Pass-Through Login Credentials

Pass-through of login credentials will automatically use the currently logged in PAM user account to also authenticate against the remote session.

This provides the benefit of not having to define a specific shared account to be used with this record’s connection and it will also provide a more seamless login experience for your users.

Also this pass-through credential option provides the benefit of being able to use your own login while auditing, recording and managing session access with workflows.

Please keep in mind that the pass-through credentials feature will only work with endpoints that support a User and Password login.

To configure Remote Pass-Through on a record:

  1. Create a new record or Edit an existing record that connects to a remote endpoint using a User and Password authentication method. For example, a Windows Host record type.
  2. In the User field, enter the value $forward or $login.

    3. FAQ-Login-Pass-Through-Record

  3. Optionally, you may remove the Password value.

  4. Click the Save and Return button when finished.

Now to test, simply login to PAM with a user account that has the appropriate permissions on this endpoint and click the Connect button on its record. PAM will pass-through the credentials used to login to it to the remote endpoint for session authentication.

To confirm, you can open the record’s Audit Log and observe which account was passed through to the remote endpoint as shown below.

 

FAQ-Login-Pass-Through-Audit-Event

 

Use $user placeholder instead of $login one to make the system to use user name as the login of the current user while still using the password on record to connect.

Note that $user, $login or $search placeholders might be used as a component of more complex pattern such as in this example: admin-$login. In this case, the system will generate user name based on the login of the current user and the pattern provided.

If the system user is supported with a UPN format, use $account placeholder instead of $login. The system will use the current logged in users credentials to connect to the record. (The $account placeholder will remove the "@domain" portion of the username, An example: admininstrator@pam will be replaced as administrator.)

Pass-through credentials only support connections to remote sessions (Web and/or Proxy Sessions). All Pass-through place holders such as $login, $user, and $account do NOT support the automation or execution of jobs/tasks.