By default, Goverlan Reach uses the operator’s credentials to authenticate and authorize the actions performed on a remote system. In the event an operator doesn’t hold enough privileges, Goverlan Reach automatically prompts for alternate credentials.
Specified system credentials can optionally be saved in the Goverlan Credential Manager for re-use. All persistent credentials are stored on the operator’s machine in an encrypted format and can only be used by the operator who created them. Saved credentials cannot be shared.
Alternate credentials can be specified for different services, including Native Windows Authentication, Microsoft RDP, VNC and Intel vPro. Additionally, credentials can be configured for a scope of systems: an Active Directory domain, an IP range or an external site.
Goverlan Reach supports Smartcards and can use a common access card to authenticate against remote machines.
Goverlan also supports Microsoft LAPS and can automatically query a system’s local administrator password from Active Directory in MS LAPS-enabled environments.
This user guide will describe how to configure and use alternate credentials in Goverlan Reach.
Providing Credentials as Needed
If you perform an action on a remote system that requires privileges not held by your account, Goverlan automatically prompts you for alternate credentials:
Specify the necessary credentials to continue with the operation. The user name must be in the format AUTHORITY\USERID where AUTHORITY is either a domain name, the machine name or ‘.’ to specify local credentials.
To make the specified credential persistent, enable the Save Credentials option. Goverlan credentials are saved in an encrypted local database which can only be used by the operator who created it.
Goverlan Credential Manager
All credentials registered in Goverlan can be managed using the Goverlan Credential Manager. To open the Credential Manager, click on the Application tab at the top left of the main window then select Credential Manager.
You can also access the Credential Manager from the Alternate Credentials section of the Goverlan General Settings area.
The Goverlan Credential Manager is used to view, update, remove or configure new credentials for individual computer systems or for scopes of machines.
Specifying Credentials for Individual Computers
- Click on the Add button and select Individual Computers or Servers
- Specify the computer name in the Target Name field. It is recommended to provide the computer name in FQDN or UNC format, for instance SomeMachine.Domain.com or Domain\SomeMachine. However, a short name or an IP address can also be provided.
- If you want to specify credentials for a group of individual computers, click on the […] button and generate the list of computers.
- You can also specify a partial computer name and click on the search button to query Active Directory for matching computer IDs.
Once the computer selection has been made, click on the Next button to provide credentials.
By default, provided credentials are used against the Native OS Authentication. However, you can also specify credentials for Microsoft RDP, VNC, and Intel vPro AMT.
How to Specify Local Computer Credentials
To specify a local account, use either the computer name (if a single computer is selected) or a period as the authority part of the user name, for instance SomeMachine\Administrator or .\Administrator.
Specifying Credentials for an IP Range
- Click on the Add button and select IP Range
- Specify a Range Name and an IP range and click on Next then provide the credentials to be used.
Specifying Credentials for an AD Domain
You must specify AD credentials if:
- Your account doesn’t hold enough privileges to perform Active Directory account management.
- You want to use alternate credentials to remotely administer the computers that belong to an AD domain.
- You need to activate MS LAPS support on a specific AD domain (see Enabling Microsoft LAPS Support for further information).
Click on the Add button and select Active Directory Domain, then specify the domain name in the Target Name field (you can also click on the Search button to browse through the list of AD domains) then click on Next.
Click on the Configure button to specify the domain credentials and if these credentials should be used only for AD account management or also for the remote administration of computers that belong to that domain:
Specifying Credentials for an External Site
Click on the Add button and select External Site, then specify the site name (or click on the Search button to browse through the list of available external sites), then click on Next.
Specify the credentials to be used against the selected external site:
- Specify a local administrator account for sites of individual computers.
- Specify a domain administrator account for sites of domain-joined computers.
Please refer to the Goverlan Reach Gateway User Guide for further information.
Enabling Microsoft LAPS Support
Goverlan Reach includes full support for MS LAPS environments. Once MS LAPS support is enabled, Goverlan Reach transparently queries MS LAPS passwords from Active Directory whenever elevated access is required. Goverlan Reach also keeps track of password expiration dates and refreshes the saved passwords accordingly.
Before you can use Microsoft LAPS in Goverlan Reach, you must enable it. You can do this in the General Settings area of Goverlan:
1. Click on the Application button on the top right corner of the application and select General Settings.
2. Select the Alternate Credentials section.
3. Check the Enable Microsoft LAPS Support option and click on OK or Apply.
Once you have enabled MS LAPS support in Goverlan Reach, you will be able to configure MS LAPS authentication for all machines that belong to an Active Directory domain, or use MS LAPS passwords on a per-machine basis. You will also be able to inject an MS LAPS password within a remote-control session to log in to the system.
Configuring MS LAPS Authentication at the AD Domain Level
This set-and-forget method allows you to enable MS LAPS for an entire Active Directory domain. Once you have done so, Goverlan Reach automatically uses MS LAPS to query and apply the local administrator’s password used to authenticate against all remote machines that belong to that domain.
Domain-wide MS LAPS authentication is required if you plan on using the Goverlan Reach IT Global Automation features, for instance to deploy software to your MS LAPS-enabled machines.
To configure domain-wide MS LAPS authentication, click on the Add button, select the Active Directory Domain type, specify the domain to target and click on Next.
Enable the Use Microsoft LAPS … option to activate MS LAPS support for the selected domain. If appropriate, modify the local administrator’s account name to use with MS LAPS, then click on OK.
Optionally, if your domain controllers are not under MS LAPS policy and you need to configure alternate credentials to perform account management, enable the Use the following credentials for AD Account Management option and specify the domain credentials.
Once configured, Goverlan automatically queries the MS LAPS password of a domain machine in AD and uses it with the specified local administrator’s account for remote system authentication.
What if my LAPS Policy is not configured Domain-Wide?
The MS LAPS policy may be assigned to specific OUs rather than at the domain level. In such cases, MS LAPS authentication may fail for systems that are not under the MS LAPS policy.
Goverlan does not allow MS LAPS-based credentials to be configured on a per-OU basis. However, if an MS LAPS password cannot be queried for a computer object, or if the MS LAPS password is empty, Goverlan automatically falls back to the standard authentication methods (either the credentials configured in the Credential Manager or the operator’s own credentials).
Consequently, authenticating to a non-MS LAPS system within an MS LAPS-enabled Active Directory domain is transparent, apart from a warning message in the Goverlan Console window.
If Goverlan keeps prompting for credentials for non-MS LAPS computers instead of falling back to standard authentication, make sure that the ms-Mcs-AdmPwd AD attribute for these computers is empty. If it is not, Goverlan will attempt to use that password and will fail.
LAPS Authentication on a Per-System basis
You can also use MS LAPS passwords on a per-system basis. When Goverlan prompts for the credentials of a domain joined computer, the password field will include a [use LAPS] button that queries the MS LAPS password in AD and populates the password field.
This method populates the password field with the local administrator’s password value as defined in Active Directory. You must provide the correct value for the local administrator’s user ID in the user name field.
If you do not see the [use LAPS] button, make sure that:
- Microsoft LAPS is enabled in the Goverlan General Settings area under Alternate Credentials.
- The name of the machine for which credentials are prompted has a format from which domain information can be derived, for instance FQDN or UNC format (e.g. DOMAIN\MachineName). If the machine name is a NetBIOS name or an IP address, Goverlan cannot determine the Active Directory domain for that machine and will not display the use LAPS option.
Once LAPS-based credentials are configured for a computer, they are remembered by Goverlan (unless you cleared Save Credentials). Saved computer MS LAPS credentials can be viewed in the Credential Manager.
What happens when a LAPS password expires?
Goverlan automatically manages MS LAPS password expiration events. When a computer’s MS LAPS password is saved in the Credential Manager, the current value of the password is reused as needed until its expiration date, at which time Active Directory is automatically queried for the updated value of the password.
If you manually reset the LAPS password or the password expiration time stamp of your systems, the credentials saved in Goverlan may be out of sync. This is not a problem: Goverlan will prompt you to update the credentials of any system for which it failed to authenticate. Simply update the password using MS LAPS.
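As an added example (not Goverlan’s own code), the following PowerShell audits the two AD-side conditions that the fallback and expiration behaviour described above depend on: whether ms-Mcs-AdmPwd is populated for computers outside the OU your LAPS policy is linked to (which causes the failed-authentication symptom), and whether the stored expiration time has already passed. It assumes the ActiveDirectory RSAT module and a hypothetical OU distinguished name, and it never outputs the password value itself.

```powershell
# Added example, not part of Goverlan Reach. Requires the ActiveDirectory RSAT module.
# Reports, per computer object, whether ms-Mcs-AdmPwd is populated and when it
# expires. The password value is tested for presence only and is never emitted.
function Get-LapsAttributeAudit {
    param(
        [string]$SearchBase,    # DN to search under; omit to search the whole domain
        [string]$LapsScopedOu   # assumed: DN of the OU the MS LAPS policy is linked to
    )
    $query = @{
        Filter     = '*'
        Properties = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    $now = [DateTime]::UtcNow

    foreach ($c in Get-ADComputer @query) {
        # If the querying account lacks read rights on ms-Mcs-AdmPwd the attribute
        # comes back empty, which looks the same as "no LAPS password" here.
        $hasPwd = -not [string]::IsNullOrEmpty($c.'ms-Mcs-AdmPwd')

        $expires = $null
        if ($c.'ms-Mcs-AdmPwdExpirationTime') {
            # Stored as a Windows FILETIME (100-ns ticks since 1601-01-01, UTC)
            $expires = [DateTime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
        }

        # A computer is "in scope" when its DN sits under the LAPS-linked OU
        $inScope = $true
        if ($LapsScopedOu) { $inScope = $c.DistinguishedName -like "*,$LapsScopedOu" }

        $state = if (-not $hasPwd)          { 'NoLapsPassword' }        # fallback auth applies
                 elseif (-not $inScope)      { 'PasswordOutsideLapsOu' } # clear the attribute
                 elseif ($null -eq $expires) { 'PasswordWithoutExpiry' }
                 elseif ($expires -lt $now)  { 'Expired' }               # AD will be re-queried
                 else                        { 'Current' }

        [pscustomobject]@{
            Name       = $c.Name
            HasLapsPwd = $hasPwd
            ExpiresUtc = $expires
            State      = $state
        }
    }
}

# Usage (hypothetical OU): show every computer that is not simply 'Current'
Get-LapsAttributeAudit -LapsScopedOu 'OU=Workstations,DC=example,DC=com' |
    Where-Object State -ne 'Current' | Format-Table -AutoSize
```

Computers reported as PasswordOutsideLapsOu are the ones the troubleshooting note above refers to: clearing their ms-Mcs-AdmPwd attribute lets Goverlan fall back to standard authentication.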
LAPS support during a Remote-Control Session
During a remote-control session to an MS LAPS-enabled computer, you may need to log in to the remote system using the local administrator’s account. Since Windows doesn’t allow clipboard operations in its password field, Goverlan allows you to inject the LAPS password as if it had been typed at the keyboard.
To do so, set the cursor focus to the password field of the local administrator’s login on the remote machine, then click on the (Inject LAPS Password) control located at the top right corner of the viewing area:
Injecting alternate credentials during Remote Control
When using alternate credentials to connect to remote systems, use the Inject Password feature to supply the password as needed.
Smart Card Authentication
Goverlan offers full support for PIV / CAC smart card authentication and redirection.
Configuring alternate credentials using smart card authentication works the same way as described above. However, when prompted for credentials, insert the smart card into the reader, then select the desired smart card identity to authenticate against the configured scope.
Once smart card authentication has been configured, you must keep your smart card in the reader for the authentication to succeed.