Auto Logon Helper

Automatically Logging in to Remote Systems & Applications
 

Passwords of remote systems and applications are stored in PMP. Normally, to log in to the systems and applications, you need to copy the password from PMP and paste it into the target system. PMP provides an option for automatically logging in to the target systems and applications directly from the PMP web interface, eliminating the need to copy and paste passwords.

 

From version 6500 onwards, PMP provides two kinds of Auto Logon mechanisms: the Auto Logon Gateway and Auto Logon Helper Scripts.

How does this auto logon feature work?

Auto Logon Gateway

From version 6500, PMP comes bundled with RDP, SSH and Telnet session gateways. This allows users to launch remote terminal sessions from their browser that are tunneled through the PMP server. The remote terminal sessions are emulated in the browser screen itself, and hence there is no need to install any plug-in or agent on any end-point. The only requirement is that the browser be HTML 5 compatible (for example IE 9 or above, FF 3.5 or above, Safari 4 or above, or Chrome).


As soon as an administrator adds a resource that supports one of these remote terminal session types, the feature becomes available to all users in the system who have access to that resource, with no further configuration anywhere. In addition, the 'Auto Logon' sub tab under the 'Home' tab will allow users to easily locate remote accounts and launch a session with a single click.

 

The entries in the 'Auto Logon' page with the names 'Windows Remote Desktop', 'SSH' and 'Telnet' belong to this type and come out-of-the-box. No additional configuration or management is required for these types other than modifying their names for your convenience. Resource-level configuration, such as the SSH port to connect to (if different from the default 22) or logging in to a Windows machine using a domain service account, can be performed for a specific resource or for a set of resources.

Auto Logon Helper Scripts

This can be enabled by configuring helper scripts which will be invoked by the browser on the user's machine. The script is nothing but a command specific to the operating system, which the users normally use to connect to the target systems (for example telnet, rdp, putty etc.). Due to inherent security restrictions in browsers, users have to download and install browser-specific plug-ins once to be able to invoke operating system commands.


Example 1

 

Assume you have 10 resources - Windows servers. You have stored the login accounts and passwords of these 10 resources in PMP. You want to directly login to these resources from PMP web-interface. You will connect the PMP web-interface from both Windows and Linux systems. For auto logon, you need to do the following:

 

Create a 'helper script' by providing the command to establish a connection to the target system. The command has to be written specific to the operating system from which the PMP web-interface will be connected. That is, if you connect to the PMP web-interface from Windows, the command has to be Windows specific: enter the command that you would normally use to invoke an MSTSC session in Windows. If you connect to the web interface from Linux, enter the command to invoke a Remote Desktop (RDP) connection. By doing so, whether you connect to the PMP web-interface from Windows or Linux, you will be able to establish the connection automatically.


Example 2

 

Assume you have 10 resources - Cisco devices and Unix servers. You have stored the login accounts and passwords of these 10 resources in PMP. You want to directly login to these resources from PMP web-interface. You will connect the PMP web-interface from Windows. For auto logon, you need to do the following:

 

Create a 'helper script' by providing the command to establish a connection to the target system. The command has to be written specific to the operating system from which the PMP web-interface will be connected. That is, if you connect to the PMP web-interface from Windows, the command has to be Windows specific: enter the command that you would normally use to invoke a PuTTY session in Windows. Instead of PuTTY, you can also enter the command for TELNET.

PMP has no control over the command other than invoking it, and it does not process the result of the command. The helper script you supply is stored in the same database as the other information, so it benefits from the same security and, if backup is configured for the PMP database, the same backup. The command is invoked with the same privileges as the user account running the browser that is accessing the PMP application.

Difference Between Gateway and Helper Script Methods - When to Use, What?

| Description | Auto Logon Gateway | Auto Logon Helper Scripts |
|---|---|---|
| Supported for | Windows RDP, SSH and Telnet | No restrictions. Any program can be invoked from the user machine |
| Requisites | The user's browser should be HTML 5 compatible. No other requisite | Should install browser version specific plug-ins. The program to execute should be available in all machines that the end users will use |
| When to use | When you are sure that the remote systems support one of Windows RDP, SSH or Telnet | When you are not sure of the type of remote connection, you can configure multiple options and let the users choose |
| Benefits | Very reliable. Connections are tunneled through the PMP server, so the user needs connectivity only to the PMP server and can still launch remote sessions to multiple end points | No apparent benefit other than the flexibility of multiple options |
| Security | Extremely secure as the passwords for remote sessions do not even come to the browser. Traffic encryption at every hop is ensured by PMP | Not very secure after the control is transferred to the launched program. Installing browser plug-ins is not a secure practice |
| PMP Recommendation | Recommended | Not recommended unless you understand the implications and are left with no choice |


How to set up auto logon?

Configuring Auto Logon Gateway

As mentioned above, PMP comes bundled with RDP, SSH and Telnet session gateways. This allows users to launch remote terminal sessions from their browser that are tunneled through the PMP server. The remote terminal sessions are emulated in the browser screen itself, and hence there is no need to install any plug-in or agent on any end-point. The only requirement is that the browser be HTML 5 compatible (for example IE 9 or above, FF 3.5 or above, Safari 4 or above, or Chrome).


Auto Logon configuration while adding resources

 

When administrators add a resource that supports one of these remote terminal session types, the configuration for Auto Logon has to be made in Step 3 of the resource addition process.

Port Requirements

 

The Windows RDP Auto Logon Gateway listens on port 7273 by default. This is a secure web socket port (wss://), and you should allow traffic to this port from the end-user machines for this to work. You can change this port from Admin >> General >> Server Settings >> Remote Desktop Gateway Port. The PMP web server (7272 by default) and this gateway must listen on different ports.

 

Important Note: When PMP is installed, it generates a self-signed SSL certificate for the instance, which is also used by the Auto Logon Gateway to encrypt the traffic. It is recommended that you apply a CA-signed certificate to the PMP instance before opening it up to end users. With a self-signed certificate, connecting to the gateway is not possible unless users explicitly enter the gateway port in the URL, accept the warning and install the self-signed certificate. (For steps to generate a unique SSL certificate, refer to this section of our site).


The SSH and Telnet Gateways have no such requirement as they use the same PMP web server port for all communication.

 

Configuring Auto Logon Script

Step 1: Add 'Helper' Script

 

In the UI that pops up, provide the details as described in the steps below.

Steps 2 & 3: Entering 'Name' & Commands for the Helper Script

As mentioned above, auto logon can be enabled by configuring helper scripts which will be invoked by the browser on the user's machine. The script is nothing but a command specific to the operating system, which the users normally use to connect to the target systems (for example telnet, rdp, putty etc.). Due to inherent security restrictions in browsers, users have to download and install browser-specific plug-ins once to be able to invoke operating system commands.

You can configure the individual commands required for Windows and Linux systems respectively and map the relevant target system type. For a particular target system type, there can be more than one method to connect and hence you can map any number of commands to a single target system type.

 

You need to provide a 'Name' (a label or an alias) for the command, which the users will click against a password to log in to the remote system. When there are multiple commands configured for a target system type, all the command names will be listed in a menu for the user to choose from.

In addition, if the 'Resource URL' attribute is set for the resource, the menu will also include a label 'Open URL' which will open the URL in a new browser window. If the attribute has the usual placeholders, they will be substituted in the URL query string appropriately. (Refer to the section below to configure the Resource URL attribute).

 

The following example will make you understand this step with ease:

 

Assume that your requirement is to connect to a remote system automatically from PMP by establishing a telnet connection, you need to do the following:

 

You need to write the command for establishing a telnet connection to the target system. The command has to be written specific to the operating system from which the PMP web-interface will be connected. That is, if you connect to the PMP web-interface from Windows, the command has to be Windows specific: enter the command that you would normally use to invoke a telnet session in Windows. However, it is advisable to enter the commands for establishing the connection from Windows and from Linux separately. By doing so, whether you connect to the PMP web-interface from Windows or Linux, you will be able to establish the connection automatically.

 

It is pertinent to take note of the following before creating your commands:

 

You can use the following place holders in your command string: %RESOURCE_NAME%, %DNS_NAME%, %ACCOUNT_NAME% and %PASSWORD%.

These place holders will be replaced with their respective values at the time the commands are invoked.

 

Also, the command configured will be invoked as is on the user machines and hence it is recommended to ensure that the PATH environment variable is properly set or the command be located in the same execution path in all the user machines.

 

Invoking Direct Connection to URLs

 

If you want to open a connection to a URL automatically in a browser window, you can specify the URL through the 'Resource URL' field while adding or editing a resource. You can even specify the user name and password in the URL to log in to the resource directly. For security reasons, PMP provides the option of using place holders to avoid putting the user name, password etc. in plain text in the URL. At the time of URL invocation, PMP substitutes the respective data for the place holders and submits the data by the 'POST' method. At no point during the URL invocation is the password visible to the users.

 

The following four place holders are allowed: %RESOURCE_NAME%, %DNS_NAME%, %ACCOUNT_NAME% and %PASSWORD%

Examples for using the place holders in the URL:


(1) Assume that you have a resource named 'abc' and on typing the resource name in the browser as http://abc you can access an application. In this case, you can enter the resource url with placeholder as shown below:

http://%RESOURCE_NAME%


(2) Assume you have an application running on port 7272 and you can access it through the DNS name of the host where it runs. You can make use of the placeholder and construct the URL as below:

https://%DNS_NAME%:7272


In case, you wish to supply the username and password for the application and directly login to the resource, you can construct the URL as below:

https://%DNS_NAME%:7272/j_security_check?j_username=%ACCOUNT_NAME%&j_password=%PASSWORD%&domainName=LOCAL
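The following Python is an added illustration of what "substitute the place holders and submit by POST" amounts to for a Resource URL like the one above; it is not PMP's own code, and the way PMP internally splits the URL is not described on this page. The field names j_username, j_password and domainName come from the example URL; the resource values are constructed samples, and the password deliberately contains '&' and '=' to show why the values must be form-encoded per field rather than pasted into the URL string.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# The four place holders this page documents for Resource URLs and helper commands.
PLACEHOLDERS = ("%RESOURCE_NAME%", "%DNS_NAME%", "%ACCOUNT_NAME%", "%PASSWORD%")

# Constructed sample values for one resource; not real hosts or credentials.
SAMPLE_VALUES = {
    "%RESOURCE_NAME%": "abc",
    "%DNS_NAME%": "abc.example.test",
    "%ACCOUNT_NAME%": "svc-app",
    "%PASSWORD%": "p@ss&word=1",  # contains '&' and '=' on purpose
}


def fill(text, values):
    """Replace the documented place holders in a string; anything else is left untouched."""
    for key in PLACEHOLDERS:
        text = text.replace(key, values.get(key, key))
    return text


def build_post_request(resource_url, values):
    """
    Split a Resource URL template into the request URL and the query-string
    parameters that are moved into a POST form body.

    Returns (post_url, fields, body). Place holders in the host and path are
    filled directly; place holders in the query are filled per field and then
    form-encoded, so a password containing '&' or '=' stays inside its own
    field and never appears in the URL itself.
    """
    parts = urlsplit(resource_url)
    post_url = urlunsplit(
        (parts.scheme, fill(parts.netloc, values), fill(parts.path, values), "", "")
    )

    # Split the query by hand: urllib's parse_qsl would percent-decode the raw
    # template and mangle tokens such as %ACCOUNT_NAME% before substitution.
    fields = []
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields.append((name, fill(value, values)))

    body = urlencode(fields)
    return post_url, dict(fields), body


if __name__ == "__main__":
    template = (
        "https://%DNS_NAME%:7272/j_security_check"
        "?j_username=%ACCOUNT_NAME%&j_password=%PASSWORD%&domainName=LOCAL"
    )
    url, fields, body = build_post_request(template, SAMPLE_VALUES)
    print("POST", url)
    print("body:", body)
    # The secret is only ever in the form body, never in the URL.
    assert "%PASSWORD%" not in url and SAMPLE_VALUES["%PASSWORD%"] not in url
```

The point of the per-field substitution is that the credential becomes one encoded form value: a password such as the sample one cannot break the request into extra parameters, and the URL that ends up in browser history or proxy logs carries only the host and path.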

 

 

In the text field against "Command to invoke in Windows", enter the command for invoking auto logon from PMP web interface connected in Windows. For example, to establish telnet connection to a remote system automatically from the PMP web interface connected in Windows, enter the command as follows:

 

telnet %DNS_NAME% -l %ACCOUNT_NAME%

 

PMP will take care of replacing the values of the respective place holders.

 

Similarly, in the text field against "Command to invoke in Linux", enter the command for invoking auto logon from PMP web interface connected in Linux. For example, to establish telnet connection to a remote system automatically from the PMP web interface connected in Linux, enter the command as follows:

 

konsole -e telnet %DNS_NAME% -l %ACCOUNT_NAME%
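As an added example (not PMP's code), the Python below shows what happens to the place holders in the Windows and Linux commands above, and what an approving administrator can check before a helper script goes live. The page states that PMP invokes the configured command "as is", which `render_string` reproduces; `render_argv` is an alternative, shown for contrast, that substitutes into already-split arguments so a value containing a space stays one argument. `audit_template` applies the page's own cautions as checks: the PATH requirement, the supported place holder set, and the note that control over the password is lost once it is handed to the launched program. The sample values and the `putty -pw` template are constructed.

```python
import re
import shlex

PLACEHOLDERS = ("%RESOURCE_NAME%", "%DNS_NAME%", "%ACCOUNT_NAME%", "%PASSWORD%")
PLACEHOLDER_RE = re.compile(r"%[A-Z_]+%")

# Constructed sample values; the account name deliberately contains a space.
SAMPLE_VALUES = {
    "%RESOURCE_NAME%": "web01",
    "%DNS_NAME%": "web01.example.test",
    "%ACCOUNT_NAME%": "svc acct",
    "%PASSWORD%": "s3cret",
}


def render_string(template, values):
    """Plain text substitution over the whole command line, i.e. 'invoked as is'.
    A value with spaces or shell metacharacters changes how the line is split later."""
    for key in PLACEHOLDERS:
        template = template.replace(key, values.get(key, key))
    return template


def render_argv(template, values):
    """Contrasting approach: tokenize the template first, then substitute inside each
    token, so every value stays exactly one argument (suitable for
    subprocess.run(argv) without a shell). shlex posix mode is used; a template
    containing Windows backslash paths would need posix=False."""
    return [render_string(token, values) for token in shlex.split(template)]


def audit_template(template):
    """Checks an approving administrator can run on a proposed helper command.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    tokens = shlex.split(template)
    if "%PASSWORD%" in template:
        findings.append(
            "password passed on the command line: readable from process listings "
            "and shell history on the user's machine once the program is launched"
        )
    if tokens and not any(sep in tokens[0] for sep in ("/", "\\")):
        findings.append(
            f"'{tokens[0]}' is resolved through PATH; it must exist at the same "
            "location on every user machine"
        )
    for token in PLACEHOLDER_RE.findall(template):
        if token not in PLACEHOLDERS:
            findings.append(f"{token} is not a supported place holder and would be passed literally")
    return findings


if __name__ == "__main__":
    linux_cmd = "konsole -e telnet %DNS_NAME% -l %ACCOUNT_NAME%"
    print(render_string(linux_cmd, SAMPLE_VALUES))   # 'svc acct' becomes two words
    print(render_argv(linux_cmd, SAMPLE_VALUES))     # 'svc acct' stays one argument
    for finding in audit_template("putty -l %ACCOUNT_NAME% -pw %PASSWORD% %DNS_NAME%"):
        print("finding:", finding)
```

Run against the page's own Linux command, `render_string` yields a line whose account name has split into two words, while `render_argv` keeps six arguments; the audit of the constructed PuTTY template reports two findings (password on the command line, and a bare program name resolved through PATH) and reports nothing for a command given by absolute path with only supported place holders.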

Step 4: Map Commands with the Resource Types

After creating the required commands as detailed above, you need to select the 'Resource Types' for which you wish to map the helper commands.

 

For example, assume you have created helper script for connecting to remote systems via PuTTY (from PMP web-interface), you can map the command to the following resource types: All UNIX resources and Cisco devices.

 

If you do so, the auto logon to remote systems via PuTTY will be enabled for all the resources belonging to the above three resource types. When you view those resources, you will find "Connect To" icon as shown below. The command names associated by you to that resource type will be visible in the list. (Complete Step 6 below before trying to check this step in your setup, otherwise the data entered in this UI till now will not be saved).

 

For a particular target system, there can be more than one method to connect (telnet, PuTTY, RDP etc.) and hence you can map any number of commands to a single target system type. All the command names associated with the resource type will be displayed on the "Connect To" icon.

Step 5: Request for Approval

As explained above, the helper script is invoked with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts/commands, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP. When an administrator adds a helper script, PMP does not invoke it unless it has been approved by another administrator. The same process is followed when the helper script details are edited by an administrator. These operations can be performed by any two administrators and are audited.

 

Helper scripts can be added only by PMP administrators, and a script thus added has to be approved by another administrator. So the helper script you create will remain pending for approval. Select an administrator from the drop-down to send the approval request. A mail will be sent to that administrator notifying them of the approval request.

 

If you are an administrator and another admin has requested you to approve a script, navigate to "Admin" >> "Customize" >> "Auto Logon" and click the link present under "Approval Status". Once it is approved, the helper script will take effect.

 

Click "Save". The required auto logon helper has been created. The helper script creation and approval events are all audited in PMP.

Invoking Auto Logon

Through Auto Logon Gateway

As soon as an administrator adds a resource that supports one of the three remote terminal session types (Windows RDP, SSH and Telnet sessions), the feature becomes available to all users in the system who have access to that resource, with no further configuration anywhere. The 'Auto Logon' sub tab under the 'Home' tab allows users to easily locate remote accounts and launch a session with a single click.


Through Auto Logon Helper Script

To automatically connect to a particular resource, navigate to the 'Resources' tab and click the required resource. Click the "Connect To" icon present against the required user account. A list of the commands supported for that resource will be displayed. Click the required command.

 

The command configured will be invoked as is on the user machines and hence it is recommended to ensure that the PATH environment variable is properly set or the command be located in the same execution path in all the user machines. The command string will have these place holders %RESOURCE_NAME%, %DNS_NAME%, %ACCOUNT_NAME% and %PASSWORD% which will be replaced with respective values at the time of invocation.

 

PMP has no control over the command other than invoking it and also does not process the result of the command. The helper script supplied will be stored in the same database as the other information, which provides security as well as backup, if it is configured for the PMP database.

On the first invocation only, you will have to install browser plug-ins as explained below:

 

Due to inherent security restrictions in the browsers, as a one-time activity, you need to download and install browser specific plug-ins to invoke operating system commands.

 

To install plug-in for Internet Explorer

 

When you click the 'Connect To' icon of a resource, you will get a security warning pop-up. The pop-up will ask if you want to install that plug-in, with publisher name ZOHO Corp. Click 'Install'. The plug-in will be installed.

 

To install plug-in for Firefox

Once you do this, you will be able to login automatically.


©2014-12, ZOHO Corp. All Rights Reserved.