RDP, SSH, Web and SQL Connection
The Axidian Privilege user console displays permissions to access resources. Sorting is available for each column except the Tags column. When searching, matches are displayed across all columns.
If the user has access to ad hoc resources, they are displayed at the top of the list.
Connection to a Resource via RDP
Connect to a resource using an RDP file or open a session in a new browser tab through the Web terminal.
- RDP file
- Web Terminal
- Click
next to the permission and select Download RDP connection file. - Open the downloaded file and authenticate as an Axidian Privilege user.
If the administrator has enabled an authentication code, credentials do not need to be entered. - (Optional) Specify a reason for the connection if required by the policy.
- Authenticate on the resource:
- If the permission specifies an account, login is performed on behalf of that account.
- If the permission is granted for a user account and authentication in Axidian Privilege was completed as a PAM user, their login and password are auto-filled in the resource login form.
If authentication codes are enabled, enter the user password when reusing the RDP file.
- Click next to the permission and select Open via Web terminal.
- Authenticate as an Axidian Privilege user.
If the administrator has enabled an authentication code, credentials do not need to be entered. - (Optional) Specify a reason for the connection if required by the policy.
- Authenticate on the resource:
- If the permission specifies an account, login is performed on behalf of that account.
- If the permission is granted for a user account and authentication in Axidian Privilege was completed as a PAM user, their login and password are auto-filled in the resource login form.
The session opens in a new browser tab. To terminate the session, close the tab.
The clipboard supports text data only.
Connection to the Access Gateway
The access gateway accepts the user's connection and displays a list of resources available for launching a session.
RDS gateway
- Click Connect to the access gateway, the download of the RDP file will begin.
- Run this RDP file.
- Authenticate and set up the connection.
SSH gateway
Connect to the SSH gateway from the command line or using an SSH client.
- Command line
- PuTTY
- MobaXterm
- SecureCRT
Open the console utility.
Enter the IP address or DNS name to connect to the SSH access server or load balancer.
To find out the address, go to the user console and copy the SSH command to any resource. Use the value specified after the@symbol. If required, specify the path to the private key.Template of SSH Proxy Connection Commandssh <user login>@<IP address or DNS name> -p <port number> -i <path to private key>Example of SSH Proxy Connection Commandssh user@axidianproxy -p 2222 -i "C:\Users\user\.ssh\id_ed25519"Complete authentication. If SSH key authentication is configured, skip this step.
Select a resource and connect.
Authentication via Password
- Open the PuTTY app.
- In the Host Name (or IP address) field, enter the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
- Optionally specify the port in the Port field.
- In the Connection type field, select SSH.
- Click Open.
- Enter user login.
- Enter the password.
- Enter OTP.
- Select a resource and connect.
Authentication via SSH Key
This method is possible only if SSH key authentication is configured and the key is generated by the PuTTYgen utility.
- Open the PuTTY app.
- In the Host Name (or IP address) field, enter the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
- Optionally specify the port in the Port field.
- In the Connection type field, select SSH.
- Open Connection → Data. Enter user login in Auto-login-username field.
- Open Connection → SSH → Auth → Credentials. Specify the private key in the Private key file for authentication field.
- Click Open.
- Enter OTP.
- Select a resource and connect.
Certificate Authentication
This method is available only if SSH key authentication is configured and PuTTY CAC is installed.
- Open the PuTTY app.
- In the Host Name (or IP address) field, enter the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
- Optionally specify the port in the Port field.
- In the Connection type field, select SSH.
- Open Connection → Data. Enter user login in Auto-login-username field.
- Open Connection → SSH → Certificate. Click Set CAPI Cert.
- Click Open.
- Enter OTP.
- Select a resource and connect.
In MobaXterm versions earlier 23.0, you need to disable the Fix connection issues option in the Settings → Configuration → SSH section.
Authentication via Password
- Open the MobaXterm app.
- Click Sessions → New Session.
- Select SSH.
- In Remote host specify the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
- Enable the Specify username option and enter the username.
- Optionally specify the port in the Port field.
- Click OK.
- Enter the password.
- Enter OTP.
- Select a resource and connect.
Authentication via SSH Key
This method is possible only if SSH key authentication is configured.
- Open the MobaXterm app.
- Click Sessions → New Session.
- Select SSH.
- In Remote host specify the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
- Enable the Specify username option and enter the username.
- Optionally specify the port in the Port field.
- Click the Advanced SSH Settings tab.
- Enable the Use private key option and specify the private key in this field.
- Click Expert SSH settings.
- In the SSH protocol version field, specify SSHv2.
- Click OK.
- Enter OTP.
- Select a resource and connect.
Authentication via Password
- Open the SecureCRT app.
- Click File → Quick Connect.
- In the Protocol field, select SSH2.
