Version: Axidian Privilege 3.3

RDP, SSH, Web and SQL Connection

Available permissions to access resources are displayed in the user console.

Sorting is available for each column except the Tags column. When entering characters in the search field, matches will be displayed for all columns.

If the user has access to ad hoc resources, they will be displayed at the top of the list.

Connection to a Resource via RDP

Connect to a resource using an RDP file or open a session in a new browser tab through the Web terminal.

  1. Click the down arrow next to the permission and select Download RDP connection file.
  2. Open the downloaded file.
  3. Complete authentication and specify local drives to use in the remote session.
    If the administrator has configured session opening without re-authentication, credentials do not need to be entered.
info

When reusing an RDP file, a password must be entered.

Connection to the Access Gateway

The access gateway accepts the user's connection and displays a list of resources available for launching a session.

RDS gateway

  1. Click Connect to the access gateway. The download of the RDP file will begin.
  2. Run this RDP file.
  3. Authenticate and set up the connection.

SSH gateway

Connect to the SSH gateway from the command line or using an SSH client.

  1. Open the console utility.

  2. Enter the IP address or DNS name of the SSH access server or load balancer to connect to.
    To find out the address, go to the user console and copy the SSH command for any resource. Use the value specified after the @ symbol. If required, specify the path to the private key.

    Template of SSH Proxy Connection Command
    ssh <user login>@<IP address or DNS name> -p <port number> -i <path to private key>
    Example of SSH Proxy Connection Command
    ssh user@axidianproxy -p 2222 -i "C:\Users\user\.ssh\id_ed25519"
  3. Complete authentication. If SSH key authentication is configured, skip this step.

  4. Select a resource and connect.

Connection to a Resource via SSH

Connect to the resource from the command line or an SSH client, or start an SSH session in a new browser tab via the Web terminal.

Connection by command from the user console

  1. Click the down arrow next to the permission and select Copy SSH command.

  2. Run the copied command in the terminal.
    If you need to specify a reason for connection, enter it in the command after the username.

    Example of a command without a reason
     ssh "pamadmin@pam.local#10.10.1.191#LINUX-PAM.LOCAL\pam-admin##@pam.axidian-id.hq" -p 2222
    Example command with a reason
     ssh "pamadmin@pam.local#10.10.1.191#LINUX-PAM.LOCAL\pam-admin#reason-for-connection#@pam.axidian-id.hq" -p 2222
  3. Complete authentication. If the administrator has configured session opening without re-authentication, credentials do not need to be entered.

    Example command with a reason and an authentication code
    ssh "pamadmin@pam.local#10.10.1.191#LINUX-PAM.LOCAL\pam-admin#reason-for-connection#ZO3nNVdBFMKIGEs@pam.axidian-id.hq" -p 2222
    info

    When reusing a command, a password must be entered.

Connection by command with additional parameters

You can write an SSH command manually using the template below.

  1. Write an SSH command using the template below.

    Template of SSH command
    ssh [user-name]#[resource]#[account-name]#[reason]@[proxy-address]
    • user-name — user name.
    • resource — IP address or DNS name of the resource.
    • account-name — name of the privileged account.
    • reason — text of the connection reason. If the reason contains spaces, specify it in quotation marks.
    • proxy-address — IP address or DNS name of the SSH Proxy server.

    You can omit any parameter except proxy-address. In this case, SSH Proxy will request these parameters separately.

  2. Run the command in the terminal.

  3. Complete authentication.

Connection to a Resource via the PostgreSQL Proxy

caution

A special license is required to connect to the PostgreSQL resource.

  1. Click the down arrow next to the permission and select Copy Psql connection command.

  2. Run the copied command in the terminal.
    If you need to specify a reason for connection, enter it in the command after the username.

    Example of a command without a reason
      psql "postgresql://pamadmin%40pam.local%2310.10.1.105%23POSTGRESQL%5CAdmin@pam.axidian-id.hq:5432/postgres"
    Example command with a reason
      psql "postgresql://pamadmin%40pam.local%2310.10.1.105%23POSTGRESQL%5CAdmin%23reason-for-connection@pam.axidian-id.hq:5432/postgres"
  3. Complete authentication. If the administrator has configured session opening without re-authentication, credentials do not need to be entered.

    Example command with a reason and an authentication code
    psql "postgresql://pamadmin%40pam.local%2310.10.1.105%23POSTGRESQL%23reason-for-connection%230C6XI9IrGx:nopassword@pam.axidian-id.hq:5432/postgres"
    info

    When reusing a command, a password must be entered.
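
The composite login used in the SSH and PostgreSQL commands above can be split back into its fields, for example to check which account, reason and authentication code a saved command carries. This is an added example, not part of the Axidian documentation or product; the function names are hypothetical, and the field order (user, resource, account, reason, authentication code) is inferred from the sample commands on this page.

```python
from urllib.parse import quote, unquote, urlsplit

# Field order inferred from the sample commands on this page (assumption).
FIELDS = ("user", "resource", "account", "reason", "auth_code")

def parse_login(login):
    """Split 'user#resource#account#reason#code'; omitted fields become ''."""
    parts = login.split("#")
    if len(parts) > len(FIELDS):
        raise ValueError("too many '#'-separated fields")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))

def parse_ssh_target(target):
    """Parse the ssh argument '<login>@<proxy-address>'."""
    # The user name may itself contain '@' (pamadmin@pam.local), so the
    # proxy address is whatever follows the LAST '@'.
    login, _, proxy = target.rpartition("@")
    if not proxy:
        raise ValueError("proxy-address cannot be omitted")
    return {**parse_login(login), "proxy": proxy}

def parse_psql_uri(uri):
    """Parse the psql URI form, where the login is percent-encoded."""
    netloc = urlsplit(uri).netloc
    userinfo, _, hostport = netloc.rpartition("@")
    # Drop a ':<password>' suffix before decoding %40 (@), %23 (#), %5C (\).
    login = unquote(userinfo.split(":", 1)[0])
    return {**parse_login(login), "proxy": hostport.split(":")[0]}

def to_psql_uri(f, port=5432, database="postgres"):
    """Rebuild the percent-encoded URI from fields (no authentication code)."""
    parts = [f["user"], f["resource"], f["account"]]
    if f["reason"]:
        parts.append(f["reason"])
    login = quote("#".join(parts), safe="")
    return f"postgresql://{login}@{f['proxy']}:{port}/{database}"

if __name__ == "__main__":
    # Sample commands copied from this page.
    ssh = r"pamadmin@pam.local#10.10.1.191#LINUX-PAM.LOCAL\pam-admin#reason-for-connection#ZO3nNVdBFMKIGEs@pam.axidian-id.hq"
    print(parse_ssh_target(ssh))
    uri = "postgresql://pamadmin%40pam.local%2310.10.1.105%23POSTGRESQL%5CAdmin%23reason-for-connection@pam.axidian-id.hq:5432/postgres"
    print(parse_psql_uri(uri))
    assert to_psql_uri(parse_psql_uri(uri)) == uri
```
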

Connection to a Resource via the MSSQL Proxy

caution

A special license is required to connect to the MSSQL resource.

  1. Click the down arrow next to the permission and select Copy sqlcmd connection command.

  2. Run the copied command in the terminal.
    If you need to specify a reason for connection, enter it in the command after the username.

    Example of a command without a reason
       sqlcmd -S pam.local,8081 -U ivan.ivanov#SQL -d master
    Example command with a reason
      sqlcmd -S pam.local,8081 -U ivan.ivanov#SQL#MSSQLuser#reason-for-connection -d master
  3. Complete authentication. If the administrator has configured session opening without re-authentication, credentials do not need to be entered.

    Example command with a reason and an authentication code
    sqlcmd -S pam.local,8081 -U ivan.ivanov#SQL#MSSQLuser#reason-for-connection#C6XI9IrGx:nopassword -d master
    info

    When reusing a command, a password must be entered.

Connection to a Resource via Web Proxy

Connect to the web application or website via a Web Proxy from the user's console.

  1. Click the down arrow next to the permission and select Open in new tab.
  2. Specify the reason for connecting and click Confirm.
    If the administrator has configured session opening without re-authentication, credentials do not need to be entered.

The session will open in a new browser tab. To terminate the session, close the tab.

Clipboard limitations

The clipboard supports text data only. Clipboard operations between the web resource and the user's workplace are not supported.

Connection to an Ad Hoc Resource

Ad hoc resources are resources that are not registered in the Axidian Privilege system. This type of connection makes it possible to connect to any resources according to connection types predefined by the PAM administrator.

caution

A special license is required to connect to the ad hoc resource.

  1. Click Specify connection address to the right of the required permission to the ad hoc resource.

  2. Select Connection type.

    info

    The available connection types are determined by the PAM administrator when granting permissions.

  3. Enter Connection address.

  4. Depending on the selected connection type, click one of the buttons: Copy SSH command or Download RDP file.

info

If you have several permissions (with different connection types) to an ad hoc resource and the required options are missing from the Connection type field in the Connection to an ad hoc resource window, check the Permission Access Schedule.

A connection type is not displayed in the Connection type field if you are trying to connect via a permission outside the hours specified in the Permission Access Schedule.

Setting a Password During Connection

When connecting to the resource, you may be asked for a password.

This means that the account on whose behalf you are granted access to the resource does not have a password. You cannot connect to the resource with such an account. Contact your PAM administrator, as only an administrator can set an account password.

Ending a Session

To end the session, close the remote connection window or log off the resource.