Active Directory

Indeed PAM interacts with end users through an account that will read directory users and their attributes.

Creating an account to use with user directory

  1. Run the Active Directory Users and Computers snap-in
  2. Open the context menu of the organizational unit or container
  3. Select Create - User item from the menu
  4. Specify the user name, say, IPAMManager
  5. Fill in the mandatory fields and complete the account creation

Alternatively, you can use an existing account.

Creating and configuring the service account to use with Active Directory

  1. Start the Active Directory Users and Computers snap-in
  2. Open the context menu of the Container or Organization Unit
  3. Select Create - User item
  4. Enter the name, for example IPAMService
  5. Fill in the required fields and complete the creation of the account
  6. Open the context menu of the created account and select the Properties item
  7. Go to the Member Of tab and click Add
  8. Search for the Domain Admins security group and click Ok
  9. Save all changes

Or use an already created account.

Membership in the Domain Admins security group is required to reset the password for domain administrators that Indeed PAM should manage. If end users should not receive domain administrator privileges, and Indeed PAM should not manage these accounts, then delegation of rights to reset the password for certain containers or the domain as a whole will be required.

  1. Run the Active Directory Users and Computers snap-in
  2. Open the context menu of the Container or Organization Unit
  3. Select Create - User item
  4. Enter the name, for example IPAMService
  5. Fill in the required fields and complete the creation of the account
  6. Open the context menu of the container, organizational unit, or domain root
  7. Select the Properties item
  8. Go to the Security tab
  9. Click Add
  10. Select IPAMService account and click Ok
  11. Click Advanced
  12. Select IPAMService account and click Edit
  13. For the field Applies to: set value Descendant User objects
  14. In the Permissions: section check Reset password
  15. Save all changes
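
The delegation steps above can also be scripted and then verified. The following PowerShell is an added example, not part of the Indeed PAM documentation; the OU distinguished name and the CONTOSO domain are placeholder assumptions, and it requires the ActiveDirectory RSAT module.

```powershell
# Added example: grant "Reset password" on descendant user objects of one OU
# to the IPAMService account, then list every principal holding that right.
# Assumptions: placeholder OU and domain; caller may edit the OU's ACL.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDn    = 'OU=Managed,DC=contoso,DC=example'   # placeholder OU
$account = 'CONTOSO\IPAMService'                # placeholder domain, account name from the page

# Well-known schema GUIDs
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class

$sid = [System.Security.Principal.NTAccount]::new($account).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow ACE: extended right "Reset password", applies to descendant user objects only
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verification: who can reset passwords under this OU, and is the ACE inherited?
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $resetPassword -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, InheritanceType, InheritedObjectType, IsInherited
```

The final query is worth rerunning periodically: any unexpected identity in its output can reset passwords for every user under that OU.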

Storage of media files and shadow copies

File storages are necessary for aggregation and long-term storage of videos, screenshots and files transferred in sessions.

File storage account

It is recommended that you use an already created IPAMManager account. A domain account is required to work with file storage.

Create and configure file storage

  1. Log in to the server that will act as file storage
  2. Create folders, for example MediaData and ShadowCopy
  3. Open the context menu of the folder you created and select Share with > Specific people.
  4. Enter the username, for example IPAMManager and click Add.
  5. In the "Permission level" column, click the Read value next to the IPAMManager user and select Read/Write from the menu.
  6. Finish by clicking Share.

Data storage

Indeed PAM uses Microsoft SQL Server or PostgreSQL Pro to store data. The following components require databases:

  • IPAMCore - Indeed PAM Core component database is used to store Indeed PAM privileged accounts, resources, permissions, and other service data
  • IPAMTasks - The Indeed PAM Core component database is used to store scheduled tasks
  • IPAMIDP - Indeed PAM IdP component database is used to store authenticators of Indeed PAM users and administrators
  • ILS - The Indeed Log Server component database is used to store the Indeed PAM events

Database creation


Microsoft SQL Server

  1. Run Microsoft SQL Management Studio (SSMS) and connect to Microsoft SQL Server instance
  2. Open the context menu of Databases item
  3. Select the New Database item
  4. Specify a database name, for example IPAMCore, IPAMTasks, IPAMIdP, ILS
  5. Click OK

PostgreSQL Pro

  1. Launch pgAdmin and connect to the PostgreSQL Pro server
  2. Open the context menu of the Databases item
  3. Select Create, Database
  4. Specify a database name, for example: IPAMCore, IPAMTasks, IPAMIdP, ILS
  5. Click Save

Creating a service account to work with data storage


Microsoft SQL Server

  1. Start Microsoft SQL Management Studio (SSMS) and connect to the Microsoft SQL Server instance
  2. Expand the Security item
  3. Open the context menu of Logins item
  4. Select the Create login item
  5. Enter the name, for example IPAMSQLService
  6. Select SQL Server authentication item and fill in the required fields
  7. Switch to User Mapping item
  8. Check IPAMCore, IPAMTasks, IPAMIdP and ILS databases
  9. Check database roles db_owner, db_datareader and db_datawriter
  10. Click OK

PostgreSQL Pro

  1. Launch pgAdmin and connect to the PostgreSQL Pro server
  2. Open the context menu of the Login/Group Roles item
  3. Select Create, Login/Group Role
  4. Specify a Name, for example IPAMSQLService
  5. Go to Definition tab, enter the new password for account
  6. Go to Privileges tab, check Yes for Can Login? and Superuser? items
  7. Click Save, repeat for the rest of the databases.

The rights db_owner for Microsoft SQL Server and Superuser for PostgreSQL are required only for the first access to the database.
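
Because db_owner is needed only for the first access, it can be dropped on Microsoft SQL Server once that first access has completed. The following PowerShell is an added example, not part of the Indeed PAM documentation; the instance name is a placeholder, and it assumes the SqlServer module, a caller with SQL administrator rights using Windows authentication, and database users named like the login.

```powershell
# Added example: remove db_owner from the IPAMSQLService user in each Indeed PAM
# database after first access, then report the roles the user still holds.
# Assumptions: placeholder instance name; database user name equals the login name.
Import-Module SqlServer

$instance  = 'SQL01.contoso.example'                 # placeholder SQL Server instance
$login     = 'IPAMSQLService'                        # account name from the page
$databases = 'IPAMCore', 'IPAMTasks', 'IPAMIdP', 'ILS'

# Drop the membership only if it is present, so the script can be rerun safely
$dropOwner = "IF IS_ROLEMEMBER('db_owner', '$login') = 1 " +
             "ALTER ROLE db_owner DROP MEMBER [$login];"

# Remaining role memberships of the user in the current database
$listRoles = @"
SELECT DB_NAME() AS DatabaseName, r.name AS RoleName
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'$login';
"@

foreach ($db in $databases) {
    Invoke-Sqlcmd -ServerInstance $instance -Database $db -Query $dropOwner
    Invoke-Sqlcmd -ServerInstance $instance -Database $db -Query $listRoles
}
```

After it runs, the report should list only db_datareader and db_datawriter for each of the four databases.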

IIS

Additional components Microsoft .NET Core 3.1 Hosting Bundle and URL Rewrite (from the MSComponents.zip archive) should be installed only after IIS.

Generate secret for applications

For Indeed PAM Core, Indeed PAM Gateway, SSH Proxy and ConsoleApp to interact with Indeed PAM IdP, you need to generate a key and its hash.

  1. Go to Indeed.PAM\Misc\ConsoleApp folder
  2. Edit file appsettings.json
  3. Enter https://1 as a value for the parameter apiUrl
  4. Enter https://2 as a value for the parameter idpUrl
  5. Run Command prompt (CMD)
  6. Run the Pam.ConsoleApp.exe utility with the generate-secret parameter
  7. Save the secret and its hash
