Active Directory

Indeed PAM interacts with end users through an account that will read directory users and their attributes

Creating an account to use with user directory

1. Run the Active Directory Users and Computers snap-in
2. Open the context menu of organizational unit or container
3. Select Create - User item from the menu
4. Specify the user name, say, IPAMManager
5. Fill in the mandatory fields and complete the account creation

Alternatively, you can use an existing account.

Creating and configuring the service account to use with Active Directory

1. Start the Active Directory Users and Computers snap-in
2. Open the context menu of the Container or Organization Unit
3. Select Create - User item
4. Enter the name, for example IPAMService
5. Fill in the required fields and complete the creation of the account
6. Open the context menu of the created account and select the Properties item
7. Go to the Member Of tab and click Add
8. Search for the Domain Admins security group and click Ok
9. Save all changes

Or use an already created account.

Storage of media files and shadow copies

File storages are necessary for aggregation and long-term storage of videos, screenshots and files transferred in sessions.

File storage account

Create and configure file storage

1. Log in to the server, which will act as a file storage
2. Create folders, for example MediaData and ShadowCopy
3. Call the contextual menu of the folder you created, select the item Share with > Specific people.
4. Enter the username, for example IPAMManager and click Add.
5. In the "Permission level" column, click the Read value next to the IPAMManager user and select Read/Write from the menu.
6. Finish by clicking Share.

Data storage

Indeed PAM uses Microsoft SQL Server or PostgreSQL Pro to store data. The following components require databases:

• IPAMCore - Indeed PAM Core component database is used to store Indeed PAM privileged accounts, resources, permissions, and other service data
• IPAMTasks - The Indeed PAM Core component database is used to store scheduled tasks
• IPAMIDP - Indeed PAM IdP component database is used to store authenticators of Indeed PAM users and administrators
• ILS - The Indeed Log Server component database is used to store the Indeed PAM event

Database creation

Microsoft SQL Server

1. Run Microsoft SQL Management Studio (SSMS) and connect to Microsoft SQL Server instance
2. Open the context menu of Databases item
3. Select the New Database item
4. Specify a database name, for example IPAMCore, IPAMTasks, IPAMIdP, ILS
5. Click ОK

PostgreSQL, PostgreSQL Pro

1. Launch pgAdmin and connect to the PostgreSQL Pro server
2. Open the context menu of the Databases item 
3. Select Create, Database
4. Specify a database name, for example: IPAMCore, IPAMTasks, IPAMIdP, ILS
5. Click Save

Creating a service account to work with data storage

Microsoft SQL Server

1. Start Microsoft SQL Management Studio (SSMS) and connect to the Microsoft SQL Server instance
2. Expand the Security item
3. Open the context menu of Logins item
   
4. Select the Create login item
   
5. Enter the name, for example IPAMSQLService
6. Select SQL Server authentication item and fill in the required fields
7. Switch to User Mapping item
   
8. Check IPAMCore, IPAMTasks, IPAMIdP and ILS databases
   
9. Check database roles db_owner, db_datareader and db_datawriter
10. Click ОK

PostgreSQL, PostgreSQL Pro

1. Launch pgAdmin and connect to the PostgreSQL Pro server
2. Open the context menu of the Login/Group Roles item
3. Select Create, Login/Group Role
4. Specify a Name, for example IPAMSQLService
5. Go to Definition tab, enter the new password for account
6. Go to Privileges tab, check Yes for Can Login? and Superuser? items
7. Click Save, repeat for the rest of the databases.

IIS

The WEB Server role can be installed using the Powershell script located in the distribution folder \Misc\IISSetup. The script checks for IIS components and installs them if necessary.

Additional components Microsoft .NET Core 3.1 Hosting Bundle and URL Rewrite (from the MSComponents.zip archive) should be installed only after IIS.

Secret Generation for Applications

For Indeed PAM Core, Indeed PAM Gateway, SSH Proxy and ConsoleApp to interact with Indeed PAM IdP, you need to generate a key and its hash.

1. Go to Indeed.PAM_2.2.0\Misc\ConsoleApp folder
2. Edit file appsettings.json
3. Enter https://1 as a value for the parameter apiUrl
4. Enter https://2 as a value for the parameter idpUrl
5. Run Command prompt (CMD)
6. Run the Pam.ConsoleApp.exe utility with the generate-secret parameter
7. Save the secret and its hash

Service operations on Active Directory

Active Directory service operations are performed on behalf of the service account:

• Checking the connection to the Domain
• Domain accounts synchronization
• Checking the domain account password
• Changing the domain account password

Create a security group for Active Directory Privileged access accounts 

1. Start the Active Directory Users and Computers snap-in.
2. Open the context menu of the Domain, Container or Organization Unit
3. Select Create - Group item
4. Enter the name, for example IPAMPrivilegedAccounts
5. Select Global in the Group scope section
6. Select Security in the Group type section
7. Save the changes

Service operations for Windows resources

The following service operations are performed at Windows resources on behalf of the domain or local service account:

• Checking of connection to resources
• Synchronization of local accounts
• Checking of local account passwords
• Changing of local account passwords

Configuring a domain account as service one

1. Log in to resource
2. Run the Computer management snap-in
3. Switch to System tools - Local Users and Groups - Groups section
4. Open the context menu of Administrators group
5. Select Properties item
6. Click Add
7. Select the domain account to be used as service one for the resource and click OK

Configuring a local account as service one

If you plan to use local built-in administrator account as service account, then no additional configuration is required. Otherwise, proceed as follows:

1. Log in to resource
2. Run the Computer management snap-in
3. Switch to System tools - Local Users and Groups - Groups section
4. Open the context menu of Administrators group
5. Select Properties item
6. Click Add
7. Select the local account to be used as service one for the resource and click Ок
8. Run Windows registry editor (RegEdit)
9. Expand the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ branch
10. Open the context menu of System section
11. Select Create - DWORD (32-bit) Value
12. Specify the parameter name - LocalAccountTokenFilterPolicy
13. Open the context menu of LocalAccountTokenFilterPolicy parameter
14. Select Modify item and set the Value data:  equal to 1

Registry editing is required due to restrictions on remote WinRM management for all local accounts except for built-in administrator account.

Configuring a resource to use local accounts as service one

Synchronize accounts operation is performed using remote WinRM management. It is necessary to add the resource to the TrustedHosts list if local resource accounts are used as service ones.

Configuring the TrustedHosts list

1. Log in to the server on which Indeed PAM Core will be installed
   
2. Run Command line (CMD) as Administrator
3. Execute the following command:

winrm s winrm/config/client @{TrustedHosts="Resource1.demo.local, Resource2.demo.local, Resource3.demo.local"}

The specified resources shall be added to the TrustedHosts list.

@{TrustedHosts="Resource1.demo.local, Resource2.demo.local, Resource3.demo.local, NewResource.demo.local"}

Service operations for *nix resources

The following service operations are performed at *nix resources on behalf of the local service account:

• Checking of connection to resource
• Searching for local accounts
• Checking of local account passwords
• Changing of local account passwords

Creating and configuring a service account

1. Log in to resource.
2. Run Terminal.

3. Create a user, for example IPAMService:

   adduser IPAMService

4. Add the user to SUDO group
   

   usermod -aG sudo IPAMService

Configuring a group of privileged accounts

Automatic searching and adding of Access accounts to Indeed PAM is performed based on their permission to execute a SUDO command. To grant the permission to execute SUDO command, you need to edit the /etc/sudoers file.

SSL Configuration for Indeed PAM components

Secure interaction will require certificates for servers that have Indeed PAM components installed. The certificates can be generated using the standard Machine template.