
Web Portal Integration problem with domain accounts

Article ID: 239124

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The authentication method of the web site that we are trying to integrate with a PAM Web Portal is already integrated with our AD, and it is possible to manually log on to the web site using the AD credentials by providing the user name with the syntax <domain>\<accountname>. However, when we try to configure the Web Portal we are not able to set the use of the domain along with the account name, and the authentication fails.

If we use a local account from the web site, which does not require the Domain\ prefix, the Web Portal authentication completes successfully.

Is it possible to set the Web Portal to use "Domain\accountname" in order to authenticate with the domain account on the web site?

Cause

Auto-logon to Web Portals in PAM has limited capabilities. The only option is to mark the user name field, and PAM will fill it with the target account name as stored in PAM. There is no option for a more complex expression, such as adding a prefix to the account name or selecting the credential source from a drop-down menu.

Environment

Release : 4.0

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Active Directory target accounts have to be configured with a distinguished name, and it is the DN, not the Account Name, that PAM uses for credential management, i.e. password verifications and updates. It is therefore possible to set the Account Name in the target account to <domain>\<username> without losing the ability to manage the password of the account with PAM. This is a possible workaround if the account is NOT needed for RDP auto-login, only for Web Portal login, because the account name change would break auto-login using the RDP access method.

If you need to use the same account for RDP auto-login as well, you cannot use the above workaround. An alternative might be the User Principal Name (UPN), which does work with RDP auto-login. If your Web Portal also supports logging on with the UPN, configure the account with the UPN as the Account Name.

If neither account name option works for you, the only other alternative is to move away from a Web Portal service and use RDP transparent login instead, where the web portal is launched on an RDP jump server; see KB 105668 and the documentation page Set Up Transparent Login for RDP Servers.
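The following helper is an added example, not code from CA PAM or from this article; it shows how the three identity forms involved in the workarounds relate to each other and encodes the decision described in the Resolution. It assumes the target account's DN is in plain RFC 4514 form without escaped commas, and that the NetBIOS domain name (the part before the backslash) is supplied separately, because it cannot be derived from the DN. The sample DN and account values are constructed.

```python
"""Derive the Account Name candidates for a PAM Web Portal / RDP target account.

The DN stays unchanged in every case: PAM uses it for password verification and
updates, so only the Account Name field needs to carry the portal-friendly form.
"""
import re


def parse_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs.

    Handles the common unescaped case only; a comma preceded by a backslash is
    treated as part of the value, anything more exotic is out of scope here.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dns_domain_from_dn(dn):
    """Join the DC= components of a DN into the DNS domain name."""
    return '.'.join(value for attr, value in parse_dn(dn) if attr == 'DC')


def account_name_variants(dn, sam_account_name, netbios_domain):
    """Return every Account Name form discussed in the article.

    netbios_domain is an assumption passed in by the caller (e.g. "CORP");
    it is not recoverable from the DN.
    """
    return {
        'dn': dn,                                   # unchanged, used for credential management
        'plain': sam_account_name,                  # default PAM behaviour: account name only
        'domain_prefixed': f'{netbios_domain}\\{sam_account_name}',  # <domain>\<username>
        'upn': f'{sam_account_name}@{dns_domain_from_dn(dn)}',       # User Principal Name
    }


def choose_account_name(variants, needs_rdp_autologin, portal_accepts_upn):
    """Apply the article's decision rule.

    - Web Portal only:  <domain>\<username> works, but breaks RDP auto-login.
    - RDP as well:      UPN works for RDP and for portals that accept it.
    - Otherwise:        no Account Name form fits; use RDP transparent login
                        (returned as None so the caller can branch on it).
    """
    if not needs_rdp_autologin:
        return variants['domain_prefixed']
    if portal_accepts_upn:
        return variants['upn']
    return None


if __name__ == '__main__':
    # Constructed sample account; not a real target.
    variants = account_name_variants(
        'CN=svc_portal,OU=Service Accounts,DC=corp,DC=example,DC=com',
        'svc_portal', 'CORP')
    for needs_rdp, upn_ok in ((False, False), (True, True), (True, False)):
        print(needs_rdp, upn_ok, '->',
              choose_account_name(variants, needs_rdp, upn_ok) or 'RDP transparent login')
```

The function returns None for the case the article leaves without an Account Name solution, so a provisioning script can fall back to the RDP transparent login path instead of silently configuring an account that will fail auto-logon.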