- In the Hostname field, specify the SSH Proxy or the balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
- Optionally specify the port in the Port field.
- In the Username field, enter the username.
- Click Connect.
- Enter the password.
- Enter OTP.
- Select a resource and connect.
Authentication via SSH Key
- Open the SecureCRT app.
- Click File → Quick Connect.
- In the Protocol field, select SSH2.
- In the Hostname field, specify the SSH Proxy or the balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
- Optionally specify the port in the Port field.
- In the Username field, enter the username.
- In the Authentication group, enable the PublicKey option and disable all others.
- Select PublicKey with the mouse and click
. - Select the Use session public key setting option.
- Specify the private key in the Use identity or certificate file field.
- Click OK.
- Click Connect.
- Enter OTP.
- Select a resource and connect.
Connection to a Resource via SSH
Connect to the resource using the command line, SSH client, or start an SSH session in a new browser tab via a Web Terminal.
- Command Line
- Web terminal
- PuTTY
- MobaXterm
- SecureCRT
Click
next to the permission and select Copy SSH command.Run the copied command in the terminal.
If you need to specify a reason for the connection, add it to the command after the username.Example command with a reasonssh "pamadmin@pam.local#10.10.1.191#LINUX-PAM.LOCAL\pam-admin#reason-for-connection#@pam.axidian-id.hq" -p 2222Authenticate as an Axidian Privilege user.
If the administrator has enabled an authentication code, credentials do not need to be entered.Example command with a reason and an authentication codessh "pamadmin@pam.local#10.10.1.191#LINUX-PAM.LOCAL\pam-admin#reason-for-connection#ZO3nNVdBFMKIGEs@pam.axidian-id.hq" -p 2222Authenticate on the resource:
- If the permission specifies an account, login is performed on behalf of that account.
- If the permission is granted for a user account and authentication in Axidian Privilege was completed as a PAM user, their login and password are auto-filled in the connection string.
To log in to the resource, press Enter twice.
If authentication codes are enabled, enter the user password when reusing the command.
Connection using a command with additional parameters
You can write an SSH command manually using the template below.
Write an SSH command using the following template:
SSH command templatessh [user-name]#[resource]#[account-name]#[reason]@[proxy-address]user-name— username.resource— IP address or DNS name of the resource.account-name— name of the privileged account.reason— connection reason text; if the reason contains spaces, enclose it in quotes.proxy-address— IP address or DNS name of the SSH Proxy server.
Any parameter except
proxy-addresscan be omitted. In this case, SSH Proxy will prompt for these parameters separately.Run the command in the terminal.
Authenticate.
To open an SSH session in a new browser tab:
- Click next to the permission and select Open via Web terminal.
- Authenticate as an Axidian Privilege user.
If the administrator has configured an authentication code, credentials do not need to be entered. - (Optional) Specify a reason for the connection if required by the policy.
- Authenticate on the resource:
- If the permission specifies an account, login is performed on behalf of that account.
- If the permission is granted for a user account and authentication in Axidian Privilege was completed as a PAM user, their login and password are auto-filled in the connection string.
To log in to the resource, press Enter twice.
The session opens in a new browser tab. To terminate the session, close the tab.
The clipboard supports text data only.
- In the user console, to the right of the permission to the SSH resource, click Copy SSH command.
- Open the PuTTY app.
- Paste the copied line in the Host Name (or IP address) field. Remove the ssh, quotes, and port from this line.
- Specify the port in the Port field.
- Click Open.
- Enter your password and OTP.
- Open the MobaXterm app.
- Click Sessions → New Session.
- Select SSH.
- In Remote host specify the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
- Enable the Specify username option.
- Enter username. You can specify it in the format:
[user-name]#[resource]#[account-name]#[reason]Example of specifying additional parameters in a usernameVDD\alex.shushkin#cent9en.vdd.com#CENT9EN\local## - Optionally specify the port in the Port field.
- Click OK.
- Enter your password and OTP.
- Open the SecureCRT app.
- Click File → Quick Connect.
- In Protocol field select SSH2.
- In the Hostname field, specify the SSH Proxy or the balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
- In the Username field, specify the username.
You can specify it in the format: [user-name]#[resource]#[account-name]#[reason]Example of specifying additional parameters in a usernameVDD\alex.shushkin#cent9en.vdd.com#CENT9EN\local## - Click Connect.
- Enter your password and OTP.
Connection to a Resource via PostgreSQL Proxy
A special license is required to connect to the PostgreSQL resource.
- Psql CLI
- GUI DBMS Client
Click
next to the permission and select Copy Psql connection command.Run the copied command in the terminal.
