
Using PAM to inject credentials when Mapping a Network Drive


Article ID: 133787


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

After logging into a Windows Server in one domain there is a prompt for the userID and password when trying to Map a Network Drive in another domain.  A method for entering those credentials is needed, so that the user does not need to know them.

Environment

Release :

Component : PRIVILEGED ACCESS MANAGEMENT

This was tested with 3.3, but should apply to any supported PAM version.

Resolution

This was partially resolved using Transparent Login to inject the userID and password into the Windows Security window. This is the window that opens when you right-click on Network Explorer, click on Map network drive, and enter the mapping information. This technique was not heavily tested, so use it with caution, as other parts of Windows may use the Windows Security window. The solution here does not automatically launch File Explorer, but it does inject the credentials into the Windows Security window when it appears.

Additional Information

Here are the steps performed to implement the solution:


1.  Create an RDP application for File Explorer.

The Transparent Login Configuration must contain the name of the script that was created in Transparent Login Learn Mode.  Checking the RDP Session box will enable Transparent Login to work when the application is launched manually in RDP.

  

The RDP Session box is checked so that Transparent Login will work for this service when Windows Security is launched manually.

2.  Create a device for the system on which the RDP Application will be launched and another for the system to which the Network Drive will be mapped.  The first device will include the RDP application created in the previous step.





3.  Create a Device Group, in which the two devices above will be configured as Credential Sources.  Only the system to which the user will initially login need be included in the device list.


4.  Create Target Applications and Target Accounts for the credentials to be used on both systems.  In this case the first system was accessed using Active Directory credentials and the Network Drive credentials were created using a Generic Application.  This was not required.



5.  Create a policy based on the device group.  Make sure to check the Enable box on the Transparent Login tab.



6.  Launch the RDP Application on the Access page.


7.  When the RDP window opens, launch File Explorer, right-click on Networks, and click on Map Network Drive.



8.  Select the desired Drive Letter and enter the server address and sharename to be used.



9.  Transparent Login will inject the username and password in the Windows Security window that opens, and will press the OK button to complete the login.  



10.  Once the Mapped Drive appears use it as you would normally.




11.  Here is the script that was used.  The click method had to be used, because the Windows Security window did not allow the individual portions of the window to be accessed separately.


Attachments