OneSign Web Console Session using PAM RemoteApps
Among other methods, part of the management of Imprivata OneSign is done through the use of Web Portals; one for the administration of the product and a second for the administration of the appliance. The security of both portals may be vital to the continued, uninterrupted use of OneSign.
With the use of the RemoteApp feature of Imprivata PAM, it is now possible to securely vault the privileged credentials of your OneSign deployment and to safely provide remote access to one or both OneSign Web Portals. This remote access can not only be provided on an “as needed” basis using powerful Permission and Workflow options, but it can also provide auditing and session recording capabilities to maintain strict compliance and security of OneSign.
The guide provided in this article is designed to teach Imprivata PAM Administrators how to configure the RemoteApp feature to start securing their OneSign Web Portal access.
Before we can begin, let’s cover the pre-requisites.
Pre-requisites
- Fully implemented, configured, and working Windows Remote Desktop Services Host (RDS) with Published RemoteApp functionality enabled. You will need access to the host to install our PAM Auto Shell program and to make it a Published RemoteApp Program. This RDS Host will be used by PAM to launch a Google Chrome browser to access the OneSign Web Portals.
- In your RDS Collection’s User Groups configuration, add a valid User or Group that PAM can use to connect to this RDS host, using RDP, to access our published RemoteApp.
- In your RDS Collection’s Client Settings configuration, both the Drives and Clipboard options must be enabled.
- Google Chrome must be installed on the RDS Host server and accessible by the PAM account to launch the browser. We recommend you disable Chrome’s Password Manager feature when using it with PAM.
- The OneSign web URL for each console you wish to provide remote access to, and valid credentials for authentication into the console.
- Imprivata PAM using at least version 2.3.202203271414, released on March 27, 2022, and a valid System Administrator account to perform this configuration.
Deploy and Publish the PAM App Launcher
This first step is to deploy the PAM App Launcher to your RDS Host and publish it as a RemoteApp Program. Next, we will enable RDP connections to this host and install Google Chrome.
- Obtain the PAM App Launcher from your PAM deployment, located at $PAM_HOME\pkg\pam-app-launcher.zip. Copy this zip file to your RDS host server.
- On RDS, extract this zip and copy its content to a non-temporary location on the host. We will use C:\app as the example location in this guide. When extracted to C:\app, this path will contain 2 files, XtAutoShell.exe and PamRemoteApp.jar, and 1 directory, Include.
- Publish XtAutoShell.exe as a new RemoteApp Program in your RDS collection.
- Enable Remote Desktop to this host and assign the Windows permission required to start an RDP session to the account that PAM will later use.
- If not already installed, install the Google Chrome web browser on your RDS host and note the installation path.
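Before moving on, the following PowerShell pre-flight check can be run on the RDS host to confirm the deployment steps above. It is an added example written for this article, not Imprivata's App Launcher or an Imprivata-provided script; it assumes the App Launcher was extracted to C:\app, that Chrome sits at its default install path, and that the RemoteDesktop module is available for the RemoteApp check. It also reports the Chrome Password Manager policy and the single-session-per-user restriction covered in the Troubleshooting section below.

```powershell
# Added pre-flight check for the RDS host used by PAM RemoteApp sessions.
# Not part of the PAM App Launcher; the paths below are assumptions for this guide.
$launcherDir = 'C:\app'                                                # extraction location used in this guide
$chromeExe   = 'C:\Program Files\Google\Chrome\Application\chrome.exe' # must match Local $CHROME_EXE= in the PAM script

$results = [ordered]@{}

# 1. App Launcher files present in a non-temporary location
foreach ($f in 'XtAutoShell.exe', 'PamRemoteApp.jar') {
    $results["Launcher file $f present"] = Test-Path (Join-Path $launcherDir $f)
}
$results['Launcher Include directory present'] = Test-Path (Join-Path $launcherDir 'Include')

# 2. Chrome installed at the path the PAM script expects
$results['Chrome executable present'] = Test-Path $chromeExe

# 3. Remote Desktop enabled and the RDP listener port open (default 3389)
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$port = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").PortNumber
$results['Remote Desktop enabled']   = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)
$results["RDP port $port listening"] = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

# 4. Chrome Password Manager disabled by policy (otherwise Chrome prompts to save the vaulted password)
$pm = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Google\Chrome' -ErrorAction SilentlyContinue).PasswordManagerEnabled
$results['Chrome Password Manager disabled by policy'] = ($pm -eq 0)

# 5. Single-session-per-user restriction (cause of session error 521 when a second user connects).
#    The policy value wins when set; otherwise the machine value applies (1 = restricted, the default).
$single = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue).fSingleSessionPerUser
if ($null -eq $single) { $single = (Get-ItemProperty $ts).fSingleSessionPerUser }
$results['Multiple RDP sessions per user allowed'] = ($single -eq 0)

# 6. XtAutoShell published as a RemoteApp (requires the RemoteDesktop module on an RDS management host)
if (Get-Command Get-RDRemoteApp -ErrorAction SilentlyContinue) {
    $apps = Get-RDRemoteApp -ErrorAction SilentlyContinue
    $results['XtAutoShell published as RemoteApp'] = [bool]($apps | Where-Object { $_.FilePath -like '*\XtAutoShell.exe' })
}

# Print one OK/FAIL line per check
foreach ($check in $results.GetEnumerator()) {
    '{0,-4} {1}' -f $(if ($check.Value) { 'OK' } else { 'FAIL' }), $check.Key
}
```

Run it in an elevated PowerShell session on the RDS host; a FAIL on check 5 or on the Password Manager check is expected unless you have already applied the workarounds described under Troubleshooting.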
Modifying the PAM RemoteApp Script
This step may not be required if your RDS deployment is configured identically to the default script. However, if necessary, you can make the adjustment below to suit your environment.
- Log in to PAM using a System Administrator account and navigate to Administration > Scripts.
- Locate the script named Remote Application OneSign Appliance Console and click its Edit button.
- At the beginning of this script, locate the line Local $CHROME_EXE= and confirm that the Chrome application path shown is identical to the location where Chrome is installed on your RDS host. If it is not correct, modify the path as needed.
- Click the Save button if any changes were made to the script.
Enabling Record Types
Next, we need to enable the required Record Types to make them available for record creation.
- Navigate to Administration > Record Types and click the checkbox next to the following types:
  - Remote App Host;
  - OneSign Appliance Console;
  - OneSign Admin Console (optionally, if you wish to support the OneSign Admin Console).
- With the two (or three) Record Types checked, scroll to the top of the page and click the Bulk Actions > Enable option to enable your selected types.
Creating Records to Support OneSign RemoteApp Sessions
Now we will create the records required to allow users to securely connect to your OneSign web console session through the PAM RemoteApp feature.
- Navigate to Records > All Records and (optionally) create a new container. A container is not required, but it allows the records to be more organized.
- Within your chosen location, select Add Record > Remote App Host to create your first record. This record will be used by PAM to create the required RDP connection to your RDS host server to launch the Chrome browser. Create this record using the guidance provided below and click the Save and Return button when finished.
  - Name: (required) enter a name of your choice for this Remote App Host record
  - Description: (optional) enter a record description
  - Reference Record: leave blank
  - Host: enter the Host Name or IP address of your RDS Host server
  - Port: define the RDP port of your RDS host server (default is 3389)
  - User: enter the Username of the account that will connect via RDP to your RDS Host server and launch the PAM App Launcher published RemoteApp
  - Password: enter the valid password of this account
  - Filter: OneSign Appliance Console, OneSign Admin Console
  - Remote App Platform: select Windows RDS from the dropdown
  - Enabled: check the box
- Return to the container where you created this record and create a second record by selecting Add Record > OneSign Appliance Console. This record will contain the information required to connect to your OneSign Appliance web console. Create this record using the guidance provided below and click the Save and Return button when finished.
  - Name: (required) enter a name of your choosing for this OneSign Appliance Console record
  - Description: (optional) enter a record description
  - Reference Record: leave blank
  - Url: enter the full web URL to your OneSign Appliance Console’s login page
  - User: enter the username of the account that can log in to this web console
  - Password: enter the valid password of this account
TIP: If you plan to also support the OneSign Admin Console, then repeat this section to create a third record using the Add Record > OneSign Admin Console option. Please note that when entering the User for your OneSign Admin Console record, you must use the full account name, like user@domain.com.
Testing your Session Connections
Finally, it is time to try your OneSign Appliance Console remote session.
- Open your OneSign Appliance Console record and click the Connect or Connect and Record button.
- A new session will begin. PAM will first establish an RDP connection to your RDS host server using your Remote App Host record.
- Once this RDP session is successfully connected, the PAM App Launcher will automatically open and begin the process of launching the Chrome browser.
- After the PAM App Launcher completes its operation, a Chrome browser will appear and PAM will begin the connection process. It will automatically enter the URL into the browser and, after the login page loads, it will enter the User and Password and finally log in to your OneSign Appliance Console. The user cannot interact with the session until the automated process is complete.
- You may now navigate the OneSign Appliance Console using the credentials stored in the PAM vault. When you are finished, you can log out of the OneSign Console and close the RDS Chrome browser to complete your PAM session.
- If you selected the Connect and Record option, you may choose to review your recorded session now.
Troubleshooting and Tips
Below you can find some common issues or tips that may help with this RemoteApp feature of PAM.
- The initial remote session to your RDS server fails with a session error 519 or 768.
  - This failure is usually caused by an incorrect host, port, or domain credentials stored in the record. Please verify that your User and Password are accurate and confirm with your RDS Administrator that the Host and Port are accurate. You should also make sure that RDP access to this host is available and this domain account is permitted to connect with this RDP session.
- The initial remote session to your RDS server fails with a session error 771: Access Denied.
  - This failure typically occurs when the account defined in your Remote App Host record lacks the required permission in your RDS Collection to connect to the RD Session Host server and access published RemoteApp programs.
  - In your RDS Collection settings, open the User Groups section and add the account from your Remote App Host record.
- PAM App Launcher starts and executes the script, but quickly fails and my session completes.
  - This may be caused by an incorrect application path for the Chrome browser on your RDS Host server as defined in the PAM script. Please review the section above that discusses how to modify this path in the PAM script.
- I receive the error message: Initial program cannot be started: <path\XtAutoShell.exe>
  - XtAutoShell.exe was not found in the location defined in the RDS Published RemoteApp Program. Check this published RemoteApp in your RDS Collection and make any required changes to the RemoteApp program location.
- I receive the error message: Initial program cannot be started: XtAutoShell
  - XtAutoShell was not published in your RDS collection. Check your RDS Collection and publish the XtAutoShell app as described earlier in this article.
- The automatic process of inputting the Url, User, or Password values into the login page of my console happens too fast or too slow.
  - Adjust the various Sleep(n) values in your script as needed. A Sleep value of 1000, measured in milliseconds, is equal to a 1-second pause in the execution of the script. We do not recommend overly minimizing the Sleep pauses, as a slowdown in application loading or web page loading can lead to issues with the automated processing. It is better to have longer pauses to reduce the possibility of failures.
- Our OneSign Admin Console has a Domain dropdown selector that prevents a successful login when passing just the User from the PAM record.
  - If your OneSign Admin Console is integrated with 2+ Directories and a dropdown selector is required in the login form, then you must specify the User value in the PAM record using its full account name (UPN). For example, if the user is bwilliams and the domain is contoso.com, you would enter the User as bwilliams@contoso.com in the PAM record for your OneSign Admin Console.
- The PAM RemoteApp session is starting successfully; however, Chrome is asking if the user wants to save the password. We don’t want this to happen as it breaks the PAM autologin experience for RemoteApps.
  - We recommend you disable the Chrome Password Manager feature for this installation on your RDS Host server. Here is a link that offers guidance on the Chrome Password Manager policy: https://chromeenterprise.google/policies/#PasswordManagerEnabled
- When a second user, UserB, starts a session, the first user, UserA, is disconnected with the session error 521.
  - RDS is configured to allow only a single RDP session per user, and since PAM is using the same account to connect to RDS (the Remote App Host record), the second connection is taking over the first.
  - By default, Windows prevents a single user from establishing multiple sessions. As a workaround, you may consider the following change in the Local Group Policy editor on the RDS Host server: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Restrict Remote Desktop Services user to a single Remote Desktop Services session > Disabled.
  - Consult with your Administrators before making any changes to the RDS Host server. Imprivata Support cannot help with Windows configuration.
- PAM App Launcher is stuck on the “Waiting for window” message.
  - Due to limitations native to Google Chrome and most modern browsers, only a single session per user profile is permitted. As a result, when PAM starts a second session using the same account from the Remote App Host record, Chrome is unable to launch and the App Launcher remains on this waiting message. This is a known limitation of Chrome, and some workarounds are available that could be used to allow additional sessions per user profile, as mentioned here: https://bugs.chromium.org/p/chromium/issues/detail?id=160676
  - Consult with your Administrators before making any changes to the RDS Host server. Imprivata Support cannot help with Windows configuration.
- What is the expected behavior when PAM is configured to use OneSign Login (SAML), the endpoint has a OneSign agent installed, and the OneSign Extension is enabled in the browser?
  - If PAM is configured for OneSign Login (SAML), the endpoint has a OneSign agent installed (with SSO enabled), and the web browser has the OneSign Chromium extension installed, then when the OneSign Login button is clicked on the PAM webpage, the user is automatically logged in using OneSign SSO, without any prompt for a username, password, or MFA token.
  - If OneSign Single Sign-on is suspended in the OneSign agent, the PAM system will prompt for the username, password, and MFA token.