS enabled computer, you may need to log in to the remote system using the local administrator’s account. Since Windows doesn’t allow clipboard operations in its password field, EV Reach allows you to inject the LAPS password as if you had typed it physically.

To do so, set the cursor focus to the password field of the local administrator’s login on the remote machine, then click on the (Inject LAPS Password) control located at the top right corner of the viewing area:

Note: This option is only available if you open a remote-control session using credentials that are MS-LAPS based.

Injecting alternate credentials during Remote Control

When using alternate credentials to connect to remote systems, use the Inject Password feature to supply the password as needed.

SmartCard Credentials

EV Reach offers full support for PIV / CAC smart card authentication and redirection.

Configuring alternate credentials using smart card authentication works the same way as described above. However, when prompted for credentials, insert the smart card into the reader, then select the desired smart card identity to authenticate against the configured scope.

Once smart card authentication has been configured, you must keep your smart card in the reader for the authentication to succeed.