If you need to specify a reason for connection, enter it in the command after the username.Example of a command without a reasonpsql "postgresql://pamadmin%40pam.local%2310.10.1.105%23POSTGRESQL%5CAdmin@pam.axidian-id.hq:5432/postgres"Example command with a reasonpsql "postgresql://pamadmin%40pam.local%2310.10.1.105%23POSTGRESQL%5CAdmin%23reason-for-connection@pam.axidian-id.hq:5432/postgres"Complete authentication. If the administrator has configured session opening without re-authentication, credentials do not need to be entered.
Example command with a reason and an authentication codepsql "postgresql://pamadmin%40pam.local%2310.10.1.105%23POSTGRESQL%23reason-for-connection%230C6XI9IrGx:nopassword@pam.axidian-id.hq:5432/postgres"infoWhen reusing a command, a password is required to be entered.
Open the user console of Axidian PAM.
Click Show connection credentials.
Open your DBMS client and enter into its connection form the data you received in the previous step:
- Connection Address
- Connection Port
- Account Name
- Default Database
If the User must specify the connection reason option is enabled in the session policy, then add the connection reason text to the Account Name field.
Example: if the Account Name value was
admin@company.local#1.1.1.1#MYCOMPANY\test-admin, after the reason was added it will read as:admin@company.local#1.1.1.1#MYCOMPANY\test-admin#"my reason to connect".If this option is disabled, skip this step.
In the connection form, enter the password of your PAM account.
Connection to a Resource via MSSQL Proxy
A special license is required to connect to the MSSQL resource.
- Sqlcmd CLI
- GUI DBMS Client
Click
next to the permission and select Copy sqlcmd connection command.Run the copied command in the terminal.
If you need to specify a reason for connection, enter it in the command after the username.Example of a command without a reasonsqlcmd -S pam.local,8081 -U ivan.ivanov#SQL -d masterExample command with a reasonsqlcmd -S pam.local,8081 -U ivan.ivanov#SQL#MSSQLuser#reason-for-connection -d masterComplete authentication. If the administrator has configured session opening without re-authentication, credentials do not need to be entered.
Example command with a reason and an authentication codesqlcmd -S pam.local,8081 -U ivan.ivanov#SQL#MSSQLuser#reason-for-connection#C6XI9IrGx:nopassword -d masterinfoWhen reusing a command, a password is required to be entered.
Open the user console of Axidian PAM.
Click Show connection credentials.
Open your DBMS client and enter into its connection form the data you received in the previous step:
- Connection Address
- Connection Port
- Account Name
- Default Database
If the User must specify the connection reason option is enabled in the session policy, then add the connection reason text to the Account Name field.
Example: if the Account Name value was
admin@company.local#1.1.1.1#MYCOMPANY\test-admin, after the reason was added it will read as:admin@company.local#1.1.1.1#MYCOMPANY\test-admin#"my reason to connect".If this option is disabled, skip this step.
In the connection form, enter the password of your PAM account.
Connection to a Resource via Web Proxy
Connect to the web application or website via a Web Proxy from the user's console.
- Open in new tab
- RDP file
To open a web resource in a new browser tab:
- Click Open in new tab next to the required permission.
- Specify the reason for the connection and click Confirm.
The session opens in a new browser tab. To terminate the session, close the tab.
The clipboard supports text data only.
- Click next to the permission and select Download RDP connection file.
- Open the downloaded file and authenticate as an Axidian Privilege user.
If the administrator has enabled an authentication code, credentials do not need to be entered. - (Optional) Specify a reason for the connection if required by the policy.
- Authenticate on the resource:
- If the permission specifies an account, login is performed on behalf of that account.
- If the permission is granted for a user account and authentication in Axidian Privilege was completed as a PAM user, their login and password are auto-filled in the resource login form.
If authentication codes are enabled, enter the user password when reusing the RDP file.
Connection to an Ad Hoc Resource
Ad hoc resources are resources that are not registered in the Axidian Privilege system. This type of connection makes it possible to connect to any resources according to connection types predefined by the PAM administrator.
A special license is required to connect to the ad hoc resource.
Click Specify connection address to the right of the required permission to the ad hoc resource.
Select Connection type.
infoThe available connection types are determined by the PAM administrator when granting permissions.
Enter Connection address.
Depending on the selected connection type, click one of the buttons: Copy SSH command or Download RDP file.
If you have several permissions (with different connection types) to an ad hoc resource, and in the Connection to an ad hoc resource window in the Connection type field there are no required options, then check the Permission Access Schedule.
The connection type will not be displayed in the Connection type field if you are trying to connect via permission outside the hours specified in the Permission Access Schedule.
Setting a Password During Connection
When connecting to the resource, you may be asked for a password.
This means that the account on whose behalf you are granted access to the resource does not have a password. You cannot connect to the resource with such an account. Contact your PAM administrator, as only an administrator can set an account password.
Ending a Session
To end the session, close the remote connection window or log off the resource.